Are Ubuntu security updates still automatic?
-
I noticed that my 3 Cloudron Pro servers are running already for 2 months, while before every month a reboot was needed because of security updates.
SSH tells:
21 of these updates are standard security updates.
35 of these updates are standard security updates.
29 of these updates are standard security updates.
Is Cloudron doing its job here?
-
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2025-12-14 06:11:43 UTC; 1 month 23 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 787 (unattended-upgr)
      Tasks: 2 (limit: 38374)
     Memory: 10.1M
        CPU: 165ms
     CGroup: /system.slice/unattended-upgrades.service
             └─787 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.

systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:49:30 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 765 (unattended-upgr)
      Tasks: 2 (limit: 38375)
     Memory: 8.3M
        CPU: 91ms
     CGroup: /system.slice/unattended-upgrades.service
             └─765 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.

systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:57:28 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 875 (unattended-upgr)
      Tasks: 2 (limit: 77023)
     Memory: 11.1M
        CPU: 112ms
     CGroup: /system.slice/unattended-upgrades.service
             └─875 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
-
Hello @imc67
Can you please check what packages are marked as security updates?
apt list --upgradable | grep "\-security"

The file /etc/apt/apt.conf.d/50unattended-upgrades configures which origins are allowed for unattended upgrades.
By default it is:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

You can then cross-reference the pending security updates with the Unattended-Upgrade::Allowed-Origins and this should explain why certain packages are not upgraded.
Run the following command to test unattended-upgrades:
unattended-upgrades --dry-run
# or
unattended-upgrades --dry-run --debug
-
one example (of 3), I think it includes the very high ranked issue with OpenSSL?:
apt list --upgradable | grep "\-security"

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libc-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc-dev-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6-dev/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
linux-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-headers-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-image-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-libc-dev/jammy-updates,jammy-security 5.15.0-168.178 amd64 [upgradable from: 5.15.0-164.174]
locales/jammy-updates,jammy-security 2.35-0ubuntu3.13 all [upgradable from: 2.35-0ubuntu3.11]
mysql-client-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-client-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
screen/jammy-updates,jammy-security 4.9.0-1ubuntu0.1 amd64 [upgradable from: 4.9.0-1]

cat /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
};

unattended-upgrades --dry-run

Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/locales_2.35-0ubuntu3.13_all.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libssl3_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libssl3:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure --recursive /tmp/apt-dpkg-install-JHk6R5
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/linux-libc-dev_5.15.0-168.178_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc6-dev_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc-dev-bin_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc6_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc6:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/screen_4.9.0-1ubuntu0.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc-bin_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc-bin:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/openssl_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending

The output of unattended-upgrades --dry-run --debug was too much but I "asked" Claude to analyse it and it discovered no issues.
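An added example of the cross-reference the Cloudron staff suggest above (this script is not from the thread and not part of Cloudron): a POSIX shell script that expands the Allowed-Origins block of 50unattended-upgrades to archive names and checks every package from `apt list --upgradable` against them, so the packages that no allowed origin covers stand out. The apt listing and the config text are constructed samples, `jammy` is assumed as distro_codename, and the matching is a deliberate simplification: unattended-upgrades itself matches a package's Origin and Suite from the Release file (including the `${distro_id}` part), whereas this script compares only the archive names apt prints after the slash.

```shell
#!/bin/sh
# Added example: cross-reference pending upgrades with Allowed-Origins.
# Both inputs below are constructed samples, not captured from a real host.
SAMPLE_APT_LIST='Listing... Done
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
screen/jammy-updates,jammy-security 4.9.0-1ubuntu0.1 amd64 [upgradable from: 4.9.0-1]
htop/jammy-updates 3.0.5-7ubuntu2 amd64 [upgradable from: 3.0.5-7ubuntu1]
foo/jammy-backports 1.0-1 amd64 [upgradable from: 0.9-1]'

# Constructed copy of the default Allowed-Origins block (ESM lines kept,
# -updates and -backports commented out exactly as Ubuntu ships them).
SAMPLE_CONFIG='Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-backports";
};'

# allowed_archives CONFIG CODENAME
# Prints one archive (suite) name per line that unattended-upgrades may
# install from: commented-out (//) entries are dropped, the "origin:" prefix
# is stripped, and ${distro_codename} is expanded to CODENAME.
allowed_archives() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*//' \
      | grep -o '"[^"]*"' \
      | tr -d '"' \
      | sed 's/.*://' \
      | sed 's/\${distro_codename}/'"$2"'/'
}

# classify APT_LIST CONFIG CODENAME
# For each upgradable package prints "<pkg> eligible <archives>" when at
# least one of its archives is an allowed origin, else "<pkg> blocked <archives>".
classify() {
    allowed=$(allowed_archives "$2" "$3")
    printf '%s\n' "$1" | grep '/' | while IFS= read -r line; do
        pkg=${line%%/*}            # text before the first slash
        rest=${line#*/}            # "jammy-updates,jammy-security 3.0.2-..."
        archives=${rest%% *}       # comma-separated archive list
        status=blocked
        for a in $(printf '%s' "$archives" | tr ',' ' '); do
            if printf '%s\n' "$allowed" | grep -qx "$a"; then
                status=eligible
                break
            fi
        done
        printf '%s %s %s\n' "$pkg" "$status" "$archives"
    done
}

# blocked_count APT_LIST CONFIG CODENAME
# Number of upgradable packages that no allowed origin covers.
blocked_count() {
    classify "$1" "$2" "$3" | grep -c ' blocked '
}

# Run against the constructed samples when executed directly.
classify "$SAMPLE_APT_LIST" "$SAMPLE_CONFIG" jammy
```

On a real host the same functions can be fed live data, for example `classify "$(apt list --upgradable 2>/dev/null)" "$(cat /etc/apt/apt.conf.d/50unattended-upgrades)" "$(lsb_release -cs)"`. If every pending security package comes out as eligible, as the listing posted above would, the origins are not what is holding the upgrade back, and the next things to check are when `apt-daily-upgrade.timer` last fired (`systemctl list-timers apt-daily-upgrade.timer`) and what `/var/log/unattended-upgrades/unattended-upgrades.log` records for those runs.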