`unattended-upgrades` seemingly fails to do `apt-get update` first

aexl asked:

I have unattended-upgrades that won’t upgrade. It’s been a full month and its log is empty.

So I checked manually to confirm it thinks there’s nothing to upgrade.

# unattended-upgrades --dry-run --debug
Initial blacklist : 
Initial whitelist: 
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=buster-updates, origin=Debian,codename=buster-proposed-updates, origin=Debian,codename=buster,label=Debian, origin=Debian,codename=buster,label=Debian-Security
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^linux-image-4\.19\.0\-10\-amd64$|^linux-headers-4\.19\.0\-10\-amd64$|^linux-image-extra-4\.19\.0\-10\-amd64$|^linux-modules-4\.19\.0\-10\-amd64$|^linux-modules-extra-4\.19\.0\-10\-amd64$|^linux-signed-image-4\.19\.0\-10\-amd64$|^linux-image-unsigned-4\.19\.0\-10\-amd64$|^kfreebsd-image-4\.19\.0\-10\-amd64$|^kfreebsd-headers-4\.19\.0\-10\-amd64$|^gnumach-image-4\.19\.0\-10\-amd64$|^.*-modules-4\.19\.0\-10\-amd64$|^.*-kernel-4\.19\.0\-10\-amd64$|^linux-backports-modules-.*-4\.19\.0\-10\-amd64$|^linux-modules-.*-4\.19\.0\-10\-amd64$|^linux-tools-4\.19\.0\-10\-amd64$|^linux-cloud-tools-4\.19\.0\-10\-amd64$|^linux-buildinfo-4\.19\.0\-10\-amd64$|^linux-source-4\.19\.0\-10\-amd64$) regexp to find running kernel packages
Checking: nginx ([<Origin component:'nginx' archive:'stable' origin:'nginx' label:'nginx' site:'nginx.org' isTrusted:True>])
adjusting candidate version: nginx=1.14.2-2+deb10u2
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                                                                                                                                                                                  
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
# apt-get upgrade --dry-run
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  nginx
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst nginx [1.16.1-1~buster] (1.18.0-1~buster nginx:10.0/stable [amd64])
Conf nginx (1.18.0-1~buster nginx:10.0/stable [amd64])

I tried again after running apt-get update and the results were different.

# unattended-upgrades --dry-run --debug
…
Checking: bind9-host ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: dnsutils ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libbind9-161 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libdns-export1104 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libdns1104 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libirs161 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libisc-export1100 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libisc1100 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libisccc161 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: libisccfg163 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: liblwres161 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'security.debian.org' isTrusted:True>])
Checking: nginx ([<Origin component:'nginx' archive:'stable' origin:'nginx' label:'nginx' site:'nginx.org' isTrusted:True>])
adjusting candidate version: nginx=1.14.2-2+deb10u3
pkgs that look like they should be upgraded: bind9-host
dnsutils
libbind9-161
libdns-export1104
libdns1104
libirs161
libisc-export1100
libisc1100
libisccc161
libisccfg163
liblwres161
…
Option --dry-run given, *not* performing real actions
Packages that will be upgraded: bind9-host dnsutils libbind9-161 libdns-export1104 libdns1104 libirs161 libisc-export1100 libisc1100 libisccc161 libisccfg163 liblwres161
…
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
# apt-get upgrade --dry-run
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  bind9-host dnsutils libbind9-161 libdns-export1104 libdns1104 libirs161 libisc-export1100 libisc1100 libisccc161 libisccfg163 liblwres161 nginx
12 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst dnsutils [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst bind9-host [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libbind9-161 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libisccfg163 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libisccc161 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libirs161 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libdns1104 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst libisc1100 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64]) []
Inst liblwres161 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Inst libisc-export1100 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Inst libdns-export1104 [1:9.11.5.P4+dfsg-5.1+deb10u1] (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Inst nginx [1.16.1-1~buster] (1.18.0-1~buster nginx:10.0/stable [amd64])
Conf dnsutils (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf bind9-host (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libbind9-161 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libisccfg163 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libisccc161 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libirs161 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libdns1104 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libisc1100 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf liblwres161 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libisc-export1100 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf libdns-export1104 (1:9.11.5.P4+dfsg-5.1+deb10u2 Debian-Security:10/stable [amd64])
Conf nginx (1.18.0-1~buster nginx:10.0/stable [amd64])

I believed updating the package lists before calculating an upgrade is a given and should happen automatically. Am I missing something obvious? The tutorials I read only mention apt-get update before installing unattended-upgrades, and searching specifically didn’t help much.

My answer:


To update the package lists, you need to have set in your apt configuration:

APT::Periodic::Update-Package-Lists "1";

The Debian wiki advises creating a file /etc/apt/apt.conf.d/20auto-upgrades to activate unattended upgrades, containing:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.