Non-interactive Apt

The package manager makes it easy to keep everything up to date. Usually you just run
$ sudo apt-get update
$ sudo apt-get dist-upgrade
But what if there are questions? 'sudo apt-get -y install unattended-upgrades' makes the computer do this while you sleep.
But what if you want to upgrade everything, right now? This article shows you the instant, fully automatic version, no questions asked.
Why?
No more baby-sitting your upgrades. Kali makes you watch packages install for minutes, then as soon as you leave there is a question: "Do you want to keep your sshd_config?" This article shows you how to automate apt-get.
Also, if you are writing automation, you want automatic and non-interactive commands.
If you want the computer to upgrade your software periodically, 'apt-get install unattended-upgrades'. But sometimes you need to upgrade everything, right now, non-interactively.
Upgrade everything
$ sudo DEBIAN_FRONTEND=noninteractive apt-get update && sudo DEBIAN_FRONTEND=noninteractive NEEDSRESTART_MODE=a apt-get -yyyy -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" dist-upgrade
That's the command you need, the rest of the article explains the finer details.
Explained - upgrade everything
sudo
Run the command with root privileges, log who did it.
DEBIAN_FRONTEND=noninteractive
Set an environment variable for the following command. The assignment must come after sudo, because sudo by default resets the environment of the command it runs. You might think this would make it, well, non-interactive, but it's not enough.
apt-get update
Update the list of what packages are available on the repositories.
&&
Run the following command only if the previous one (apt-get update) succeeded.
sudo DEBIAN_FRONTEND=noninteractive
Covered above. We did not 'export' the variable, so it needs to be repeated for each command.
NEEDSRESTART_MODE=a
Automatically restart daemons as needed. Older systems use "NEEDSRESTART=a".
apt-get -yyyy
Command 'apt-get' is more suitable for automation than the wrapper 'apt'. Answer yes to stupid questions '-y', except it often does not.
-o Dpkg::Options::="--force-confold"
Use my own modified config files - instead of overwriting my configuration with the ones in packages. Kind of no-brainer, unless I have broken something.
-o Dpkg::Options::="--force-confdef"
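When a package ships a different config file than my own (when I have modified config files), use the package's default action. Combined with --force-confold, dpkg takes the default action where one exists and otherwise keeps my installed file.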
dist-upgrade
Reboot automatically
Upgrade everything, reboot if needed.
$ sudo DEBIAN_FRONTEND=noninteractive apt-get update && sudo DEBIAN_FRONTEND=noninteractive NEEDSRESTART_MODE=r apt-get -yyyy -o Dpkg::Options::="--force-confold" -o Dpkg::Options::="--force-confdef" dist-upgrade; test -f /var/run/reboot-required && sudo shutdown -r now
Explanation - reboot automatically
We already went through the regular non-interactive upgrade. Here are just the differences related to reboot.
NEEDSRESTART_MODE=r
Automatically reboot the whole computer after dist-upgrade if needed. This is different from "a", which just restarts the daemons (apache, sshd...). Older systems use "NEEDSRESTART=r".
test -f /var/run/reboot-required && sudo shutdown -r now
Test if the current or an earlier apt-get command has created the "reboot-required" file.
This is different from NEEDSRESTART_MODE=r, which does not consider reboot requirements from earlier 'apt-get dist-upgrade' runs. Such runs could also have occurred if you have the package "unattended-upgrades" installed and performing dist-upgrades automatically.
Troubleshooting & Tricks
Clock is wrong - timedatectl
Apt-get fails if your clock is wrong.
Why? Maybe the adversary is sending recorded traffic on the wire. Maybe "they" are watching you... But browsing the web also fails if your clock is wrong, so best set it correctly.
$ sudo timedatectl set-time "2025-04-20 16:20"
If you have network time protocol NTP on, you might need to 'sudo timedatectl set-ntp false' first.
unattended-upgrades
You can make the computer periodically install updates automatically.
$ sudo apt-get update
$ sudo apt-get -y install unattended-upgrades
You still have to reboot yourself for kernel upgrades (linux-image...).
Do I need to reboot - /var/run/reboot*
Apt-get will create the file /var/run/reboot-required if you need to reboot. Kernel upgrades (linux-image*) need a reboot. If the file exists, you need to reboot soon.
$ head -1000 /var/run/reboot-required*
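Added example (not from the original article): a post-upgrade review in shell, covering this reboot check and the --force-confold behaviour explained earlier. It relies on dpkg saving the packaged copy of a kept config file next to it as *.dpkg-dist; the function names and the script name are made up for this example.

```sh
#!/bin/sh
# Added example: review what a non-interactive dist-upgrade left behind.
# Paths are parameters so the functions can be tried on a scratch directory.

# Succeeds if the reboot flag exists; prints the packages that asked for it
# when the companion FLAG.pkgs file is present.
reboot_pending() {
    flag="${1:-/var/run/reboot-required}"
    [ -f "$flag" ] || return 1
    if [ -f "$flag.pkgs" ]; then sort -u "$flag.pkgs"; fi
    return 0
}

# Lists config files whose packaged version was not installed: when dpkg
# keeps the local file, it saves the package's copy beside it as *.dpkg-dist.
skipped_conffiles() {
    find "${1:-/etc}" -type f -name '*.dpkg-dist' 2>/dev/null | sort |
    while IFS= read -r dist; do
        printf '%s\n' "${dist%.dpkg-dist}"
    done
}

# Prints a report. Returns 0 if nothing needs attention, 1 otherwise.
review() {
    dir="${1:-/etc}"; flag="${2:-/var/run/reboot-required}"; rc=0
    kept=$(skipped_conffiles "$dir")
    if [ -n "$kept" ]; then
        rc=1
        printf '%s\n' "$kept" | while IFS= read -r conf; do
            echo "== $conf: local version kept, packaged version not applied"
            diff -u "$conf" "$conf.dpkg-dist" || true   # diff exits 1 on differences
        done
    fi
    if pkgs=$(reboot_pending "$flag"); then
        rc=1
        echo "== reboot pending; packages that requested it:"
        printf '%s\n' "${pkgs:-(not recorded)}"
    fi
    return "$rc"
}

# Usage (hypothetical script name): sh post-upgrade-review.sh /etc
if [ "$#" -gt 0 ]; then review "$@"; fi
```

The diff output is the part worth reading: it shows which settings the package maintainer changed that your kept config file does not have.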
Install even phased updates
Add to apt-get dist-upgrade parameters:
-o APT::Get::Always-Include-Phased-Updates=true
Some updates are phased, so that first they are delivered to 10% of users, then next 10% or similar. This way, a failed package deployment can be cancelled. The parameter above ignores this and installs any published package right away. I added this parameter from memory.
Apt-get upgrade stops for questions
Well, this whole article is a solution to this. The command to run non-interactively is at the start of the article.
Annoying questions by apt (from memory):
- Keep the local version currently installed?
- Install the package maintainer’s version?
- Show differences?
- Upgrade your PostgreSQL cluster from 17 to 18?
- Daemons need to be restarted, do you want to restart them?
- Would you like me to overwrite your configuration files? How about sshd_config, so you can't log back in?