# How to enable automatic security updates

The Ubuntu [images](./boot-disk-images) used on boot disks of VMs include the `unattended-upgrades` package that can install security updates automatically. However, unexpected updates might break running GPU workloads. For this reason, unattended upgrades are disabled by default. We recommend that you check the compatibility of new library versions on a test VM, and then apply the updates manually to all running GPU nodes.

If you do need constant security updates, you can enable `unattended-upgrades`.

## For an existing VM

1. [Connect](../virtual-machines/connect) to the VM.

2. Check that the updates are enabled in the configuration:

   ```bash theme={null}
   sudo nano /etc/apt/apt.conf.d/20auto-upgrades
   ```

   The following values should be equal to 1. If they are set to 0, change them to 1:

   ```bash theme={null}
   APT::Periodic::Update-Package-Lists "1";
   APT::Periodic::Unattended-Upgrade "1";
   ```

3. Unmask the upgrade services, then enable and start their timers:

   ```bash theme={null}
   sudo systemctl unmask apt-daily.service apt-daily-upgrade.service
   sudo systemctl enable apt-daily.timer apt-daily-upgrade.timer
   sudo systemctl start apt-daily.timer apt-daily-upgrade.timer
   ```

4. Check the service status:

   ```bash theme={null}
   systemctl status apt-daily.timer apt-daily-upgrade.timer
   ```

   Output for active updates should look like the following:

   ```bash theme={null}
   ● apt-daily.timer - Daily apt download activities
        Loaded: loaded (/usr/lib/systemd/system/apt-daily.timer; enabled; preset: enabled)
        Active: active (waiting) since Wed 2025-10-01 14:59:29 UTC; 7s ago
       Trigger: Thu 2025-10-02 04:54:23 UTC; 13h left
      Triggers: ● apt-daily.service

   ● apt-daily-upgrade.timer - Daily apt upgrade and clean activities
        Loaded: loaded (/usr/lib/systemd/system/apt-daily-upgrade.timer; enabled; preset: enabled)
        Active: active (waiting) since Wed 2025-10-01 14:59:29 UTC; 7s ago
       Trigger: Thu 2025-10-02 06:10:29 UTC; 15h left
      Triggers: ● apt-daily-upgrade.service
   ```
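
To confirm that steps 2 to 4 took effect, the script below (an added example, not part of the Nebius documentation) reads the effective APT settings from `apt-config dump`, because a later file in `/etc/apt/apt.conf.d` can override `20auto-upgrades`, and judges the unit states printed by `systemctl is-enabled`. The function names, the `--live` switch and the sample dumps are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the settings from steps 2-4 (names here are illustrative).

# Print the effective value of one option from `apt-config dump` text on stdin.
# apt merges every file in /etc/apt/apt.conf.d, so the dump shows the final value.
apt_option() {
  awk -v key="$1" '$1 == key { gsub(/[";]/, "", $2); val = $2 } END { print val }'
}

# An option is on when it is present and not "0".
is_on() { [ -n "$1" ] && [ "$1" != "0" ]; }

# Succeed only if both options from 20auto-upgrades are effectively on.
periodic_enabled() {
  local dump
  dump=$(cat)
  is_on "$(printf '%s\n' "$dump" | apt_option 'APT::Periodic::Update-Package-Lists')" &&
    is_on "$(printf '%s\n' "$dump" | apt_option 'APT::Periodic::Unattended-Upgrade')"
}

# Judge a state string printed by `systemctl is-enabled`.
unit_ok() {
  case "$1" in
    *.timer) [ "$2" = "enabled" ] ;;                    # must be scheduled at boot
    *)       [ -n "$2" ] && [ "$2" != "masked" ] ;;     # service must be startable
  esac
}

# Constructed samples of `apt-config dump` output (not captured from a real VM).
SAMPLE_ON='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_OFF='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

# Run the checks against the live system; returns non-zero on any failure.
audit_host() {
  local rc=0 unit state
  apt-config dump | periodic_enabled || { echo "FAIL: APT::Periodic is off"; rc=1; }
  for unit in apt-daily.timer apt-daily-upgrade.timer \
              apt-daily.service apt-daily-upgrade.service; do
    state=$(systemctl is-enabled "$unit" 2>/dev/null || true)
    unit_ok "$unit" "$state" || { echo "FAIL: $unit is '${state:-not found}'"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: unattended upgrades are enabled"
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run the script with `--live` on the VM to check the real system; without the argument it only defines the functions.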

## During VM creation

When you create a new VM, you can enable unattended upgrades for the VM in the [user data configuration](../virtual-machines/manage#optional-create-a-user-data-configuration).

<Tabs>
  <Tab title="Web console">
    On the VM creation page, in the **User data** section, enable the custom cloud-init configuration. The window below contains the code that specifies users who can connect to the VM. Add the following code to enable updates:

    ```yaml theme={null}
    users:
      - name: $USER
        sudo: ALL=(ALL) NOPASSWD:ALL
        shell: /bin/bash
        ssh_authorized_keys:
          - $(cat ~/.ssh/id_ed25519.pub)

    package_update: true
    packages:
      - unattended-upgrades

    write_files:
      - path: /etc/apt/apt.conf.d/20auto-upgrades
        permissions: '0644'
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    runcmd:
      - systemctl unmask apt-daily.service apt-daily-upgrade.service
      - systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
      - systemctl restart unattended-upgrades
    ```
  </Tab>

  <Tab title="CLI">
    Create a configuration in the [cloud-init](https://cloudinit.readthedocs.io/en/latest/explanation/about-cloud-config.html) format. Add the following code to enable updates for users who can connect to the VM:

    ```bash theme={null}
    export USER_DATA=$(jq -Rs '.' <<EOF
    users:
      - name: $USER
        sudo: ALL=(ALL) NOPASSWD:ALL
        shell: /bin/bash
        ssh_authorized_keys:
          - $(cat ~/.ssh/id_ed25519.pub)

    package_update: true
    packages:
      - unattended-upgrades

    write_files:
      - path: /etc/apt/apt.conf.d/20auto-upgrades
        permissions: '0644'
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    runcmd:
      - systemctl unmask apt-daily.service apt-daily-upgrade.service
      - systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
      - systemctl restart unattended-upgrades
    EOF
    )
    ```

    Pass the configured user data to the `--cloud-init-user-data` parameter in the [nebius compute instance create](../../cli/reference/compute/instance/create) command.
  </Tab>

  <Tab title="Terraform">
    Create a configuration in the [cloud-init](https://cloudinit.readthedocs.io/en/latest/explanation/about-cloud-config.html) format. Add the following code to enable updates for users who can connect to the VM:

    ```bash theme={null}
    export USER_DATA=$(jq -Rs '.' <<EOF
    users:
      - name: $USER
        sudo: ALL=(ALL) NOPASSWD:ALL
        shell: /bin/bash
        ssh_authorized_keys:
          - $(cat ~/.ssh/id_ed25519.pub)

    package_update: true
    packages:
      - unattended-upgrades

    write_files:
      - path: /etc/apt/apt.conf.d/20auto-upgrades
        permissions: '0644'
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";

    runcmd:
      - systemctl unmask apt-daily.service apt-daily-upgrade.service
      - systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
      - systemctl restart unattended-upgrades
    EOF
    )
    ```

    Pass the configured user data to the `cloud_init_user_data` parameter in the Terraform resource for the VM.
  </Tab>
</Tabs>
