Konfigurieren von "unbeaufsichtigten Upgrades" auf Raspbian Stretch

10

Ich habe kürzlich ein Upgrade von Jessie auf Stretch durchgeführt und eine neue Version der Konfigurationsdatei für erhalten unattended-upgrades. Seltsamerweise verweist diese neue Version auf Debian anstelle von Raspbian.

pi@kegerator:/etc/apt/apt.conf.d $ diff 50unattended-upgrades 50unattended-upgrades.ucf-old 
10,12c10,12
< //   c,component     (eg, "main", "contrib", "non-free")
< //   l,label         (eg, "Debian", "Debian-Security")
< //   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
---
> //   c,component     (eg, "main", "crontrib", "non-free")
> //   l,label         (eg, "Raspbian", "Raspbian-Security")
> //   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
14c14
< //     site          (eg, "http.debian.net")
---
> //     site          (eg, "http.Raspbian.net")
20c20
< // derived from /etc/debian_version:
---
> // derived from /etc/Raspbian_version:
27,30c27
< //      "o=Debian,n=jessie";
< //      "o=Debian,n=jessie-updates";
< //      "o=Debian,n=jessie-proposed-updates";
< //      "o=Debian,n=jessie,l=Debian-Security";
---
> //      "o=Raspbian,n=jessie";
36,39c33,34
< //      "o=Debian,a=stable";
< //      "o=Debian,a=stable-updates";
< //      "o=Debian,a=proposed-updates";
<         "origin=Debian,codename=${distro_codename},label=Debian-Security";
---
> //      "o=Raspbian,a=stable";
> 
85,87d79
< // Automatically reboot even if there are users currently logged in.
< //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
< 
96,102d87
< 
< // Enable logging to syslog. Default is False
< // Unattended-Upgrade::SyslogEnable "false";
< 
< // Specify syslog facility. Default is daemon
< // Unattended-Upgrade::SyslogFacility "daemon";
< 

Zwischen diesem Launchpad-Fehler , diesem Problem im Quell-Repo und mehreren Forenthemen, die das Fehlen des Raspbian-securityLabels beklagen , bin ich ziemlich verwirrt darüber, wie die "richtige" Konfiguration aussehen sollte.

Könnte jemand seine Arbeitskonfiguration unattended-upgradesfür Raspbian Stretch teilen ?

patricktokeeffe
quelle
Es kann hilfreich sein, unbeaufsichtigte Upgrades im Debug-Modus auszuführen und die Vergleiche zu betrachten. sudo unattended-upgrade -dvon wiki.debian.org/UnattendedUpgrades
HarlemSquirrel

Antworten:

9

Die wichtigsten Zeilen sind:

"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

Hier ist die gesamte Datei ( /etc/apt/apt.conf.d/50unattended-upgrades):

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Rapsbian", "Raspbian")
//   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Raspbian,n=jessie";
//      "o=Raspbian,n=jessie-updates";
//      "o=Raspbian,n=jessie-proposed-updates";
//      "o=Raspbian,n=jessie,l=Raspbian";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=testing";
        "origin=Raspbian,codename=${distro_codename},label=Raspbian";

        // Additionally, for those running Raspbian on a Raspberry Pi,
        // match packages from the Raspberry Pi Foundation as well.
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "[email protected]"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Upstream-Quelle: https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Raspbian

Peter Nowee
quelle
Hey Peter, es fehlen ein paar Ratschläge. So etwas wie ... Stellen Sie sicher, dass "origin = Raspbian, codename = $ {distro_codename}, label = Raspbian"; .... Zeile ist nicht auskommentiert und Sie werden feststellen, dass dies für Jesse, Stretch funktioniert und wahrscheinlich auch nach Stretch veröffentlicht wird.
Paul_h
Am Anfang meiner Antwort stehen die beiden wichtigsten Zeilen, einschließlich der von Ihnen erwähnten. Natürlich sollten sie nicht auskommentiert werden. Vielen Dank.
Peter Nowee
Entschuldigung Mann, ich war unklar. Ich schlage ausdrücklich vor, das Englisch in "Ganze Datei /etc/apt/apt.conf.d/50unattended-upgrades" zu korrigieren: Es fehlen ein oder zwei Wörter. Verweisen Sie auf ewigen Reddit-Witz - "Ich habe versehentlich ein Wort" reddit.com/r/AskReddit/comments/1d1wlx/…
paul_h
1
Würde dies nicht alle Raspbian-Updates installieren und nicht nur die sicherheitsrelevanten?
Lichtschalter 05
1
@lightswitch05 Ja, da Raspbian kein separates Sicherheits-Repository hat , werden auch andere Updates installiert, z. B. Punktversionen (z. B. von 9.3 bis 9.4). Aufgrund codename=${distro_codename}dessen wird jedoch nicht automatisch ein Upgrade auf eine neue Version durchgeführt (z. B. von 9 auf 10).
Peter Nowee