Configuring "unattended-upgrades" on Raspbian Stretch

10

I recently upgraded from Jessie to Stretch and received a new version of the configuration file for unattended-upgrades. Curiously, this new version refers to Debian instead of Raspbian.

pi@kegerator:/etc/apt/apt.conf.d $ diff 50unattended-upgrades 50unattended-upgrades.ucf-old 
10,12c10,12
< //   c,component     (eg, "main", "contrib", "non-free")
< //   l,label         (eg, "Debian", "Debian-Security")
< //   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
---
> //   c,component     (eg, "main", "crontrib", "non-free")
> //   l,label         (eg, "Raspbian", "Raspbian-Security")
> //   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
14c14
< //     site          (eg, "http.debian.net")
---
> //     site          (eg, "http.Raspbian.net")
20c20
< // derived from /etc/debian_version:
---
> // derived from /etc/Raspbian_version:
27,30c27
< //      "o=Debian,n=jessie";
< //      "o=Debian,n=jessie-updates";
< //      "o=Debian,n=jessie-proposed-updates";
< //      "o=Debian,n=jessie,l=Debian-Security";
---
> //      "o=Raspbian,n=jessie";
36,39c33,34
< //      "o=Debian,a=stable";
< //      "o=Debian,a=stable-updates";
< //      "o=Debian,a=proposed-updates";
<         "origin=Debian,codename=${distro_codename},label=Debian-Security";
---
> //      "o=Raspbian,a=stable";
> 
85,87d79
< // Automatically reboot even if there are users currently logged in.
< //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
< 
96,102d87
< 
< // Enable logging to syslog. Default is False
< // Unattended-Upgrade::SyslogEnable "false";
< 
< // Specify syslog facility. Default is daemon
< // Unattended-Upgrade::SyslogFacility "daemon";
< 

Between this Launchpad bug, this issue in the source repository and several forum threads lamenting the absence of the Raspbian-security label, I am quite confused about the "correct" configuration.

Could someone share their working unattended-upgrades configuration for Raspbian Stretch?

patricktokeeffe
It may help to run unattended-upgrades in debug mode and look at the comparisons: sudo unattended-upgrade -d, from wiki.debian.org/UnattendedUpgrades
HarlemSquirrel

Answers:

10

The most important lines are:

"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

Here is the whole file (/etc/apt/apt.conf.d/50unattended-upgrades):

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Raspbian", "Raspberry Pi Foundation")
//   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Raspbian,n=jessie";
//      "o=Raspbian,n=jessie-updates";
//      "o=Raspbian,n=jessie-proposed-updates";
//      "o=Raspbian,n=jessie,l=Raspbian";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=testing";
        "origin=Raspbian,codename=${distro_codename},label=Raspbian";

        // Additionally, for those running Raspbian on a Raspberry Pi,
        // match packages from the Raspberry Pi Foundation as well.
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Upstream source: https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Raspbian

Peter Nowee
Hey Peter, some guidance is missing. Something like .... Make sure that the "origin=Raspbian,codename=${distro_codename},label=Raspbian"; .... line is not commented out and you will find that it works for Jessie, Stretch and probably after Stretch too.
paul_h
The top of my answer mentions the two most important lines, including the one you mention. Of course, they should not be commented out. Thanks.
Peter Nowee
Sorry man, I wasn't clear. I am specifically suggesting fixing the English in "Whole file /etc/apt/apt.conf.d/50unattended-upgrades:" It is missing a word or two. See the eternal Reddit joke - "I accidentally a word" reddit.com/r/AskReddit/comments/1d1wlx/…
paul_h
1
Wouldn't this install all Raspbian updates and not just the security-related ones?
lightswitch05
1
@lightswitch05 Yes, because Raspbian has no separate security repository, this will also install other updates, such as point releases (e.g. from 9.3 to 9.4). However, because of codename=${distro_codename}, it will not automatically upgrade to a new release (e.g. from 9 to 10).
Peter Nowee
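
An added example, not part of the original posts and not code from unattended-upgrades itself: a simplified Python re-implementation of the Origins-Pattern rule described in the file's comments (every supplied keyword must match, omitted keywords are wildcards), used to check which sources a pattern list would allow. The function names are hypothetical and the Release fields in RELEASES are constructed sample values standing in for what "apt-cache policy" reports.

```python
from fnmatch import fnmatchcase

# Keyword aliases listed in the comments of 50unattended-upgrades.
ALIASES = {
    "a": "archive", "archive": "archive", "suite": "archive",
    "c": "component", "component": "component",
    "l": "label", "label": "label",
    "o": "origin", "origin": "origin",
    "n": "codename", "codename": "codename",
    "site": "site",
}

def parse_pattern(line, distro_id, distro_codename):
    """Turn one Origins-Pattern line into {field: glob}, expanding the macros."""
    line = line.strip().rstrip(";").strip('"')
    line = line.replace("${distro_id}", distro_id)
    line = line.replace("${distro_codename}", distro_codename)
    fields = {}
    for token in line.split(","):
        key, sep, value = token.partition("=")
        if not sep or key.strip() not in ALIASES:
            raise ValueError(f"bad keyword in pattern: {token!r}")
        fields[ALIASES[key.strip()]] = value.strip()
    return fields

def matches(pattern, release):
    """All supplied keywords must match; omitted keywords are wildcards."""
    return all(fnmatchcase(release.get(f, ""), g) for f, g in pattern.items())

def allowed_sources(lines, releases, distro_id, distro_codename):
    """Names of the sources that at least one pattern line allows."""
    pats = [parse_pattern(l, distro_id, distro_codename) for l in lines]
    return [r["name"] for r in releases if any(matches(p, r) for p in pats)]

# Constructed sample Release metadata (not captured from a real system).
RELEASES = [
    {"name": "raspbian", "origin": "Raspbian", "label": "Raspbian", "codename": "stretch"},
    {"name": "raspberrypi", "origin": "Raspberry Pi Foundation",
     "label": "Raspberry Pi Foundation", "codename": "stretch"},
    {"name": "raspbian-next", "origin": "Raspbian", "label": "Raspbian", "codename": "buster"},
]
# The only active line in the Debian-flavoured file from the question's diff.
DEBIAN_DEFAULT = ['"origin=Debian,codename=${distro_codename},label=Debian-Security";']
# The two lines from the answer.
ANSWER = [
    '"origin=Raspbian,codename=${distro_codename},label=Raspbian";',
    '"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";',
]

if __name__ == "__main__":
    for label, lines in (("debian default", DEBIAN_DEFAULT), ("answer", ANSWER)):
        print(label, "->", allowed_sources(lines, RELEASES, "Raspbian", "stretch"))
```

With the Debian-flavoured pattern nothing is allowed, so no updates would ever be installed unattended; with the answer's lines both stretch sources are allowed while the buster source stays excluded.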