Configuración de 'actualizaciones desatendidas' en Raspbian Stretch

Recientemente actualicé de Jessie a Stretch y recibí una nueva versión del archivo de configuración unattended-upgrades. Curiosamente, esta nueva versión hace referencia a Debian en lugar de Raspbian.

pi@kegerator:/etc/apt/apt.conf.d $ diff 50unattended-upgrades 50unattended-upgrades.ucf-old 
10,12c10,12
< //   c,component     (eg, "main", "contrib", "non-free")
< //   l,label         (eg, "Debian", "Debian-Security")
< //   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
---
> //   c,component     (eg, "main", "crontrib", "non-free")
> //   l,label         (eg, "Raspbian", "Raspbian-Security")
> //   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
14c14
< //     site          (eg, "http.debian.net")
---
> //     site          (eg, "http.Raspbian.net")
20c20
< // derived from /etc/debian_version:
---
> // derived from /etc/Raspbian_version:
27,30c27
< //      "o=Debian,n=jessie";
< //      "o=Debian,n=jessie-updates";
< //      "o=Debian,n=jessie-proposed-updates";
< //      "o=Debian,n=jessie,l=Debian-Security";
---
> //      "o=Raspbian,n=jessie";
36,39c33,34
< //      "o=Debian,a=stable";
< //      "o=Debian,a=stable-updates";
< //      "o=Debian,a=proposed-updates";
<         "origin=Debian,codename=${distro_codename},label=Debian-Security";
---
> //      "o=Raspbian,a=stable";
> 
85,87d79
< // Automatically reboot even if there are users currently logged in.
< //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
< 
96,102d87
< 
< // Enable logging to syslog. Default is False
< // Unattended-Upgrade::SyslogEnable "false";
< 
< // Specify syslog facility. Default is daemon
< // Unattended-Upgrade::SyslogFacility "daemon";
<

Entre este error de Launchpad , este problema en el repositorio de origen y varios temas del foro que lamentan la ausencia de la Raspbian-securityetiqueta, estoy bastante confundido acerca de cuál debería ser la configuración "correcta".

¿Alguien podría compartir su unattended-upgradesconfiguración de trabajo para Raspbian Stretch?

update raspbian-stretch

— patricktokeeffe
fuente

Puede ser útil ejecutar actualizaciones desatendidas en modo de depuración y ver las comparaciones. sudo unattended-upgrade -dde wiki.debian.org/UnattendedUpgrades

— HarlemSquirrel

Las líneas más importantes son:

"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

Aquí está el archivo completo ( /etc/apt/apt.conf.d/50unattended-upgrades):

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Rapsbian", "Raspbian")
//   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Raspbian,n=jessie";
//      "o=Raspbian,n=jessie-updates";
//      "o=Raspbian,n=jessie-proposed-updates";
//      "o=Raspbian,n=jessie,l=Raspbian";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=testing";
        "origin=Raspbian,codename=${distro_codename},label=Raspbian";

        // Additionally, for those running Raspbian on a Raspberry Pi,
        // match packages from the Raspberry Pi Foundation as well.
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Fuente ascendente: https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Raspbian

— Peter Nowee
fuente

Hola Peter, faltan algunas palabras de consejo. Algo así como ... Asegúrese de que "origin = Raspbian, codename = $ {distro_codename}, label = Raspbian"; .... la línea no está comentada y encontrará que esto funciona para Jesse, Stretch y probablemente también se lance después de Stretch.

— paul_h

La parte superior de mi respuesta menciona las dos líneas más importantes, incluida la que usted menciona. Por supuesto, no deben comentarse. Gracias.

— Peter Nowee

Lo siento hombre, no estaba claro. Estoy sugiriendo específicamente corregir el inglés en "Archivo completo /etc/apt/apt.conf.d/50unattended-upgrades:" Le faltan una o dos palabras. Consulte la broma eterna de Reddit - "Accidentalmente una palabra" reddit.com/r/AskReddit/comments/1d1wlx/…

— paul_h

¿No instalaría esto todas las actualizaciones de Raspbian y no solo las relacionadas con la seguridad?

— lightswitch05

@ lightswitch05 Sí, porque Raspbian no tiene un repositorio de seguridad separado , esto también instalará otras actualizaciones, como lanzamientos puntuales (por ejemplo, de 9.3 a 9.4). Sin embargo, debido a codename=${distro_codename}que no se actualizará automáticamente a una nueva versión (por ejemplo, de 9 a 10).

— Peter Nowee