auto update with mixed repository

Because the center's security requirements are nitpicky and insist that apache2 must be upgraded to 2.4 or later, even though it obviously isn't any more secure, bla bla bla...

So for now only apache2 is set to come from sid, everything else uses stable, and unattended-upgrade takes care of the security updates.

The apt sources, in sources.list:

deb http://free.nchc.org.tw/debian/ sid main
deb-src http://free.nchc.org.tw/debian/ sid main

deb http://free.nchc.org.tw/debian/ jessie main
deb-src http://free.nchc.org.tw/debian/ jessie main

deb http://free.nchc.org.tw/debian/ wheezy main
deb-src http://free.nchc.org.tw/debian/ wheezy main

deb http://free.nchc.org.tw/debian-security/ wheezy/updates main
deb-src http://free.nchc.org.tw/debian-security/ wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb http://free.nchc.org.tw/debian/ wheezy-updates main
deb-src http://free.nchc.org.tw/debian/ wheezy-updates main

Next comes /etc/apt/preferences.d/20mixedrepository:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600

After that, run the usual apt-get update, and before installing a package you can use apt-cache policy to see which version would be installed:

apache2:
  Installed: 2.4.9-1
  Candidate: 2.4.9-1
  Version table:
 *** 2.4.9-1 0
        600 http://free.nchc.org.tw/debian/ sid/main amd64 Packages
        650 http://free.nchc.org.tw/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.22-13+deb7u1 0
        700 http://free.nchc.org.tw/debian/ wheezy/main amd64 Packages
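To make the output above easier to read, here is an added example (not code from the original post) that models how apt turns the pins in 20mixedrepository into a candidate version. It parses the preferences text, implements dpkg's version ordering, and applies apt's two rules: the highest pin priority wins, and a priority of 1000 or less never downgrades the installed version. The preferences text and the apache2 version table are constructed from the listings in this post; the package-specific 990 pin at the end is an assumed addition that shows how to keep apache2 on sid even on a fresh install.

```python
# Added example: model of apt's candidate selection under the post's pins.
import re
from functools import cmp_to_key

# Constructed from /etc/apt/preferences.d/20mixedrepository as shown in the post.
PREFERENCES = """\
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600
"""

# (version, suite) pairs constructed from the `apt-cache policy apache2` output above.
APACHE2_VERSIONS = [
    ("2.4.9-1", "unstable"),
    ("2.4.9-1", "testing"),
    ("2.2.22-13+deb7u1", "stable"),
]


def parse_preferences(text):
    """Return (package, suite, priority) records in file order.
    Only the `Pin: release a=<suite>` form used in the post is handled."""
    pins = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        suite = re.match(r"release\s+a=(\S+)", fields["Pin"]).group(1)
        pins.append((fields["Package"], suite, int(fields["Pin-Priority"])))
    return pins


def pin_priority(pkg, suite, pins):
    """apt_preferences(5): the first matching specific-form record wins, then the
    first matching general-form (Package: *) record; otherwise the default 500."""
    specific = [p for p in pins if p[0] != "*"]
    general = [p for p in pins if p[0] == "*"]
    for name, pin_suite, prio in specific + general:
        if name in ("*", pkg) and pin_suite == suite:
            return prio
    return 500


def _order(c):
    # Character weight used by dpkg: '~' sorts before everything, letters before others.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's comparison of one version part: alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Like `dpkg --compare-versions`: <0, 0 or >0 over epoch, upstream, revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def candidate(pkg, versions, pins, installed=None):
    """Highest priority wins (ties go to the higher version); unless that priority
    exceeds 1000, apt refuses to downgrade below the installed version.
    Returns (version, suite, priority)."""
    key = cmp_to_key(compare_versions)
    ranked = [(pin_priority(pkg, suite, pins), v, suite) for v, suite in versions]
    prio, version, suite = max(ranked, key=lambda r: (r[0], key(r[1])))
    if installed and prio <= 1000 and compare_versions(version, installed) < 0:
        # Downgrade refused: keep the installed version and report the
        # highest-priority source that still carries it.
        same = [r for r in ranked if compare_versions(r[1], installed) == 0]
        prio, version, suite = max(same) if same else (100, installed, "installed")
    return version, suite, prio


if __name__ == "__main__":
    pins = parse_preferences(PREFERENCES)
    # The post's situation: 2.4.9-1 already installed, so wheezy's 700 is a refused downgrade.
    print(candidate("apache2", APACHE2_VERSIONS, pins, installed="2.4.9-1"))
    # Fresh install with the same pins: stable wins and 2.2.22 would be installed.
    print(candidate("apache2", APACHE2_VERSIONS, pins))
    # Assumed per-package pin (not in the post): keeps apache2 alone on sid.
    extra = PREFERENCES + "\nPackage: apache2\nPin: release a=unstable\nPin-Priority: 990\n"
    print(candidate("apache2", APACHE2_VERSIONS, parse_preferences(extra)))
```

The second call is the point worth checking before trusting a mixed setup: with only the general pins, apache2 stays on 2.4.9 because apt will not downgrade, but a reinstall would pull 2.2.22 from wheezy. A package-specific pin like the one in the last call makes the choice explicit instead of relying on what happens to be installed.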

Next, set up automatic updates:

apt-get install unattended-upgrades exim4

The config file is /etc/apt/apt.conf.d/50unattended-upgrades (edit it with vi); it differs a bit between versions, so adapt as needed:

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
    // Archive or Suite based matching:
    // Note that this will silently match a different release after
    // migration to the specified archive (e.g. testing becomes the
    // new stable).
    //      "o=Debian,a=stable";
    "o=Debian,a=stable-updates";
    //      "o=Debian,a=proposed-updates";
    "origin=Debian,archive=stable,label=Debian-Security";
};
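As an added example (not from the original post), the following models which of the sources in this sources.list the Origins-Pattern above actually lets unattended-upgrades upgrade from. The Release-file fields (Origin, Label, Suite) for each suite are constructed here to mirror what Debian publishes, and the matcher is a simplified exact-match model of the real tool's pattern handling. The point it makes visible: only wheezy/updates and wheezy-updates match, so apache2 pulled from sid is not covered by the automatic upgrades and has to be updated by hand.

```python
# Added example: which configured sources the post's Origins-Pattern covers.

# Copied from the Origins-Pattern block in the post.
ORIGINS_PATTERN = [
    "o=Debian,a=stable-updates",
    "origin=Debian,archive=stable,label=Debian-Security",
]

# Constructed Release metadata for the suites in the post's sources.list.
SOURCES = {
    "sid":            {"origin": "Debian", "label": "Debian",          "archive": "unstable",       "codename": "sid"},
    "jessie":         {"origin": "Debian", "label": "Debian",          "archive": "testing",        "codename": "jessie"},
    "wheezy":         {"origin": "Debian", "label": "Debian",          "archive": "stable",         "codename": "wheezy"},
    "wheezy/updates": {"origin": "Debian", "label": "Debian-Security", "archive": "stable",         "codename": "wheezy"},
    "wheezy-updates": {"origin": "Debian", "label": "Debian",          "archive": "stable-updates", "codename": "wheezy"},
}

# Short keys accepted in Origins-Pattern entries, mapped to Release field names.
KEY_ALIASES = {"o": "origin", "l": "label", "a": "archive", "suite": "archive",
               "n": "codename", "c": "component"}


def parse_pattern(pattern):
    """Turn 'o=Debian,a=stable' into {'origin': 'Debian', 'archive': 'stable'}."""
    wanted = {}
    for item in pattern.split(","):
        key, _, value = item.strip().partition("=")
        wanted[KEY_ALIASES.get(key, key)] = value
    return wanted


def matches(release, pattern):
    """Every key=value pair in the pattern must equal the release's field (exact match)."""
    return all(release.get(k) == v for k, v in parse_pattern(pattern).items())


def allowed_sources(sources, patterns):
    """Names of the sources unattended-upgrades may take upgrades from."""
    return sorted(name for name, rel in sources.items()
                  if any(matches(rel, p) for p in patterns))


def uncovered_sources(sources, patterns):
    """Sources whose packages will only ever be upgraded by hand."""
    covered = set(allowed_sources(sources, patterns))
    return sorted(name for name in sources if name not in covered)


if __name__ == "__main__":
    print("auto-upgraded from:", allowed_sources(SOURCES, ORIGINS_PATTERN))
    print("manual only:       ", uncovered_sources(SOURCES, ORIGINS_PATTERN))
    # Uncommenting "o=Debian,a=stable" in the config would add plain wheezy as well.
    print("with a=stable:     ", allowed_sources(SOURCES, ORIGINS_PATTERN + ["o=Debian,a=stable"]))
```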

Next, set the update frequency in /etc/apt/apt.conf.d/02periodic; this is basically copied verbatim:

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

If you want to be notified, apt-get install apticron, and remember to set the email address in /etc/apticron/apticron.conf:

[...]
# set EMAIL to a space separated list of addresses which will be notified of
# impending updates
#
EMAIL="root 王爸但@狗屎院"
[...]

By default the mail won't actually go out like this, so you can go and configure exim4.

reference1: https://wiki.debian.org/AptPreferences
reference2: http://www.howtoforge.com/how-to-configure-automatic-updates-on-debian-squeeze
