auto update with mixed repository

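Because the center's information-security requirements are nitpicky, apache2 has to be upgraded to 2.4 or later, even though that obviously isn't any more secure, blah blah blah..

So for now only apache2 is set to use sid and everything else uses stable, with unattended-upgrade handling the security updates.

The apt sources, sources.list: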

deb sid main
deb-src sid main

deb jessie main
deb-src jessie main

deb wheezy main
deb-src wheezy main

deb wheezy/updates main
deb-src wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb wheezy-updates main
deb-src wheezy-updates main

Next is /etc/apt/preferences.d/20mixedrepository:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600

After that, run the usual apt-get update. Before installing a package, you can use apt-cache policy to see which version will be installed:

Installed: 2.4.9-1
Candidate: 2.4.9-1
Version table:
*** 2.4.9-1 0
600 sid/main amd64 Packages
650 jessie/main amd64 Packages
100 /var/lib/dpkg/status
2.2.22-13+deb7u1 0
700 wheezy/main amd64 Packages
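
An added example, not part of the original post: a Python audit that parses `apt-cache policy` output like the above and lists packages whose installed version no wheezy suite offers, which are the ones an unattended-upgrades setup limited to stable origins will not touch. The mirror host `mirror.example`, the package `examplepkg`, and the `TRUSTED` suite list are assumptions made for the sample.

```python
import re

# Constructed sample in `apt-cache policy` layout (Candidate lines omitted): the
# apache2 versions and priorities follow the post; mirror.example and
# examplepkg are placeholders.
SAMPLE = """\
apache2:
  Installed: 2.4.9-1
  Version table:
 *** 2.4.9-1 0
        600 http://mirror.example/debian/ sid/main amd64 Packages
        650 http://mirror.example/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     2.2.22-13+deb7u1 0
        700 http://mirror.example/debian/ wheezy/main amd64 Packages
examplepkg:
  Installed: 1.0-1+deb7u1
  Version table:
 *** 1.0-1+deb7u1 0
        700 http://mirror.example/security/ wheezy/updates/main amd64 Packages
"""

TRUSTED = ("wheezy/", "wheezy-updates/")  # suites expected to auto-upgrade (assumption)
SOURCE = re.compile(r"^(-?\d+)\s+\S+\s+(\S+/\S+)\s+\S+\s+Packages$")
VERSION = re.compile(r"^(?:\*\*\*\s+)?(\S+)\s+-?\d+$")

def parse_policy(text):
    """Map package -> {'installed': version, 'versions': {version: [(prio, suite)]}}."""
    pkgs, cur, ver = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw[:1].strip() and line.endswith(":"):  # unindented "name:" header
            cur, ver = pkgs.setdefault(line[:-1], {"installed": None, "versions": {}}), None
        elif cur is not None and line.startswith("Installed:"):
            cur["installed"] = line.split(":", 1)[1].strip()
        elif ver is not None and (m := SOURCE.match(line)):
            # The dpkg status line has no suite field, so it never matches SOURCE.
            cur["versions"].setdefault(ver, []).append((int(m.group(1)), m.group(2)))
        elif cur is not None and (m := VERSION.match(line)):
            ver = m.group(1)
    return pkgs

def outside_trusted(pkgs, trusted=TRUSTED):
    """Installed packages whose installed version no trusted suite offers."""
    flagged = {}
    for name, info in pkgs.items():
        suites = [s for _, s in info["versions"].get(info["installed"], [])]
        installed = info["installed"] not in (None, "(none)")
        if installed and not any(s.startswith(trusted) for s in suites):
            flagged[name] = suites
    return flagged
```

Calling `outside_trusted(parse_policy(text))` on the saved output of `apt-cache policy <packages>` returns the packages that the pins have moved off the stable suites, together with the suites that carry them.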


apt-get install unattended-upgrades exim4

The config file: vi /etc/apt/apt.conf.d/50unattended-upgrades. This differs somewhat between versions, so adjust it as you see fit.

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
    // Archive or Suite based matching:
    // Note that this will silently match a different release after
    // migration to the specified archive (e.g. testing becomes the
    // new stable).
    //      "o=Debian,a=stable";
    //      "o=Debian,a=proposed-updates";

Next, set the update frequency: vi /etc/apt/apt.conf.d/02periodic. This is basically copied verbatim.

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

If you want to receive notifications, apt-get install apticron, and remember to set the email address: vi /etc/apticron/apticron.conf

# set EMAIL to a space separated list of addresses which will be notified of
# impending updates
EMAIL="root 王爸但@狗屎院"


