diff --git a/pages/UbuntuAutoUpgrade.md b/pages/UbuntuAutoUpgrade.md index 794823d..3a78cf3 100644 --- a/pages/UbuntuAutoUpgrade.md +++ b/pages/UbuntuAutoUpgrade.md @@ -9,24 +9,50 @@ apt-get install unattended-upgrades Edit /etc/apt/apt.conf.d/10periodic ``` +// Enable the update/upgrade script (0=disable) +APT::Periodic::Enable "1"; + +// Do "apt-get update" automatically every n-days (0=disable) APT::Periodic::Update-Package-Lists "1"; + +// Do "apt-get upgrade --download-only" every n-days (0=disable) APT::Periodic::Download-Upgradeable-Packages "1"; -APT::Periodic::AutocleanInterval "7"; + +// Run the "unattended-upgrade" security upgrade script +// every n-days (0=disabled) +// Requires the package "unattended-upgrades" and will write +// a log in /var/log/unattended-upgrades APT::Periodic::Unattended-Upgrade "1"; + +// Do "apt-get autoclean" every n-days (0=disable) +APT::Periodic::AutocleanInterval "7"; + +// Try to cover vuln +// APT::Acquire::http::AllowRedirect "0"; ``` Edit /etc/apt/apt.conf.d/50unattended-upgrades ``` // Automatically upgrade packages from these (origin:archive) pairs +// +// Note that in Ubuntu security updates may pull in new dependencies +// from non-security sources (e.g. chromium). By allowing the release +// pocket these get automatically pulled in. Unattended-Upgrade::Allowed-Origins { + "${distro_id}:${distro_codename}"; "${distro_id}:${distro_codename}-security"; + // Extended Security Maintenance; doesn't necessarily exist for + // every release and this system may not have it installed, but if + // available, the policy for updates is such that unattended-upgrades + // should also install from here by default. + "${distro_id}ESM:${distro_codename}"; "${distro_id}:${distro_codename}-updates"; // "${distro_id}:${distro_codename}-proposed"; // "${distro_id}:${distro_codename}-backports"; }; -// List of packages to not update +// List of packages to not update (regexp are supported) Unattended-Upgrade::Package-Blacklist { // "vim"; // "libc6"; @@ -34,6 +60,10 @@ Unattended-Upgrade::Package-Blacklist { // "libc6-i686"; }; +// This option will controls whether the development release of Ubuntu will be +// upgraded automatically. +Unattended-Upgrade::DevRelease "false"; + // This option allows you to control if on a unclean dpkg exit // unattended-upgrades will automatically run // dpkg --force-confold --configure -a @@ -41,12 +71,12 @@ Unattended-Upgrade::Package-Blacklist { //Unattended-Upgrade::AutoFixInterruptedDpkg "false"; // Split the upgrade into the smallest possible chunks so that -// they can be interrupted with SIGUSR1. This makes the upgrade +// they can be interrupted with SIGTERM. This makes the upgrade // a bit slower but it has the benefit that shutdown while a upgrade // is running is possible (with a small delay) -//Unattended-Upgrade::MinimalSteps "true"; +//Unattended-Upgrade::MinimalSteps "false"; -// Install all unattended-upgrades when the machine is shuting down +// Install all unattended-upgrades when the machine is shutting down // instead of doing it in the background while the machine is running // This will (obviously) make shutdown slower //Unattended-Upgrade::InstallOnShutdown "true"; @@ -54,23 +84,47 @@ Unattended-Upgrade::Package-Blacklist { // Send email to this address for problems or packages upgrades // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides -// 'mailx' must be installed. -//Unattended-Upgrade::Mail "root@localhost"; +// 'mailx' must be installed. E.g. "user@example.com" +//Unattended-Upgrade::Mail "root"; +Unattended-Upgrade::Mail "root"; // Set this value to "true" to get emails only on errors. Default // is to always send a mail if Unattended-Upgrade::Mail is set //Unattended-Upgrade::MailOnlyOnError "true"; +// Remove unused automatically installed kernel-related packages +// (kernel images, kernel headers and kernel version locked tools). +//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false"; + // Do automatic removal of new unused dependencies after the upgrade // (equivalent to apt-get autoremove) +//Unattended-Upgrade::Remove-Unused-Dependencies "false"; Unattended-Upgrade::Remove-Unused-Dependencies "true"; -// Automatically reboot *WITHOUT CONFIRMATION* if a -// the file /var/run/reboot-required is found after the upgrade +// Automatically reboot *WITHOUT CONFIRMATION* +// if the file /var/run/reboot-required is found after the upgrade //Unattended-Upgrade::Automatic-Reboot "false"; +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +//Unattended-Upgrade::Automatic-Reboot-Time "02:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 70kb/sec //Acquire::http::Dl-Limit "70"; + +// Enable logging to syslog. Default is False +// Unattended-Upgrade::SyslogEnable "false"; + +// Specify syslog facility. Default is daemon +// Unattended-Upgrade::SyslogFacility "daemon"; + +// Download and install upgrades only on AC power +// (i.e. skip or gracefully stop updates on battery) +// Unattended-Upgrade::OnlyOnACPower "true"; + +// Download and install upgrades only on non-metered connection +// (i.e. skip or gracefully stop updates on a metered connection) +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; ```