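====== Debian: Automatic Security Package Updates ======
I run a large number of application services built from the CT Templates provided in PVE (based on TurnKey GNU/Linux 16.0 - Debian 10/Buster). Since I had already [[tech/centosupdate|set up automatic updates on CentOS]], I also looked into how to configure automatic updates on Debian.
===== Setup =====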
* Install the unattended-upgrades package
<code bash>
apt update && apt upgrade
apt install unattended-upgrades -y
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades
</code>
* Edit the configuration file
<code>
vi /etc/apt/apt.conf.d/50unattended-upgrades
:
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
:
:
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "false";
:
</code>
* Configure the periodic (automatic run) parameters
<code>
vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
</code>
* Verify that the configuration is correct
<code bash>
unattended-upgrades --dry-run --debug
</code>
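The following is an added example, not part of the original page: a small POSIX shell audit of the two files edited above, which helps when the same settings must be checked on many containers. The function names and the sample file contents are constructed for illustration, and it assumes the files use only ''%%//%%'' comments, as the stock Debian files do.

```shell
#!/bin/sh
# Added example: audit copies of the two files edited above (paths are parameters).
# Assumption: only "//" comments are used, as in the stock Debian files.

# Print an apt.conf file without // comments and blank lines.
strip_comments() {
    sed -e 's|//.*$||' -e '/^[[:space:]]*$/d' "$1"
}

# Print the value of APT::Periodic::<key> ($2) in file $1; empty if unset.
periodic_value() {
    strip_comments "$1" |
        sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" |
        tail -n 1
}

# Succeed only if an uncommented Debian-Security origin pattern is present in $1.
security_origin_enabled() {
    strip_comments "$1" | grep -Eq '^[[:space:]]*"origin=Debian,.*label=Debian-Security";'
}

# $1 = 20auto-upgrades, $2 = 50unattended-upgrades. Returns the number of findings.
audit_auto_upgrades() {
    findings=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            ''|0) echo "FAIL APT::Periodic::$key is '${val:-unset}' (disabled)"
                  findings=$((findings + 1)) ;;
            *)    echo "ok   APT::Periodic::$key = $val" ;;
        esac
    done
    if security_origin_enabled "$2"; then
        echo "ok   Debian-Security origin is active"
    else
        echo "FAIL Debian-Security origin is missing or commented out"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input (not from a real host): upgrades disabled, security origin commented out.
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' 'APT::Periodic::Unattended-Upgrade "0";' > "$demo/20auto-upgrades"
printf '%s\n' 'Unattended-Upgrade::Origins-Pattern {' '//  "origin=Debian,codename=${distro_codename},label=Debian-Security";' '};' > "$demo/50unattended-upgrades"
audit_auto_upgrades "$demo/20auto-upgrades" "$demo/50unattended-upgrades" || echo "findings: $?"
```

On a real host, pass ''/etc/apt/apt.conf.d/20auto-upgrades'' and ''/etc/apt/apt.conf.d/50unattended-upgrades'' as the two arguments; a non-zero exit status is the number of failed checks.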
===== References =====
* https://www.linode.com/docs/guides/how-to-configure-automated-security-updates-debian/
{{tag>debian apt auto_update}}