Debian: automatically updating security packages
Because I build a lot of application services from the CT Templates that PVE provides (TurnKey GNU/Linux 16.0 - Debian 10/Buster), and I had always set up automatic updates when using CentOS, I also looked into how to configure Debian for automatic updates.
Setup
- Install the unattended-upgrades package
    apt update && apt upgrade
    apt install unattended-upgrades -y
    sudo systemctl enable unattended-upgrades
    sudo systemctl start unattended-upgrades
- Edit the configuration file
    vi /etc/apt/apt.conf.d/50unattended-upgrades
    :
    Unattended-Upgrade::Origins-Pattern {
            // Codename based matching:
            // This will follow the migration of a release through different
            // archives (e.g. from testing to stable and later oldstable).
            // Software will be the latest available for the named release,
            // but the Debian release itself will not be automatically upgraded.
    //      "origin=Debian,codename=${distro_codename}-updates";
    //      "origin=Debian,codename=${distro_codename}-proposed-updates";
            "origin=Debian,codename=${distro_codename},label=Debian";
            "origin=Debian,codename=${distro_codename},label=Debian-Security";
    :
    :
    // Remove unused automatically installed kernel-related packages
    // (kernel images, kernel headers and kernel version locked tools).
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

    // Do automatic removal of newly unused dependencies after the upgrade
    Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

    // Do automatic removal of unused packages after the upgrade
    // (equivalent to apt-get autoremove)
    Unattended-Upgrade::Remove-Unused-Dependencies "false";
    :
- Configure the periodic run parameters
    vi /etc/apt/apt.conf.d/20auto-upgrades
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::AutocleanInterval "7";
- Verify that the configuration has no problems
    unattended-upgrades --dry-run --debug