Debian: automatic updates for security packages

Because many of the application services I run are built from the CT Templates that PVE provides (using TurnKey GNU/Linux 16.0 - Debian 10/Buster), and I had always set up automatic updates back when I used CentOS, I also looked up how to configure Debian to update automatically.

  • Install the unattended-upgrades package

    apt update && apt upgrade
    apt install unattended-upgrades -y
    sudo systemctl enable unattended-upgrades
    sudo systemctl start unattended-upgrades

  • Edit the configuration file

    vi /etc/apt/apt.conf.d/50unattended-upgrades
    :
    Unattended-Upgrade::Origins-Pattern {
            // Codename based matching:
            // This will follow the migration of a release through different
            // archives (e.g. from testing to stable and later oldstable).
            // Software will be the latest available for the named release,
            // but the Debian release itself will not be automatically upgraded.
    //      "origin=Debian,codename=${distro_codename}-updates";
    //      "origin=Debian,codename=${distro_codename}-proposed-updates";
            "origin=Debian,codename=${distro_codename},label=Debian";
            "origin=Debian,codename=${distro_codename},label=Debian-Security";
    :
    :
    // Remove unused automatically installed kernel-related packages
    // (kernel images, kernel headers and kernel version locked tools).
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
    
    // Do automatic removal of newly unused dependencies after the upgrade
    Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
    
    // Do automatic removal of unused packages after the upgrade
    // (equivalent to apt-get autoremove)
    Unattended-Upgrade::Remove-Unused-Dependencies "false";
    :

  • Set the automatic run parameters

    vi /etc/apt/apt.conf.d/20auto-upgrades
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::AutocleanInterval "7";

  • Verify that the configuration has no problems

    unattended-upgrades --dry-run --debug
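As an added check that is not from the original page: the following POSIX shell script verifies that the two files edited above still contain the intended settings, namely an active (not commented out) Debian-Security origin pattern and non-zero APT::Periodic values. The function names are this example's own, and the sample files its test uses are constructed.

```shell
#!/bin/sh
# Added check script, not part of the original page: verifies the settings this
# page configures by reading the apt.conf.d files directly. Helper names are
# this example's own.

# Succeeds when the Debian-Security origin pattern in 50unattended-upgrades is
# active, i.e. present on a line that is not commented out with "//".
# A missing file also counts as a failure.
security_origin_enabled() {
    grep -v '^[[:space:]]*//' "$1" |
        grep -Fq 'origin=Debian,codename=${distro_codename},label=Debian-Security'
}

# Succeeds when 20auto-upgrades sets APT::Periodic::<key> to a non-zero value.
#   $1 = path to 20auto-upgrades, $2 = key (e.g. Unattended-Upgrade)
periodic_enabled() {
    grep -Eq "^[[:space:]]*APT::Periodic::$2[[:space:]]+\"[1-9][0-9]*\";" "$1"
}

# Runs every check against the given apt.conf.d directory (default: the real
# one), prints one line per check and returns non-zero if any check failed.
check_autoupdate() {
    dir="${1:-/etc/apt/apt.conf.d}"
    rc=0
    if security_origin_enabled "$dir/50unattended-upgrades"; then
        echo "OK   Debian-Security origin is enabled"
    else
        echo "FAIL Debian-Security origin is missing or commented out"
        rc=1
    fi
    for key in Update-Package-Lists Unattended-Upgrade; do
        if periodic_enabled "$dir/20auto-upgrades" "$key"; then
            echo "OK   APT::Periodic::$key is enabled"
        else
            echo "FAIL APT::Periodic::$key is missing or set to 0"
            rc=1
        fi
    done
    return $rc
}
```

The script only inspects these two files; if another file in apt.conf.d overrides the values, `apt-config dump | grep Periodic` shows the merged result that apt actually uses.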

  • tech/debian_autoupdate.txt
  • Last changed: 2021/06/29 08:51
  • jonathan