Debian
無人值守升級預設不檢測 Linux 核心安全更新
(注意在下面,
<my_hosting_provider>為了隱私,我已經用 , 替換了我的 VPS 託管服務提供商的域。)我的 Debian 9.3 “Stretch”實例顯示核心更新可用:
# apt list --upgradable -a Listing... Done linux-image-amd64/stable 4.9+80+deb9u3 amd64 [upgradable from: 4.9+80+deb9u2] linux-image-amd64/stable,now 4.9+80+deb9u2 amd64 [installed,upgradable to: 4.9+80+deb9u3]我相信
4.9+80+deb9u3這與4.9.65-3+deb9u2最近旨在解決CVE-2017-5754(又名Meltdown )的核心安全更新相同。預設配置無法安裝核心安全更新
Unattended-Upgrade::Origins-Patternin的預設內容/etc/apt/apt.conf.d/50unattended-upgrades是:Unattended-Upgrade::Origins-Pattern { "origin=Debian,codename=${distro_codename},label=Debian-Security"; };使用該配置,無法安裝核心安全更新:
# unattended-upgrades -v -d Initial blacklisted packages: Initial whitelisted packages: Starting unattended upgrades script Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security'] Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>]) pkg 'firmware-linux-free' not in allowed origin sanity check failed pkgs that look like they should be upgraded: Fetched 0 B in 0s (0 B/s) fetch.run() result: 0 blacklist: [] whitelist: [] Packages that will be upgraded: InstCount=0 DelCount=0 BrokenCount=0 Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:11:22' Sending mail to 'root' mail returned: 0修改後的配置安裝核心安全更新
如果我
Unattended-Upgrade::Origins-Pattern改變/etc/apt/apt.conf.d/50unattended-upgrades閱讀Unattended-Upgrade::Origins-Pattern { "origin=Debian,codename=${distro_codename},label=Debian"; "origin=Debian,codename=${distro_codename},label=Debian-Security"; };然後找到並安裝了安全更新:
# unattended-upgrades -v -d Initial blacklisted packages: Initial whitelisted packages: Starting unattended upgrades script Allowed origins are: ['origin=Debian,codename=stretch,label=Debian', 'origin=Debian,codename=stretch,label=Debian-Security'] Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>]) pkgs that look like they should be upgraded: linux-image-amd64 Fetched 0 B in 0s (0 B/s) fetch.run() result: 0 <apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 19196 DestFile:'/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/f/firmware-free/firmware-linux-free_3.4_all.deb' ID:0 ErrorText: ''> check_conffile_prompt('/var/cache/apt/archives/firmware-linux-free_3.4_all.deb') No conffiles in deb '/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' (There is no member named 'conffiles') <apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 33252 DestFile:'/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/n/numactl/libnuma1_2.0.11-2.1_amd64.deb' ID:0 ErrorText: ''> check_conffile_prompt('/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb') No conffiles in deb '/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' (There is no member named 'conffiles') <apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 38768102 DestFile:'/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' ID:0 ErrorText: ''> check_conffile_prompt('/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb') No conffiles in deb '/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' (There is no member named 'conffiles') <apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 6994 DestFile:'/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux-latest/linux-image-amd64_4.9+80+deb9u3_amd64.deb' ID:0 ErrorText: ''> check_conffile_prompt('/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb') found pkg: linux-image-amd64 No conffiles in deb '/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' (There is no member named 'conffiles') <apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 40396 DestFile:'/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/i/irqbalance/irqbalance_1.1.0-2.3_amd64.deb' ID:0 ErrorText: ''> check_conffile_prompt('/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb') blacklist: [] whitelist: [] Packages that will be upgraded: linux-image-amd64 Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' apt-listchanges: Reading changelogs... Preconfiguring packages ... Selecting previously unselected package firmware-linux-free. (Reading database ... 45465 files and directories currently installed.) Preparing to unpack .../firmware-linux-free_3.4_all.deb ... Unpacking firmware-linux-free (3.4) ... Selecting previously unselected package libnuma1:amd64. Preparing to unpack .../libnuma1_2.0.11-2.1_amd64.deb ... Unpacking libnuma1:amd64 (2.0.11-2.1) ... Selecting previously unselected package linux-image-4.9.0-5-amd64. Preparing to unpack .../linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb ... Unpacking linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ... Preparing to unpack .../linux-image-amd64_4.9+80+deb9u3_amd64.deb ... Unpacking linux-image-amd64 (4.9+80+deb9u3) over (4.9+80+deb9u2) ... Selecting previously unselected package irqbalance. Preparing to unpack .../irqbalance_1.1.0-2.3_amd64.deb ... Unpacking irqbalance (1.1.0-2.3) ... Setting up libnuma1:amd64 (2.0.11-2.1) ... Setting up linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ... I: /vmlinuz.old is now a symlink to boot/vmlinuz-4.9.0-4-amd64 I: /initrd.img.old is now a symlink to boot/initrd.img-4.9.0-4-amd64 I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-5-amd64 I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-5-amd64 /etc/kernel/postinst.d/initramfs-tools: update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64 /etc/kernel/postinst.d/zz-update-grub: Generating grub configuration file ... Found linux image: /boot/vmlinuz-4.9.0-5-amd64 Found initrd image: /boot/initrd.img-4.9.0-5-amd64 Found linux image: /boot/vmlinuz-4.9.0-4-amd64 Found initrd image: /boot/initrd.img-4.9.0-4-amd64 Found linux image: /boot/vmlinuz-4.9.0-3-amd64 Found initrd image: /boot/initrd.img-4.9.0-3-amd64 done Setting up linux-image-amd64 (4.9+80+deb9u3) ... Processing triggers for libc-bin (2.24-11+deb9u1) ... Processing triggers for systemd (232-25+deb9u1) ... Setting up firmware-linux-free (3.4) ... update-initramfs: deferring update (trigger activated) Processing triggers for man-db (2.7.6.1-2) ... Setting up irqbalance (1.1.0-2.3) ... Processing triggers for initramfs-tools (0.130) ... update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64 Processing triggers for systemd (232-25+deb9u1) ... All upgrades installed InstCount=0 DelCount=0 BrokenCount=0 Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:24:35' Sending mail to 'root' mail returned: 0 Found /var/run/reboot-required, rebooting問題
- 關於未能使用預設配置安裝安全更新,我是否應該針對 Debian 的某些部分送出錯誤,或者這是預期的行為(如果是,為什麼)?
- 我只想
unattended-upgrades執行安全更新。鑑於預設配置未成功,我該如何實現?
根據上面評論中的回饋,這似乎是一個錯誤。
現在已在此處送出了相應的錯誤報告。
通過拉伸,無人值守升級僅在早上 6 點到 7 點之間開始。從 apt 包的 NEWS 文件中:
容易(1.4.2)不穩定;緊急=中等
如果啟用了定期更新和無人值守升級,則定期更新的開始現在分佈在 24 小時間隔內(如 1.2 到 1.4),而無人值守升級的開始時間限制在早上 6 點到 7 點之間。這只會影響使用 systemd 的系統,其他系統仍然使用經典的每小時 cron 作業。
- Julian Andres Klode 2017 年 5 月 4 日星期四 22:54:02 +0200