I am wondering whether there exist some "best" configuration options for APT.
Mainly, I am concerned with "unattended-upgrades": I believe that a system should be kept updated as much as possible. Which is not the default configuration, as far as I can see.
I have written two option files, one for a typical desktop environment and another one for a typical server. I would like to hear feedbacks from other system maintainers. Do you agree with this kind of vision? Thank you.
Code: Select all
//APT configuration file for a typical Desktop environment,
//with medium-quality internet connection, shut down each day
//File name should be 51unattended-upgrades-desktop
// REM
// Following files are handled by:
// 00aptitude -> aptitude ? (generated)
// 01autoremove -> apt
// 01autoremove-kernels -> apt (generated)
// 01autoremove-postgresql -> postgresql
// 05aptitude -> aptitude ? (generated)
// 10periodic -> update-notifier-common
// 15update-stamp -> update-notifier-common
// 20changelog -> apt
// 20dbus -> aptdaemon
// 20archive -> update-notifier-common
// 20auto-upgrades -> unattended-upgrades (generated)
// 50unattended-upgrades -> unattended-upgrades
// 70debconf -> debconf
// 99update-notifier -> update-notifier-common
// 99synaptic -> synaptic ? (generated)
//
// see also /etc/cron.daily/apt
APT::Periodic::Update-Package-Lists "1"; //in days
APT::Periodic::Unattended-Upgrade "1"; //in days
APT::Periodic::Download-Upgradeable-Packages "0"; //in days
APT::Periodic::AutocleanInterval "30"; //in days
APT::Archive::MaxAge "30";
APT::Archive::MinAge "2";
APT::Archive::MaxSize "500";
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "50";
Code: Select all
//APT configuration file for a typical Server environment,
//with high-quality internet connection, almost-never shut down
//File name should be 51unattended-upgrades-server
// REM
// Following files are handled by:
// 00aptitude -> aptitude ? (generated)
// 01autoremove -> apt
// 01autoremove-kernels -> apt (generated)
// 01autoremove-postgresql -> postgresql
// 05aptitude -> aptitude ? (generated)
// 10periodic -> update-notifier-common
// 15update-stamp -> update-notifier-common
// 20changelog -> apt
// 20dbus -> aptdaemon
// 20archive -> update-notifier-common
// 20auto-upgrades -> unattended-upgrades (generated)
// 50unattended-upgrades -> unattended-upgrades
// 70debconf -> debconf
// 99update-notifier -> update-notifier-common
// 99synaptic -> synaptic ? (generated)
//
// see also /etc/cron.daily/apt
APT::Periodic::Update-Package-Lists "1"; //in days
APT::Periodic::Unattended-Upgrade "7"; //in days
APT::Periodic::Download-Upgradeable-Packages "1"; //in days
APT::Periodic::AutocleanInterval "30"; //in days
APT::Archives::MaxAge "0";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "0";
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "50";