Best APT configurations with unattended-upgrades

luca-vercelli
Posts: 1
Joined: 2015-08-28 17:25

Best APT configurations with unattended-upgrades

#1 Post by luca-vercelli »

Dear all,
I am wondering whether there exist some "best" configuration options for APT.
Mainly, I am concerned with "unattended-upgrades": I believe that a system should be kept updated as much as possible. Which is not the default configuration, as far as I can see.

I have written two option files, one for a typical desktop environment and another one for a typical server. I would like to hear feedback from other system maintainers. Do you agree with this kind of vision? Thank you.

Code:

//APT configuration file for a typical Desktop environment,
//with medium-quality internet connection, shut down each day

//File name should be 51unattended-upgrades-desktop

// REM
// Following files are handled by:
// 00aptitude -> aptitude ? (generated)
// 01autoremove -> apt
// 01autoremove-kernels -> apt (generated)
// 01autoremove-postgresql -> postgresql
// 05aptitude -> aptitude ? (generated)
// 10periodic -> update-notifier-common
// 15update-stamp -> update-notifier-common
// 20changelog -> apt
// 20dbus -> aptdaemon
// 20archive -> update-notifier-common
// 20auto-upgrades -> unattended-upgrades (generated)
// 50unattended-upgrades -> unattended-upgrades
// 70debconf -> debconf
// 99update-notifier -> update-notifier-common
// 99synaptic -> synaptic ? (generated)
//
// see also  /etc/cron.daily/apt 

APT::Periodic::Update-Package-Lists "1"; //in days
APT::Periodic::Unattended-Upgrade "1"; //in days
APT::Periodic::Download-Upgradeable-Packages "0"; //in days
APT::Periodic::AutocleanInterval "30"; //in days

APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or package upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this limits the download
// speed to 50 kB/sec
Acquire::http::Dl-Limit "50";

Code:

//APT configuration file for a typical Server environment,
//with high-quality internet connection, almost-never shut down

//File name should be 51unattended-upgrades-server

// REM
// Following files are handled by:
// 00aptitude -> aptitude ? (generated)
// 01autoremove -> apt
// 01autoremove-kernels -> apt (generated)
// 01autoremove-postgresql -> postgresql
// 05aptitude -> aptitude ? (generated)
// 10periodic -> update-notifier-common
// 15update-stamp -> update-notifier-common
// 20changelog -> apt
// 20dbus -> aptdaemon
// 20archive -> update-notifier-common
// 20auto-upgrades -> unattended-upgrades (generated)
// 50unattended-upgrades -> unattended-upgrades
// 70debconf -> debconf
// 99update-notifier -> update-notifier-common
// 99synaptic -> synaptic ? (generated)
//
// see also  /etc/cron.daily/apt 

APT::Periodic::Update-Package-Lists "1"; //in days
APT::Periodic::Unattended-Upgrade "7"; //in days
APT::Periodic::Download-Upgradeable-Packages "1"; //in days
APT::Periodic::AutocleanInterval "30"; //in days

APT::Archives::MaxAge "0";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "0";

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}-security";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or package upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade 
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this limits the download
// speed to 50 kB/sec
Acquire::http::Dl-Limit "50";
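
Added example, not part of the original post: APT reads the files in apt.conf.d in lexical order, and while a later scalar replaces an earlier one, unnamed entries in a { } list are appended, so leaving "-updates" commented out in a 51 file does not remove it if an earlier file already lists it. The Python sketch below models that merge for the subset of syntax used in the two files; the contents of the two earlier fragments are constructed, and merge and effective are hypothetical helper names.

```python
import re

TOKEN = re.compile(r'''
    //[^\n]*                                   # comment to end of line
  | \#clear\s+(?P<clear>[\w:-]+)\s*;           # #clear Some::List;
  | (?P<key>[\w:-]+)\s+"(?P<val>[^"]*)"\s*;    # Some::Option "value";
  | (?P<scope>[\w:-]+)\s*\{                    # Some::List {
  | "(?P<item>[^"]*)"\s*;                      #     "entry";
  | (?P<end>\})\s*;?                           # };
''', re.VERBOSE)

def merge(fragments):
    """Merge {filename: text} as APT reads apt.conf.d: lexical filename order,
    later scalars override, unnamed list entries append, #clear erases a key."""
    conf, scope = {}, None
    for name in sorted(fragments):
        for m in TOKEN.finditer(fragments[name]):
            if m["clear"]:
                conf.pop(m["clear"], None)
            elif m["key"]:
                conf[m["key"]] = m["val"]
            elif m["scope"]:
                scope = m["scope"]
                conf.setdefault(scope, [])
            elif m["item"] is not None and scope:
                conf[scope].append(m["item"])
            elif m["end"]:
                scope = None
    return conf

ORIGINS = "Unattended-Upgrade::Allowed-Origins"
SEC, UPD = ("${distro_id}:${distro_codename}-" + s for s in ("security", "updates"))
# Constructed sample: what earlier fragments on a machine might contain.
EARLIER = {
    "20auto-upgrades": 'APT::Periodic::Unattended-Upgrade "1";',
    "50unattended-upgrades": ORIGINS + ' { "%s"; "%s"; };' % (SEC, UPD),
}
# The relevant lines of the server file from the post.
SERVER = '''APT::Periodic::Unattended-Upgrade "7"; //in days
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};'''

def effective(server_text):
    return merge({**EARLIER, "51unattended-upgrades-server": server_text})

if __name__ == "__main__":
    for text in (SERVER, "#clear " + ORIGINS + ";\n" + SERVER):
        print(effective(text)[ORIGINS])
```

The first printed list still contains the -updates origin; the second, with a #clear line placed before the list, contains only -security. On a real system, apt-config dump | grep Allowed-Origins shows the merged list that unattended-upgrades will act on.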


