From 197bf750d31696c41bcf9afa6d4471586918ff0c Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 19 Jul 2015 14:21:06 +0200 Subject: Update unattended-upgrades configuration. --- .../files/etc/apt/apt.conf.d/50unattended-upgrades | 74 ++++++++++++++-------- 1 file changed, 49 insertions(+), 25 deletions(-) (limited to 'roles/common') diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades index 5a58095..c9adc5f 100644 --- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades +++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades @@ -1,33 +1,53 @@ -// Automatically upgrade packages from these origin patterns +// Unattended-Upgrade::Origins-Pattern controls which packages are +// upgraded. +// +// Lines below have the format format is "keyword=value,...". A +// package will be upgraded only if the values in its metadata match +// all the supplied keywords in a line. (In other words, omitted +// keywords are wild cards.) The keywords originate from the Release +// file, but several aliases are accepted. The accepted keywords are: +// a,archive,suite (eg, "stable") +// c,component (eg, "main", "crontrib", "non-free") +// l,label (eg, "Debian", "Debian-Security") +// o,origin (eg, "Debian", "Unofficial Multimedia Packages") +// n,codename (eg, "jessie", "jessie-updates") +// site (eg, "http.debian.net") +// The available values on the system are printed by the command +// "apt-cache policy", and can be debugged by running +// "unattended-upgrades -d" and looking at the log file. +// +// Within lines unattended-upgrades allows 2 macros whose values are +// derived from /etc/debian_version: +// ${distro_id} Installed origin. +// ${distro_codename} Installed codename (eg, "jessie") Unattended-Upgrade::Origins-Pattern { + // Codename based matching: + // This will follow the migration of a release through different + // archives (e.g. from testing to stable and later oldstable). +// "o=Debian,n=jessie"; +// "o=Debian,n=jessie-updates"; +// "o=Debian,n=jessie-proposed-updates"; +// "o=Debian,n=jessie,l=Debian-Security"; + // Archive or Suite based matching: // Note that this will silently match a different release after // migration to the specified archive (e.g. testing becomes the // new stable). - // XXX: Sadly as of Wheezy, unattended-upgrades doesn't match - // $distro_codename against (old)stable. Hence since packages - // that are candidates for upgrade show up with a=(old)stable, - // it is not enough to specifiy a=$distro_codename here. - // Instead, we list both oldstable and stable; the useless one - // is harmless and is being ignored anyway, as it is not in a - // proper sources.list. - "o=${distro_id},a=oldstable"; - "o=${distro_id},a=stable"; -// "o=${distro_id},a=stable-updates"; -// "o=${distro_id},a=proposed-updates"; - "o=${distro_id},a=oldstable,l=Debian-Security"; - "o=${distro_id},a=stable,l=Debian-Security"; +// "o=Debian,a=stable"; +// "o=Debian,a=stable-updates"; +// "o=Debian,a=proposed-updates"; + "origin=Debian,codename=${distro_codename}"; + "origin=Debian,codename=${distro_codename},label=Debian-Security"; }; -// List of packages to not update +// List of packages to not update (regexp are supported) Unattended-Upgrade::Package-Blacklist { -// "vim"; -// "libc6"; -// "libc6-dev"; -// "libc6-i686"; +// "vim"; +// "libc6"; +// "libc6-dev"; +// "libc6-i686"; }; - // This option allows you to control if on a unclean dpkg exit // unattended-upgrades will automatically run // dpkg --force-confold --configure -a @@ -59,11 +79,15 @@ Unattended-Upgrade::Mail "admin@fripost.org"; // (equivalent to apt-get autoremove) //Unattended-Upgrade::Remove-Unused-Dependencies "false"; -// Automatically reboot *WITHOUT CONFIRMATION* if a -// the file /var/run/reboot-required is found after the upgrade -Unattended-Upgrade::Automatic-Reboot "false"; +// Automatically reboot *WITHOUT CONFIRMATION* if +// the file /var/run/reboot-required is found after the upgrade +//Unattended-Upgrade::Automatic-Reboot "false"; +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +//Unattended-Upgrade::Automatic-Reboot-Time "02:00"; // Use apt bandwidth limit feature, this example limits the download -// speed to 128kb/sec -Acquire::http::Dl-Limit "128"; +// speed to 256kb/sec +Acquire::http::Dl-Limit "256"; -- cgit v1.2.3