14

I recently upgraded from Jessie to Stretch and received a new version of the configuration file for unattended-upgrades. Oddly, this new version references Debian instead of Raspbian. 

pi@kegerator:/etc/apt/apt.conf.d $ diff 50unattended-upgrades 50unattended-upgrades.ucf-old 
10,12c10,12
< //   c,component     (eg, "main", "contrib", "non-free")
< //   l,label         (eg, "Debian", "Debian-Security")
< //   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
---
> //   c,component     (eg, "main", "crontrib", "non-free")
> //   l,label         (eg, "Raspbian", "Raspbian-Security")
> //   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
14c14
< //     site          (eg, "http.debian.net")
---
> //     site          (eg, "http.Raspbian.net")
20c20
< // derived from /etc/debian_version:
---
> // derived from /etc/Raspbian_version:
27,30c27
< //      "o=Debian,n=jessie";
< //      "o=Debian,n=jessie-updates";
< //      "o=Debian,n=jessie-proposed-updates";
< //      "o=Debian,n=jessie,l=Debian-Security";
---
> //      "o=Raspbian,n=jessie";
36,39c33,34
< //      "o=Debian,a=stable";
< //      "o=Debian,a=stable-updates";
< //      "o=Debian,a=proposed-updates";
<         "origin=Debian,codename=${distro_codename},label=Debian-Security";
---
> //      "o=Raspbian,a=stable";
> 
85,87d79
< // Automatically reboot even if there are users currently logged in.
< //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
< 
96,102d87
< 
< // Enable logging to syslog. Default is False
< // Unattended-Upgrade::SyslogEnable "false";
< 
< // Specify syslog facility. Default is daemon
< // Unattended-Upgrade::SyslogFacility "daemon";
<

Between this Launchpad bug, this issue in the source repo, and several forum topics lamenting the absence of the Raspbian-security label, I'm fairly confused about what the 'correct' configuration should be.

Could anyone share their working unattended-upgrades configuration for Raspbian Stretch?

patricktokeeffe
  • 547
  • 2
  • 5
  • 11
  • It might help to run unattended upgrades in debug mode and look at the comparisons. sudo unattended-upgrade -d from https://wiki.debian.org/UnattendedUpgrades – HarlemSquirrel Sep 29 '17 at 01:22

1 Answers1

12

The most important lines are:

"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

Here is the entire file (/etc/apt/apt.conf.d/50unattended-upgrades):

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Rapsbian", "Raspbian")
//   o,origin        (eg, "Raspbian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Raspbian,n=jessie";
//      "o=Raspbian,n=jessie-updates";
//      "o=Raspbian,n=jessie-proposed-updates";
//      "o=Raspbian,n=jessie,l=Raspbian";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=testing";
        "origin=Raspbian,codename=${distro_codename},label=Raspbian";

        // Additionally, for those running Raspbian on a Raspberry Pi,
        // match packages from the Raspberry Pi Foundation as well.
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Upstream source: https://github.com/mvo5/unattended-upgrades/blob/master/data/50unattended-upgrades.Raspbian

Peter Nowee
  • 221
  • 2
  • 5
  • Hey Peter, there's a few words of advice missing. Something like ....Ensure that the "origin=Raspbian,codename=${distro_codename},label=Raspbian"; .... line is not commented out and you will find that this works for Jesse, Stretch and probably releases after Stretch too. – paul_h Nov 11 '17 at 14:48
  • The top of my answer mentions the two most important lines, including the one you mention. Of course they should not be commented out. Thanks. – Peter Nowee Nov 13 '17 at 02:17
  • Sorry man I was unclear. I'm specifically suggesting fixing the English in "Entire file /etc/apt/apt.conf.d/50unattended-upgrades :" It's missing a word or two. Refer eternal Reddit joke - "I accidentally a word" https://www.reddit.com/r/AskReddit/comments/1d1wlx/wtf_does_i_accidentally_a_word_mean_wtf_is/ – paul_h Nov 13 '17 at 22:19
  • it is better now, yes :) – paul_h Nov 17 '17 at 19:18
  • 1
    Wouldn't this install all Raspbian updates and not just the security related ones? – lightswitch05 Jun 15 '18 at 15:28
  • 1
    @lightswitch05 Yes, because Raspbian does not have a separate security repository, this will also install other updates, such as point releases (e.g. from 9.3 to 9.4). However, because of codename=${distro_codename}, it won't automatically upgrade to a new release (e.g. from 9 to 10). – Peter Nowee Jun 16 '18 at 04:00