( <my_hosting_provider>개인정보 보호를 위해 아래에서 VPS 호스팅 제공업체의 도메인 이름을 로 바꾸었습니다.)
내 Debian 9.3 "Stretch" 인스턴스는 커널 업데이트를 사용할 수 있다고 표시합니다.
# apt list --upgradable -a
Listing... Done
linux-image-amd64/stable 4.9+80+deb9u3 amd64 [upgradable from: 4.9+80+deb9u2]
linux-image-amd64/stable,now 4.9+80+deb9u2 amd64 [installed,upgradable to: 4.9+80+deb9u3]
나는 이것이 다음 문제를 해결하도록 설계된 4.9+80+deb9u3최근 커널 보안 업데이트와 동일하다고 생각합니다.4.9.65-3+deb9u2CVE-2017-5754, 또한 ~으로 알려진무너지다.
기본 구성이 커널 보안 업데이트를 설치하지 못함
Unattended-Upgrade::Origins-Patternin의 기본 내용은 다음 /etc/apt/apt.conf.d/50unattended-upgrades과 같습니다.
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
이 구성을 완료한 후에는 커널 보안 업데이트를 설치할 수 없습니다.
# unattended-upgrades -v -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>])
pkg 'firmware-linux-free' not in allowed origin
sanity check failed
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
Packages that will be upgraded:
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:11:22'
Sending mail to 'root'
mail returned: 0
커널 보안 업데이트를 설치하도록 구성 수정
만약 내가 대신 공부 Unattended-Upgrade::Origins-Pattern하러 갔다 면/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
그런 다음 보안 업데이트를 찾아 설치합니다.
# unattended-upgrades -v -d
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian', 'origin=Debian,codename=stretch,label=Debian-Security']
Checking: linux-image-amd64 ([<Origin component:'main' archive:'stable' origin:'Debian' label:'Debian-Security' site:'mirror.<my_hosting_provider>.com' isTrusted:True>])
pkgs that look like they should be upgraded: linux-image-amd64
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 19196 DestFile:'/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/f/firmware-free/firmware-linux-free_3.4_all.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/firmware-linux-free_3.4_all.deb')
No conffiles in deb '/var/cache/apt/archives/firmware-linux-free_3.4_all.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 33252 DestFile:'/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/n/numactl/libnuma1_2.0.11-2.1_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb')
No conffiles in deb '/var/cache/apt/archives/libnuma1_2.0.11-2.1_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 38768102 DestFile:'/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb')
No conffiles in deb '/var/cache/apt/archives/linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 6994 DestFile:'/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian-security/pool/updates/main/l/linux-latest/linux-image-amd64_4.9+80+deb9u3_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb')
found pkg: linux-image-amd64
No conffiles in deb '/var/cache/apt/archives/linux-image-amd64_4.9+80+deb9u3_amd64.deb' (There is no member named 'conffiles')
<apt_pkg.AcquireItem object:Status: 2 Complete: 1 Local: 1 IsTrusted: 1 FileSize: 40396 DestFile:'/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb' DescURI: 'http://mirror.<my_hosting_provider>.com/debian/pool/main/i/irqbalance/irqbalance_1.1.0-2.3_amd64.deb' ID:0 ErrorText: ''>
check_conffile_prompt('/var/cache/apt/archives/irqbalance_1.1.0-2.3_amd64.deb')
blacklist: []
whitelist: []
Packages that will be upgraded: linux-image-amd64
Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
Selecting previously unselected package firmware-linux-free.
(Reading database ... 45465 files and directories currently installed.)
Preparing to unpack .../firmware-linux-free_3.4_all.deb ...
Unpacking firmware-linux-free (3.4) ...
Selecting previously unselected package libnuma1:amd64.
Preparing to unpack .../libnuma1_2.0.11-2.1_amd64.deb ...
Unpacking libnuma1:amd64 (2.0.11-2.1) ...
Selecting previously unselected package linux-image-4.9.0-5-amd64.
Preparing to unpack .../linux-image-4.9.0-5-amd64_4.9.65-3+deb9u2_amd64.deb ...
Unpacking linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
Preparing to unpack .../linux-image-amd64_4.9+80+deb9u3_amd64.deb ...
Unpacking linux-image-amd64 (4.9+80+deb9u3) over (4.9+80+deb9u2) ...
Selecting previously unselected package irqbalance.
Preparing to unpack .../irqbalance_1.1.0-2.3_amd64.deb ...
Unpacking irqbalance (1.1.0-2.3) ...
Setting up libnuma1:amd64 (2.0.11-2.1) ...
Setting up linux-image-4.9.0-5-amd64 (4.9.65-3+deb9u2) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-4.9.0-4-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-4.9.0-4-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-4.9.0-5-amd64
I: /initrd.img is now a symlink to boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.9.0-5-amd64
Found initrd image: /boot/initrd.img-4.9.0-5-amd64
Found linux image: /boot/vmlinuz-4.9.0-4-amd64
Found initrd image: /boot/initrd.img-4.9.0-4-amd64
Found linux image: /boot/vmlinuz-4.9.0-3-amd64
Found initrd image: /boot/initrd.img-4.9.0-3-amd64
done
Setting up linux-image-amd64 (4.9+80+deb9u3) ...
Processing triggers for libc-bin (2.24-11+deb9u1) ...
Processing triggers for systemd (232-25+deb9u1) ...
Setting up firmware-linux-free (3.4) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for man-db (2.7.6.1-2) ...
Setting up irqbalance (1.1.0-2.3) ...
Processing triggers for initramfs-tools (0.130) ...
update-initramfs: Generating /boot/initrd.img-4.9.0-5-amd64
Processing triggers for systemd (232-25+deb9u1) ...
All upgrades installed
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2018-01-05 13:24:35'
Sending mail to 'root'
mail returned: 0
Found /var/run/reboot-required, rebooting
질문
- 기본 구성을 사용하여 보안 업데이트를 설치할 수 없는 것과 관련하여 Debian의 일부에 대한 버그를 제출해야 합니까, 아니면 이것이 예상되는 동작입니까(그렇다면 이유는 무엇입니까)?
unattended-upgrades보안 업데이트를 수행하고 싶습니다 . 기본 구성이 작동하지 않는 경우 어떻게 이를 달성할 수 있습니까?
답변1
위 댓글의 피드백에 따르면 이는 버그인 것으로 보입니다.
해당 버그 보고서가 제출되었습니다.여기.
답변2
연장의 경우 무인 업그레이드는 오전 6시에서 7시 사이에만 시작됩니다. apt 패키지의 NEWS 파일에서:
적절함(1.4.2) 긴급성=중간;
예약된 업데이트 및 무인 업그레이드가 활성화된 경우 예약된 업데이트의 시작 시간은 이제 24시간 간격(예: 1.2~1.4)으로 분산되는 반면, 무인 업그레이드 시작 시간은 오전 6시에서 오전 7시 사이로 제한됩니다. 이는 systemd를 사용하는 시스템에만 영향을 미치며, 다른 시스템은 여전히 전통적인 시간별 크론 작업을 사용합니다.
—Julian Andrés Claude 목, 2017년 5월 4일 22:54:02 +0200