How to configure unattended-upgrades to upgrade updates?

catkin · 02-21-2014, 11:23 PM

I have not been able to configure unattended-upgrades to automatically upgrade updates as well as the default security upgrades.

/etc/apt/apt.conf.d/50unattended-upgrades must be changed, specifically the Unattended-Upgrade::Origins-Pattern: section.

I could not find documentation or examples on what to put in this section. The as-installed section is:

Code:

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the 
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
        "origin=Debian,archive=stable,label=Debian-Security";
};

Why "stable" rather than wheezy? Is it simply a convenience so the file does not have to be changed if the computer is dist upgraded rather doing a fresh installation? (I prefer to use "wheezy" rather than "stable" after we accidentally upgraded squeeze to wheezy by having "stable" rather than "squeeze" in sources.list and a sysadmin's command line typo -- maybe upgrade instead of safe-upgrade).

Why does the default have a label= while the commented out examples do not?

How can valid values for archive and label be found? The sources.list contents do not seem related. The output from apt-cache policy looks similar but after using them ...

Code:

"origin=Debian,archive=wheezy-updates,label=Debian";

... /var/log/unattended-upgrades/unattended-upgrades.log showed no upgrade done:

Code:

2014-02-22 07:14:05,344 INFO Starting unattended upgrades script
2014-02-22 07:14:05,344 INFO Allowed origins are: ['origin=Debian,archive=wheezy,label=Debian-Security', 'origin=Debian,archive=wheezy-updates,label=Debian']
2014-02-22 07:14:07,315 INFO No packages found that can be upgraded unattended

Packages have been downloaded to /var/cache/apt/archives, ready to upgrade. Running aptitude safe-upgrade (and declining to continue) lists the same packages:

Code:

root:/var/cache/apt/archives# lrt | tail
-rw-r--r-- 1 root root   819046 Feb  2 08:34 linux-libc-dev_3.2.54-2_amd64.deb
-rw-r--r-- 1 root root 23432568 Feb  2 08:34 linux-image-3.2.0-4-amd64_3.2.54-2_amd64.deb
-rw-r--r-- 1 root root    57944 Feb 12 03:23 libyaml-0-2_0.1.4-2+deb7u3_amd64.deb
-rw-r--r-- 1 root root   201956 Feb 15 22:38 libmagic1_5.11-2+deb7u1_amd64.deb
-rw-r--r-- 1 root root    51908 Feb 15 22:38 file_5.11-2+deb7u1_amd64.deb
-rw-r--r-- 1 root root   996478 Feb 20 18:47 postgresql-client-9.1_9.1.12-0wheezy1_amd64.deb
-rw-r--r-- 1 root root  3268826 Feb 20 18:47 postgresql-9.1_9.1.12-0wheezy1_amd64.deb
-rw-r--r-- 1 root root   136580 Feb 20 18:47 libpq5_9.1.12-0wheezy1_amd64.deb
-rw-r--r-- 1 root root   191966 Feb 20 18:47 libpq-dev_9.1.12-0wheezy1_amd64.deb
drwxr-xr-x 2 root root     4096 Feb 22 07:14 partial
root:~# aptitude safe-upgrade
The following packages will be upgraded: 
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common base-files curl file libc-bin libc-dev-bin 
  libc6 libc6-dev libc6-i386 libcurl3 libcurl3-gnutls libmagic1 libmysqlclient-dev libmysqlclient18 libpq-dev libpq5 
  libssl-dev libssl-doc libssl1.0.0 libyaml-0-2 linux-image-3.2.0-4-amd64 linux-libc-dev locales multiarch-support 
  mysql-client-5.5 mysql-common mysql-server mysql-server-5.5 mysql-server-core-5.5 openssl postgresql-9.1 
  postgresql-client-9.1 tzdata wget whois 
39 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/65.6 MB of archives. After unpacking 2,301 kB will be used.
Do you want to continue? [Y/n/?] n

Version: wheezy.

References:

/usr/share/doc/unattended-upgrades/README
http://www.debian.org/doc/manuals/de...de_of_packages

widget · 02-22-2014, 03:05 AM

The thought of unattended upgrades gives me chills so I am not much of an expert.

This may be of some help if you have not seen it;
http://www.howtoforge.com/how-to-con...debian-squeeze

and;
https://kura.io/2012/01/28/automatic...ian-6-squeeze/

Those are both for Debian 6 but I can't see how 7 would be a lot different.

Or testing or sid for that matter, although auto upgrades in either of those just strikes me as a silly to automate breaking your system.

evo2 · 02-24-2014, 08:35 PM

Hi,

I think the answers are in the README:

Quote:

The main way to specify which packages will be auto-upgraded is by
means of their "origin" and "archive". These are taken respectively
from the Origin and Suite fields of the respository's Release file

So look in your /var/lib/apt/lists/*_Release files. These also seems to provide the "label" value.

HTH,

Evo2.

catkin · 02-25-2014, 04:08 AM

Thanks both

I tried values shown both by apt-cache policy output and as listed in the /var/lib/apt/lists/*debian*_Release files, with and without label= and (clutching at straws) with o= and a= rather than origin= and archive=. Using those configurations, nothing would have been upgraded, as tested by unattended-upgrade --dry-run

Finally I used the sample values listed commented out in the as-installed /etc/apt/apt.conf.d/50unattended-upgrades file:

Code:

        "o=Debian,a=stable";
        "o=Debian,a=stable-updates";

They worked.

It will be interesting to find out what happens when wheezy is no longer stable but oldstable.