Automatic security updates

 * Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

200 packages can be updated.
105 updates are security updates.

Apply updates automatically instead of running apt update && apt upgrade -y by hand

Automatic updates with unattended-upgrades

Installing unattended-upgrades

root@bash # apt install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gconf-service gconf-service-backend gconf2-common libgconf-2-4 libllvm6.0
libllvm7 linux-headers-4.15.0-38 linux-headers-4.15.0-38-generic
linux-headers-4.15.0-39 linux-headers-4.15.0-39-generic
linux-headers-4.15.0-42 linux-headers-4.15.0-42-generic
linux-headers-4.15.0-43 linux-headers-4.15.0-43-generic

…(omitted)…

Unpacking unattended-upgrades (1.1ubuntu1.18.04.13) over (1.1ubuntu1.18.04.11) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.24) ...
Setting up unattended-upgrades (1.1ubuntu1.18.04.13) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
root@bash #

Enabling unattended-upgrades

root@bash # dpkg-reconfigure -plow unattended-upgrades

Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version

Select Yes in the dialog that follows.

[screenshot: dpkg-reconfigure dialog for unattended-upgrades]

Customizing the update schedule (20auto-upgrades)

Settings in 20auto-upgrades (/etc/apt/apt.conf.d/20auto-upgrades)

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Change it to the following

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Parameter                                      Meaning
APT::Periodic::Update-Package-Lists            Interval in days for refreshing the package lists (apt update)
APT::Periodic::Download-Upgradeable-Packages   Interval in days for pre-downloading upgradable packages
APT::Periodic::AutocleanInterval               Interval in days for removing old packages from the APT cache (apt autoclean)
APT::Periodic::Unattended-Upgrade              Interval in days for running unattended-upgrade; "1" runs it daily, "0" disables it

Customizing update behaviour (50unattended-upgrades)

How updates are applied is configured in 50unattended-upgrades (/etc/apt/apt.conf.d/50unattended-upgrades).
Most settings there are commented out, so enable the ones you need.

Packages to update

Apply regular updates as well as security updates

  • "${distro_id}:${distro_codename}-updates"   regular (non-security) updates
  • "${distro_id}:${distro_codename}-security"  security updates

The shipped file enables only the release and -security pockets. Uncommenting -updates means bug-fix and feature updates are also installed unattended, so leave -proposed and -backports commented out.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

Automatically remove unused packages

Automatically remove unused kernel packages (images, headers and version-locked tools) and dependencies that are no longer needed (equivalent to apt autoremove)

  • Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
  • Unattended-Upgrade::Remove-Unused-Dependencies "true";

Reboot the system automatically

Reboot automatically (at 21:00) when an update requires it

  • Unattended-Upgrade::Automatic-Reboot "true";
  • Unattended-Upgrade::Automatic-Reboot-Time "21:00";

With Automatic-Reboot enabled the host reboots without confirmation whenever /var/run/reboot-required exists after an upgrade; if Automatic-Reboot-Time is not set it reboots immediately ("now"), so pick a time inside your maintenance window.

/etc/apt/apt.conf.d/50unattended-upgrades (default)

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};

// This option will controls whether the development release of Ubuntu will be
// upgraded automatically.
Unattended-Upgrade::DevRelease "false";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "false";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
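The checks a practitioner wants after editing 20auto-upgrades and 50unattended-upgrades, as an added POSIX sh example that is not part of the original page: it parses the apt.conf-style `Key "value";` lines and the Allowed-Origins block, reports whether the periodic run is actually enabled, whether the security pocket is still present, whether -updates widens the scope, and whether an automatic reboot is armed. The sample files it writes under a temporary directory are constructed to mirror the settings shown above; the parser only understands the scalar and list syntax used in these two files, and the paths in the closing comment are the standard Ubuntu locations.

```shell
#!/bin/sh
# Added example, not from the original page: audit apt.conf-style files
# (20auto-upgrades and 50unattended-upgrades share the same syntax).
# The contents written by write_*_sample are constructed for the demo.

# Drop // comments and blank lines so commented-out settings are ignored.
active_lines() {
    sed -e 's://.*$::' "$1" | grep -v '^[[:space:]]*$'
}

# Print the value of a scalar option such as APT::Periodic::Unattended-Upgrade,
# or "unset" when it is absent or commented out.
option_value() {
    key="$1"; file="$2"
    val=$(active_lines "$file" |
          sed -n "s/^[[:space:]]*$key[[:space:]]*\"\([^\"]*\)\";.*/\1/p" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Print the pockets enabled in Unattended-Upgrade::Allowed-Origins, one per line.
allowed_origins() {
    active_lines "$1" | awk '
        /Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
        inblk && /};/                          { inblk = 0 }
        inblk { gsub(/["; \t]/, ""); if ($0 != "") print }
    '
}

# True when APT periodic will actually run unattended-upgrade:
# both values are intervals in days, and "0" disables the step.
periodic_enabled() {
    lists=$(option_value APT::Periodic::Update-Package-Lists "$1")
    run=$(option_value APT::Periodic::Unattended-Upgrade "$1")
    [ "$lists" != unset ] && [ "$lists" != 0 ] && [ "$run" != unset ] && [ "$run" != 0 ]
}

# Report on a 50unattended-upgrades file; exit 0 only if the security pocket is enabled.
audit_upgrades() {
    file="$1"; status=0
    origins=$(allowed_origins "$file")
    if printf '%s\n' "$origins" | grep -q -- '-security$'; then
        echo "ok: security pocket enabled"
    else
        echo "FAIL: security pocket missing from Allowed-Origins"; status=1
    fi
    if printf '%s\n' "$origins" | grep -q -- '-updates$'; then
        echo "note: -updates enabled, so non-security changes are applied unattended too"
    fi
    if [ "$(option_value Unattended-Upgrade::Automatic-Reboot "$file")" = true ]; then
        when=$(option_value Unattended-Upgrade::Automatic-Reboot-Time "$file")
        if [ "$when" = unset ]; then when=now; fi   # the shipped default when unset
        echo "warn: reboots without confirmation at $when whenever /var/run/reboot-required exists"
    fi
    return "$status"
}

# Constructed sample: the 20auto-upgrades content recommended above.
write_periodic_sample() {
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Constructed sample: 50unattended-upgrades tuned as described above.
write_tuned_sample() {
    cat > "$1" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "21:00";
EOF
}

# Demo against the constructed samples. On a real host point the functions at
# /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades.
tmp=$(mktemp -d)
write_periodic_sample "$tmp/20auto-upgrades"
write_tuned_sample "$tmp/50unattended-upgrades"
periodic_enabled "$tmp/20auto-upgrades" && echo "ok: periodic unattended-upgrade enabled"
audit_upgrades "$tmp/50unattended-upgrades" || echo "-> exit $?"
rm -rf "$tmp"
```

Run it after every edit of the two files; a non-zero exit from audit_upgrades means the machine would silently stop receiving security updates, which is the one failure mode an automatic-update setup must never have.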

Checking the behaviour after changing the settings

There is no need to wait for the daily apt timer (apt-daily-upgrade.timer on systemd-based Ubuntu, cron.daily on older releases): unattended-upgrades --dry-run --debug runs the same logic immediately and reports what it would do without changing anything.

root@bash # unattended-upgrades --dry-run --debug
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linu

…(omitted)…

ubuntu-server
ubuntu-standard
udev
util-linux
uuid-runtime
wpasupplicant
xkb-data
60% [Connecting to us.archive.ubuntu.com]
60% [Connecting to us.archive.ubuntu.com (91.189.91.23)]
60% [Waiting for headers]
Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 base-files amd64 10.1ubuntu2.7 [60.3 kB]

…(omitted)…

conffile line: /etc/wpa_supplicant/ifupdown.sh 4c82dbf7e1d8c5ddd70e40b9665cfeee
current md5: 4c82dbf7e1d8c5ddd70e40b9665cfeee
blacklist: []
whitelist: []
Removing unused kernel packages: linux-headers-4.15.0-42-generic linux-modules-extra-4.15.0-43-generic

…(omitted)…

marking linux-image-4.15.0-43-generic for removal
marking linux-image-4.15.0-38-generic for removal
Packages that were successfully auto-removed:
Packages that are kept back:
Option --dry-run given, *not* performing real actions

…(omitted)…

Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

…(omitted)…

All upgrades installed

…(omitted)…

marking linux-image-4.15.0-38-generic for removal
Packages that were successfully auto-removed:
Packages that are kept back:
InstCount=0 DelCount=0 BrokenCount=0
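An added example, not from the original page, that turns a captured dry run like the one above into a pass/fail check suitable for a deployment script: the constructed sample_run reproduces the kinds of lines shown (allowed origins, removal candidates, the InstCount/DelCount/BrokenCount summary), and check_run fails when BrokenCount is non-zero or when no -security pocket appears in the allowed origins. The line formats it matches are the ones visible in the output above; nothing else about the tool's output is assumed.

```shell
#!/bin/sh
# Added example, not from the original page: turn a captured
# `unattended-upgrades --dry-run --debug` run into a go/no-go check.
# sample_run() is constructed from the kinds of lines shown above.

sample_run() {
    cat <<'EOF'
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates
Removing unused kernel packages: linux-headers-4.15.0-42-generic linux-modules-extra-4.15.0-43-generic
marking linux-image-4.15.0-43-generic for removal
marking linux-image-4.15.0-38-generic for removal
Packages that were successfully auto-removed:
Packages that are kept back:
Option --dry-run given, *not* performing real actions
InstCount=0 DelCount=0 BrokenCount=0
EOF
}

# Value of one field from the "InstCount=.. DelCount=.. BrokenCount=.." line (stdin).
count_field() {
    sed -n "s/.*$1=\([0-9]*\).*/\1/p" | tail -n 1
}

# Packages the run would remove, one per line (stdin).
removal_candidates() {
    sed -n 's/^marking \(.*\) for removal$/\1/p'
}

# Exit 0 only when nothing is broken and a -security pocket is among the allowed origins.
check_run() {
    out=$(cat)
    broken=$(printf '%s\n' "$out" | count_field BrokenCount)
    if [ "${broken:-0}" -gt 0 ]; then
        echo "FAIL: BrokenCount=$broken"; return 1
    fi
    if ! printf '%s\n' "$out" | grep -q '^Allowed origins are:.*a=[a-z]*-security'; then
        echo "FAIL: no -security pocket in allowed origins"; return 1
    fi
    inst=$(printf '%s\n' "$out" | count_field InstCount)
    n=$(printf '%s\n' "$out" | removal_candidates | wc -l | tr -d ' ')
    echo "ok: InstCount=${inst:-0}, $n package(s) marked for removal"
}

# Demo on the constructed sample. On a host, pipe the real command instead:
#   unattended-upgrades --dry-run --debug 2>&1 | check_run
sample_run | check_run
```

The exit status is what matters for automation; the removal count is printed because kernel cleanup is the part of the run most worth eyeballing before enabling Remove-Unused-Kernel-Packages for real.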

References