特殊:Badtitle/NS100:AutomaticSecurityUpdates:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Wikibot留言 | 贡献
无编辑摘要
Wikibot留言 | 贡献
无编辑摘要
 
(未显示2个用户的8个中间版本)
第4行: 第4行:
=== Introduction ===
=== Introduction ===
This is a simple tutorial that will teach you to create a script and a cron job to go out and automatically install security updates without requiring you to do anything. There are always some security risks involved in running software upgrades without supervision, but there are also benefits.  If you believe it's important to stay up to date with the latest security patches, then you should follow this simple tutorial.
This is a simple tutorial that will teach you to create a script and a cron job to go out and automatically install security updates without requiring you to do anything. There are always some security risks involved in running software upgrades without supervision, but there are also benefits.  If you believe it's important to stay up to date with the latest security patches, then you should follow this simple tutorial.
=== Instructions ===
=== Using apt.conf.d ===
If you are using GNOME, go to the "System" menu, then "Administration", then "Software Sources".
Open up the "Updates" tab and select "Automatic updates", also select "Install security updates without confirmation".
Alternately you may configure the <code><nowiki>unattended-upgrades</nowiki></code> package via the command line; simply change your '''''/etc/apt/apt.conf.d/10periodic''''' to:
<pre><nowiki>
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
</nowiki></pre>
Details about what these values mean may be found in the header of the '''/etc/cron.daily/apt''' file.
And '''''/etc/apt/apt.conf.d/50unattended-upgrades''''':
<pre><nowiki>
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu karmic-security";
};
 
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};
 
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
 
 
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
</nowiki></pre>
https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png '''Note:''' Using this method requires that you modify /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/50unattended-upgrades every time you upgrade your system to the next Ubuntu release.  Be sure to replace '''karmic''' with the code name for your Ubuntu version!
=== Using cron ===
==== Instructions ====
To begin, press Alt+F2 and create a new file:
To begin, press Alt+F2 and create a new file:
<pre><nowiki>
<pre><nowiki>
第11行: 第50行:
If you're using KDE, use this command instead:
If you're using KDE, use this command instead:
<pre><nowiki>
<pre><nowiki>
kdesu kate /etc/cron.weekly/apt-security-updates
kdesudo kate /etc/cron.weekly/apt-security-updates
</nowiki></pre>
</nowiki></pre>
Copy the following text into this new file, save, and exit:
Copy the following text into this new file, save, and exit:
第19行: 第58行:
date >> /var/log/apt-security-updates
date >> /var/log/apt-security-updates
aptitude update >> /var/log/apt-security-updates
aptitude update >> /var/log/apt-security-updates
aptitude upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> /var/log/apt-security-updates
aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> /var/log/apt-security-updates
echo "Security updates (if any) installed"
echo "Security updates (if any) installed"
</nowiki></pre>
</nowiki></pre>
Recently (since Ubuntu 7.10), the aptitude action 'upgrade' is deprecated. There are now two ways to upgrade, a safe one (conservative, if an update needs to add or remove dependencies, it won't update) and a full one (it will always upgrade even though it impacts other packages by adding them or removing them, previously called 'dist-upgrade'). The actions are now 'safe-upgrade' or 'full-upgrade'. See the manual page of aptitude (<code><nowiki>man aptitude</nowiki></code>) for more details.
Once you are complete, you want to make the file executable. So, via the terminal, type the following line:
Once you are complete, you want to make the file executable. So, via the terminal, type the following line:
<pre><nowiki>
<pre><nowiki>
sudo chmod +x /etc/cron.weekly/apt-security-updates
sudo chmod +x /etc/cron.weekly/apt-security-updates
</nowiki></pre>
</nowiki></pre>
=== Post-Install Setup and Execution Information ===
==== Post-Install Setup and Execution Information ====
This script will run once weekly and it installs all available packages from the security repository. It also generates a log in ~-/var/log/apt-security-updates-~ for later inspection in case something goes wrong.
This script will run once weekly and it installs all available packages from the security repository. It also generates a log in ~-/var/log/apt-security-updates-~ for later inspection in case something goes wrong.
This script will output information to a log file, so to prevent this log file from getting too large we need to make sure it gets rotated out.  To do this, we'll use the ~-logrotate-~ utility, which comes with Ubuntu.  Press Alt+F2 and type this command:
This script will output information to a log file, so to prevent this log file from getting too large we need to make sure it gets rotated out.  To do this, we'll use the ~-logrotate-~ utility, which comes with Ubuntu.  Press Alt+F2 and type this command:
第34行: 第74行:
For KDE, use this command instead:
For KDE, use this command instead:
<pre><nowiki>
<pre><nowiki>
kdesu kate /etc/logrotate.d/apt-security-updates
kdesudo kate /etc/logrotate.d/apt-security-updates
</nowiki></pre>
</nowiki></pre>
Paste this into the editor, save, and exit:
Paste this into the editor, save, and exit:
<pre><nowiki>
<pre><nowiki>
/var/log/apt-security-updates {
/var/log/apt-security-updates {
rotate 2
        rotate 2
weekly
        weekly
size 250k
        size 250k
compress
        compress
notifempty
        notifempty
}
}
</nowiki></pre>
</nowiki></pre>
This will rotate the log file every week (`weekly`), or if it's over 250kB in size (`size 250k`), compressing old versions (`compress`).  The previous two log files will be kept (`rotate 2`), and no rotation will occur if the file is empty (`notifempty`).
This will rotate the log file every week (`weekly`), or if it's over 250kB in size (`size 250k`), compressing old versions (`compress`).  The previous two log files will be kept (`rotate 2`), and no rotation will occur if the file is empty (`notifempty`).
=== Using cron-apt to handle automatic updating ===
==== Using cron-apt to handle automatic updating ====
Updating can be also done automatically by using package called [http://packages.ubuntu.com/feisty/admin/cron-apt cron-apt]. Please read man page before doing anything.
Updating can be also done automatically by using package called [http://packages.ubuntu.com/intrepid/cron-apt cron-apt]. Please read man page before doing anything.
----
----
[[category:CategorySecurity]]  
[[category:CategorySecurity]]  


[[category:UbuntuHelp]]
[[category:UbuntuHelp]]

2010年5月19日 (三) 21:39的最新版本

{{#ifexist: :AutomaticSecurityUpdates/zh | | {{#ifexist: AutomaticSecurityUpdates/zh | | {{#ifeq: {{#titleparts:AutomaticSecurityUpdates|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:AutomaticSecurityUpdates|1|-1|}} | zh | | }}

  1. title Automatic Security Updates

Introduction

This is a simple tutorial that will teach you to create a script and a cron job to go out and automatically install security updates without requiring you to do anything. There are always some security risks involved in running software upgrades without supervision, but there are also benefits. If you believe it's important to stay up to date with the latest security patches, then you should follow this simple tutorial.

Using apt.conf.d

If you are using GNOME, go to the "System" menu, then "Administration", then "Software Sources". Open up the "Updates" tab and select "Automatic updates", also select "Install security updates without confirmation". Alternately you may configure the unattended-upgrades package via the command line; simply change your /etc/apt/apt.conf.d/10periodic to:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

Details about what these values mean may be found in the header of the /etc/cron.daily/apt file. And /etc/apt/apt.conf.d/50unattended-upgrades:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu karmic-security";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you 
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";


// Automatically reboot *WITHOUT CONFIRMATION* if a 
// the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

IconsPage?action=AttachFile&do=get&target=IconNote.png Note: Using this method requires that you modify /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/50unattended-upgrades every time you upgrade your system to the next Ubuntu release. Be sure to replace karmic with the code name for your Ubuntu version!

Using cron

Instructions

To begin, press Alt+F2 and create a new file:

gksudo gedit /etc/cron.weekly/apt-security-updates

If you're using KDE, use this command instead:

kdesudo kate /etc/cron.weekly/apt-security-updates

Copy the following text into this new file, save, and exit:

#! /bin/sh
echo "**************" >> /var/log/apt-security-updates
date >> /var/log/apt-security-updates
aptitude update >> /var/log/apt-security-updates
aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> /var/log/apt-security-updates
echo "Security updates (if any) installed"

Recently (since Ubuntu 7.10), the aptitude action 'upgrade' is deprecated. There are now two ways to upgrade, a safe one (conservative, if an update needs to add or remove dependencies, it won't update) and a full one (it will always upgrade even though it impacts other packages by adding them or removing them, previously called 'dist-upgrade'). The actions are now 'safe-upgrade' or 'full-upgrade'. See the manual page of aptitude (man aptitude) for more details. Once you are complete, you want to make the file executable. So, via the terminal, type the following line:

sudo chmod +x /etc/cron.weekly/apt-security-updates

Post-Install Setup and Execution Information

This script will run once weekly and it installs all available packages from the security repository. It also generates a log in ~-/var/log/apt-security-updates-~ for later inspection in case something goes wrong. This script will output information to a log file, so to prevent this log file from getting too large we need to make sure it gets rotated out. To do this, we'll use the ~-logrotate-~ utility, which comes with Ubuntu. Press Alt+F2 and type this command:

gksudo gedit /etc/logrotate.d/apt-security-updates

For KDE, use this command instead:

kdesudo kate /etc/logrotate.d/apt-security-updates

Paste this into the editor, save, and exit:

/var/log/apt-security-updates {
        rotate 2
        weekly
        size 250k
        compress
        notifempty
}

This will rotate the log file every week (`weekly`), or if it's over 250kB in size (`size 250k`), compressing old versions (`compress`). The previous two log files will be kept (`rotate 2`), and no rotation will occur if the file is empty (`notifempty`).

Using cron-apt to handle automatic updating

Updating can be also done automatically by using package called cron-apt. Please read man page before doing anything.