firefexx
Posts: 2
Joined: Fri Jul 25, 2014 7:16 pm

unattended-upgrades not working

Fri Jul 25, 2014 7:34 pm

Hi,

on my Raspbian installation, unattended-upgrades is installed to keep track of security updates.
After several days, I noticed that the log file does not contain any information about installed security updates. So I assume it does not work with its default configuration.

The configuration (should be the default...):

Code: Select all

$ cat /etc/apt/apt.conf.d/20auto-upgrades 
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Code: Select all

$ cat /etc/apt/apt.conf.d/50unattended-upgrades 
// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=stable-updates";
//      "o=Raspbian,a=proposed-updates";
        "origin=Raspbian,archive=stable,label=Raspbian-Security";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if a 
// the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";


// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Let unattended-upgrades do a test run and check log file:

Code: Select all

$ sudo unattended-upgrade --dry-run
$ tail -n 4 /var/log/unattended-upgrades/unattended-upgrades.log 
2014-07-25 21:26:56,273 INFO Initial blacklisted packages: 
2014-07-25 21:26:56,278 INFO Starting unattended upgrades script
2014-07-25 21:26:56,283 INFO Allowed origins are: ['origin=Raspbian,archive=stable,label=Raspbian-Security']
2014-07-25 21:27:45,862 INFO No packages found that can be upgraded unattended
Nothing found..
Now see that there updates present:

Code: Select all

$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/1,135 kB of archives.
After this operation, 8,192 B of additional disk space will be used.
Do you want to continue [Y/n]? n
Abort.
So, what is wrong? Can someone help me?

DirkS
Posts: 7631
Joined: Tue Jun 19, 2012 9:46 pm
Location: Essex, UK

Re: unattended-upgrades not working

Fri Jul 25, 2014 8:51 pm

Are you certain that these apache updates *are* actually security updates?

Gr.
Dirk.

firefexx
Posts: 2
Joined: Fri Jul 25, 2014 7:16 pm

Re: unattended-upgrades not working

Sat Jul 26, 2014 8:30 am

I'm not definitely sure but I thought they are security updates because I read something about CVE fixes in apache earlier the day.
Is there a way to check if these updates are security updates?

wuftymerguftyguff
Posts: 3
Joined: Tue May 29, 2012 11:11 am

Re: unattended-upgrades not working - shellshock

Fri Sep 26, 2014 11:30 am

I certainly can't pretend to be an expert in this area, but I have just noted that unattended-upgrades has not downloaded the patched version of bash for me.

I think that this is because the bash package in the repo does not have the label "Raspbian-Security"

Code: Select all

jeffa@MagnumPI:/var/log/unattended-upgrades# sudo unattended-upgrades --debug --dry-run | grep bash
Checking: bash (["<Origin component:'main' archive:'stable' origin:'Raspbian' label:'Raspbian' site:'archive.raspbian.org' isTr                        usted:True>"])
The default config in the package is:

Code: Select all

// Automatically upgrade packages from these origin patterns
Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=stable-updates";
//      "o=Raspbian,a=proposed-updates";
        "origin=Raspbian,archive=stable,label=Raspbian-Security";
};
So anything without the label Raspbian-Security will not get updated.

If you want automated updates for security only this does not work in my eyes.

Unless you know different....?? What am I doing wrong?

Jeff

:wq

slweiss
Posts: 1
Joined: Sun Dec 14, 2014 1:10 pm

Re: unattended-upgrades not working

Sun Dec 14, 2014 1:44 pm

I had a similar problem. Yesterday (2014-12-13) an update for libyaml-0-2 has been announced on the Debian security mailing list (from version 0.1.4-2+deb7u4 to 0.1.4-2+deb7u5), but unattended-upgrades did not install this update untiI I changed the line

Code: Select all

"origin=Raspbian,archive=stable,label=Raspbian-Security";
into

Code: Select all

"origin=Raspbian,archive=stable,label=Raspbian";
Silvio

nachoparker
Posts: 13
Joined: Mon Feb 20, 2017 8:39 am

Re: unattended-upgrades not working

Thu Jul 27, 2017 3:01 pm

Hello,

I would like to necro-bump this old thread.

I was very surprised at discovering that there is no Raspbian-Security label.

Please, is there any way we can ask for this to happen? Think of the many users that use Raspberry Pi as home mini-servers. They don't want to touch them, they don't want to administer them, they don't want them to break, but having automatic security updates would be a must for them.

I think it would be really important to implement this!! Raspbian is probably the leader IoT operating system, and nowadays there are so many security threats (shellshock, and so on and so on...)

Signed: NextCloudPi developer

https://ownyourbits.com/2017/02/13/next ... -pi-image/

User avatar
rpdom
Posts: 11708
Joined: Sun May 06, 2012 5:17 am
Location: Essex, UK

Re: unattended-upgrades not working

Thu Jul 27, 2017 8:52 pm

What makes you think that security updates aren't already included in the standard Raspbian setup? (Clue: They are. There is no need for a separate "security" updates section.)

User avatar
pandark
Posts: 2
Joined: Wed Sep 06, 2017 6:46 pm
Location: France

Re: unattended-upgrades not working

Wed Sep 13, 2017 1:08 pm

I think the idea is to apply only the security updates automatically, to minimize the chances of braking something while keeping the system relatively safe, and do the other updates manually. For that, you need to be able to distinguish between the two kinds of updates.

User avatar
rpdom
Posts: 11708
Joined: Sun May 06, 2012 5:17 am
Location: Essex, UK

Re: unattended-upgrades not working

Wed Sep 13, 2017 4:50 pm

In Debian Stable (Stretch) which Raspbian Stretch follows, there are only security updates. That's what "Stable" means.

Return to “Raspbian”

Who is online

Users browsing this forum: No registered users and 39 guests