Ubuntu Unattended Upgrades

After first installing 64-bit Ubuntu on a Raspberry Pi 4B, I ran the following apt command:

apt install screen

It failed with this error:

Waiting for cache lock: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 2542 (unattended-upgr)

The process list shows this process running on the system:

/usr/bin/python3 /usr/bin/unattended-upgrade

There may also be several processes:

root        1317  0.0  0.2 107792 19076 ?        Ssl  00:34   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root        2542 33.4  1.6 296300 134172 ?       Sl   00:39   1:19 /usr/bin/python3 /usr/bin/unattended-upgrade
root        4534  1.0  1.0 296300 87332 ?        S    00:42   0:00 /usr/bin/python3 /usr/bin/unattended-upgrade
  • Check the service status:

    systemctl status unattended-upgrades
    

Output:

● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-04-01 17:25:51 UTC; 6 months 19 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 1317 (unattended-upgr)
      Tasks: 2 (limit: 9254)
     CGroup: /system.slice/unattended-upgrades.service
             └─1317 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Apr 01 17:25:51 pi-worker1 systemd[1]: Started Unattended Upgrades Shutdown.
  • Check what the apt update command reports:

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    69 packages can be upgraded. Run 'apt list --upgradable' to see them.
    

The number in "XX packages can be upgraded" keeps decreasing, which shows that packages are being upgraded in the background.

Introduction to unattended-upgrades

The unattended-upgrades service installs security patches automatically.

  • If the unattended-upgrades package is not installed by default, install it with:

Install the unattended-upgrades package with apt
sudo apt install unattended-upgrades
  • After installation, enable it interactively with:

    sudo dpkg-reconfigure --priority=low unattended-upgrades
    

The command above creates /etc/apt/apt.conf.d/20auto-upgrades with the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
  • Instead of the interactive command, you can enable unattended-upgrades by writing the configuration file directly:

Enable unattended-upgrades from the command line
cat << EOF > /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

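When the apt job starts, it sleeps for a random time between 0 and APT::Periodic::RandomSleep seconds. The default is 1800 seconds, that is, a pause of up to 30 minutes, which keeps large numbers of users from hitting the mirror sites at the same moment and overloading them. Only set this value to 0 if you use a local mirror.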

For more debugging information about upgrades, set APT::Periodic::Verbose "1";

Current unattended-upgrades configuration

Run the following command to see the current apt configuration:

apt-config dump APT::Periodic::Unattended-Upgrade
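
A way to turn that dump into a pass/fail check for whether automatic upgrades are actually switched on, as an added example that is not part of the original page. The function names and sample inputs are constructed for illustration, and treating a missing key as "0" (off) is this example's assumption.

```shell
#!/bin/sh
# Added example: audit APT::Periodic settings from `apt-config dump` text.

# periodic_value KEY: read dump text on stdin and print the value of
# APT::Periodic::KEY; a missing or empty key is reported as "0" (assumption).
periodic_value() {
    awk -v key="APT::Periodic::$1" '
        $1 == key { v = $2; gsub(/[";]/, "", v); found = v }
        END { print (found == "" ? "0" : found) }
    '
}

# auto_upgrade_state: print "enabled" only when both the package-list refresh
# and the unattended upgrade run are on; otherwise name the setting that is off.
auto_upgrade_state() {
    dump=$(cat)
    lists=$(printf '%s\n' "$dump" | periodic_value Update-Package-Lists)
    upgr=$(printf '%s\n' "$dump" | periodic_value Unattended-Upgrade)
    if [ "$upgr" = "0" ]; then
        echo "disabled: Unattended-Upgrade=$upgr"
    elif [ "$lists" = "0" ]; then
        echo "stale: Update-Package-Lists=$lists"
    else
        echo "enabled"
    fi
}

# Constructed sample inputs in the format `apt-config dump` prints.
SAMPLE_ON='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";'
SAMPLE_OFF='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

printf '%s\n' "$SAMPLE_ON" | auto_upgrade_state
printf '%s\n' "$SAMPLE_OFF" | auto_upgrade_state
# On a real host: apt-config dump APT::Periodic | auto_upgrade_state
```

The "stale" result covers a host where upgrades are enabled but the package lists are never refreshed, so no new security updates would be seen.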

Setting up cron and aptitude

  • To install security patches weekly, add a /etc/cron.weekly/apt-security-updates script with the following content:

    #!/bin/sh
    # Weekly security-only upgrade; all output is appended to the log file
    echo "**************" >> /var/log/apt-security-updates
    date >> /var/log/apt-security-updates
    aptitude update >> /var/log/apt-security-updates
    aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> /var/log/apt-security-updates
    echo "Security updates (if any) installed"
    

Note that this file must be made executable:

sudo chmod +x /etc/cron.weekly/apt-security-updates

The upgrade then runs every week.

  • Also set up rotation for the upgrade log by editing /etc/logrotate.d/apt-security-updates so that it contains:

    /var/log/apt-security-updates {
      rotate 2
      weekly
      size 250k
      compress
      notifempty
    }
    

Disabling unattended-upgrades

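When booting or shutting down Ubuntu, I noticed a job in the console output that stalls for a long time until it times out, with output like this: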

A stop job is running for Unattended Upgrades Shutdown (10s / 30 min)

The timeout is especially long when networking is not configured properly and the host cannot reach the internet.

  • Stop the service:

    systemctl stop unattended-upgrades
    

Stopping unattended-upgrades takes some time: it does not exit until the package upgrades currently running in the background have finished.

  • Disable unattended-upgrades:

    systemctl disable unattended-upgrades
    

After this, booting no longer waits a long time for the upgrade process to finish, and shutdown is also quicker.

It can also be turned off interactively: sudo dpkg-reconfigure unattended-upgrades

  • If you really do not need automatic upgrades, you can also remove the package:

    sudo apt remove unattended-upgrades
    
