
    Configuring apt on Debian 11/12 to install only security updates, without a system upgrade

    Posted by 牧人 on 2024-08-30 17:03:00

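    On Debian, apt can be configured so that the system installs only security patches and does not perform a full system upgrade. The steps are as follows:
    1. Install the unattended-upgrades package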

    sudo apt-get update
    sudo apt-get install unattended-upgrades

    2. Edit the apt configuration file

    sudo vi /etc/apt/apt.conf.d/50unattended-upgrades 
    Comment out these three lines:
    "origin=Debian,codename=${distro_codename},label=Debian";
    Unattended-Upgrade::Package-Blacklist {
    };
    Only the lines shown below need to remain:
    grep -v '//' /etc/apt/apt.conf.d/50unattended-upgrades
    Unattended-Upgrade::Origins-Pattern {
            "origin=Debian,codename=${distro_codename},label=Debian-Security";
            "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    
    };

    3. Update and apply the configuration:

    sudo apt-get update
    sudo unattended-upgrade

    Security-only updates are now configured. Check the log to confirm:

    root@devops11:~# cat /var/log/unattended-upgrades/unattended-upgrades.log
    2024-08-30 04:51:38,284 INFO Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
    2024-08-30 04:51:38,292 INFO Starting unattended upgrades script
    2024-08-30 04:51:38,293 INFO Allowed origins are: origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
    2024-08-30 04:51:38,293 INFO Initial blacklist:
    2024-08-30 04:51:38,293 INFO Initial whitelist (not strict):
    2024-08-30 04:51:38,980 INFO No packages found that can be upgraded unattended and no pending auto-removals
    root@devops11:~# unattended-upgrade -d
    Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
    Starting unattended upgrades script
    Allowed origins are: origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
    Initial blacklist:
    Initial whitelist (not strict):
    Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye-updates_main_i18n_Translation-en'  a=oldstable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='' site='mirrors.163.com' IndexType='Debian Translation Index' Size=58637 ID:5> with -32768 pin
    Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye-updates_main_binary-amd64_Packages'  a=oldstable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='amd64' site='mirrors.163.com' IndexType='Debian Package Index' Size=79301 ID:4> with -32768 pin
    Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye_main_i18n_Translation-en'  a=oldstable,c=main,v=11.10,o=Debian,l=Debian arch='' site='mirrors.163.com' IndexType='Debian Translation Index' Size=30255023 ID:1> with -32768 pin
    Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye_main_binary-amd64_Packages'  a=oldstable,c=main,v=11.10,o=Debian,l=Debian arch='amd64' site='mirrors.163.com' IndexType='Debian Package Index' Size=45560272 ID:0> with -32768 pin
    Applying pinning: PkgFilePin(id=5, priority=-32768)
    Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye-updates_main_i18n_Translation-en'  a=oldstable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='' site='mirrors.163.com' IndexType='Debian Translation Index' Size=58637 ID:5>
    Applying pinning: PkgFilePin(id=4, priority=-32768)
    Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye-updates_main_binary-amd64_Packages'  a=oldstable-updates,c=main,v=11-updates,o=Debian,l=Debian arch='amd64' site='mirrors.163.com' IndexType='Debian Package Index' Size=79301 ID:4>
    Applying pinning: PkgFilePin(id=1, priority=-32768)
    Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye_main_i18n_Translation-en'  a=oldstable,c=main,v=11.10,o=Debian,l=Debian arch='' site='mirrors.163.com' IndexType='Debian Translation Index' Size=30255023 ID:1>
    Applying pinning: PkgFilePin(id=0, priority=-32768)
    Applying pin -32768 to package_file: <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/mirrors.163.com_debian_dists_bullseye_main_binary-amd64_Packages'  a=oldstable,c=main,v=11.10,o=Debian,l=Debian arch='amd64' site='mirrors.163.com' IndexType='Debian Package Index' Size=45560272 ID:0>
    Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages
    Using (^linux-.*-5\.10\.0\-32\-amd64$|^linux-.*-5\.10\.0\-32$|^kfreebsd-.*-5\.10\.0\-32\-amd64$|^kfreebsd-.*-5\.10\.0\-32$|^gnumach-.*-5\.10\.0\-32\-amd64$|^gnumach-.*-5\.10\.0\-32$|^.*-modules-5\.10\.0\-32\-amd64$|^.*-modules-5\.10\.0\-32$|^.*-kernel-5\.10\.0\-32\-amd64$|^.*-kernel-5\.10\.0\-32$|^linux-.*-5\.10\.0\-32\-amd64$|^linux-.*-5\.10\.0\-32$|^kfreebsd-.*-5\.10\.0\-32\-amd64$|^kfreebsd-.*-5\.10\.0\-32$|^gnumach-.*-5\.10\.0\-32\-amd64$|^gnumach-.*-5\.10\.0\-32$|^.*-modules-5\.10\.0\-32\-amd64$|^.*-modules-5\.10\.0\-32$|^.*-kernel-5\.10\.0\-32\-amd64$|^.*-kernel-5\.10\.0\-32$) regexp to find running kernel packages
    pkgs that look like they should be upgraded:
    Fetched 0 B in 0s (0 B/s)
    fetch.run() result: 0
    Packages blacklist due to conffile prompts: []
    No packages found that can be upgraded unattended and no pending auto-removals
    Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2024-08-30 04:52:49
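
The log check above can be automated. The script below is an added example, not part of the original post: it reads the newest `Allowed origins are:` line from the unattended-upgrades log and reports any origin whose label is not `Debian-Security`. The function names and the second sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "Allowed origins are:" line that unattended-upgrade
# writes to its log at the start of each run.

# Print each allowed origin from the newest run whose label is not Debian-Security.
non_security_origins() {
    grep 'Allowed origins are:' "$1" 2>/dev/null | tail -n 1 |
        sed 's/^.*Allowed origins are: *//' |
        awk -F', ' '{
            for (i = 1; i <= NF; i++)
                if ($i != "" && $i !~ /(^|,)label=Debian-Security(,|$)/) print $i
        }'
}

# Exit status: 0 = security-only, 1 = other origins allowed, 2 = no run in the log.
check_security_only() {
    if ! grep -q 'Allowed origins are:' "$1" 2>/dev/null; then
        echo "no unattended-upgrades run recorded in $1" >&2
        return 2
    fi
    bad=$(non_security_origins "$1")
    if [ -n "$bad" ]; then
        echo "origins outside Debian-Security are allowed:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample logs: good.log reuses the line shown on this page,
# mixed.log is made up and re-enables the label=Debian origin in its newest run.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.log" <<'EOF'
2024-08-30 04:51:38,292 INFO Starting unattended upgrades script
2024-08-30 04:51:38,293 INFO Allowed origins are: origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
EOF
cat > "$sample_dir/mixed.log" <<'EOF'
2024-08-30 04:51:38,293 INFO Allowed origins are: origin=Debian,codename=bullseye,label=Debian-Security
2024-08-31 04:51:38,293 INFO Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye-security,label=Debian-Security
EOF

check_security_only "$sample_dir/good.log" && echo "good.log: security-only"
check_security_only "$sample_dir/mixed.log" || echo "mixed.log: exit status $?"
```

On a real host, pass `/var/log/unattended-upgrades/unattended-upgrades.log` to `check_security_only`, for example from a monitoring check.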

