Problems on raspbian/debian wheezy

[Yannik]

Hi,

on a wheezy installation (raspbian), I get this error when running unattended-upgrade:

Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 1011, in <module>
    main(options)
  File "/usr/bin/unattended-upgrade", line 793, in main
    allowed_origins=allowed_origins)
  File "/usr/bin/unattended-upgrade", line 75, in __init__
    self.adjust_candidate_versions()
  File "/usr/bin/unattended-upgrade", line 92, in adjust_candidate_versions
    if is_allowed_origin(pkg.candidate, self.allowed_origins):
  File "/usr/bin/unattended-upgrade", line 364, in is_allowed_origin
    if match_whitelist_string(allowed, origin):
  File "/usr/bin/unattended-upgrade", line 272, in match_whitelist_string
    what, token))
__main__.UnknownMatcherError: Unknown whitelist entry for macher 'codename' (token 'codename=wheezy')

ii  unattended-upgrades                   0.79.5+rpi1                             all          automatic installation of security upgrades

unattended-upgrades is > 0.70.

Can you give me any advice how to fix this properly?

[Yannik]

I compiled some information on how to handle selection of these Patterns:

Show all the different Origins you are using packages from:

find /var/lib/apt/lists/ -iname "*Release" -exec sh -c 'echo "=====  {}  ====="; cat "{}" | head; echo' \;

Alternatively:

apt-cache policy

This is the main package repo on rasbian:

=====  /var/lib/apt/lists/mirrordirector.raspbian.org_raspbian_dists_wheezy_Release  =====
Origin: Raspbian
Label: Raspbian
Suite: oldstable
Codename: wheezy
Version: 7.0
Date: Wed, 24 Feb 2016 22:17:49 UTC
Architectures: armhf
Components: main contrib non-free rpi firmware

Show the ${distro_id} and ${distro_codename} of your host:

#!python
import lsb_release
print "distro_id: " + lsb_release.get_distro_information()['ID']
print "distro_codename: " + lsb_release.get_distro_information()['CODENAME']
print "Full distro information: " 
lsb_release.get_distro_information()

This is the default /etc/apt/apt.conf.d/50unattended-upgrades on raspbian wheezy:

Unattended-Upgrade::Origins-Pattern {
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Raspbian,a=stable";
//      "o=Raspbian,a=stable-updates";
//      "o=Raspbian,a=proposed-updates";
        "origin=Raspbian,archive=stable,label=Raspbian-Security";
};

However, there is actually no repo with label Raspbian-Security installed on this system (default installation) I am running:

$ grep --no-filename -r "^Label" /var/lib/apt/lists/
Label: Webmin
Label: ansible
Label: Raspbian
Label: Raspberry Pi Foundation
Label: Collabora Raspberry Pi graphics enablement
Label: Raspbian

This is the output on debian jessie (normal installation, not raspbian):

$ grep --no-filename -r "^Label" /var/lib/apt/lists/
Label: Debian
Label: Debian Backports
Label: ansible
Label: Debian
Label: Debian-Security
Label: packages.dotdeb.org

Here we have a Debian-Security package.

And on ubuntu trusty, there is none again:

$ grep --no-filename -r "^Label" /var/lib/apt/lists/

Label: PPA for PHP (5.6, 7.0)
Label: Ubuntu
Label: ansible
Label: Ubuntu
Label: Ubuntu

However, ubuntu uses 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu'] as its default origin pattern.

$ grep -r "trusty-security" /var/lib/apt/lists/
/var/lib/apt/lists/de.archive.ubuntu.com_ubuntu_dists_trusty-security_InRelease:Suite: trusty-security

...archive and suite are apparantly the same (https://github.com/jnv/ansible-role-unattended-upgrades#origins-patterns points this out too).

[Yannik]

Apparantly the codename directive is not supported in unattended-upgrades 0.79.5 (debian/raspbian wheezy -> python2.7), but is supported in 0.82 and 0.83 (ubuntu trusty/debian jessie->python3).

unattended-upgrades (0.80) unstable; urgency=low
  * data/50unattended-upgrades.Debian:
    - use ${distro_codename} instead of "stable" to avoid issues
      on release upgrades, thanks to Evgeny Kapun (closes: #707002)
  * switch to python3 by default

unattended-upgrades (0.80~exp2) experimental; urgency=low
  * add codename based matching 
  * add support for "${distro_id}", "${distro_codename}" in the 
    Unattended-Upgrade::Origins-Pattern based matching too

Source: http://metadata.ftp-master.debian.org/changelogs/main/u/unattended-upgrades/unattended-upgrades_0.83.3.2+deb8u1_changelog

and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707002

[jnv]

Well, I think you should be able to fix this by overriding unattended_origins_patterns variable. Just pass in Ansible's fact, e.g.:

unattended_origins_patterns:
  - 'origin=Debian,codename={{ansible_distribution_release}},label=Debian-Security'

You could also use ansible_lsb.codename -- see documentation. Alternatively check Raspbian's default configuration for the package and use that instead.

I would prefer not to support older versions of the unattended-upgrades package in this role, however since this override is in place, I think it is easier to just document the recommendedation.

[Yannik]

I got an overview about the whole issue now.

First: The codename directive not being supported on unattended-upgrades < 0.80, this should just be documented in the README.md.

Second:

The Raspbian Origin is "Raspbian", so when including the default origin pattern based on the ansible_distribution, which is Debian too, the default origin pattern will of course be incompatible. There is a very easy way to get the distribution vendor: dpkg-vendor --query Vendor. This returns Ubuntu, for any ubuntu release, Debian for any debian release and Raspbian for any raspbian release.

It would be nice to use this and provide a default template for raspbian as well.

Third: The default origin set by the unattended-upgrades package on raspbian wheezy, which is "origin=Raspbian,archive=stable,label=Raspbian-Security"; (the template in the actual unattended-upgrades repo is different again: https://github.com/mvo5/unattended-upgrades/blob/debian/jessie/data/50unattended-upgrades.Raspbian - no idea why - but it has the same flaw) uses the label Raspbian-Security. This label does not exist and is never used. On raspbian, all security updates are just shoved into the Raspbian labeled repo. This has been confirmed here: https://www.raspberrypi.org/forums/viewtopic.php?t=72383&p=524340 and https://www.raspberrypi.org/forums/viewtopic.php?t=82863&p=585739

unattended-upgrades -d confirms it aswell: Updates which are security critical are in the Rasbian labeled repo.

So, this leaves me to decide whether to not install security updates at all or install all Raspbian updates, including non-security ones. Not a very great choice. I will probably go with the latter, but am quite unhappy about it, as this is a system with alot of manual configuration which I don't wont to get destroyed by lazy package maintainers. (Had this happen yesterday in a very very bad way: https://github.com/oerdnj/deb.sury.org/issues/266)

[jnv]

I would love to provide sensible defaults for Raspbian, however given how the security updates are handled, I don't see any acceptable default solution at all. Furthermore, the default configuration for Raspbian's version of unattended-upgrades is broken; I don't think role is the best place for bugs workarounds.

However, if you use third-party APT sources, I think you should be able to mask them out using Origin Patterns.

Anyway, I prefer if we could just document this in README, including the caveats.

[Yannik]

I agree, installing all updates is definitely not a sensible default. Setting no allowed origins is maybe the most useful thing to do (in addition to documenting this), as this is better than having a faulty origin pattern intended for debian. This PR adds some explanation about ${distro_codename}.

Some more additions to README could be done about the issues we discussed.

[Yannik]

The new commit to #20 includes information about raspbian and additional differentation between using codename and archive in the examples. Please review.

[jnv]

This is now merged-in. Thanks!