Closed Yannik closed 8 years ago
I compiled some information on how to handle selection of these Patterns:
Show all the different Origins you are using packages from:
find /var/lib/apt/lists/ -iname "*Release" -exec sh -c 'echo "===== {} ====="; cat "{}" | head; echo' \;
Alternatively:
apt-cache policy
This is the main package repo on rasbian:
===== /var/lib/apt/lists/mirrordirector.raspbian.org_raspbian_dists_wheezy_Release =====
Origin: Raspbian
Label: Raspbian
Suite: oldstable
Codename: wheezy
Version: 7.0
Date: Wed, 24 Feb 2016 22:17:49 UTC
Architectures: armhf
Components: main contrib non-free rpi firmware
Show the ${distro_id}
and ${distro_codename}
of your host:
#!python
import lsb_release
print "distro_id: " + lsb_release.get_distro_information()['ID']
print "distro_codename: " + lsb_release.get_distro_information()['CODENAME']
print "Full distro information: "
lsb_release.get_distro_information()
This is the default /etc/apt/apt.conf.d/50unattended-upgrades
on raspbian wheezy:
Unattended-Upgrade::Origins-Pattern {
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Raspbian,a=stable";
// "o=Raspbian,a=stable-updates";
// "o=Raspbian,a=proposed-updates";
"origin=Raspbian,archive=stable,label=Raspbian-Security";
};
However, there is actually no repo with label Raspbian-Security
installed on this system (default installation) I am running:
$ grep --no-filename -r "^Label" /var/lib/apt/lists/
Label: Webmin
Label: ansible
Label: Raspbian
Label: Raspberry Pi Foundation
Label: Collabora Raspberry Pi graphics enablement
Label: Raspbian
This is the output on debian jessie (normal installation, not raspbian):
$ grep --no-filename -r "^Label" /var/lib/apt/lists/
Label: Debian
Label: Debian Backports
Label: ansible
Label: Debian
Label: Debian-Security
Label: packages.dotdeb.org
Here we have a Debian-Security
package.
And on ubuntu trusty, there is none again:
$ grep --no-filename -r "^Label" /var/lib/apt/lists/
Label: PPA for PHP (5.6, 7.0)
Label: Ubuntu
Label: ansible
Label: Ubuntu
Label: Ubuntu
However, ubuntu uses 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']
as its default origin pattern.
$ grep -r "trusty-security" /var/lib/apt/lists/
/var/lib/apt/lists/de.archive.ubuntu.com_ubuntu_dists_trusty-security_InRelease:Suite: trusty-security
...archive
and suite
are apparantly the same (https://github.com/jnv/ansible-role-unattended-upgrades#origins-patterns points this out too).
Apparantly the codename directive is not supported in unattended-upgrades 0.79.5 (debian/raspbian wheezy -> python2.7), but is supported in 0.82 and 0.83 (ubuntu trusty/debian jessie->python3).
unattended-upgrades (0.80) unstable; urgency=low
* data/50unattended-upgrades.Debian:
- use ${distro_codename} instead of "stable" to avoid issues
on release upgrades, thanks to Evgeny Kapun (closes: #707002)
* switch to python3 by default
unattended-upgrades (0.80~exp2) experimental; urgency=low
* add codename based matching
* add support for "${distro_id}", "${distro_codename}" in the
Unattended-Upgrade::Origins-Pattern based matching too
and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707002
Well, I think you should be able to fix this by overriding unattended_origins_patterns
variable. Just pass in Ansible's fact, e.g.:
unattended_origins_patterns:
- 'origin=Debian,codename={{ansible_distribution_release}},label=Debian-Security'
You could also use ansible_lsb.codename
-- see documentation. Alternatively check Raspbian's default configuration for the package and use that instead.
I would prefer not to support older versions of the unattended-upgrades package in this role, however since this override is in place, I think it is easier to just document the recommendedation.
I got an overview about the whole issue now.
First: The codename directive not being supported on unattended-upgrades < 0.80
, this should just be documented in the README.md.
Second:
The Raspbian Origin is "Raspbian", so when including the default origin pattern based on the ansible_distribution
, which is Debian
too, the default origin pattern will of course be incompatible.
There is a very easy way to get the distribution vendor: dpkg-vendor --query Vendor
. This returns Ubuntu
, for any ubuntu release, Debian
for any debian release and Raspbian
for any raspbian release.
It would be nice to use this and provide a default template for raspbian as well.
Third:
The default origin set by the unattended-upgrades
package on raspbian wheezy, which is "origin=Raspbian,archive=stable,label=Raspbian-Security";
(the template in the actual unattended-upgrades
repo is different again: https://github.com/mvo5/unattended-upgrades/blob/debian/jessie/data/50unattended-upgrades.Raspbian - no idea why - but it has the same flaw) uses the label Raspbian-Security
. This label does not exist and is never used. On raspbian, all security updates are just shoved into the Raspbian
labeled repo. This has been confirmed here: https://www.raspberrypi.org/forums/viewtopic.php?t=72383&p=524340 and https://www.raspberrypi.org/forums/viewtopic.php?t=82863&p=585739
unattended-upgrades -d
confirms it aswell: Updates which are security critical are in the Rasbian
labeled repo.
So, this leaves me to decide whether to not install security updates at all or install all Raspbian updates, including non-security ones. Not a very great choice. I will probably go with the latter, but am quite unhappy about it, as this is a system with alot of manual configuration which I don't wont to get destroyed by lazy package maintainers. (Had this happen yesterday in a very very bad way: https://github.com/oerdnj/deb.sury.org/issues/266)
I would love to provide sensible defaults for Raspbian, however given how the security updates are handled, I don't see any acceptable default solution at all. Furthermore, the default configuration for Raspbian's version of unattended-upgrades is broken; I don't think role is the best place for bugs workarounds.
However, if you use third-party APT sources, I think you should be able to mask them out using Origin Patterns.
Anyway, I prefer if we could just document this in README, including the caveats.
I agree, installing all updates is definitely not a sensible default. Setting no allowed origins is maybe the most useful thing to do (in addition to documenting this), as this is better than having a faulty origin pattern intended for debian.
This PR adds some explanation about ${distro_codename}
.
Some more additions to README could be done about the issues we discussed.
The new commit to #20 includes information about raspbian and additional differentation between using codename and archive in the examples. Please review.
This is now merged-in. Thanks!
Hi,
on a wheezy installation (raspbian), I get this error when running
unattended-upgrade
:unattended-upgrades is > 0.70.
Can you give me any advice how to fix this properly?