
Automatically updating a Raspberry Pi

Set up the Raspberry Pi so that security updates are installed automatically. This matters most for devices that are directly reachable from the Internet and are an easy target for hackers.

Step-by-step guide

  1. First, bring the Raspberry Pi up to date:
    sudo apt-get update -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y
  2. The package unattended-upgrades takes care of installing updates automatically:
    sudo apt-get install unattended-upgrades
  3. Next, two configuration files are created. The easiest way to do this is with the following command:
    sudo dpkg-reconfigure unattended-upgrades
  4. In the setup wizard, first confirm with OK.
    In the next step, correct the line so that it matches Raspbian on the Raspberry Pi:

    "origin=Raspbian,codename=${distro_codename},label=Raspbian";"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
    At the end, two configuration files have been created.
  5. First configuration file: /etc/apt/apt.conf.d/20auto-upgrades
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";
    APT::Periodic::Update-Package-Lists "1"; updates the package lists.
    APT::Periodic::Unattended-Upgrade "1"; performs the unattended upgrades.
  6. Second configuration file: /etc/apt/apt.conf.d/50unattended-upgrades
    // Unattended-Upgrade::Origins-Pattern controls which packages are
    // upgraded.
    //
    // Lines below have the format format is "keyword=value,...".  A
    // package will be upgraded only if the values in its metadata match
    // all the supplied keywords in a line.  (In other words, omitted
    // keywords are wild cards.) The keywords originate from the Release
    // file, but several aliases are accepted.  The accepted keywords are:
    //   a,archive,suite (eg, "stable")
    //   c,component     (eg, "main", "contrib", "non-free")
    //   l,label         (eg, "Debian", "Debian-Security")
    //   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
    //   n,codename      (eg, "jessie", "jessie-updates")
    //     site          (eg, "http.debian.net")
    // The available values on the system are printed by the command
    // "apt-cache policy", and can be debugged by running
    // "unattended-upgrades -d" and looking at the log file.
    //
    // Within lines unattended-upgrades allows 2 macros whose values are
    // derived from /etc/debian_version:
    //   ${distro_id}            Installed origin.
    //   ${distro_codename}      Installed codename (eg, "jessie")
    Unattended-Upgrade::Origins-Pattern {
    // Codename based matching:
    // This will follow the migration of a release through different
    // archives (e.g. from testing to stable and later oldstable).
    //      "o=Debian,n=jessie";
    //      "o=Debian,n=jessie-updates";
    //      "o=Debian,n=jessie-proposed-updates";
    //      "o=Debian,n=jessie,l=Debian-Security";
     
    // Archive or Suite based matching:
    // Note that this will silently match a different release after
    // migration to the specified archive (e.g. testing becomes the
    // new stable).
    //      "o=Debian,a=stable";
    //      "o=Debian,a=stable-updates";
    //      "o=Debian,a=proposed-updates";
    "origin=Raspbian,codename=${distro_codename},label=Raspbian";
     
     
    // Additionally, for those running Raspbian on a Raspberry Pi,
    // match packages from the Raspberry Pi Foundation as well.
    "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
    };
     
    // List of packages to not update (regexp are supported)
    Unattended-Upgrade::Package-Blacklist {
    //      "vim";
    //      "libc6";
    //      "libc6-dev";
    //      "libc6-i686";
    };
     
    // This option allows you to control if on a unclean dpkg exit
    // unattended-upgrades will automatically run
    //   dpkg --force-confold --configure -a
    // The default is true, to ensure updates keep getting installed
    //Unattended-Upgrade::AutoFixInterruptedDpkg "false";
     
    // Split the upgrade into the smallest possible chunks so that
    // they can be interrupted with SIGUSR1. This makes the upgrade
    // a bit slower but it has the benefit that shutdown while a upgrade
    // is running is possible (with a small delay)
    //Unattended-Upgrade::MinimalSteps "true";
     
    // Install all unattended-upgrades when the machine is shuting down
    // instead of doing it in the background while the machine is running
    // This will (obviously) make shutdown slower
    //Unattended-Upgrade::InstallOnShutdown "true";
     
    // Send email to this address for problems or packages upgrades
    // If empty or unset then no email is sent, make sure that you
    // have a working mail setup on your system. A package that provides
    // 'mailx' must be installed. E.g. "user@example.com"
    //Unattended-Upgrade::Mail "root";
     
    // Set this value to "true" to get emails only on errors. Default
    // is to always send a mail if Unattended-Upgrade::Mail is set
    //Unattended-Upgrade::MailOnlyOnError "true";
     
    // Do automatic removal of new unused dependencies after the upgrade
    // (equivalent to apt-get autoremove)
    //Unattended-Upgrade::Remove-Unused-Dependencies "false";
     
    // Automatically reboot *WITHOUT CONFIRMATION* if
    //  the file /var/run/reboot-required is found after the upgrade
    //Unattended-Upgrade::Automatic-Reboot "false";
     
    // Automatically reboot even if there are users currently logged in.
    //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
     
    // If automatic reboot is enabled and needed, reboot at the specific
    // time instead of immediately
    //  Default: "now"
    //Unattended-Upgrade::Automatic-Reboot-Time "02:00";
     
    // Use apt bandwidth limit feature, this example limits the download
    // speed to 70kb/sec
    //Acquire::http::Dl-Limit "70";
     
    // Enable logging to syslog. Default is False
    // Unattended-Upgrade::SyslogEnable "false";
     
    // Specify syslog facility. Default is daemon
    // Unattended-Upgrade::SyslogFacility "daemon";
    The comments are self-explanatory, so the configuration file can be refined as needed.
  7. For debugging, the following command can be used:
    sudo unattended-upgrade -d
  8. The corresponding log files are here:
    cat /var/log/unattended-upgrades/unattended-upgrades.log
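
The following check is an added example, not part of the original guide: it audits the two files from steps 5 and 6 and fails when a periodic job is off or when the Origins-Pattern block has no active entry in the exact form entered in step 4. The function names, the directory argument and the sample files are assumptions constructed for this example.

```sh
# Added example: audit the two files from steps 5 and 6. Function names and
# the directory argument are assumptions of this example.

# Value of an uncommented APT::Periodic::<key> line; empty if there is none.
periodic_value() {  # $1 = key, $2 = config dir
    sed -n "s|^[[:space:]]*APT::Periodic::$1[[:space:]]*\"\([^\"]*\)\";.*|\1|p" \
        "$2/20auto-upgrades" 2>/dev/null | tail -n 1
}

# Active (uncommented) entries of the Origins-Pattern block, one per line.
active_origins() {  # $1 = config dir
    awk '
        /^[ \t]*\/\//  { next }                          # comment line
        /Unattended-Upgrade::Origins-Pattern[ \t]*[{]/ { inblock = 1; next }
        inblock && /[}];/ { inblock = 0 }                # end of the block
        inblock && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1/50unattended-upgrades" 2>/dev/null
}

# Returns 0 only if both periodic jobs are on and both Raspbian origins match.
audit_unattended() {  # $1 = config dir (default: the real one)
    dir=${1:-/etc/apt/apt.conf.d}; rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$key" "$dir")
        case $val in
            ''|0) echo "FAIL APT::Periodic::$key is unset or \"0\""; rc=1 ;;
            *)    echo "ok   APT::Periodic::$key = \"$val\"" ;;
        esac
    done
    origins=$(active_origins "$dir" || true)
    for want in "origin=Raspbian," "origin=Raspberry Pi Foundation,"; do
        if printf '%s\n' "$origins" | grep -qF "$want"
        then echo "ok   active pattern for $want"
        else echo "FAIL no active pattern for $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: step 4 was skipped, so only a Debian pattern is active.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo/20auto-upgrades"
printf '%s\n' 'Unattended-Upgrade::Origins-Pattern {' \
              '//      "o=Debian,n=jessie";' \
              '        "origin=Debian,codename=${distro_codename},label=Debian-Security";' \
              '};' > "$demo/50unattended-upgrades"
audit_unattended "$demo" || echo "=> packages from the Raspbian archives would not match"
```

On the Pi itself, calling audit_unattended without an argument checks /etc/apt/apt.conf.d.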
