Automating updates with cron-apt

From the Campus São José MediaWiki

It is always good to keep the system up to date, but we often forget to do it. The cron-apt script automates this task. As the name suggests, it schedules runs of apt-get or aptitude to update the packages on your system.

NOTE: Automated package updates are not recommended for the testing and unstable releases of Debian. Even on stable, use them at your own risk.

Install the cron-apt package.

    sudo apt-get update
    sudo apt-get install cron-apt

Edit the file /etc/cron-apt/config.

NOTE: Some installations ship this file empty; for that case an example follows:

File /etc/cron-apt/config

    # Configuration for cron-apt. For further information about the possible
    # configuration settings see /usr/share/doc/cron-apt/README.gz.

    # The command used to execute all actions. By default, apt-get is used.
    # Change this to /usr/bin/aptitude to use aptitude instead, which will
    # resolve changed Recommends (and Suggests as well, if aptitude is so
    # configured). You can also set other utilities (especially useful in the
    # config.d directory) to set some completely different tool.
    # OBSERVE that this tool is intended for apt-get and tools like aptitude do not
    # have full support for noninteractive upgrades. You may have to tune options
    # to not create infinite logfiles for example.
    # APTCOMMAND=/usr/bin/apt-get
    APTCOMMAND=/usr/bin/aptitude
    # APTCOMMAND=/usr/bin/apt-file

    # If FILTERCTRLM is "true", then any line containing ^M in the apt-get
    # output will be filtered from log/mail/console output. This is useful
    # with aptitude, which does not currently support -qq (very quiet).
    # This feature is considered experimental and will not work with
    # for example MAILON=upgrade.
    # FILTERCTRLM="false"

    # A path is needed for this to work. This is the default PATH.
    export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin

    # The random sleep time in seconds. This is used to prevent clients from
    # accessing the APT sources all at the same time and overwhelming them.
    # Default is 3600 seconds which means one hour.
    RUNSLEEP=3600

    # The directory where the actions are stored.
    # ACTIONDIR="/etc/cron-apt/action.d"

    # The directory where configuration per action is stored. The message file
    # must have the same name as the action file.
    # ACTIONCONFDIR="/etc/cron-apt/config.d"

    # The directory where messages that will be prepended to the email that is
    # sent (per action) are stored. The message file must have the same name as
    # the action file.
    # MAILMSGDIR="/etc/cron-apt/mailmsg.d"

    # The directory where messages that will be prepended to text that is
    # sent (per action) to syslog. The message file must have the same name as
    # the action file.
    # SYSLOGMSGDIR="/etc/cron-apt/syslogmsg.d"

    # The directory where messages that will be prepended to the error message
    # (per action) are stored. The message file must have the same name as
    # the action file.
    # ERRORMSGDIR="/etc/cron-apt/errormsg.d"

    # The directory where messages that will be prepended to the log (debug)
    # message (per action) are stored. The message file must have the same name as
    # the action file.
    # LOGMSGDIR="/etc/cron-apt/logmsg.d"

    # The directory where messages that will be prepended to the mail message
    # (per MAILON type) are stored. The message file must have the same name as
    # the $MAILON directive.
    # MAILONMSGSDIR="/etc/cron-apt/mailonmsgs"

    # The directory where messages that will be prepended to the syslog message
    # (per SYSLOGON type) are stored. The message file must have the same name as
    # the $SYSLOGON directive.
    # SYSLOGONMSGSDIR="/etc/cron-apt/syslogonmsgs"

    # Value: ""       (warn if dotlockfile not installed)
    #        "nowarn" (don't give warning if dotlockfile not installed)
    # NOLOCKWARN=""

    # The file that contains error messages.
    # ERROR="/var/log/cron-apt/error"

    # The file that contains current run information
    # when still running the script.
    # TEMP="/var/log/cron-apt/temp"

    # The logfile (for debugging). Use syslog for normal logging.
    # LOG="/var/log/cron-apt/log"

    # The mail file.
    MAIL="/var/log/cron-apt/mail"

    # The email address to send mail to.
    MAILTO="rmartins@ifsc.edu.br"

    # When to send email about the cron-apt results.
    # Value: error   (send mail on error runs)
    #        upgrade (when packages are upgraded)
    #        changes (mail when change in output from an action)
    #        output  (send mail when output is generated)
    #        always  (always send mail)
    #                (else never send mail)
    MAILON="always"

    # Value: error   (syslog on error runs)
    #        upgrade (when packages are upgraded)
    #        changes (syslog when change in output from an action)
    #        output  (syslog when output is generated)
    #        always  (always syslog)
    #                (else never syslog)
    SYSLOGON="always"

    # Value: error   (exit on error only)
    #                (else never exit)
    # EXITON="error"

    # Value: verbose (log everything)
    #        always  (always log)
    #        upgrade (when packages are upgraded)
    #        changes (log when change in output from an action)
    #        output  (log when output is generated)
    #        error   (log error runs only)
    #                (else log nothing)
    DEBUG="always"

    # What to do with the diff when *ON=changes.
    # Value: prepend (prepend to the output)
    #        append  (append to the output)
    #        only    (only show the diff, not the output itself)
    #                (else do nothing)
    # DIFFONCHANGES=prepend

    # General apt options that will be passed to all APTCOMMAND calls.
    # Use "-o quiet" instead of "-q" for aptitude compatibility.
    # OPTIONS="-o quiet=1"
    # You can for example add an alternative sources.list file here.
    # OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list"
    # If you want to allow unauthenticated and untrusted packages add the
    # following to your options directive.
    # This will only work with aptitude >= 0.3.5
    # The --assume-yes option will answer yes to almost all questions. This
    # is not very safe, and can fill up your /tmp file system (#316606) due
    # to an aptitude bug (#332885) which shows if --assume-yes is used and
    # untrusted packages would be installed. This aptitude bug is fixed in
    # aptitude 0.3.4.
    # OPTIONS="-o quiet=1 -o APT::Get::AllowUnauthenticated=true -o aptitude::Cmdline::ignore-trust-violations=yes"

    # Do not run the command, if there is an error in the previous run (default).
    # Value: error (do not run if there is an error on last run)
    #              (else always run, remove previous error file and run)
    # DONTRUN=""

    # If this file exists cron-apt will silently exit.
    # REFRAINFILE=/etc/cron-apt/refrain

    # If this is non-empty, it will be used as the host name in subjects of
    # generated e-mail messages. If this is empty, the output of uname -n
    # will be used.
    # HOSTNAME=""

    # Ignore lines matching this regexp to determine whether changes occurred
    # for MAILON="changes". If empty no lines will be ignored.
    # Suggested value for aptitude:
    # DIFFIGNORE="^\(Get:[[:digit:]]\+\|Hit\|Ign\|Del\|Fetched\|Freed\|Reading\)[[:space:]]"
    # Suggested value for apt-get:
    # DIFFIGNORE="^\(Get:[[:digit:]]\+\|Hit\|Ign\)[[:space:]]"
    # Default:
    # DIFFIGNORE=""


By default it only downloads the packages, without installing them, using the dist-upgrade option. Here I show how to change this action, which is not very useful.

Edit the file /etc/cron-apt/action.d/3-download, changing the following line:

    dist-upgrade -d -y -o APT::Get::Show-Upgraded=true

to:

    safe-upgrade -y -o APT::Get::Show-Upgraded=true
    autoclean -y

cron-apt is scheduled to run at 4 a.m. every day. To change this schedule, edit the following line in the file /etc/cron.d/cron-apt:

    0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt

Be careful when using automated tools to manage your systems. For that reason I strongly recommend configuring e-mail delivery, so that you can safely follow every action this tool performs.

You can also specify an alternative sources.list. To do so, create a file inside the "/etc/cron-apt/action.d" directory. As an example I will add security updates to show what the configuration files should look like.

File created: /etc/cron-apt/action.d/5-security, containing:

    upgrade -y -o APT::Get::Show-Upgraded=true

File created: /etc/cron-apt/config.d/5-security, containing:

    OPTIONS="-o quiet=1 --no-list-cleanup -o Dir::Etc::SourceList=/etc/apt/sources.list.d/security.list -o Dir::Etc::SourceParts=\"/dev/null\""

For this to work, the security.list file must be created at /etc/apt/sources.list.d/security.list with the following content:

    deb http://security.debian.org/ wheezy/updates main
    deb-src http://security.debian.org/ wheezy/updates main

cron-apt runs every action in the "action.d" directory, so nothing else needs to be done.
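
The check below is an added example, not part of the original wiki page or of cron-apt itself: a shell function that audits a cron-apt config file and the alternative sources list described above before unattended runs are trusted. The function name audit_cron_apt, the sample files, the host mirror.example.org and the policy of requiring explicit MAILTO and MAILON values are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the wiki page or from cron-apt).
# audit_cron_apt CONFIG SOURCES [HOST] prints one finding per line and
# prints nothing when both files pass. HOST defaults to the page's archive.
audit_cron_apt() {
    conf=$1 sources=$2 host=${3:-security.debian.org}

    # Only active assignments count: the example config on the page keeps
    # the AllowUnauthenticated line commented out.
    if grep -Eq '^[[:space:]]*OPTIONS=.*(AllowUnauthenticated=true|ignore-trust-violations=yes)' "$conf"; then
        echo "FAIL: OPTIONS disables package authentication"
    fi

    # Policy assumed by this example: mail settings must be explicit.
    if ! grep -Eq '^[[:space:]]*MAILTO="?[^"[:space:]]+' "$conf"; then
        echo "FAIL: MAILTO is not set explicitly"
    fi
    if ! grep -Eq '^[[:space:]]*MAILON="?(error|upgrade|changes|output|always)"?[[:space:]]*$' "$conf"; then
        echo "FAIL: MAILON is not set to a value that sends mail"
    fi

    # Every active deb/deb-src entry must point at HOST. A leading
    # [option ...] group is skipped before the URI is read.
    awk -v host="$host" '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            u = $i
            sub(/^https?:\/\//, "", u)
            if (index(u, host "/") != 1) print "FAIL: non-security source: " $0
        }' "$sources"
}

# Constructed sample input, not taken from a real host.
demo=$(mktemp -d)
cat > "$demo/config" <<'EOF'
MAILTO=""
MAILON="always"
OPTIONS="-o quiet=1 -o APT::Get::AllowUnauthenticated=true"
EOF
cat > "$demo/security.list" <<'EOF'
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
deb http://mirror.example.org/debian wheezy main
EOF
audit_cron_apt "$demo/config" "$demo/security.list"
```

Run it once against /etc/cron-apt/config and once against each file in /etc/cron-apt/config.d, since a per-action OPTIONS line overrides the global one.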