root@rp1:/etc# diff -U3 /etc/apt/apt.conf.d/50unattended-upgrades.ucf-old /etc/apt/apt.conf.d/50unattended-upgrades
1,2c1,2--- /etc/apt/apt.conf.d/50unattended-upgrades.ucf-old 2021-11-23 18:02:23.908766790 +0000
< // This file is managed by Puppet. DO NOT EDIT.+++ /etc/apt/apt.conf.d/50unattended-upgrades 2021-11-24 10:34:33.004766790 +0000
< // Automatically upgrade packages from these (origin:archive) pairs@@ -1,68 +1,164 @@
----// This file is managed by Puppet. DO NOT EDIT.
> // Unattended-U-// Automatically upgrade::Origins-Pattern controls which packages are packages from these (origin:archive) pairs
> // u+// Unattended-Upgraded.e::Origins-Pattern controls which packages are
4,6c4,22+// upgraded.
< // Note that in Ubuntu security updates may pull in new dependencies //
< // from non--// Note that in Ubuntu security sources (e.g. chromium). By allowing the releaseupdates may pull in new dependencies
< // pocket these get automatically pulled in.-// from non-security sources (e.g. chromium). By allowing the release
----// pocket these get automatically pulled in.
> //+// Lines below have the format "keyword=value,...". A
> //+// package will be upgraded only if the values in its metadata match
> //+// all the supplied keywords in a line. (In other words, omitted
> //+// keywords are wild cards.) The keywords originate from the Release
> +// file, but several aliases are accepted. The accepted keywords are:
> +// a,archive,suite (eg, "stable")
> +// c,component (eg, "main", "contrib", "non-free")
> +// l,label (eg, "Debian", "Debian-Security")
> +// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
> +// n,codename (eg, "jessie", "jessie-updates")
> +// site (eg, "http.debian.net")
> //+// The available values on the system are printed by the command
> +// "apt-cache policy", and can be debugged by running
> //+// "unattended-upgrades -d" and looking at the log file.
> //+//
> //+// Within lines unattended-upgrades allows 2 macros whose values are
> +// derived from /etc/debian_version:
> +// ${distro_id} Installed origin.
> //+// ${distro_codename} Installed codename (eg, "buster")
8,14c24,42 Unattended-Upgrade::Origins-Pattern {
<- "o=Debian,n=buster";
<- "o=Debian,n=buster-updates";
<- "o=Debian,n=buster,l=Debian-Security";
<- "o=debian icinga-buster,n=icinga-buster";
<- "o=Debian Azure,n=buster";
<- "o=Proxmox,n=buster";
<- "o=packages.sury.org";
---+ // Codename based matching:
>+ // Codename based matching:// This will follow the migration of a release through different
> + // This will follow the migration of a release through differentarchives (e.g. from testing to stable and later oldstable).
> + // archives (e.g. from testing to stSoftware will be the latest available and later oldstable).for the named release,
> + // Software will be the latest available for the named release,but the Debian release itself will not be automatically upgraded.
> +// // but the "origin=Debian release itself will not be automatically upgraded.,codename=${distro_codename}-updates";
> +// "origin=Debian,codename=${distro_codename}-proposed-updates";
> //+ "origin=Debian,codename=${distro_codename}-proposed-updates";,label=Debian";
> + "origin=Debian,codename=${distro_codename},label=Debian-Security";
> + "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
> "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";+
>+ // Archive or Suite based matching:
> + // Archive or Suite basedNote that this will silently matching: a different release after
> + // Note that this will silently match a different release aftermigration to the specified archive (e.g. testing becomes the
> + // migration to the specified archive (e.g. testing becomes thenew stable).
>+// // new "o=Debian,a=stable).";
> +// "o=Debian,a=stable";e-updates";
> +// "o=Debian,a=stableproposed-updates";
> +// "o=Debian,a=proposed-updates"; Backports,a=${distro_codename}-backports,l=Debian Backports";
> // "o=Debian Backports,a=${distro_codename}-backports,l=Debian Back };
-// List of packages to not update (regexp are supports";ed)
17c45+// Python regular expressions, matching packages to exclude from upgrading
< // List of packages to not update (regexp are supported) Unattended-Upgrade::Package-Blacklist {
----};
> // Python regular expressions,+ // The following matchinges all packages to exclude from upgradingstarting with linux-
19c47,61+// "linux-";
< };+
---+ // Use $ to explicitely define the end of a package name. Without
> + // The following matches all packages starting with linux-the $, "libc6" would match all of them.
> +// "linux-";bc6$";
>+// "libc6-dev$";
> // Use $ to explicitely define the end of a package name. Without+// "libc6-i686$";
> // the $, "libc6" would match all of them.+
> // "libc6$";+ // Special characters need escaping
> +// "libc6-dev$";stdc\+\+6$";
> // "libc6-i686$";+
>+ // The following matches packages like xen-system-amd64, xen-utils-4.1,
> + // Special characters need escapingxenstore-utils and libxenstore3.0
> +// "libstdc\+\+6$";(lib)?xen(store)?";
-// List of days in the week that updates should be applied.
>-// The days can be specified as localized abbreviated or full names.
> // The following matches packages like xen-system-amd64-// Or as integers where "0" is Sunday, xen-utils-4.1,"1" is Monday etc.
> // xenstore-utils and libxenstore3.0-// Require Unattended-upgrades version >=0.91 to work, else it is ignored
> // "(lib)?xen(store)?";-Unattended-Upgrade::Update-Days {
21,25c63,64+ // For more information about Python regular expressions, see
< // List of days in the week that updates should be applied.+ // https://docs.python.org/3/howto/regex.html
< };
// The days can be specified as localized abbreviated or full names.is option allows you to control if on a unclean dpkg exit
< // Or as integers where "0" is Sunday, "1" is Monday etc.-// unattended-upgrades will automatically run
< // Require U+// unattended-upgrades version >=0.91 to work, else it is ignoredwill automatically run
< Unattended-Upgrade::Update-Days { // dpkg --force-confold --configure -a
--- // The default is true, to ensure updates keep getting installed
> // For more information about Python regular expressions, see-Unattended-Upgrade::AutoFixInterruptedDpkg "true";
> // https://docs.python.org/3/howto/regex.html+//Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
29c68-// they can be interrupted with SIGUSR1. This makes the upgrade
< // unattended-upgrades will automatically run+// they can be interrupted with SIGTERM. This makes the upgrade
--- // a bit slower but it has the benefit that shutdown while a upgrade
> // unattended-upgrades will automatically runis running is possible (with a small delay)
32c71-Unattended-Upgrade::MinimalSteps "true";
< +//Unattended-Upgrade::AutoFixInterruptedDpkg "true";MinimalSteps "true";
-// Install all unattended-upgrades when the machine is shuting down
----// instead of doing it in the background while the machine is running
> //Unattended-Upgrade::AutoFixInterruptedDpkg "true";-// This will (obviously) make shutdown slower
35c74-Unattended-Upgrade::InstallOnShutdown "false";
< // they can be interrupted with SIGUSR1. This makes the upgrade+// Install all updates when the machine is shutting down
---+// instead of doing it in the background while the machine is running.
> // they can be interrupted with SIGTERM. This+// This will (obviously) makes the upgrade shutdown slower.
38c77+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
< U+// This allows more time for unattended-Uupgrade::MinimalSteps "true";s to shut down gracefully
---+// or even install a few packages in InstallOnShutdown mode, but is still a
> //Unattended-Upgrade::MinimalSteps "true";+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
40,43c79,88+// Users enabling InstallOnShutdown mode are advised to increase
< +// Install all unattended-upgrades when the machine is shuting downhibitDelayMaxSec even further, possibly to 30 minutes.
< // instead of doing it in the background while the machine is running+//Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
< // This will (obviously) // If empty or unset then no email is sent, make shutdown slowerure that you
< Unattended-Upgrade::InstallOnShutdown "false"; // have a working mail setup on your system. A package that provides
--- // 'mailx' must be installed. E.g. "user@example.com"
> // Install all updates when the machine is shutting down+//Unattended-Upgrade::Mail "";
-Unattended-Upgrade::Mail "root";
> // instead of doing it in the background while the machine is running.+// Set this value to one of:
> // This will (obviously) make shutdown slower.+// "always", "only-on-error" or "on-change"
> // Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.+// If this is not set, then any legacy MailOnlyOnError (boolean) value
> // This allows more time for unattended-upgrades to shut down gracefully+// is used to chose between "only-on-error" and "on-change"
> // or even install a few packages in InstallOnShutdown mode, but is still a+//Unattended-Upgrade::MailReport "on-change";
> // big step back from the 30 minutes allowed for InstallOnShutdown previously.+
> // Users enabling InstallOnShutdown mode are advised to increase+// Remove unused automatically installed kernel-related packages
> // InhibitDelayMaxSec even further+// (kernel images, possibly to 30 minuteskernel headers and kernel version locked tools).
> +//Unattended-Upgrade::InstallOnShutdown "false";Remove-Unused-Kernel-Packages "true";
-// Set this value to "true" to get emails only on errors. Default
48a94-// is to always send a mail if Unattended-Upgrade::Mail is set
> //-Unattended-Upgrade::Mail "";lOnlyOnError "true";
50c96,104+// Do automatic removal of newly unused dependencies after the upgrade
< Unattended-Upgrade::Mail "root";+//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
-// Do automatic removal of new unused dependencies after the upgrade
---+// Do automatic removal of unused packages after the upgrade
> // Set this value to one of:(equivalent to apt-get autoremove)
> // "always", "only-on-error" or "on-change"-Unattended-Upgrade::Remove-Unused-Dependencies "true";
> // If this is not set, then any legacy MailOnlyOnError (boolean) value+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
-// Automatically reboot *WITHOUT CONFIRMATION*
> -// is used to chose between "only-on-error" and "on-change"f the file /var/run/reboot-required is found after the upgrade
> //-Unattended-Upgrade::MailReport "on-change";Automatic-Reboot "false";
>+// Automatically reboot *WITHOUT CONFIRMATION* if
> // Remove unused automatically installed kernel-related packages+// the file /var/run/reboot-required is found after the upgrade
> // (kernel images, kernel headers and kernel version locked tools).+//Unattended-Upgrade::Automatic-Reboot "false";
> //Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";+
52,54c106,107+// Automatically reboot even if there are users currently logged in
< // Set this value to "true" to get emails only on errors. Default+// when Unattended-Upgrade::Automatic-Reboot is set to true
< // is to always send a mail if Unattended-Upgrade::Mail is set+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
< Unattended-Upgrade::MailOnlyOnError "true"; // time instead of immediately
--- // Default: "now"
> // Do automatic removal of newly unused dependencies after the upgrade-Unattended-Upgrade::Automatic-Reboot-Time "now";
> +//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";Automatic-Reboot-Time "02:00";
+// Use apt bandwidth limit feature, this example limits the download
56c109+// speed to 70kb/sec
< // Do automatic removal of new unused dependencies after the upgrade+//Acquire::http::Dl-Limit "70";
---+
> // Do automatic removal of unused packages after the upgrade+// Enable logging to syslog. Default is False
58c111+// Unattended-Upgrade::SyslogEnable "false";
< Unattended-Upgrade::Remove-Unused-Dependencies "true";+
---+// Specify syslog facility. Default is daemon
> //+// Unattended-Upgrade::Remove-Unused-Dependencies "false";SyslogFacility "daemon";
60,62c113,119+
< // Automatically reboot *WITHOUT CONFIRMATION*+// Download and install upgrades only on AC power
< // if the file /var/run/reboot-required is found after the upgrade+// (i.e. skip or gracefully stop updates on battery)
<+// Unattended-Upgrade::Automatic-Reboot "false";OnlyOnACPower "true";
---+
> // Automatically reboot *WITHOUT CONFIRMATION* if+// Download and install upgrades only on non-metered connection
> // the file /var/run/reboot-required is found after the upgrade+// (i.e. skip or gracefully stop updates on a metered connection)
> //+// Unattended-Upgrade::Automatic-Reboot "false";Skip-Updates-On-Metered-Connections "true";
>+
> // Automatically reboot even if there are users currently+// Verbose logged ining
> // when+// Unattended-Upgrade::Automatic-Reboot is set to trueVerbose "false";
> //Unattended-Upgrade::Automatic-Reboot-WithUsers "true";+
67c124+// Print debugging information both in unattended-upgrades and
< U+// in unattended-Uupgrade::Automatic-Reboot-Time "now";-shutdown
---+// Unattended-Upgrade::Debug "false";
> //Unattended-Upgrade::Automatic-Reboot-Time "02:00";+
68a126,164+// Allow package downgrade if Pin-Priority exceeds 1000
> +// Use apt bandwidth limit feature, this example limits the downloadnattended-Upgrade::Allow-downgrade "false";
> // speed to 70kb/sec+
> //Acquire::http::Dl-Limit "70";+// When APT fails to mark a package to be upgraded or installed try adjusting
>+// candidates of related packages to help APT's resolver in finding a solution
> // Enable logging to syslog. Default is False+// where the package can be upgraded or installed.
> // Unattended-Upgrade::SyslogEnable "false";+// This is a workaround until APT's resolver is fixed to always find a
>+// solution if it exists. (See Debian bug #711128.)
> // Specify syslog facility.+// The fallback is enabled by default, Default is daemonexcept on Debian's sid release because
> // Unattended-Upgrade::SyslogFacility "daemon";+// uninstallable packages are frequent there.
>+// Disabling the fallback speeds up unattended-upgrades when there are
> // Download and install upgrades only on AC power+// uninstallable packages at the expense of rarely keeping back packages which
> // (i.e. skip or gracefully stop updates on battery)+// could be upgraded or installed.
> // Unattended-Upgrade::OnlyOnACPower "true";
>
> // Download and install upgrades only on non-metered connection
> // (i.e. skip or gracefully stop updates on a metered connection)
> // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
>
> // Verbose logging
> // Unattended-Upgrade::Verbose "false";
>
> // Print debugging information both in unattended-upgrades and
> // in unattended-upgrade-shutdown
> // Unattended-Upgrade::Debug "false";
>
> // Allow package downgrade if Pin-Priority exceeds 1000
> // Unattended-Upgrade::Allow-downgrade "false";
>
> // When APT fails to mark a package to be upgraded or installed try adjusting
> // candidates of related packages to help APT's resolver in finding a solution
> // where the package can be upgraded or installed.
> // This is a workaround until APT's resolver is fixed to always find a
> // solution if it exists. (See Debian bug #711128.)
> // The fallback is enabled by default, except on Debian's sid release because
> // uninstallable packages are frequent there.
> // Disabling the fallback speeds up unattended-upgrades when there are
> // uninstallable packages at the expense of rarely keeping back packages which
> // could be upgraded or installed.
> //+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
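Review bot: The new `Unattended-Upgrade::Origins-Pattern` block drops every non-Debian origin the old file listed (`"o=debian icinga-buster,n=icinga-buster"`, `"o=Debian Azure,n=buster"`, `"o=Proxmox,n=buster"`, `"o=packages.sury.org"`) and leaves the `${distro_codename}-updates` line commented out. As far as this garbled listing can be read, packages from those repositories would no longer be upgraded automatically, security fixes included. The old `Unattended-Upgrade::Mail "root";` also becomes the commented-out `//Unattended-Upgrade::Mail "";`, so failed or held-back upgrades would no longer be reported by mail. The `.ucf-old` suffix suggests a package upgrade replaced the Puppet-managed file with the packaged default; if so, let Puppet re-apply its version or re-add the needed origin lines and `Unattended-Upgrade::Mail "root";`. Afterwards, check the effective origins with `apt-cache policy` and `unattended-upgrades -d`, as the file's own comments describe.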