Tag Archives: dpkg

cron-apt and the perfect update system

In my spare time, I manage a handful of servers. And even if it’s not really my job, I try to do it well and efficiently. All of them run Debian because it’s simple to manage. I started using cron-apt a few years ago. I started by upgrading everything automatically, which was a big mistake. I switched to only sending mails on available upgrades and doing the upgrade manually. But this is also quite painful because 95% of the time it consists of typing “apt-get dist-upgrade -y” and waiting, and I have lots of more interesting things to do.

So here is my cron-apt configuration; I like it a lot:

In /etc/apt:
– I removed the sources.list file
– I put the content of my sources.list into sources.list.d/main.list; it should look something like this:

deb http://http.us.debian.org/debian stable main contrib non-free
deb-src http://http.us.debian.org/debian stable main contrib non-free

– I created a directory sources.security.list.d
– I put a list file with the following content in it:

deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free

Then I added the repositories with packages I want to manually upgrade to /etc/apt/sources.list.d/ and the ones that I want to automatically upgrade (which means that they can’t require any user interaction) to /etc/apt/sources.security.list.d/.

The interesting part is here, in /etc/cron-apt/action.d; this is what I have:

0-update

update -o quiet=2
update -o quiet=2 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists"

We launch an update of both kinds of repositories. For the sources.security.list.d one, we also use a different Dir::State::lists parameter (the directory where apt keeps the downloaded index files) so that we don’t have to re-download the content of the index files every time.

2-install-security

dist-upgrade -y -o quiet=1 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"

For the --force-conf* options, I found the solution on Raphaël Hertzog’s blog.

We launch the upgrade (dist-upgrade, actually) only for the repositories defined in /etc/apt/sources.security.list.d.

3-download

dist-upgrade -d -y -o APT::Get::Show-Upgraded=true

Then we only download the files for the upgrade of the non-security packages.

6-clean

autoclean -y

And we finally delete all the old package files from the cache (the ones that can no longer be downloaded and will never be used).
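As an added example (not part of the original post), here is a small POSIX shell check for the split layout above: it verifies that the unattended directory is not empty, that it only contains well-formed one-line entries, and that no repository appears in both directories (it would be upgraded unattended anyway). The function names and the directory paths it takes as arguments are my own; the sample content used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the split layout
# of /etc/apt/sources.list.d (manual upgrades) vs. sources.security.list.d
# (unattended upgrades) before cron-apt runs. Both paths are arguments.

# Print the normalised one-line entries of every *.list file in a directory:
# comments and blank lines dropped, whitespace squeezed, sorted, de-duplicated.
list_entries() {
    cat "$1"/*.list 2>/dev/null \
      | sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
            -e 's/^ //' -e 's/ $//' -e '/^$/d' \
      | sort -u
}

# check_sources_split MAIN_DIR SECURITY_DIR
# Returns 0 if the layout is consistent, 1 with a diagnostic on stderr if not.
check_sources_split() {
    main_dir=$1
    sec_dir=$2
    status=0

    # 1. The unattended directory must not be empty, or the
    #    2-install-security step silently becomes a no-op.
    if [ -z "$(list_entries "$sec_dir")" ]; then
        printf 'no repositories in %s\n' "$sec_dir" >&2
        status=1
    fi

    # 2. Every unattended entry must be "deb|deb-src URI suite component...":
    #    a typo there breaks the security update on every run, unnoticed.
    bad=$(list_entries "$sec_dir" \
          | awk 'NF < 4 || ($1 != "deb" && $1 != "deb-src") || $2 !~ /^(https?|ftp|file):/')
    if [ -n "$bad" ]; then
        printf 'malformed entry in %s:\n%s\n' "$sec_dir" "$bad" >&2
        status=1
    fi

    # 3. No repository may appear in both directories: cron-apt would then
    #    upgrade it unattended anyway, defeating the manual/unattended split.
    tmp_main=$(mktemp) && tmp_sec=$(mktemp) || return 1
    list_entries "$main_dir" >"$tmp_main"
    list_entries "$sec_dir" >"$tmp_sec"
    dup=$(comm -12 "$tmp_main" "$tmp_sec")
    rm -f "$tmp_main" "$tmp_sec"
    if [ -n "$dup" ]; then
        printf 'repository listed in both directories:\n%s\n' "$dup" >&2
        status=1
    fi
    return $status
}
```

Run it as `check_sources_split /etc/apt/sources.list.d /etc/apt/sources.security.list.d` from a cron job or before enabling cron-apt; a non-zero exit means the unattended pass would not do what you expect.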

If you want to play with the apt settings yourself, you should use apt-config to see what you can change to fit your needs.

This saves me a lot of time, because Debian produces quite a lot of security updates. Here is the frequency of the updates for one of my servers:

get start-stop-daemon on any Linux distribution

I switched from Debian to CentOS because I had the choice between an old 32-bit Debian 4.0 and a brand new 64-bit CentOS 5.3. And I have some scripts that use the great “start-stop-daemon” tool, which isn’t available on CentOS.

The easiest way to solve this problem is to get the dpkg source from Debian and try to compile it. It will most likely fail because libselinux (and its companion library libsepol) is not registered in the pkg-config directory. But we don’t really care, as we only need start-stop-daemon, not dpkg.

# wget http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.14.25.tar.gz
# tar -xf dpkg_1.14.25.tar.gz
# cd dpkg-1.14.25/
# ./configure >/dev/null
configure: WARNING: x86_64 not found in cputable
configure: WARNING: linux-gnu not found in ostable
Package libselinux was not found in the pkg-config search path.
Perhaps you should add the directory containing `libselinux.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libselinux' found
configure: WARNING: no curses library found
# make >/dev/null
processarc.o: In function `process_archive':
/root/dpkg-1.14.25/src/processarc.c:166: warning: the use of `tmpnam' is dangerous, better use `mkstemp'
archives.o: In function `tarobject':
/root/dpkg-1.14.25/src/archives.c:634: undefined reference to `matchpathcon'
/root/dpkg-1.14.25/src/archives.c:640: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:802: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:804: undefined reference to `freecon'
/root/dpkg-1.14.25/src/archives.c:826: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:618: undefined reference to `is_selinux_enabled'
collect2: ld returned 1 exit status
make[2]: *** [dpkg] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
# cd utils
# make install
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -idirafter ../libcompat -I../lib    -g -O2 -MT start-stop-daemon.o -MD -MP -MF .deps/start-stop-daemon.Tpo -c -o start-stop-daemon.o start-stop-daemon.c
mv -f .deps/start-stop-daemon.Tpo .deps/start-stop-daemon.Po
gcc -std=gnu99  -g -O2  -Wl,-O1 -o start-stop-daemon start-stop-daemon.o ../libcompat/libcompat.a
make[1]: Entering directory `/root/dpkg-1.14.25/utils'
test -z "/usr/local/sbin" || /bin/mkdir -p "/usr/local/sbin"
  /usr/bin/install -c 'start-stop-daemon' '/usr/local/sbin/start-stop-daemon'
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/dpkg-1.14.25/utils'

Even though the output doesn’t look good, start-stop-daemon has been installed (into /usr/local/sbin, as the last lines show).