Wednesday, January 26, 2011

How to set up a staging apt repository to securely manage upgrades

Hello,

I would like to be able to run automatic apt-get upgrade (once per hour) on our servers (Ubuntu 10.04), so that I don't have to do it manually on all of them (about 15). However, for production machines, that's not a good idea ...

So here's my idea:

Set up a local repository for all 'approved' updates for critical packages. I would then push updated packages from upstream to our local repo after I tested them, and all servers could automatically (apt-cron?) upgrade from this repository.

So my question is this: How do I configure apt on the clients so that they use the local repository only for all packages which exist on the local repository, and the upstream one for all other packages?

Does this actually make sense? Or am I missing something?

Anyways, thanks for your insight!

Andreas.

  • Hi

    I'm not an expert but I think you can do this with apt pinning.

    If you have a local repo at http://my.local.repo/ called myrepo

    then your /etc/apt/sources.list on your servers will look like this

    deb http://my.local.repo/ myrepo main contrib non-free
    
    deb http://ftp.debian.org/debian/ stable main contrib non-free
    

    then /etc/apt/preferences will look like this

    Package: *
    Pin: release a=myrepo
    Pin-Priority: 700
    
    Package: *
    Pin: release a=stable
    Pin-Priority: 600
    

    then apt will favour the packets from your local repo

    hope this makes sense and/or works

    From Ketil
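
How the two pins above resolve, as an added example that is not part of Ketil's answer: a simplified Python model of apt's candidate selection, showing that a package present in the local repository is held at the approved version while everything else comes from upstream. The package names and versions are constructed, and versions are assumed to be plain dotted integers rather than full Debian version strings.

```python
# Added example: simplified model of apt's candidate selection (apt_preferences(5)).
# Assumption: versions are plain dotted integers, not full Debian version syntax.

PINS = {"myrepo": 700, "stable": 600}  # priorities from the preferences file above
INSTALLED_ONLY = 100                   # installed version that no repository offers

# Constructed sample archives: {archive: {package: version}}
REPOS = {
    "myrepo": {"nginx": "1.2.0"},                   # tested and approved locally
    "stable": {"nginx": "1.3.0", "htop": "0.8.3"},  # upstream
}

def vkey(version):
    return tuple(int(part) for part in version.split("."))

def candidate(package, repos=REPOS, installed=None):
    """Return (version, archive) that would be installed, or None."""
    offers = {}  # version -> (priority, archive), keeping the best priority
    for archive, packages in repos.items():
        version = packages.get(package)
        if version and PINS[archive] > offers.get(version, (0, ""))[0]:
            offers[version] = (PINS[archive], archive)
    if installed and installed not in offers:
        offers[installed] = (INSTALLED_ONLY, "installed")

    eligible = []
    for version, (prio, archive) in offers.items():
        # A pin below 1000 never causes a downgrade of the installed version.
        if installed and vkey(version) < vkey(installed) and prio < 1000:
            continue
        eligible.append((prio, vkey(version), version, archive))
    if not eligible:
        return None
    # Highest priority wins; equal priorities fall back to the newest version.
    _, _, version, archive = max(eligible)
    return version, archive

if __name__ == "__main__":
    print(candidate("nginx", installed="1.1.0"))  # approved build, not upstream's newer one
    print(candidate("htop"))                      # only upstream has it
    print(candidate("nginx", installed="1.3.0"))  # already ahead: no rollback at 700
```

On a real host, `apt-cache policy <package>` shows the priorities apt actually computed. The `a=myrepo` pin only matches if the local repository's Release file declares that archive (suite) name.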
