Annotated edit history of AptNotes version 39, including all changes.
!!! [APT] through a WebProxy

Using [APT] through a WebProxy is not documented very well, but is really easy. All you need is to add something like this to your <tt>/etc/apt/apt.conf</tt>:

<verbatim>
Acquire {
  Retries "0";
  Http {
    Proxy "http://user:pass@proxy:port/";
  }
};
</verbatim>

Apparently [APT] will also honour the <tt>http_proxy</tt> EnvironmentVariable (or <tt>ftp_proxy</tt> for ftp [URI]s), which is used by some network-related applications.

!!! Ratelimiting [APT] Downloads

See the relevant notes about limiting download speeds on the DebianNotes page.

!!! Reinstalling or fixing packages

Use <tt>apt-get --reinstall install <package></tt>.

You may wish to just reconfigure the package, in which case you can do <tt>dpkg-reconfigure <package></tt>.

!!! Secure [APT]: Verifying Packages

Starting with version 0.6, which is now in [Debian] unstable (sid/etch) and Ubuntu, [APT] has the capability to verify package signatures. This is done by verifying that the Release file is signed by a trusted key. The signed Release file then contains the [MD5] checksums of the packages, which you can verify against what you just downloaded. This protects against two attacks:

* Mirror Network Compromise -- for example, your favourite mirror gets hacked
* Network Layer Attacks -- [DNS] Spoofing, Man in the Middle attacks, etc.

To have [APT] automatically verify downloads you need to import a suitable key. For Debian:

<verbatim>
gpg --keyserver keyring.debian.org --recv 4F368D5D
gpg --export 4F368D5D | apt-key add -
</verbatim>

__Note:__ if you just trusted that command and imported that key, you probably don't need <tt>apt-secure</tt> anyway... You can get Debian's key from http://www.debian.org/releases/, and there is a [Debian administration article|http://www.debian-administration.org/articles/174] on the subject.

For Ubuntu, you can do the following:

<verbatim>
apt-key add /usr/share/keyrings/ubuntu-archive-keyring.gpg
</verbatim>

After you've got the key, run <tt>apt-get update</tt> once and you should be away.

See
* http://www.enyo.de/fw/software/apt-secure/

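The checksum chain described above, walked by hand in an added shell example (not part of the original page). In a real archive the signed Release file lists the Packages index, and the Packages index in turn lists each .deb, so there are two comparisons to make. The miniature archive below is constructed, the function names are hypothetical, and the signature check on Release is assumed to have passed already.

```shell
#!/bin/sh
# Added example: walk the Secure APT checksum chain; the Release signature is assumed verified.

file_md5() { md5sum < "$1" | awk '{ print $1 }'; }

# release_md5 RELEASE NAME -> MD5 that Release records for index NAME
release_md5() {
    awk -v f="$2" '
        /^MD5Sum:/ { in_md5 = 1; next }   # start of the MD5Sum block
        /^[^ ]/    { in_md5 = 0 }         # any unindented field ends it
        in_md5 && $3 == f { print $1; exit }' "$1"
}

# packages_md5 PACKAGES DEB -> MD5sum of the stanza whose Filename ends in DEB
packages_md5() {
    awk -v f="$2" 'BEGIN { RS = ""; FS = "\n" }
        { name = ""; sum = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^Filename: /) { name = substr($i, 11); sub(/^.*\//, "", name) }
              if ($i ~ /^MD5sum: /)   { sum = substr($i, 9) }
          }
          if (name == f) { print sum; exit } }' "$1"
}

# verify_chain DIR DEB -> 0 if intact, 1 if Packages fails, 2 if the .deb fails
verify_chain() {
    dir=$1; deb=$2
    want=$(release_md5 "$dir/Release" Packages)
    [ -n "$want" ] && [ "$want" = "$(file_md5 "$dir/Packages")" ] || {
        echo "Packages index does not match Release" >&2; return 1; }
    want=$(packages_md5 "$dir/Packages" "$deb")
    [ -n "$want" ] && [ "$want" = "$(file_md5 "$dir/$deb")" ] || {
        echo "$deb does not match Packages" >&2; return 2; }
}

# make_sample DIR: constructed miniature archive (the ".deb" is placeholder bytes)
make_sample() {
    printf 'constructed package payload\n' > "$1/hello_1.0-1_all.deb"
    printf 'Package: hello\nFilename: pool/main/h/hello/hello_1.0-1_all.deb\nMD5sum: %s\n' \
        "$(file_md5 "$1/hello_1.0-1_all.deb")" > "$1/Packages"
    printf 'Suite: stable\nMD5Sum:\n %s %s Packages\n' \
        "$(file_md5 "$1/Packages")" "$(wc -c < "$1/Packages" | tr -d ' ')" > "$1/Release"
}

tmp=$(mktemp -d) && make_sample "$tmp"
verify_chain "$tmp" hello_1.0-1_all.deb && echo "chain intact"
echo tampered >> "$tmp/hello_1.0-1_all.deb"      # simulate a modified mirror copy
verify_chain "$tmp" hello_1.0-1_all.deb || echo "tampering detected"
rm -rf "$tmp"
```

Current archives also publish SHA256 blocks in the same layout, and the same two comparisons apply to them.
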
!!! Pinning Packages

If you want to run Stable, but want to have the ability to install packages or source from Testing or Unstable when there is no Stable equivalent, you can ''pin'' the releases to certain priorities. Normally, the highest version of an available package wins, but we will override that.

Create an <tt>/etc/apt/preferences</tt> file. A simple example may look like this:

<verbatim>
Package: *
Pin: release o=volatile.debian.net,a=sarge
Pin-Priority: 990

Package: *
Pin: release o=volatile.debian.net,a=sarge-sloppy
Pin-Priority: 990

Package: *
Pin: origin security.debian.org
Pin-Priority: 900

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=testing
Pin-Priority: 650

Package: *
Pin: release a=unstable
Pin-Priority: 600
</verbatim>

Note the descending values. This example includes the [volatile|FlavoursOfDebian] distribution as well. The priority is set higher than the security distribution, as we want to favour it over the (normally higher rating) security packages.

Since Stable has the highest pin-priority, it will be installed preferentially over Testing or Unstable. Uncomment stable and unstable in the AptSourcesList file at the same time. See [Apt-Pinning for Beginners | http://jaqque.sbih.org/kplug/apt-pinning.html] for more information.

You can then specifically request packages from the Testing or Unstable repository by using one of the following forms:

<pre>
apt-get install ''package'' -t ''distrib''
apt-get install ''package''/''distrib''
apt-get install ''package''=''version''
</pre>

<i>(If you see advice to set the <tt>APT::Default-Release</tt> preference in apt.conf(5), ignore it. See [Using APT with more than 2 sources | http://www.argon.org/~roderick/apt-pinning.html] for details.)</i>

If you're worried about which version of packages apt will prefer, try <tt>apt-cache policy ''<package>''</tt>. If you're interested in developing your own /etc/apt/preferences file for pinning, look at the output of <tt>apt-cache policy</tt> with no package name for fields you can use.

!!! Private [APT] repository pico-HowTo

SysAdmin~s responsible for more than a few servers will often need to roll out customized [Package]s or security patches to many systems. A custom [APT] source makes the job much easier.

All you really need is the apt-ftparchive(1) utility. First, put all the [Deb]s in a directory reachable via a WebServer. Say the directory is <tt>/usr/local/httpd/packages</tt> and is reachable over [HTTP] as <tt>~http://example.com/packages/</tt>. Then change directory to <tt>/usr/local/httpd/packages</tt> and run

<verbatim>
apt-ftparchive packages . > Packages
</verbatim>

That's it. Now add

<verbatim>
deb http://example.com/packages ./
</verbatim>

to the AptSourcesList~s on your machines and run <tt>apt-get update</tt> on them and you'll be able to <tt>apt-get install foo</tt> to install your custom package <tt>foo</tt>.

Make sure to build your packages with proper version increments. The following shell script makes good suggestions:

<verbatim>
#!/bin/sh
# Suggest the next local version number for the version given as $1.
VERSTR='+0.local.'
case $1 in
  *${VERSTR}[0-9]*)
    # Already a local build: bump the trailing local revision.
    # REV + 1 is used because ++ is not part of POSIX sh arithmetic.
    REV=${1##*${VERSTR}}
    echo "${1%${VERSTR}*}${VERSTR}$((REV + 1))";;
  *-*)
    # Has a Debian revision: start the local revision at 1.
    echo "${1}${VERSTR}1";;
  *)
    # No Debian revision yet: add -0 before the local suffix.
    echo "${1}-0${VERSTR}1";;
esac
</verbatim>

Save it as <tt>bump-version</tt> and call it with the current version number to get a suggestion for the next version number to use:

<verbatim>
$ bump-version 1.0
1.0-0+0.local.1
$ bump-version 1.0-1
1.0-1+0.local.1
</verbatim>

Or alternatively, use pinning.

''Taken from [Re: custom sec updates | http://lists.debian.org/debian-security/2005/06/msg00204.html].''

For a slightly more comprehensive guide to building a custom repository see http://familiasanchez.net/~sanchezr/?page=debrepository


!!! Downloading packages for an unconnected machine

You can ask <tt>apt-get</tt> to compute the list of dependencies for you and give you a list of [Package]s and their download [URL]s, rather than actually attempting an action, by giving it the <tt>--print-uris</tt> switch. Do this on the machine with no (or limited) net connection (<tt>-qq</tt> keeps apt-get's progress messages out of the generated script):

<verbatim>
apt-get -qq --print-uris upgrade | awk '{ print "wget -O", $2, $1 }' > /tmp/wget-script
</verbatim>

Instead of the <tt>upgrade</tt> action, you can also use <tt>install ''foo''</tt> or something else. The result will be a file of the form

<verbatim>
wget -O e2fslibs_1.38-1_i386.deb 'http://ftp.nz.debian.org/debian/pool/main/e/e2fsprogs/e2fslibs_1.38-1_i386.deb'
wget -O e2fsprogs_1.38-1_i386.deb 'http://ftp.nz.debian.org/debian/pool/main/e/e2fsprogs/e2fsprogs_1.38-1_i386.deb'
wget -O findutils_4.2.22-2_i386.deb 'http://ftp.nz.debian.org/debian/pool/main/f/findutils/findutils_4.2.22-2_i386.deb'
wget -O grep_2.5.1.ds1-5_i386.deb 'http://ftp.nz.debian.org/debian/pool/main/g/grep/grep_2.5.1.ds1-5_i386.deb'
</verbatim>

This is a ready-made [Shell] script you can copy to a FloppyDisk, KeyDrive or the like. Take it to a machine with an internet connection and execute it to download the [Deb]s to the current directory. Then transport these files back to the unconnected machine.

Once you have mounted the media on the unconnected machine, you can install the [Package]s either:

* directly from their location on the media by using <tt>apt-get -o dir::cache::archives=/mnt/usb/ ''action''</tt>
* or by copying the files to <tt>/var/cache/apt/archives/</tt> and using <tt>apt-get -u ''action''</tt> or one of the other [APT] tools, such as aptitude(1) or synaptic(1).

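Each <tt>--print-uris</tt> line carries four fields (quoted URI, file name, size, and a hash such as <tt>MD5Sum:...</tt> or <tt>SHA256:...</tt>), and the awk one-liner above keeps only the first two. The following added example (not from the original page) keeps the size and hash as a manifest, so the files brought back on the media can be checked on the unconnected machine before they are installed. The function names are hypothetical and the sample package line is constructed.

```shell
#!/bin/sh
# Added example: keep the size and hash that --print-uris emits and check the
# transported files against them. Function names are hypothetical.

# uris_to_manifest: stdin = `apt-get -qq --print-uris ...` output,
# stdout = "ALGO HEX SIZE NAME" per package. Lines that do not start with a
# quoted URI, or whose file name contains a slash, are dropped.
uris_to_manifest() {
    awk 'substr($1, 1, 1) == "\047" && NF >= 4 && $2 !~ /\// && (n = index($4, ":")) > 1 {
             print substr($4, 1, n - 1), substr($4, n + 1), $3, $2 }'
}

# hash_of ALGO FILE -> hex digest, empty for an algorithm we do not know
hash_of() {
    case $1 in
        MD5Sum) md5sum    < "$2" ;;
        SHA256) sha256sum < "$2" ;;
        SHA512) sha512sum < "$2" ;;
    esac | awk '{ print $1 }'
}

# verify_manifest MANIFEST DIR -> one verdict per line; non-zero if any file fails
verify_manifest() {
    bad=0
    while read -r algo hex size name; do
        f="$2/$name"
        if   [ ! -f "$f" ]; then echo "MISSING $name"; bad=1
        elif [ "$(wc -c < "$f" | tr -d ' ')" != "$size" ]; then echo "SIZE $name"; bad=1
        elif [ "$(hash_of "$algo" "$f")" != "$hex" ]; then echo "HASH $name"; bad=1
        else echo "OK $name"
        fi
    done < "$1"
    return "$bad"
}

# Constructed demo: one placeholder package and one line in --print-uris form.
tmp=$(mktemp -d)
printf 'constructed payload\n' > "$tmp/foo_1.0_all.deb"
printf "'http://mirror.example/pool/f/foo/foo_1.0_all.deb' foo_1.0_all.deb %s SHA256:%s\n" \
    "$(wc -c < "$tmp/foo_1.0_all.deb" | tr -d ' ')" \
    "$(hash_of SHA256 "$tmp/foo_1.0_all.deb")" | uris_to_manifest > "$tmp/MANIFEST"
verify_manifest "$tmp/MANIFEST" "$tmp"
rm -rf "$tmp"
```

Generate the manifest on the unconnected machine, which holds the verified package lists, and keep it there; only the wget script needs to travel.
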
!!! Downgrading a package

In theory you can do:

<verbatim>
aptitude install package_name=version_num
</verbatim>

but this doesn't always work. Instead, download the .deb file manually from your mirror (look in debian/pool) and then type the following:

<verbatim>
dpkg --install package_name_version_num.deb
</verbatim>

where package_name and version_num are replaced by the package name you are working with and the version number. A .deb installed directly with <tt>dpkg</tt> does not go through [APT]'s Release file verification, so check its checksum against your mirror's Packages index first.

!!! Having multiple machines update over a slow line

You can use apt-proxy(8) on one machine and point all your machines to use the proxy. apt-proxy will download a package the first time a machine asks for it, then cache the package locally for the rest of the machines on the network to use.

One thing to be aware of with apt-proxy(8) is that reasonably often it will appear to be getting no throughput at all. What is actually happening is that apt-proxy(8) is downloading the file in the background and will start sending to you when it has finished downloading the entire file.

!!! Releasing disk space

[APT] keeps copies of all the [Package]s you downloaded in <tt>/var/cache/apt/archives</tt>, which adds up over time. To remove all but the most recent copies, issue <tt>aptitude autoclean</tt>.

!!! Holding packages

If you need to pin a certain package, you can easily do this with aptitude:

<verbatim>
root@box:~ # aptitude hold linux-image-2.6.15-26-server
<snip>
root@box:~ # aptitude dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following packages have been kept back:
linux-image-2.6.15-26-server
The following packages will be upgraded:
bind9 bind9-host clamav clamav-base clamav-daemon clamav-freshclam
<snip>
</verbatim>

There is no command-line method for doing this with apt-get. I wanted to do this as I was installing a -27 kernel as well, and upon a successful reboot, I'd just remove the (outdated) -26 package. It is for this reason, and others, that [Debian] have recommended using aptitude instead of apt. IanMcDonald strongly recommends using command line only for aptitude - the text GUI is awful and will probably trash your system (it did his once!). If you want a GUI tool, use one provided with your distro such as Synaptic, or with [Ubuntu] just use Add/remove programs in many cases.

!!! Forcing accepting specific configuration files

You can cause apt-get/dpkg to automatically answer 'yes' or 'no' to installing the newer version of a configuration file (conffile).

* To force accepting the new conffile: <tt>-o Dpkg::Options::="--force-confnew"</tt>
* To force accepting the old conffile: <tt>-o Dpkg::Options::="--force-confold"</tt>

You need the :: after the Options.

If your configuration files are managed with UCF, you set environment variables rather than using command line parameters:

* To force accepting the new conffile: <tt>UCF_FORCE_CONFFNEW=yes</tt>
* To force accepting the old conffile: <tt>UCF_FORCE_CONFFOLD=yes</tt>

Note the extra f.

!!! Working out why apt has made a package choice

Sometimes apt may decide to install or uninstall a package and you have no idea why it made this choice. To see its reasoning, add

<verbatim>
-o Debug::pkgProblemResolver=yes
</verbatim>

to the command.