Merge remote-tracking branch 'LCTT/master'

This commit is contained in:
Xingyu Wang 2019-08-20 23:41:27 +08:00
commit ec43e3c9d7
7 changed files with 371 additions and 367 deletions

View File

@ -1,5 +1,5 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: translator: (scvoet)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
@ -7,81 +7,82 @@
[#]: via: (https://itsfoss.com/lives-video-editor/)
[#]: author: (Ankush Das https://itsfoss.com/author/ankush/)
LiVES Video Editor 3.0 is Here With Significant Improvements
LiVES 视频编辑器 3.0 有了显著的改善
======
We recently covered a list of [best open source video editors][1]. LiVES is one of those open source video editors, available for free.
我们最近列出了[最好开源视频编辑器][1]的清单。LiVES 是这些开源视频编辑器中的免费提供服务的一个。
Even though a lot of users are still waiting for the release on Windows, a major update just popped up for LiVES Video Editor (i.e v3.0.1 as the latest package) on Linux. The new upgrade includes some new features and improvements.
即使许多用户还在等待 Windows 版本的发行,但在刚刚发行的 LiVES 视频编辑器 Linux 版本中(最新版本 v3.0.1)进行了一个重大更新,更新内容中包括了一些新的功能和改进。
In this article, Ill cover the key improvements in the new version and Ill also mention the steps to install it on your Linux system.
在这篇文章里,我将会列出新版本中的重要改进,并且我将会提到在 Linux 上安装的步骤。
### LiVES Video Editor 3.0: New Changes
### LiVES 视频编辑器 3.0:新的改进
![Lives Video Editor Loading in Zorin OS][2]
![Zorin OS 中正在加载的 LiVES 视频编辑器][2]
Overall, with this major update LiVES Video Editor aims to have a smoother playback, prevent unwanted crashes, optimized video recording, and making the online video downloader more useful.
总的来说,在这次重大更新中 LiVES 视频编辑器旨在提供更加丝滑的回放、防止闻所未闻的崩溃、优化视频记录,以及让在线视频下载更加实用。
The list of changes are:
下面列出了修改:
* Render silence to end of video if necessary during rendering.
* Improvements to openGL playback plugin, including much smoother playback.
* Re-enable Advanced options for the openGL playback plugin.
* Allow “Enough” in VJ / Pre-decode all frames
* Refactor code for timebase calculations during playback (better a/v synch).
* Overhaul external audio and audio recording to improve accuracy and use fewer CPU cycles.
* Auto switch to internal audio when entering multitack mode.
* Show correct effects state (on / off) when reshowing effect mapper window.
* Eliminate some race conditions between the audio and video threads.
* Improvements to online video downloader, clip size and format can now be selected, added an update option.
* Implemented reference counting for realtime effect instances.
* Extensively rewrote the main interface, cleaning up the code and making many visual improvements.
* Optimized recording when video generators are running.
* Improvements to the projectM filter wrapper, including SDL2 support.
* Added an option to invert the Z-order in multitrack compositor (rear layers can now overlay front ones).
* Added support for musl libc
* Updated translations for Ukranian
* 如果需要加载的话,可以静默加载直到到视频播放完毕。
* 改进回放插件为 openGL提供更加丝滑的回放。
* 重新启用了 openGL 回放插件的高级选项。
  * 在 VJ/预解码 中允许“充足”的所有帧
  * 重构了在播放时基础计算的代码(有了更好的 a/v 同步)。
  * 彻底修复了外部音频和音频,提高了准确性并减少了 CPU 周期。
  * 进入多音轨模式时自动切换至内部音频。
  * 重新显示效果映射器窗口时将会正常展示效果状态on/off
  * 解决了音频和视频线程之间的冲突。
  * 现在可以对在线视频下载器,剪辑大小和格式进行修改并添加了更新选项。
  * 对实时效果实行了参考计数的记录。
  * 大范围重写了主界面,清理代码并改进多视觉。
  * 优化了视频播放器运行时的录制功能。
  * 改进了 projectM 过滤器,包括支持了 SDL2。
  * 添加了一个选项来逆转多轨合成器中的 Z-order后层现在可以覆盖上层了
  * 增加了对 musl libc 的支持
  * 更新了乌克兰语的翻译
While some of the points listed can just go over your head if you are not an advanced video editor. But, in a nutshell, all of these things make LiVES Video Editor a better open source video editing software.
如果您不是一位高级视频编辑师也许会对上面列出的重要更新提不起太大的兴趣。但正是因为这些更新才使得“LiVES 视频编辑器”成为了最好的开源视频编辑软件。
[][3]
Suggested read  VidCutter Lets You Easily Trim And Merge Videos In Linux
推荐阅读  VidCutter Lets You Easily Trim And Merge Videos In Linux
### Installing LiVES Video Editor on Linux
### 在 Linux 上安装 LiVES 视频编辑器
LiVES is normally available in the repository of all major Linux distributions. However, you may not find the latest version on your software center yet. So, if you want to install it that way youll have to wait.
LiVES 几乎可以在所有主要 Linux 发行版中使用。但是,您可能并不能在软件中心找到它的最新版本。所以,如果你想通过这种方式安装,那你就不得不耐心等待了。
If you want to install it manually, you can get the RPM packages for Fedora/Open SUSE from its download page. The source is also available for Linux distros.
如果你想要手动安装,可以从它的下载页面获取 Fedora/Open SUSE 的 RPM 安装包。它也适用于其他 Linux 发行版。
[Download LiVES Video Editor][4]
[下载 LiVES 视频编辑器] [4]
For Ubuntu (or Ubuntu-based distros), you can add the [unofficial PPA][5] maintained by [Ubuntuhandbook][6]. Heres how to do it:
如果您使用的是 Ubuntu或其他基于 Ubuntu 的发行版),您可以安装由 [Ubuntuhandbook][6] 进行维护的[非官方 PPA][5]。
**1.** Launch the terminal and enter the following command:
下面由我来告诉你,你该做些什么:
**1. **启动终端后输入以下命令:
```
sudo add-apt-repository ppa:ubuntuhandbook1/lives
sudo add-apt-repository ppaubuntuhandbook1 / lives
```
You will be prompted for the password to authenticate the addition of PPA.
系统将提示您输入密码用于确认添加 PPA。
**2.** Once done, you can now easily proceed to update the list of packages and get LiVES Video Editor installed. Heres the set of commands that you need to enter next:
**2. **完成后,您现在可以轻松地更新软件包列表并安装 LiVES 视频编辑器。以下是需要您输入的命令段:
```
sudo apt update
sudo apt install lives lives-plugins
sudo apt install life-plugins
```
**3.** Now, it will start downloading and installing the video editor. You should be good to go in a minute.
**3.** 现在,它开始下载并安装视频编辑器,等待大约一分钟即可完成。
**Wrapping Up**
**总结**
There are a handful of [video editors available on Linux][7]. But they are not often considered good enough for professional editing. I am not a professional but I do manage simple editing with such freely available video editors like LiVES.
Linux 上有许多[视频编辑器] [7]。但它们通常被认为不能进行专业的编辑。而我并不是一名专业人士,所以像 LiVES 这样免费的视频编辑器就足以进行简单的编辑了。
How about you? Hows your experience with LiVES or other video editors on Linux? Let us know your thoughts in the comments below.
您认为怎么样呢?您在 Linux 上使用 LiVES 或其他视频编辑器的体验还好吗?在下面的评论中告诉我们你的感觉吧。
--------------------------------------------------------------------------------
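Review bot: the two install commands in the translated copy are broken and will fail as typed. `sudo add-apt-repository ppaubuntuhandbook1 / lives` has lost the colon and gained spaces; it must stay `sudo add-apt-repository ppa:ubuntuhandbook1/lives`, exactly as in the English line above it. Likewise `sudo apt install life-plugins` replaces `sudo apt install lives lives-plugins` with a misspelled package name and drops the `lives` package itself; restore the original command (code blocks are not to be translated). Markdown issues in the same hunk: `[下载 LiVES 视频编辑器] [4]` and `[视频编辑器] [7]` have a space before the reference label, which breaks the reference link, and `**1. **` / `**2. **` put the space inside the bold markers so the bold will not render (use `**1.** ` as the source does). Several changelog items mistranslate the source: "Render silence to end of video if necessary during rendering" is about padding the audio track with silence, not silent loading (如果需要加载的话,可以静默加载); "prevent unwanted crashes" is 防止意外崩溃, not 闻所未闻的崩溃; "Overhaul external audio and audio recording" became 外部音频和音频, dropping "recording"; "video generators" became 视频播放器; and "The source is also available for Linux distros" became 它也适用于其他 Linux 发行版 rather than saying the source code is available. Finally, 成为了最好的开源视频编辑软件 overstates "a better open source video editing software".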
@ -89,13 +90,14 @@ via: https://itsfoss.com/lives-video-editor/
作者:[Ankush Das][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
译者:[Scvoet][c]
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/ankush/
[b]: https://github.com/lujun9972
[c]: https://github.com/scvoet
[1]: https://itsfoss.com/open-source-video-editors/
[2]: https://i1.wp.com/itsfoss.com/wp-content/uploads/2019/08/lives-video-editor-loading.jpg?ssl=1
[3]: https://itsfoss.com/vidcutter-video-editor-linux/
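Review bot: the translator credit reads `[Scvoet][c]` while the header metadata in this same file says `translator: (scvoet)` and the new `[c]` definition points at `https://github.com/scvoet`; use one spelling of the handle. The rest of the hunk (the added `[c]` line and the unchanged `[a]`, `[b]`, `[1]`-`[3]` references) is consistent.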

View File

@ -1,13 +1,17 @@
Managing Digital Files (e.g., Photographs) in Files and Folders
qfzy1233 is translating
数码文件与文件夹收纳术(以照片为例)
======
Update 2014-05-14: added real world example
更新 2014-05-14:增加了一些具体实例
Update 2015-03-16: filtering photographs according to their GPS coordinates
更新 2015-03-16:根据照片的 GPS 坐标过滤图片
Update 2016-08-29: replaced outdated `show-sel.sh` method with new `filetags --filter` method
更新 2016-08-29:以新的 `filetags--filter` (LCTT译注文件标签过滤器)替换已经过时的 `show-sel.sh` 脚本LCTT译注show-sel 为 show firmware System Event Log records 即硬件系统事件及日志显示)
Update 2017-08-28: Email comment on geeqie video thumbnails
更新 2017-08-28:
I am a passionate photographer when being on vacation or whenever I see something beautiful. This way, I collected many [JPEG][1] files over the past years. Here, I describe how I manage my digital photographs while avoiding any [vendor lock-in][2] which binds me to a temporary solution and leads to loss of data. Instead, I prefer solutions where I am able to **invest my time and effort for a long-term relationship**.
This (very long) entry is **not about image files only** : I am going to explain further things like my folder hierarchy, file name convention, and so forth. Therefore, this information applies to all kind of files I process.
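Review bot: the 2017-08-28 changelog entry is only half translated: 更新 2017-08-28: stops at the colon and drops "Email comment on geeqie video thumbnails". In the 2016-08-29 entry the command name `filetags --filter` is written `filetags--filter`, losing the space between program and option, and the LCTT translator's note glossing `show-sel.sh` as "show firmware System Event Log records" is not supported by the line it translates, which describes an outdated method for showing selected photographs that `filetags --filter` replaced; drop that gloss or leave the script name unexplained. The `qfzy1233 is translating` line marks this file as work in progress, and indeed only the title and update headers are translated while the body paragraphs remain English, so this hunk should not be treated as a finished translation.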

View File

@ -1,145 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Podman and user namespaces: A marriage made in heaven)
[#]: via: (https://opensource.com/article/18/12/podman-and-user-namespaces)
[#]: author: (Daniel J Walsh https://opensource.com/users/rhatdan)
Podman and user namespaces: A marriage made in heaven
======
Learn how to use Podman to run containers in separate user namespaces.
![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/architecture_structure_planning_design_.png?itok=KL7dIDct)
[Podman][1], part of the [libpod][2] library, enables users to manage pods, containers, and container images. In my last article, I wrote about [Podman as a more secure way to run containers][3]. Here, I'll explain how to use Podman to run containers in separate user namespaces.
I have always thought of [user namespace][4], primarily developed by Red Hat's Eric Biederman, as a great feature for separating containers. User namespace allows you to specify a user identifier (UID) and group identifier (GID) mapping to run your containers. This means you can run as UID 0 inside the container and UID 100000 outside the container. If your container processes escape the container, the kernel will treat them as UID 100000. Not only that, but any file object owned by a UID that isn't mapped into the user namespace will be treated as owned by "nobody" (65534, kernel.overflowuid), and the container process will not be allowed access unless the object is accessible by "other" (world readable/writable).
If you have a file owned by "real" root with permissions [660][5], and the container processes in the user namespace attempt to read it, they will be prevented from accessing it and will see the file as owned by nobody.
### An example
Here's how that might work. First, I create a file in my system owned by root.
```
$ sudo bash -c "echo Test > /tmp/test"
$ sudo chmod 600 /tmp/test
$ sudo ls -l /tmp/test
-rw-------. 1 root root 5 Dec 17 16:40 /tmp/test
```
Next, I volume-mount the file into a container running with a user namespace map 0:100000:5000.
```
$ sudo podman run -ti -v /tmp/test:/tmp/test:Z --uidmap 0:100000:5000 fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -l /tmp/test
-rw-rw----. 1 nobody nobody 8 Nov 30 12:40 /tmp/test
# cat /tmp/test
cat: /tmp/test: Permission denied
```
The **\--uidmap** setting above tells Podman to map a range of 5000 UIDs inside the container, starting with UID 100000 outside the container (so the range is 100000-104999) to a range starting at UID 0 inside the container (so the range is 0-4999). Inside the container, if my process is running as UID 1, it is 100001 on the host
Since the real UID=0 is not mapped into the container, any file owned by root will be treated as owned by nobody. Even if the process inside the container has **CAP_DAC_OVERRIDE** , it can't override this protection. **DAC_OVERRIDE** enables root processes to read/write any file on the system, even if the process was not owned by root or world readable or writable.
User namespace capabilities are not the same as capabilities on the host. They are namespaced capabilities. This means my container root has capabilities only within the container—really only across the range of UIDs that were mapped into the user namespace. If a container process escaped the container, it wouldn't have any capabilities over UIDs not mapped into the user namespace, including UID=0. Even if the processes could somehow enter another container, they would not have those capabilities if the container uses a different range of UIDs.
Note that SELinux and other technologies also limit what would happen if a container process broke out of the container.
### Using `podman top` to show user namespaces
We have added features to **podman top** to allow you to examine the usernames of processes running inside a container and identify their real UIDs on the host.
Let's start by running a sleep container using our UID mapping.
```
$ sudo podman run --uidmap 0:100000:5000 -d fedora sleep 1000
```
Now run **podman top** :
```
$ sudo podman top --latest user huser
USER   HUSER
root   100000
$ ps -ef | grep sleep
100000   21821 21809  0 08:04 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
```
Notice **podman top** reports that the user process is running as root inside the container but as UID 100000 on the host (HUSER). Also the **ps** command confirms that the sleep process is running as UID 100000.
Now let's run a second container, but this time we will choose a separate UID map starting at 200000.
```
$ sudo podman run --uidmap 0:200000:5000 -d fedora sleep 1000
$ sudo podman top --latest user huser
USER   HUSER
root   200000
$ ps -ef | grep sleep
100000   21821 21809  0 08:04 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
200000   23644 23632  1 08:08 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
```
Notice that **podman top** reports the second container is running as root inside the container but as UID=200000 on the host.
Also look at the **ps** command—it shows both sleep processes running: one as 100000 and the other as 200000.
This means running the containers inside separate user namespaces gives you traditional UID separation between processes, which has been the standard security tool of Linux/Unix from the beginning.
### Problems with user namespaces
For several years, I've advocated user namespace as the security tool everyone wants but hardly anyone has used. The reason is there hasn't been any filesystem support or a shifting file system.
In containers, you want to share the **base** image between lots of containers. The examples above use the Fedora base image in each example. Most of the files in the Fedora image are owned by real UID=0. If I run a container on this image with the user namespace 0:100000:5000, by default it sees all of these files as owned by nobody, so we need to shift all of these UIDs to match the user namespace. For years, I've wanted a mount option to tell the kernel to remap these file UIDs to match the user namespace. Upstream kernel storage developers continue to investigate and make progress on this feature, but it is a difficult problem.
Podman can use different user namespaces on the same image because of automatic [chowning][6] built into [containers/storage][7] by a team led by Nalin Dahyabhai. Podman uses containers/storage, and the first time Podman uses a container image in a new user namespace, container/storage "chowns" (i.e., changes ownership for) all files in the image to the UIDs mapped in the user namespace and creates a new image. Think of this as the **fedora:0:100000:5000** image.
When Podman runs another container on the image with the same UID mappings, it uses the "pre-chowned" image. When I run the second container on 0:200000:5000, containers/storage creates a second image, let's call it **fedora:0:200000:5000**.
Note if you are doing a **podman build** or **podman commit** and push the newly created image to a container registry, Podman will use container/storage to reverse the shift and push the image with all files chowned back to real UID=0.
This can cause a real slowdown in creating containers in new UID mappings since the **chown** can be slow depending on the number of files in the image. Also, on a normal [OverlayFS][8], every file in the image gets copied up. The normal Fedora image can take up to 30 seconds to finish the chown and start the container.
Luckily, the Red Hat kernel storage team, primarily Vivek Goyal and Miklos Szeredi, added a new feature to OverlayFS in kernel 4.19. The feature is called **metadata only copy-up**. If you mount an overlay filesystem with **metacopy=on** as a mount option, it will not copy up the contents of the lower layers when you change file attributes; the kernel creates new inodes that include the attributes with references pointing at the lower-level data. It will still copy up the contents if the content changes. This functionality is available in the Red Hat Enterprise Linux 8 Beta, if you want to try it out.
This means container chowning can happen in a couple of seconds, and you won't double the storage space for each container.
This makes running containers with tools like Podman in separate user namespaces viable, greatly increasing the security of the system.
### Going forward
I want to add a new flag, like **\--userns=auto** , to Podman that will tell it to automatically pick a unique user namespace for each container you run. This is similar to the way SELinux works with separate multi-category security (MCS) labels. If you set the environment variable **PODMAN_USERNS=auto** , you won't even need to set the flag.
Podman is finally allowing users to run containers in separate user namespaces. Tools like [Buildah][9] and [CRI-O][10] will also be able to take advantage of user namespaces. For CRI-O, however, Kubernetes needs to understand which user namespace will run the container engine, and the upstream is working on that.
In my next article, I will explain how to run Podman as non-root in a user namespace.
--------------------------------------------------------------------------------
via: https://opensource.com/article/18/12/podman-and-user-namespaces
作者:[Daniel J Walsh][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/rhatdan
[b]: https://github.com/lujun9972
[1]: https://podman.io/
[2]: https://github.com/containers/libpod
[3]: https://opensource.com/article/18/10/podman-more-secure-way-run-containers
[4]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
[5]: https://chmodcommand.com/chmod-660/
[6]: https://en.wikipedia.org/wiki/Chown
[7]: https://github.com/containers/storage
[8]: https://en.wikipedia.org/wiki/OverlayFS
[9]: https://buildah.io/
[10]: http://cri-o.io/
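Review bot: this hunk is a pure deletion of the English source of the Podman article; the translated copy is added later in this same commit (146 lines versus the 145 removed here) with the same `via`, author, `[a]`/`[b]` and `[1]` references, so the move looks consistent. Nothing in the removed text needs comment, since it is being retired rather than changed.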

View File

@ -1,168 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How To Set up Automatic Security Update (Unattended Upgrades) on Debian/Ubuntu?)
[#]: via: (https://www.2daygeek.com/automatic-security-update-unattended-upgrades-ubuntu-debian/)
[#]: author: (Magesh Maruthamuthu https://www.2daygeek.com/author/magesh/)
How To Set up Automatic Security Update (Unattended Upgrades) on Debian/Ubuntu?
======
One of an important task for Linux admins to make the system up-to-date.
Its keep your system more stable and avoid unwanted access and attack.
Installing a package in Linux is a piece of cake.
In the similar way we can update security patches as well.
This is a simple tutorial that will show you to configure your system to receive automatic security updates.
There are some security risks involved when you running an automatic security package upgrades without inspection, but there are also benefits.
If you dont want to miss security patches and would like to stay up-to-date with the latest security patches.
Then you should set up an automatic security update with help of unattended upgrades utility.
You can **[manually install Security Updates on Debian & Ubuntu systems][1]** if you dont want to go for automatic security update.
There are many ways that we can automate this. However, we are going with an official method and later we will cover other ways too.
### How to Install unattended-upgrades package in Debian/Ubuntu?
By default unattended-upgrades package should be installed on your system. But in case if its not installed use the following command to install it.
Use **[APT-GET Command][2]** or **[APT Command][3]** to install unattended-upgrades package.
```
$ sudo apt-get install unattended-upgrades
```
The below two files are allows you to customize this utility.
```
/etc/apt/apt.conf.d/50unattended-upgrades
/etc/apt/apt.conf.d/20auto-upgrades
```
### Make necessary changes in 50unattended-upgrades file
By default only minimal required options were enabled for security updates. Its not limited and you can configure many option in this to make this utility more useful.
I have trimmed the file and added only the enabled lines for better clarifications.
```
# vi /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
};
Unattended-Upgrade::DevRelease "false";
```
There are three origins are enabled and the details are below.
* **`${distro_id}:${distro_codename}:`**` ` It is necessary because security updates may pull in new dependencies from non-security sources.
* **`${distro_id}:${distro_codename}-security:`**` ` It is used to get a security updates from sources.
* **`${distro_id}ESM:${distro_codename}:`**` ` It is used to get a security updates for ESM (Extended Security Maintenance) users.
**Enable Email Notification:** If you would like to receive email notifications after every security update, then modify the following line (uncomment it and add your email id).
From:
```
//Unattended-Upgrade::Mail "root";
```
To:
```
Unattended-Upgrade::Mail "[email protected]";
```
**Auto Remove Unused Dependencies:** You may need to run “sudo apt autoremove” command after every update to remove unused dependencies from the system.
We can automate this task by making the changes in the following line (uncomment it and change “false” to “true”).
From:
```
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
```
To:
```
Unattended-Upgrade::Remove-Unused-Dependencies "true";
```
**Enable Automatic Reboot:** You may need to reboot your system when a security updates installed for kernel. To do so, make the following changes in the following line.
From:
```
//Unattended-Upgrade::Automatic-Reboot "false";
```
To: Uncomment it and change “false” to “true” to enable automatic reboot.
```
Unattended-Upgrade::Automatic-Reboot "true";
```
**Enable Automatic Reboot at The Specific Time:** If automatic reboot is enabled and you would like to perform the reboot at the specific time, then make the following changes.
From:
```
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```
To: Uncomment it and change the time as per your requirement. I set it to reboot at 5 AM.
```
Unattended-Upgrade::Automatic-Reboot-Time "05:00";
```
### How to Enable Automatic Security Update?
Now, we have configured the necessary options. Once you are done.
Open the following file and verify it, both the values are set up correctly or not? It should not be a zeros. (1=enabled, 0=disabled).
```
# vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```
**Details:**
* The first line makes apt to perform “apt-get update” automatically every day.
* The second line makes apt to install security updates automatically every day.
--------------------------------------------------------------------------------
via: https://www.2daygeek.com/automatic-security-update-unattended-upgrades-ubuntu-debian/
作者:[Magesh Maruthamuthu][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.2daygeek.com/author/magesh/
[b]: https://github.com/lujun9972
[1]: https://www.2daygeek.com/manually-install-security-updates-ubuntu-debian/
[2]: https://www.2daygeek.com/apt-get-apt-cache-command-examples-manage-packages-debian-ubuntu-systems/
[3]: https://www.2daygeek.com/apt-command-examples-manage-packages-debian-ubuntu-systems/
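Review bot: this is a pure deletion of the English unattended-upgrades source, but unlike the Podman article no translated counterpart is visible in this commit view (the header says 7 changed files, only 6 are shown), so the move cannot be confirmed here; check that the translated file was actually added rather than the source simply dropped.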

View File

@ -26,11 +26,11 @@ Saron Yitbarek好吧。这也许有点戏剧性但当我们谈论上世纪
我是 Saron Yitbarek你现在收听的是代码英雄一款红帽公司原创的博客节目。[00:01:30] 你问,什么是<ruby>代码英雄<rt>Command Line Hero</rt></ruby>如果你愿意创造而不仅仅是使用如果你相信开发者拥有构建美好未来的能力如果你希望拥有一个大家都有权利表达科技如何塑造生活的世界那么你我的朋友就是一位代码英雄。在本系列节目中我们将为你带来那些“白码起家”LCTT 译注:原文是 “from the command line up”应该是演绎自 “from the ground up”——白手起家改变技术的程序员故事。[00:02:00] 那么我是谁凭什么指导你踏上这段艰苦的旅程Saron Yitbarek 是哪根葱?嗯,事实上我觉得我跟你差不多。我是一名面向初学者的开发人员,我做的任何事都依赖于开源软件,我的世界就是如此。通过在博客中讲故事,我可以跳出无聊的日常工作,鸟瞰全景,希望这对你也一样有用。
我迫不及待地想知道,开源技术从何而来?我的意思是,我对<ruby>林纳斯·托瓦兹<rt>Linus Torvalds</rt></ruby>和 Linux^® 的荣耀有一些了解,[00:02:30] 我相信你也一样,但是说真的,开源并不是一开始就有的,对吗?如果我发自内心的感激这些最新、最棒的技术,比如 DevOps 和容器之类的,我感觉我对那些早期的开发者缺乏了解,我有必要了解这些东西来自何处。所以,让我们暂时先不用担心内存泄露和缓冲溢出。我们的旅程将从操作系统之战开始,这是一场波澜壮阔的桌面控制之战。[00:03:00] 这场战争亘古未有,因为:首先,在计算机时代,大公司拥有指数级的规模优势;其次,从未有过这么一场控制争夺战是如此变化多端。比尔·盖茨和史蒂夫·乔布斯? 他们也不知道结果会如何,但是到目前为止,这个故事进行到一半的时候,他们所争夺的所有东西都将发生改变、进化,最终上升到云端。
我迫不及待地想知道,开源技术从何而来?我的意思是,我对<ruby>林纳斯·托瓦兹<rt>Linus Torvalds</rt></ruby>和 Linux^® 的荣耀有一些了解,[00:02:30] 我相信你也一样,但是说真的,开源并不是一开始就有的,对吗?如果我发自内心的感激这些最新、最棒的技术,比如 DevOps 和容器之类的,我感觉我对那些早期的开发者缺乏了解,我有必要了解这些东西来自何处。所以,让我们暂时先不用担心内存泄露和缓冲溢出。我们的旅程将从操作系统之战开始,这是一场波澜壮阔的桌面控制之战。[00:03:00] 这场战争亘古未有,因为:首先,在计算机时代,大公司拥有指数级的规模优势;其次,从未有过这么一场控制争夺战是如此变化多端。比尔·盖茨和史蒂夫·乔布斯? 他们也不知道结果会如何,但是到目前为止,这个故事进行到一半的时候,他们所争夺的所有东西都将发生改变、进化,最终上升到云端。
[00:03:30] 好的,让我们回到 1983 年的秋季。还有六年我才出生。那时候的总统还是<ruby>罗纳德·里根<rt>Ronald Reagan</rt></ruby>,美国和苏联扬言要把地球拖入核战争之中。在檀香山(火奴鲁鲁)的市政中心正在举办一年一度的苹果公司销售会议。一群苹果公司的员工正在等待史蒂夫·乔布斯上台。他 28 岁,热情洋溢,看起来非常自信。乔布斯很严肃地对着麦克风说他邀请了三个行业专家来就软件进行了一次小组讨论。[00:04:00] 然而随后发生的事情你肯定想不到。超级俗气的 80 年代音乐响彻整个房间。一堆多彩灯管照亮了舞台,然后一个播音员的声音响起-
配音:女士们,先生们,现在是麦金塔软件的约会游戏。
配音:女士们,先生们,现在是麦金塔软件的约会游戏时间
Saron Yitbarek乔布斯的脸上露出一个大大的笑容台上有三个 CEO 都需要轮流向他示好。这基本上就是 80 年代钻石王老五,不过是科技界的。[00:04:30] 两个软件大佬讲完话后,然后就轮到第三个人讲话了。仅此而已不是吗?是的。新面孔比尔·盖茨带着一个大大的遮住了半张脸的方框眼镜。他宣称在 1984 年,微软的一半收入将来自于麦金塔软件。他的这番话引来了观众热情的掌声。[00:05:00] 但是他们不知道的是,在一个月后,比尔·盖茨将会宣布发布 Windows 1.0 的计划。你永远也猜不到乔布斯正在跟苹果未来最大的敌人打情骂俏。但微软和苹果即将经历科技史上最糟糕的婚礼。他们会彼此背叛、相互毁灭,但又深深地、痛苦地捆绑在一起。
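Review bot: the only visible change in this hunk is 约会游戏。 to 约会游戏时间 in the 配音 line, which reads better. The other old/new pair (我迫不及待地想知道...) shows no visible difference, so it is presumably a whitespace or invisible-character change; confirm that it is intentional rather than an editor artefact.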
@ -54,7 +54,7 @@ Ken Segal这则广告在公司内、在业界内都引起了共鸣成为
Saron Yitbarek[00:08:30] 因此,在争夺数十亿潜在消费者心智的过程中,苹果公司和微软公司的帝王们正在学着把自己塑造成救世主、非凡的英雄、一种对生活方式的选择。但比尔·盖茨知道一些苹果难以理解的事情。那就是在一个相互连接的世界里,没有人,即便是帝王,也不能独自完成任务。
[00:09:00] 1985 年 6 月 25 日。盖茨给当时的苹果 CEO John Scully 发了一份备忘录。那是一个迷失的年代。乔布斯刚刚被逐出公司,直到 1996 年才回到苹果。也许正是因为乔布斯离开了,盖茨才敢写这份东西。在备忘录中,他鼓励苹果授权制造商分发他们的操作系统。我想读一下备忘录的最后部分,让你们知道这份备忘录是多么的有洞察力。[00:09:30] 盖茨写道:“如果没有其他个人电脑制造商的支持,苹果现在不可能让他们的创新技术成为标准。苹果必须开放麦金塔的架构,以获得获得快速发展和建立标准所需的支持。”换句话说,你们不要再自己玩自己的了。你们必须有与他人合作的意愿。你们必须与开发者合作。
[00:09:00] 1985 年 6 月 25 日。盖茨给当时的苹果 CEO John Scully 发了一份备忘录。那是一个迷失的年代。乔布斯刚刚被逐出公司,直到 1996 年才回到苹果。也许正是因为乔布斯离开了,盖茨才敢写这份东西。在备忘录中,他鼓励苹果授权制造商分发他们的操作系统。我想读一下备忘录的最后部分,让你们知道这份备忘录是多么的有洞察力。[00:09:30] 盖茨写道:“如果没有其他个人电脑制造商的支持,苹果现在不可能让他们的创新技术成为标准。苹果必须开放麦金塔的架构,以获得快速发展和建立标准所需的支持。”换句话说,你们不要再自己玩自己的了。你们必须有与他人合作的意愿。你们必须与开发者合作。
[00:10:00]多年后你依然可以看到这条哲学思想,当微软首席执行官<ruby>史蒂夫·鲍尔默<rt>Steve Ballmer</rt></ruby>上台做主题演讲时他开始大喊“开发者开发者开发者开发者开发者开发者开发者开发者开发者。”你懂我的意思了吧。微软喜欢开发人员。虽然目前LCTT 译注:本播客发布于 2018 年初)他们不打算与这些开发人员共享源代码,但是他们确实想建立起整个合作伙伴生态系统。[00:10:30] 而当比尔·盖茨建议苹果公司也这么做时,如你可能已经猜到的,这个想法就被苹果公司抛到了九霄云外。他们的关系产生了间隙,五个月后,微软发布了 Windows 1.0。战争开始了。
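Review bot: the change removes the duplicated 获得 in 以获得获得快速发展, which is correct. In the same line the Apple CEO's surname is spelled `John Scully` in both the old and new version; the correct spelling is Sculley, and the name could be given with the `<ruby>` markup this file uses for other English names.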
@ -64,7 +64,7 @@ Saron Yitbarek[00:08:30] 因此,在争夺数十亿潜在消费者心智的
好的,让我们先来个背景故事吧。如果你已经听过了,那么请原谅我,但它很经典。当时是 1979 年,史蒂夫·乔布斯开车去<ruby>帕洛阿尔托<rt>Palo Alto</rt></ruby><ruby>施乐公园研究中心<rt>Xerox Park research center</rt></ruby>。[00:11:30] 那里的工程师一直在为他们所谓的图形用户界面开发一系列的元素。也许你听说过。它们有菜单、滚动条、按钮、文件夹和重叠的窗口。这是对计算机界面的一个美丽的新设想。这是前所未有的。作家兼记者 Steve Levy 会谈到它的潜力。
Steven Levy[00:12:00] 对于这个新界面来说,有很多令人激动的地方,它以前的交互界面更友好,以前用的所谓的命令行 —— 你和电脑之间的交互方式跟现实生活中的交互方式完全不同。鼠标和电脑上的图像让你可以做到像现实生活中的交互一样,你可以像指向现实生活中的东西一样指向电脑上的东西。这让事情变得简单多了。你无需要记住所有那些命令。
Steven Levy[00:12:00] 对于这个新界面来说,有很多令人激动的地方,它以前的交互界面更友好,以前用的所谓的命令行 —— 你和电脑之间的交互方式跟现实生活中的交互方式完全不同。鼠标和电脑上的图像让你可以做到像现实生活中的交互一样,你可以像指向现实生活中的东西一样指向电脑上的东西。这让事情变得简单多了。你无需要记住所有那些命令。
Saron Yitbarek[00:12:30] 不过,施乐的高管们并没有意识到他们正坐在金矿上。一如既往地,工程师比主管们更清楚它的价值。因此那些工程师,当被要求向乔布斯展示所有这些东西是如何工作时,有点紧张。然而这是毕竟是高管的命令。乔布斯觉得,用他的话来说,“这个产品天才本来能够让施乐公司垄断整个行业,可是它最终会被公司的经营者毁掉,因为他们对产品的好坏没有概念。”[00:13:00] 这话有些苛刻但是乔布斯带着一卡车施乐高管错过的想法离开了会议。这几乎包含了他需要革新桌面计算体验的所有东西。1983 年,苹果发布了 Lisa 电脑1984 年又发布了 Mac 电脑。这些设备的创意是抄袭自施乐公司的。
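Review bot: the old and new Steven Levy lines show no visible difference (presumably whitespace only), and two readability issues in that line survive the change: 它以前的交互界面更友好 is missing the comparative (它比以前的交互界面更友好), and 你无需要记住 should be 你无需记住. In the unchanged context line above, `Xerox Park research center` should be Xerox PARC (Palo Alto Research Center).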
@ -96,7 +96,7 @@ Steven Vaughan-Nichols当时有几个类似的操作系统。他最关注的
Saron Yitbarek到 1991 年秋季,托瓦兹发布了 10000 行代码,世界各地的人们开始评头论足,然后进行优化、添加和修改代码。[00:23:00] 对于今天的开发人员来说,这似乎很正常,但请记住,在那个时候,像这样的开放协作是对微软、苹果和 IBM 已经做的很好的整个专有系统的道德侮辱。随后这种开放性被奉若神明。托瓦兹将 Linux 置于 GNU 通用公共许可证GPL之下。曾经保障斯托尔曼的 GNU 系统自由的许可证现在也将保障 Linux 的自由。Vaughan-Nichols 解释道,这种融入到 GPL 的重要性怎么强调都不过分,它基本上能永远保证软件的自由和开放性。
Steven Vaughan-Nichols[00:23:30] 事实上,根据 Linux 所遵循的许可协议,即 GPL 第 2 版,如果你想贩卖 Linux 或者向全世界展示它,你必须与他人共享代码,所以如果你对其做了一些改进,仅仅给别人使用是不够的。事实上你必须和他们分享所有这些变化的具体细节。然后,如果这些改进足够好,就会被 Linux 所吸收。
Steven Vaughan-Nichols[00:23:30] 事实上,根据 Linux 所遵循的许可协议,即 GPL 第 2 版,如果你想贩卖 Linux 或者向全世界展示它,你必须与他人共享代码,所以如果你对其做了一些改进,仅仅给别人使用是不够的。事实上你必须和他们分享所有这些变化的具体细节。然后,如果这些改进足够好,就会被 Linux 所吸收。
Saron Yitbarek[00:24:00] 事实证明,这种公开的方式极具吸引力。<ruby>埃里克·雷蒙德</rt>Eric Raymond</rt></ruby> 是这场运动的早期传道者之一,他在他那篇著名的文章中写道:“微软和苹果这样的公司一直在试图建造软件大教堂,而 Linux 及类似的软件则提供了一个由不同议程和方法组成的巨大集市,集市比大教堂有趣多了。”
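Review bot: the old and new Steven Vaughan-Nichols lines show no visible difference (presumably whitespace only). The context line after them has malformed markup: `<ruby>埃里克·雷蒙德</rt>Eric Raymond</rt></ruby>` opens the reading with `</rt>` instead of `<rt>`, so the English name will not render as ruby text; it should be `<ruby>埃里克·雷蒙德<rt>Eric Raymond</rt></ruby>`.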

View File

@ -0,0 +1,146 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Podman and user namespaces: A marriage made in heaven)
[#]: via: (https://opensource.com/article/18/12/podman-and-user-namespaces)
[#]: author: (Daniel J Walsh https://opensource.com/users/rhatdan)
Podman 和用户名字空间:天作之合
======
> 了解如何使用 Podman 在单独的用户空间运行容器。
![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/architecture_structure_planning_design_.png?itok=KL7dIDct)
[Podman][1] 是 [libpod][2] 库的一部分,使用户能够管理 pod、容器和容器镜像。在我的上一篇文章中我写过 [Podman 作为一种更安全的运行容器的方式][3]。在这里,我将解释如何使用 Podman 在单独的用户命名空间中运行容器。
我一直在思考<ruby>[用户命名空间][4]<rt>user namespace</rt></ruby>,它主要是由 Red Hat 的 Eric Biederman 开发的作为分离容器的一个很棒的功能。用户命名空间允许你指定用于运行容器的用户标识符UID和组标识符GID映射。这意味着你可以在容器内运行 UID 0在容器外运行 UID 100000。如果容器进程逃逸出了容器内核会将它们视为 UID 100000。不仅如此任何未映射到用户命名空间的 UID 所拥有的任何文件对象都将被视为 `nobody` 所拥有65534`kernel.overflowuid`),并且不允许容器进程访问,除非该对象可由“其他人”访问(世界可读/可写)。
如果你拥有一个权限为 [660][5] 的属主为“真实” `root` 的文件,并且用户命名空间中的容器进程尝试读取它,则会阻止它们访问它,并且会将该文件视为 `nobody` 所拥有。
### 示例
以下是它是如何工作的。首先,我在 `root` 拥有的系统中创建一个文件。
```
$ sudo bash -c "echo Test > /tmp/test"
$ sudo chmod 600 /tmp/test
$ sudo ls -l /tmp/test
-rw-------. 1 root root 5 Dec 17 16:40 /tmp/test
```
接下来,我将该文件卷挂载到一个使用用户命名空间映射 `0:100000:5000` 运行的容器中。
```
$ sudo podman run -ti -v /tmp/test:/tmp/test:Z --uidmap 0:100000:5000 fedora sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -l /tmp/test
-rw-rw----. 1 nobody nobody 8 Nov 30 12:40 /tmp/test
# cat /tmp/test
cat: /tmp/test: Permission denied
```
上面的 `--uidmap` 设置告诉 Podman 在容器内映射一系列 5000 个 UID从容器外的 UID 100000开始因此范围是 100000-104999到容器内 UID 0 开始的范围(所以范围是 0-4999。在容器内部如果我的进程以 UID 1 运行,则它在主机上为 100001。
由于实际的 `UID=0` 未映射到容器中,因此 `root` 拥有的任何文件都将被视为 `nobody` 所拥有。即使容器内的进程具有 `CAP_DAC_OVERRIDE`,也无法覆盖此种保护。`DAC_OVERRIDE` 使根进程能够读/写系统上的任何文件,即使进程不是 `root` 用户拥有,也不是全局可读或可写的。
用户命名空间功能与主机上的功能不同。它们是命名空间功能。这意味着我的容器根只在容器内具有功能,实际上只在映射到用户命名空间的 UID 范围内。如果容器进程逃逸了容器,则它将没有任何功能而不是映射到用户命名空间的 UID包括 UID=0。即使进程可能以某种方式进入另一个容器如果容器使用不同范围的 UID它们也不具备这些功能。
请注意SELinux 和其他技术还限制了容器进程破开容器时会发生的情况。
### 使用 podman top 来显示用户名字空间
我们在 `podman top` 中添加了一些功能,允许你检查容器内运行的进程的用户名,并在主机上标识它们的真实 UID。
让我们首先使用我们的 UID 映射运行一个 `sleep` 容器。
```
$ sudo podman run --uidmap 0:100000:5000 -d fedora sleep 1000
```
现在运行 `podman top`
```
$ sudo podman top --latest user huser
USER   HUSER
root   100000
$ ps -ef | grep sleep
100000   21821 21809  0 08:04 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
```
注意 `podman top` 报告用户进程在容器内以 `root` 身份运行,但在主机(`HUSER`)上以 UID 100000 运行。此外,`ps` 命令确认 `sleep` 过程以 UID 100000 运行。
现在让我们运行第二个容器,但这次我们将选择一个单独的 UID 映射,从 200000 开始。
```
$ sudo podman run --uidmap 0:200000:5000 -d fedora sleep 1000
$ sudo podman top --latest user huser
USER   HUSER
root   200000
$ ps -ef | grep sleep
100000   21821 21809  0 08:04 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
200000   23644 23632  1 08:08 ?         00:00:00 /usr/bin/coreutils --coreutils-prog-shebang=sleep /usr/bin/sleep 1000
```
请注意,`podman top` 报告第二个容器在容器内以 `root` 身份运行,但主机上的 UID=200000。
另请参阅 `ps` 命令,它显示两个 `sleep` 进程都在运行:一个为 100000另一个为 200000。
这意味着在单独的用户命名空间内运行容器可以在进程之间进行传统的 UID 分离,这从一开始就是 Linux/Unix 的标准安全工具。
### 用户名字空间的问题
几年来,我一直主张用户命名空间应该作为每个人应该有的安全工具,但几乎没有人使用过。原因是没有任何文件系统支持或转移文件系统。
在容器中,你希望在许多容器之间共享**基本**镜像。上面的示例在每个示例中使用 Fedora 基本镜像。Fedora 镜像中的大多数文件都由实际的 UID=0 拥有。如果我使用用户名称空间 0:100000:5000 在此镜像上运行容器,默认情况下它会将所有这些文件视为 `nobody` 所拥有,因此我们需要移动所有这些 UID 以匹配用户名称空间。多年来,我想要一个挂载选项来告诉内核重新映射这些文件 UID 以匹配用户命名空间。上游内核存储开发人员继续调查并在此功能上取得进展,但这是一个难题。
Podman 可以在同一镜像上使用不同的用户名称空间,是由于自动 [chown][6] 内置于由 Nalin Dahyabhai 领导的团队开发的[容器/存储][7]中。Podman使用容器/存储Podman 第一次在新的用户命名空间中使用容器镜像,容器/存储 “chowns”更改所有权镜像中的所有文件到用户命名空间中映射的 UID 并创建新镜像。可以把它想象成 `fedora:0:100000:5000` 镜像。
当 Podman 在具有相同 UID 映射的镜像上运行另一个容器时它使用“预先设置所有权”的图像。当我在0:200000:5000 上运行第二个容器时,容器/存储会创建第二个镜像,我们称之为 `fedora:0:200000:5000`
请注意,如果你正在执行 `podman build``podman commit` 并将新创建的镜像推送到容器注册表Podman 将使用容器/存储来反转移位并将所有文件推回到实际 UID=0 的镜像。
这可能会导致在新的 UID 映射中创建容器时出现真正的减速,因为 `chown` 可能会很慢,具体取决于镜像中的文件数。此外,在普通 [OverlayFS][8] 上,镜像中的每个文件都会被复制。正常的 Fedora 镜像最多可能需要 30 秒才能完成 `chown` 并启动容器。
幸运的是Red Hat 内核存储团队(主要是 Vivek Goyal 和 Miklos Szeredi在内核 4.19 中为 OverlayFS 添加了一项新功能。该功能称为“仅元数据复制”。如果使用 `metacopy=on` 挂载覆盖文件系统作为挂载选项,则在更改文件属性时,它不会复制较低层的内容;内核创建新的 inode其中包含引用指向较低级别数据的属性。如果内容发生变化它仍会复制内容。如果你想试用它可以在 Red Hat Enterprise Linux 8 Beta 中使用此功能。
这意味着容器 `chown` 可能在几秒钟内发生,并且你不会将每个容器的存储空间加倍。
这使得像 Podman 这样的工具在不同的用户命名空间中运行容器是可行的,大大提高了系统的安全性。
### 前瞻
我想向 Podman 添加一个新标志,比如 `--userns=auto`,它会告诉它为你运行的每个容器自动选择一个唯一的用户命名空间。这类似于 SELinux 与单独的多类别安全MCS标签一起使用的方式。如果设置环境变量 `PODMAN_USERNS=auto`,则甚至不需要设置标志。
Podman 最终允许用户在不同的用户名称空间中运行容器。像 [Buildah][9] 和 [CRI-O][10] 这样的工具也可以利用用户命名空间。但是,对于 CRI-OKubernetes 需要了解哪个用户命名空间将运行容器引擎,而上游正在处理它。
在我的下一篇文章中,我将解释如何在用户命名空间中将 Podman 作为非 root 用户运行。
--------------------------------------------------------------------------------
via: https://opensource.com/article/18/12/podman-and-user-namespaces
作者:[Daniel J Walsh][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/rhatdan
[b]: https://github.com/lujun9972
[1]: https://podman.io/
[2]: https://github.com/containers/libpod
[3]: https://opensource.com/article/18/10/podman-more-secure-way-run-containers
[4]: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
[5]: https://chmodcommand.com/chmod-660/
[6]: https://en.wikipedia.org/wiki/Chown
[7]: https://github.com/containers/storage
[8]: https://en.wikipedia.org/wiki/OverlayFS
[9]: https://buildah.io/
[10]: http://cri-o.io/
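Review bot: the escape sentence in the paragraph beginning `用户命名空间功能与主机上的功能不同` inverts the original meaning. `如果容器进程逃逸了容器,则它将没有任何功能而不是映射到用户命名空间的 UID包括 UID=0` says the process has "no capabilities, rather than the UIDs mapped into the namespace"; the intended sense is that it has no capabilities over UIDs that are NOT mapped into its user namespace, so something like `如果容器进程逃逸了容器,那么对于未映射到该用户命名空间的 UID(包括 UID=0),它将不具备任何权能` is needed. In the same two paragraphs `功能` is used for Linux "capabilities"; `权能` (or leaving `capabilities` untranslated) avoids reading it as a generic "feature", which matters because the point being made is that a namespaced `CAP_DAC_OVERRIDE` cannot override the `nobody`-owned file protection shown in the `cat: /tmp/test: Permission denied` example. Two smaller items in the same hunk: `[容器/存储][7]` and the later `容器/存储` in the `用户名字空间的问题` section are the project name `containers/storage` (the link target is github.com/containers/storage) and should stay untranslated; and the UID-range explanation `从容器外的 UID 100000开始因此范围是 100000-104999到容器内 UID 0 开始的范围(所以范围是 0-4999。` has lost its full-width parentheses and commas, so the two ranges run into each other and need the punctuation restored.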
@ -0,0 +1,165 @@
[#]: collector: (lujun9972)
[#]: translator: (tomjlw)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How To Set up Automatic Security Update (Unattended Upgrades) on Debian/Ubuntu?)
[#]: via: (https://www.2daygeek.com/automatic-security-update-unattended-upgrades-ubuntu-debian/)
[#]: author: (Magesh Maruthamuthu https://www.2daygeek.com/author/magesh/)
如何在 Debian/Ubuntu 上设置自动安全更新(无人值守更新)
======
对于 Linux 管理员来说重要的任务之一是让系统保持最新状态。
这使得你的系统更加稳健并且可以避免不想要的访问与攻击。
在 Linux 上安装包裹小菜一碟。
用相似的方法我们也可以更新安全补丁。
这是一个向你展示如何配置系统接收自动安全更新的简单教程。
未经审查运行自动安全包更新会给你带来一定风险,但是也有一些好处。
如果你不想错过安全补丁且想要与最新的安全补丁保持同步,
那你应该借助无人值守更新机制设置自动安全更新。
如果你不想要自动安全更新的话,你可以**[在 Debian/Ubuntu 系统上手动安装安全更新][1]**。
我们有许多可以自动化更新的办法,然而我们将先采用官方的方法之后我们会介绍其它方法。
### 如何在 Debian/Ubuntu 上安装无人值守更新包
无人值守更新包默认应该装在你的系统上。但万一它没被安装,就用下面的命令来安装:
```
$ sudo apt-get install unattended-upgrades
```
下方两个文件可以使你自定义该机制。
```
/etc/apt/apt.conf.d/50unattended-upgrades
/etc/apt/apt.conf.d/20auto-upgrades
```
### 在无人值守更新文件中做出必要修改
默认情况下只有少数安全更新需要的选项被启用。无需被它们限制,你可以配置其中的许多选项以使得这个机制更加有用。
我修改了一下文件并仅加上被启用的行段以方便阐述。
```
# vi /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
};
Unattended-Upgrade::DevRelease "false";
```
有三个源被启用,细节如下:
* **`${distro_id}:${distro_codename}:`**` ` 这是必须的因为安全更新可能会从非安全来源拉取依赖。
* **`${distro_id}:${distro_codename}-security:`**` ` 这是用来从来源得到安全更新
* **`${distro_id}ESM:${distro_codename}:`**` ` 这是用来从 ESM(扩展安全维护)获得安全更新。
**启用邮件通知:** 如果你想要在每次安全更新后收到邮件通知,那么久修改以下行段(取消其注释并加上你的 email 账号)。
从:
```
//Unattended-Upgrade::Mail "root";
```
到:
```
Unattended-Upgrade::Mail "[email protected]";
```
**自动移除不用的依赖:** 你可能需要在每次更新后运行“sudo apt autoremove” 命令来从系统中移除不用的依赖。
我们可以通过修改以下行段来自动化这项任务取消注释并将“false”改成“true”
从:
```
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
```
到:
```
Unattended-Upgrade::Remove-Unused-Dependencies "true";
```
**启用自动重启:** 你可能需要在安全更新安装至内核后重启你的系统。你可以在以下行段做出修改:
从:
```
//Unattended-Upgrade::Automatic-Reboot "false";
```
取消注释并将“false”改成“true”以启用自动重启。
```
Unattended-Upgrade::Automatic-Reboot "true";
```
**启用特定时段的自动重启:** 如果自动重启已启用且你想要在特定时段进行重启,那么做出以下修改。
从:
```
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```
取消注释并将时间改成你需要的时间。我将重启设置在早上5点。
```
Unattended-Upgrade::Automatic-Reboot-Time "05:00";
```
### 如何启用自动化安全更新?
现在我们已经配置好了必须选项,一旦配置好,
打开以下文件并确认是否值都已设置好值不应为0。1=启用0=禁止)。
```
# vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```
**详情:**
* 第一行使 apt 每天自动运行 “apt-get update”。
* 第一行使 apt 每天自动安装安全更新。
--------------------------------------------------------------------------------
via: https://www.2daygeek.com/automatic-security-update-unattended-upgrades-ubuntu-debian/
作者:[Magesh Maruthamuthu][a]
选题:[lujun9972][b]
译者:[tomjlw](https://github.com/tomjlw)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://www.2daygeek.com/author/magesh/
[b]: https://github.com/lujun9972
[1]: https://www.2daygeek.com/manually-install-security-updates-ubuntu-debian/
[2]: https://www.2daygeek.com/apt-get-apt-cache-command-examples-manage-packages-debian-ubuntu-systems/
[3]: https://www.2daygeek.com/apt-command-examples-manage-packages-debian-ubuntu-systems/
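Review bot: the two bullets under `**详情:**` both begin with `第一行`; the second one, `* 第一行使 apt 每天自动安装安全更新。`, describes `APT::Periodic::Unattended-Upgrade "1";` and should read `第二行`. Other fixes needed in this file: `在 Linux 上安装包裹小菜一碟。` uses `包裹` (a parcel) for "packages" and should be `软件包`; `那么久修改以下行段` in the mail-notification paragraph is a typo for `那么就修改`; the three `Allowed-Origins` bullets carry a stray backtick-space-backtick fragment after the closing `**` that renders as empty inline code and should be dropped; `值不应为0。1=启用0=禁止)` has lost its punctuation and should read `值不应为 0(1 = 启用,0 = 禁用)`; and the mail example `Unattended-Upgrade::Mail "[email protected]";` carries a scraped-out address, so the text should tell the reader to substitute their own address instead of presenting that string as a literal value.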