“kernel-upgrade-required” 不是 applied、apply-failed、unapplied、needs-check、nothing-to-apply、unknown、check-failed 之一

Question 1

我不确定你的问题是什么，但是以下两个命令之间存在区别：

apt-get upgrade
apt-get dist-upgrade

通常（或者总是？）upgrade不会安装新内核，而dist-upgrade会。

从apt-get手册页中：

   upgrade
       upgrade is used to install the newest versions of all packages
       currently installed on the system from the sources enumerated in
       /etc/apt/sources.list. Packages currently installed with new
       versions available are retrieved and upgraded; under no
       circumstances are currently installed packages removed, or packages
       not already installed retrieved and installed. New versions of
       currently installed packages that cannot be upgraded without
       changing the install status of another package will be left at
       their current version. An update must be performed first so that
       apt-get knows that new versions of packages are available.

   dist-upgrade
       dist-upgrade in addition to performing the function of upgrade,
       also intelligently handles changing dependencies with new versions
       of packages; apt-get has a "smart" conflict resolution system, and
       it will attempt to upgrade the most important packages at the
       expense of less important ones if necessary. The dist-upgrade
       command may therefore remove some packages. The
       /etc/apt/sources.list file contains a list of locations from which
       to retrieve desired package files. See also apt_preferences(5) for
       a mechanism for overriding the general settings for individual
       packages.

容易混淆的是，apt upgrade不同于apt-get upgrade。我相信apt upgrade和相同apt-get dist-upgrade。

Rick 还表示他正在使用以下命令：

sudo apt-get upgrade linux-generic linux-headers-generic linux-image-generic

然而，以下内容就足够了：

sudo apt-get upgrade linux-generic

上述命令将升级所有软件包，并安装最新版本所需的任何新软件包linux-generic。（并且linux-generic依赖于linux-headers-generic和linux-image-generic。）

或者，如果您只想安装最新的版本linux-generic（及其依赖项），而不升级任何其他软件包，请考虑：

sudo apt-get install linux-generic

Answer

我不确定你的问题是什么，但是以下两个命令之间存在区别：

apt-get upgrade
apt-get dist-upgrade

通常（或者总是？）upgrade不会安装新内核，而dist-upgrade会。

从apt-get手册页中：

   upgrade
       upgrade is used to install the newest versions of all packages
       currently installed on the system from the sources enumerated in
       /etc/apt/sources.list. Packages currently installed with new
       versions available are retrieved and upgraded; under no
       circumstances are currently installed packages removed, or packages
       not already installed retrieved and installed. New versions of
       currently installed packages that cannot be upgraded without
       changing the install status of another package will be left at
       their current version. An update must be performed first so that
       apt-get knows that new versions of packages are available.

   dist-upgrade
       dist-upgrade in addition to performing the function of upgrade,
       also intelligently handles changing dependencies with new versions
       of packages; apt-get has a "smart" conflict resolution system, and
       it will attempt to upgrade the most important packages at the
       expense of less important ones if necessary. The dist-upgrade
       command may therefore remove some packages. The
       /etc/apt/sources.list file contains a list of locations from which
       to retrieve desired package files. See also apt_preferences(5) for
       a mechanism for overriding the general settings for individual
       packages.

容易混淆的是，apt upgrade不同于apt-get upgrade。我相信apt upgrade和相同apt-get dist-upgrade。

Rick 还表示他正在使用以下命令：

sudo apt-get upgrade linux-generic linux-headers-generic linux-image-generic

然而，以下内容就足够了：

sudo apt-get upgrade linux-generic

上述命令将升级所有软件包，并安装最新版本所需的任何新软件包linux-generic。（并且linux-generic依赖于linux-headers-generic和linux-image-generic。）

或者，如果您只想安装最新的版本linux-generic（及其依赖项），而不升级任何其他软件包，请考虑：

sudo apt-get install linux-generic

Question 2

因此，我发现 support [at] canonical/com 电子邮件确实有效，尽管它说它将我的消息退回给他们。他们的支持几乎立即做出了回应，并提供了适当的解决方案。

以下是他们的回答：

你好，Rick，

我可以确认，我们已经对 Livepatch 工具进行了一些改进，以便更好地识别 Livepatch 无法安装补丁来修复 CVE 的情况以及是否需要升级/重新启动内核包。我会确保将此错误转发给负责该更新的团队，以便更好地提醒需要升级包，而不是让它看起来像是失败/错误。

这就是您现在的情况。您正在运行的内核易受 L1TF 漏洞攻击 [1]。解决方法是升级到 4.15.0-32。我可以确认该版本已发布，因为我上周已经升级到它：客户端版本：8.0.3 机器 ID：已编辑机器令牌：已编辑架构：x86_64 cpu 型号：Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz 上次检查：2018-08-18T09：49：12.018793176-07：00 启动时间：2018-08-15T12：07：32-07：00 正常运行时间：70 小时 5 分钟 42 秒状态：- 内核：4.15.0-32.35-通用运行：true livepatch：检查状态：已检查补丁状态：无需应用版本：“” 修复：“”

请检查你的 /etc/apt/sources.list 以确保更新或安全包已启用：debhttp://us.archive.ubuntu.com/ubuntu/bionic-updates 主要受限宇宙多元宇宙 debhttp://security.ubuntu.com/ubuntu仿生安全主受限宇宙多元宇宙

此外，要查看启用更新和/或安全性并运行 apt update 后可用的软件包，命令如下：apt-cache policy linux-image-generic linux-image-generic：已安装：4.15.0.32.34 候选版本：4.15.0.32.34 版本表：*** 4.15.0.32.34 500 500http://us.archive.ubuntu.com/ubuntubionic-updates/main amd64 软件包 500http://security.ubuntu.com/ubuntubionic-security/main amd64 软件包 100 /var/lib/dpkg/status 4.15.0.20.23 500 500http://us.archive.ubuntu.com/ubuntubionic/main amd64 软件包

我希望这对你的情况有帮助。

谢谢，Chris Canonical 支持

[1]https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/L1TF

在 DigitalOcean 上，所有这些存储库都已安装。但是，问题在于它apt-get不会自动安装内核升级，因为它能如果其他软件与其不兼容，则会导致其他软件出现问题。

因此，由于我们的系统兼容且有定期备份，我使用以下命令对其进行了升级。

sudo apt-get upgrade linux-generic linux-headers-generic linux-image-generic

请记住重新启动系统以使更改生效。

sudo reboot

要手动运行修补程序，请执行以下操作：

sudo canonical-livepatch refresh

您应该会看到类似以下内容的内容。

刷新前：

kernel: 4.15.0-32.35-generic
fully-patched: true
version: ""

After refresh:

kernel: 4.15.0-32.35-generic
fully-patched: true
version: ""

Answer