Skip to main content Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

Raspberry Pi unattended upgrade Raspbian to Debian Testing

Published: 27-07-2016 | Author: Remy van Elst | Text only version of this article

❗ This post is over seven years old. It may no longer be up to date. Opinions may have changed.

I'm working on a Nitrokey/SmartCard-HSM cluster article and therefore I needed three identical computers. The current version of Raspbian (2016-05-27) is based on Debian Jessie and comes with a version of OpenSC that is too old (0.14) to work with the Nitrokey/SmartCard-HSM. Since there is no Ubuntu 16.04 official image yet I decided to upgrade Raspbian to Debian Testing. Since I don't want to answer yes to any config file changes or service restarts I figured out how to do an unattended dist-upgrade.

The 3-Pi HSM cluster to be used for the cluster articles

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

The Nitrokey HSM is an open hardware and open software device. It is a USB version of the SmartCard-HSM. Both the SmartCard-HSM as the Nitrokey HSM have sources available and are fully supported by the OpenSC project.

I have multiple articles on the Nitrokey HSM/SmartCard-HSM. I also have a lot of professional experience with large expensive HSM hardware.

ARM repositories

Since Raspbian is a fork of Debian I first checked if there were any testing repositories in the mirrors and as it turns out, there are. Since the current version ships with OpenSC 0.14 and there is a 0.16 package in the repo here I suspected that that was the testing package. Installing it on Jessie failed however, so a dist-upgrade it was.


A regular repository change in sources.list and a dist-upgrade are very interactive. It involves manual editing and the apt upgrade asks a lot of questions, for example, retain a config file, restart services, changelogs, etc. Since I tend to reinstall Pi SD cards often I don't want to do that manual process every time. So here are the commands to do an unattended upgrade to testing. Which in my case works the 7 times I tried now, without asking questions. Do note that in your case it might hose your Pi and destroy all data and projects on it, so make sure you have a tested working backup.

Place this in a file named

# vim
# Remove any third party sources
rm -rf /etc/apt/sources.list.d/*

# Change te repo's
sed -i -e 's/jessie/testing/g' /etc/apt/sources.list

# Update package lists
apt-get update

DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" dist-upgrade

# Remove no longer needed packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" autoremove --purge


Save it and then run it to start the upgrade:

bash ./

Debian upgrade, unattended explanation

Debian packages can prompt a user during install to generate custom configuration, or in the case of MySQL, set a root password. It can also have messages with different priorities. The critical priority is (almost) never used so it won't prompt you. The noninteractive frontend tells the terminal that you're not able to answer any questions.

The two Dpkg::Options mean the following:

  • --force-confdef: upgrade the configuration file if there are no local changes
  • --force-confold: otherwise, preserve the existing configuration file

If you supply --force-confnew instead of --force-confold it will overwrite any changes by the new config file.

If you want to install a package unattended you know will ask questions (like MySQL), then you can use debconf to set the answer to those questions beforehand (scriptable, yay). In the case of MySQL on 12.04:

echo mysql-server-5.5 mysql-server/root_password password P@ssw0rd | debconf-set-selections
echo mysql-server-5.5 mysql-server/root_password_again password P@ss0wrd | debconf-set-selections

You can view all possible selections (questions) with the debconf-get- selections command:

debconf-get-selections | grep mysql-server


mysql-server-5.5  mysql-server/root_password_again  password  
mysql-server-5.5  mysql-server/root_password  password  
mysql-server-5.5  mysql-server/error_setting_password error 
mysql-server-5.5  mysql-server-5.5/postrm_remove_databases  boolean false
mysql-server-5.5  mysql-server-5.5/start_on_boot  boolean true

If debconf is not installed, the package debconf-utils provides it.

Tags: blog , debian , hsm , nitrokey , raspberry-pi , raspbian , smartcard-hsm