如何锁定RockyLinux的主要程序版本 | Word Count: 4.1k | Reading Time: 19mins | Post Views:
本文将详细介绍多种锁定Rocky Linux系统主版本的方法,防止意外升级到新版本。其中,有相当脚本内容由AI生成,并未得到完全验证,特别对于内部升级源的地址、管理脚本需要认真鉴别再使用。
2025.06 陕西·西安·秦汉通航公司
使用dnf版本锁定插件 安装dnf-plugin-versionlock 1 2 3 4 5 # 安装版本锁定插件 sudo dnf install -y dnf-plugin-versionlock # 验证安装 dnf list installed | grep versionlock
锁定整个系统版本 1 2 # 方法1:锁定所有已安装的包 sudo dnf versionlock add '*'
锁定特定关键包 1 2 3 4 5 6 7 8 # 锁定核心系统包 sudo dnf versionlock add kernel* sudo dnf versionlock add systemd* sudo dnf versionlock add glibc* sudo dnf versionlock add rocky-release* # 查看已锁定的包 sudo dnf versionlock list
创建锁定脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 # !/bin/bash # lock_version.sh - 锁定Rocky Linux主版本 LOCK_FILE="/etc/dnf/plugins/versionlock.list" BACKUP_DIR="/etc/dnf/plugins/backups" echo "=== 锁定Rocky Linux系统版本 ===" # 备份当前锁定列表 if [ ! -d "$BACKUP_DIR" ]; then sudo mkdir -p "$BACKUP_DIR" fi sudo cp "$LOCK_FILE" "$BACKUP_DIR/versionlock.list.$(date +%Y%m%d_%H%M%S)" # 锁定关键包 echo "锁定核心包..." sudo dnf versionlock add \ rocky-release \ kernel \ systemd \ glibc \ openssl \ bash \ dnf \ yum \ rpm # 锁定所有rocky-repo相关包 echo "锁定仓库相关包..." for pkg in $(dnf list installed "rocky*" | grep -v "Installed Packages" | awk '{print $1}'); do sudo dnf versionlock add "$pkg" done # 锁定所有当前已安装的包(可选,但更彻底) echo "正在锁定所有已安装包..." sudo dnf versionlock add '*' echo "版本锁定完成!" echo "当前锁定的包数量: $(sudo dnf versionlock list | wc -l)"
使用yum/dnf配置锁定 配置dnf排除列表 1 2 3 4 5 6 # 编辑dnf配置文件 sudo nano /etc/dnf/dnf.conf # 添加以下排除规则 [main] excludepkgs=kernel*, rocky-release*, systemd*, glibc*, openssl*
创建版本锁定配置文件 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # 创建专门的排除配置文件 sudo tee /etc/dnf/conf.d/version-lock.conf << 'EOF' # Rocky Linux 主版本锁定配置 # 创建时间: $(date ) # 系统版本: $(cat /etc/rocky-release) [version-lock] # 排除所有可能导致主版本升级的包 excludepkgs=kernel*, rocky-release*, systemd*, initscripts, glibc*, openssl* # 排除所有仓库元数据更新 metadata_timer_sync=0 # 禁用自动更新 automatic=0 EOF
通过仓库配置锁定 禁用自动仓库更新 1 2 3 4 5 6 7 8 9 # 检查当前启用的仓库 sudo dnf repolist enabled # 禁用所有仓库的自动更新 sudo dnf config-manager --setopt=*.metadata_timer_sync=0 --save # 禁用特定仓库 sudo dnf config-manager --set-disabled rocky-devel sudo dnf config-manager --set-disabled rocky-extras
固定仓库版本 1 2 3 4 5 6 7 8 9 10 # 备份原始仓库配置 sudo cp -r /etc/yum.repos.d /etc/yum.repos.d.backup.$(date +%Y%m%d) # 修改所有rocky仓库配置,固定到当前版本 CURRENT_VERSION=$(rpm -q rocky-release | sed 's/.*release-//' | cut -d- -f1) sudo find /etc/yum.repos.d -name "*.repo" -exec sed -i \ "s/\$releasever/$CURRENT_VERSION/g" {} \; echo "已将仓库版本固定到: $CURRENT_VERSION"
创建自定义锁定仓库配置 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 # 创建只包含当前版本更新的仓库 sudo tee /etc/yum.repos.d/rocky-locked.repo << EOF # Rocky Linux 锁定版本仓库 # 仅包含当前主版本的更新 [rocky-baseos-locked] name=Rocky Linux \$releasever - BaseOS - Locked baseurl=http://dl.rockylinux.org/pub/rocky/9/BaseOS/\$basearch/os/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 metadata_expire=never [rocky-appstream-locked] name=Rocky Linux \$releasever - AppStream - Locked baseurl=http://dl.rockylinux.org/pub/rocky/9/AppStream/\$basearch/os/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Rocky-9 metadata_expire=never # 禁用其他所有仓库 [rocky*] enabled=0 EOF
使用systemd定时任务监控和防止升级 创建版本监控脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 # !/bin/bash # monitor_version.sh - 监控并防止系统版本升级 LOG_FILE="/var/log/version-monitor.log" ALERT_EMAIL="admin@example.com" LOCK_FILE="/etc/.rocky-version-locked" # 记录日志 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG_FILE" } # 检查是否有版本升级尝试 check_upgrade_attempt() { # 检查最近的dnf/yum日志 if tail -100 /var/log/dnf.log 2>/dev/null | grep -q "Upgrading.*rocky-release"; then log "检测到rocky-release升级尝试!" return 1 fi # 检查是否有新版本的仓库元数据 if [ -f /var/cache/dnf/rocky*.xml.gz ]; then TIMESTAMP=$(stat -c %Y /var/cache/dnf/rocky*.xml.gz 2>/dev/null | head -1) NOW=$(date +%s) if [ $((NOW - TIMESTAMP)) -lt 3600 ]; then log "检测到新的仓库元数据更新" return 1 fi fi return 0 } # 阻止升级操作 prevent_upgrade() { log "执行阻止升级操作" # 清除新的仓库缓存 sudo rm -f /var/cache/dnf/rocky*.xml.gz # 重置版本锁定 if [ -f /etc/dnf/plugins/versionlock.list ]; then # 重新锁定关键包 for pkg in rocky-release kernel systemd; do if ! grep -q "^$pkg" /etc/dnf/plugins/versionlock.list; then sudo dnf versionlock add "$pkg*" >/dev/null 2>&1 fi done fi # 发送警报 echo "检测到系统版本升级尝试!已阻止。" | mail -s "Rocky Linux版本升级警报" "$ALERT_EMAIL" } # 主函数 main() { log "开始版本监控检查" if check_upgrade_attempt; then log "未检测到升级尝试" else log "检测到升级尝试,正在阻止..." prevent_upgrade fi } # 执行主函数 main
创建systemd服务 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # 创建服务文件 sudo tee /etc/systemd/system/version-protect.service << 'EOF' [Unit] Description=Rocky Linux Version Protection Service After=network-online.target Wants=network-online.target [Service] Type=oneshot ExecStart=/usr/local/bin/monitor_version.sh User=root Group=root [Install] WantedBy=multi-user.target EOF
创建systemd定时器 1 2 3 4 5 6 7 8 9 10 11 sudo tee /etc/systemd/system/version-protect.timer << 'EOF' [Unit] Description=Run version protection every 5 minutes [Timer] OnBootSec=5min OnUnitActiveSec=5min [Install] WantedBy=timers.target EOF
启用监控服务 1 2 3 4 5 6 7 8 9 10 sudo cp monitor_version.sh /usr/local/bin/ sudo chmod +x /usr/local/bin/monitor_version.sh sudo chmod 700 /usr/local/bin/monitor_version.sh sudo systemctl daemon-reload sudo systemctl enable version-protect.timer sudo systemctl start version-protect.timer # 查看状态 sudo systemctl status version-protect.timer
使用rpm包验证和防护 创建rpm包验证脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 # !/bin/bash # verify_packages.sh - 验证关键包未被更改 KEY_PACKAGES="rocky-release kernel systemd glibc" DATABASE="/var/lib/rpm/Packages" VERIFY_LOG="/var/log/rpm-verify.log" echo "=== 关键包完整性验证 $(date) ===" | tee -a "$VERIFY_LOG" for pkg in $KEY_PACKAGES; do # 获取包名 FULL_PKG=$(rpm -qa | grep "^$pkg" | head -1) if [ -n "$FULL_PKG" ]; then echo "验证包: $FULL_PKG" | tee -a "$VERIFY_LOG" # 验证包完整性 rpm -V "$FULL_PKG" 2>&1 | tee -a "$VERIFY_LOG" if [ ${PIPESTATUS[0]} -ne 0 ]; then echo "警告: $FULL_PKG 已被修改!" | tee -a "$VERIFY_LOG" # 记录到系统日志 logger -t version-lock "关键包 $FULL_PKG 已被修改" fi fi done echo "=== 验证完成 ===" | tee -a "$VERIFY_LOG"
设置rpm验证定时任务 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 # 添加cron定时任务 sudo crontab -l > /tmp/cron.bak echo "0 */6 * * * /usr/local/bin/verify_packages.sh" | sudo crontab - # 或使用systemd timer sudo tee /etc/systemd/system/package-verify.timer << 'EOF' [Unit] Description=Verify critical packages every 6 hours [Timer] OnCalendar=*-*-* */6:00:00 [Install] WantedBy=timers.target EOF
网络安全防护 配置防火墙规则限制外部更新 1 2 3 4 5 6 7 8 9 10 # 允许必要的更新源,阻止其他 sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="152.19.134.142" port port="80" protocol="tcp" accept' sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="152.19.134.198" port port="80" protocol="tcp" accept' # 阻止其他所有到更新服务器的连接 sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="dl.rockylinux.org" drop' sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" destination address="dl.rockylinux.org" drop' # 重新加载防火墙 sudo firewall-cmd --reload
使用本地镜像仓库 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 # 设置本地镜像源 sudo tee /etc/yum.repos.d/rocky-local.repo << 'EOF' [local-baseos] name=Rocky Linux Local - BaseOS baseurl=file:///var/www/html/rocky/BaseOS enabled=1 gpgcheck=0 [local-appstream] name=Rocky Linux Local - AppStream baseurl=file:///var/www/html/rocky/AppStream enabled=1 gpgcheck=0 EOF # 禁用官方仓库 sudo dnf config-manager --set-disabled rocky*
完整版本锁定脚本 主锁定脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 # !/bin/bash # rocky-version-lock.sh - 完整的Rocky Linux版本锁定脚本 set -e # 颜色定义 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # No Color # 日志文件 LOG_FILE="/var/log/rocky-version-lock.log" LOCK_FILE="/etc/.rocky-version-locked" # 记录日志 log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # 打印带颜色的消息 print_status() { echo -e "${GREEN}[✓]${NC} $1" | tee -a "$LOG_FILE" } print_warning() { echo -e "${YELLOW}[!]${NC} $1" | tee -a "$LOG_FILE" } print_error() { echo -e "${RED}[✗]${NC} $1" | tee -a "$LOG_FILE" } # 检查是否已锁定 check_lock() { if [ -f "$LOCK_FILE" ]; then CURRENT_VERSION=$(cat "$LOCK_FILE") log "系统已锁定到版本: $CURRENT_VERSION" return 0 fi return 1 } # 获取当前版本 get_current_version() { if [ -f /etc/rocky-release ]; then grep -oP 'release \K[0-9.]+' /etc/rocky-release else echo "unknown" fi } # 安装必要的工具 install_tools() { log "安装必要的工具..." # 安装dnf版本锁定插件 if ! rpm -q dnf-plugin-versionlock >/dev/null 2>&1; then dnf install -y dnf-plugin-versionlock 2>&1 | tee -a "$LOG_FILE" print_status "已安装dnf-plugin-versionlock" else print_status "dnf-plugin-versionlock 已安装" fi # 安装其他必要工具 dnf install -y yum-utils rpm-utils 2>&1 | tee -a "$LOG_FILE" } # 锁定核心包 lock_core_packages() { log "锁定核心系统包..." # 备份当前锁定列表 if [ -f /etc/dnf/plugins/versionlock.list ]; then cp /etc/dnf/plugins/versionlock.list /etc/dnf/plugins/versionlock.list.backup.$(date +%Y%m%d_%H%M%S) fi # 定义关键包列表 CORE_PACKAGES=" rocky-release kernel systemd glibc openssl bash dnf yum rpm initscripts grub2 firewalld NetworkManager " # 锁定每个关键包 for pkg in $CORE_PACKAGES; do # 获取完整的包名 FULL_PKG=$(rpm -qa | grep "^$pkg" | head -1) if [ -n "$FULL_PKG" ]; then dnf versionlock add "$FULL_PKG" 2>&1 | tee -a "$LOG_FILE" print_status "已锁定: $FULL_PKG" fi done # 锁定所有rocky*包 for pkg in $(rpm -qa | grep "^rocky"); do dnf versionlock add "$pkg" 2>&1 | tee -a "$LOG_FILE" done print_status "核心包锁定完成" } # 配置仓库锁定 lock_repositories() { log "配置仓库锁定..." # 备份原始仓库配置 REPO_BACKUP="/etc/yum.repos.d.backup.$(date +%Y%m%d_%H%M%S)" cp -r /etc/yum.repos.d "$REPO_BACKUP" print_status "仓库配置已备份到: $REPO_BACKUP" # 固定当前版本 CURRENT_VERSION=$(get_current_version) # 更新所有仓库配置,固定版本号 find /etc/yum.repos.d -name "*.repo" -type f | while read repo_file; do sed -i "s/\$releasever/$CURRENT_VERSION/g" "$repo_file" sed -i "s/\$basearch/x86_64/g" "$repo_file" # 固定架构 done # 禁用元数据自动更新 echo -e "[main]\ngpgcheck=1\ninstallonly_limit=3\nclean_requirements_on_remove=True\nmetadata_timer_sync=0" | tee /etc/dnf/dnf.conf print_status "仓库锁定配置完成" } # 创建防护服务 setup_protection_services() { log "设置防护服务..." # 创建监控脚本 cat > /usr/local/bin/rocky-monitor.sh << 'EOF' # !/bin/bash # 监控脚本 - 防止意外升级 LOCK_FILE="/etc/.rocky-version-locked" LOG="/var/log/rocky-monitor.log" check_upgrade() { # 检查是否有升级尝试 if journalctl -u dnf-makecache --since "1 hour ago" | grep -q "Metadata cache created"; then echo "[$(date)] 检测到仓库缓存更新" >> "$LOG" return 1 fi return 0 } if check_upgrade; then echo "[$(date)] 系统状态正常" >> "$LOG" else echo "[$(date)] 警告:检测到可能的升级尝试" >> "$LOG" # 可以添加通知逻辑 fi EOF chmod +x /usr/local/bin/rocky-monitor.sh # 创建systemd服务 cat > /etc/systemd/system/rocky-protect.service << EOF [Unit] Description=Rocky Linux Version Protection After=network.target [Service] Type=oneshot ExecStart=/usr/local/bin/rocky-monitor.sh User=root EOF cat > /etc/systemd/system/rocky-protect.timer << EOF [Unit] Description=Run version protection hourly [Timer] OnBootSec=15min OnUnitActiveSec=1h [Install] WantedBy=timers.target EOF systemctl daemon-reload systemctl enable rocky-protect.timer systemctl start rocky-protect.timer print_status "防护服务已设置" } # 主函数 main() { echo "=== Rocky Linux 版本锁定工具 ===" | tee -a "$LOG_FILE" # 检查root权限 if [ "$EUID" -ne 0 ]; then print_error "请使用root权限运行此脚本" exit 1 fi # 检查是否已锁定 if check_lock; then print_warning "系统已被锁定,是否重新锁定?(y/N)" read -r response case "$response" in [yY][eE][sS]|[yY]) print_status "继续锁定操作..." ;; *) print_status "退出" exit 0 ;; esac fi # 获取当前版本 CURRENT_VERSION=$(get_current_version) log "当前系统版本: $CURRENT_VERSION" # 执行锁定步骤 install_tools lock_core_packages lock_repositories setup_protection_services # 创建锁定标记 echo "$CURRENT_VERSION" > "$LOCK_FILE" chmod 600 "$LOCK_FILE" # 显示锁定状态 echo -e "\n${GREEN}=== 版本锁定完成 ===${NC}" | tee -a "$LOG_FILE" echo "锁定版本: $CURRENT_VERSION" | tee -a "$LOG_FILE" echo "锁定包数量: $(dnf versionlock list | wc -l)" | tee -a "$LOG_FILE" echo "日志文件: $LOG_FILE" | tee -a "$LOG_FILE" echo "锁定标记: $LOCK_FILE" | tee -a "$LOG_FILE" # 最终建议 echo -e "\n${YELLOW}=== 重要提示 ===${NC}" | tee -a "$LOG_FILE" echo "1. 定期检查系统安全更新" | tee -a "$LOG_FILE" echo "2. 需要升级时,运行解锁脚本" | tee -a "$LOG_FILE" echo "3. 监控日志文件: $LOG_FILE" | tee -a "$LOG_FILE" } # 解锁函数 unlock_version() { echo "=== 解锁系统版本 ===" # 移除版本锁定 dnf versionlock clear # 恢复原始仓库配置 if [ -d "/etc/yum.repos.d.backup."* ]; then LATEST_BACKUP=$(ls -td /etc/yum.repos.d.backup.* | head -1) if [ -n "$LATEST_BACKUP" ]; then rm -rf /etc/yum.repos.d cp -r "$LATEST_BACKUP" /etc/yum.repos.d print_status "已恢复仓库配置" fi fi # 删除锁定标记 rm -f "$LOCK_FILE" # 禁用防护服务 systemctl stop rocky-protect.timer systemctl disable rocky-protect.timer print_status "系统版本已解锁" } # 参数处理 case "$1" in lock) main ;; unlock) unlock_version ;; status) if check_lock; then print_status "系统已被锁定" else print_status "系统未锁定" fi ;; *) echo "使用方法: $0 {lock|unlock|status}" exit 1 ;; esac
使用脚本 1 2 3 4 5 6 7 8 9 10 11 # 赋予执行权限 chmod +x rocky-version-lock.sh # 锁定系统版本 sudo ./rocky-version-lock.sh lock # 查看状态 sudo ./rocky-version-lock.sh status # 解锁系统版本 sudo ./rocky-version-lock.sh unlock
手动验证和监控 创建验证报告脚本 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 # !/bin/bash # version-report.sh - 生成版本锁定报告 REPORT_FILE="/var/log/version-lock-report-$(date +%Y%m%d).txt" echo "=== Rocky Linux 版本锁定状态报告 ===" > "$REPORT_FILE" echo "生成时间: $(date)" >> "$REPORT_FILE" echo "" >> "$REPORT_FILE" # 1. 系统信息 echo "1. 系统信息:" >> "$REPORT_FILE" echo " Rocky版本: $(cat /etc/rocky-release 2>/dev/null || echo '未知')" >> "$REPORT_FILE" echo " 内核版本: $(uname -r)" >> "$REPORT_FILE" echo " 系统架构: $(uname -m)" >> "$REPORT_FILE" echo "" >> "$REPORT_FILE" # 2. 锁定包状态 echo "2. 版本锁定状态:" >> "$REPORT_FILE" echo " 锁定包数量: $(dnf versionlock list | wc -l 2>/dev/null || echo '未安装插件')" >> "$REPORT_FILE" echo "" >> "$REPORT_FILE" # 3. 关键包版本 echo "3. 关键包版本:" >> "$REPORT_FILE" for pkg in rocky-release kernel systemd glibc; do version=$(rpm -q "$pkg" 2>/dev/null || echo "未安装") echo " $pkg: $version" >> "$REPORT_FILE" done echo "" >> "$REPORT_FILE" # 4. 仓库状态 echo "4. 仓库配置:" >> "$REPORT_FILE" grep -h "^\[" /etc/yum.repos.d/*.repo 2>/dev/null | sed 's/^/ /' >> "$REPORT_FILE" echo "" >> "$REPORT_FILE" # 5. 监控状态 echo "5. 监控服务状态:" >> "$REPORT_FILE" systemctl status rocky-protect.timer 2>/dev/null | grep -E "(Active|Loaded)" | sed 's/^/ /' >> "$REPORT_FILE" echo "报告已生成: $REPORT_FILE"
注意事项 安全更新处理 虽然锁定版本,但仍需关注安全更新:
1 2 3 4 5 # 定期检查安全更新(不自动安装) sudo dnf check-update --security # 手动应用关键安全更新 sudo dnf update --security --skip-broken
备份策略 1 2 3 4 5 6 # 备份关键配置 sudo tar -czf /backup/rocky-lock-backup-$(date +%Y%m%d).tar.gz \ /etc/yum.repos.d \ /etc/dnf/ \ /etc/systemd/system/rocky-*.service \ /etc/systemd/system/rocky-*.timer
解锁时的注意事项
解锁前确保系统有完整备份
逐步测试更新,避免大规模升级
监控系统稳定性
最佳实践 分层锁定策略
第一层:dnf versionlock 锁定核心包
第二层:仓库配置固定版本
第三层:监控服务防止意外更新
定期审计 1 2 # 每周生成报告 0 0 * * 0 /usr/local/bin/version-report.sh
文档记录 通过以上方法,您可以有效地锁定Rocky Linux系统的主版本,防止意外升级,同时保持系统的稳定性和安全性
参考内容
Docker稳定性保障:Ubuntu环境版本锁定方案 Ubuntu Linux内核版本升级指南:mainline
