Merge "Enable unattended upgrades"

modules.env

@@ -145,7 +145,6 @@ INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-subunit2sql"]="o
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-sudoers"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-tmpreaper"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-ulimit"]="origin/master"
-INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unattended_upgrades"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-user"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zanata"]="origin/master"
 INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zuul"]="origin/master"

modules/openstack_project/manifests/automatic_upgrades.pp

@@ -1,16 +0,0 @@
-# == Class: openstack_project::automatic_upgrades
-#
-class openstack_project::automatic_upgrades (
-  $origins = []
-) {
-
-  if $::osfamily == 'Debian' {
-    class { 'unattended_upgrades':
-      origins => $origins,
-    }
-  }
-  if $::osfamily == 'RedHat' {
-    include packagekit::cron
-  }
-
-}

modules/openstack_project/manifests/server.pp

@@ -30,8 +30,4 @@ class openstack_project::server (
     }
   }
 
-  class { 'openstack_project::automatic_upgrades':
-    origins => ["Puppetlabs:${lsbdistcodename}"],
-  }
-
 }

playbooks/roles/base-server/files/10periodic

@@ -0,0 +1,6 @@
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "5";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::RandomSleep "1800";

playbooks/roles/base-server/files/50unattended-upgrades

@@ -0,0 +1,30 @@
+// Automatically upgrade packages from these (origin, archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+    // ${distro_id} and ${distro_codename} will be automatically expanded
+    "${distro_id} stable";
+    "${distro_id} ${distro_codename}-security";
+    "${distro_id} ${distro_codename}-updates";
+//  "${distro_id} ${distro_codename}-proposed-updates";
+};
+
+// List of packages to not update
+Unattended-Upgrade::Package-Blacklist {
+//  "vim";
+//  "libc6";
+//  "libc6-dev";
+//  "libc6-i686";
+};
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. The package 'mailx'
+// must be installed or anything that provides /usr/bin/mail.
+Unattended-Upgrade::Mail "root";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if a
+// the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";

playbooks/roles/base-server/tasks/Debian.yaml

@@ -18,3 +18,19 @@
     src: rsyslog.d_50-default.conf
     dest: /etc/rsyslog.d/50-default.conf
   notify: Restart rsyslog
+
+- name: Install apt-daily 10periodic file for unattended-upgrades
+  copy:
+     mode: 0444
+     src: 10periodic
+     dest: /etc/apt/apt.conf.d/10periodic
+     owner: root
+     group: root
+
+- name: Install 50unattended-upgrades file for unattended-upgrades
+  copy:
+     mode: 0444
+     src: 50unattended-upgrades
+     dest: /etc/apt/apt.conf.d/50unattended-upgrades
+     owner: root
+     group: root

playbooks/roles/base-server/vars/Debian.yaml

@@ -3,6 +3,8 @@ distro_packages:
   - emacs-nox
   - iputils-ping
   - vim-nox
+  - unattended-upgrades
+  - mailutils
 sftp_path: /usr/lib/openssh/sftp-server
 ssh_service_name: ssh
 ntp_service_name: ntp

playbooks/roles/base-server/vars/Ubuntu.trusty.yaml

@@ -3,6 +3,8 @@ distro_packages:
   - emacs23-nox
   - iputils-ping
   - vim-nox
+  - unattended-upgrades
+  - mailutils
 sftp_path: /usr/lib/openssh/sftp-server
 ssh_service_name: ssh
 ntp_service_name: ntp

testinfra/test_base.py

@@ -96,3 +96,36 @@ def test_timezone(host):
 def test_unbound(host):
     output = host.check_output('host git.openstack.org')
     assert 'has address' in output
+
+
+def test_unattended_upgrades(host):
+    if host.system_info.distribution in ['ubuntu', 'debian']:
+        package = host.package("unattended-upgrades")
+        assert package.is_installed
+
+        package = host.package("mailutils")
+        assert package.is_installed
+
+        cfg_file = host.file("/etc/apt/apt.conf.d/10periodic")
+        assert cfg_file.exists
+        assert cfg_file.contains('^APT::Periodic::Enable "1"')
+        assert cfg_file.contains('^APT::Periodic::Update-Package-Lists "1"')
+        assert cfg_file.contains('^APT::Periodic::Download-Upgradeable-Packages "1"')
+        assert cfg_file.contains('^APT::Periodic::AutocleanInterval "5"')
+        assert cfg_file.contains('^APT::Periodic::Unattended-Upgrade "1"')
+        assert cfg_file.contains('^APT::Periodic::RandomSleep "1800"')
+
+        cfg_file = host.file("/etc/apt/apt.conf.d/50unattended-upgrades")
+        assert cfg_file.contains('^Unattended-Upgrade::Mail "root"')
+
+    else:
+        package = host.package("yum-cron")
+        assert package.is_installed
+
+        service = host.service("crond")
+        assert service.is_enabled
+        assert service.is_running
+
+        cfg_file = host.file("/etc/yum/yum-cron.conf")
+        assert cfg_file.exists
+        assert cfg_file.contains('apply_updates = yes')