From d1ca8dbaa752703eee2c68e33aade87223602415 Mon Sep 17 00:00:00 2001
From: Matt Thompson
Date: Mon, 11 Apr 2016 13:22:08 +0100
Subject: [PATCH] Add ability to enable unattended upgrades

This commit adds the ability to enable automatic package upgrades via openstack-ansible-security. To enable, add the following variable to your /etc/openstack_deploy/user_variables.yml file: unattended_upgrades_enabled: true To have the unattended upgrades system send e-mail notifications when packages need updating or errors are encountered, add the following to user_variables.yml: unattended_upgrades_notifications: true As many organisations do not subscribe to auto updates, this functionality will remain disabled by default. Note that the first iteration of this change does not allow deep customisation of unatteded-upgrades. This means that as it stands only trusty-security (or $distro-security) updates will be applied.

Closes-Bug: #1568075
Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
---
 defaults/main.yml | 4 ++++
 doc/source/developer-notes/V-38481.rst | 20 +++++++++++-----
 files/20auto-upgrades | 2 ++
 tasks/apt.yml | 33 ++++++++++++++++++++++++++
 tests/test.yml | 23 ++++++++++++++++++
 5 files changed, 76 insertions(+), 6 deletions(-)
 create mode 100644 files/20auto-upgrades

diff --git a/defaults/main.yml b/defaults/main.yml
index 8e82c7f3..21da1f0d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -306,3 +306,7 @@ sudoers_remove_authenticate: no # V-58901
 #
 # V-38651 - System default umask for bash must be 077
 #umask_bash: 077 # V-38651
+
+## Unattended upgrades (APT) configuration
+unattended_upgrades_enabled: false
+unattended_upgrades_notifications: false
diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst
index a4bf072e..bc435db4 100644
--- a/doc/source/developer-notes/V-38481.rst
+++ b/doc/source/developer-notes/V-38481.rst
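Review bot: The switch defined here is `unattended_upgrades_enabled`, but the developer note updated by this same commit (doc/source/developer-notes/V-38481.rst) tells deployers to set `unattended_upgrades: true`, a name no task in tasks/apt.yml reads, so anyone following the note gets no upgrades and no error; one of the two names has to change, and the commit message uses the `_enabled` form. That note also never mentions `unattended_upgrades_notifications`. Unlike the commented entries just above them, neither new variable says what it does; I would add `# Install unattended-upgrades and ship 20auto-upgrades so APT applies security updates on its own (V-38481)` above the first and `# Set Unattended-Upgrade::Mail to root so unattended-upgrades sends its notification mail (needs unattended_upgrades_enabled)` above the second.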
@@ -1,10 +1,18 @@
 **Exception**
-Operating system patching is left up to the deployer to configure based on
-their business requirements and toleration for risk. Enabling automated
-updates in Ubuntu can be done with changes to the apt configuration.
+Operating system patching policies vary from organization to organization and
+are typically established based on business requirements and risk tolerance.
-Ubuntu's documentation on `automatic updates`_ covers a few options for
-configuring apt.
+If desired, automatic updates (using the ``unattended-upgrades`` package)
+can be enabled via openstack-ansible-security by setting the following
+variable to ``true``:
-.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
+.. code-block:: yaml
+
+ unattended_upgrades: true
+
+Note that this will only apply updates made available to the distro-security
+(eg. trusty-security) repositories.
+
+**Deployers are urged to fully understand the impact of enabling automatic
+update before making the change.**
diff --git a/files/20auto-upgrades b/files/20auto-upgrades
new file mode 100644
index 00000000..8d6d7c82
--- /dev/null
+++ b/files/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/tasks/apt.yml b/tasks/apt.yml
index 3a680ee6..27e23249 100644
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@@ -60,3 +60,36 @@
 - auth
 - cat1
 - V-38462
+
+- name: Install unattended-upgrades package (for V-38481)
+ apt:
+ name: unattended-upgrades
+ state: present
+ when: unattended_upgrades_enabled | bool
+ tags:
+ - apt
+ - cat2
+ - V-38481
+
+- name: V-38481 - System security patches and updates must be installed and up-to-date
+ copy:
+ src: 20auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ when: unattended_upgrades_enabled | bool
+ tags:
+ - apt
+ - cat2
+ - V-38481
+
+- name: Enable unattended upgrades notifications (for V-38481)
+ lineinfile:
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
+ line: 'Unattended-Upgrade::Mail "root";'
+ when:
+ - unattended_upgrades_enabled | bool
+ - unattended_upgrades_notifications | bool
+ tags:
+ - apt
+ - cat2
+ - V-38481
diff --git a/tests/test.yml b/tests/test.yml
index 246c9018..fd96783d 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -19,5 +19,28 @@
 - name: Ensure apt cache is updated before testing
 apt:
 update_cache: yes
+ post_tasks:
+ - name: Stat 20auto-upgrades file
+ stat:
+ path: /etc/apt/apt.conf.d/20auto-upgrades
+ register: auto_upgrades_file
+ - name: Slurp contents of 50unattended-upgrades file
+ slurp:
+ src: /etc/apt/apt.conf.d/50unattended-upgrades
+ register: unattended_upgrades_file_encoded
+ - name: Decode slurp'd 50-unattended-upgrades file
+ set_fact:
+ unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
+ - name: Ensure auto updates has been enabled
+ assert:
+ that:
+ - auto_upgrades_file.stat.exists
+ - name: Ensure that auto update notifications has been enabled
+ assert:
+ that:
+ - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
 roles:
 - role: "{{ rolename }}"
+ vars:
+ unattended_upgrades_enabled: true
+ unattended_upgrades_notifications: true
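Review bot: The three new tasks only ever switch unattended upgrades on: once `unattended_upgrades_enabled` has been true on a host, setting it (or `unattended_upgrades_notifications`) back to false leaves `/etc/apt/apt.conf.d/20auto-upgrades` and the uncommented `Unattended-Upgrade::Mail` line in place, because every task here is guarded by `when: ... | bool` and nothing reverts either file. If that one-way behaviour is intended it should be stated next to the variables in defaults/main.yml; otherwise the copy and the lineinfile need counterparts that run when the flags are false. The lineinfile regexp also assumes the shipped comment reads exactly `//Unattended-Upgrade::Mail "root";`; if the package template spells the address differently, nothing matches and a second Mail directive is appended at the end of the file, which `regexp: '^\s*(\/\/)?\s*Unattended-Upgrade::Mail '` would avoid.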
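Review bot: The first assert only checks that 20auto-upgrades exists, not that it enables anything; if the test image already ships a file at that path, the check passes whether or not the role copied its own. Slurping it the same way 50unattended-upgrades is slurped and asserting on both `APT::Periodic::` directives pins the content the role actually delivers. The notification assert is also satisfied when the Mail line was appended at the end of the file rather than replacing the commented default, so it cannot tell the two outcomes apart.
```yaml
    post_tasks:
      # … unchanged: stat of 20auto-upgrades …
      - name: Slurp contents of 20auto-upgrades file
        slurp:
          src: /etc/apt/apt.conf.d/20auto-upgrades
        register: auto_upgrades_file_encoded
      - name: Decode slurp'd 20auto-upgrades file
        set_fact:
          auto_upgrades_file_contents: "{{ auto_upgrades_file_encoded.content | b64decode }}"
      # … unchanged: slurp and decode of 50unattended-upgrades …
      - name: Ensure auto updates has been enabled
        assert:
          that:
            - auto_upgrades_file.stat.exists
            - "'APT::Periodic::Update-Package-Lists \"1\";' in auto_upgrades_file_contents"
            - "'APT::Periodic::Unattended-Upgrade \"1\";' in auto_upgrades_file_contents"
      # … unchanged: notification assert …
```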