Add ability to enable unattended upgrades
This commit adds the ability to enable automatic package upgrades via openstack-ansible-security. To enable, add the following variable to your /etc/openstack_deploy/user_variables.yml file: unattended_upgrades_enabled: true To have the unattended upgrades system send e-mail notifications when packages need updating or errors are encountered, add the following to user_variables.yml: unattended_upgrades_notifications: true As many organisations do not subscribe to auto updates, this functionality will remain disabled by default. Note that the first iteration of this change does not allow deep customisation of unatteded-upgrades. This means that as it stands only trusty-security (or $distro-security) updates will be applied. Closes-Bug: #1568075 Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
This commit is contained in:
Matt Thompson
parent
e44efd0fe7
commit
d1ca8dbaa7
|
|
@ -306,3 +306,7 @@ sudoers_remove_authenticate: no # V-58901
|
||||||
#
|
#
|
||||||
# V-38651 - System default umask for bash must be 077
|
# V-38651 - System default umask for bash must be 077
|
||||||
#umask_bash: 077 # V-38651
|
#umask_bash: 077 # V-38651
|
||||||
|
|
||||||
|
## Unattended upgrades (APT) configuration
|
||||||
|
unattended_upgrades_enabled: false
|
||||||
|
unattended_upgrades_notifications: false
|
||||||
|
|
|
||||||
|
|
@ -1,10 +1,18 @@
|
||||||
**Exception**
|
**Exception**
|
||||||
|
|
||||||
Operating system patching is left up to the deployer to configure based on
|
Operating system patching policies vary from organization to organization and
|
||||||
their business requirements and toleration for risk. Enabling automated
|
are typically established based on business requirements and risk tolerance.
|
||||||
updates in Ubuntu can be done with changes to the apt configuration.
|
|
||||||
|
|
||||||
Ubuntu's documentation on `automatic updates`_ covers a few options for
|
If desired, automatic updates (using the ``unattended-upgrades`` package)
|
||||||
configuring apt.
|
can be enabled via openstack-ansible-security by setting the following
|
||||||
|
variable to ``true``:
|
||||||
|
|
||||||
.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
unattended_upgrades: true
|
||||||
|
|
||||||
|
Note that this will only apply updates made available to the distro-security
|
||||||
|
(eg. trusty-security) repositories.
|
||||||
|
|
||||||
|
**Deployers are urged to fully understand the impact of enabling automatic
|
||||||
|
update before making the change.**
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,2 @@
|
||||||
|
APT::Periodic::Update-Package-Lists "1";
|
||||||
|
APT::Periodic::Unattended-Upgrade "1";
|
||||||
|
|
@ -60,3 +60,36 @@
|
||||||
- auth
|
- auth
|
||||||
- cat1
|
- cat1
|
||||||
- V-38462
|
- V-38462
|
||||||
|
|
||||||
|
- name: Install unattended-upgrades package (for V-38481)
|
||||||
|
apt:
|
||||||
|
name: unattended-upgrades
|
||||||
|
state: present
|
||||||
|
when: unattended_upgrades_enabled | bool
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
- cat2
|
||||||
|
- V-38481
|
||||||
|
|
||||||
|
- name: V-38481 - System security patches and updates must be installed and up-to-date
|
||||||
|
copy:
|
||||||
|
src: 20auto-upgrades
|
||||||
|
dest: /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
|
when: unattended_upgrades_enabled | bool
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
- cat2
|
||||||
|
- V-38481
|
||||||
|
|
||||||
|
- name: Enable unattended upgrades notifications (for V-38481)
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
|
||||||
|
line: 'Unattended-Upgrade::Mail "root";'
|
||||||
|
when:
|
||||||
|
- unattended_upgrades_enabled | bool
|
||||||
|
- unattended_upgrades_notifications | bool
|
||||||
|
tags:
|
||||||
|
- apt
|
||||||
|
- cat2
|
||||||
|
- V-38481
|
||||||
|
|
|
||||||
|
|
@ -19,5 +19,28 @@
|
||||||
- name: Ensure apt cache is updated before testing
|
- name: Ensure apt cache is updated before testing
|
||||||
apt:
|
apt:
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
post_tasks:
|
||||||
|
- name: Stat 20auto-upgrades file
|
||||||
|
stat:
|
||||||
|
path: /etc/apt/apt.conf.d/20auto-upgrades
|
||||||
|
register: auto_upgrades_file
|
||||||
|
- name: Slurp contents of 50unattended-upgrades file
|
||||||
|
slurp:
|
||||||
|
src: /etc/apt/apt.conf.d/50unattended-upgrades
|
||||||
|
register: unattended_upgrades_file_encoded
|
||||||
|
- name: Decode slurp'd 50-unattended-upgrades file
|
||||||
|
set_fact:
|
||||||
|
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
|
||||||
|
- name: Ensure auto updates has been enabled
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- auto_upgrades_file.stat.exists
|
||||||
|
- name: Ensure that auto update notifications has been enabled
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
|
||||||
roles:
|
roles:
|
||||||
- role: "{{ rolename }}"
|
- role: "{{ rolename }}"
|
||||||
|
vars:
|
||||||
|
unattended_upgrades_enabled: true
|
||||||
|
unattended_upgrades_notifications: true
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue