Merge "Add ability to enable unattended upgrades"

2016-04-18 19:18:03 +00:00 · 2016-04-18 19:18:03 +00:00 · dcb0ef9c6a
parent 5b5eabd2b8 d1ca8dbaa7
commit dcb0ef9c6a
5 changed files with 76 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -306,3 +306,7 @@ sudoers_remove_authenticate: no                   # V-58901
 #
 # V-38651 - System default umask for bash must be 077
 #umask_bash: 077                                  # V-38651
+
+## Unattended upgrades (APT) configuration
+unattended_upgrades_enabled: false
+unattended_upgrades_notifications: false
--- a/doc/source/developer-notes/V-38481.rst
+++ b/doc/source/developer-notes/V-38481.rst
@ -1,10 +1,18 @@
 **Exception**

-Operating system patching is left up to the deployer to configure based on
-their business requirements and toleration for risk. Enabling automated
-updates in Ubuntu can be done with changes to the apt configuration.
+Operating system patching policies vary from organization to organization and
+are typically established based on business requirements and risk tolerance.

-Ubuntu's documentation on `automatic updates`_ covers a few options for
-configuring apt.
+If desired, automatic updates (using the ``unattended-upgrades`` package)
+can be enabled via openstack-ansible-security by setting the following
+variable to ``true``:

-.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
+.. code-block:: yaml
+
+    unattended_upgrades: true
+
+Note that this will only apply updates made available to the distro-security
+(eg. trusty-security) repositories.
+
+**Deployers are urged to fully understand the impact of enabling automatic
+update before making the change.**
--- a/files/20auto-upgrades
+++ b/files/20auto-upgrades
@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@ -60,3 +60,36 @@
    - auth
    - cat1
    - V-38462
+
+- name: Install unattended-upgrades package (for V-38481)
+  apt:
+    name: unattended-upgrades
+    state: present
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: V-38481 - System security patches and updates must be installed and up-to-date
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: Enable unattended upgrades notifications (for V-38481)
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
+    line: 'Unattended-Upgrade::Mail "root";'
+  when:
+    - unattended_upgrades_enabled | bool
+    - unattended_upgrades_notifications | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
--- a/tests/test.yml
+++ b/tests/test.yml
@ -19,5 +19,28 @@
    - name: Ensure apt cache is updated before testing
      apt:
        update_cache: yes
+  post_tasks:
+    - name: Stat 20auto-upgrades file
+      stat:
+        path: /etc/apt/apt.conf.d/20auto-upgrades
+      register: auto_upgrades_file
+    - name: Slurp contents of 50unattended-upgrades file
+      slurp:
+        src: /etc/apt/apt.conf.d/50unattended-upgrades
+      register: unattended_upgrades_file_encoded
+    - name: Decode slurp'd 50-unattended-upgrades file
+      set_fact:
+        unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
+    - name: Ensure auto updates has been enabled
+      assert:
+        that:
+          - auto_upgrades_file.stat.exists
+    - name: Ensure that auto update notifications has been enabled
+      assert:
+        that:
+          - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
  roles:
    - role: "{{ rolename }}"
+  vars:
+    unattended_upgrades_enabled: true
+    unattended_upgrades_notifications: true