From ae0f98e0cde2b654ab194d391ab27a43f2c1d568 Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Tue, 5 Jun 2012 22:59:46 +0000 Subject: [PATCH] Use unattended upgrades. Stop using latest for packages installed by puppet. This way, all system packages get updated, not just some random ones. The unattended-upgrades config will email root. It is configured for openstack servers and jenkins slaves, but not template hosts so that it doesn't interfere with spin-up. Also, fix some bits in the gerrit module that were causing continuous restarts on gerrit-dev. Install emacs. Change-Id: I51c9083ccd3669f284fce4b50c36a37a0cac92d8 --- manifests/openstack.pp | 16 +++++------ manifests/site.pp | 3 +- modules/apt/files/10periodic | 6 ++++ modules/apt/files/50unattended-upgrades | 30 ++++++++++++++++++++ modules/apt/manifests/unattended-upgrades.pp | 24 ++++++++++++++++ modules/devstack_host/manifests/init.pp | 6 ++-- modules/gerrit/manifests/init.pp | 19 +++++++++---- modules/jenkins_jobs/manifests/init.pp | 2 +- modules/jenkins_slave/manifests/init.pp | 4 +-- modules/lodgeit/manifests/init.pp | 2 +- modules/logrotate/manifests/init.pp | 2 +- modules/meetbot/manifests/init.pp | 2 +- modules/pypimirror/manifests/init.pp | 2 +- modules/ssh/manifests/init.pp | 2 +- 14 files changed, 95 insertions(+), 25 deletions(-) create mode 100644 modules/apt/files/10periodic create mode 100644 modules/apt/files/50unattended-upgrades create mode 100644 modules/apt/manifests/unattended-upgrades.pp diff --git a/manifests/openstack.pp b/manifests/openstack.pp index e78d1fb9cd..76aae483ff 100644 --- a/manifests/openstack.pp +++ b/manifests/openstack.pp @@ -17,8 +17,12 @@ class openstack_base { $packages = ["puppet", "git", "python-setuptools", - "python-virtualenv"] - package { $packages: ensure => "latest" } + "python-virtualenv", + "python-software-properties", + "bzr", + "byobu", + "emacs23-nox"] + package { $packages: ensure => "present" } realize ( User::Virtual::Localuser["mordred"], 
@@ -34,7 +38,8 @@ class openstack_template ($iptables_public_tcp_ports) { include openstack_base include ssh include snmpd - + include apt::unattended-upgrades + class { 'iptables': public_tcp_ports => $iptables_public_tcp_ports, } @@ -50,11 +55,6 @@ class openstack_template ($iptables_public_tcp_ports) { hasrestart => true, require => Package['ntp'], } - - $packages = ["python-software-properties", - "bzr", - "byobu"] - package { $packages: ensure => "latest" } } # A server that we expect to run for some time diff --git a/manifests/site.pp b/manifests/site.pp index 20f55d93d5..56835b50a6 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -21,6 +21,7 @@ class openstack_cron { class openstack_jenkins_slave { include openstack_cron include tmpreaper + include apt::unattended-upgrades class { 'openstack_server': iptables_public_tcp_ports => [] } @@ -458,7 +459,7 @@ node /^oneiric.*\.slave\.openstack\.org$/ { include openstack_jenkins_slave package { "tox": - ensure => latest, + ensure => latest, # okay to use latest for pip provider => pip, require => Package[python-pip], } diff --git a/modules/apt/files/10periodic b/modules/apt/files/10periodic new file mode 100644 index 0000000000..83f51c6213 --- /dev/null +++ b/modules/apt/files/10periodic @@ -0,0 +1,6 @@ +APT::Periodic::Enable "1"; +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::AutocleanInterval "5"; +APT::Periodic::Unattended-Upgrade "1"; +APT::Periodic::RandomSleep "1800"; diff --git a/modules/apt/files/50unattended-upgrades b/modules/apt/files/50unattended-upgrades new file mode 100644 index 0000000000..486f4fbe23 --- /dev/null +++ b/modules/apt/files/50unattended-upgrades 
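Review bot: The `include apt::unattended-upgrades` line is added inside `class openstack_template`, while the commit description says unattended upgrades are deliberately not configured on template hosts so that they do not interfere with spin-up. If `openstack_template` is what template images are built from, those hosts will run the periodic apt job too. If it is only a shared base for long-running servers, a comment such as `# long-running servers only; template images must not include this` above the include would make that clear. The class body continues outside the hunk, so which classes build on it cannot be confirmed from here.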
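Review bot: `ensure => latest` with `provider => pip` on `tox` lets every Puppet run install whatever release is newest on the package index, and the added comment `# okay to use latest for pip` records the decision without giving the reason. Unlike the apt packages this commit hands to unattended-upgrades, these installs are not limited to the distribution's security and updates archives, so a broken or tampered upload would reach the host on the next run. Consider pinning with `ensure => '<reviewed-version>'`, or extend the comment to say why tracking the newest release is acceptable here. The same applies to `github2` in modules/gerrit, `python-jenkins` in modules/jenkins_jobs, `git-review` in modules/jenkins_slave and `pip` in modules/pypimirror.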
@@ -0,0 +1,30 @@
+// Automatically upgrade packages from these (origin, archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+ // ${distro_id} and ${distro_codename} will be automatically expanded
+ "${distro_id} stable";
+ "${distro_id} ${distro_codename}-security";
+ "${distro_id} ${distro_codename}-updates";
+// "${distro_id} ${distro_codename}-proposed-updates";
+};
+
+// List of packages to not update
+Unattended-Upgrade::Package-Blacklist {
+// "vim";
+// "libc6";
+// "libc6-dev";
+// "libc6-i686";
+};
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. The package 'mailx'
+// must be installed or anything that provides /usr/bin/mail.
+Unattended-Upgrade::Mail "root@localhost";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if a
+// the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
diff --git a/modules/apt/manifests/unattended-upgrades.pp b/modules/apt/manifests/unattended-upgrades.pp
new file mode 100644
index 0000000000..e183433891
--- /dev/null
+++ b/modules/apt/manifests/unattended-upgrades.pp
@@ -0,0 +1,24 @@
+class apt::unattended-upgrades($email='') {
+ package { 'unattended-upgrades':
+ ensure => present;
+ }
+
+ file { '/etc/apt/apt.conf.d/10periodic':
+ owner => 'root',
+ group => 'root',
+ mode => 444,
+ ensure => 'present',
+ source => "puppet:///modules/apt/10periodic",
+ replace => 'true',
+ }
+
+ file { '/etc/apt/apt.conf.d/50unattended-upgrades':
+ owner => 'root',
+ group => 'root',
+ mode => 444,
+ ensure => 'present',
+ source => "puppet:///modules/apt/50unattended-upgrades",
+ replace => 'true',
+ }
+
+}
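Review bot: `Unattended-Upgrade::Mail "root@localhost"` only produces mail when something provides /usr/bin/mail, as the file's own comment says, and nothing in this commit installs a mail package, so upgrade failures may go unreported on hosts that lack one. With `Automatic-Reboot` left commented out, kernel and library fixes that create /var/run/reboot-required stay inactive until someone reboots the host; a monitoring check that alerts on that file would close the gap. A short comment noting that the `-updates` origin is enabled on purpose, alongside `-security`, would also help the next reader.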
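Review bot: The `$email=''` parameter of `apt::unattended-upgrades` is never used: both files come from static `source =>` URLs, and the recipient is hard-coded as `root@localhost` in 50unattended-upgrades. Either drop the parameter or render that file with `content => template(...)` so callers can actually set the address. The two `file` resources also have no ordering against the package; adding `require => Package['unattended-upgrades'],` to each makes the order explicit. `mode => 444` would be clearer as the quoted string `mode => '0444'`.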
diff --git a/modules/devstack_host/manifests/init.pp b/modules/devstack_host/manifests/init.pp index 5bebf09cef..35ef897e61 100644 --- a/modules/devstack_host/manifests/init.pp +++ b/modules/devstack_host/manifests/init.pp @@ -2,15 +2,15 @@ class devstack_host { package { "linux-headers-virtual": - ensure => "latest", + ensure => present, } package { "mysql-server": - ensure => "latest", + ensure => present, } package { "rabbitmq-server": - ensure => "latest", + ensure => present, require => File['rabbitmq-env.conf'], } diff --git a/modules/gerrit/manifests/init.pp b/modules/gerrit/manifests/init.pp index 244d55d775..bbddd3920e 100644 --- a/modules/gerrit/manifests/init.pp +++ b/modules/gerrit/manifests/init.pp @@ -116,16 +116,16 @@ class gerrit($virtual_hostname='', "apache2"] package { $packages: - ensure => "latest", + ensure => present, } package { "python-pip": - ensure => latest, + ensure => present, require => Package[python-dev] } package { "github2": - ensure => latest, + ensure => latest, # okay to use latest for pip provider => pip, require => Package[python-pip] } @@ -310,6 +310,16 @@ class gerrit($virtual_hostname='', require => File["/home/gerrit2/review_site/etc"] } + file { '/home/gerrit2/review_site/etc/gerrit.config.puppet': + owner => 'gerrit2', + group => 'gerrit2', + mode => 644, + ensure => 'present', + content => template('gerrit/gerrit.config.erb'), + replace => 'true', + require => File["/home/gerrit2/review_site/etc"] + } + file { '/home/gerrit2/review_site/hooks/change-merged': owner => 'root', group => 'root', @@ -507,10 +517,9 @@ class gerrit($virtual_hostname='', require => Exec["download:$war"], ensure => present, replace => 'true', - # user, group, and mode have to be set this way to avoid retriggering gerrit-init on every run + # user, and mode have to be set this way to avoid retriggering gerrit-init on every run # because gerrit init sets them this way owner => 'gerrit2', - group => 'gerrit2', mode => 644, } 
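Review bot: The new `gerrit.config.puppet` resource carries no comment explaining why a second, Puppet-owned copy of the configuration is written into `review_site/etc`, and nothing in this hunk shows what consumes it. A line such as `# Puppet-managed reference copy; gerrit init rewrites gerrit.config itself` (if that is the intent) would save the next reader from guessing. The file is also created with `mode => 644`; if `gerrit/gerrit.config.erb` ever renders credentials, this copy would be readable by every local user, so confirm the template holds no secrets or tighten the mode. The gerrit class starts and ends outside the hunk.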
diff --git a/modules/jenkins_jobs/manifests/init.pp b/modules/jenkins_jobs/manifests/init.pp index 5b09940ff4..dac6b3c2d2 100644 --- a/modules/jenkins_jobs/manifests/init.pp +++ b/modules/jenkins_jobs/manifests/init.pp @@ -32,7 +32,7 @@ class jenkins_jobs($site, $projects) { } package { "python-jenkins": - ensure => latest, + ensure => latest, # okay to use latest for pip provider => pip, require => Package[python-pip], } diff --git a/modules/jenkins_slave/manifests/init.pp b/modules/jenkins_slave/manifests/init.pp index d1823968e5..02145855c0 100644 --- a/modules/jenkins_slave/manifests/init.pp +++ b/modules/jenkins_slave/manifests/init.pp @@ -76,11 +76,11 @@ class jenkins_slave($ssh_key, $sudo = false, $bare = false, $user = true) { } package { $packages: - ensure => "latest", + ensure => present, } package { "git-review": - ensure => latest, + ensure => latest, # okay to use latest for pip provider => pip, require => Package[python-pip], } diff --git a/modules/lodgeit/manifests/init.pp b/modules/lodgeit/manifests/init.pp index e77eed223a..f53bccad0c 100644 --- a/modules/lodgeit/manifests/init.pp +++ b/modules/lodgeit/manifests/init.pp @@ -11,7 +11,7 @@ class lodgeit { "drizzle", "python-mysqldb" ] - package { $packages: ensure => latest } + package { $packages: ensure => present } package { 'SQLAlchemy': provider => pip, diff --git a/modules/logrotate/manifests/init.pp b/modules/logrotate/manifests/init.pp index ec29bc85da..662074c200 100644 --- a/modules/logrotate/manifests/init.pp +++ b/modules/logrotate/manifests/init.pp @@ -3,7 +3,7 @@ class logrotate { package { "logrotate": - ensure => latest, + ensure => present, } file { "/etc/logrotate.d": diff --git a/modules/meetbot/manifests/init.pp b/modules/meetbot/manifests/init.pp index 156f9c0047..e0440c4086 100644 --- a/modules/meetbot/manifests/init.pp +++ b/modules/meetbot/manifests/init.pp 
@@ -36,7 +36,7 @@ class meetbot { } package { ['supybot', 'nginx', 'python-twisted']: - ensure => latest + ensure => present } service { "nginx": diff --git a/modules/pypimirror/manifests/init.pp b/modules/pypimirror/manifests/init.pp index f0f26da038..4997b73fc5 100644 --- a/modules/pypimirror/manifests/init.pp +++ b/modules/pypimirror/manifests/init.pp @@ -11,7 +11,7 @@ class pypimirror ( $base_url, } package { 'pip': - ensure => latest, + ensure => latest, # okay to use latest for pip provider => 'pip', require => Package['python-pip'], } diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp index 1e6cbe74e5..b3f17bd8c9 100644 --- a/modules/ssh/manifests/init.pp +++ b/modules/ssh/manifests/init.pp @@ -1,5 +1,5 @@ class ssh { - package { openssh-server: ensure => latest } + package { openssh-server: ensure => present } service { ssh: ensure => running, hasrestart => true,
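Review bot: With `openssh-server` moved from `latest` to `present`, Puppet no longer upgrades sshd, so its security fixes now depend entirely on the host also including `apt::unattended-upgrades`. In this commit that class is included only from `openstack_template` and `openstack_jenkins_slave`; any node that pulls in `ssh` by another route would stop receiving OpenSSH updates. Consider a comment on the package line such as `# upgrades are handled by apt::unattended-upgrades`, and check that every node using `ssh` includes that class. The `ssh` class continues past the end of the hunk.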