From bf658dacda365c7a611763e779e26f6965349d7b Mon Sep 17 00:00:00 2001 From: Clark Boylan Date: Tue, 4 May 2021 08:46:06 -0700 Subject: [PATCH] Add support for Xenial ESM repos to our base roles This will run the ua tool to attach an UA token and to enable the esm-infra repos. We also update unattended upgrades to auto pull security updates from the ESM repos. Change-Id: Ifb487d12df7b799d5fd2973d56741e0757bc4d4f --- playbooks/roles/base/repos/tasks/Debian.yaml | 22 +++++++++++++++++++ .../base/server/files/50unattended-upgrades | 1 + 2 files changed, 23 insertions(+)
diff --git a/playbooks/roles/base/repos/tasks/Debian.yaml b/playbooks/roles/base/repos/tasks/Debian.yaml
index db0b156276..9dff540e0b 100644
--- a/playbooks/roles/base/repos/tasks/Debian.yaml
+++ b/playbooks/roles/base/repos/tasks/Debian.yaml
@@ -25,3 +25,25 @@
 src: 'sources.list.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}'
 dest: /etc/apt/sources.list
 notify: Update apt cache
+
+- name: Configure Ubuntu ESM
+ block:
+ # Note technically this requires ubuntu-advantage-tools to be installed
+ # but the above notify to update apt caches won't have run by the time
+ # we get here. That should be ok because the Xenial nodes have all been
+ # around long enough to have ua installed.
+ - name: Get UA status
+ command: "ua status"
+ register: uastatus
+ - name: Attach UA
+ command: "ua attach --no-auto-enable {{ ubuntu_advantage_token }}"
+ when: "'This machine is not attached to a UA subscription.' in uastatus.stdout"
+ no_log: true
+ - name: Enable ESM
+ command: "ua enable esm-infra"
+ when: "'esm-infra yes enabled' not in uastatus.stdout"
+ when:
+ - ubuntu_advantage_token is defined
+ - enable_ubuntu_esm is defined and enable_ubuntu_esm
+ - ansible_distribution == 'Ubuntu'
+ - ansible_distribution_release == 'xenial'
diff --git a/playbooks/roles/base/server/files/50unattended-upgrades b/playbooks/roles/base/server/files/50unattended-upgrades
index 2634307d67..2fce27225b 100644
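Review bot: The `Attach UA` task passes `{{ ubuntu_advantage_token }}` as an argument to `ua attach`, so while the command runs the token is readable by other local users through the process list; `no_log: true` only keeps it out of Ansible's own output. If the installed ubuntu-advantage-tools supports it, prefer handing the token over in a root-only file (`ua attach --attach-config <path>`) that the play removes afterwards. Separately, both inner `when:` tests match human-formatted `ua status` text, so a wording or column-spacing change in the tool could skip the attach or re-run `ua enable esm-infra` on every play; `command: "ua status --format json"` with `when: not (uastatus.stdout | from_json).attached` would be sturdier. `Get UA status` is read-only and should also carry `changed_when: false`.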
--- a/playbooks/roles/base/server/files/50unattended-upgrades +++ b/playbooks/roles/base/server/files/50unattended-upgrades @@ -5,6 +5,7 @@ Unattended-Upgrade::Allowed-Origins { "${distro_id} ${distro_codename}-security"; "${distro_id} ${distro_codename}-updates"; // "${distro_id} ${distro_codename}-proposed-updates"; + "${distro_id}ESM ${distro_codename}-infra-security"; }; // List of packages to not update
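Review bot: The added origin `"${distro_id}ESM ${distro_codename}-infra-security";` only takes effect if it matches the ESM archive's Origin and Suite fields exactly; on a mismatch unattended-upgrades raises no error and simply leaves those packages unpatched. A one-line comment above it, e.g. `// ESM infra security pocket; only populated on hosts attached with ua`, would explain why an entry that does nothing on non-ESM hosts sits in the shared file. After rollout, running `unattended-upgrade --dry-run --debug` on an attached Xenial host would confirm the origin is accepted.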