Add ability to enable unattended upgrades

This commit adds the ability to enable automatic package upgrades via
openstack-ansible-security.  To enable, add the following variable to
your /etc/openstack_deploy/user_variables.yml file:

unattended_upgrades_enabled: true

To have the unattended upgrades system send e-mail notifications
when packages need updating or errors are encountered, add the
following to user_variables.yml:

unattended_upgrades_notifications: true

As many organisations do not subscribe to auto updates, this
functionality will remain disabled by default.

Note that the first iteration of this change does not allow deep
customisation of unattended-upgrades.  This means that as it stands
only trusty-security (or $distro-security) updates will be applied.

Closes-Bug: #1568075

Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
Matt Thompson 2016-04-11 13:22:08 +01:00
parent e44efd0fe7
commit d1ca8dbaa7
5 changed files with 76 additions and 6 deletions
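The commit message above states that only the distro-security origin is applied and that notifications go to root, but the page gives a deployer no way to confirm what the merged APT configuration actually does once the two fragments are in place. The following is an added example, not code from openstack-ansible-security: a small parser for apt.conf syntax that reads a copy of files/20auto-upgrades and an excerpt of 50unattended-upgrades and reports the periodic setting, the mail recipient, the allowed origins and the reboot policy. The 50unattended-upgrades excerpt is constructed to resemble the stock trusty file after the role's lineinfile task has uncommented the Mail line; the exact contents of that file on a given host are an assumption.

```python
"""Audit the unattended-upgrades settings written by the role (added example).

Parses apt.conf-syntax fragments offline and reports the effective policy.
On a live host, `apt-config dump | grep -i unattended` shows APT's own view.
"""
import re

# Constructed copy of files/20auto-upgrades as shipped by the change.
AUTO_UPGRADES = '''APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
'''

# Constructed excerpt of 50unattended-upgrades; origins and the uncommented
# Mail line are assumed to match a stock trusty file after the lineinfile task.
UNATTENDED_UPGRADES = '''// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};

/* Send email to this address for problems or package upgrades.
   If empty or unset then no email is sent. */
Unattended-Upgrade::Mail "root";

//Unattended-Upgrade::Automatic-Reboot "false";
'''


def tokenize(text):
    """Split apt.conf text into (kind, value) tokens, dropping // and /* */ comments."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif text.startswith("//", i):          # line comment
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):          # block comment
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c == '"':                          # quoted value
            j = text.index('"', i + 1)
            tokens.append(("str", text[i + 1:j]))
            i = j + 1
        elif c in "{};":
            tokens.append((c, c))
            i += 1
        else:                                   # option name, e.g. APT::Periodic::Foo
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};"':
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def parse(tokens, prefix="", out=None):
    """Flatten tokens into {"Full::Option::Name": "value" | [values]}."""
    out = {} if out is None else out
    i = 0
    while i < len(tokens):
        kind, val = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else (None, None)
        if kind == "word" and nxt[0] == "str":      # Name "value";
            out[prefix + val] = nxt[1]
            i += 2
        elif kind == "word" and nxt[0] == "{":      # Name { ... };
            depth, j = 1, i + 2
            while depth:
                depth += {"{": 1, "}": -1}.get(tokens[j][0], 0)
                j += 1
            inner = tokens[i + 2:j - 1]
            if all(k in ("str", ";") for k, _ in inner):
                out[prefix + val] = [v for k, v in inner if k == "str"]
            else:                                   # nested group: A { B "x"; } == A::B
                parse(inner, prefix + val + "::", out)
            i = j
        else:                                       # stray ';' or '}'
            i += 1
    return out


def audit(auto_upgrades_text, unattended_text):
    """Return the effective unattended-upgrades policy from the two fragments."""
    cfg = parse(tokenize(auto_upgrades_text))
    cfg.update(parse(tokenize(unattended_text)))
    periodic = (cfg.get("APT::Periodic::Update-Package-Lists", "0") != "0"
                and cfg.get("APT::Periodic::Unattended-Upgrade", "0") != "0")
    mail = cfg.get("Unattended-Upgrade::Mail", "")
    origins = cfg.get("Unattended-Upgrade::Allowed-Origins", [])
    return {
        "periodic_enabled": periodic,
        "mail_enabled": bool(mail),
        "mail_to": mail,
        "allowed_origins": origins,
        # True when every enabled origin is a -security archive, i.e. the
        # behaviour the commit message describes.
        "security_only": bool(origins) and all(o.endswith("-security") for o in origins),
        "auto_reboot": cfg.get("Unattended-Upgrade::Automatic-Reboot", "false") == "true",
    }


if __name__ == "__main__":
    for key, value in audit(AUTO_UPGRADES, UNATTENDED_UPGRADES).items():
        print("%-18s %s" % (key, value))
```

The parser treats `Name "value";`, `Name { "a"; "b"; };` and nested groups, which covers both fragments the role manages; it is not a full apt.conf implementation (no `#include`/`#clear` directives).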


@ -306,3 +306,7 @@ sudoers_remove_authenticate: no # V-58901
#
# V-38651 - System default umask for bash must be 077
#umask_bash: 077 # V-38651
## Unattended upgrades (APT) configuration
unattended_upgrades_enabled: false
unattended_upgrades_notifications: false
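Review bot: the two new defaults at the end of the hunk are the only entries in this file without a STIG reference or a line of explanation, unlike the `#umask_bash: 077 # V-38651` entry directly above them; add `# V-38481` to each and a short comment stating what each flag does (enable the 20auto-upgrades fragment; uncomment the `Unattended-Upgrade::Mail` line), and separate the new block from the umask block with a blank line as the other sections are.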


@ -1,10 +1,18 @@
**Exception**
Operating system patching is left up to the deployer to configure based on
their business requirements and toleration for risk. Enabling automated
updates in Ubuntu can be done with changes to the apt configuration.
Operating system patching policies vary from organization to organization and
are typically established based on business requirements and risk tolerance.
Ubuntu's documentation on `automatic updates`_ covers a few options for
configuring apt.
If desired, automatic updates (using the ``unattended-upgrades`` package)
can be enabled via openstack-ansible-security by setting the following
variable to ``true``:
.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
.. code-block:: yaml
unattended_upgrades: true
Note that this will only apply updates made available to the distro-security
(eg. trusty-security) repositories.
**Deployers are urged to fully understand the impact of enabling automatic
update before making the change.**
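Review bot: the variable shown in the code block, `unattended_upgrades: true`, is not the variable the role reads; the defaults file and the commit message both use `unattended_upgrades_enabled`, so a deployer following this page would set a key that has no effect. Change the block to `unattended_upgrades_enabled: true` and document `unattended_upgrades_notifications` next to it, since that is the only other knob the change exposes. The `.. _automatic updates:` target also sits between two paragraphs of body text; move it below the `.. code-block::` so the rendered page does not split the sentence that follows it.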

files/20auto-upgrades Normal file

@ -0,0 +1,2 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
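Review bot: the fragment turns on the two daily actions but does not set `APT::Periodic::AutocleanInterval`, so packages fetched by unattended-upgrades accumulate under /var/cache/apt/archives indefinitely on hosts that never run `apt-get clean`; add `APT::Periodic::AutocleanInterval "7";` (or document why it is left out) so an always-on upgrade schedule does not slowly fill the root filesystem.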


@ -60,3 +60,36 @@
- auth
- cat1
- V-38462
- name: Install unattended-upgrades package (for V-38481)
apt:
name: unattended-upgrades
state: present
when: unattended_upgrades_enabled | bool
tags:
- apt
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
copy:
src: 20auto-upgrades
dest: /etc/apt/apt.conf.d/20auto-upgrades
when: unattended_upgrades_enabled | bool
tags:
- apt
- cat2
- V-38481
- name: Enable unattended upgrades notifications (for V-38481)
lineinfile:
dest: /etc/apt/apt.conf.d/50unattended-upgrades
regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
line: 'Unattended-Upgrade::Mail "root";'
when:
- unattended_upgrades_enabled | bool
- unattended_upgrades_notifications | bool
tags:
- apt
- cat2
- V-38481
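Review bot: the notifications task uncomments `Unattended-Upgrade::Mail "root";`, but nothing in this hunk installs a mail client, and unattended-upgrades only sends its report when /usr/bin/mail (the `bsd-mailx`/`mailx` package) is present; on a stock host it logs that it cannot send mail and the deployer never sees the errors the variable was meant to surface. Install `bsd-mailx` in the same `apt` task when `unattended_upgrades_notifications` is true, or state the dependency in the docs. Also note that neither task is reversed: setting either variable back to `false` leaves 20auto-upgrades and the uncommented Mail line in place, so a deployer who turns the feature off keeps upgrading. Either add `state: absent` / re-commenting counterparts or document that disabling requires manual cleanup.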


@ -19,5 +19,28 @@
- name: Ensure apt cache is updated before testing
apt:
update_cache: yes
post_tasks:
- name: Stat 20auto-upgrades file
stat:
path: /etc/apt/apt.conf.d/20auto-upgrades
register: auto_upgrades_file
- name: Slurp contents of 50unattended-upgrades file
slurp:
src: /etc/apt/apt.conf.d/50unattended-upgrades
register: unattended_upgrades_file_encoded
- name: Decode slurp'd 50-unattended-upgrades file
set_fact:
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
- name: Ensure auto updates has been enabled
assert:
that:
- auto_upgrades_file.stat.exists
- name: Ensure that auto update notifications has been enabled
assert:
that:
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
roles:
- role: "{{ rolename }}"
vars:
unattended_upgrades_enabled: true
unattended_upgrades_notifications: true
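Review bot: the first assertion only checks that /etc/apt/apt.conf.d/20auto-upgrades exists, so a copy of the wrong content (or an empty file) still passes; slurp that file as well and assert that `APT::Periodic::Unattended-Upgrade "1";` is in it. The second assertion, `'\nUnattended-Upgrade::Mail "root";\n' in unattended_upgrades_file`, is tied to the line having a newline on both sides and fails if lineinfile appends it as the last line of a file without a trailing newline; matching on whole lines, e.g. `"'Unattended-Upgrade::Mail \"root\";' in unattended_upgrades_file.splitlines()"`, checks the same thing without depending on the surrounding bytes.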