Add ability to enable unattended upgrades

This commit adds the ability to enable automatic package upgrades via openstack-ansible-security. To enable, add the following variable to your /etc/openstack_deploy/user_variables.yml file: unattended_upgrades_enabled: true To have the unattended upgrades system send e-mail notifications when packages need updating or errors are encountered, add the following to user_variables.yml: unattended_upgrades_notifications: true As many organisations do not subscribe to auto updates, this functionality will remain disabled by default. Note that the first iteration of this change does not allow deep customisation of unatteded-upgrades. This means that as it stands only trusty-security (or $distro-security) updates will be applied. Closes-Bug: #1568075 Change-Id: I22ba1a02acfbe2befb601af6a4099d53d988d856
2016-04-11 13:22:08 +01:00 · 2016-04-11 13:22:08 +01:00 · d1ca8dbaa7
commit d1ca8dbaa7
parent e44efd0fe7
5 changed files with 76 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -306,3 +306,7 @@ sudoers_remove_authenticate: no                   # V-58901
 #
 # V-38651 - System default umask for bash must be 077
 #umask_bash: 077                                  # V-38651
+
+## Unattended upgrades (APT) configuration
+unattended_upgrades_enabled: false
+unattended_upgrades_notifications: false
--- a/doc/source/developer-notes/V-38481.rst
+++ b/doc/source/developer-notes/V-38481.rst
@ -1,10 +1,18 @@
 **Exception**

-Operating system patching is left up to the deployer to configure based on
-their business requirements and toleration for risk. Enabling automated
-updates in Ubuntu can be done with changes to the apt configuration.
+Operating system patching policies vary from organization to organization and
+are typically established based on business requirements and risk tolerance.

-Ubuntu's documentation on `automatic updates`_ covers a few options for
-configuring apt.
+If desired, automatic updates (using the ``unattended-upgrades`` package)
+can be enabled via openstack-ansible-security by setting the following
+variable to ``true``:

-.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
+.. code-block:: yaml
+
+    unattended_upgrades: true
+
+Note that this will only apply updates made available to the distro-security
+(eg. trusty-security) repositories.
+
+**Deployers are urged to fully understand the impact of enabling automatic
+update before making the change.**
--- a/files/20auto-upgrades
+++ b/files/20auto-upgrades
@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
--- a/tasks/apt.yml
+++ b/tasks/apt.yml
@ -60,3 +60,36 @@
    - auth
    - cat1
    - V-38462
+
+- name: Install unattended-upgrades package (for V-38481)
+  apt:
+    name: unattended-upgrades
+    state: present
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: V-38481 - System security patches and updates must be installed and up-to-date
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: Enable unattended upgrades notifications (for V-38481)
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
+    line: 'Unattended-Upgrade::Mail "root";'
+  when:
+    - unattended_upgrades_enabled | bool
+    - unattended_upgrades_notifications | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
--- a/tests/test.yml
+++ b/tests/test.yml
@ -19,5 +19,28 @@
    - name: Ensure apt cache is updated before testing
      apt:
        update_cache: yes
+  post_tasks:
+    - name: Stat 20auto-upgrades file
+      stat:
+        path: /etc/apt/apt.conf.d/20auto-upgrades
+      register: auto_upgrades_file
+    - name: Slurp contents of 50unattended-upgrades file
+      slurp:
+        src: /etc/apt/apt.conf.d/50unattended-upgrades
+      register: unattended_upgrades_file_encoded
+    - name: Decode slurp'd 50-unattended-upgrades file
+      set_fact:
+        unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
+    - name: Ensure auto updates has been enabled
+      assert:
+        that:
+          - auto_upgrades_file.stat.exists
+    - name: Ensure that auto update notifications has been enabled
+      assert:
+        that:
+          - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
  roles:
    - role: "{{ rolename }}"
+  vars:
+    unattended_upgrades_enabled: true
+    unattended_upgrades_notifications: true