Merge "Add ability to enable unattended upgrades"

defaults/main.yml

@@ -306,3 +306,7 @@ sudoers_remove_authenticate: no                   # V-58901
 #
 # V-38651 - System default umask for bash must be 077
 #umask_bash: 077                                  # V-38651
+
+## Unattended upgrades (APT) configuration
+unattended_upgrades_enabled: false
+unattended_upgrades_notifications: false

doc/source/developer-notes/V-38481.rst

@@ -1,10 +1,18 @@
 **Exception**
 
-Operating system patching is left up to the deployer to configure based on
+Operating system patching policies vary from organization to organization and
-their business requirements and toleration for risk. Enabling automated
+are typically established based on business requirements and risk tolerance.
-updates in Ubuntu can be done with changes to the apt configuration.
 
-Ubuntu's documentation on `automatic updates`_ covers a few options for
+If desired, automatic updates (using the ``unattended-upgrades`` package)
-configuring apt.
+can be enabled via openstack-ansible-security by setting the following
+variable to ``true``:
 
-.. _automatic updates: https://help.ubuntu.com/lts/serverguide/automatic-updates.html
+.. code-block:: yaml
+
+    unattended_upgrades: true
+
+Note that this will only apply updates made available to the distro-security
+(eg. trusty-security) repositories.
+
+**Deployers are urged to fully understand the impact of enabling automatic
+update before making the change.**

files/20auto-upgrades

@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";

tasks/apt.yml

@@ -60,3 +60,36 @@
     - auth
     - cat1
     - V-38462
+
+- name: Install unattended-upgrades package (for V-38481)
+  apt:
+    name: unattended-upgrades
+    state: present
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: V-38481 - System security patches and updates must be installed and up-to-date
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+  when: unattended_upgrades_enabled | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481
+
+- name: Enable unattended upgrades notifications (for V-38481)
+  lineinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    regexp: '^(\/\/)?Unattended-Upgrade::Mail "root";'
+    line: 'Unattended-Upgrade::Mail "root";'
+  when:
+    - unattended_upgrades_enabled | bool
+    - unattended_upgrades_notifications | bool
+  tags:
+    - apt
+    - cat2
+    - V-38481

tests/test.yml

@@ -19,5 +19,28 @@
     - name: Ensure apt cache is updated before testing
       apt:
         update_cache: yes
+  post_tasks:
+    - name: Stat 20auto-upgrades file
+      stat:
+        path: /etc/apt/apt.conf.d/20auto-upgrades
+      register: auto_upgrades_file
+    - name: Slurp contents of 50unattended-upgrades file
+      slurp:
+        src: /etc/apt/apt.conf.d/50unattended-upgrades
+      register: unattended_upgrades_file_encoded
+    - name: Decode slurp'd 50-unattended-upgrades file
+      set_fact:
+        unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
+    - name: Ensure auto updates has been enabled
+      assert:
+        that:
+          - auto_upgrades_file.stat.exists
+    - name: Ensure that auto update notifications has been enabled
+      assert:
+        that:
+          - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
   roles:
     - role: "{{ rolename }}"
+  vars:
+    unattended_upgrades_enabled: true
+    unattended_upgrades_notifications: true