From da43930618d4c4d13bb9f3c3cada932c65f7de94 Mon Sep 17 00:00:00 2001
From: Kienan Stewart
Date: Mon, 12 Jun 2023 10:09:30 -0400
Subject: [PATCH] ansible: Install and configure unattended-upgrades on Debian and Ubuntu
The unattended-upgrades are disabled by default on CI nodes.
Change-Id: Ifa86ae3fad626a69dcbfbf5829032fb3820128b3
---
 automation/ansible/group_vars/node.yml | 1 +
 .../ansible/roles/common/defaults/main.yml | 2 ++
 .../roles/common/tasks/setup-Debian.yml | 31 +++++++++++++++++++
 .../unattended_upgrades_extra_repos.conf.j2 | 5 +++
 4 files changed, 39 insertions(+)
 create mode 100644 automation/ansible/roles/common/defaults/main.yml
 create mode 100644 automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2
diff --git a/automation/ansible/group_vars/node.yml b/automation/ansible/group_vars/node.yml
index 02a0ca6..1bce15f 100644
--- a/automation/ansible/group_vars/node.yml
+++ b/automation/ansible/group_vars/node.yml
@@ -1,2 +1,3 @@
 ---
 jenkins_user: true
+unattended_upgrades: false
diff --git a/automation/ansible/roles/common/defaults/main.yml b/automation/ansible/roles/common/defaults/main.yml
new file mode 100644
index 0000000..70a3e63
--- /dev/null
+++ b/automation/ansible/roles/common/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+unattended_upgrades: true
diff --git a/automation/ansible/roles/common/tasks/setup-Debian.yml b/automation/ansible/roles/common/tasks/setup-Debian.yml
index 0f70202..6a3ceb6 100644
--- a/automation/ansible/roles/common/tasks/setup-Debian.yml
+++ b/automation/ansible/roles/common/tasks/setup-Debian.yml
@@ -21,3 +21,34 @@
 - name: Ensure common packages are installed.
 apt: "name={{ common_packages }} state=present"
+
+- name: Install unattended upgrades
+ apt:
+ name: 'unattended-upgrades'
+ state: "{{(unattended_upgrades|bool)|ternary('present', 'absent')}}"
+
+- name: Enable extra repos for unattended upgrades
+ template:
+ dest: /etc/apt/apt.conf.d/51unattended_upgrades_extra_repos.conf
+ src: unattended_upgrades_extra_repos.conf.j2
+ vars:
+ repos_base:
+ - "${distro_id}:${distro_codename}-updates"
+ - "${distro_id}:${distro_codename}-backports"
+ repos_Ubuntu:
+ - "LP-PPA-efficios-ci:${distro_codename}"
+ repose_Debian: []
+ repos: "{{repos_base|union(lookup('vars', 'repos_' + ansible_distribution, default=[]))}}"
+
+- name: Enable unattended upgrades
+ block:
+ - copy:
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ content: "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n"
+ when: unattended_upgrades | bool
+ - file:
+ path: /etc/apt/apt.conf.d/20auto-upgrades
+ state: "{{(unattended_upgrades|bool)|ternary('file', 'absent')}}"
+ owner: root
+ group: root
+ mode: '0644'
diff --git a/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2 b/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2
new file mode 100644
index 0000000..a3946e4
--- /dev/null
+++ b/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2
@@ -0,0 +1,5 @@
+Unattended-Upgrade::Allowed-Origins {
+{% for entry in repos %}
+ "{{entry}}";
+{% endfor %}
+}
--
2.34.1
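Review bot: In `automation/ansible/roles/common/tasks/setup-Debian.yml`, the `vars:` entry `repose_Debian: []` is misspelled, so `lookup('vars', 'repos_' + ansible_distribution, default=[])` never resolves it on Debian and the result is right only because of the `default=[]` fallback. Any origin later added under that key would be silently left out of Allowed-Origins, and the host would not receive the automatic updates it was meant to get; rename it to `repos_Debian: []`. The "Enable extra repos for unattended upgrades" task also has no `when: unattended_upgrades | bool` and no explicit `owner: root`, `group: root`, `mode: '0644'`, unlike the `20auto-upgrades` file task below it. As a result the file is written with the module's default ownership and mode, including on hosts where the package is being removed. Indentation is not recoverable from this rendering, so the exact nesting of `vars:` and `when:` should be confirmed against the file.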
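Review bot: The last line of `unattended_upgrades_extra_repos.conf.j2` closes the `Unattended-Upgrade::Allowed-Origins` scope with a bare `}`, whereas apt.conf(5) writes scope terminators as `};`; use `};` rather than relying on the parser tolerating the missing semicolon. Each `{{entry}}` is emitted inside double quotes with no escaping, which is fine for the literal origins set in the task's `vars:` but would produce a malformed file if a value ever contained a double quote. A first-line comment such as `// {{ ansible_managed }}` would tell administrators the file is generated and that changes belong in the role.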