ansible: Install and configure unattended-upgrades on Debian and Ubuntu

The unattended-upgrades are disabled by default on CI nodes.

Change-Id: Ifa86ae3fad626a69dcbfbf5829032fb3820128b3

diff --git a/automation/ansible/group_vars/node.yml b/automation/ansible/group_vars/node.yml
index 02a0ca6fcee84d1a68e58d0334c1744c84612800..1bce15fa8047bc514e8cbdbbc6cfbe0ca4425f60 100644 (file)
--- a/automation/ansible/group_vars/node.yml
+++ b/automation/ansible/group_vars/node.yml
@@ -1,2 +1,3 @@
 ---
 jenkins_user: true
+unattended_upgrades: false

diff --git a/automation/ansible/roles/common/defaults/main.yml b/automation/ansible/roles/common/defaults/main.yml
new file mode 100644 (file)
index 0000000..70a3e63
--- /dev/null
+++ b/automation/ansible/roles/common/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+unattended_upgrades: true

diff --git a/automation/ansible/roles/common/tasks/setup-Debian.yml b/automation/ansible/roles/common/tasks/setup-Debian.yml
index 0f70202a8e208e652d89793d1823a5d30dc2c844..6a3ceb6bb390a571046a6913525f83b1092872f0 100644 (file)
--- a/automation/ansible/roles/common/tasks/setup-Debian.yml
+++ b/automation/ansible/roles/common/tasks/setup-Debian.yml
@@ -21,3 +21,34 @@
 
 - name: Ensure common packages are installed.
   apt: "name={{ common_packages }} state=present"
+
+- name: Install unattended upgrades
+  apt:
+    name: 'unattended-upgrades'
+    state:  "{{(unattended_upgrades|bool)|ternary('present', 'absent')}}"
+
+- name: Enable extra repos for unattended upgrades
+  template:
+    dest: /etc/apt/apt.conf.d/51unattended_upgrades_extra_repos.conf
+    src: unattended_upgrades_extra_repos.conf.j2
+  vars:
+    repos_base:
+      - "${distro_id}:${distro_codename}-updates"
+      - "${distro_id}:${distro_codename}-backports"
+    repos_Ubuntu:
+      - "LP-PPA-efficios-ci:${distro_codename}"
+    repose_Debian: []
+    repos: "{{repos_base|union(lookup('vars', 'repos_' + ansible_distribution, default=[]))}}"
+
+- name: Enable unattended upgrades
+  block:
+    - copy:
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+        content: "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n"
+      when: unattended_upgrades | bool
+    - file:
+        path: /etc/apt/apt.conf.d/20auto-upgrades
+        state: "{{(unattended_upgrades|bool)|ternary('file', 'absent')}}"
+        owner: root
+        group: root
+        mode: '0644'

diff --git a/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2 b/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2
new file mode 100644 (file)
index 0000000..a3946e4
--- /dev/null
+++ b/automation/ansible/roles/common/templates/unattended_upgrades_extra_repos.conf.j2
@@ -0,0 +1,5 @@
+Unattended-Upgrade::Allowed-Origins {
+{% for entry in repos %}
+   "{{entry}}";
+{% endfor %}
+}