Enable unattended upgrades

Debian gets this from the 'unattended-upgrades' package and the Red Hat
family gets it from 'yum-cron'.

Change-Id: Ie00f6073ad1127b11a89e69816baf47011480dbf
David Shrewsbury
2018-08-27 13:39:59 -04:00
parent 055f29d8ab
commit 6a8707a02d
9 changed files with 89 additions and 21 deletions


@@ -145,7 +145,6 @@ INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-subunit2sql"]="o
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-sudoers"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-sudoers"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-tmpreaper"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-tmpreaper"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-ulimit"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-ulimit"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-unattended_upgrades"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-user"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-user"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zanata"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zanata"]="origin/master"
INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zuul"]="origin/master" INTEGRATION_MODULES["$OPENSTACK_GIT_ROOT/openstack-infra/puppet-zuul"]="origin/master"


@@ -1,16 +0,0 @@
# == Class: openstack_project::automatic_upgrades
#
class openstack_project::automatic_upgrades (
$origins = []
) {
if $::osfamily == 'Debian' {
class { 'unattended_upgrades':
origins => $origins,
}
}
if $::osfamily == 'RedHat' {
include packagekit::cron
}
}


@@ -30,8 +30,4 @@ class openstack_project::server (
} }
} }
class { 'openstack_project::automatic_upgrades':
origins => ["Puppetlabs:${lsbdistcodename}"],
}
} }


@@ -0,0 +1,6 @@
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "1800";
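Review bot: These APT::Periodic values can be overridden by any file that sorts later in /etc/apt/apt.conf.d, because apt reads that directory in lexical order and the last assignment of a key wins. The unattended-upgrades package commonly manages a `20auto-upgrades` file with the same `Update-Package-Lists` and `Unattended-Upgrade` keys, so if that file is present with "0" the settings in `10periodic` would silently not apply. Consider installing this file under a name that sorts later, or having the test assert the effective values from `apt-config dump` instead of grepping the file.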


@@ -0,0 +1,30 @@
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
// ${distro_id} and ${distro_codename} will be automatically expanded
"${distro_id} stable";
"${distro_id} ${distro_codename}-security";
"${distro_id} ${distro_codename}-updates";
// "${distro_id} ${distro_codename}-proposed-updates";
};
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
Unattended-Upgrade::Mail "root";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
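Review bot: The Allowed-Origins list looks written for Ubuntu suite names, while the accompanying test treats Debian hosts the same way. On Debian the archive field is typically `stable`/`oldstable` rather than `<codename>-security`, so probably only the `"${distro_id} stable"` line would match there, and it would stop matching once the release becomes oldstable; running `unattended-upgrade --dry-run --debug` on a Debian node would confirm which origins are accepted. The removed Puppet class also passed `Puppetlabs:${lsbdistcodename}` as an origin and that is not carried over, so packages from that repository would no longer be upgraded automatically if it is still configured. With `Automatic-Reboot` left commented out, kernel and libc fixes are installed but not active until someone acts on /var/run/reboot-required, which deserves a comment in the file.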


@@ -18,3 +18,19 @@
src: rsyslog.d_50-default.conf src: rsyslog.d_50-default.conf
dest: /etc/rsyslog.d/50-default.conf dest: /etc/rsyslog.d/50-default.conf
notify: Restart rsyslog notify: Restart rsyslog
- name: Install apt-daily 10periodic file for unattended-upgrades
copy:
mode: 0444
src: 10periodic
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
- name: Install 50unattended-upgrades file for unattended-upgrades
copy:
mode: 0444
src: 50unattended-upgrades
dest: /etc/apt/apt.conf.d/50unattended-upgrades
owner: root
group: root
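Review bot: The second copy task overwrites `/etc/apt/apt.conf.d/50unattended-upgrades`, which the unattended-upgrades package normally ships as its own conffile. unattended-upgrades holds back packages whose upgrade would raise a conffile prompt, so with a locally replaced conffile the tool may stop updating itself; installing the overrides under a separate file name avoids that and is worth considering. As a style point, `mode: 0444` works because of the leading zero, but `mode: '0444'` is the safer spelling. The task list starts outside this hunk, so whether these tasks are limited to Debian-family hosts cannot be seen here.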


@@ -3,6 +3,8 @@ distro_packages:
- emacs-nox - emacs-nox
- iputils-ping - iputils-ping
- vim-nox - vim-nox
- unattended-upgrades
- mailutils
sftp_path: /usr/lib/openssh/sftp-server sftp_path: /usr/lib/openssh/sftp-server
ssh_service_name: ssh ssh_service_name: ssh
ntp_service_name: ntp ntp_service_name: ntp
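Review bot: `mailutils` only provides the /usr/bin/mail client; delivering the upgrade reports to root still needs an MTA, and the package will probably pull one in through its dependencies on hosts that have none. That adds a mail daemon to every server built from this role, so it is worth stating which MTA is expected and confirming it listens on loopback only. A short comment such as `# mailutils: /usr/bin/mail for unattended-upgrades reports` next to the entry would record why it is there. The same two lines are added to the second vars file below.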


@@ -3,6 +3,8 @@ distro_packages:
- emacs23-nox - emacs23-nox
- iputils-ping - iputils-ping
- vim-nox - vim-nox
- unattended-upgrades
- mailutils
sftp_path: /usr/lib/openssh/sftp-server sftp_path: /usr/lib/openssh/sftp-server
ssh_service_name: ssh ssh_service_name: ssh
ntp_service_name: ntp ntp_service_name: ntp


@@ -96,3 +96,36 @@ def test_timezone(host):
def test_unbound(host): def test_unbound(host):
output = host.check_output('host git.openstack.org') output = host.check_output('host git.openstack.org')
assert 'has address' in output assert 'has address' in output
def test_unattended_upgrades(host):
if host.system_info.distribution in ['ubuntu', 'debian']:
package = host.package("unattended-upgrades")
assert package.is_installed
package = host.package("mailutils")
assert package.is_installed
cfg_file = host.file("/etc/apt/apt.conf.d/10periodic")
assert cfg_file.exists
assert cfg_file.contains('^APT::Periodic::Enable "1"')
assert cfg_file.contains('^APT::Periodic::Update-Package-Lists "1"')
assert cfg_file.contains('^APT::Periodic::Download-Upgradeable-Packages "1"')
assert cfg_file.contains('^APT::Periodic::AutocleanInterval "5"')
assert cfg_file.contains('^APT::Periodic::Unattended-Upgrade "1"')
assert cfg_file.contains('^APT::Periodic::RandomSleep "1800"')
cfg_file = host.file("/etc/apt/apt.conf.d/50unattended-upgrades")
assert cfg_file.contains('^Unattended-Upgrade::Mail "root"')
else:
package = host.package("yum-cron")
assert package.is_installed
service = host.service("crond")
assert service.is_enabled
assert service.is_running
cfg_file = host.file("/etc/yum/yum-cron.conf")
assert cfg_file.exists
assert cfg_file.contains('apply_updates = yes')
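Review bot: The yum-cron assertion `cfg_file.contains('apply_updates = yes')` is unanchored, so a commented-out `#apply_updates = yes` line would satisfy it; use `'^apply_updates = yes'` as the Debian branch does for its keys. The `else` branch also runs for every distribution that is not ubuntu or debian, and nothing in this commit installs or configures yum-cron, so it presumably depends on existing role tasks. On the Debian side the test checks only the `Mail` setting of 50unattended-upgrades; adding `assert cfg_file.exists` and a check for the `-security` origin line would cover the part that decides which updates are applied.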