Unattended-Upgrades Role for Ansible

Install and set up unattended-upgrades on Debian (Wheezy and later) so that security upgrades are installed periodically.

MODIFICATIONS in this fork:

  1. Removed references to Ubuntu (not needed in our deployment).
  2. Switched the Debian box to debian/jessie64.
  3. Updated the contents of auto-upgrades and unattended-upgrades.j2 with content from https://github.com/MikeTheCanuck/jQuery-infra-update.
  4. Renamed the auto-upgrades script from 20auto-upgrades to 02periodic (following the model found elsewhere).

Requirements

The role uses the apt module, which has additional dependencies. You can use the bootstrap-debian role to set up the common Ansible requirements on Debian-based systems.

If you set unattended_mail to an e-mail address, make sure the mailx command is available and that your system is able to send e-mail.

The role requires unattended-upgrades version 0.70 or newer, which is available since Debian Wheezy, because it relies on Origins Patterns; if that version is not available on your system, you may use the first version of the role.

Automatic Reboot

If you enable the automatic reboot feature (unattended_automatic_reboot), the role installs the update-notifier-common package, which is required to detect that a reboot is needed and to perform it after the upgrade. You may optionally define a specific time for the reboot (unattended_automatic_reboot_time).

NOTE: This feature is not currently supported on Debian Jessie, because there is no replacement for that package there. Attempting to enable it on an unsupported system will cause a failure. See the discussion in #6 for more details.

Disabled Cron Jobs

On some hosts you may find that unattended-upgrade's cron file /etc/cron.daily/apt has been renamed to apt.disabled. This is possibly the hosting provider's decision, made to save some CPU cycles. Use the enable-standard-cronjobs role to re-enable unattended-upgrades. See also the discussion in #9.

Role Variables

  • unattended_origins_patterns: array of origins patterns that determine whether a package may be installed automatically; see Origins Patterns below for details.
    • Default for Debian: ['origin=Debian,codename=${distro_codename},label=Debian-Security']
    • Default for Ubuntu: ['origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']
  • unattended_package_blacklist: packages that will not be upgraded automatically.
    • Default: []
  • unattended_autofix_interrupted_dpkg: whether to run dpkg --force-confold --configure -a after an unclean dpkg exit.
    • Default: true
  • unattended_minimal_steps: split the upgrade into the smallest possible chunks so that it can be interrupted with SIGUSR1.
    • Default: false
  • unattended_install_on_shutdown: install all unattended upgrades while the machine is shutting down.
    • Default: false
  • unattended_mail: e-mail address to which information about upgrades, or about problems with unattended upgrades, is sent.
    • Default: false (don't send any e-mail)
  • unattended_mail_only_on_error: send e-mail only on errors; otherwise an e-mail is sent every time a package is upgraded.
    • Default: false
  • unattended_remove_unused_dependencies: automatically remove dependencies that become unused after the upgrade.
    • Default: false
  • unattended_automatic_reboot: automatically reboot the system immediately after the upgrade if any upgraded package requires it.
    • Default: false
  • unattended_automatic_reboot_time: automatically reboot the system at the given time (HH:MM) instead of immediately after the upgrade, if any upgraded package requires it.
    • Default: false

Origins Patterns

Origins Pattern is a more powerful alternative to the Allowed Origins option used in previous versions of unattended-upgrades.

A pattern is composed of the following keywords:

  • a,archive,suite – e.g. stable, trusty-security (archive=stable)
  • c,component – e.g. main, contrib, non-free (component=main)
  • l,label – e.g. Debian, Debian-Security, Ubuntu
  • o,origin – e.g. Debian, Unofficial Multimedia Packages, Ubuntu
  • n,codename – e.g. jessie, jessie-updates, trusty
  • site – e.g. http.debian.net

You can review the available repositories with apt-cache policy and debug your choice with the unattended-upgrades -d command on a target system.

Additionally, unattended-upgrades supports two macros (variables), derived from /etc/debian_version:

  • ${distro_id} – Installed distribution name, e.g. Debian or Ubuntu.
  • ${distro_codename} – Installed codename, e.g. jessie or trusty.

Role Usage Example

- hosts: all
  roles:
  - role: jnv.unattended-upgrades
    unattended_origins_patterns:
    - 'origin=Ubuntu,archive=${distro_codename}-security'
    - 'o=Ubuntu,a=${distro_codename}-updates'
    unattended_package_blacklist: [cowsay, vim]
    unattended_mail: 'root@example.com'
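
The following is an added example, not the role's own template or code: it sanity-checks a set of the role variables listed above and renders the apt.conf stanza they correspond to, so you can compare it with the 50unattended-upgrades file that actually lands on a host. The Unattended-Upgrade::* directive names are the real unattended-upgrades options; the exact layout produced by the role's unattended-upgrades.j2, the emission of unset options as explicit "false", and the EXAMPLE_VARS dict (modelled on the usage example above) are assumptions made for this example.

```python
"""Validate role variables and render the matching 50unattended-upgrades
stanza.  Added example; not the role's template.  The mapping from role
variables to apt directives is an assumption, the directive names are the
real unattended-upgrades options."""
import re

# Defaults as documented in the Role Variables list above.
DEFAULTS = {
    "unattended_autofix_interrupted_dpkg": True,
    "unattended_minimal_steps": False,
    "unattended_install_on_shutdown": False,
    "unattended_mail_only_on_error": False,
    "unattended_remove_unused_dependencies": False,
    "unattended_automatic_reboot": False,
}

# Role variable -> boolean apt directive (assumed mapping).
BOOL_DIRECTIVES = [
    ("unattended_autofix_interrupted_dpkg", "AutoFixInterruptedDpkg"),
    ("unattended_minimal_steps", "MinimalSteps"),
    ("unattended_install_on_shutdown", "InstallOnShutdown"),
    ("unattended_mail_only_on_error", "MailOnlyOnError"),
    ("unattended_remove_unused_dependencies", "Remove-Unused-Dependencies"),
    ("unattended_automatic_reboot", "Automatic-Reboot"),
]


def check_vars(v):
    """Return a list of problems a playbook author would want to know about
    before the play runs; an empty list means the variables look sane."""
    problems = []
    if not v.get("unattended_origins_patterns"):
        problems.append("unattended_origins_patterns is empty: nothing will be upgraded")
    t = v.get("unattended_automatic_reboot_time")
    if t and not re.match(r"^([01]\d|2[0-3]):[0-5]\d$", str(t)):
        problems.append("unattended_automatic_reboot_time must be HH:MM, got %r" % t)
    if t and not v.get("unattended_automatic_reboot"):
        problems.append("unattended_automatic_reboot_time is set but unattended_automatic_reboot is off")
    if v.get("unattended_mail_only_on_error") and not v.get("unattended_mail"):
        problems.append("unattended_mail_only_on_error has no effect without unattended_mail")
    return problems


def render_apt_conf(v):
    """Build the contents of 50unattended-upgrades from the role variables.
    Boolean options are always emitted so the effective configuration can
    be read from the one file (assumed layout)."""
    def block(name, values):
        return ["Unattended-Upgrade::%s {" % name] + ['    "%s";' % x for x in values] + ["};"]

    lines = block("Origins-Pattern", v.get("unattended_origins_patterns", []))
    lines += block("Package-Blacklist", v.get("unattended_package_blacklist", []))
    for var, directive in BOOL_DIRECTIVES:
        enabled = v.get(var, DEFAULTS[var])
        lines.append('Unattended-Upgrade::%s "%s";' % (directive, "true" if enabled else "false"))
    if v.get("unattended_mail"):
        lines.append('Unattended-Upgrade::Mail "%s";' % v["unattended_mail"])
    if v.get("unattended_automatic_reboot") and v.get("unattended_automatic_reboot_time"):
        lines.append('Unattended-Upgrade::Automatic-Reboot-Time "%s";' % v["unattended_automatic_reboot_time"])
    return "\n".join(lines) + "\n"


# Constructed variable set, modelled on the Role Usage Example above.
EXAMPLE_VARS = {
    "unattended_origins_patterns": [
        "origin=Ubuntu,archive=${distro_codename}-security",
        "o=Ubuntu,a=${distro_codename}-updates",
    ],
    "unattended_package_blacklist": ["cowsay", "vim"],
    "unattended_mail": "root@example.com",
}

if __name__ == "__main__":
    for problem in check_vars(EXAMPLE_VARS):
        print("WARNING:", problem)
    print(render_apt_conf(EXAMPLE_VARS))
```

Running the script prints any problems followed by the rendered stanza; on a managed host, diffing that output against /etc/apt/apt.conf.d/50unattended-upgrades is a quick way to confirm the role applied the variables you expect.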

Patterns Examples

By default, only security updates are allowed for both Ubuntu and Debian. You can add more patterns to let unattended-upgrades install more packages automatically; however, be aware that automated major updates may break your system.

For Debian

# Archive based matching
unattended_origins_patterns:
  - 'origin=Debian,codename=${distro_codename},label=Debian-Security' # resolves to codename=jessie
  - 'o=Debian,a=stable'
  - 'o=Debian,a=stable-updates'
  - 'o=Debian,a=proposed-updates'

For Ubuntu

In Ubuntu, the archive name always contains the distribution codename:

unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}'
  - 'o=Ubuntu,a=${distro_codename}-updates'
  - 'o=Ubuntu,a=${distro_codename}-proposed-updates'
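
To make the keyword, alias and macro rules from the Origins Patterns section and the Debian examples above concrete, here is an added example (not code from the role or from unattended-upgrades itself) that parses constructed apt-cache policy output for a Debian jessie host and reports which package sources a list of patterns allows. It is a simplified re-implementation of the matching logic: every key=value condition in a pattern must equal the corresponding field of the repository's release line, with the site keyword taken from the origin line. The SAMPLE_POLICY text and the allowed_sources helper are constructed for this example.

```python
"""Simplified model of how unattended-upgrades matches an Origins-Pattern
against the release information apt reports for each repository.  Added
example; not the real unattended-upgrade code.  SAMPLE_POLICY is a
constructed `apt-cache policy` excerpt for a Debian jessie host."""
import re

# Keyword aliases accepted in a pattern (see the Origins Patterns list),
# normalised to the single-letter field names apt prints in a release line.
ALIASES = {
    "a": "a", "archive": "a", "suite": "a",
    "c": "c", "component": "c",
    "l": "l", "label": "l",
    "o": "o", "origin": "o",
    "n": "n", "codename": "n",
    "site": "site",
}

SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.debian.org/ jessie/updates/main amd64 Packages
     release v=8.0,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
     origin security.debian.org
 500 http://http.debian.net/debian/ jessie-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
     origin http.debian.net
 500 http://http.debian.net/debian/ jessie/main amd64 Packages
     release v=8.0,o=Debian,a=stable,n=jessie,l=Debian,c=main
     origin http.debian.net
Pinned packages:
"""


def parse_policy(text):
    """Return one dict per package file, holding the release fields
    (o, a, n, l, c, ...) plus 'site' from the origin line."""
    sources, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^\d+ ", stripped):          # "500 http://... Packages"
            current = {}
            sources.append(current)
        elif stripped.startswith("release ") and current is not None:
            for kv in stripped[len("release "):].split(","):
                key, _, value = kv.partition("=")
                current[key] = value
        elif stripped.startswith("origin ") and current is not None:
            current["site"] = stripped[len("origin "):]
    return sources


def expand_macros(pattern, distro_id, distro_codename):
    """Substitute the two macros unattended-upgrades supports."""
    return (pattern.replace("${distro_id}", distro_id)
                   .replace("${distro_codename}", distro_codename))


def parse_pattern(pattern):
    """Turn 'origin=Debian,a=stable' into {'o': 'Debian', 'a': 'stable'},
    rejecting keywords the pattern syntax does not define."""
    conds = {}
    for kv in pattern.split(","):
        key, _, value = kv.partition("=")
        key = key.strip()
        if key not in ALIASES:
            raise ValueError("unknown keyword in pattern: %r" % key)
        conds[ALIASES[key]] = value.strip()
    return conds


def matches(source, pattern):
    """A source matches when every condition equals the source's field."""
    return all(source.get(k) == v for k, v in parse_pattern(pattern).items())


def allowed_sources(policy_text, patterns, distro_id="Debian", distro_codename="jessie"):
    """Return (origin, archive, label) of every source at least one pattern allows."""
    expanded = [expand_macros(p, distro_id, distro_codename) for p in patterns]
    return [(s.get("o"), s.get("a"), s.get("l"))
            for s in parse_policy(policy_text)
            if any(matches(s, p) for p in expanded)]


if __name__ == "__main__":
    default = ["origin=Debian,codename=${distro_codename},label=Debian-Security"]
    print("default pattern allows:", allowed_sources(SAMPLE_POLICY, default))
    print("o=Debian,a=stable allows:", allowed_sources(SAMPLE_POLICY, ["o=Debian,a=stable"]))
```

The second call illustrates the warning above: on a Debian stable host, o=Debian,a=stable matches the main archive as well as the security repository, since both carry a=stable; only the label (or the site) tells them apart, which is why the role's default pattern pins label=Debian-Security.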

License

GPLv2
