Merge pull request #1594 from edx/derf/enable_unattended_upgrades

automatic upgrades on image creation, enable unattended upgrades daily

Merge pull request #1594 from edx/derf/enable_unattended_upgrades
automatic upgrades on image creation, enable unattended upgrades daily
0bf138f6 · Fred Smith · 6d7a34ed · 8c2b720f · 0bf138f6 · 0bf138f6
Commit 0bf138f6 authored Sep 30, 2014 by Fred Smith
4 changed files
--- a/playbooks/roles/security/defaults/main.yml
+++ b/playbooks/roles/security/defaults/main.yml
@@ -15,11 +15,20 @@
 # vars are namespace with the module name.
 #
 security_role_name: security
+# set to true to enable unattended upgrades nightly
+SECURITY_UNATTENDED_UPGRADES: false
+# set to true to upgrade all packages nightly.  false will only upgrade from security repo.
+SECURITY_UPDATE_ALL_PACKAGES: false
+# set to true to run aptitute safe-upgrade whenever ansible is run
+SECURITY_UPGRADE_ON_ANSIBLE: false
+

 #
 # OS packages
 #

-security_debian_pkgs: []
+security_debian_pkgs: 
+  - aptitude
+  - unattended-upgrades

 security_redhat_pkgs: []
--- a/playbooks/roles/security/tasks/security-ubuntu.yml
+++ b/playbooks/roles/security/tasks/security-ubuntu.yml
+#### Enable periodic security updates
+
+- name: install security packages
+  apt: name={{item}} state=latest
+  with_items: security_debian_pkgs 
+
+
+- name: update all system packages
+  apt: upgrade=safe
+  when: SECURITY_UPGRADE_ON_ANSIBLE
+
+- name: configure periodic unattended-upgrades
+  template: >
+    src=etc/apt/apt.conf.d/10periodic
+    dest=/etc/apt/apt.conf.d/10periodic
+    owner=root group=root mode=0644
+  when: SECURITY_UNATTENDED_UPGRADES
+
+- name: disable unattended-upgrades
+  file: path=/etc/apt/apt.conf.d/10periodic state=absent
+  when: not SECURITY_UNATTENDED_UPGRADES
+
+- name: only unattended-upgrade from security repo
+  template: >
+    src=etc/apt/apt.conf.d/20unattended-upgrade
+    dest=/etc/apt/apt.conf.d/20unattended-upgrade
+    owner=root group=root mode=0644
+  when: SECURITY_UNATTENDED_UPGRADES and not SECURITY_UPDATE_ALL_PACKAGES
+
+- name: disable security only updates on unattended-upgrades
+  file: path=/etc/apt/apt.conf.d/20unattended-upgrade state=absent
+  when: SECURITY_UPDATE_ALL_PACKAGES or not SECURITY_UNATTENDED_UPGRADES
+
+
 #### Bash security vulnerability

 - name: Check if we are vulnerable

--- a/playbooks/roles/security/templates/etc/apt/apt.conf.d/10periodic
+++ b/playbooks/roles/security/templates/etc/apt/apt.conf.d/10periodic
+APT::Periodic::Enable "1";
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
--- a/playbooks/roles/security/templates/etc/apt/apt.conf.d/20unattended-upgrade
+++ b/playbooks/roles/security/templates/etc/apt/apt.conf.d/20unattended-upgrade
+
+Unattended-Upgrade::Allowed-Origins {
+  "${distro_id} ${distro_codename}-security";
+};