Forge Home

unattended_upgrades

Puppet module that installs and configures the unattended upgrades service

35,505 downloads

29,304 latest version

4.5 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

  1. Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
  2. Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

  • 0.2.3 (latest)
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Feb 28th 2016
This version is compatible with:

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'andschwa-unattended_upgrades', '0.2.3'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add andschwa-unattended_upgrades
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install andschwa-unattended_upgrades --version 0.2.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

andschwa/unattended_upgrades — version 0.2.3 Feb 28th 2016

andschwa-unattended_upgrades

Table of Contents

  1. Overview
  2. Module Description
  3. Setup - The basics of getting started with andschwa-unattended_upgrades
  4. Usage - Configuration options and additional functionality
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Overview

This module installs the 'unattended-upgrades' package, installs the configuration files using templates, and ensures the service is running.

Note that this module is a bit superfluous if you're using puppetlabs/apt, as it can fully configure unattended upgrades. I realized this only after I wrote this package, and personally switched to it in the interest of simplicity. However, as this does not require the apt module as a dependency, it may still be useful to some.

Module Description

This module is intended for Ubuntu and Debian systems, where the 'unattended-upgrades' package is available. Alternatives include scheduling updates with cron by hand (and in fact, 'unattended-upgrades' utilizes cron), and using cron-apt (more detail here).

Setup

What andschwa-unattended_upgrades affects

  • Packages
    • unattended-upgrades
  • Services
    • unattended-upgrades
  • Files
    • /etc/apt/apt.conf.d/20auto-upgrades
    • /etc/apt/apt.conf.d/50unattended-upgrades

Beginning with andschwa-unattended_upgrades

The simplest use of this module is:

include unattended_upgrades

Usage

This module has one class, unattended_upgrades, with the following parameters:

$period                       = 1,                                             # Update period (in days)
$repos                        = {},                                            # Repos to upgrade
$blacklist                    = [],                                            # Packages to not update
$email                        = '',                                            # Email for update status
$autofix                      = true,                                          # Ensure updates keep getting ins
$minimal_steps                = true,                                          # Allows for shutdown during an u
$on_shutdown                  = false,                                         # Install only on shutdown
$on_error                     = false,                                         # Email only on errors, else alwa
$autoremove                   = false,                                         # Automatically remove unused dep
$auto_reboot                  = false,                                         # Automatically reboot if needed
$template_unattended_upgrades = 'unattended_upgrades/unattended-upgrades.erb', # Path to config template
$template_auto_upgrades       = 'unattended_upgrades/auto-upgrades.erb',       # Path to apt config template

Logs are at the usual /var/log/unattended-upgrades, and emails will be automatically sent if an email is given.

The $minimal_steps option will split the upgrade into the smallest possible chunks, which allows them to be safely interruped (with SIGUSR1). There is a small performance penalty, but it lets you shutdown the machine while an upgrade is in progess.

The $autofix option determines if unattended-upgrades will, upon an unclean dpkg exit, automatically run dpkg --force-confold --configure -a. It defaults to true so that updates will continue being automatically installed.

The $autoremove option will clean unused dependencies, further configuration is available via the periodic configurations in /etc/apt/apt.conf.d/.

Sample

# Unattended upgrades
$upgrade_blacklist = hiera_array('do_not_upgrade')
class {'::unattended_upgrades':
  period    => '1',
  repos     => {
    stable => {
      label => 'Debian-Security',
    },
  },
  blacklist => $upgrade_blacklist,
  email     => 'ops@company.com',
}

do_not_upgrade hash

You can define the do_not_upgrade hash in your module or in Hiera. Hiera is a more sensible location for this sort of thing.

{
  "do_not_upgrade": [
    "nginx(.*)",
    "apache2(.*)",
    "postgresql(.*)",
    "mysql(.*)",
    "redis-server",
    "haproxy",
    "elasticsearch"
  ]
}

Limitations

This module only works on systems using apt package management: Ubuntu and Debian (and their derivatives).

Development

Fork on GitHub, make a Pull Request.