From 71978cefcbbc8183b750a6812006f81bc471319b Mon Sep 17 00:00:00 2001
From: Jack Ivanov <e601809@gmail.com>
Date: Mon, 19 Feb 2018 21:25:35 +0300
Subject: [PATCH] Enable unattended-upgrades for clouds

---
 roles/common/tasks/ubuntu.yml                 | 70 +++++++++----------
 roles/common/tasks/unattended-upgrades.yml    | 21 ++++++
 roles/common/templates/10periodic.j2          |  4 ++
 .../common/templates/50unattended-upgrades.j2 | 59 ++++++++++++++++
 4 files changed, 117 insertions(+), 37 deletions(-)
 create mode 100644 roles/common/tasks/unattended-upgrades.yml
 create mode 100644 roles/common/templates/10periodic.j2
 create mode 100644 roles/common/templates/50unattended-upgrades.j2

diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index 4c5705e4..ce337741 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -1,46 +1,42 @@
 ---
+- name: Cloud only tasks
+  block:
+  - name: Install software updates
+    apt: update_cache=yes upgrade=dist
 
-- name: Install software updates
-  apt: update_cache=yes upgrade=dist
-  tags:
-    - cloud
+  - name: Check if reboot is required
+    shell: >
+      if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
+    args:
+      executable: /bin/bash
+    register: reboot_required
 
-- name: Check if reboot is required
-  shell: >
-    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
-  args:
-    executable: /bin/bash
-  register: reboot_required
-  tags:
-    - cloud
+  - name: Reboot
+    shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+    async: 1
+    poll: 0
+    when: reboot_required is defined and reboot_required.stdout == 'required'
+    ignore_errors: true
 
-- name: Reboot
-  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-  async: 1
-  poll: 0
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  ignore_errors: true
-  tags:
-    - cloud
+  - name: Wait until SSH becomes ready...
+    local_action:
+      module: wait_for
+      port: 22
+      host: "{{ inventory_hostname }}"
+      search_regex: OpenSSH
+      delay: 10
+      timeout: 320
+    when: reboot_required is defined and reboot_required.stdout == 'required'
+    become: false
 
-- name: Wait until SSH becomes ready...
-  local_action:
-    module: wait_for
-    port: 22
-    host: "{{ inventory_hostname }}"
-    search_regex: OpenSSH
-    delay: 10
-    timeout: 320
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  become: false
-  tags:
-    - cloud
+  - name: Include unatteded upgrades configuration
+    include_tasks: unattended-upgrades.yml
 
-- name: Disable MOTD on login and SSHD
-  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
-  with_items:
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
+  - name: Disable MOTD on login and SSHD
+    replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
+    with_items:
+      - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
+      - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
   tags:
     - cloud
 
diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml
new file mode 100644
index 00000000..378c16e3
--- /dev/null
+++ b/roles/common/tasks/unattended-upgrades.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+  apt:
+    name: unattended-upgrades
+    state: latest
+
+- name: Configure unattended-upgrades
+  template:
+    src: 50unattended-upgrades.j2
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Periodic upgrades configured
+  template:
+    src: 10periodic.j2
+    dest: /etc/apt/apt.conf.d/10periodic
+    owner: root
+    group: root
+    mode: 0644
diff --git a/roles/common/templates/10periodic.j2 b/roles/common/templates/10periodic.j2
new file mode 100644
index 00000000..5d37e9fc
--- /dev/null
+++ b/roles/common/templates/10periodic.j2
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2
new file mode 100644
index 00000000..0c55b702
--- /dev/null
+++ b/roles/common/templates/50unattended-upgrades.j2
@@ -0,0 +1,59 @@
+// Automatically upgrade packages from these (origin:archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+    "${distro_id}:${distro_codename}-security";
+    "${distro_id}:${distro_codename}-updates";
+//  "${distro_id}:${distro_codename}-proposed";
+//  "${distro_id}:${distro_codename}-backports";
+};
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+//  "vim";
+//  "libc6";
+//  "libc6-dev";
+//  "libc6-i686";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+//Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+//Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION*
+//  if the file /var/run/reboot-required is found after the upgrade
+//Unattended-Upgrade::Automatic-Reboot "false";
+
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";