run unattented updates on non-critial hosts

This commit is contained in:
Markus 2018-06-13 15:08:04 +02:00
parent 4ae4cb8b13
commit 0cafa543aa
5 changed files with 143 additions and 0 deletions

1
hosts
View File

@ -3,6 +3,7 @@ bacon.binary.kitchen ansible_host=172.23.2.3
aveta.binary.kitchen ansible_host=172.23.2.4 aveta.binary.kitchen ansible_host=172.23.2.4
sulis.binary.kitchen ansible_host=172.23.2.5 sulis.binary.kitchen ansible_host=172.23.2.5
nabia.binary.kitchen ansible_host=172.23.2.6 nabia.binary.kitchen ansible_host=172.23.2.6
forseti.binary.kitchen ansible_host=172.23.2.7
#pizza.binary.kitchen ansible_host=172.23.2.33 #pizza.binary.kitchen ansible_host=172.23.2.33
#apfelkuchen.binary.kitchen ansible_host=172.23.2.34 #apfelkuchen.binary.kitchen ansible_host=172.23.2.34
#schweinshaxn.binary.kitchen ansible_host=172.23.2.36 #schweinshaxn.binary.kitchen ansible_host=172.23.2.36

13
roles/uau/tasks/main.yml Normal file
View File

@ -0,0 +1,13 @@
---
- name: Install unattended upgrades
apt: name={{ item }}
with_items:
- unattended-upgrades
- debian-goodies
- name: Configure unattended upgrades
template: src={{ item }}.j2 dest=/etc/apt/apt.conf.d/{{ item }}
with_items:
- 02periodic
- 50unattended-upgrades

View File

@ -0,0 +1,18 @@
// {{ ansible_managed }}
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

View File

@ -0,0 +1,103 @@
// {{ ansible_managed }}
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
Acquire::http::Dl-Limit "500";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

View File

@ -19,12 +19,14 @@
roles: roles:
- ldap-pam - ldap-pam
- member-sw - member-sw
- uau
- name: Setup BK monitoring server - name: Setup BK monitoring server
hosts: nabia.binary.kitchen hosts: nabia.binary.kitchen
roles: roles:
- librenms - librenms
- racktables - racktables
- uau
- name: Setup ldap server - name: Setup ldap server
hosts: helium.binary-kitchen.net hosts: helium.binary-kitchen.net
@ -40,29 +42,35 @@
hosts: beryllium.binary-kitchen.net hosts: beryllium.binary-kitchen.net
roles: roles:
- web - web
- uau
- name: Setup gogs server - name: Setup gogs server
hosts: boron.binary-kitchen.net hosts: boron.binary-kitchen.net
roles: roles:
- gogs - gogs
- uau
- name: Setup jabber server - name: Setup jabber server
hosts: carbon.binary-kitchen.net hosts: carbon.binary-kitchen.net
roles: roles:
- prosody - prosody
- uau
- name: Setup owncloud server - name: Setup owncloud server
hosts: nitrogen.binary-kitchen.net hosts: nitrogen.binary-kitchen.net
roles: roles:
- owncloud - owncloud
- uau
- name: Setup member server - name: Setup member server
hosts: oxygen.binary-kitchen.net hosts: oxygen.binary-kitchen.net
roles: roles:
- ldap-pam - ldap-pam
- member-sw - member-sw
- uau
- name: Setup hackmd server - name: Setup hackmd server
hosts: fluorine.binary-kitchen.net hosts: fluorine.binary-kitchen.net
roles: roles:
- hackmd - hackmd
- uau