diff --git a/host_vars/aeron.binary.kitchen b/host_vars/aeron.binary.kitchen
index d616250..bddac63 100644
--- a/host_vars/aeron.binary.kitchen
+++ b/host_vars/aeron.binary.kitchen
@@ -5,3 +5,5 @@ radius_hostname: radius3.binary.kitchen
 slapd_hostname: ldap3.binary.kitchen
 slapd_replica_id: 3
 slapd_role: slave
+
+uau_reboot: "false"
diff --git a/host_vars/bacon.binary.kitchen b/host_vars/bacon.binary.kitchen
index 0d0d5e9..0c55033 100644
--- a/host_vars/bacon.binary.kitchen
+++ b/host_vars/bacon.binary.kitchen
@@ -15,3 +15,5 @@ radius_hostname: radius1.binary.kitchen
 slapd_hostname: ldap1.binary.kitchen
 slapd_replica_id: 1
 slapd_role: slave
+
+uau_reboot: "false"
diff --git a/roles/uau/templates/50unattended-upgrades.j2 b/roles/uau/templates/50unattended-upgrades.j2
index 44e6e45..76eadc4 100644
--- a/roles/uau/templates/50unattended-upgrades.j2
+++ b/roles/uau/templates/50unattended-upgrades.j2
@@ -2,7 +2,7 @@
 // Unattended-Upgrade::Origins-Pattern controls which packages are
 // upgraded.
 //
-// Lines below have the format format is "keyword=value,...". A
+// Lines below have the format "keyword=value,...". A
 // package will be upgraded only if the values in its metadata match
 // all the supplied keywords in a line. (In other words, omitted
 // keywords are wild cards.) The keywords originate from the Release
@@ -31,6 +31,7 @@ Unattended-Upgrade::Origins-Pattern {
 // "origin=Debian,codename=${distro_codename}-proposed-updates";
 "origin=Debian,codename=${distro_codename},label=Debian";
 "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 
 // Archive or Suite based matching:
 // Note that this will silently match a different release after
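Review bot: `uau_reboot: "false"` in host_vars/aeron.binary.kitchen (and the identical line in host_vars/bacon.binary.kitchen) has no comment saying why these hosts are exempt from automatic reboots or who restarts them. With Automatic-Reboot off, unattended-upgrades still installs kernel and library updates, but the running system keeps the old code until someone reboots, so the exemption needs an owner. I would add a comment above the variable, for example `# no automatic reboot (presumably because this host serves LDAP/RADIUS); reboot by hand when /var/run/reboot-required exists`, and have monitoring alert on that file if these hosts are monitored.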
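Review bot: The added `codename=${distro_codename}-security` pattern in the Origins-Pattern hunk of roles/uau/templates/50unattended-upgrades.j2 sits directly below the older `codename=${distro_codename},label=Debian-Security` line, with nothing explaining why both are needed. As far as I know the security archive's codename gained the `-security` suffix on newer Debian releases, so a host matches one line or the other depending on its release. A comment such as `// security archive: "<codename>-security" on newer releases, plain "<codename>" on older ones` would keep a later cleanup from dropping the wrong line. Running `unattended-upgrade --dry-run --debug` on one host per release after rollout shows whether the security origin is still matched. The Origins-Pattern block starts and ends outside the hunk.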
@@ -65,7 +66,7 @@ Unattended-Upgrade::Package-Blacklist {
 };
 
 // This option allows you to control if on a unclean dpkg exit
-// unattended-upgrades will automatically run
+// unattended-upgrades will automatically run
 // dpkg --force-confold --configure -a
 // The default is true, to ensure updates keep getting installed
 //Unattended-Upgrade::AutoFixInterruptedDpkg "true";
@@ -93,9 +94,11 @@ Unattended-Upgrade::Package-Blacklist {
 // 'mailx' must be installed. E.g. "user@example.com"
 Unattended-Upgrade::Mail "root";
 
-// Set this value to "true" to get emails only on errors. Default
-// is to always send a mail if Unattended-Upgrade::Mail is set
-Unattended-Upgrade::MailOnlyOnError "true";
+// Set this value to one of:
+// "always", "only-on-error" or "on-change"
+// If this is not set, then any legacy MailOnlyOnError (boolean) value
+// is used to chose between "only-on-error" and "on-change"
+Unattended-Upgrade::MailReport "only-on-error";
 
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
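Review bot: Dropping `Unattended-Upgrade::MailOnlyOnError "true";` in the mail hunk changes behaviour on any managed host whose unattended-upgrades predates `MailReport`. The new key is presumably ignored there, and per the removed comment the default is then to mail on every run. The template still carries the older Debian-Security origin line, which suggests older releases are still served by this role. According to the comment added here the legacy value is only consulted when MailReport is unset, so keeping `Unattended-Upgrade::MailOnlyOnError "true";` below the new line should be harmless on newer hosts. Error mail is the signal that patching has stopped, so it should not end up buried under routine reports.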
@@ -145,3 +148,18 @@ Unattended-Upgrade::Automatic-Reboot "{{ uau_reboot }}";
 // Print debugging information both in unattended-upgrades and
 // in unattended-upgrade-shutdown
 // Unattended-Upgrade::Debug "false";
+
+// Allow package downgrade if Pin-Priority exceeds 1000
+// Unattended-Upgrade::Allow-downgrade "false";
+
+// When APT fails to mark a package to be upgraded or installed try adjusting
+// candidates of related packages to help APT's resolver in finding a solution
+// where the package can be upgraded or installed.
+// This is a workaround until APT's resolver is fixed to always find a
+// solution if it exists. (See Debian bug #711128.)
+// The fallback is enabled by default, except on Debian's sid release because
+// uninstallable packages are frequent there.
+// Disabling the fallback speeds up unattended-upgrades when there are
+// uninstallable packages at the expense of rarely keeping back packages which
+// could be upgraded or installed.
+// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";