Ansible Role: unattended_upgrades

This role helps you install and set up unattended-upgrades on Ubuntu and Debian (since Wheezy) to automatically install security updates.

Requirements

• This role uses the apt module, which has its own dependencies.
• If you provide an email address with unattended_upgrades_mail, ensure that the mailx command is available on your system to send emails.
• The role requires unattended-upgrades version 0.70 or newer, available since Debian Wheezy and Ubuntu 12.04. This is necessary for the usage of Origins Patterns.

Automatic Reboot

If you enable the automatic reboot feature (unattended_upgrades_automatic_reboot), the role will try to install the update-notifier-common package. This package helps detect when a reboot is needed after updates. You can also set a specific time for the reboot (unattended_upgrades_automatic_reboot_time).

Note: This feature had issues in Debian Jessie but has since been fixed in the unattended-upgrades package.

Disabled Cron Jobs

On some systems, you may find that the cron file for unattended-upgrades (/etc/cron.daily/apt) has been renamed to apt.disabled. This could be a choice by the provider to save CPU resources. Use the enable-standard-cronjobs role to re-enable unattended-upgrades.

Role Variables

main

• unattended_upgrades_cache_valid_time: The time in seconds to update the apt cache if it's older than this value.
  • Default: 3600

auto-upgrades

• unattended_upgrades_enabled: Enable the update/upgrade process (0 = disable).
  • Default: 1
• unattended_upgrades_upgrade: Run the unattended-upgrade security upgrade script every n-days (0 = disabled).
  • Default: 1
• unattended_upgrades_update_package_list: Automatically run "apt-get update" every n-days (0 = disable).
  • Default: 1
• unattended_upgrades_download_upgradeable: Automatically run "apt-get upgrade --download-only" every n-days (0 = disable).
  • Default: 0
• unattended_upgrades_autoclean_interval: Run "apt-get autoclean" every n-days (0 = disable).
  • Default: 7
• unattended_upgrades_clean_interval: Run "apt-get clean" every n-days (0 = disable).
  • Default: 0
• unattended_upgrades_random_sleep: Maximum random interval in seconds after which the apt job starts (only for non-systemd systems).
  • Default: 1800 (30 minutes)
• unattended_upgrades_dl_limit: Limit the download speed in kB/sec.
  • Default: disabled

unattended-upgrades

• unattended_upgrades_origins_patterns: Determines if a package can be automatically installed. More details in Origins Patterns below.
  • Default for Debian: ['origin=Debian,codename=${distro_codename},label=Debian-Security']
  • Default for Ubuntu: ['origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']
• unattended_upgrades_package_blacklist: Packages that won't be automatically upgraded.
  • Default: []
• unattended_upgrades_autofix_interrupted_dpkg: Whether to run dpkg --force-confold --configure -a upon an unclean dpkg exit.
  • Default: true
• unattended_upgrades_minimal_steps: Break the upgrade into the smallest chunks for easier interruption.
  • Default: true
• unattended_upgrades_install_on_shutdown: Install all unattended-upgrades when the machine is shutting down.
  • Default: false
• unattended_upgrades_mail: Email address to send upgrade notifications or issues.
  • Default: false (no email sent)
• unattended_upgrades_mail_only_on_error: Send an email only when there are errors; otherwise, send an email for every upgrade.
  • Default: false
• unattended_upgrades_remove_unused_dependencies: Automatically remove all unused dependencies after an upgrade.
  • Default: false
• unattended_upgrades_remove_new_unused_dependencies: Automatically remove new unused dependencies after an upgrade.
  • Default: true
• unattended_upgrades_automatic_reboot: Reboot the system automatically if a reboot is necessary after upgrades.
  • Default: false
• unattended_upgrades_automatic_reboot_time: Reboot the system automatically at a specific time (HH:MM) if necessary.
  • Default: false
• unattended_upgrades_update_days: Set the days of the week for applying updates. Days can be specified by name or as integers (0 = Sunday, 1 = Monday, etc.).
  • Default: disabled
• unattended_upgrades_ignore_apps_require_restart: Allows automatic upgrading of critical packages that require a restart.
  • Default: false
• unattended_upgrades_syslog_enable: Write events to syslog.
  • Default: false
• unattended_upgrades_syslog_facility: The syslog facility to write events to, if unattended_upgrades_syslog_enable is true.
  • Default: daemon
• unattended_upgrades_verbose: Verbosity level of APT during automated runs.
  • Default: 0 (no report)
• unattended_upgrades_dpkg_options: Options used during unattended-upgrades runs.
  • Default: []

Origins Patterns

Origins Patterns are a more flexible alternative to the Allowed Origins option from earlier versions of unattended-upgrade.

Patterns use specific keywords:

• a,archive,suite – e.g., stable, trusty-security (matching archive=stable)
• c,component – e.g., main, crontrib, non-free (matching component=main)
• l,label – e.g., Debian, Debian-Security, Ubuntu
• o,origin – e.g., Debian, Unofficial Multimedia Packages, Ubuntu
• n,codename – e.g., jessie, jessie-updates, trusty (only supported from unattended-upgrades >= 0.80)
• site – e.g., http.debian.net

You can check available repositories using apt-cache policy and debug your selections with the unattended-upgrades -d command.

Additionally, two macros derived from /etc/debian_version are supported:

• ${distro_id} – Installed distribution name (e.g. Debian or Ubuntu).
• ${distro_codename} – Installed codename (e.g. jessie or trusty).

Using ${distro_codename} is preferred over hardcoding "stable" or "oldstable" to ensure you receive necessary security updates.

Role Usage Examples

Example for Ubuntu, with custom origins patterns, blacklisted packages, and email notifications:

- hosts: all
  roles:
  - role: racqspace.unattended_upgrades
    vars:
      unattended_upgrades_origins_patterns:
        - 'origin=Ubuntu,archive=${distro_codename}-security'
        - 'o=Ubuntu,a=${distro_codename}-updates'
    unattended_upgrades_package_blacklist: [cowsay, vim]
    unattended_upgrades_mail: '[email protected]'

Note: You don’t need to specify unattended_upgrades_origins_patterns if you’re okay with the defaults.

Running Only on Debian-based Systems

If you manage multiple distributions in the same playbook, you can skip running this role on non-Debian systems by using a when condition:

- hosts: all
  roles:
     - role: racqspace.unattended_upgrades
       when: ansible_facts['os_family'] == 'Debian'

Patterns Examples

By default, only security updates are allowed for Ubuntu and Debian. You can add more patterns for automatic updates but be cautious as significant updates could break your system.

For Debian

unattended_upgrades_origins_patterns:
  - 'origin=Debian,codename=${distro_codename},label=Debian-Security' # security updates
  - 'o=Debian,codename=${distro_codename},label=Debian' # all updates
  - 'o=Debian,codename=${distro_codename},a=proposed-updates'

For Debian Wheezy, due to unattended-upgrades being an older version, use archive-based matching:

unattended_upgrades_origins_patterns:
  - 'origin=Debian,a=stable,label=Debian-Security' # security updates
  - 'o=Debian,a=stable,l=Debian' # all updates
  - 'o=Debian,a=proposed-updates'

For Ubuntu

In Ubuntu, the archive includes the distribution codename:

unattended_upgrades_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}'
  - 'o=Ubuntu,a=${distro_codename}-updates'
  - 'o=Ubuntu,a=${distro_codename}-proposed-updates'

For Raspbian

For Raspbian, updates can be either all or none:

Updating all:

unattended_upgrades_origins_patterns:
  - 'origin=Raspbian,codename=${distro_codename},label=Raspbian'

To disable updates on Raspbian:

unattended_upgrades_origins_patterns: []

License

MIT

Author Information

This role was created in 2021 by Clemens Kaserer.

Contributions by:

• @ckaserer