thedumbtechguy.unattended-upgrades

Ansible Role: Unattended Upgrades

This is an Ansible role designed to set up unattended upgrades on Ubuntu. By default, it only applies security updates.

Requirements

This role has been tested on Ubuntu 16.04 and Ubuntu 16.10 only.

If you're using Debian, you might need to adjust the unattended_origins_patterns value since it defaults to Ubuntu targets.

Unattended Mail

If you provide an email address for unattended_mail, ensure that the mailx command is available and that your system can send emails.

Automatic Reboot

If you enable automatic reboot by setting unattended_automatic_reboot, the role will try to install the update-notifier-common package, which some systems need to detect and perform reboots after upgrades. You can also set a specific reboot time using unattended_automatic_reboot_time.

Variables

  • unattended_origins_patterns: A list of origin patterns to determine which packages can be automatically updated. See Origins Patterns for more details.
    • Default: ['origin=Ubuntu,archive=${distro_codename}-security']
  • unattended_package_blacklist: Packages that will not be automatically upgraded.
    • Default: []
  • unattended_autofix_interrupted_dpkg: Run dpkg --force-confold --configure -a if dpkg exits improperly.
    • Default: true
  • unattended_minimal_steps: Break the upgrade into the smallest chunks for easier interruption.
    • Default: false
  • unattended_install_on_shutdown: Install unattended upgrades when the machine is shutting down.
    • Default: false
  • unattended_mail: Email address to receive information about upgrades or issues.
    • Default: false (no email sent)
  • unattended_mail_only_on_error: Send an email only when there are errors—otherwise, email is sent for every upgrade.
    • Default: false
  • unattended_remove_unused_dependencies: Automatically remove new, unneeded dependencies after an upgrade.
    • Default: false
  • unattended_automatic_reboot: Reboot the system automatically if an upgraded package requires it, immediately after upgrading.
    • Default: false
  • unattended_automatic_reboot_time: Reboot the system at a specified time (HH:MM) if an upgrade requires it, instead of immediately.
    • Default: false
  • unattended_ignore_apps_require_restart: By default, unattended-upgrades holds back certain critical packages that require a restart after being upgraded. If set to true, those packages are upgraded anyway.
    • Default: false

Origins Patterns

Origins Patterns are a more advanced way to specify Allowed Origins compared to older versions of unattended-upgrade.

Patterns use specific keywords:

  • a, archive, suite – e.g. stable, trusty-security (archive=stable)
  • c, component – e.g. main, contrib, non-free (component=main)
  • l, label – e.g. Debian, Debian-Security, Ubuntu
  • o, origin – e.g. Debian, Unofficial Multimedia Packages, Ubuntu
  • n, codename – e.g. jessie, trusty (only supported with unattended-upgrades >= 0.80)
  • site – e.g. http.debian.net

You can check the available repositories using apt-cache policy and debug with the unattended-upgrades -d command on your target system.

Additionally, unattended-upgrades supports two variables derived from /etc/debian_version:

  • ${distro_id} – Name of the installed distribution, e.g. Debian or Ubuntu.
  • ${distro_codename} – Codename of the installed distribution, e.g. jessie or trusty.

It is recommended to use ${distro_codename} over stable or oldstable, as these can cause security updates to be missed when the stable version changes to oldstable. This ensures you receive necessary updates for your current distribution.

Usage Example

- hosts: all
  vars:
    unattended_origins_patterns:
      - 'origin=Ubuntu,archive=${distro_codename}-security'
      - 'o=Ubuntu,a=${distro_codename}-updates'
    unattended_package_blacklist: [cowsay, vim]
    unattended_mail: '[email protected]'
  roles:
    - setup_unattended_upgrades

Patterns Examples

By default, only security updates are allowed. You can add more patterns for automatic updates, but be cautious as major automated updates can break your system.

In Ubuntu, the archive always includes the distribution codename.

unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}'
  - 'o=Ubuntu,a=${distro_codename}-updates'
  - 'o=Ubuntu,a=${distro_codename}-proposed-updates'
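The following is an added example, not code from the role or from unattended-upgrades itself. It models how the Origins Patterns above are matched against the repositories that `apt-cache policy` reports, so you can check which patterns would match on a host before enabling them: short keys are treated as aliases of the long ones, ${distro_id} and ${distro_codename} are expanded first, and `site` is read from the `origin <host>` line that follows each `release ...` line in `apt-cache policy` output. It also reproduces the stable/oldstable pitfall from the previous section. Every policy excerpt in it is constructed sample data, and the host names and PPA are placeholders.

```python
"""Model of unattended-upgrades origin-pattern matching (added example).

Assumptions: a pattern is a comma-separated list of key=value pairs using the
keywords from the Origins Patterns section; all keys named by a pattern must
equal the repository's values. Policy excerpts are constructed sample data.
"""

# Short keyword -> canonical keyword, as listed under Origins Patterns.
KEY_ALIASES = {
    "a": "archive", "suite": "archive",
    "c": "component",
    "l": "label",
    "o": "origin",
    "n": "codename",
}


def parse_pairs(spec):
    """Turn 'o=Ubuntu,a=xenial-security' into {'origin': 'Ubuntu', 'archive': ...}."""
    pairs = {}
    for item in spec.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue  # skip malformed fragments instead of matching on them
        pairs[KEY_ALIASES.get(key.strip(), key.strip())] = value.strip()
    return pairs


def expand_macros(pattern, distro_id, distro_codename):
    """Substitute the two macros unattended-upgrades supports."""
    return (pattern.replace("${distro_id}", distro_id)
                   .replace("${distro_codename}", distro_codename))


def parse_policy(policy_text):
    """Extract one dict per repository from `apt-cache policy` output."""
    entries = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if line.startswith("release "):
            entries.append(parse_pairs(line[len("release "):]))
        elif line.startswith("origin ") and entries:
            entries[-1]["site"] = line[len("origin "):].strip()  # hostname
    return entries


def pattern_matches(pattern, entry, distro_id, distro_codename):
    """A pattern matches when every key it names equals the entry's value."""
    wanted = parse_pairs(expand_macros(pattern, distro_id, distro_codename))
    return bool(wanted) and all(entry.get(k) == v for k, v in wanted.items())


def allowed_repositories(patterns, policy_text, distro_id, distro_codename):
    """Return [(archive, origin, site, first matching pattern)] per allowed repo."""
    allowed = []
    for entry in parse_policy(policy_text):
        for pattern in patterns:
            if pattern_matches(pattern, entry, distro_id, distro_codename):
                allowed.append((entry.get("archive"), entry.get("origin"),
                                entry.get("site"), pattern))
                break  # one row per repository
    return allowed


# Constructed `apt-cache policy` excerpt for an Ubuntu 16.04 (xenial) host,
# including a third-party PPA (placeholder name) that must NOT be matched.
POLICY_XENIAL = """\
 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-updates,n=xenial,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial,n=xenial,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://ppa.launchpad.net/example/ppa/ubuntu xenial/main amd64 Packages
     release v=16.04,o=LP-PPA-example,a=xenial,n=xenial,l=Example PPA,c=main,b=amd64
     origin ppa.launchpad.net
"""

DEFAULT_PATTERNS = ["origin=Ubuntu,archive=${distro_codename}-security"]
PAGE_PATTERNS = DEFAULT_PATTERNS + [          # the four patterns listed above
    "o=Ubuntu,a=${distro_codename}",
    "o=Ubuntu,a=${distro_codename}-updates",
    "o=Ubuntu,a=${distro_codename}-proposed-updates",
]


def stable_pitfall(pattern, distro_id="Debian", distro_codename="jessie"):
    """Why ${distro_codename} beats a fixed 'stable': the same security repo
    is reported as a=stable before a new release and a=oldstable after it.
    Returns (matched before, matched after). Lines are constructed."""
    before = "release o=Debian,a=stable,n=jessie,l=Debian-Security,c=main"
    after = "release o=Debian,a=oldstable,n=jessie,l=Debian-Security,c=main"
    return (bool(allowed_repositories([pattern], before, distro_id, distro_codename)),
            bool(allowed_repositories([pattern], after, distro_id, distro_codename)))


if __name__ == "__main__":
    for row in allowed_repositories(PAGE_PATTERNS, POLICY_XENIAL, "Ubuntu", "xenial"):
        print("allowed:", row)
    print("o=Debian,a=stable            ->", stable_pitfall("o=Debian,a=stable"))
    print("o=Debian,n=${distro_codename} ->", stable_pitfall("o=Debian,n=${distro_codename}"))
```

With the role's default pattern only the xenial-security repository is allowed; with the four patterns listed above, the security, updates and base archives are allowed while the PPA stays excluded because its origin is not Ubuntu. The pitfall check returns (True, False) for a fixed `a=stable` and (True, True) for the codename form, which is the behaviour the recommendation above warns about. On a real host, feed the output of `apt-cache policy` into `allowed_repositories` instead of the constructed excerpt.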

License

MIT / BSD

Author Information

This role was created by TheDumbTechGuy.

Credits

This role is based on the original work of:

Project information

Configure unattended upgrades for Linux.

Install
ansible-galaxy install thedumbtechguy.unattended-upgrades
License
Unknown
Downloads
1.7k