thedumbtechguy.unattended-upgrades
Ansible Role: Unattended Upgrades
This is an Ansible role designed to set up unattended upgrades on Ubuntu. By default, it only applies security updates.
Requirements
This role has been tested on
Ubuntu 16.04andUbuntu 16.10only.
If you're using Debian, you might need to adjust the unattended_origins_patterns value since it defaults to Ubuntu targets.
Unattended Mail
If you provide an email address for unattended_mail, ensure that the mailx command is available and that your system can send emails.
Automatic Reboot
If you enable automatic reboot by setting unattended_automatic_reboot, the role will try to install the update-notifier-common package, which some systems need to detect and perform reboots after upgrades. You can also set a specific reboot time using unattended_automatic_reboot_time.
Variables
- unattended_origins_patterns: A list of origin patterns to determine which packages can be automatically updated. See Origins Patterns for more details.- Default: ['origin=Ubuntu,archive=${distro_codename}-security']
 
- Default: 
- unattended_package_blacklist: Packages that will not be automatically upgraded.- Default: []
 
- Default: 
- unattended_autofix_interrupted_dpkg: Run- dpkg --force-confold --configure -aif- dpkgexits improperly.- Default: true
 
- Default: 
- unattended_minimal_steps: Break the upgrade into the smallest chunks for easier interruption.- Default: false
 
- Default: 
- unattended_install_on_shutdown: Install unattended upgrades when the machine is shutting down.- Default: false
 
- Default: 
- unattended_mail: Email address to receive information about upgrades or issues.- Default: false(no email sent)
 
- Default: 
- unattended_mail_only_on_error: Send an email only when there are errors—otherwise, email is sent for every upgrade.- Default: false
 
- Default: 
- unattended_remove_unused_dependencies: Automatically remove new, unneeded dependencies after an upgrade.- Default: false
 
- Default: 
- unattended_automatic_reboot: Reboot the system automatically if an upgraded package requires it, immediately after upgrading.- Default: false
 
- Default: 
- unattended_automatic_reboot_time: Reboot the system at a specified time (HH:MM) if an upgrade requires it, instead of immediately.- Default: false
 
- Default: 
- unattended_ignore_apps_require_restart: Unattended-upgrades will ignore certain critical packages that require restarts after upgrades. If set to- true, those packages will be upgraded anyway.- Default: false
 
- Default: 
Origins Patterns
Origins Patterns are a more advanced way to specify Allowed Origins compared to older versions of unattended-upgrade.
Patterns use specific keywords:
- a,- archive,- suite– e.g.- stable,- trusty-security(- archive=stable)
- c,- component– e.g.- main,- contrib,- non-free(- component=main)
- l,- label– e.g.- Debian,- Debian-Security,- Ubuntu
- o,- origin– e.g.- Debian,- Unofficial Multimedia Packages,- Ubuntu
- n,- codename– e.g.- jessie,- trusty(only supported with- unattended-upgrades>= 0.80)
- site– e.g.- http.debian.net
You can check the available repositories using apt-cache policy and debug with the unattended-upgrades -d command on your target system.
Additionally, unattended-upgrades support two variables from /etc/debian_version:
- ${distro_id}– Name of the installed distribution, e.g.- Debianor- Ubuntu.
- ${distro_codename}– Codename of the installed distribution, e.g.- jessieor- trusty.
It is recommended to use ${distro_codename} over stable or oldstable, as these can cause security updates to be missed when the stable version changes to oldstable. This ensures you receive necessary updates for your current distribution.
Usage Example
- hosts: all
  vars:
    unattended_origins_patterns:
      - 'origin=Ubuntu,archive=${distro_codename}-security'
      - 'o=Ubuntu,a=${distro_codename}-updates'
    unattended_package_blacklist: [cowsay, vim]
    unattended_mail: '[email protected]'
  roles:
    - setup_unattended_upgrades
Patterns Examples
By default, only security updates are allowed. You can add more patterns for automatic updates, but be cautious as major automated updates can break your system.
In Ubuntu, the archive always includes the distribution codename.
unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}'
  - 'o=Ubuntu,a=${distro_codename}-updates'
  - 'o=Ubuntu,a=${distro_codename}-proposed-updates'
License
MIT / BSD
Author Information
This role was created by TheDumbTechGuy ( twitter | blog | galaxy )
Credits
This role is based on the original work of:
ansible-galaxy install thedumbtechguy.unattended-upgrades