Unattended Upgrades module for Puppet

Table of Contents

1. Overview
2. Module Description
3. Setup
4. Usage
5. Reference
   • Classes
   • Parameters
6. Limitations - OS compatibility, etc.
7. License

Overview

The unattended_upgrades module allows for the installation and configuration of automatic security (and other) updates through apt.

This functionality used to be part of the puppetlabs-apt module but was split off into its own module.

Module Description

The unattended_upgrades module automates the configuration of apt package updates.

Setup

What unattended_upgrades affects

• Package/configuration for unattended_upgrades

Beginning with unattended_upgrades

All you need to do is include the apt module, include apt, and this module, include unattended_upgrades for it to work.

This module relies on the apt module and will not work without it.

Usage

Using unattended_upgrades simply consists of including the module and if needed altering some of the default settings.

Reference

Classes

• unattended_upgrades: Main class, installs the necessary packages and writes the configuration.

Parameters

unattended_upgrades

• age ({}): A hash of settings with two possible keys:

  • min (2): Minimum age of a cache package file. File younger than min will not be deleted.
  • max (0): Maximum allowed age of a cache package file. File older than max will be deleted.

  Any of these keys can be specified and will be merged into the defaults:

  class { 'unattended_upgrades':
    age => { 'max' => 10 },
  }
  

• auto ({}): A hash of settings with these possible keys:

  • clean(0): Remove packages that can no longer be downloaded from cache every X days (0 = disabled).
  • fix_interrupted_dpkg(true): Try to fix package installation state.
  • reboot(false): Reboot system after package update installation.
  • reboot_time(now): If automatic reboot is enabled and needed, reboot at the specific time (instead of immediately). Expects a string in the format "HH:MM", using the 24 hour clock with leading zeros. Examples: "16:37" for 37 minutes past 4PM, or "02:03" for 3 minutes past 2AM.
  • remove(true): Remove unneeded dependencies after update installation.

  Any of these keys can be specified and will be merged into the defaults:

  class { 'unattended_upgrades':
    auto => { 'reboot' => true },
  }
  

• backup ({}): A hash with two possible keys:

  • archive_interval (0): Backup after n-days if archive contents changed.
  • level (3): Backup level.

  Any of these keys can be specified and will be merged into the defaults:

  class { 'unattended_upgrades':
    backup => { 'level' => 5 },
  }
  

• blacklist([]): A list of packages to not automatically upgrade.

• dl_limit(undef): Use a bandwidth limit for downloading, specified in kb/sec.

• enable (1): Enable the automatic installation of updates.

• install_on_shutdown (false): Install updates on shutdown instead of in the background.

• legacy_origin (true for Debian (squeeze), Ubuntu (precise, trusty, xenial, bionic and default), false for Debian (wheezy and default)): Use the legacy Unattended-Upgrade::Allowed-Origins setting or the modern Unattended-Upgrade::Origins-Pattern.

• mail: A hash to configure email behaviour with the following possible keys:

  • report (undef): Possible values are "always", "only-on-error" or "on-change". Defaults to "on-change". Note that "never" is achieved by not setting any to address.
  • only_on_error (true): Only send mail when something went wrong. Deprecated in unattended-upgrades 1.13 and newer in favor of report.
  • to (undef): Email address to send email too

  If the default for to is kept you will not receive any mail at all. You'll likely want to set this parameter.

  Any of these keys can be specified and will be merged into the defaults:

  class { 'unattended_upgrades':
    mail => { 'to' => 'admin@domain.tld', },
  }
  

• minimal_steps (true): Split the upgrade process into sections to allow shutdown during upgrade.

• origins: The repositories from which to automatically upgrade included packages.

• extra_origins: Additional repositories from which upgrades should be included. Can be used, if the default origins should be kept.

• package_ensure (installed): The ensure state for the 'unattended-upgrades' package.

• random_sleep (undef): Maximum amount of time (in seconds) that the apt cron job can sleep before the execution. The exact amount of time will be random but up to the value specified. The purpose is to avoid that servers/mirrors get hammered at exactly the same time when a lot of machines are switched on, e.g. 9:00 in the morning. Note: If this is left unset, the default value in the apt cron job applies, which is 1800 seconds.

• size (0): Maximum size of the cache in MB.

• update (1): Do "apt-get update" automatically every n-days.

• upgrade (1): Run the "unattended-upgrade" security upgrade script every n-days.

• days ([]): Set the days of the week that updates should be applied. The days can be specified as localized abbreviated or full names. Or as integers where "0" is Sunday, "1" is Monday etc.

• upgradeable_packages ({}): A hash with two possible keys:

  • download_only (0): Do "apt-get upgrade --download-only" every n-days.
  • debdelta (1): Use debdelta-upgrade to download updates if available.

  Any of these keys can be specified and will be merged into the defaults:

  class { 'unattended_upgrades':
    upgradeable_packages => { 'debdelta' => 1, },
  }
  

• verbose (0): Send report mail to root.

• options ({}): A hash of settings with these possible keys:

  • force_confdef (true) : Use the default option for new config files if one is available, don't prompt. If no default can be found, you will be prompted unless one of the confold or confnew options is also given
  • force_confold (true): Always use the old config files, don't prompt
  • force_confnew (false): Always use the new config files, don't prompt
  • force_confmiss (false): Always install missing config files

• remove_new_unused_deps (undef): Automatic removal of newly unused dependencies after the upgrade.

• remove_unused_kernel (undef): Remove unused automatically installed kernel-related packages.

• syslog_enable (undef): Enable logging to syslog. Default is False.

• syslog_facility (undef): Specify syslog facility. Default is daemon.

Limitations

This module should work across all versions of Debian, Ubuntu, and Linux Mint.

License

The original code for this module comes from Evolving Web and was licensed under the MIT license. Code added since the fork of that module into puppetlabs-apt is covered under the Apache License version 2 as is any code added since it was split off into this separate unattended_upgrades module.

The LICENSE contains both licenses.

Changelog

All notable changes to this project will be documented in this file. Each new release typically also includes the latest modulesync defaults. These should not affect the functionality of the module.

v6.0.0 (2021-09-29)

Full Changelog

Breaking changes:

• Drop support for Ubuntu 19.10 (EOL) #198 (smortex)
• Drop support of Puppet 5 (EOL) #196 (smortex)
• Drop support for Debian 8, 9 and Ubuntu 16.04 (EOL) #195 (smortex)

Implemented enhancements:

• Add support for Puppet 7 #197 (smortex)
• Add support for Debian 11 #193 (sboyd-m)
• add support for Package-Whitelist #188 (moritz-makandra)
• add SyslogEnable and SyslogFacility options to unattended-upgrades.erb #182 (kenyon)
• add the Unattended-Upgrade::MailReport setting to unattended-upgrades.erb #181 (kenyon)
• Support Ubuntu Extended Security Maintenance (ESM) #180 (raoulbhatia)

Fixed bugs:

• disable by default and deprecate dpkg "options" parameter #191 (anarcat)

Closed issues:

• Debian 11 changes name of security suite #187

Merged pull requests:

• Add a basic acceptance test #194 (smortex)
• Allow stdlib 8.0.0 #192 (smortex)
• Update dependencies #189 (saz)
• README: fix wording about the mail hash #183 (kenyon)

v5.1.0 (2020-08-23)

Full Changelog

Implemented enhancements:

• Add support for Debian 10 #150
• Support Remove-New-Unused-Dependencies #106
• Add new options remove_new_unused_deps and remove_unused_kernel #177 (gfa)

Closed issues:

• No version of 'puppet-unattended_upgrades' can satisfy all dependencies #167

Merged pull requests:

• unattended-upgrades.erb: update signal comment #178 (kenyon)
• Revert "Add Puppet management headers in the config files" #173 (smortex)
• Add Debian 10 support #172 (ekohl)

v5.0.0 (2020-05-22)

Full Changelog

Breaking changes:

• Drop EOL Linux Mint versions 13 and 17 #168 (ekohl)
• Drop Ubuntu 14.04 #164 (ekohl)
• Update Ubuntu releases per official support/EOL list #160 (raoulbhatia)
• drop Ubuntu 14.04 support #149 (bastelfreak)

Implemented enhancements:

• Allow additional origins without replacing the default one. #142 (fetzerms)

Fixed bugs:

• incorrect Debian OS origin string #145

Closed issues:

• new release #158
• Typo in Readme #155
• License in metadata.json doesn't match the dual licensing documented in the README. #93

Merged pull requests:

• Unify specs for all supported operating systems #170 (ekohl)
• Correct tests for catalog compilation failure #169 (ekohl)
• Remove the $xfacts variable #165 (ekohl)
• Drop file mode checking #163 (mmoll)
• Add Puppet management headers in the config files #162 (arthurbarton)
• Spec: Follow puppetlabs-apt "MODULES-10548: make files readonly" #161 (raoulbhatia)
• Fixed README typo. archive_internal to archive_interval #156 (jhawz)
• Allow puppetlabs/stdlib 6.x #154 (dhoppe)
• Remove duplicate CONTRIBUTING.md file #152 (dhoppe)
• Update README.md #151 (thepro101)
• * fix: debian origins since archive name changes, moved to codename … #148 (deubert-it)
• Allow puppetlabs/apt 7.x #147 (scoopex)
• Additional sanitization of params #143 (fetzerms)

v4.0.0 (2019-04-15)

Full Changelog

Breaking changes:

• modulesync 2.7.0 and drop puppet 4 #140 (bastelfreak)

Implemented enhancements:

• Add support for Unattended-Upgrade::Update-Days #139 (ostavnaas)
• Support support for the KDE Neon distribution #138 (smortex)

Closed issues:

• Support puppetlabs-apt > 5 #133

v3.2.1 (2018-10-14)

Full Changelog

Merged pull requests:

• modulesync 2.2.0 and allow puppet 6.x #134 (bastelfreak)
• Allow puppetlabs-apt 5 & 6 #132 (JayH5)
• allow puppetlabs/stdlib 5.x #130 (bastelfreak)
• Update README.md #129 (TheLimey)

v3.2.0 (2018-06-12)

Full Changelog

Implemented enhancements:

• Allow configuration of Unattended-Upgrade::Sender parameter #119
• Optional argument for specifing the Unattended-Upgrade::Sender config flag #120 (LarsErikP)

Closed issues:

• (Confirm) Ubuntu 18.04 support #124
• Typo - README.md - Reference/options "force_connew" #109

Merged pull requests:

• Add Ubuntu 18.04 LTS "bionic" to the list of supported OSes (fixes #124) #125 (mpdude)
• Remove docker nodesets #123 (bastelfreak)
• drop EOL OSs; fix puppet version range #121 (bastelfreak)
• Fix typo #117 (6uhrmittag)

v3.1.0 (2017-12-09)

Full Changelog

Closed issues:

• Duplicate declaration due to contain ::apt #110

Merged pull requests:

• release 3.1.0 #116 (bastelfreak)
• Add Ubuntu artful #115 (danielhoherd)

v3.0.1 (2017-10-28)

Full Changelog

Closed issues:

• Allowed-Origins contains ${distro_id}:${distro_codename} #107

Merged pull requests:

• Don't contain apt but include instead #111 (alexjfisher)

v3.0.0 (2017-07-07)

Full Changelog

Breaking changes:

• Use Data Types instead of validate_* functions #90 (raphink)

Implemented enhancements:

• Add Debian 9 - Stretch Support #102 (petems)
• Ubuntu: Add 17.04 Zesty Zapus. #89 (raoulbhatia)

Fixed bugs:

• Error when configuring unattended-upgrades #92
• Adds ::apt containment to main class #103 (petems)

Closed issues:

• Not setting up a daily cron #87

Merged pull requests:

• Update Debian upstream names #101 (petems)
• Refactor specs #100 (petems)
• Add tags to metadata.json #98 (petems)
• Allow newer apt modules to satisfy dependency #91 (cpick)
• cleanup README - typos, remove splunk and fix ToC #83 (pono)
• Modulesync 0.18.0 #82 (bastelfreak)

v2.2.0 (2017-01-12)

Full Changelog

Merged pull requests:

• Bump min version_requirement for Puppet #79 (juniorsysadmin)
• Include the release pocket on Ubuntu Xenial and Yakkety. #75 (MichaelGooden)
• Add missing badges #73 (dhoppe)
• Fix order of options to prevent swapping of lines #72 (leonkoens)

v2.1.0 (2016-10-05)

Full Changelog

Implemented enhancements:

• [WIP] Ubuntu updates #62 (raoulbhatia)

Closed issues:

• Puppet 4 compatibility? #63
• Version on Puppet Forge seems to be missing reboot_time parameter in template #59

Merged pull requests:

• Remove 'pe' requirement from metadata #66 (alexjfisher)
• Modulesync 0.9.1 #65 (bastelfreak)
• Make parameter validation more strict #64 (pkkm)
• LinuxMint: Add support for Linux Mint #61 (raoulbhatia)

v2.0.0 (2016-05-26)

Full Changelog

Implemented enhancements:

• Dependency cycle error if sources are managed exclusively by puppet #28

Closed issues:

• Documentation: random_sleep #54
• wrong documentation: legacy_origin #50
• unattended_upgrades module not loading - breaks on Apt::Update dependency #48

Merged pull requests:

• update default parameters for legacy_origin option #58 (GhostLyrics)
• Update from voxpupuli modulesync_config #57 (jyaworski)
• Add parameter to control reboot time #56 (mpdude)
• Small fix for random_sleep documentation. The value is set to undef i… #55 (spoofedpacket)
• add options support #52 (b4ldr)
• Default notify_update to false #51 (daenney)

v1.1.1 (2016-01-11)

Full Changelog

Merged pull requests:

• Fix typo #46 (mcanevet)

v1.1.0 (2016-01-09)

Full Changelog

Fixed bugs:

• content variable seems like it's required for the init file #18

Closed issues:

• New release? #38
• cannot set "install_on_shutdown" and "remove" #36
• No way to define different keys for "auto" in different hiera sources #35
• Clarify random_sleep documentation #34
• clean key of auto hash not documented #24
• Not working on Ubuntu #22
• potential dependency cycle for users #16
• Unattended-Upgrade::Allowed-Origins variables don't work #15
• unattended_upgrades doesn't work with puppet \< 3.5.0 (I think...) #13

Merged pull requests:

• Doc and implementation fixes #44 (daenney)
• Remediate rubocop offenses #43 (rnelson0)
• cleanup(params) make linter happy #42 (igalic)
• feat(msync) move secure line into .sync.yml #40 (igalic)
• Rename reference to puppet-community #39 (rnelson0)
• Include variable 'RandomSleep'. #33 (fbarbeira)
• Add optional notify_update parameter #31 (clauded)
• Small fix typo #27 (fbarbeira)
• Enhancements by merging Debian defaults, puppetlabs-apt and own research #26 (raoulbhatia)
• Document auto -> clean #25 (zeha)
• Support for Raspbian #19 (lbdr)
• Check for strict_variables setting before using defined(), fixes compatibility with Puppet \< 3.5.0 #17 (apeeters)
• unattended-upgrades are broken on Ubuntu by default due to origins typo #14 (cpick)

1.0.3 (2015-04-23)

Full Changelog

Closed issues:

• Duplicate declaration of Class[Apt] #12

Merged pull requests:

• Gemfile: Upgrade to rspec-puppet 2.1.0 #11 (daenney)

1.0.2 (2015-04-22)

Full Changelog

1.0.1 (2015-04-22)

Full Changelog

1.0.0 (2015-04-22)

Full Changelog

Closed issues:

• Add a contributing.md #6

Merged pull requests:

• Prepare 1.0.1 release: #10 (daenney)
• Setup deploy #9 (daenney)
• Rake travis changelog #8 (daenney)
• Add metadata.json #7 (underscorgan)
• travis: Test only latest Ruby and Puppet. #5 (daenney)
• Test updates #4 (underscorgan)
• Test fixes #1 (underscorgan)

* This Changelog was automatically generated by github_changelog_generator