jnv / ansible-role-unattended-upgrades Goto Github PK

The current jnv role is applying old syntax to new machines.

The section origins-pattern seems to have changed to allowed-origins as of 18.04.

We use the Github Action Super-Linter to lint the code base and found some errors in test.sh. You might want to consider fixing it, to make shellcheck happy. 😉 Thx!

2022-03-04 12:54:22 [INFO]   File:[/github/workspace/roles-generic/jnv.unattended-upgrades/tests/test.sh]
2022-03-04 12:54:22 [ERROR]   Found errors in [shellcheck] linter!
2022-03-04 12:54:22 [ERROR]   Error code: 1. Command output:
------

In /github/workspace/roles-generic/jnv.unattended-upgrades/tests/test.sh line 7:
red=''
^-^ SC2034 (warning): red appears unused. Verify use (or export if used externally).


In /github/workspace/roles-generic/jnv.unattended-upgrades/tests/test.sh line 8:
green=''
^---^ SC2034 (warning): green appears unused. Verify use (or export if used externally).


In /github/workspace/roles-generic/jnv.unattended-upgrades/tests/test.sh line 9:
neutral=''
^-----^ SC2034 (warning): neutral appears unused. Verify use (or export if used externally).

For more information:
  https://www.shellcheck.net/wiki/SC2034 -- green appears unused. Verify use ...

Per #44.

I get this on ubuntu 18:

[WARNING]: Could not find aptitude. Using apt-get instead

Please use force_apt_get: yes to avoid this.

Source: https://wiki.debian.org/UnattendedUpgrades

Add the ability to override for upgrades.

Should create the path/file /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf with the following

[Timer]
OnCalendar=
OnCalendar=01:00  -- Should be a customizable variable
RandomizedDelaySec=0 -- should be a customizable variable

Defaults (ubuntu 18.04 at least)

[Timer]
OnCalendar=*-*-* 6:00
RandomizedDelaySec=60m

After using this role on a couple of machines, it set up unattended upgrades (yay!), but it seems that it might be leaving behind a file /etc/apt/apt.conf.d/20auto-upgrades.ucf-dist?

CORP\marca@marcatest1:~$ sudo apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
N: Ignoring file '20auto-upgrades.ucf-dist' in directory '/etc/apt/apt.conf.d/' as it has an invalid filename extension

I'll try to take a look and see if I can figure out what's going on.

Hi,

I've added your role.

  roles:
    - { role: jnv.unattended-upgrades, sudo: yes }

However I've encountered the not writable error. Should I make the directory writable before running the role?

It seems that @cederberg has deleted his https://github.com/cederberg/ansible-bootstrap role.

Would you happen to have a clone or snapshot of it? Otherwise, references to it should be removed from the README.

(I had a snapshot of it - but sadly I deleted it to get the latest version of each role, only to be unable to download it!)

With Ubuntu 18.04 the variable in /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Origins-Pattern
changed to
Unattended-Upgrade:Allowed-Origins

Otherwise this error appears:
Traceback (most recent call last): File "/usr/bin/unattended-upgrade", line 1993, in <module> sys.exit(main(options)) File "/usr/bin/unattended-upgrade", line 1649, in main cache, options, allowed_origins, blacklisted_pkgs, whitelisted_pkgs) File "/usr/bin/unattended-upgrade", line 1340, in calculate_upgradable_pkgs ver_in_allowed_origin(pkg, allowed_origins) File "/usr/bin/unattended-upgrade", line 685, in ver_in_allowed_origin if is_allowed_origin(ver, allowed_origins): File "/usr/bin/unattended-upgrade", line 669, in is_allowed_origin if match_whitelist_string(allowed, origin): File "/usr/bin/unattended-upgrade", line 490, in match_whitelist_string for s in token.split("=")] ValueError: not enough values to unpack (expected 2, got 1)

Oh, missed this one. The role should make sure that file /etc/apt/apt.conf.d/10periodic used in the previous version is absent.

Follow-up to #31.

Since there is apt.conf.d directory, configuration files are applied in order and the file with higher number overrides previous. Therefore we don't need to modify original files; we just generate a new file with a high number, say 90-ansible-unattended-upgrades. Apt will happily manage defaults and no ucf-dist files will be generated.

Now, the question is how to handle the transition. Ideally we want to put 20auto-upgrades and 50unattended-upgrades files into a pristine state. Perhaps, like with 10periodic file, there can be a one-shot command to reinstall the package.

Several options exist to control logging to syslog (default is to log to separate files in /var/log). These options have been around for a while, and at least the unattended-upgrades version in Debian 10 (1.11.2) supports them.
The options are listed at the bottom of https://github.com/mvo5/unattended-upgrades/blob/1.11.2/README.md.
They would help to meet audit requirements in some environments, as it allows VMs to be destroyed and recreated, while still keeping the unattended-upgrades logs available if a central syslog server is used.

These syslog options should be supported by this ansible role.

Would you accept a PR for this?

While merging my current config with what this role provides, there seem to be no options for:

1. unattended_dev_release

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";

2. unattended_remove_unused_kernel_packages

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

//Acquire::http::Dl-Limit "70";

I would like to set the bandwith limit, but it's the only missing variable in that role. Is it possible to add it?

From playbook output:

[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed in version 2.16. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

Hi,

I am trying to use your play with the default settings (install security updates but nothing else) like this:

- hosts: all
  roles:
    - role: jnv.unattended-upgrades
      unattended_mail: "[email protected]"

However, I am getting this failure when running it:

PLAY ***************************************************************************

TASK [setup] *******************************************************************
ok: [127.0.0.1]

TASK [jnv.unattended-upgrades : install unattended-upgrades] *******************
ok: [127.0.0.1]

TASK [jnv.unattended-upgrades : install reboot dependencies] *******************
skipping: [127.0.0.1]

TASK [jnv.unattended-upgrades : create APT auto-upgrades configuration] ********
ok: [127.0.0.1]

TASK [jnv.unattended-upgrades : create unattended-upgrades configuration] ******
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "msg": "AnsibleUndefinedVariable: ERROR! '__unattended_origins_patterns' is undefined"}

PLAY RECAP *********************************************************************
127.0.0.1               : ok=3    changed=0    unreachable=0    failed=1

Information about the system I am running this on:

$ ansible --version
ansible 2.0.0.2
  config file = 
  configured module search path = Default w/o overrides
$ cat /etc/debian_version 
8.3
$ cat /etc/issue
Debian GNU/Linux 8 \n \l
$ cat /etc/ansible/roles/jnv.unattended-upgrades/meta/.galaxy_install_info 
{install_date: 'Wed Feb 17 10:14:56 2016', version: v1.1.1}

Any idea how to fix this?

Not sure it's really an issue with this role, maybe more the host system, but I'll post it here anyway.

I have 2 systems where /etc/cron.daily/apt does not exist and is instead called /etc/cron.daily/apt.disabled. In this situation, the unattended-upgrades package does not get run.

Maybe there could be a check in this role to make sure that the necessary cron files exist? I'm not sure if they are standard across distributions though, so understand if it's not practical.

The "Unattended-Upgrade::Sender" is missing from available parameters.

The default, at least on Ubuntu is "root" which makes the mails sent go directly to Junk folder (at best or in trash for some recipients...)

Can you please add this parameters to vars and template ?

According to https://help.ubuntu.com/community/AutomaticSecurityUpdates (and several other sources):

If you want the script to automatically reboot when needed, you not only need to set Unattended-Upgrade::Automatic-Reboot "true", but you also need to have the "update-notifier-common" package installed. On minimal installations this is not installed by default and without it the automatic updater will never reboot and will not even tell you that you need to reboot manually if you have email notifications configured!

I think it would be nice to have a conditional task that installs the aforementioned package if necessary (that is, if the unattended_automatic_reboot variable is set to true).

Hi, I'm including this role in another open source project, and would like to be respectful of licensing. I'm having a bit of trouble with the attribution in this case:

$ grep -i copyright /Users/kvz/code/frey/roles/unattended-upgrades/v1.2.0/LICENSE
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
  We protect your rights with two steps: (1) copyright the software, and
a notice placed by the copyright holder saying it may be distributed
means either the Program or any derivative work under copyright law:
copyright notice and disclaimer of warranty; keep intact all the
    announcement including an appropriate copyright notice and a
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
to ask for permission.  For software which is copyrighted by the Free
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
the "copyright" line and a pointer to where the full notice is found.
    Copyright (C) <year>  <name of author>
    Gnomovision version 69, Copyright (C) year name of author
school, if any, to sign a "copyright disclaimer" for the program, if
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program

Who should be credited here? It seems the license still holds <name of author>

When executing this roles following warning appears:

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. 
Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. 
This feature will be removed in a future
release. 
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. 
This feature will be removed in a future release. 
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Hi,

Thank you for sharing this module. I have a couple of questions based on my current setup. I am using packer to build a virtualbox-ovf. Within my scripts and modules I am using Ansible to install a bunch of packages + the unattended ones.

The roles folder structure is identical to yours. While running the playbook all the tasks succeed as well however when i log on to the virtualbox vm to check if unattended was installed and /etc/apt/apt.conf.d/50unattened was modified..... I dont see any changes.

Any opinion on what could be causing this ? My main.yml calling the role looks like:

- hosts: all
  roles:
    - { role: qcs.users, sudo: yes }
    - qcs.base-pkgs
    - role: unattended

Output of my playbook when I run packer build:

virtualbox-ovf: TASK [unattended : include] ****************************************************
virtualbox-ovf: included: /tmp/packer-provisioner-ansible-local/roles/unattended/tasks/unattended-upgrades.yml for 127.0.0.1
virtualbox-ovf:
virtualbox-ovf: TASK [unattended : add distribution-specific variables] ************************
virtualbox-ovf: ok: [127.0.0.1]
virtualbox-ovf:
virtualbox-ovf: TASK [unattended : install unattended-upgrades] ********************************
virtualbox-ovf: ok: [127.0.0.1]
virtualbox-ovf:
virtualbox-ovf: TASK [unattended : install reboot dependencies] ********************************
virtualbox-ovf: skipping: [127.0.0.1]
virtualbox-ovf:
virtualbox-ovf: TASK [unattended : create APT auto-upgrades configuration] *********************
virtualbox-ovf: changed: [127.0.0.1]
virtualbox-ovf:
virtualbox-ovf: TASK [unattended : create unattended-upgrades configuration] *******************
virtualbox-ovf: changed: [127.0.0.1]
virtualbox-ovf:
virtualbox-ovf: PLAY RECAP *********************************************************************
virtualbox-ovf: 127.0.0.1                  : ok=19   changed=14   unreachable=0    failed=0

Using v1.4.0 of this module, with both reboot-notifier and update-notifier installed on the target host, I get:

TASK [jnv.unattended-upgrades : install update-notifier-common] *******************
fatal: [my_host]: FAILED! => {"changed": false, "msg": "No package matching 'update-notifier-common' is available"}
...ignoring

It would be nice, if APT::Periodic::Enable could be set explicitly by this role. Armbian, for example, installs
/etc/apt/apt.conf.d/02-armbian-periodic, which contains APT::Periodic::Enable "0";.

Looks like ansible galaxy hasn't yet picked up version 1.1.1

I think you have to go into "my roles" and hit "re-import"

Issue Type:
Bug Report
Ansible Version:
ansible 1.7.2
Environment:
Ubuntu 14.04

Summary:
/playbook.yml

---
- name: Create of user
hosts: 'all'
sudo: yes
roles:
  # Add main user with sudo access.
  - role: add_user
    add_user__user:
      name: 'ansible-runner'

/roles/add_user/vars/main.yml

---
_home_path: '/home/{{ add_user__user.name }}'

/group_vars/* or /host_vars/*

---
add_user__user:
  name: 'master'

/roles/add_user/task/main.yml

---
- include_vars: main.yml

- debug: msg='{{ _home_path }}'

If I run this task. I see this:

TASK: [add_user | debug msg='/home/ansible-runner'] ***************************
ok: [192.168.142.3] => {
"msg": "/home/ansible-runner"
}

I think that's right.

But if I change task to this:

/roles/add_user/task/main.yml

---
- debug: msg='{{ _home_path }}'

TASK: [add_user | debug msg='/home/ansible-runner'] ***************************
ok: [192.168.142.3] => {
"msg": "/home/master"
}

This is unpredictable. Why is the variable of the playbook has a low priority?

So it must be, or this is a bug?

Stretch enters hard freeze February 5th, per the release timeline. Would be nice if this role supported Stretch before the final release so we can test against it and have it ready to go on release day.

Thanks!

Hi,

I want to upgrade our OS from 15.10 (which runs the unattended upgrades beautifully) to 16.04...I upgraded the ami to 16.04 using packer and it didnt throw out any error but when i log on to a test machine i get the following error as soon as you run an apt-get update:

N: Ignoring file '50unattended-upgrades.ucf-dist' in directory '/etc/apt/apt.conf.d/' as it has an invalid filename extension

If unattended_mail is set, the logs will be mailed.
The default in Debian Stretch is to automagically install security updates, and in this case it would be nice to know what the changelog for these packages was.
This is done with apt-listchanges, which is triggered by default from /etc/apt/apt.conf.d/20listchanges. By default the apt-listchanges configuration file /etc/apt/listchanges.conf` lists:

which=news

Which for unattended installs such as apt, does not send mail.

Hence it would be a nice idea to expand this role so that:

1. the email_address in /etc/apt/listchanges.conf is also set to the value to unattended_mail.
2. introduce a new config option (unattended_mail_listchanges that sets which=both.

This should probably be done with the ini module, as /etc/apt/listchanges.conf is an ini file.

I can contribute with a PR if there is interest

I get the following warning when running my playbook.

ansible version 2.8.0
jnv.unattended-upgrades version: v1.7.0

TASK [jnv.unattended-upgrades : install update-notifier-common] ******************************************************************************************************************************************************************************
[DEPRECATION WARNING]: evaluating unattended_automatic_reboot as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future. Also see CONDITIONAL_BARE_VARS configuration toggle.. This     
feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. 

My role definition:

    - role: jnv.unattended-upgrades
      vars:
        unattended_origins_patterns:
          - 'origin=Ubuntu,archive=${distro_codename}-security'
        unattended_automatic_reboot: true
      when: "unattended_upgrades|bool"

It would be nice if the deployed files would contain a "managed by ansible" header. Adding this line at the top would do the trick:

// {{ ansible_managed }}

If a PR helps, I will gladly provide one.. :)

I just figured out that you must put your vars/main.yml into defaults/main.yml instead. Otherwise the role variable defaults are not lowest precedence and you can't override them in your group_vars/* or host_vars/*.

See also: http://docs.ansible.com/playbooks_roles.html#role-default-variables

Hello,

I still have the 10Periodic file present which overwrites 20auto-upgrade. Can we add a task to delete the file when the playbook runs, instead of using the one-shot command?

I'm getting emails daily

/etc/cron.daily/apt:
Package 'apport' has conffile prompt and needs to be upgraded manually

I have unattended_mail:false (default), and unattended_autofix_interrupted_dpkg:true (default).

I'm not quite sure what needs to be done.

Apparently all systemd systems are suffering from this:

http://askubuntu.com/questions/824718/ubuntu-16-04-unattended-upgrades-runs-at-random-times

Not entire sure but it seems appropriate to add the timer override to this role, so there is predictable behavior.

Probably using molecule with Testinfra. It can be run on Travis.

Lighter solution with multi-distro testing: https://www.jeffgeerling.com/blog/2018/how-i-test-ansible-configuration-on-7-different-oses-docker

Hi!

I have been using this role with success on Ubuntu 16 LTS for a few years, and it worked just fine. Recently I re-created servers with Ubuntu 20 LTS, and it turns out the unattented-upgrades process is not started automatically anymore.

I am still investigating, but I believe the cron job is not running at all or something.

Did anyone meet a similar issue?

Even a confirmation that the role works for you on Ubuntu 20 will already be useful.

Thanks for your input!

Full configuration

I am using the role version v1.11.0 with this type of configuration:

unattended_automatic_reboot: true
unattended_remove_unused_dependencies: true
unattended_automatic_reboot_time: "18:30"

# Copied from __unattended_origins_patterns for Ubuntu
default_unattended_origins_pattern: 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu'

# Override to include other origins + the default one
unattended_origins_patterns:
  - '{{ default_unattended_origins_pattern }}'
  - 'origin=packagecloud.io/phusion/passenger'

The generated files are:

$ cat /etc/apt/apt.conf.d/20auto-upgrades
// Ansible managed
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";

and:

$ cat /etc/apt/apt.conf.d/50unattended-upgrades
// Ansible managed

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
Unattended-Upgrade::Origins-Pattern {
      "origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu";
      "origin=packagecloud.io/phusion/passenger";
  };

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
};

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";

// Do automatic removal of all unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "18:30";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
Unattended-Upgrade::OnlyOnACPower "False";

Thank you!

Hi,

on a wheezy installation (raspbian), I get this error when running unattended-upgrade:

Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 1011, in <module>
    main(options)
  File "/usr/bin/unattended-upgrade", line 793, in main
    allowed_origins=allowed_origins)
  File "/usr/bin/unattended-upgrade", line 75, in __init__
    self.adjust_candidate_versions()
  File "/usr/bin/unattended-upgrade", line 92, in adjust_candidate_versions
    if is_allowed_origin(pkg.candidate, self.allowed_origins):
  File "/usr/bin/unattended-upgrade", line 364, in is_allowed_origin
    if match_whitelist_string(allowed, origin):
  File "/usr/bin/unattended-upgrade", line 272, in match_whitelist_string
    what, token))
__main__.UnknownMatcherError: Unknown whitelist entry for macher 'codename' (token 'codename=wheezy')

ii  unattended-upgrades                   0.79.5+rpi1                             all          automatic installation of security upgrades

unattended-upgrades is > 0.70.

Can you give me any advice how to fix this properly?

Unfortunately I don't have time nor motivation to maintain this role anymore, so with this I announce that the jnv.unattended-upgrades role is deprecated.

This probably doesn't come as a surprise with multiple unanswered issues and pull requests. I originally hoped to finish the migration to v2.0 of this role with #32, but with the closure of Travis CI I have lost the testing setup. And since I don't use this role myself anymore (nor Ansible), I don't have any confidence in pushing changes to this role.

I appreciate all the time you spent with your contributions and I am sorry if your PR wasn't accepted.

What's next?

I have pushed one last update with link to this issue in the README and marked the role as deprecated in Galaxy.

I won't be accepting pull requests and bug reports, but I won't archive the repository to keep this issue open for comments.

I would like to collect alternatives and significant forks of this role in this issue. Please, comment with your recommendations – especially for roles with a migration path from this role!

Unresolved issues and pull requests

The following issues remain unresolved with this role:

• #32 and #66
• #46
• #47 and #85
• #53 and #59
• #57
• #63
• #64
• #68
• #78
• #82
• #89
• #91
• #94 and #92
• #97
• #40
• #58
• #83
• #84

Alternative roles

Check out the maintained fork of this role by @hifis-net: https://github.com/hifis-net/ansible-role-unattended-upgrades (hifis.unattended_upgrades on Galaxy).

Other roles with similar purpose (I haven't tested them, but they seem actively maintained and popular):

• https://galaxy.ansible.com/weareinteractive/apt
• https://galaxy.ansible.com/geerlingguy/security

Further recommendations are welcome, especially if they provide a migration path from this role.

Lately I've observed a few upgrades failing due to modified config files in /etc/. What I'd like to do is force keeping the customized config files, which is possible via dpkg options, but the role does not support appending any additional options to the unattended-upgrades config.

See here for an example implementation: StreisandEffect/streisand@24de9b9

I propose adding a new role var called unattended_dpkg_options and set it to an empty list. Users of the role can then override that var to enable upgrades of packages with modified config files, e.g.:

unattended_dpkg_options:
  - "--force-confdef"
  - "--force-confold"

Then we can loop over that list var in the existing templates/unattended-upgrades.j2 and write out any options. By default, the role behavior would not change. I'm amenable to setting the above vars as the default var values (strikes me as a sane default), but mostly I just want override capability.

@jnv If you agree, please assign issue to me and I'm happy to put together a PR.

Hey,

your build is failing. I expect that it'll work anyway, but reduce your travis output to go on 'passing' again.

Thanks a lot for your work.

Best regards,
Felix

In 'tasks/unattended-upgrades.yml' there are variables used from the host being provisioned.
in case you do not have those variables, those ansible facts are not present and provisioning fails.
a warning/message OR sensible defaults might make sense to implement.

thanks for a nice package guys!

systemctl list-timers
-Will cause trouble if you want to upgrade at a fixed time; planning backups prior upgrade for example.

No solution found yet.
Reference:
http://askubuntu.com/questions/824718/ubuntu-16-04-unattended-upgrades-runs-at-random-times

The latest version on galaxy is v1.11.0. The newer version are missing.

Is there any reason not to install bsd-mailx if unattended_mail has been set to TRUE?

This is the package I've always used for this, when configuring this functionality manually. I'd like to start using this role, but that package installation is missing. It shouldn't be necessary to install that and then run this role.

We could introduce variables like:

• install_mailer (boolean, defaults to False)
• mailer_package (defaults to bsd-mailx)

I could put together a PR if there are no objections.

It looks like the origins [security, updates] do not work on Wheezy.

Related: https://tickets.puppetlabs.com/browse/MODULES-568

Wondering what I did for this to happen. Using Ubuntu 18.04. I don't think that I edited this manually.

It's trying to install unattended-upgrades (1.1ubuntu1.18.04.14) ...

Line by line differences between versions                                                                                        
                                                                                                                                 
Old file: /etc/apt/apt.conf.d/50unattended-upgrades root.root 0644 2020-02-27 17:08:37                                           
New file: /etc/apt/apt.conf.d/50unattended-upgrades.ucftmp root.root 0644 2020-02-17 11:37:03                                    
                                                                                                                                 
// Unattended-Upgrade::Origins-Pattern controls which package | // Automatically upgrade packages from these (origin:archive)    
// upgraded. | //                                                                                                                
Unattended-Upgrade::Origins-Pattern { | // Note that in Ubuntu security updates may pull in new depen                            
 "origin=Ubuntu,archive=${distro_codename}-security"; | // from non-security sources (e.g. chromium). By allowing the            
 > // pocket these get automatically pulled in.                                                                                  
 > Unattended-Upgrade::Allowed-Origins {                                                                                         
 > "${distro_id}:${distro_codename}";                                                                                            
 > "${distro_id}:${distro_codename}-security";                                                                                   
 > // Extended Security Maintenance; doesn't necessarily                                                                         
 > // every release and this system may not have it inst                                                                         
 > // available, the policy for updates is such that una                                                                         
 > // should also install from here by default.                                                                                  
 > "${distro_id}ESMApps:${distro_codename}-apps-security                                                                         
 > "${distro_id}ESM:${distro_codename}-infra-security";                                                                          
 > // "${distro_id}:${distro_codename}-updates";                                                                                 
 > // "${distro_id}:${distro_codename}-proposed";                                                                                
 > // "${distro_id}:${distro_codename}-backports";                                                                               
 }; };                                                                                                                           
                                                                                                                                 
// List of packages to not update (regexp are supported) // List of packages to not update (regexp are supported)                
Unattended-Upgrade::Package-Blacklist { Unattended-Upgrade::Package-Blacklist {                                                  
 > // "vim";                                                                                                                     
 > // "libc6";                                                                                                                   
 > // "libc6-dev";                                                                                                               
 > // "libc6-i686";                                                                                                              
}; };