
puppet-unattended_upgrades's Introduction

Unattended Upgrades module for Puppet


Table of Contents

  1. Overview
  2. Module Description
  3. Setup
  4. Usage
  5. Reference
  6. Limitations - OS compatibility, etc.
  7. License

Overview

The unattended_upgrades module allows for the installation and configuration of automatic security (and other) updates through apt.

This functionality used to be part of the puppetlabs-apt module but was split off into its own module.

Module Description

The unattended_upgrades module automates the configuration of apt package updates.

Setup

What unattended_upgrades affects

  • Package/configuration for unattended_upgrades

Beginning with unattended_upgrades

All you need to do is include the apt module (include apt) and this module (include unattended_upgrades).

This module relies on the apt module and will not work without it.

Usage

Using unattended_upgrades simply consists of including the module and if needed altering some of the default settings.

Reference

Classes

  • unattended_upgrades: Main class, installs the necessary packages and writes the configuration.

Parameters

unattended_upgrades

  • age ({}): A hash of settings with two possible keys:

    • min (2): Minimum age of a cache package file. Files younger than min will not be deleted.
    • max (0): Maximum allowed age of a cache package file. Files older than max will be deleted.

    Any of these keys can be specified and will be merged into the defaults:

    class { 'unattended_upgrades':
      age => { 'max' => 10 },
    }
  • auto ({}): A hash of settings with these possible keys:

    • clean(0): Remove packages that can no longer be downloaded from cache every X days (0 = disabled). Also supports 'always' as value to execute this operation every time the script is executed.
    • fix_interrupted_dpkg(true): Try to fix package installation state.
    • reboot(false): Reboot system after package update installation.
    • reboot_withusers(true): If automatic reboot is enabled and needed, reboot even if there are users currently logged in.
    • reboot_time(now): If automatic reboot is enabled and needed, reboot at the specific time (instead of immediately). Expects a string in the format "HH:MM", using the 24 hour clock with leading zeros. Examples: "16:37" for 37 minutes past 4PM, or "02:03" for 3 minutes past 2AM.
    • remove(true): Remove unneeded dependencies after update installation.

    Any of these keys can be specified and will be merged into the defaults:

    class { 'unattended_upgrades':
      auto => { 'reboot' => true },
    }
  • backup ({}): A hash with two possible keys:

    • archive_interval (0): Backup after n-days if archive contents changed.
    • level (3): Backup level.

    Any of these keys can be specified and will be merged into the defaults:

    class { 'unattended_upgrades':
      backup => { 'level' => 5 },
    }
  • blacklist([]): A list of packages to not automatically upgrade.

  • dl_limit(undef): Use a bandwidth limit for downloading, specified in kb/sec.

  • enable (1): Enable the automatic installation of updates.

  • install_on_shutdown (false): Install updates on shutdown instead of in the background.

  • mail: A hash to configure email behaviour with the following possible keys:

    • report (undef): Possible values are "always", "only-on-error" or "on-change". Defaults to "on-change". Note that "never" is achieved by not setting any to address.
    • only_on_error (true): Only send mail when something went wrong. Deprecated in unattended-upgrades 1.13 and newer in favor of report.
    • to (undef): Email address to send email to.

    If the default for to is kept you will not receive any mail at all. You'll likely want to set this parameter.

    Any of these keys can be specified and will be merged into the defaults:

    class { 'unattended_upgrades':
      mail => { 'to' => '[email protected]', },
    }
  • minimal_steps (true): Split the upgrade process into sections to allow shutdown during upgrade.

  • origins: The repositories from which to automatically upgrade included packages.

    The default origins can be replaced with contents of an array:

    class { 'unattended_upgrades':
      origins => [
        'origin=${distro_id},suite=${distro_codename}',
        'origin=${distro_id},suite=${distro_codename}-security',
        'origin=${distro_id},suite=${distro_codename}-backports',
        'origin=${distro_id},suite=${distro_codename}-updates',
      ],
    }
  • extra_origins: Additional repositories from which upgrades should be included. Can be used, if the default origins should be kept.

  • package_ensure (installed): The ensure state for the 'unattended-upgrades' package.

  • random_sleep (undef): Maximum amount of time (in seconds) that the apt cron job can sleep before the execution. The exact amount of time will be random but up to the value specified. The purpose is to avoid that servers/mirrors get hammered at exactly the same time when a lot of machines are switched on, e.g. 9:00 in the morning. Note: If this is left unset, the default value in the apt cron job applies, which is 1800 seconds.

  • size (0): Maximum size of the cache in MB.

  • update (1): Do "apt-get update" automatically every n-days. Also supports 'always' as value to execute this operation every time the script is executed.

  • upgrade (1): Run the "unattended-upgrade" security upgrade script every n-days. Also supports 'always' as value to execute this operation every time the script is executed.

  • days ([]): Set the days of the week that updates should be applied. The days can be specified as localized abbreviated or full names, or as integers where "0" is Sunday, "1" is Monday, etc.

  • upgradeable_packages ({}): A hash with two possible keys:

    • download_only (0): Do "apt-get upgrade --download-only" every n-days. Also supports 'always' as value to execute this operation every time the script is executed.
    • debdelta (1): Use debdelta-upgrade to download updates if available.

    Any of these keys can be specified and will be merged into the defaults:

    class { 'unattended_upgrades':
      upgradeable_packages => { 'debdelta' => 1, },
    }
  • verbose (0): Send report mail to root.

  • remove_new_unused_deps (undef): Automatic removal of newly unused dependencies after the upgrade.

  • remove_unused_kernel (undef): Remove unused automatically installed kernel-related packages.

  • syslog_enable (undef): Enable logging to syslog. Default is False.

  • syslog_facility (undef): Specify syslog facility. Default is daemon.

  • only_on_ac_power (undef): Download and install upgrades only on AC power. Default is true.

  • allow_downgrade (undef): Allow package downgrade if Pin-Priority exceeds 1000. Default is false.

Limitations

This module should work across all versions of Debian, Ubuntu, and Linux Mint.

License

The original code for this module comes from Evolving Web and was licensed under the MIT license. Code added since the fork of that module into puppetlabs-apt is covered under the Apache License version 2 as is any code added since it was split off into this separate unattended_upgrades module.

The LICENSE contains both licenses.

puppet-unattended_upgrades's People

Contributors

alexjfisher, anarcat, bastelfreak, bbriggs, clauded, daenney, dan33l, deubert-it, dhoppe, djmofcourse, ekohl, fbarbeira, fetzerms, gfa, ghoneycutt, hufschmidt, igalic, juniorsysadmin, jyaworski, kenyon, larserikp, nibalizer, petems, pkkm, raoulbhatia, rnelson0, smortex, towo, yastupin, zilchms

puppet-unattended_upgrades's Issues

Puppet 4 compatibility?

The change log for version 1.0.3 says 'Tested on Puppet 4.', however the compatibility on the Puppet Forge says 'Puppet >= 3.4.0 < 4.0.0'. Small discrepancy there it seems?

potential dependency cycle for users

The 3 requires here could cause issues for users: 886245f#diff-60ae41fd0a31977447947f59940ee9a4R54

We ran into an issue where new hosts coming up couldn't find packages that were in our repo because the apt-get update wasn't running before packages were installed. A solution would be something like this in site.pp:

Class['apt::update'] -> Package <| |>

However, the requires here cause a dependency cycle if you do that. apt::conf notifies Exec['apt_update'] (in apt::setting), so Package['unattended-upgrades'] gets chained before the apt update, but my spaceship operator up there wants to chain it after.

We ran into this problem with our own in-house unattended-upgrades module which had the exact same dependency (probably for the same reason :)). The only way for a user of your module in our situation to work around this would be:

Class['apt::update'] -> Package <| title != "unattended-upgrades" |>

which would work but is very hacky.

If you don't chain here, of course, you run the risk that the apt-periodic daily cron job runs after you've put down these config files but before the unattended-upgrades package is installed. In practice, that's going to require some incredibly exact timing, and the result is just a failed cron job and not a failed puppet run. We decided the risk was worthwhile.

It's occurred to us that perhaps we're doing something wrong with the above chaining, but we can't figure out what the "right" way to do it would be. Any ideas?

Typo - README.md - Reference/options "force_connew"

File in question: puppet-unattended_upgrades/README.md
Line: 162
Solution: force_connew -> force_confnew

The documentation contains a typo at
Reference -> Parameters -> options

force_connew (false): Always use the new config files, don't prompt

The key is named : force_confnew

See: puppet-unattended_upgrades/manifests/params.pp

                                    'force_confold'        => true,
                                    'force_confnew'        => false,
                                    'force_confmiss'       => false, }

Error while evaluating a Resource Statement, Duplicate declaration: Package[unattended-upgrades] is already declared

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.23.0
  • Ruby: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]
  • Distribution: Debian GNU/Linux 12 (bookworm)
  • Module version: 8.0.0

How to reproduce (e.g Puppet code you use)

# Basic config for all Debian nodes
class profile::debianapt {
  # install basic packages
  class { 'apt':
    update => {
      frequency => 'daily',
    },
    purge  => {
      'sources.list' => true
    },
  }
  apt::source { "deb.debian.org-${facts['os']['distro']['codename']}":
    location => 'http://deb.debian.org/debian/',
    repos    => 'main non-free-firmware non-free contrib',
    include  => {src => true}
  }
# more apt sources

  class { 'unattended_upgrades':
    auto                   => {
      clean  => 'always',
      remove => true
      },
    enable                 => true,
    origins                => [
    'origin=${distro_id},suite=${distro_codename}',
    'origin=${distro_id},suite=${distro_codename}-security',
    'origin=${distro_id},suite=${distro_codename}-backports',
    'origin=${distro_id},suite=${distro_codename}-updates',
    ],
    remove_new_unused_deps => true,
  }
}

What are you seeing

error about duplicate declaration when trying to run puppet agent --test

What behaviour did you expect instead

successfully configuring unattended upgrades

Output log

root:/etc/puppet/code/environments/production# puppet agent --test
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Package[unattended-upgrades] is already declared at (file: /etc/puppet/code/environments/production/modules/profile/manifests/debianapt.pp, line: 16); cannot redeclare (file: /etc/puppet/code/environments/production/modules/unattended_upgrades/manifests/init.pp, line: 50) (file: /etc/puppet/code/environments/production/modules/unattended_upgrades/manifests/init.pp, line: 50, column: 3) on node puppet.jmbfountain.de
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Any additional information you'd like to impart

I'm fairly new to both Puppet and Ruby, so this might just be an error I made and don't know how to correctly google.

I installed the module using puppet module install puppet-unattended_upgrades --version 8.0.0 and declared it using

class { 'unattended_upgrades':
  age => { 'max' => 10 },
}

as shown in the README.

However, if I then try to roll this out to an agent, it says it can't declare unattended_upgrades in the init.pp of the unattended_Upgrades module because it's already declared.

Dependency cycle error if sources are managed exclusively by puppet

Description

If you use the purge option of the main ::apt class, and want to manage sources exclusively in Puppet, then you fall in a dependency cycle error when using this module.

Problem

The sources are purged, they need to be updated, but they wait for apt::conf of this module and apt::conf require the Package['unattended-upgrades'] that can't be installed because sources are purged or wait for Class['apt::update'] .

Testing code

    class base::apt inherits base {

      $ubuntu_location = 'http://archive.ubuntu.com/ubuntu'
      $ubuntu_repos = 'main universe'

      class { 'apt':
        purge => {
          'sources.list'   => true,
          'sources.list.d' => true,
          'preferences'    => true,
          'preferences.d'  => true
        },
      }

      apt::source { 'ubuntu':
        location    => $ubuntu_location,
        release     => $lsbdistcodename,
        repos       => $ubuntu_repos,
        include_src => true,
      }

      apt::source { 'ubuntu_updates':
        location    => $ubuntu_location,
        release     => "${lsbdistcodename}-updates",
        repos       => $ubuntu_repos,
        include_src => true,
      }

      apt::source { 'ubuntu_security':
        location    => $ubuntu_location,
        release     => "${lsbdistcodename}-security",
        repos       => $ubuntu_repos,
        include_src => true,
      }
    }

My base class includes many modules and some of them use also the ::apt class, like the docker one garethr-docker and the unattended-upgrades.

So, I need to execute apt_update before installing anything.

class base {
   Class['apt::update'] -> Package<| |>
    include 'base::apt'
    include 'unattended-upgrades'
    include 'base::install' # list of packages to install
}

Then my node is simply:

node default {
    include 'base'
}

(Confirm) Ubuntu 18.04 support

On Ubuntu 18.04 (with Puppet 5.4.0), I get the following error message in my master's log:

(Scope(Class[Unattended_upgrades::Params])) Ubuntu 18.04 "bionic" has reached End of Life - please upgrade!

Ubuntu 18.04 is the latest LTS release.

content variable seems like it's required for the init file

When I try to run this as-is I get:

Error: Must pass content to Apt::Conf[auto-upgrades] at /etc/puppet/modules/unattended_upgrades/manifests/init.pp:63 on node

If I modify it to (adding the content line)

  apt::conf { 'auto-upgrades':
    ensure   => absent,
    priority => 20,
    content  => '',
    require  => Package['unattended-upgrades'],
  }

It works.

I don't know whether this is something that should be fixed in the apt module since we're doing an "absent" here, but that's what I did in the short term to fix it.

Add support for Debian 10

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: all
  • Ruby: all
  • Distribution: Debian 10
  • Module version: 4.0.0

How to reproduce (e.g Puppet code you use)

Include the unattended upgrades class without additional parameters and run unattended-upgrades --dry-run --debug

class profile::debian {
  include unattended_upgrades
}

What are you seeing

An error occurred, see output log

What behavior did you expect instead

Working unattended-upgrades ;-)

Output log

An error occurred: not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrades", line 1663, in main
    install_start_time)
  File "/usr/bin/unattended-upgrades", line 1841, in run
    cache, options, allowed_origins, blacklist, whitelist)
  File "/usr/bin/unattended-upgrades", line 1438, in calculate_upgradable_pkgs
    ver_in_allowed_origin(pkg, allowed_origins)
  File "/usr/bin/unattended-upgrades", line 731, in ver_in_allowed_origin
    if is_allowed_origin(ver, allowed_origins):
  File "/usr/bin/unattended-upgrades", line 715, in is_allowed_origin
    if match_whitelist_string(allowed, origin):
  File "/usr/bin/unattended-upgrades", line 565, in match_whitelist_string
    for s in token.split("=")]
ValueError: not enough values to unpack (expected 2, got 1)
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2019-11-13 15:49:26
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrades", line 2195, in <module>
    sys.exit(main(options))
  File "/usr/bin/unattended-upgrades", line 1663, in main
    install_start_time)
  File "/usr/bin/unattended-upgrades", line 1841, in run
    cache, options, allowed_origins, blacklist, whitelist)
  File "/usr/bin/unattended-upgrades", line 1438, in calculate_upgradable_pkgs
    ver_in_allowed_origin(pkg, allowed_origins)
  File "/usr/bin/unattended-upgrades", line 731, in ver_in_allowed_origin
    if is_allowed_origin(ver, allowed_origins):
  File "/usr/bin/unattended-upgrades", line 715, in is_allowed_origin
    if match_whitelist_string(allowed, origin):
  File "/usr/bin/unattended-upgrades", line 565, in match_whitelist_string
    for s in token.split("=")]
ValueError: not enough values to unpack (expected 2, got 1)

Any additional information you'd like to impart

The 50unattended-upgrades has changed slightly in Debian 10 (Buster) so it now looks like:

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

instead of:


Unattended-Upgrade::Origins-Pattern {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
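
The traceback above ends in token.split("=") yielding one value instead of two, which is what an Origins-Pattern entry without key=value pairs produces. As an added example (not code from this module or from unattended-upgrades), the following Python check parses an Origins-Pattern or Allowed-Origins block and flags such entries before a scheduled run trips over them. The function names, problem codes and sample config are constructed for illustration, and the security-coverage test is a heuristic based on the label and suite strings shown on this page.

```python
import re
from string import Template

# Keywords accepted in an Origins-Pattern entry (short and long forms), as
# listed in the comments of the stock 50unattended-upgrades file.
KNOWN_KEYS = {"o", "origin", "a", "archive", "suite", "c", "component",
              "l", "label", "n", "codename", "site"}

SECTION_RE = re.compile(
    r'Unattended-Upgrade::(Origins-Pattern|Allowed-Origins)\s*\{(.*?)\}\s*;',
    re.S)
ENTRY_RE = re.compile(r'"([^"]*)"\s*;')

# Constructed sample, not taken from a real host.
SAMPLE_CONF = '''
// constructed sample
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "${distro_id}:${distro_codename}-updates";
        "origin=Debian,release=${distro_codename}";
};
'''


def expand(entry, distro_id, distro_codename):
    """Substitute the two variables unattended-upgrades fills in itself."""
    return Template(entry).safe_substitute(
        distro_id=distro_id, distro_codename=distro_codename)


def check_pattern(expanded):
    """Return (problem codes, parsed key/value pairs) for one expanded entry."""
    problems, pairs = [], {}
    for token in re.split(r'(?<!\\),', expanded):  # "\," is a literal comma
        parts = [p.strip() for p in token.split("=")]
        if len(parts) != 2:
            # One part is the "expected 2, got 1" case from the traceback.
            legacy = len(parts) == 1 and ":" in token
            problems.append("legacy-colon-form" if legacy else "not-key-value")
            continue
        key, value = parts
        if key not in KNOWN_KEYS:
            problems.append("unknown-key")
        elif not value:
            problems.append("empty-value")
        else:
            pairs[key] = value
    return problems, pairs


def names_security(pairs):
    """Heuristic: does this pattern select a security archive?"""
    label = pairs.get("l", pairs.get("label", "")).lower()
    suites = [pairs.get(k, "") for k in ("a", "archive", "suite", "n", "codename")]
    return "security" in label or any(s.endswith("-security") for s in suites)


def audit(conf_text, distro_id, distro_codename):
    """Check every origin entry; report findings and security coverage."""
    text = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("//"))
    findings, covers_security = [], False
    for section, body in SECTION_RE.findall(text):
        for entry in ENTRY_RE.findall(body):
            expanded = expand(entry, distro_id, distro_codename)
            if "${" in expanded:
                findings.append((section, entry, "unexpanded-variable"))
                continue
            if section == "Allowed-Origins":
                _, sep, suite = expanded.partition(":")
                if not sep or "=" in expanded:
                    findings.append((section, entry, "not-id-colon-suite"))
                elif suite.endswith("-security"):
                    covers_security = True
                continue
            problems, pairs = check_pattern(expanded)
            findings.extend((section, entry, p) for p in problems)
            if not problems and names_security(pairs):
                covers_security = True
    return {"findings": findings, "covers_security": covers_security}


if __name__ == "__main__":
    report = audit(SAMPLE_CONF, "Debian", "buster")
    for section, entry, code in report["findings"]:
        print(f"{section}: {code}: {entry}")
    print("security origin covered:", report["covers_security"])
```

A config that parses cleanly but reports no security coverage is worth the same attention as one that crashes, since in both cases security updates are not being applied.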

Unattended-Upgrade::Allowed-Origins variables don't work

Noticed that the Allowed-Origins variables are passing through with {} characters around them, which breaks the unattended-upgrades package because those characters shouldn't be there in the actual config file. Upon examination of /manifests/params.pp, I saw that there were lint errors warning about single quoted strings containing variables which were ignored, see here for documentation:

http://puppet-lint.com/checks/single_quote_string_with_variables/

These variables in params.pp should be double quoted, which I am going to change and test on my own PE server. I will advise if that works.

built-in function merge got deprecated in puppet 8

Affected Puppet, Ruby, OS and module versions/distributions

  • PuppetServer: 8.0.0
  • PuppetAgent: 8.0.0
  • Ruby: 3.1.2p20
  • Distribution: Debian 12
  • Module version: 7.1.0+ (commit 69eb8b7)

How to reproduce (e.g Puppet code you use)

Just perform a run with puppet 8

What are you seeing

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, deprecation. merge. This function is deprecated, please use stdlib::merge instead. at ["<..>/modules/unattended_upgrades/manifests/init.pp", 35] (file: "<..>/modules/unattended_upgrades/manifests/init.pp, line: 35, column: 11) on node <..>

Possible solution

using puppet internal function

diff --git a/manifests/init.pp b/manifests/init.pp
index a4e4b98..5b7af1e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -32,19 +32,19 @@ class unattended_upgrades (
   # apt::conf settings require the apt class to work
   include apt
 
-  $_age = merge($unattended_upgrades::default_age, $age)
+  $_age = $unattended_upgrades::default_age + $age
   assert_type(Unattended_upgrades::Age, $_age)
 
-  $_auto = merge($unattended_upgrades::default_auto, $auto)
+  $_auto = $unattended_upgrades::default_auto + $auto
   assert_type(Unattended_upgrades::Auto, $_auto)
 
-  $_backup = merge($unattended_upgrades::default_backup, $backup)
+  $_backup = $unattended_upgrades::default_backup + $backup
   assert_type(Unattended_upgrades::Backup, $_backup)
 
-  $_mail = merge($unattended_upgrades::default_mail, $mail)
+  $_mail = $unattended_upgrades::default_mail + $mail
   assert_type(Unattended_upgrades::Mail, $_mail)
 
-  $_upgradeable_packages = merge($unattended_upgrades::default_upgradeable_packages, $upgradeable_packages)
+  $_upgradeable_packages = $unattended_upgrades::default_upgradeable_packages + $upgradeable_packages
   assert_type(Unattended_upgrades::Upgradeable_packages, $_upgradeable_packages)
 
   package { 'unattended-upgrades':
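
Review bot: The five `+` replacements (the `$_age`, `$_auto`, `$_backup`, `$_mail` and `$_upgradeable_packages` lines) only behave like `merge()` when both operands are hashes, and the declarations of `$age`, `$auto`, `$backup`, `$mail` and `$upgradeable_packages` are not visible in this hunk. Each `assert_type` call here runs on the merged result, so it does not guard the operands; please confirm the parameters are typed as Hash in the class signature, or validate them before the `+`. A spec that passes a partial hash such as `age => { 'max' => 10 }` and checks that the user key overrides the default while the other default key survives would pin down that the right-hand operand still wins. The error in the report points to `stdlib::merge` as the replacement, so the description should say why the `+` operator was chosen instead, and whether any `merge()` calls remain outside lines 32-50 of manifests/init.pp.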

incorrect Debian OS origin string

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: all
  • Ruby: all
  • Distribution: all
  • Module version: v4.0.0

How to reproduce (e.g Puppet code you use)

Include the unattended upgrades class without additional parameters.

class profile::debian {
  include unattended_upgrades
}

What are you seeing

https://github.com/voxpupuli/puppet-unattended_upgrades/blob/v4.0.0/manifests/params.pp#L71

This line sets the origins for Debian 9 stretch to origin=Debian,archive=stable,label=Debian-Security. However, as of July 2019, Debian 9 stretch is no longer 'stable' but 'oldstable' and Debian 10 buster is now stable.

What behaviour did you expect instead

The origin string for Debian 9 stretch should be origin=Debian,archive=oldstable,label=Debian-Security

Output log

N/A

Any additional information you'd like to impart

I believe this is a simple fix of changing the names in the manifests/params.pp file. However, one may want to consider using the distribution codename in the string which may be more resistant to changes, i.e., when Debian upgrades what is considered 'stable'.

See these commits for the last time this changed (2017): c20f1fc & 5fe39f8; also PR #102 .

Support puppetlabs-apt > 5

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5
  • Module version: all

Currently this module has a dependency on puppetlabs-apt < 5.0.0. However, latest version is 6.1.1. It would be nice to support < 7.0.0.

Add syslog support

What are you seeing

No way of setting Unattended-Upgrade::SyslogEnable to true

What behaviour did you expect instead

A parameter to enable syslog support

Any additional information you'd like to impart

As far as I can see, Unattended-Upgrade::SyslogEnable exists since 2016.

Typo in Readme

Readme has incorrect key, archive_internal for backup, it should be archive_interval.

new release

i plan on making a new release of this module once #148 gets into shape (fixing #145 and #150 hopefully) since we need this so that the module doesn't conflict with latest apt (> 7).

objections?

Allow configuration of Unattended-Upgrade::Sender parameter

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.3.5
  • Ruby: 2.4.3
  • Distribution: Ubuntu 16.04 LTS. 14.04 LTS is not affected, because of the unattended-upgrades package version available in that release.
  • Module version: Verified on both 2.2.0 and 3.1.0

How to reproduce (e.g Puppet code you use)

N/A

What are you seeing

There are no parameters to this module, allowing to configure the "Unattended-Upgrade::Sender" parameter, added in this commit: mvo5/unattended-upgrades@cdce03d (funny thing is - it is not very well documented...)

What behaviour did you expect instead

The possibility to configure this option.

Output log

mail returned: 0
smtp-server: 504 5.5.2 : Sender address rejected: need fully-qualified address

Any additional information you'd like to impart

Of course; this will cause the mails from unattended-upgrades to fail when you try to send e-mail to external address via an external SMTP server.

unattended_upgrades doesn't work with puppet < 3.5.0 (I think...)

puppetmaster version = 3.4.3
Ubuntu 14.04

When trying to use the unattended_upgrades module on my Ubuntu 14.04 server, it kept failing with

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Please explicitly
specify unattended_upgrades::legacy_origin and unattended_upgrades::origins at /etc/puppet
/environments> /production/modules/unattended_upgrades/manifests/params.pp:46 on node
blah.blah.com

I compared the puppetlabs apt module with this module to see how it was different and noted this comment in the code:

# prior to puppet 3.5.0, defined couldn't test if a variable was defined
# strict variables wasn't added until 3.5.0, so this should be fine.

I replaced the $xfacts assignment in the params.pp with the equivalent in the apt module (which does a puppet version check and behaves differently because of strict variables) and it worked.

Relax validation for newer Periodic interval options

Since apt version 1.5~beta2, APT::Periodic can take intervals in seconds, minutes and hours by adding suffixes (s, m, or h), so you can get things like:

APT::Periodic::Unattended-Upgrade "3h";

Unfortunately, the validation in the puppet module requires that this be either an integer or the string 'always', so it is not possible to pass any of these alternative intervals.

It would be nice if the validation was relaxed, so these can be passed!

document the origin configurations in README

Hi,

I am playing around with your module. It's nice but I am missing deeper origin configuration options.

E.g. we often have the following configuration

"origin=Debian,n=oldstable";
"origin=Debian,n=oldstable-updates";
"origin=Debian,n=oldstable-proposed-updates";
"origin=Debian,n=oldstable,l=Debian-Security";

So it's nice that it is possible to activate the Security origin by default but what if I want the other origins, too?

How does the origin parameter work? The documentation isn't very verbose about it.

Additionally it would be great if it would be possible to activate the other three with Boolean parameters as well.

So I wouldn't be forced to use hard coded strings for different distributions.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5
  • Ruby: ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
  • Distribution: Debian 8
  • Module version: newest

random_sleep is ignored on machines using systemd

Hi!

It seems that on Debian machines running systemd (at least on Debian Buster), the random_sleep parameter is ignored.

Indeed, apt transitioned from a cronjob to a systemd timer. /etc/cron.daily/apt-compat now starts with:

# Systemd systems use a systemd timer unit which is preferable to
# run. We want to randomize the apt update and unattended-upgrade
# runs as much as possible to avoid hitting the mirrors all at the
# same time. The systemd time is better at this than the fixed
# cron.daily time
if [ -d /run/systemd/system ]; then
    exit 0
fi

This means the cronjob exits if systemd is running. If that's the case, the machine uses /lib/systemd/system/apt-daily.timer instead to manage automated updates. On Buster, this file looks like:

[Unit]
Description=Daily apt download activities

[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target

It also seems RandomizedDelaySec is hard coded. I don't see a bug on apt for this issue, but I'll open one shortly.

To fix this issue, this module would need to modify the timer using the value passed to random_sleep and reload systemd daemons.

Cheers,

Duplicate declaration due to contain ::apt

In one of our profile classes for managing apt we call unattended_upgrades and the apt class. The change in Version 3.0.0 to use contain ::apt causes a duplicate declaration error.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.X
  • Ruby:
  • Distribution: Ubuntu >= 14
  • Module version: 3.0.0

How to reproduce (e.g Puppet code you use)

Call unattended_upgrades and apt class in the same Puppet class code without hiera:

# install and manage unattended upgrades
class {'unattended_upgrades':
    enable        => bool2num($unattended_upgrades),
    auto          => {
        reboot => true,
        remove => true,
        clean  => 7,
    },
    origins       => [
        '${distro_id}:${distro_codename}-security',
        '${distro_id}:${distro_codename}-updates',
        '${distro_id}:${distro_codename}-backports',
        'Puppetlabs:${distro_codename}',
    ],
    minimal_steps => false,
}

# basic configuration
class { 'apt':
    purge => {
        'sources.list'   => true,
        'sources.list.d' => true,
        'preferences'    => true,
        'preferences.d'  => true,
    },
    proxy => {
        'host' => $proxy_host,
        'port' => $proxy_port,
    },
}

What are you seeing

Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Duplicate declaration: Class[Apt] is already declared; cannot redeclare at /etc/puppetlabs/code/environments/development/modules/profiles/manifests/base/apt.pp:132 at /etc/puppetlabs/code/environments/development/modules/profiles/manifests/base/apt.pp:132:5 on node yxz

Any additional information you'd like to impart

Is there a way to work around this in my code?

Version on Puppet Forge seems to be missing reboot_time parameter in template

Hello,

The version of this module on puppet forge seems to be missing the reboot_time parameter in the unattended-upgrades.erb template. If i look in the github repo i see this line: Unattended-Upgrade::Automatic-Reboot-Time "<%= @_auto['reboot_time'].to_s %>"; but this is missing in the version i pulled from puppet forge.

I have reinstalled the module to be sure i had the latest and i still faced the same problem, i can work around the problem by manually adding the option but i just wanted to let you guys know about this issue.

Documentation: random_sleep

Just a small issue with the default for random_sleep in the documentation - it states random_sleep should default to 300 seconds, however in init.pp it is set to undef:

$random_sleep = undef

so APT::Periodic::RandomSleep is then left unset in /etc/apt/apt.conf.d/10periodic and falls back on the default value in /etc/cron.daily/apt, which is 1800 seconds.

T

Apt upgrade

cannot set "install_on_shutdown" and "remove"

If I set:

class { 'unattended_upgrades':
  enable              => '1',
  install_on_shutdown => true,
  auto                => { 'reboot' => false, 'remove' => false, },
}

I get:

Unattended-Upgrade::InstallOnShutdown "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";

Setting:

class { 'unattended_upgrades':
  enable              => '1',
  install_on_shutdown => false,
  auto                => { 'reboot' => false, 'remove' => false, },
}

I get:

Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Why can't I get updates at shutdown and remove unused dependencies at the same time?

minimize changes with default unattended-upgrades configuration

I'd like us to consider the idea that this module should do a minimal diff with a default unattended-upgrades configuration.

There are two main ways of doing so:

  1. do not touch the default config at all and instead configure in a separate file
  2. do rewrite the configuration but keep the existing commented out lines

We could also mix and match, for example new features like #144 could be done in a separate file completely.

What do people think here?

Duplicate declaration of Class[Apt]

When configuring an apt proxy with the puppetlabs/apt (2.0.0) module as

class {'::apt':
    proxy => {
        'host' => 'host',
        'port' => '3128',
    },
}

and configuring unattended_upgrades in parallel, one runs into

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Class[Apt] is already declared;

I would suspect that this include is the reason, as apt is already defined with our custom proxy settings...

Allowed-Origins contains ${distro_id}:${distro_codename}

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.8.2
  • Ruby: 2.3.3
  • Distribution: Ubuntu 17.04 Zesty
  • Module version: 3.0.0

How to reproduce (e.g Puppet code you use)

FILE: site/profile/manifests/base.pp

# Base profile (includes component modules for all nodes)
class profile::base {
  include unattended_upgrades

  # (... unrelated package and service declaration here ...)
}

What are you seeing

After puppet agent has run on the target machine the unattended_upgrades configuration contains the following:

FILE: /etc/apt/apt.conf.d/50unattended-upgrades

// This file is managed by Puppet. DO NOT EDIT.
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
Unattended-Upgrade::InstallOnShutdown "false";


// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "now";

What behaviour did you expect instead

The Allowed-Origins section should look like this:

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu:zesty";
        "Ubuntu:zesty-security";
};

Output log

$ puppet --version
4.8.2
$ facter --version
2.4.6
$ facter | grep dist
lsbdistcodename => zesty
lsbdistdescription => Ubuntu 17.04
lsbdistid => Ubuntu
lsbdistrelease => 17.04
lsbmajdistrelease => 17.04
os => {"name"=>"Ubuntu", "family"=>"Debian", "release"=>{"major"=>"17.04", "full"=>"17.04"}, "lsb"=>{"distcodename"=>"zesty", "distid"=>"Ubuntu", "distdescription"=>"Ubuntu 17.04", "distrelease"=>"17.04", "majdistrelease"=>"17.04"}}
$ 

Any additional information you'd like to impart

It looks like the variables ${distro_id} and ${distro_codename} are encapsulated in ${os} on our Ubuntu system.

Error when configuring unattended-upgrades

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.0
  • Distribution: Ubuntu 16.04
  • Module version: 2.2.1-rc0 (latest git version as of 20170511)

How to reproduce (e.g Puppet code you use)

I have this one:

class { 'unattended_upgrades':
  auto => { 'remove' => true },
}

And feed it into puppet. I get the same error with 2.2.0 (after hacking the apt dependency version).

I get the same version without auto remove.

What are you seeing

root@cctest2:/var/opt# puppet apply < /etc/puppet/manifests/unattended-upgrades.pp
Warning: /etc/puppetlabs/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
(in /etc/puppetlabs/puppet/hiera.yaml)
Warning: This method is deprecated, please use the stdlib validate_legacy function, with Pattern[]. There is further documentation for validate_legacy function in the README. at ["/etc/puppetlabs/code/environments/production/modules/apt/manifests/setting.pp", 21]:
(at /etc/puppetlabs/code/environments/production/modules/stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: Unknown variable: '::apt::config_files'. at /etc/puppetlabs/code/environments/production/modules/apt/manifests/setting.pp:34:12
Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Operator '[]' is not applicable to an Undef Value. at /etc/puppetlabs/code/environments/production/modules/apt/manifests/setting.pp:34:12 at /etc/puppetlabs/code/environments/production/modules/apt/manifests/conf.pp:15 on node cctest2

Not entirely sure if this is an error in the apt package (I am using 4.0.0) or unattended-upgrades, but it triggers with unattended-upgrades.

What behaviour did you expect instead

Output log

Any additional information you'd like to impart

new release

I plan on making a new release of this module once #148 gets into shape (fixing #145 and #150, hopefully), since we need this so that the module doesn't conflict with the latest apt (> 7).

Objections?

New release?

Would it be possible to do a new release? There are several bugfixes since 1.0.3 that are quite relevant; for instance, I just got bitten by the invalid Allowed-Origins lines that were fixed in September (23475aa).

[Ubuntu 20.04.3] Traceback when running unattended-upgrades --debug --dry-run

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.9.0
  • Ruby: ruby 2.7.3p183
  • Distribution: Ubuntu 20.04.3 LTS
  • Module version: 6.0.0

How to reproduce (e.g Puppet code you use)

  class {'unattended_upgrades':
    auto => {
      'reboot' => false
    },
    blacklist => ['*php*','nginx*'],
    enable => 1,
    mail => {
      'to' => 'its_me@and_my_monkey.foo',
    },
    update => 1,
    days => ['3'],
    options => {
      'force_confold' => true
    },
    syslog_enable => true
  }

What are you seeing

/home/me# unattended-upgrades --debug --dry-run
Enabled logging to syslog via daemon facility 
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=@distro_codename,label=Debian-Security
Initial blacklist: *php* nginx*
Initial whitelist (not strict): 
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/apt.puppetlabs.com_dists_focal_puppet7_binary-all_Packages'  a=focal,c=puppet7,v=,o=Puppetlabs,l=Puppetlabs arch='all' site='apt.puppetlabs.com' IndexType='Debian Package Index' Size=32441 ID:41> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/apt.puppetlabs.com_dists_focal_puppet7_binary-amd64_Packages'  a=focal,c=puppet7,v=,o=Puppetlabs,l=Puppetlabs arch='amd64' site='apt.puppetlabs.com' IndexType='Debian Package Index' Size=86051 ID:40> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/apt.puppet.com_dists_focal_puppet7_binary-all_Packages'  a=focal,c=puppet7,v=,o=Puppetlabs,l=Puppetlabs arch='all' site='apt.puppet.com' IndexType='Debian Package Index' Size=32441 ID:39> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/apt.puppet.com_dists_focal_puppet7_binary-amd64_Packages'  a=focal,c=puppet7,v=,o=Puppetlabs,l=Puppetlabs arch='amd64' site='apt.puppet.com' IndexType='Debian Package Index' Size=86051 ID:38> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/packages.microsoft.com_ubuntu_19.10_prod_dists_eoan_main_binary-amd64_Packages'  a=eoan,c=main,v=,o=microsoft-ubuntu-eoan-prod eoan,l=microsoft-ubuntu-eoan-prod eoan arch='amd64' site='packages.microsoft.com' IndexType='Debian Package Index' Size=300619 ID:37> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ppa.launchpad.net_ondrej_php_ubuntu_dists_focal_main_i18n_Translation-en'  a=focal,c=main,v=20.04,o=LP-PPA-ondrej-php,l=***** The main PPA for supported PHP versions with many PECL extensions ***** arch='' site='ppa.launchpad.net' IndexType='Debian Translation Index' Size=414121 ID:36> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/ppa.launchpad.net_ondrej_php_ubuntu_dists_focal_main_binary-amd64_Packages'  a=focal,c=main,v=20.04,o=LP-PPA-ondrej-php,l=***** The main PPA for supported PHP versions with many PECL extensions ***** arch='amd64' site='ppa.launchpad.net' IndexType='Debian Package Index' Size=700400 ID:35> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/packages.cisofy.com_community_lynis_deb_dists_stable_main_binary-amd64_Packages'  a=stable,c=main,v=,o=CISOfy,l= arch='amd64' site='packages.cisofy.com' IndexType='Debian Package Index' Size=924 ID:34> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/packages.tideways.com_apt-packages-main_dists_any-version_main_binary-amd64_Packages'  a=any-version,c=main,v=,o=cloudsmith/tideways/apt-packages-main,l= arch='amd64' site='packages.tideways.com' IndexType='Debian Package Index' Size=56752 ID:33> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/packages.microsoft.com_ubuntu_20.04_prod_dists_focal_main_binary-amd64_Packages'  a=focal,c=main,v=,o=microsoft-ubuntu-focal-prod focal,l=microsoft-ubuntu-focal-prod focal arch='amd64' site='packages.microsoft.com' IndexType='Debian Package Index' Size=614778 ID:32> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_multiverse_i18n_Translation-en'  a=focal-security,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=32050 ID:31> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_multiverse_binary-amd64_Packages'  a=focal-security,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=206267 ID:30> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_universe_i18n_Translation-en'  a=focal-security,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=1145824 ID:29> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_universe_binary-amd64_Packages'  a=focal-security,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=4070775 ID:28> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_restricted_i18n_Translation-en'  a=focal-security,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=1206973 ID:27> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_restricted_binary-amd64_Packages'  a=focal-security,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=2978371 ID:26> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_main_i18n_Translation-en'  a=focal-security,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=3254185 ID:25> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-security_main_binary-amd64_Packages'  a=focal-security,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=5003204 ID:24> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-backports_universe_i18n_Translation-en'  a=focal-backports,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=5847 ID:23> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-backports_universe_binary-amd64_Packages'  a=focal-backports,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=21419 ID:22> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-backports_main_i18n_Translation-en'  a=focal-backports,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=3960 ID:21> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-backports_main_binary-amd64_Packages'  a=focal-backports,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=9195 ID:20> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_multiverse_i18n_Translation-en'  a=focal-updates,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=40558 ID:19> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_multiverse_binary-amd64_Packages'  a=focal-updates,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=218271 ID:18> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_universe_i18n_Translation-en'  a=focal-updates,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=1676961 ID:17> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_universe_binary-amd64_Packages'  a=focal-updates,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=5124786 ID:16> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_restricted_i18n_Translation-en'  a=focal-updates,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=1314054 ID:15> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_restricted_binary-amd64_Packages'  a=focal-updates,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=3210739 ID:14> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_main_i18n_Translation-en'  a=focal-updates,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=4153355 ID:13> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal-updates_main_binary-amd64_Packages'  a=focal-updates,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=6862565 ID:12> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_multiverse_i18n_Translation-de'  a=focal,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=457469 ID:11> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_multiverse_i18n_Translation-en'  a=focal,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=463922 ID:10> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_multiverse_binary-amd64_Packages'  a=focal,c=multiverse,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=728512 ID:9> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_universe_i18n_Translation-de'  a=focal,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=13048280 ID:8> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_universe_i18n_Translation-en'  a=focal,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=27037832 ID:7> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_universe_binary-amd64_Packages'  a=focal,c=universe,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=50750067 ID:6> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_restricted_i18n_Translation-de'  a=focal,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=27451 ID:5> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_restricted_i18n_Translation-en'  a=focal,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=47433 ID:4> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_restricted_binary-amd64_Packages'  a=focal,c=restricted,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=266945 ID:3> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_main_i18n_Translation-de'  a=focal,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=2706203 ID:2> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_main_i18n_Translation-en'  a=focal,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='' site='archive.ubuntu.com' IndexType='Debian Translation Index' Size=3027779 ID:1> with -32768 pin
Marking not allowed <apt_pkg.PackageFile object: filename:'/var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_focal_main_binary-amd64_Packages'  a=focal,c=main,v=20.04,o=Ubuntu,l=Ubuntu arch='amd64' site='archive.ubuntu.com' IndexType='Debian Package Index' Size=5826751 ID:0> with -32768 pin
An error occurred: nothing to repeat at position 0
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrades", line 1985, in main
    res = run(options, rootdir, mem_log, logfile_dpkg,
  File "/usr/bin/unattended-upgrades", line 2126, in run
    cache = UnattendedUpgradesCache(rootdir=rootdir)
  File "/usr/bin/unattended-upgrades", line 171, in __init__
    apt.Cache.__init__(self, rootdir=rootdir)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 170, in __init__
    self.open(progress)
  File "/usr/bin/unattended-upgrades", line 333, in open
    self.apply_pinning(self.pinning_from_config())
  File "/usr/bin/unattended-upgrades", line 291, in pinning_from_config
    pins.extend(self.pinning_from_regex_list(  # type: ignore
  File "/usr/bin/unattended-upgrades", line 264, in pinning_from_regex_list
    if re.match(regex, pkg.name):
  File "/usr/lib/python3.8/re.py", line 191, in match
    return _compile(pattern, flags).match(string)
  File "/usr/lib/python3.8/re.py", line 304, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.8/sre_compile.py", line 764, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.8/sre_parse.py", line 948, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.8/sre_parse.py", line 443, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.8/sre_parse.py", line 668, in _parse
    raise source.error("nothing to repeat",
re.error: nothing to repeat at position 0

What behaviour did you expect instead

Because it's Wednesday, I would expect to see a dry run of the upgrades (I also tried it without --dry-run, with the same result).

Output log

Any additional information you'd like to impart
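
The traceback in the report above ends in re.match(regex, pkg.name), so each Package-Blacklist entry is compiled as a Python regular expression and a shell-style glob such as '*php*' aborts the whole run before any update is installed. The following is an added example, not code from this module or from unattended-upgrades: a pre-deployment lint for blacklist entries. The function names and the sample package names are constructed for illustration.

```python
import re

# Constructed package names, for illustration only.
SAMPLE_PACKAGES = ["nginx", "nginx-core", "php8.1-fpm",
                   "libapache2-mod-php", "openssl"]


def glob_to_regex(glob):
    """Translate shell-style * and ? into the equivalent regex."""
    return re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")


def check_entry(entry):
    """Classify one blacklist entry.

    'error': the entry does not compile, so the run would abort.
    'warn' : it compiles, but a quantifier directly follows a word
             character, which usually means a glob was intended.
    'ok'   : compiles and does not look like a glob.
    """
    try:
        re.compile(entry)
    except re.error as exc:
        return "error", f"{exc}; as a regex this would be {glob_to_regex(entry)!r}"
    if re.search(r"\w[*?]", entry):
        return "warn", ("quantifier applies to one character only; "
                        f"glob meaning would be {glob_to_regex(entry)!r}")
    return "ok", ""


def held_back(entry, package_names):
    """Names the entry would hold back, using re.match as in the traceback.

    re.match anchors at the start of the name, so 'php' alone does not
    cover 'libapache2-mod-php'.
    """
    return [name for name in package_names if re.match(entry, name)]


def lint_blacklist(entries):
    """Return {entry: (status, detail)} for every blacklist entry."""
    return {entry: check_entry(entry) for entry in entries}


if __name__ == "__main__":
    # '*php*' and 'nginx*' are the entries from the report; '.*php.*' is
    # the regex form of the first one.
    for entry, (status, detail) in lint_blacklist(["*php*", "nginx*", ".*php.*"]).items():
        print(f"{status:5} {entry!r} {detail}")
        if status != "error":
            print("      holds back:", held_back(entry, SAMPLE_PACKAGES))
```

Running a check like this in CI against the blacklist parameter catches an entry that would otherwise silently stop security updates on every node that receives it.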

Please allow setting allow-releaseinfo-change Debian/Ubuntu

Please add the option to specify

--allow-releaseinfo-change

On manual update, system prompts

Get:12 https://dl.ubnt.com/unifi/debian stable InRelease [3023 B]
E: Repository 'https://dl.ubnt.com/unifi/debian stable InRelease' changed its 'Codename' value from 'unifi-6.2' to 'unifi-6.4'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.
Do you want to accept these changes and continue updating from this repository? [y/N] 

Please make this configurable inside
options ({}): A hash of settings.

Not setting up a daily cron

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 3.7
  • Ruby: 2.1.5p273
  • Distribution: Deb Jessie
  • Module version: Latest

How to reproduce (e.g Puppet code you use)

class { 'unattended_upgrades':
  require => Class['apt']
}

What are you seeing

nothing related to unattended upgrades in /etc/cron.daily

What behaviour did you expect instead

A file in /etc/cron.daily and security updates installed when daily cron runs

Output log

No logs created for unattended upgrades

Any additional information you'd like to impart

No way to define different keys for "auto" in different hiera sources

I'd like to have a merge behavior by default, using the following hierarchy:

common.yaml

unattended_upgrades::auto:
  remove: false
  reboot: true

nodes/foo.yaml

unattended_upgrades::auto:
  reboot: false

Unfortunately, hiera_hash() isn't used for the auto parameter, so we end up with the default priority lookup instead, and "remove: false" isn't used on node foo.

unattended_upgrades module not loading - breaks on Apt::Update dependency

It fails to generate the config file, even with me doing a very basic "include unattended_upgrades" without arguments.

root@bitlbee:~# puppet agent --test --environment test --trace
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for bitlbee.org
Error: Failed to apply catalog: Could not find dependent Class[Apt::Update] for File[/etc/apt/apt.conf.d/50unattended-upgrades] at /etc/puppet/environments/test/modules/apt/manifests/setting.pp:63

I'm not using the apt module much otherwise, except for some pinning tweaks.

Debian 11 changes name of security suite

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: any
  • Ruby: any
  • Distribution: Debian 11 AKA bullseye
  • Module version:

What behaviour did you expect instead

Debian 11 should get these origins:

            'origin=Debian,codename=${distro_codename},label=Debian',
            'origin=Debian,codename=${distro_codename}-security,label=Debian-Security',

from apt policy:

 500 http://security.debian.org bullseye-security/main amd64 Packages
     release o=Debian,a=testing-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org

Also see the Debian 11 release notes:
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive

No version of 'puppet-unattended_upgrades' can satisfy all dependencies

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.20
  • Ruby: N/A
  • Distribution: Ubuntu 18.04.4 LTS
  • Module version: 4.0.0

How to reproduce (e.g Puppet code you use)

puppet module install puppet-unattended_upgrades

What are you seeing

[email protected]:~# puppet module install puppet-unattended_upgrades
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Error: Could not install module 'puppet-unattended_upgrades' (???)
  No version of 'puppet-unattended_upgrades' can satisfy all dependencies
    Use `puppet module install --ignore-dependencies` to install only this module
[email protected]:~#

What behaviour did you expect instead

The module to be installed and available to use.

Output log

[email protected]:~# puppet module install puppet-unattended_upgrades
Notice: Preparing to install into /etc/puppetlabs/code/environments/production/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Error: Could not install module 'puppet-unattended_upgrades' (???)
  No version of 'puppet-unattended_upgrades' can satisfy all dependencies
    Use `puppet module install --ignore-dependencies` to install only this module
[email protected]:~#

Any additional information you'd like to impart

[email protected]:~# puppet module list
/etc/puppetlabs/code/environments/production/modules
├── duxklr-manageusers (v1.0.2)
├── example42-puppi (v2.2.11)
├── example42-timezone (v2.0.16)
├── gbrown-yumrepos (v0.0.3)
├── herculesteam-augeasproviders_base (v2.1.0)
├── herculesteam-augeasproviders_core (v2.6.0)
├── herculesteam-augeasproviders_mounttab (v2.1.1)
├── herculesteam-augeasproviders_shellvar (v4.0.0)
├── herculesteam-augeasproviders_ssh (v3.3.0)
├── herculesteam-augeasproviders_sysctl (v2.5.0)
├── nanliu-staging (v1.0.3)
├── pdxcat-nrpe (v2.1.1)
├── puppet-puppetboard (v6.1.0)
├── puppet-python (v3.0.1)
├── puppetlabs-apache (v5.4.0)
├── puppetlabs-apt (v7.4.1)
├── puppetlabs-concat (v6.2.0)
├── puppetlabs-firewall (v2.3.0)
├── puppetlabs-inifile (v3.1.0)
├── puppetlabs-motd (v4.1.0)
├── puppetlabs-mount_providers (v2.0.1)
├── puppetlabs-ntp (v8.3.0)
├── puppetlabs-postgresql (v6.4.0)
├── puppetlabs-puppetdb (v7.4.0)
├── puppetlabs-registry (v3.1.0)
├── puppetlabs-stdlib (v6.3.0)
├── puppetlabs-translate (v2.2.0)
├── puppetlabs-vcsrepo (v3.1.0)
├── razorsedge-snmp (v3.2.0)
├── saz-locales (v2.5.1)
├── saz-sudo (v6.0.0)
├── stahnma-epel (v1.3.1)
└── thias-sysctl (v1.0.6)
/etc/puppetlabs/code/modules (no modules installed)
/opt/puppetlabs/puppet/modules (no modules installed)
[email protected]:~#

clean key of auto hash not documented

According to documentation, valid keys for auto parameter are fix_interrupted_dpkg, reboot and remove, but code also uses the key clean to configure APT::Periodic::AutocleanInterval.

I guess it should be documented too.

Not working on Ubuntu

Ever since I upgraded from puppetlabs-apt v1.80 to v2.10 and puppet-unattended_upgrades (this package), unattended upgrades stopped upgrading my clients completely. I checked the log file:

# /var/log/unattended-upgrades/unattended-upgrades.log
2015-08-08 07:54:28,800 INFO Initial blacklisted packages:
2015-08-08 07:54:28,800 INFO Starting unattended upgrades script
2015-08-08 07:54:28,800 INFO Allowed origins are: ['o=Ubuntu,a={precise}-security', 'o=Ubuntu,a={precise}-updates']
2015-08-08 07:54:33,790 INFO Packages that are auto removed: ''
2015-08-08 07:54:33,791 INFO No packages found that can be upgraded unattended

and noticed the inappropriate curly braces in the origin {precise}-security. This is due to a critical typo in params.pp which causes invalid syntax in /etc/apt/apt.conf.d/50unattended-upgrades.

I will submit a pull request to fix this issue shortly.
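
Several reports above (the '{precise}-security' origins, the '@distro_codename' origin, and the Debian 11 suite rename) come down to a rendered origin that matches no configured repository, which leaves a host without security updates while the run still reports success. The following is an added example, not code from this module or from unattended-upgrades: it expands the ${distro_id} and ${distro_codename} placeholders, flags leftover placeholder characters, and tests the result against a release line as printed by apt policy. The function names are hypothetical, and the field matching with shell-style wildcards is a simplifying assumption.

```python
import re
from fnmatch import fnmatchcase
from string import Template

# Short keys as printed in `apt policy` release lines, mapped to long names.
LONG = {"o": "origin", "a": "archive", "n": "codename",
        "l": "label", "c": "component", "b": "arch"}


def parse_fields(text):
    """Parse 'k=v,k=v' (short or long keys) into a dict with long keys."""
    fields = {}
    for part in text.split(","):
        key, sep, value = part.partition("=")
        if sep:
            key = key.strip()
            fields[LONG.get(key, key)] = value.strip()
    return fields


def parse_release(line):
    """Parse a 'release o=...,a=...' line from apt policy output."""
    body = line.strip()
    if body.startswith("release "):
        body = body[len("release "):]
    return parse_fields(body)


def render_origin(entry, distro_id, codename):
    """Expand placeholders; return (fields, problems)."""
    text = Template(entry).safe_substitute(distro_id=distro_id,
                                           distro_codename=codename)
    problems = []
    leftover = sorted(set(re.findall(r"[${}@]", text)))
    if leftover:
        problems.append(f"unresolved placeholder characters {leftover} in {text!r}")
    if "=" not in text:
        # Legacy Allowed-Origins form "origin:archive".
        origin, _, archive = text.partition(":")
        text = f"o={origin},a={archive}"
    return parse_fields(text), problems


def origin_matches(pattern_fields, release_fields):
    """True if every field of the pattern matches the release (assumed glob match)."""
    return bool(pattern_fields) and all(
        fnmatchcase(release_fields.get(key, ""), value)
        for key, value in pattern_fields.items())


if __name__ == "__main__":
    # Release line and origin entries as quoted in the reports above.
    release = parse_release("release o=Debian,a=testing-security,"
                            "n=bullseye-security,l=Debian-Security,c=main,b=amd64")
    entries = [
        "origin=Debian,codename=${distro_codename},label=Debian",
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
        "origin=Debian,codename=@distro_codename,label=Debian-Security",
    ]
    for entry in entries:
        fields, problems = render_origin(entry, "Debian", "bullseye")
        print(entry, "->", "match" if origin_matches(fields, release) else "no match", problems)
```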
