-rw-r--r-- | README | 22 | ||||
-rw-r--r-- | files/10periodic | 7 | ||||
-rw-r--r-- | files/lucid/50unattended-upgrades | 34 | ||||
-rw-r--r-- | files/wheezy/50unattended-upgrades | 63 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/unattended_upgrades.pp | 13 | ||||
-rw-r--r-- | templates/proxy.erb | 4 | ||||
-rw-r--r-- | templates/sources.list.volatile.erb | 8 |
8 files changed, 140 insertions, 15 deletions
@@ -129,18 +129,6 @@ pull in the templates/site_apt/sources.list file: $custom_sources_list = template('site_apt/sources.list') -$custom_key_dir ---------------- - -If you have different apt-key files that you want to get added to your -apt keyring, you can set this variable to a path in your fileserver -where individual key files can be placed. If this is set and keys -exist there, this module will 'apt-key add' each key. - -The debian-archive-keyring package is installed and kept current up to the -latest revision (this includes the backports archive keyring). - - Classes ======= @@ -235,6 +223,16 @@ Class parameters: include apt::dist_upgrade class { 'apt': codename => 'wheezy', notify => Exec['apt_dist-upgrade'] } +* custom_key_dir + + If you have different apt-key files that you want to get added to your + apt keyring, you can set this variable to a path in your fileserver + where individual key files can be placed. If this is set and keys + exist there, this module will 'apt-key add' each key. + + The debian-archive-keyring package is installed and kept current up to the + latest revision (this includes the backports archive keyring). + apt::apticron ------------- diff --git a/files/10periodic b/files/10periodic new file mode 100644 index 0000000..6c06232 --- /dev/null +++ b/files/10periodic @@ -0,0 +1,7 @@ +// this file is managed by puppet ! +// +//See https://wiki.ubuntu.com/AutomaticUpdates for more details about this feature. +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::AutocleanInterval "7"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/files/lucid/50unattended-upgrades b/files/lucid/50unattended-upgrades new file mode 100644 index 0000000..9c22a64 --- /dev/null +++ b/files/lucid/50unattended-upgrades 
@@ -0,0 +1,34 @@
+// this file is managed by puppet !
+//
+//See https://wiki.ubuntu.com/AutomaticUpdates for more details about this feature.
+
+// allowed (origin, archive) pairs
+Unattended-Upgrade::Allowed-Origins {
+ "Ubuntu lucid-security";
+ "Ubuntu lucid-updates";
+};
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+
+APT::UnattendedUpgrades::LogDir "/var/log/";
+APT::UnattendedUpgrades::LogFile "unattended_upgrades.log";
+
+Unattended-Upgrade::Package-Blacklist {
+ // we don't want the kernel to be updated so nagios still can give a warning if there is
+ // a manual update (and reboot) left
+
+ "linux-image-*";
+
+ // unfortunately there seems to be a bug in unattended-upgrades <= 0.62 that wildcards aren't recognized:
+ //2009-12-11 13:41:43,267 INFO Initial blacklisted packages: linux-image-*
+ //2009-12-11 13:41:43,267 INFO Starting unattended upgrades script
+ //2009-12-11 13:41:43,267 INFO Allowed origins are: ["['Debian', 'stable']", "['Debian-Security', 'stable']"]
+ //2009-12-11 13:41:45,233 INFO Packages that are upgraded: linux-image-2.6.26-2-amd64
+ //2009-12-11 13:41:45,233 INFO Writing dpkg log to '/var/log/unattended-upgrades-dpkg_2009-12-11_13:41:45.233713.log'
+ //2009-12-11 13:42:11,988 INFO All upgrades installed
+
+};
+
diff --git a/files/wheezy/50unattended-upgrades b/files/wheezy/50unattended-upgrades
new file mode 100644
index 0000000..300f1fe
--- /dev/null
+++ b/files/wheezy/50unattended-upgrades
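Review bot: The `"linux-image-*"` entry in `Unattended-Upgrade::Package-Blacklist` is followed by a comment saying wildcards are not recognised by unattended-upgrades <= 0.62, and the quoted log shows a kernel package being upgraded despite the blacklist. If the version installed on lucid falls in that range (not visible in this commit), the entry does nothing and the stated intent, leaving kernel updates to a manual step flagged by nagios, does not hold. I would confirm the version and say so at the top of the block, for example `// NOTE: ineffective on unattended-upgrades <= 0.62, kernels are still upgraded there`. The log excerpt comes from a Debian stable host, which is confusing in an Ubuntu-only file, and where the blacklist does work the file should state that kernel security fixes then depend on someone acting on the nagios warning.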
@@ -0,0 +1,63 @@ +// Automatically upgrade packages from these origin patterns +Unattended-Upgrade::Origins-Pattern { + // Archive or Suite based matching: + // Note that this will silently match a different release after + // migration to the specified archive (e.g. testing becomes the + // new stable). + "o=Debian,a=stable"; + "o=Debian,a=stable-updates"; + "o=Debian,a=proposed-updates"; + "origin=Debian,archive=stable,label=Debian-Security"; +}; + +// List of packages to not update +Unattended-Upgrade::Package-Blacklist { +// "vim"; +// "libc6"; +// "libc6-dev"; +// "libc6-i686"; +}; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +//Unattended-Upgrade::AutoFixInterruptedDpkg "false"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGUSR1. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +//Unattended-Upgrade::MinimalSteps "true"; + +// Install all unattended-upgrades when the machine is shuting down +// instead of doing it in the background while the machine is running +// This will (obviously) make shutdown slower +//Unattended-Upgrade::InstallOnShutdown "true"; + +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" +Unattended-Upgrade::Mail "root"; + +// Set this value to "true" to get emails only on errors. 
Default +// is to always send a mail if Unattended-Upgrade::Mail is set +//Unattended-Upgrade::MailOnlyOnError "true"; + +// Do automatic removal of new unused dependencies after the upgrade +// (equivalent to apt-get autoremove) +//Unattended-Upgrade::Remove-Unused-Dependencies "false"; + +// Automatically reboot *WITHOUT CONFIRMATION* if a +// the file /var/run/reboot-required is found after the upgrade +//Unattended-Upgrade::Automatic-Reboot "false"; + + +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +//Acquire::http::Dl-Limit "70"; + +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::Unattended-Upgrade "1"; diff --git a/manifests/init.pp b/manifests/init.pp index 3f8e1c8..c5afb2b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -113,9 +113,9 @@ class apt( $apt_base_dir = "${common::moduledir::module_dir_path}/apt" modules_dir { 'apt': } - if $::custom_key_dir { + if $custom_key_dir { file { "${apt_base_dir}/keys.d": - source => $::custom_key_dir, + source => $custom_key_dir, recurse => true, owner => root, group => root, diff --git a/manifests/unattended_upgrades.pp b/manifests/unattended_upgrades.pp index c538831..2a6fe9e 100644 --- a/manifests/unattended_upgrades.pp +++ b/manifests/unattended_upgrades.pp @@ -14,9 +14,20 @@ class apt::unattended_upgrades { require => Package['unattended-upgrades'], } - if $apt::custom_preferences != false { + if defined(File['apt_config']) { Apt_conf['50unattended-upgrades'] { before => File['apt_config'], } } + + if $operatingsystem == 'ubuntu' { + file { '/etc/apt/apt.conf.d/10periodic': + ensure => present, + owner => root, + group => root, + mode => 0644, + source => 'puppet:///modules/apt/10periodic', + require => Package['unattended-upgrades'], + } + } } diff --git a/templates/proxy.erb b/templates/proxy.erb new file mode 100644 index 0000000..01c9861 --- /dev/null +++ b/templates/proxy.erb 
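Review bot: `"o=Debian,a=proposed-updates"` in `Unattended-Upgrade::Origins-Pattern` of files/wheezy/50unattended-upgrades lets packages that are still staged for the next point release install with nobody looking at them; I would comment that line out and keep the stable, stable-updates and Debian-Security origins. The file's own comment warns that `a=stable` silently follows whichever release becomes stable, which sits oddly in a file stored under `files/wheezy/` and should at least be called out as a known limitation. This file also lacks the `// this file is managed by puppet !` header that the other two new config files carry, so a local edit will be overwritten without warning to the admin.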
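Review bot: Hosts that still set the top-scope `$custom_key_dir` stop getting `keys.d` populated after this change in manifests/init.pp, with no error, because the `if` now reads only the class parameter. The README says every key placed in that directory is passed to `apt-key add`, so this is a silent change to which signing keys a host trusts; a transitional `if $::custom_key_dir { warning('custom_key_dir is now a parameter of class apt') }` would make it visible. The parameter list of `class apt(` is outside the hunk and only these two lines change in this file, so please confirm `custom_key_dir` is already declared there with a `false` default.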
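Review bot: `if defined(File['apt_config'])` in manifests/unattended_upgrades.pp depends on evaluation order: `defined()` is true only when the resource is already in the catalog at the moment this line is evaluated, so the `before => File['apt_config']` ordering is applied or skipped depending on which class happens to be evaluated first. The condition it replaces tested a variable and did not have that problem; testing whichever parameter causes `File['apt_config']` to be declared (that code is outside this hunk) keeps the result deterministic. In the added block, `mode => 0644` is better written `mode => '0644'` and the fact is safer as `$::operatingsystem`, so that a local variable of the same name cannot shadow it. The class body begins outside the hunk.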
@@ -0,0 +1,4 @@
+Acquire {
+<% if apt_http_proxy != false %> HTTP::Proxy "<%= apt_http_proxy %>";<% end %>
+<% if apt_ftp_proxy != false %> FTP::Proxy "<%= apt_ftp_proxy %>";<% end %>
+};
diff --git a/templates/sources.list.volatile.erb b/templates/sources.list.volatile.erb
new file mode 100644
index 0000000..cc9316b
--- /dev/null
+++ b/templates/sources.list.volatile.erb
@@ -0,0 +1,8 @@
+# This file is brought to you by puppet
+
+# backports
+<% if (lsbdistcodename == "sid" || lsbdistcodename == "unstable") -%>
+# There are no backports for for <%= lsbdistcodename %>
+<% else -%>
+deb http://volatile.debian.org/debian-volatile <%= lsbdistcodename %>/volatile main contrib non-free
+<% end -%> |
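Review bot: Both guards in templates/proxy.erb compare with `false` only, so an unset or empty `apt_http_proxy` or `apt_ftp_proxy` would presumably still pass the test and render a line such as `HTTP::Proxy "";`; how the caller defaults these variables is not visible in this commit. The values are also written between double quotes verbatim, so a value containing `"` or `;` produces a configuration that apt reads differently from what was intended. Validating each parameter as a URL in the manifest that uses this template would cover both cases. When neither proxy is set the result is an empty `Acquire { };` block, which is harmless but is better avoided by not managing the file at all.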
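Review bot: The comments in templates/sources.list.volatile.erb look carried over from a backports template: the header says `# backports` and the sid branch says `There are no backports for for ...` (with a doubled word), while the only entry is the volatile archive. Suggested wording is `# volatile` and `# There is no volatile archive for <%= lsbdistcodename %>`. The `else` branch emits a volatile line for every codename other than sid or unstable, so if the archive does not exist for a release `apt-get update` will report errors on that host and later runs may be working from stale package lists. The manifest that selects this template is not part of this commit; it should restrict which releases receive the file.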