Arturo Borrero Gonzalez has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/398259 )
Change subject: Revert "Revert "cloud: setup for attended upgrade process"" ...................................................................... Revert "Revert "cloud: setup for attended upgrade process"" This reverts commit ea71c8fe2f97359599a6f87c04c2d000e05c474a. There was a mistake in the variable names. Change-Id: Ibccc1e3050412d9ac9bddbd14069a118c7808256 Signed-off-by: Arturo Borrero Gonzalez <aborr...@wikimedia.org> --- M hieradata/labs.yaml A hieradata/labs/project-proxy/common.yaml M hieradata/labs/tools/common.yaml M modules/apt/manifests/unattendedupgrades.pp M modules/profile/manifests/base/labs.pp 5 files changed, 50 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/59/398259/1 diff --git a/hieradata/labs.yaml b/hieradata/labs.yaml index aa078d5..bf7c323 100644 --- a/hieradata/labs.yaml +++ b/hieradata/labs.yaml @@ -17,6 +17,8 @@ recursor: 'labs-recursor0.wikimedia.org' recursor_secondary: 'labs-recursor1.wikimedia.org' +profile::base::labs::unattended_wmf: 'present' +profile::base::labs::unattended_distro: 'present' profile::openstack::main::version: 'liberty' profile::openstack::base::region: "%{::site}" profile::openstack::main::nova_controller: 'labcontrol1001.wikimedia.org' diff --git a/hieradata/labs/project-proxy/common.yaml b/hieradata/labs/project-proxy/common.yaml new file mode 100644 index 0000000..9a76d8a --- /dev/null +++ b/hieradata/labs/project-proxy/common.yaml @@ -0,0 +1,2 @@ +profile::base::labs::unattended_wmf: 'absent' +profile::base::labs::unattended_distro: 'absent' diff --git a/hieradata/labs/tools/common.yaml b/hieradata/labs/tools/common.yaml index c62e87a..3e03999 100644 --- a/hieradata/labs/tools/common.yaml +++ b/hieradata/labs/tools/common.yaml @@ -1,3 +1,6 @@ +profile::base::labs::unattended_wmf: 'absent' +profile::base::labs::unattended_distro: 'absent' + "profile::base::core_dump_pattern": core classes: - role::aptly::client diff --git a/modules/apt/manifests/unattendedupgrades.pp b/modules/apt/manifests/unattendedupgrades.pp index c02745c..414afcc 100644 --- a/modules/apt/manifests/unattendedupgrades.pp +++ b/modules/apt/manifests/unattendedupgrades.pp @@ -1,13 +1,26 @@ -class apt::unattendedupgrades($ensure=present) { +# Manage unattended updates across cloud instances +# Note: security updates can not be disabled (enabled by default) +# +# [*unattended_wmf*] +# present/absent to enable/disable wmf packages +# +# [*unattended_distro*] +# present/absent to enable/disable updates in stable packages + +class apt::unattendedupgrades( + $unattended_distro='present', + $unattended_wmf='present', + ) { + # package installation should enable security upgrades by default package { 'unattended-upgrades': - ensure => $ensure, + ensure => 'present', } # dpkg tries to determine the most conservative default action in case of # conffile conflict. This tells dpkg to use that action without asking apt::conf { 'dpkg-force-confdef': - ensure => present, + ensure => 'present', priority => '00', key => 'Dpkg::Options::', value => '--force-confdef', @@ -16,20 +29,36 @@ # In case of conffile conflicts, tell dpkg to keep the old conffile without # asking apt::conf { 'dpkg-force-confold': - ensure => present, + ensure => 'present', priority => '00', key => 'Dpkg::Options::', value => '--force-confold', } apt::conf { 'auto-upgrades': - ensure => $ensure, + ensure => 'present', priority => '20', key => 'APT::Periodic::Unattended-Upgrade', value => '1', } + # https://wiki.debian.org/StableUpdates + # https://www.debian.org/News/2011/20110215 + apt::conf { 'unattended-upgrades-updates': + ensure => $unattended_distro, + priority => '52', + # Key with trailing '::' to append to potentially existing entry + key => 'Unattended-Upgrade::Origins-Pattern::', + # lint:ignore:single_quote_string_with_variables + value => 'origin=${distro_id},codename=${distro_codename}-updates', + # lint:endignore + } + + # Unattended should update WMF packages + # https://apt.wikimedia.org/wikimedia/ + # https://wikitech.wikimedia.org/wiki/APT_repository apt::conf { 'unattended-upgrades-wikimedia': + ensure => $unattended_wmf, priority => '51', # Key with trailing '::' to append to potentially existing entry key => 'Unattended-Upgrade::Origins-Pattern::', diff --git a/modules/profile/manifests/base/labs.pp b/modules/profile/manifests/base/labs.pp index 23816b3..59c9b25 100644 --- a/modules/profile/manifests/base/labs.pp +++ b/modules/profile/manifests/base/labs.pp @@ -1,6 +1,13 @@ -class profile::base::labs { - include ::apt::unattendedupgrades +class profile::base::labs( + $unattended_wmf = hiera('profile::base::labs::unattended_wmf'), + $unattended_distro = hiera('profile::base::labs::unattended_distro'), + ) { + include ::apt::noupgrade + class {'::apt::unattendedupgrades': + unattended_wmf => $unattended_wmf, + unattended_distro => $unattended_distro, + } # Labs instances /var is quite small, provide our own default # to keep less records (T71604). -- To view, visit https://gerrit.wikimedia.org/r/398259 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibccc1e3050412d9ac9bddbd14069a118c7808256 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Arturo Borrero Gonzalez <aborr...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits