author | root <root@localhost> | 2018-09-16 22:21:28 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2018-09-16 22:26:55 +0200 |
commit | b9c90f087cb54a0b8be222dbdcd88c8a73ef4f57 (patch) | |
tree | 51f19339b7cb1da0633bca404ff31f87584351fd | |
parent | bb00f4ab450131094096b7ae74cf3edcdaa224db (diff) | |
Add voxpupuli's unattended_upgrade module.
49 files changed, 2689 insertions, 0 deletions
diff --git a/code/environments/production/modules/unattended_upgrades/CHANGELOG.md b/code/environments/production/modules/unattended_upgrades/CHANGELOG.md new file mode 100644 index 0000000..7a8377a --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/CHANGELOG.md 
@@ -0,0 +1,222 @@ +# Changelog + +All notable changes to this project will be documented in this file. +Each new release typically also includes the latest modulesync defaults. +These should not affect the functionality of the module. + +## [v3.2.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v3.2.0) (2018-06-12) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v3.1.0...v3.2.0) + +**Implemented enhancements:** + +- Allow configuration of Unattended-Upgrade::Sender parameter [\#119](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/119) +- Optional argument for specifing the Unattended-Upgrade::Sender config flag [\#120](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/120) ([LarsErikP](https://github.com/LarsErikP)) + +**Closed issues:** + +- \(Confirm\) Ubuntu 18.04 support [\#124](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/124) +- Typo - README.md - Reference/options "force\_connew" [\#109](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/109) + +**Merged pull requests:** + +- Add Ubuntu 18.04 LTS "bionic" to the list of supported OSes \(fixes \#124\) [\#125](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/125) ([mpdude](https://github.com/mpdude)) +- Remove docker nodesets [\#123](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/123) ([bastelfreak](https://github.com/bastelfreak)) +- drop EOL OSs; fix puppet version range [\#121](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/121) ([bastelfreak](https://github.com/bastelfreak)) +- Fix typo [\#117](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/117) ([6uhrmittag](https://github.com/6uhrmittag)) + +## [v3.1.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v3.1.0) (2017-12-09) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v3.0.1...v3.1.0) + +**Closed issues:** + +- Duplicate declaration due to contain 
::apt [\#110](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/110) + +**Merged pull requests:** + +- release 3.1.0 [\#116](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/116) ([bastelfreak](https://github.com/bastelfreak)) +- Add Ubuntu artful [\#115](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/115) ([danielhoherd](https://github.com/danielhoherd)) + +## [v3.0.1](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v3.0.1) (2017-10-28) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v3.0.0...v3.0.1) + +**Closed issues:** + +- Allowed-Origins contains ${distro\_id}:${distro\_codename} [\#107](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/107) + +**Merged pull requests:** + +- Don't `contain` `apt` but `include` instead [\#111](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/111) ([alexjfisher](https://github.com/alexjfisher)) + +## [v3.0.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v3.0.0) (2017-07-07) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v2.2.0...v3.0.0) + +**Breaking changes:** + +- Use Data Types instead of validate\_\* functions [\#90](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/90) ([raphink](https://github.com/raphink)) + +**Implemented enhancements:** + +- Add Debian 9 - Stretch Support [\#102](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/102) ([petems](https://github.com/petems)) +- Ubuntu: Add 17.04 Zesty Zapus. 
[\#89](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/89) ([raoulbhatia](https://github.com/raoulbhatia)) + +**Fixed bugs:** + +- Error when configuring unattended-upgrades [\#92](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/92) +- Adds ::apt containment to main class [\#103](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/103) ([petems](https://github.com/petems)) + +**Closed issues:** + +- Not setting up a daily cron [\#87](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/87) + +**Merged pull requests:** + +- Update Debian upstream names [\#101](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/101) ([petems](https://github.com/petems)) +- Refactor specs [\#100](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/100) ([petems](https://github.com/petems)) +- Add tags to metadata.json [\#98](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/98) ([petems](https://github.com/petems)) +- Allow newer apt modules to satisfy dependency [\#91](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/91) ([cpick](https://github.com/cpick)) +- cleanup README - typos, remove splunk and fix ToC [\#83](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/83) ([pono](https://github.com/pono)) +- Modulesync 0.18.0 [\#82](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/82) ([bastelfreak](https://github.com/bastelfreak)) + +## [v2.2.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v2.2.0) (2017-01-12) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v2.1.0...v2.2.0) + +**Merged pull requests:** + +- Bump min version\_requirement for Puppet [\#79](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/79) ([juniorsysadmin](https://github.com/juniorsysadmin)) +- Include the release pocket on Ubuntu Xenial and Yakkety. 
[\#75](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/75) ([MichaelGooden](https://github.com/MichaelGooden)) +- Add missing badges [\#73](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/73) ([dhoppe](https://github.com/dhoppe)) +- Fix order of options to prevent swapping of lines [\#72](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/72) ([leonkoens](https://github.com/leonkoens)) + +## [v2.1.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v2.1.0) (2016-10-05) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v2.0.0...v2.1.0) + +**Implemented enhancements:** + +- \[WIP\] Ubuntu updates [\#62](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/62) ([raoulbhatia](https://github.com/raoulbhatia)) + +**Closed issues:** + +- Puppet 4 compatibility? [\#63](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/63) +- Version on Puppet Forge seems to be missing reboot\_time parameter in template [\#59](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/59) + +**Merged pull requests:** + +- Remove 'pe' requirement from metadata [\#66](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/66) ([alexjfisher](https://github.com/alexjfisher)) +- Modulesync 0.9.1 [\#65](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/65) ([bastelfreak](https://github.com/bastelfreak)) +- Make parameter validation more strict [\#64](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/64) ([pkkm](https://github.com/pkkm)) +- LinuxMint: Add support for Linux Mint [\#61](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/61) ([raoulbhatia](https://github.com/raoulbhatia)) + +## [v2.0.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v2.0.0) (2016-05-26) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v1.1.1...v2.0.0) + +**Implemented enhancements:** + +- Dependency cycle error if sources are 
managed exclusively by puppet [\#28](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/28) + +**Closed issues:** + +- Documentation: random\_sleep [\#54](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/54) +- wrong documentation: legacy\_origin [\#50](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/50) +- unattended\_upgrades module not loading - breaks on Apt::Update dependency [\#48](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/48) + +**Merged pull requests:** + +- update default parameters for legacy\_origin option [\#58](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/58) ([GhostLyrics](https://github.com/GhostLyrics)) +- Update from voxpupuli modulesync\_config [\#57](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/57) ([jyaworski](https://github.com/jyaworski)) +- Add parameter to control reboot time [\#56](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/56) ([mpdude](https://github.com/mpdude)) +- Small fix for random\_sleep documentation. 
The value is set to undef i… [\#55](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/55) ([spoofedpacket](https://github.com/spoofedpacket)) +- add options support [\#52](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/52) ([b4ldr](https://github.com/b4ldr)) +- Default `notify\_update` to false [\#51](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/51) ([daenney](https://github.com/daenney)) + +## [v1.1.1](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v1.1.1) (2016-01-11) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/v1.1.0...v1.1.1) + +**Merged pull requests:** + +- Fix typo [\#46](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/46) ([mcanevet](https://github.com/mcanevet)) + +## [v1.1.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/v1.1.0) (2016-01-09) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/1.0.3...v1.1.0) + +**Fixed bugs:** + +- content variable seems like it's required for the init file [\#18](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/18) + +**Closed issues:** + +- New release? 
[\#38](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/38) +- cannot set "install\_on\_shutdown" and "remove" [\#36](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/36) +- No way to define different keys for "auto" in different hiera sources [\#35](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/35) +- Clarify random\_sleep documentation [\#34](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/34) +- clean key of auto hash not documented [\#24](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/24) +- Not working on Ubuntu [\#22](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/22) +- potential dependency cycle for users [\#16](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/16) +- Unattended-Upgrade::Allowed-Origins variables don't work [\#15](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/15) +- unattended\_upgrades doesn't work with puppet \< 3.5.0 \(I think...\) [\#13](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/13) + +**Merged pull requests:** + +- Doc and implementation fixes [\#44](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/44) ([daenney](https://github.com/daenney)) +- Remediate rubocop offenses [\#43](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/43) ([rnelson0](https://github.com/rnelson0)) +- cleanup\(params\) make linter happy [\#42](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/42) ([igalic](https://github.com/igalic)) +- feat\(msync\) move secure line into .sync.yml [\#40](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/40) ([igalic](https://github.com/igalic)) +- Rename reference to puppet-community [\#39](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/39) ([rnelson0](https://github.com/rnelson0)) +- Include variable 'RandomSleep'. 
[\#33](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/33) ([fbarbeira](https://github.com/fbarbeira)) +- Add optional notify\_update parameter [\#31](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/31) ([clauded](https://github.com/clauded)) +- Small fix typo [\#27](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/27) ([fbarbeira](https://github.com/fbarbeira)) +- Enhancements by merging Debian defaults, puppetlabs-apt and own research [\#26](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/26) ([raoulbhatia](https://github.com/raoulbhatia)) +- Document auto -\> clean [\#25](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/25) ([zeha](https://github.com/zeha)) +- Support for Raspbian [\#19](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/19) ([lbdr](https://github.com/lbdr)) +- Check for strict\_variables setting before using defined\(\), fixes compatibility with Puppet \< 3.5.0 [\#17](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/17) ([apeeters](https://github.com/apeeters)) +- unattended-upgrades are broken on Ubuntu by default due to origins typo [\#14](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/14) ([cpick](https://github.com/cpick)) + +## [1.0.3](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/1.0.3) (2015-04-23) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/1.0.2...1.0.3) + +**Closed issues:** + +- Duplicate declaration of Class\[Apt\] [\#12](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/12) + +**Merged pull requests:** + +- Gemfile: Upgrade to rspec-puppet 2.1.0 [\#11](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/11) ([daenney](https://github.com/daenney)) + +## [1.0.2](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/1.0.2) (2015-04-22) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/1.0.1...1.0.2) + +## 
[1.0.1](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/1.0.1) (2015-04-22) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/1.0.0...1.0.1) + +## [1.0.0](https://github.com/voxpupuli/puppet-unattended_upgrades/tree/1.0.0) (2015-04-22) + +[Full Changelog](https://github.com/voxpupuli/puppet-unattended_upgrades/compare/886245f2cb7614a8c749d34e6f08ee17b92c970f...1.0.0) + +**Closed issues:** + +- Add a contributing.md [\#6](https://github.com/voxpupuli/puppet-unattended_upgrades/issues/6) + +**Merged pull requests:** + +- Prepare 1.0.1 release: [\#10](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/10) ([daenney](https://github.com/daenney)) +- Setup deploy [\#9](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/9) ([daenney](https://github.com/daenney)) +- Rake travis changelog [\#8](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/8) ([daenney](https://github.com/daenney)) +- Add metadata.json [\#7](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/7) ([underscorgan](https://github.com/underscorgan)) +- travis: Test only latest Ruby and Puppet. [\#5](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/5) ([daenney](https://github.com/daenney)) +- Test updates [\#4](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/4) ([underscorgan](https://github.com/underscorgan)) +- Test fixes [\#1](https://github.com/voxpupuli/puppet-unattended_upgrades/pull/1) ([underscorgan](https://github.com/underscorgan)) + + + +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* diff --git a/code/environments/production/modules/unattended_upgrades/CONTRIBUTING.md b/code/environments/production/modules/unattended_upgrades/CONTRIBUTING.md new file mode 100644 index 0000000..8cac3bd --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/CONTRIBUTING.md 
@@ -0,0 +1,97 @@ +This module has grown over time based on a range of contributions from +people using it. If you follow these contributing guidelines your patch +will likely make it into a release a little quicker. + + +## Contributing + +Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms. [Contributor Code of Conduct](https://voxpupuli.org/coc/). + +1. Fork the repo. + +1. Create a separate branch for your change. + +1. Run the tests. We only take pull requests with passing tests, and + documentation. + +1. Add a test for your change. Only refactoring and documentation + changes require no new tests. If you are adding functionality + or fixing a bug, please add a test. + +1. Squash your commits down into logical components. Make sure to rebase + against the current master. + +1. Push the branch to your fork and submit a pull request. + +Please be prepared to repeat some of these steps as our contributors review +your code. + +## Dependencies + +The testing and development tools have a bunch of dependencies, +all managed by [bundler](http://bundler.io/) according to the +[Puppet support matrix](http://docs.puppetlabs.com/guides/platforms.html#ruby-versions). + +By default the tests use a baseline version of Puppet. + +If you have Ruby 2.x or want a specific version of Puppet, +you must set an environment variable such as: + + export PUPPET_VERSION="~> 4.2.0" + +Install the dependencies like so... + + bundle install + +## Syntax and style + +The test suite will run [Puppet Lint](http://puppet-lint.com/) and +[Puppet Syntax](https://github.com/gds-operations/puppet-syntax) to +check various syntax and style things. You can run these locally with: + + bundle exec rake lint + bundle exec rake validate + +## Running the unit tests + +The unit test suite covers most of the code, as mentioned above please +add tests if you're adding new functionality. 
If you've not used +[rspec-puppet](http://rspec-puppet.com/) before then feel free to ask +about how best to test your new feature. + +To run your all the unit tests + + bundle exec rake spec SPEC_OPTS='--format documentation' + +To run a specific spec test set the `SPEC` variable: + + bundle exec rake spec SPEC=spec/foo_spec.rb + +To run the linter, the syntax checker and the unit tests: + + bundle exec rake test + + +## Integration tests + +The unit tests just check the code runs, not that it does exactly what +we want on a real machine. For that we're using +[beaker](https://github.com/puppetlabs/beaker). + +This fires up a new virtual machine (using vagrant) and runs a series of +simple tests against it after applying the module. You can run this +with: + + bundle exec rake acceptance + +This will run the tests on an Ubuntu 12.04 virtual machine. You can also +run the integration tests against Centos 6.5 with. + + BEAKER_set=centos-64-x64 bundle exec rake acceptances + +If you don't want to have to recreate the virtual machine every time you +can use `BEAKER_DESTROY=no` and `BEAKER_PROVISION=no`. On the first run you will +at least need `BEAKER_PROVISION` set to yes (the default). The Vagrantfile +for the created virtual machines will be in `.vagrant/beaker_vagrant_fies`. + +# vim: syntax=markdown diff --git a/code/environments/production/modules/unattended_upgrades/Gemfile b/code/environments/production/modules/unattended_upgrades/Gemfile new file mode 100644 index 0000000..1527b39 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/Gemfile 
@@ -0,0 +1,78 @@ +source ENV['GEM_SOURCE'] || "https://rubygems.org" + +def location_for(place, fake_version = nil) + if place =~ /^(git[:@][^#]*)#(.*)/ + [fake_version, { :git => $1, :branch => $2, :require => false }].compact + elsif place =~ /^file:\/\/(.*)/ + ['>= 0', { :path => File.expand_path($1), :require => false }] + else + [place, { :require => false }] + end +end + +group :test do + gem 'puppetlabs_spec_helper', '~> 2.6.0', :require => false + gem 'rspec-puppet', '~> 2.5', :require => false + gem 'rspec-puppet-facts', :require => false + gem 'rspec-puppet-utils', :require => false + gem 'puppet-lint-leading_zero-check', :require => false + gem 'puppet-lint-trailing_comma-check', :require => false + gem 'puppet-lint-version_comparison-check', :require => false + gem 'puppet-lint-classes_and_types_beginning_with_digits-check', :require => false + gem 'puppet-lint-unquoted_string-check', :require => false + gem 'puppet-lint-variable_contains_upcase', :require => false + gem 'metadata-json-lint', :require => false + gem 'redcarpet', :require => false + gem 'rubocop', '~> 0.49.1', :require => false if RUBY_VERSION >= '2.3.0' + gem 'rubocop-rspec', '~> 1.15.0', :require => false if RUBY_VERSION >= '2.3.0' + gem 'mocha', '~> 1.4.0', :require => false + gem 'coveralls', :require => false + gem 'simplecov-console', :require => false + gem 'rack', '~> 1.0', :require => false if RUBY_VERSION < '2.2.2' + gem 'parallel_tests', :require => false +end + +group :development do + gem 'travis', :require => false + gem 'travis-lint', :require => false + gem 'guard-rake', :require => false + gem 'overcommit', '>= 0.39.1', :require => false +end + +group :system_tests do + gem 'winrm', :require => false + if beaker_version = ENV['BEAKER_VERSION'] + gem 'beaker', *location_for(beaker_version) + else + gem 'beaker', '>= 3.9.0', :require => false + end + if beaker_rspec_version = ENV['BEAKER_RSPEC_VERSION'] + gem 'beaker-rspec', *location_for(beaker_rspec_version) + else + gem 
'beaker-rspec', :require => false + end + gem 'serverspec', :require => false + gem 'beaker-hostgenerator', '>= 1.1.10', :require => false + gem 'beaker-puppet_install_helper', :require => false + gem 'beaker-module_install_helper', :require => false +end + +group :release do + gem 'github_changelog_generator', :require => false, :git => 'https://github.com/skywinder/github-changelog-generator' if RUBY_VERSION >= '2.2.2' + gem 'puppet-blacksmith', :require => false + gem 'voxpupuli-release', :require => false, :git => 'https://github.com/voxpupuli/voxpupuli-release-gem' + gem 'puppet-strings', '~> 1.0', :require => false +end + + + +if facterversion = ENV['FACTER_GEM_VERSION'] + gem 'facter', facterversion.to_s, :require => false, :groups => [:test] +else + gem 'facter', :require => false, :groups => [:test] +end + +ENV['PUPPET_VERSION'].nil? ? puppetversion = '~> 5.0' : puppetversion = ENV['PUPPET_VERSION'].to_s +gem 'puppet', puppetversion, :require => false, :groups => [:test] + +# vim: syntax=ruby diff --git a/code/environments/production/modules/unattended_upgrades/LICENSE b/code/environments/production/modules/unattended_upgrades/LICENSE new file mode 100644 index 0000000..1807ab9 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/LICENSE 
@@ -0,0 +1,35 @@ +Copyright (c) 2011 Evolving Web Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + + +Copyright 2014 Puppet Labs, 2015 Puppet Community + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + diff --git a/code/environments/production/modules/unattended_upgrades/README.md b/code/environments/production/modules/unattended_upgrades/README.md new file mode 100644 index 0000000..48d3e65 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/README.md 
@@ -0,0 +1,175 @@ +# Unattended Upgrades module for Puppet + +[![Build Status](https://travis-ci.org/voxpupuli/puppet-unattended_upgrades.png?branch=master)](https://travis-ci.org/voxpupuli/puppet-unattended_upgrades) +[![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/unattended_upgrades.svg)](https://forge.puppetlabs.com/puppet/unattended_upgrades) +[![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/unattended_upgrades.svg)](https://forge.puppetlabs.com/puppet/unattended_upgrades) +[![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/unattended_upgrades.svg)](https://forge.puppetlabs.com/puppet/unattended_upgrades) +[![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/unattended_upgrades.svg)](https://forge.puppetlabs.com/puppet/unattended_upgrades) + +#### Table of Contents + +1. [Overview](#overview) +1. [Module Description](#module-description) +1. [Setup](#setup) +1. [Usage](#usage) +1. [Reference](#reference) + * [Classes](#classes) + * [Parameters](#parameters) +1. [Limitations - OS compatibility, etc.](#limitations) +1. [License](#license) + +## Overview + +The unattended\_upgrades module allows for the installation and configuration +of automatic security (and other) updates through apt. + +This functionality used to be part of the puppetlabs-apt module but was split +off into its own module. + +## Module Description + +The unattended\_upgrades module automates the configuration of apt package updates. + +## Setup + +### What unattended\_upgrades affects + +* Package/configuration for unattended\_upgrades + +### Beginning with unattended\_upgrades + +All you need to do is include the apt module, `include apt`, and this module, +`include unattended_upgrades` for it to work. + +This module relies on the [apt](https://forge.puppetlabs.com/puppetlabs/apt) +module and will not work without it. 
+ +## Usage + +Using unattended\_upgrades simply consists of including the module and if needed +altering some of the default settings. + +## Reference + +### Classes + +* `unattended_upgrades`: Main class, installs the necessary packages and writes + the configuration. + +### Parameters + +#### unattended\_upgrades + +* `age` (`{}`): A hash of settings with two possible keys: + * `min` (`2`): Minimum age of a cache package file. File younger than `min` will + not be deleted. + * `max` (`0`): Maximum allowed age of a cache package file. File older than `max` + will be deleted. + + Any of these keys can be specified and will be merged into the defaults: + + ```puppet + class { 'unattended_upgrades': + age => { 'max' => 10 }, + } + ``` + +* `auto` (`{}`): A hash of settings with these possible keys: + * `clean`(`0`): Remove packages that can no longer be downloaded from cache every + X days (`0` = disabled). + * `fix_interrupted_dpkg`(`true`): Try to fix package installation state. + * `reboot`(`false`): Reboot system after package update installation. + * `reboot_time`(`now`): If automatic reboot is enabled and needed, reboot at the + specific time (instead of immediately). + * `remove`(`true`): Remove unneeded dependencies after update installation. + + Any of these keys can be specified and will be merged into the defaults: + + ```puppet + class { 'unattended_upgrades': + auto => { 'reboot' => true }, + } + ``` + +* `backup` (`{}`): A hash with two possible keys: + * `archive_internal` (`0`): Backup after n-days if archive contents changed. + * `level` (`3`): Backup level. + + Any of these keys can be specified and will be merged into the defaults: + + ```puppet + class { 'unattended_upgrades': + backup => { 'level' => 5 }, + } + ``` + +* `blacklist`(`[]`): A list of packages to **not** automatically upgrade. +* `dl_limit`(`undef`): Use a bandwidth limit for downloading, specified in kb/sec. +* `enable` (`1`): Enable the automatic installation of updates. 
+* `install_on_shutdown` (`false`): Install updates on shutdown instead of in the + background. +* `legacy_origin` (`true` for Debian (squeeze), Ubuntu (precise, trusty, utopic, + vivid, wily, xenial, yakkety, zesty, artful, bionic and default), `false` for Debian (wheezy and default)): + Use the legacy `Unattended-Upgrade::Allowed-Origins` setting or the modern `Unattended-Upgrade::Origins-Pattern`. +* `mail`: A hash to configure email behaviour with two possible keys: + * `only_on_error` (`true`): Only send mail when something went wrong + * `to` (`undef`): Email address to send email too + + If the default for `to` is kept you will not receive any mail at all. You'll + likely want to set this parameter. + + Any of these keys can be specified and will be merged into the defaults: + + ```puppet + class { 'unattended_upgrades': + mail => { 'to' => 'admin@domain.tld', }, + } + ``` + +* `minimal_steps` (`true`): Split the upgrade process into sections to allow + shutdown during upgrade. +* `origins`: The repositories from which to automatically upgrade included packages. +* `package_ensure` (`installed`): The ensure state for the 'unattended-upgrades' + package. +* `random_sleep` (`undef`): Maximum amount of time (in seconds) that the apt cron + job can sleep before the execution. The exact amount of time will be random but + up to the value specified. The purpose is to avoid that servers/mirrors get + hammered at exactly the same time when a lot of machines are switched on, e.g. + 9:00 in the morning. Note: If this is left unset, the default value in the apt + cron job applies, which is 1800 seconds. +* `size` (`0`): Maximum size of the cache in MB. +* `update` (`1`): Do "apt-get update" automatically every n-days. +* `upgrade` (`1`): Run the "unattended-upgrade" security upgrade script every n-days. +* `upgradeable_packages` (`{}`): A hash with two possible keys: + * `download_only` (`0`): Do "apt-get upgrade --download-only" every n-days. 
+ * `debdelta` (`1`): Use debdelta-upgrade to download updates if available. + + Any of these keys can be specified and will be merged into the defaults: + + ```puppet + class { 'unattended_upgrades': + upgradeable_packages => { 'debdelta' => 1, }, + } + ``` + +* `verbose` (`0`): Send report mail to root. +* `options` (`{}`): A hash of settings with these possible keys: + * `force_confdef` (`true`) : Use the default option for new config files if one + is available, don't prompt. If no default can be found, you will be prompted + unless one of the confold or confnew options is also given + * `force_confold` (`true`): Always use the old config files, don't prompt + * `force_confnew` (`false`): Always use the new config files, don't prompt + * `force_conmiss` (`false`): Always install missing config files + +## Limitations + +This module should work across all versions of Debian, Ubuntu, and Linux Mint. + +## License + +The original code for this module comes from Evolving Web and was licensed under +the MIT license. Code added since the fork of that module into puppetlabs-apt is +covered under the Apache License version 2 as is any code added since it was split +off into this separate unattended\_upgrades module. + +The LICENSE contains both licenses. diff --git a/code/environments/production/modules/unattended_upgrades/Rakefile b/code/environments/production/modules/unattended_upgrades/Rakefile new file mode 100644 index 0000000..279580a --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/Rakefile 
@@ -0,0 +1,92 @@ +require 'puppetlabs_spec_helper/rake_tasks' + +# load optional tasks for releases +# only available if gem group releases is installed +begin + require 'puppet_blacksmith/rake_tasks' + require 'voxpupuli/release/rake_tasks' + require 'puppet-strings/tasks' +rescue LoadError +end + +PuppetLint.configuration.log_format = '%{path}:%{line}:%{check}:%{KIND}:%{message}' +PuppetLint.configuration.fail_on_warnings = true +PuppetLint.configuration.send('relative') +PuppetLint.configuration.send('disable_140chars') +PuppetLint.configuration.send('disable_class_inherits_from_params_class') +PuppetLint.configuration.send('disable_documentation') +PuppetLint.configuration.send('disable_single_quote_string_with_variables') + +exclude_paths = %w( + pkg/**/* + vendor/**/* + .vendor/**/* + spec/**/* +) +PuppetLint.configuration.ignore_paths = exclude_paths +PuppetSyntax.exclude_paths = exclude_paths + +desc 'Auto-correct puppet-lint offenses' +task 'lint:auto_correct' do + PuppetLint.configuration.fix = true + Rake::Task[:lint].invoke +end + +desc 'Run acceptance tests' +RSpec::Core::RakeTask.new(:acceptance) do |t| + t.pattern = 'spec/acceptance' +end + +desc 'Run tests metadata_lint, release_checks' +task test: [ + :metadata_lint, + :release_checks, +] + +desc "Run main 'test' task and report merged results to coveralls" +task test_with_coveralls: [:test] do + if Dir.exist?(File.expand_path('../lib', __FILE__)) + require 'coveralls/rake/task' + Coveralls::RakeTask.new + Rake::Task['coveralls:push'].invoke + else + puts 'Skipping reporting to coveralls. 
Module has no lib dir' + end +end + +desc "Print supported beaker sets" +task 'beaker_sets', [:directory] do |t, args| + directory = args[:directory] + + metadata = JSON.load(File.read('metadata.json')) + + (metadata['operatingsystem_support'] || []).each do |os| + (os['operatingsystemrelease'] || []).each do |release| + if directory + beaker_set = "#{directory}/#{os['operatingsystem'].downcase}-#{release}" + else + beaker_set = "#{os['operatingsystem'].downcase}-#{release}-x64" + end + + filename = "spec/acceptance/nodesets/#{beaker_set}.yml" + + puts beaker_set if File.exists? filename + end + end +end + +begin + require 'github_changelog_generator/task' + GitHubChangelogGenerator::RakeTask.new :changelog do |config| + version = (Blacksmith::Modulefile.new).version + config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/ + config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file.\nEach new release typically also includes the latest modulesync defaults.\nThese should not affect the functionality of the module." + config.exclude_labels = %w{duplicate question invalid wontfix wont-fix modulesync skip-changelog} + config.user = 'voxpupuli' + metadata_json = File.join(File.dirname(__FILE__), 'metadata.json') + metadata = JSON.load(File.read(metadata_json)) + config.project = metadata['name'] + end +rescue LoadError +end +# vim: syntax=ruby diff --git a/code/environments/production/modules/unattended_upgrades/checksums.json b/code/environments/production/modules/unattended_upgrades/checksums.json new file mode 100644 index 0000000..51c202a --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/checksums.json 
@@ -0,0 +1,49 @@ +{ + "CHANGELOG.md": "0c78eb1a6de83f1ef4f345f5a55ac1d3", + "CONTRIBUTING.md": "8df0e5be30b6bca932fb5e34c2264522", + "Gemfile": "e0ccc2d1aa1c92e49ffd9bf223e19e9e", + "LICENSE": "af8fc9990a9f7c14ace9fc6725030015", + "README.md": "5c8a680236d95ba64a82836197992ef8", + "Rakefile": "3c6f218e7e63e1a6e24251f365423e49", + "manifests/init.pp": "7878b90d3bca0cc7d974c4ff3a4ec7aa", + "manifests/params.pp": "16a749c1f9922ffe250665127300de27", + "metadata.json": "6969f35d506ba326f56874cbffb829c8", + "spec/acceptance/nodesets/archlinux-2-x64.yml": "daafcfcb4c8c8766856f52cec6ae5e86", + "spec/acceptance/nodesets/centos-511-x64.yml": "ca8258bc835dd985a1754689d124cd66", + "spec/acceptance/nodesets/centos-6-x64.yml": "58065782a8d40780d9728257a23504cd", + "spec/acceptance/nodesets/centos-66-x64-pe.yml": "e68e03dc562bf58f7c5bba54a1a34619", + "spec/acceptance/nodesets/centos-66-x64.yml": "7ffa6d9164a88668fcd51a1988c4dc03", + "spec/acceptance/nodesets/centos-7-x64.yml": "68d3556f670b8ac0a169a8270ff8c37a", + "spec/acceptance/nodesets/centos-72-x64.yml": "194841a65e8835ac9ee6620e60b58f80", + "spec/acceptance/nodesets/debian-78-x64.yml": "56af2760a64c13a0bccd59404435939c", + "spec/acceptance/nodesets/debian-82-x64.yml": "26f2f696e6073549fe0a844f9a46f85b", + "spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml": "b3dc2d81918fcc6d56855c88ba5b7ce8", + "spec/acceptance/nodesets/ec2/image_templates.yaml": "516f9c4c3407993a100090ce9e1a643c", + "spec/acceptance/nodesets/ec2/rhel-73-x64.yml": "e74670a1cb8eea32afc879a5d786f9bd", + "spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml": "2506efcc9fb420132edc37bf88d6e21d", + "spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml": "87efd97ff1b073c3448f429a8ffc5a7c", + "spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml": "e9db4dd16c60c52b433694130c2583a0", + "spec/acceptance/nodesets/fedora-24-x64.yml": "431cd85b87a65a55af193a360aa52f26", + "spec/acceptance/nodesets/fedora-25-x64.yml": "807fbf45f95fc7bc2af8c689d34e4160", + 
"spec/acceptance/nodesets/fedora-26-x64.yml": "e7ee1e18590548ff098192c2127c6697", + "spec/acceptance/nodesets/fedora-27-x64.yml": "326a10c4eb327ccd85775dfa0f76e5c1", + "spec/acceptance/nodesets/ubuntu-server-1204-x64.yml": "0dd7639bf95bfb18169ebba9a2bac163", + "spec/acceptance/nodesets/ubuntu-server-1404-x64.yml": "7455367b784060b921360b29a56cd74c", + "spec/acceptance/nodesets/ubuntu-server-1604-x64.yml": "37673118cc3bf052755d65fb5dd90226", + "spec/classes/coverage_spec.rb": "166c74e93a4e70e9de79ae69f3c10e1d", + "spec/classes/debian_spec.rb": "2442460f6ac65b57dbed1f0b5cd5613a", + "spec/classes/other_debians_spec.rb": "0b3dc9c91f64539ceb567a7338665d21", + "spec/classes/ubuntu_spec.rb": "928636e6095d7fa33fdbcc82e07cfd69", + "spec/classes/unattended_upgrades_spec.rb": "415fb4fee7d0146845a1e76372099fdf", + "spec/default_facts.yml": "3da74b0aff340a4fbcca9cc4eba104c1", + "spec/spec_helper.rb": "72093296acb026b92861c5ba6d724836", + "templates/options.erb": "97aa1236f113cb60f9c5d27977b81184", + "templates/periodic.erb": "074b7624345880e6573eb29c42616846", + "templates/unattended-upgrades.erb": "d1d6539e2edb043dc655b4eb7b7b8357", + "types/age.pp": "3d47a787ed3ab14b44672b9f64e23218", + "types/auto.pp": "6d8360f54ff62b9adde435e317297e93", + "types/backup.pp": "a7953de96a5214ef66007c7ab3c4fc32", + "types/mail.pp": "ed5c5a20fcb64bf405d318ee5772a093", + "types/options.pp": "b1f9d825940157b76f4d4c2d75dd22ea", + "types/upgradeable_packages.pp": "d20aa65992ef1c6721ffb7530fe6189e" +}
\ No newline at end of file diff --git a/code/environments/production/modules/unattended_upgrades/manifests/init.pp b/code/environments/production/modules/unattended_upgrades/manifests/init.pp new file mode 100644 index 0000000..35915a6 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/manifests/init.pp 
@@ -0,0 +1,77 @@ +class unattended_upgrades ( + Unattended_upgrades::Age $age = {}, + Unattended_upgrades::Auto $auto = { 'fix_interrupted_dpkg' => true, 'remove' => false, 'reboot' => true, 'reboot_time' => '02:00', }, + Unattended_upgrades::Backup $backup = {}, + Array $blacklist = [], + Optional[Integer[0]] $dl_limit = undef, + Integer[0, 1] $enable = 1, + Boolean $install_on_shutdown = false, + Boolean $legacy_origin = $::unattended_upgrades::params::legacy_origin, + Unattended_upgrades::Mail $mail = {}, + Boolean $minimal_steps = true, + Array $origins = $::unattended_upgrades::params::origins, + String $package_ensure = installed, + Optional[Integer[0]] $random_sleep = undef, + Optional[String] $sender = undef, + Integer[0] $size = 0, + Integer[0] $update = 1, + Integer[0] $upgrade = 1, + Unattended_upgrades::Upgradeable_packages $upgradeable_packages = {}, + Integer[0] $verbose = 0, + Boolean $notify_update = false, + Unattended_upgrades::Options $options = {}, +) inherits ::unattended_upgrades::params { + + # apt::conf settings require the apt class to work + include apt + + $_age = merge($::unattended_upgrades::default_age, $age) + assert_type(Unattended_upgrades::Age, $_age) + + $_auto = merge($::unattended_upgrades::default_auto, $auto) + assert_type(Unattended_upgrades::Auto, $_auto) + + $_backup = merge($::unattended_upgrades::default_backup, $backup) + assert_type(Unattended_upgrades::Backup, $_backup) + + $_mail = merge($::unattended_upgrades::default_mail, $mail) + assert_type(Unattended_upgrades::Mail, $_mail) + + $_upgradeable_packages = merge($::unattended_upgrades::default_upgradeable_packages, $upgradeable_packages) + assert_type(Unattended_upgrades::Upgradeable_packages, $_upgradeable_packages) + + $_options = merge($unattended_upgrades::default_options, $options) + assert_type(Unattended_upgrades::Options, $_options) + + package { 'unattended-upgrades': + ensure => $package_ensure, + } + + apt::conf { 'unattended-upgrades': + priority => 50, 
+ content => template("${module_name}/unattended-upgrades.erb"), + require => Package['unattended-upgrades'], + notify_update => $notify_update, + } + + apt::conf { 'periodic': + priority => 10, + content => template("${module_name}/periodic.erb"), + require => Package['unattended-upgrades'], + notify_update => $notify_update, + } + + apt::conf { 'auto-upgrades': + ensure => absent, + priority => 20, + require => Package['unattended-upgrades'], + notify_update => $notify_update, + } + apt::conf { 'options': + priority => 10, + content => template("${module_name}/options.erb"), + require => Package['unattended-upgrades'], + notify_update => $notify_update, + } + +} diff --git a/code/environments/production/modules/unattended_upgrades/manifests/params.pp b/code/environments/production/modules/unattended_upgrades/manifests/params.pp new file mode 100644 index 0000000..1457c28 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/manifests/params.pp 
@@ -0,0 +1,150 @@ +# +class unattended_upgrades::params { + + if $::osfamily != 'Debian' { + fail('This module only works on Debian or derivatives like Ubuntu') + } + + $default_auto = { 'fix_interrupted_dpkg' => true, 'remove' => true, 'reboot' => false, 'clean' => 0, 'reboot_time' => 'now', } + $default_mail = { 'only_on_error' => true, } + $default_backup = { 'archive_interval' => 0, 'level' => 3, } + $default_age = { 'min' => 2, 'max' => 0, } + $default_upgradeable_packages = { 'download_only' => 0, 'debdelta' => 1, } + $default_options = { 'force_confdef' => true, + 'force_confold' => true, + 'force_confnew' => false, + 'force_confmiss' => false, } + # prior to puppet 3.5.0, defined couldn't test if a variable was defined + # strict variables wasn't added until 3.5.0, so this should be fine. + if ! $::settings::strict_variables { + $xfacts = { + 'lsbdistid' => $::lsbdistid, + 'lsbdistcodename' => $::lsbdistcodename, + 'lsbmajdistrelease' => $::lsbmajdistrelease, + 'lsbdistrelease' => $::lsbdistrelease, + } + } else { + # Strict variables facts lookup compatibility + $xfacts = { + 'lsbdistid' => defined('$lsbdistid') ? { + true => $::lsbdistid, + default => undef, + }, + 'lsbdistcodename' => defined('$lsbdistcodename') ? { + true => $::lsbdistcodename, + default => undef, + }, + 'lsbmajdistrelease' => defined('$lsbmajdistrelease') ? { + true => $::lsbmajdistrelease, + default => undef, + }, + 'lsbdistrelease' => defined('$lsbdistrelease') ? 
{ + true => $::lsbdistrelease, + default => undef, + }, + } + } + + case $xfacts['lsbdistid'] { + 'debian', 'raspbian': { + case $xfacts['lsbdistcodename'] { + 'squeeze': { + $legacy_origin = true + $origins = ['${distro_id} ${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + '${distro_id} ${distro_codename}-lts',] #lint:ignore:single_quote_string_with_variables + } + 'wheezy': { + $legacy_origin = false + $origins = [ + 'origin=Debian,archive=oldoldstable,label=Debian-Security', + ] + } + 'jessie': { + $legacy_origin = false + $origins = [ + 'origin=Debian,archive=oldstable,label=Debian-Security', + ] + } + 'stretch': { + $legacy_origin = false + $origins = [ + 'origin=Debian,codename=${distro_codename}', + 'origin=Debian,codename=${distro_codename}-updates', + 'origin=Debian,archive=${distro_codename},label=Debian-Security', + 'origin=IT-Zukunft-Schule,archive=${distro_codename},label=IT-Zukunft-Schule', + ] + } + default: { + $legacy_origin = false + $origins = ['origin=Debian,codename=${distro_codename},label=Debian-Security',] #lint:ignore:single_quote_string_with_variables + } + } + } + 'ubuntu': { + case $xfacts['lsbdistcodename'] { + 'precise': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + + } + 'trusty', 'wily': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + 'xenial', 'yakkety', 'zesty', 'artful', 'bionic': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}', #lint:ignore:single_quote_string_with_variables + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + default: { + warning("Ubuntu ${xfacts['lsbdistrelease']} \"${xfacts['lsbdistcodename']}\" has reached End of Life - please upgrade!") + $legacy_origin = true + $origins = [ + 
'${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + } + } + 'LinuxMint': { + case $xfacts['lsbmajdistrelease'] { + # Linux Mint 13 is based on Ubuntu 12.04 + '13': { + $legacy_origin = true + $origins = [ + 'Ubuntu:precise-security', + ] + } + # Linux Mint 17* is based on Ubuntu 14.04. + '17': { + $legacy_origin = true + $origins = [ + 'Ubuntu:trusty-security', + ] + } + # Linux Mint 18* is based on Ubuntu 16.04 + '18': { + $legacy_origin = true + $origins = [ + 'Ubuntu:xenial-security', + ] + } + default: { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + } + } + default: { + $legacy_origin = undef + $origins = undef + } + } +} diff --git a/code/environments/production/modules/unattended_upgrades/manifests/params.pp.testing b/code/environments/production/modules/unattended_upgrades/manifests/params.pp.testing new file mode 100644 index 0000000..2cef999 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/manifests/params.pp.testing 
@@ -0,0 +1,147 @@ +# +class unattended_upgrades::params { + + if $::osfamily != 'Debian' { + fail('This module only works on Debian or derivatives like Ubuntu') + } + + $default_auto = { 'fix_interrupted_dpkg' => true, 'remove' => true, 'reboot' => false, 'clean' => 0, 'reboot_time' => 'now', } + $default_mail = { 'only_on_error' => true, } + $default_backup = { 'archive_interval' => 0, 'level' => 3, } + $default_age = { 'min' => 2, 'max' => 0, } + $default_upgradeable_packages = { 'download_only' => 0, 'debdelta' => 1, } + $default_options = { 'force_confdef' => true, + 'force_confold' => true, + 'force_confnew' => false, + 'force_confmiss' => false, } + # prior to puppet 3.5.0, defined couldn't test if a variable was defined + # strict variables wasn't added until 3.5.0, so this should be fine. + if ! $::settings::strict_variables { + $xfacts = { + 'lsbdistid' => $::lsbdistid, + 'lsbdistcodename' => $::lsbdistcodename, + 'lsbmajdistrelease' => $::lsbmajdistrelease, + 'lsbdistrelease' => $::lsbdistrelease, + } + } else { + # Strict variables facts lookup compatibility + $xfacts = { + 'lsbdistid' => defined('$lsbdistid') ? { + true => $::lsbdistid, + default => undef, + }, + 'lsbdistcodename' => defined('$lsbdistcodename') ? { + true => $::lsbdistcodename, + default => undef, + }, + 'lsbmajdistrelease' => defined('$lsbmajdistrelease') ? { + true => $::lsbmajdistrelease, + default => undef, + }, + 'lsbdistrelease' => defined('$lsbdistrelease') ? 
{ + true => $::lsbdistrelease, + default => undef, + }, + } + } + + case $xfacts['lsbdistid'] { + 'debian', 'raspbian': { + case $xfacts['lsbdistcodename'] { + 'squeeze': { + $legacy_origin = true + $origins = ['${distro_id} ${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + '${distro_id} ${distro_codename}-lts',] #lint:ignore:single_quote_string_with_variables + } + 'wheezy': { + $legacy_origin = false + $origins = [ + 'origin=Debian,archive=oldoldstable,label=Debian-Security', + ] + } + 'jessie': { + $legacy_origin = false + $origins = [ + 'origin=Debian,archive=oldstable,label=Debian-Security', + ] + } + 'stretch': { + $legacy_origin = false + $origins = [ + 'origin=Debian,archive=${distro_codename},label=Debian-Security', + ] + } + default: { + $legacy_origin = false + $origins = ['origin=Debian,codename=${distro_codename},label=Debian-Security',] #lint:ignore:single_quote_string_with_variables + } + } + } + 'ubuntu': { + case $xfacts['lsbdistcodename'] { + 'precise': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + + } + 'trusty', 'wily': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + 'xenial', 'yakkety', 'zesty', 'artful', 'bionic': { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}', #lint:ignore:single_quote_string_with_variables + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + default: { + warning("Ubuntu ${xfacts['lsbdistrelease']} \"${xfacts['lsbdistcodename']}\" has reached End of Life - please upgrade!") + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + } + } + 'LinuxMint': { + case $xfacts['lsbmajdistrelease'] { + # Linux Mint 13 is based on Ubuntu 12.04 + '13': { + 
$legacy_origin = true + $origins = [ + 'Ubuntu:precise-security', + ] + } + # Linux Mint 17* is based on Ubuntu 14.04. + '17': { + $legacy_origin = true + $origins = [ + 'Ubuntu:trusty-security', + ] + } + # Linux Mint 18* is based on Ubuntu 16.04 + '18': { + $legacy_origin = true + $origins = [ + 'Ubuntu:xenial-security', + ] + } + default: { + $legacy_origin = true + $origins = [ + '${distro_id}:${distro_codename}-security', #lint:ignore:single_quote_string_with_variables + ] + } + } + } + default: { + $legacy_origin = undef + $origins = undef + } + } +} diff --git a/code/environments/production/modules/unattended_upgrades/metadata.json b/code/environments/production/modules/unattended_upgrades/metadata.json new file mode 100644 index 0000000..6357daf --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/metadata.json 
@@ -0,0 +1,55 @@ +{ + "name": "puppet-unattended_upgrades", + "version": "3.2.0", + "author": "Vox Pupuli", + "summary": "Provides an interface for managing Apt unattended_upgrades with Puppet", + "license": "Apache-2.0", + "source": "https://github.com/voxpupuli/puppet-unattended_upgrades.git", + "project_page": "https://github.com/voxpupuli/puppet-unattended_upgrades", + "issues_url": "https://github.com/voxpupuli/puppet-unattended_upgrades/issues", + "dependencies": [ + { + "name": "puppetlabs/stdlib", + "version_requirement": ">= 4.13.1 < 5.0.0" + }, + { + "name": "puppetlabs/apt", + "version_requirement": ">= 2.2.0 < 5.0.0" + } + ], + "data_provider": null, + "tags": [ + "unattended-upgrades", + "unattended_upgrades", + "apt", + "patching", + "security", + "debian" + ], + "operatingsystem_support": [ + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "8", + "9" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "14.04", + "16.04", + "16.10", + "17.04", + "17.10", + "18.04" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">= 4.10.0 < 6.0.0" + } + ] +} diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/archlinux-2-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/archlinux-2-x64.yml new file mode 100644 index 0000000..89b6300 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/archlinux-2-x64.yml @@ -0,0 +1,13 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + archlinux-2-x64: + roles: + - master + platform: archlinux-2-x64 + box: archlinux/archlinux + hypervisor: vagrant +CONFIG: + type: foss 
diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-511-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-511-x64.yml new file mode 100644 index 0000000..089d646 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-511-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-511-x64: + roles: + - master + platform: el-5-x86_64 + box: puppetlabs/centos-5.11-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-6-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-6-x64.yml new file mode 100644 index 0000000..16abc8f --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-6-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-6-x64: + roles: + - master + platform: el-6-x86_64 + box: centos/6 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64-pe.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64-pe.yml new file mode 100644 index 0000000..1e7aea6 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64-pe.yml 
@@ -0,0 +1,17 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-66-x64: + roles: + - master + - database + - dashboard + platform: el-6-x86_64 + box: puppetlabs/centos-6.6-64-puppet-enterprise + hypervisor: vagrant +CONFIG: + type: pe +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64.yml new file mode 100644 index 0000000..42455e7 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-66-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-66-x64: + roles: + - master + platform: el-6-x86_64 + box: puppetlabs/centos-6.6-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-7-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-7-x64.yml new file mode 100644 index 0000000..e05a3ae --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-7-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-7-x64: + roles: + - master + platform: el-7-x86_64 + box: centos/7 + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml 
diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-72-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-72-x64.yml new file mode 100644 index 0000000..85af89d --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/centos-72-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + centos-72-x64: + roles: + - master + platform: el-7-x86_64 + box: puppetlabs/centos-7.2-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-78-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-78-x64.yml new file mode 100644 index 0000000..6ef6de8 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-78-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-78-x64: + roles: + - master + platform: debian-7-amd64 + box: puppetlabs/debian-7.8-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-82-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-82-x64.yml new file mode 100644 index 0000000..9897a8f --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/debian-82-x64.yml 
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + debian-82-x64: + roles: + - master + platform: debian-8-amd64 + box: puppetlabs/debian-8.2-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml new file mode 100644 index 0000000..19dd43e --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/amazonlinux-2016091.yml @@ -0,0 +1,31 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Amazon Linux is not a RHEL clone. +# +HOSTS: + amazonlinux-2016091-x64: + roles: + - master + platform: centos-6-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: amazonlinux-2016091-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/image_templates.yaml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/image_templates.yaml new file mode 100644 index 0000000..e50593e --- /dev/null 
+++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/image_templates.yaml @@ -0,0 +1,34 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# see also: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +# Hint: image IDs (ami-*) for the same image are different per location. +# +AMI: + # Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type + amazonlinux-2016091-eu-central-1: + :image: + :aio: ami-af0fc0c0 + :region: eu-central-1 + # Red Hat Enterprise Linux 7.3 (HVM), SSD Volume Type + rhel-73-eu-central-1: + :image: + :aio: ami-e4c63e8b + :region: eu-central-1 + # SUSE Linux Enterprise Server 12 SP2 (HVM), SSD Volume Type + sles-12sp2-eu-central-1: + :image: + :aio: ami-c425e4ab + :region: eu-central-1 + # Ubuntu Server 16.04 LTS (HVM), SSD Volume Type + ubuntu-1604-eu-central-1: + :image: + :aio: ami-fe408091 + :region: eu-central-1 + # Microsoft Windows Server 2016 Base + windows-2016-base-eu-central-1: + :image: + :aio: ami-88ec20e7 + :region: eu-central-1 diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/rhel-73-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/rhel-73-x64.yml new file mode 100644 index 0000000..7fac823 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/rhel-73-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + rhel-73-x64: + roles: + - master + platform: el-7-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: rhel-73-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml new file mode 100644 index 0000000..8542154 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/sles-12sp2-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + sles-12sp2-x64: + roles: + - master + platform: sles-12-x86_64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: sles-12sp2-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml new file mode 100644 index 0000000..9cf59d5 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/ubuntu-1604-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + ubuntu-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: ubuntu-1604-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ubuntu +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml new file mode 100644 index 0000000..0932e29 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ec2/windows-2016-base-x64.yml 
@@ -0,0 +1,29 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# Additional ~/.fog config file with AWS EC2 credentials +# required. +# +# see: https://github.com/puppetlabs/beaker/blob/master/docs/how_to/hypervisors/ec2.md +# +HOSTS: + windows-2016-base-x64: + roles: + - master + platform: windows-2016-64 + hypervisor: ec2 + # refers to image_tempaltes.yaml AMI[vmname] entry: + vmname: windows-2016-base-eu-central-1 + # refers to image_tempaltes.yaml entry inside AMI[vmname][:image]: + snapshot: aio + # t2.micro is free tier eligible (https://aws.amazon.com/en/free/): + amisize: t2.micro + # required so that beaker sanitizes sshd_config and root authorized_keys: + user: ec2-user +CONFIG: + type: aio + :ec2_yaml: spec/acceptance/nodesets/ec2/image_templates.yaml +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-24-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-24-x64.yml new file mode 100644 index 0000000..820b62d --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-24-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + fedora-24-x64: + roles: + - master + platform: fedora-24-x86_64 + box: fedora/24-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-25-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-25-x64.yml new file mode 100644 index 0000000..54dd330 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-25-x64.yml 
@@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-25-x64: + roles: + - master + platform: fedora-25-x86_64 + box: fedora/25-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-26-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-26-x64.yml new file mode 100644 index 0000000..598822b --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-26-x64.yml @@ -0,0 +1,16 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +HOSTS: + fedora-26-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/26-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-27-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-27-x64.yml new file mode 100644 index 0000000..c2b61eb --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/fedora-27-x64.yml @@ -0,0 +1,18 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# platform is fedora 26 because there is no puppet-agent +# for fedora 27 as of 2017-11-17 +HOSTS: + fedora-27-x64: + roles: + - master + platform: fedora-26-x86_64 + box: fedora/27-cloud-base + hypervisor: vagrant +CONFIG: + type: aio +... +# vim: syntax=yaml 
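Review bot: The four ec2 nodesets (rhel-73, sles-12sp2, ubuntu-1604, windows-2016-base) are acceptance-test scaffolding that expects a ~/.fog file with AWS EC2 credentials, and they are being added under code/environments/production/modules/, where catalog compilation does not use them. Consider leaving spec/acceptance out of the vendored copy. If they stay, the comments spell the file "image_tempaltes.yaml" while the :ec2_yaml key points at image_templates.yaml, and the windows-2016-base nodeset carries the "sanitizes sshd_config and root authorized_keys" comment with user: ec2-user, which looks copied from the Linux nodesets.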
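Review bot: In fedora-27-x64.yml the platform is set to fedora-26-x86_64 while the box is fedora/27-cloud-base, justified by a comment dated 2017-11-17; this commit is from 2018-09, so the workaround should be rechecked or the nodeset dropped. The spec files added in this patch only assert on files under /etc/apt/apt.conf.d, so it is also worth confirming that the Fedora nodesets are needed here at all.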
diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml new file mode 100644 index 0000000..29102c5 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1204-x64: + roles: + - master + platform: ubuntu-12.04-amd64 + box: puppetlabs/ubuntu-12.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml new file mode 100644 index 0000000..054e658 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml @@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1404-x64: + roles: + - master + platform: ubuntu-14.04-amd64 + box: puppetlabs/ubuntu-14.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml new file mode 100644 index 0000000..bc85e0e --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/acceptance/nodesets/ubuntu-server-1604-x64.yml 
@@ -0,0 +1,15 @@ +--- +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +HOSTS: + ubuntu-server-1604-x64: + roles: + - master + platform: ubuntu-16.04-amd64 + box: puppetlabs/ubuntu-16.04-64-nocm + hypervisor: vagrant +CONFIG: + type: foss +... +# vim: syntax=yaml diff --git a/code/environments/production/modules/unattended_upgrades/spec/classes/coverage_spec.rb b/code/environments/production/modules/unattended_upgrades/spec/classes/coverage_spec.rb new file mode 100644 index 0000000..de44654 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/classes/coverage_spec.rb @@ -0,0 +1,4 @@ +require 'rspec-puppet' + +at_exit { RSpec::Puppet::Coverage.report! } +# vim: syntax=ruby diff --git a/code/environments/production/modules/unattended_upgrades/spec/classes/debian_spec.rb b/code/environments/production/modules/unattended_upgrades/spec/classes/debian_spec.rb new file mode 100644 index 0000000..c2d4ec2 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/classes/debian_spec.rb 
@@ -0,0 +1,146 @@ +require 'spec_helper' + +# rubocop:disable Style/RegexpLiteral +describe 'unattended_upgrades' do + let(:file_unattended) { '/etc/apt/apt.conf.d/50unattended-upgrades' } + let(:file_periodic) { '/etc/apt/apt.conf.d/10periodic' } + let(:file_options) { '/etc/apt/apt.conf.d/10options' } + + shared_examples 'Debian specs' do + let(:params) { {} } + + it { is_expected.to compile.with_all_deps } + + it do + is_expected.to create_file(file_periodic).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /APT::Periodic::Enable "1";/ + ).with_content( + /APT::Periodic::BackupArchiveInterval "0";/ + ).with_content( + /APT::Periodic::BackupLevel "3";/ + ).with_content( + /APT::Periodic::MaxAge "0";/ + ).with_content( + /APT::Periodic::MinAge "2";/ + ).with_content( + /APT::Periodic::MaxSize "0";/ + ).with_content( + /APT::Periodic::Update-Package-Lists "1";/ + ).with_content( + /APT::Periodic::Download-Upgradeable-Packages "0";/ + ).with_content( + /APT::Periodic::Download-Upgradeable-Packages-Debdelta "1";/ + ).with_content( + /APT::Periodic::Unattended-Upgrade "1";/ + ).with_content( + /APT::Periodic::AutocleanInterval "0";/ + ).with_content( + /APT::Periodic::Verbose "0";/ + ) + end + + it do + is_expected.to contain_apt__conf('auto-upgrades').with( + ensure: 'absent' + ) + end + it do + is_expected.to create_file(file_options).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /^Dpkg::Options\s{/ + ).with_content( + /^\s+\"--force-confdef\";/ + ).with_content( + /^\s+\"--force-confold\";/ + ).without_content( + /\"--force-confnew\";/ + ).without_content( + /\"--force-confmiss\";/ + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge(fqdn: 'unattended-upgrades.example.com', + path: '/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin') + end + + if facts[:operatingsystem] == 'Debian' + 
it_behaves_like 'Debian specs' + + case facts[:lsbdistcodename] + when 'squeeze' + context 'with defaults on Debian 6 Squeeze' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This section varies for different releases + /\Unattended-Upgrade::Allowed-Origins\ {\n + \t"\${distro_id}\ \${distro_codename}-security";\n + \t"\${distro_id}\ \${distro_codename}-lts";\n + };/x + ) + end + end + when 'wheezy' + context 'with defaults on Debian 7 wheezy' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This section varies for different releases + /\Unattended-Upgrade::Origins-Pattern\ {\n + \t"origin=Debian,archive=oldoldstable,label=Debian-Security";\n + };/x + ) + end + end + when 'jessie' + context 'with defaults on Debian 8 Jessie' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This section varies for different releases + /\Unattended-Upgrade::Origins-Pattern\ {\n + \t"origin=Debian,archive=oldstable,label=Debian-Security";\n + };/x + ) + end + end + when 'stretch' + context 'with defaults on Debian 9 Stretch' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This section varies for different releases + /\Unattended-Upgrade::Origins-Pattern\ {\n + \t"origin=Debian,archive=stable,label=Debian-Security";\n + };/x + ) + end + end + end + end + end + end +end diff --git a/code/environments/production/modules/unattended_upgrades/spec/classes/other_debians_spec.rb b/code/environments/production/modules/unattended_upgrades/spec/classes/other_debians_spec.rb new file mode 100644 index 0000000..a4dcd2f --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/classes/other_debians_spec.rb 
@@ -0,0 +1,128 @@ +require 'spec_helper' +describe 'unattended_upgrades' do + let(:file_unattended) { '/etc/apt/apt.conf.d/50unattended-upgrades' } + let(:file_periodic) { '/etc/apt/apt.conf.d/10periodic' } + let(:file_options) { '/etc/apt/apt.conf.d/10options' } + + context 'with defaults on Raspbian' do + let(:facts) do + { + os: { + name: 'Raspbian', + family: 'Debian', + release: { + full: '8.0' + } + }, + osfamily: 'Debian', + lsbdistid: 'Raspbian', + lsbdistcodename: 'jessie', + lsbrelease: '8.0' + } + end + + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ) + end + end + + context 'with defaults on Linux Mint 13 Maya' do + let(:facts) do + { + os: { + name: 'LinuxMint', + family: 'Debian', + release: { + full: '13' + } + }, + osfamily: 'Debian', + lsbdistid: 'LinuxMint', + lsbdistcodename: 'maya', + lsbdistrelease: '13', + lsbmajdistrelease: '13' + } + end + + it do + is_expected.to create_file(file_unattended).with( + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + %r{\Unattended-Upgrade::Allowed-Origins\ {\n + \t"Ubuntu\:precise-security";\n + };}x + ) + end + end + + context 'with defaults on Linux Mint 17.3 Rosa' do + let(:facts) do + { + os: { + name: 'LinuxMint', + family: 'Debian', + release: { + full: '17.3' + } + }, + osfamily: 'Debian', + lsbdistid: 'LinuxMint', + lsbdistcodename: 'rosa', + lsbdistrelease: '17.3', + lsbmajdistrelease: '17' + } + end + + it do + is_expected.to create_file(file_unattended).with( + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + %r{\Unattended-Upgrade::Allowed-Origins\ {\n + \t"Ubuntu\:trusty-security";\n + };}x + ) + end + end + + context 'with defaults on Linux Mint 18 Sarah' do + let(:facts) do + { + os: { + name: 'LinuxMint', + family: 
'Debian', + release: { + full: '18' + } + }, + osfamily: 'Debian', + lsbdistid: 'LinuxMint', + lsbdistcodename: 'sarah', + lsbdistrelease: '18', + lsbmajdistrelease: '18' + } + end + + it do + is_expected.to create_file(file_unattended).with( + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + %r{\Unattended-Upgrade::Allowed-Origins\ {\n + \t"Ubuntu\:xenial-security";\n + };}x + ) + end + end +end diff --git a/code/environments/production/modules/unattended_upgrades/spec/classes/ubuntu_spec.rb b/code/environments/production/modules/unattended_upgrades/spec/classes/ubuntu_spec.rb new file mode 100644 index 0000000..6d756bb --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/classes/ubuntu_spec.rb 
@@ -0,0 +1,131 @@ +require 'spec_helper' + +# rubocop:disable Style/RegexpLiteral +describe 'unattended_upgrades' do + let(:file_unattended) { '/etc/apt/apt.conf.d/50unattended-upgrades' } + let(:file_periodic) { '/etc/apt/apt.conf.d/10periodic' } + let(:file_options) { '/etc/apt/apt.conf.d/10options' } + + shared_examples 'Ubuntu specs' do + let(:params) { {} } + + it { is_expected.to compile.with_all_deps } + + it do + is_expected.to create_file(file_periodic).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /APT::Periodic::Enable "1";/ + ).with_content( + /APT::Periodic::BackupArchiveInterval "0";/ + ).with_content( + /APT::Periodic::BackupLevel "3";/ + ).with_content( + /APT::Periodic::MaxAge "0";/ + ).with_content( + /APT::Periodic::MinAge "2";/ + ).with_content( + /APT::Periodic::MaxSize "0";/ + ).with_content( + /APT::Periodic::Update-Package-Lists "1";/ + ).with_content( + /APT::Periodic::Download-Upgradeable-Packages "0";/ + ).with_content( + /APT::Periodic::Download-Upgradeable-Packages-Debdelta "1";/ + ).with_content( + /APT::Periodic::Unattended-Upgrade "1";/ + ).with_content( + /APT::Periodic::AutocleanInterval "0";/ + ).with_content( + /APT::Periodic::Verbose "0";/ + ) + end + + it do + is_expected.to contain_apt__conf('auto-upgrades').with( + ensure: 'absent' + ) + end + it do + is_expected.to create_file(file_options).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /^Dpkg::Options\s{/ + ).with_content( + /^\s+\"--force-confdef\";/ + ).with_content( + /^\s+\"--force-confold\";/ + ).without_content( + /\"--force-confnew\";/ + ).without_content( + /\"--force-confmiss\";/ + ) + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge(fqdn: 'unattended-upgrades.example.com', + path: '/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin') + end + + case facts[:operatingsystem] + when 'Ubuntu' + 
it_behaves_like 'Ubuntu specs' + case facts[:lsbdistcodename] + when 'precise' + context 'with defaults on Ubuntu 12.04 Precise' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + /\Unattended-Upgrade::Allowed-Origins\ {\n + \t"\${distro_id}\:\${distro_codename}-security";\n + };/x + ) + end + end + when 'trusty' + context 'with defaults on Ubuntu 14.04 Trusty' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + /\Unattended-Upgrade::Allowed-Origins\ {\n + \t"\${distro_id}\:\${distro_codename}-security";\n + };/x + ) + end + end + when 'xenial' + context 'with defaults on Ubuntu 16.04 Xenial' do + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + # This is the only section that's different for Ubuntu compared to Debian + /\Unattended-Upgrade::Allowed-Origins\ {\n + \t"\${distro_id}\:\${distro_codename}";\n + \t"\${distro_id}\:\${distro_codename}-security";\n + };/x + ) + end + end + end + end + end + end +end diff --git a/code/environments/production/modules/unattended_upgrades/spec/classes/unattended_upgrades_spec.rb b/code/environments/production/modules/unattended_upgrades/spec/classes/unattended_upgrades_spec.rb new file mode 100644 index 0000000..e79a680 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/classes/unattended_upgrades_spec.rb 
@@ -0,0 +1,436 @@ +require 'spec_helper' + +# rubocop:disable Style/RegexpLiteral +describe 'unattended_upgrades' do + let(:file_unattended) { '/etc/apt/apt.conf.d/50unattended-upgrades' } + let(:file_periodic) { '/etc/apt/apt.conf.d/10periodic' } + let(:file_options) { '/etc/apt/apt.conf.d/10options' } + + shared_examples 'basic specs' do + let(:params) { {} } + + context 'baseline specs' do + it { is_expected.to compile.with_all_deps } + + it do + is_expected.to contain_package('unattended-upgrades') + is_expected.to compile.with_all_deps + is_expected.to contain_class('unattended_upgrades::params') + is_expected.to contain_class('unattended_upgrades') + is_expected.to contain_class('apt') + end + + it do + is_expected.to contain_apt__conf('unattended-upgrades').with( + require: 'Package[unattended-upgrades]', + notify_update: false + ) + end + + it do + is_expected.to contain_apt__conf('periodic').with( + require: 'Package[unattended-upgrades]', + notify_update: false + ) + end + + it do + is_expected.to contain_apt__conf('options').with( + require: 'Package[unattended-upgrades]', + notify_update: false + ) + end + + it { is_expected.to create_file(file_unattended).without_content(/Unattended-Upgrade::Sender/) } + end + + context 'set all the things' do + let :params do + { + age: { 'min' => 1, 'max' => 20 }, + size: 1000, + update: 5, + upgradeable_packages: { + 'download_only' => 5, + 'debdelta' => 5 + }, + upgrade: 5, + auto: { + 'clean' => 5, + 'fix_interrupted_dpkg' => false, + 'remove' => false, + 'reboot' => true, + 'reboot_time' => '03:00' + }, + verbose: 1, + legacy_origin: true, + origins: %w[bananas], + blacklist: %w[foo bar], + minimal_steps: false, + install_on_shutdown: true, + mail: { + 'to' => 'root@localhost', + 'only_on_error' => true + }, + sender: 'root@server.example.com', + dl_limit: 70, + random_sleep: 300, + notify_update: true, + options: { + 'force_confdef' => false, + 'force_confold' => false, + 'force_confnew' => true, + 
'force_confmiss' => true + } + } + end + + it { is_expected.to contain_package('unattended-upgrades') } + + it do + is_expected.to contain_apt__conf('unattended-upgrades').with( + require: 'Package[unattended-upgrades]', + notify_update: true + ) + end + + it do + is_expected.to contain_apt__conf('periodic').with( + require: 'Package[unattended-upgrades]', + notify_update: true + ) + end + + it do + is_expected.to contain_apt__conf('options').with( + require: 'Package[unattended-upgrades]', + notify_update: true + ) + end + + it do + is_expected.to create_file(file_unattended).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /Unattended-Upgrade::Allowed-Origins {\n\t"bananas";\n};/ + ).with_content( + /Unattended-Upgrade::Package-Blacklist {\n\t"foo";\n\t"bar";\n};/ + ).with_content( + /Unattended-Upgrade::AutoFixInterruptedDpkg "false";/ + ).with_content( + /Unattended-Upgrade::MinimalSteps "false";/ + ).with_content( + /Unattended-Upgrade::InstallOnShutdown "true";/ + ).with_content( + /Unattended-Upgrade::Remove-Unused-Dependencies "false";/ + ).with_content( + /Unattended-Upgrade::Automatic-Reboot "true";/ + ).with_content( + /Unattended-Upgrade::Automatic-Reboot-Time "03:00";/ + ).with_content( + /Unattended-Upgrade::Mail "root@localhost";/ + ).with_content( + /Unattended-Upgrade::Sender "root@server.example.com";/ + ).with_content( + /Unattended-Upgrade::MailOnlyOnError "true";/ + ).with_content( + /Acquire::http::Dl-Limit "70";/ + ) + end + + it do + is_expected.to create_file(file_periodic).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /APT::Periodic::Enable "1";/ + ).with_content( + /APT::Periodic::BackupArchiveInterval "0";/ + ).with_content( + /APT::Periodic::BackupLevel "3";/ + ).with_content( + /APT::Periodic::MaxAge "20";/ + ).with_content( + /APT::Periodic::MinAge "1";/ + ).with_content( + /APT::Periodic::MaxSize "1000";/ + ).with_content( + /APT::Periodic::Update-Package-Lists "5";/ + 
).with_content( + /APT::Periodic::Download-Upgradeable-Packages "5";/ + ).with_content( + /APT::Periodic::Download-Upgradeable-Packages-Debdelta "5";/ + ).with_content( + /APT::Periodic::Unattended-Upgrade "5";/ + ).with_content( + /APT::Periodic::AutocleanInterval "5";/ + ).with_content( + /APT::Periodic::Verbose "1";/ + ).with_content( + /APT::Periodic::RandomSleep "300";/ + ) + end + + it do + is_expected.to create_file(file_options).with( + owner: 'root', + group: 'root', + mode: '0644' + ).with_content( + /^Dpkg::Options\s{/ + ).without_content( + /"--force-confdef";/ + ).without_content( + /"--force-confold";/ + ).with_content( + /^\s+"--force-confnew";/ + ).with_content( + /^\s+"--force-confmiss";/ + ) + end + it do + is_expected.to contain_apt__conf('auto-upgrades').with( + ensure: 'absent' + ) + end + end + + describe 'validation tests' do + context 'bad install_on_shutdown' do + let :params do + { + install_on_shutdown: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad legacy_origin' do + let :params do + { + legacy_origin: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad minimal_steps' do + let :params do + { + minimal_steps: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad blacklist' do + let :params do + { + blacklist: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad origins' do + let :params do + { + origins: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad auto' do + let :params do + { + auto: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad mail' do + let :params do + { + 
mail: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad backup' do + let :params do + { + backup: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad age' do + let :params do + { + age: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad size' do + let :params do + { + size: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad upgradeable_packages' do + let :params do + { + upgradeable_packages: 'foo' + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad mail[\'only_on_error\']' do + let :params do + { + mail: { 'only_on_error' => 'foo' } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad options[\'force_confdef\']' do + let :params do + { + options: { 'force_confdef' => 'foo' } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad options[\'force_confold\']' do + let :params do + { + options: { 'force_confold' => 'foo' } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad options[\'force_confnew\']' do + let :params do + { + options: { 'force_confnew' => 'foo' } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad options[\'force_confmiss\']' do + let :params do + { + options: { 'force_confmiss' => 'foo' } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /got String/) + end + end + context 'bad options[\'invalid_key\']' do + let :params do + { + options: { 'invalid_key' => 
true } + } + end + + it do + expect do + subject.call + end.to raise_error(Puppet::Error, /unrecognized key 'invalid_key'/) + end + end + end + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge(fqdn: 'unattended-upgrades.example.com', + path: '/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/puppetlabs/bin:/root/bin') + end + + it_behaves_like 'basic specs' + end + end +end diff --git a/code/environments/production/modules/unattended_upgrades/spec/default_facts.yml b/code/environments/production/modules/unattended_upgrades/spec/default_facts.yml new file mode 100644 index 0000000..13c4165 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/default_facts.yml @@ -0,0 +1,14 @@ +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config +# +# use default_module_facts.yaml for module specific +# facts. +# +# Hint if using with rspec-puppet-facts ("on_supported_os.each"): +# if a same named fact exists in facterdb it will be overridden. +--- +concat_basedir: "/tmp" +ipaddress: "172.16.254.254" +is_pe: false +macaddress: "AA:AA:AA:AA:AA:AA" diff --git a/code/environments/production/modules/unattended_upgrades/spec/spec_helper.rb b/code/environments/production/modules/unattended_upgrades/spec/spec_helper.rb new file mode 100644 index 0000000..ea74a52 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/spec/spec_helper.rb 
@@ -0,0 +1,35 @@ +require 'puppetlabs_spec_helper/module_spec_helper' +require 'rspec-puppet-facts' +include RspecPuppetFacts + +# This file is managed via modulesync +# https://github.com/voxpupuli/modulesync +# https://github.com/voxpupuli/modulesync_config + +if Dir.exist?(File.expand_path('../../lib', __FILE__)) + require 'coveralls' + require 'simplecov' + require 'simplecov-console' + SimpleCov.formatters = [ + SimpleCov::Formatter::HTMLFormatter, + SimpleCov::Formatter::Console + ] + SimpleCov.start do + track_files 'lib/**/*.rb' + add_filter '/spec' + add_filter '/vendor' + add_filter '/.vendor' + end +end + +RSpec.configure do |c| + default_facts = { + puppetversion: Puppet.version, + facterversion: Facter.version + } + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_facts.yml', __FILE__)) + default_facts.merge!(YAML.load(File.read(File.expand_path('../default_module_facts.yml', __FILE__)))) if File.exist?(File.expand_path('../default_module_facts.yml', __FILE__)) + c.default_facts = default_facts +end + +# vim: syntax=ruby diff --git a/code/environments/production/modules/unattended_upgrades/templates/options.erb b/code/environments/production/modules/unattended_upgrades/templates/options.erb new file mode 100644 index 0000000..3c6e2d6 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/templates/options.erb @@ -0,0 +1,11 @@ +Dpkg::Options { +<%- @_options.sort_by{|key,value| key}.each do |config, value| + if %w(force_confdef force_confold force_confnew force_confmiss).include?(config) then + if value then -%> + "--<%= config.sub('_','-') -%>"; + <%- end + else + scope.function_fail(["#{config} not a valid key for $unattended_upgrades::options"]) + end +end -%> +} 
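Review bot: In debian_spec.rb and ubuntu_spec.rb the content patterns open with a backslash before the U, as in /\Unattended-Upgrade::Allowed-Origins\ {\n, and \U is not an anchor or character class in Ruby's regex syntax, so it looks like a leftover from \A or ^ and leaves the match unanchored. Drop the backslash or anchor the line with ^Unattended-Upgrade. Separately, the 'Debian specs' and 'Ubuntu specs' shared examples are identical line for line and could be one shared example used by both files.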
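Review bot: In other_debians_spec.rb the Raspbian context sets the fact lsbrelease: '8.0', while every Linux Mint context uses lsbdistrelease and lsbmajdistrelease, so the Raspbian fact name looks like a typo. That context also only checks owner, group and mode of 50unattended-upgrades; add a with_content assertion on the origins block, as the Mint contexts do, so a wrong default origin on Raspbian would fail the test.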
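Review bot: In the 'validation tests' block of unattended_upgrades_spec.rb almost every context asserts raise_error(Puppet::Error, /got String/), which passes for a type error on any parameter, not only the one the context names. Match the parameter name in the expected message so each test fails if a different parameter is the one being rejected. The params in 'set all the things' include sender, but there is no 'bad sender' context alongside the others.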
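Review bot: In spec_helper.rb both default_facts.merge! lines parse the fact files with YAML.load(File.read(...)); use YAML.safe_load there, since default_facts.yml as added in this patch contains only strings and a boolean and does not need object deserialization. The file header says it is managed via modulesync, so the change belongs in the modulesync config rather than in this vendored copy.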
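Review bot: In templates/options.erb the else branch calls scope.function_fail with "#{config} not a valid key", but the spec for options: { 'invalid_key' => true } expects the message "unrecognized key 'invalid_key'", so the template's own check is not the one the tests exercise and may be unreachable. Either remove the branch or add a test that reaches it. Also, config.sub('_','-') replaces only the first underscore; it works for the four allowed keys, but gsub would state the intent.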
diff --git a/code/environments/production/modules/unattended_upgrades/templates/periodic.erb b/code/environments/production/modules/unattended_upgrades/templates/periodic.erb new file mode 100644 index 0000000..780821c --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/templates/periodic.erb 
@@ -0,0 +1,62 @@ +APT::Periodic::Enable "<%= @enable %>"; +# - Enable the update/upgrade script (0=disable) +# +APT::Periodic::BackupArchiveInterval "<%= @_backup['archive_interval'] %>"; +# - Backup after n-days if archive contents changed.(0=disable) +# +APT::Periodic::BackupLevel "<%= @_backup['level'] %>"; +# - Backup level.(0=disable), 1 is invalid. +# +APT::Periodic::MaxAge "<%= @_age['max'] %>"; +# - Set maximum allowed age of a cache package file. If a cache +# package file is older it is deleted (0=disable) +# +APT::Periodic::MinAge "<%= @_age['min'] %>"; +# - Set minimum age of a package file. If a file is younger it +# will not be deleted (0=disable). Usefull to prevent races +# and to keep backups of the packages for emergency. +# +APT::Periodic::MaxSize "<%= @size %>"; +# - Set maximum size of the cache in MB (0=disable). If the cache +# is bigger, cached package files are deleted until the size +# requirement is met (the biggest packages will be deleted +# first). +# +APT::Periodic::Update-Package-Lists "<%= @update %>"; +# - Do "apt-get update" automatically every n-days (0=disable) +# +APT::Periodic::Download-Upgradeable-Packages "<%= @_upgradeable_packages['download_only'] %>"; +# - Do "apt-get upgrade --download-only" every n-days (0=disable) +# +APT::Periodic::Download-Upgradeable-Packages-Debdelta "<%= @_upgradeable_packages['debdelta'] %>"; +# - Use debdelta-upgrade to download updates if available (0=disable) +# +APT::Periodic::Unattended-Upgrade "<%= @upgrade %>"; +# - Run the "unattended-upgrade" security upgrade script +# every n-days (0=disabled) +# Requires the package "unattended-upgrades" and will write +# a log in /var/log/unattended-upgrades +# +APT::Periodic::AutocleanInterval "<%= @_auto['clean'] %>"; +# - Do "apt-get autoclean" every n-days (0=disable) +# +APT::Periodic::Verbose "<%= @verbose %>"; +# - Send report mail to root +# 0: no report (or null string) +# 1: progress report (actually any string) +# 2: + command outputs 
(remove -qq, remove 2>/dev/null, add -d) +# 3: + trace on +<%- unless @random_sleep.nil? -%> +# +APT::Periodic::RandomSleep "<%= @random_sleep %>"; +# - The apt cron job will delay its execution by a random +# time span between zero and 'APT::Periodic::RandomSleep' +# seconds. +# This is done because otherwise everyone would access the +# mirror servers at the same time and put them collectively +# under very high strain. +# You can set this to '0' if you are using a local mirror and +# do not care about the load spikes. +# Note that sleeping in the apt job will be delaying the +# execution of all subsequent cron.daily jobs. +<%- end -%> diff --git a/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb b/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb new file mode 100644 index 0000000..c31b2df --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/templates/unattended-upgrades.erb 
@@ -0,0 +1,78 @@ +// Automatically upgrade packages from these (origin:archive) pairs +// +// Note that in Ubuntu security updates may pull in new dependencies +// from non-security sources (e.g. chromium). By allowing the release +// pocket these get automatically pulled in. +<%- if @legacy_origin -%> +Unattended-Upgrade::Allowed-Origins { +<%- else -%> +Unattended-Upgrade::Origins-Pattern { +<%- end -%> +<% @origins.each do |origin| -%> + "<%= origin %>"; +<% end -%> +}; + +// List of packages to not update (regexp are supported) +Unattended-Upgrade::Package-Blacklist { +<% @blacklist.each do |package| -%> + "<%= package %>"; +<% end -%> +}; + +// This option allows you to control if on a unclean dpkg exit +// unattended-upgrades will automatically run +// dpkg --force-confold --configure -a +// The default is true, to ensure updates keep getting installed +Unattended-Upgrade::AutoFixInterruptedDpkg "<%= @_auto['fix_interrupted_dpkg'].to_s %>"; + +// Split the upgrade into the smallest possible chunks so that +// they can be interrupted with SIGUSR1. This makes the upgrade +// a bit slower but it has the benefit that shutdown while a upgrade +// is running is possible (with a small delay) +Unattended-Upgrade::MinimalSteps "<%= @minimal_steps.to_s %>"; + +// Install all unattended-upgrades when the machine is shuting down +// instead of doing it in the background while the machine is running +// This will (obviously) make shutdown slower +Unattended-Upgrade::InstallOnShutdown "<%= @install_on_shutdown.to_s %>"; + +<%- unless @_mail['to'].nil? -%> +// Send email to this address for problems or packages upgrades +// If empty or unset then no email is sent, make sure that you +// have a working mail setup on your system. A package that provides +// 'mailx' must be installed. E.g. "user@example.com" + +Unattended-Upgrade::Mail "<%= @_mail['to'] %>"; + +<%- if @_mail['only_on_error'] -%> +// Set this value to "true" to get emails only on errors. 
Default +// is to always send a mail if Unattended-Upgrade::Mail is set +Unattended-Upgrade::MailOnlyOnError "<%= @_mail['only_on_error'].to_s %>"; +<%- end -%> +<%- end -%> + +<%- if @sender -%> +// Use the specified value in the "From" field of outgoing mails. +// Defaults to "root" +Unattended-Upgrade::Sender "<%= @sender %>"; + +<%- end -%> +// Do automatic removal of new unused dependencies after the upgrade +// (equivalent to apt-get autoremove) +Unattended-Upgrade::Remove-Unused-Dependencies "<%= @_auto['remove'].to_s %>"; + +// Automatically reboot *WITHOUT CONFIRMATION* +// if the file /var/run/reboot-required is found after the upgrade +Unattended-Upgrade::Automatic-Reboot "<%= @_auto['reboot'].to_s %>"; + +// If automatic reboot is enabled and needed, reboot at the specific +// time instead of immediately +// Default: "now" +Unattended-Upgrade::Automatic-Reboot-Time "<%= @_auto['reboot_time'].to_s %>"; + +<%- unless @dl_limit.nil? -%> +// Use apt bandwidth limit feature, this example limits the download +// speed to 70kb/sec +Acquire::http::Dl-Limit "<%= @dl_limit %>"; +<%- end -%> diff --git a/code/environments/production/modules/unattended_upgrades/types/age.pp b/code/environments/production/modules/unattended_upgrades/types/age.pp new file mode 100644 index 0000000..d6cdc2f --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/types/age.pp @@ -0,0 +1,6 @@ +type Unattended_upgrades::Age = Struct[ + { + Optional['min'] => Integer[0], + Optional['max'] => Integer[0], + } +] diff --git a/code/environments/production/modules/unattended_upgrades/types/auto.pp b/code/environments/production/modules/unattended_upgrades/types/auto.pp new file mode 100644 index 0000000..bc3a896 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/types/auto.pp 
@@ -0,0 +1,9 @@ +type Unattended_upgrades::Auto = Struct[ + { + Optional['clean'] => Integer[0], + Optional['fix_interrupted_dpkg'] => Boolean, + Optional['reboot'] => Boolean, + Optional['reboot_time'] => String, + Optional['remove'] => Boolean, + } +] diff --git a/code/environments/production/modules/unattended_upgrades/types/backup.pp b/code/environments/production/modules/unattended_upgrades/types/backup.pp new file mode 100644 index 0000000..e0206cc --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/types/backup.pp @@ -0,0 +1,6 @@ +type Unattended_upgrades::Backup = Struct[ + { + Optional['archive_interval'] => Integer[0], + Optional['level'] => Integer[0], + } +] diff --git a/code/environments/production/modules/unattended_upgrades/types/mail.pp b/code/environments/production/modules/unattended_upgrades/types/mail.pp new file mode 100644 index 0000000..329d515 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/types/mail.pp @@ -0,0 +1,6 @@ +type Unattended_upgrades::Mail = Struct[ + { + Optional['only_on_error'] => Boolean, + Optional['to'] => String, + } +] diff --git a/code/environments/production/modules/unattended_upgrades/types/options.pp b/code/environments/production/modules/unattended_upgrades/types/options.pp new file mode 100644 index 0000000..a0e9150 --- /dev/null +++ b/code/environments/production/modules/unattended_upgrades/types/options.pp @@ -0,0 +1,8 @@ +type Unattended_upgrades::Options = Struct[ + { + Optional['force_confdef'] => Boolean, + Optional['force_confold'] => Boolean, + Optional['force_confnew'] => Boolean, + Optional['force_confmiss'] => Boolean, + } +] diff --git a/code/environments/production/modules/unattended_upgrades/types/upgradeable_packages.pp b/code/environments/production/modules/unattended_upgrades/types/upgradeable_packages.pp new file mode 100644 index 0000000..ce41a94 --- /dev/null 
+++ b/code/environments/production/modules/unattended_upgrades/types/upgradeable_packages.pp @@ -0,0 +1,6 @@ +type Unattended_upgrades::Upgradeable_packages = Struct[ + { + Optional['download_only'] => Integer[0], + Optional['debdelta'] => Integer[0], + } +] |
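Review bot: in templates/periodic.erb, only `@random_sleep` is wrapped in a nil guard; every lookup such as `<%= @_backup['archive_interval'] %>`, `<%= @_age['max'] %>` and `<%= @_upgradeable_packages['download_only'] %>` is rendered unconditionally, although the matching Struct types declare all of these keys Optional. If the manifest (not visible in this part of the patch) does not merge a full set of defaults into `@_backup`, `@_age`, `@_auto` and `@_upgradeable_packages`, a caller who passes a partial hash gets a line like `APT::Periodic::BackupLevel "";` instead of a number. Either guard each optional key the way `@random_sleep` is guarded, or document next to the template that the underscore-prefixed hashes are always fully populated. Minor: "Usefull" in the MinAge comment should be "Useful".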
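Review bot: in templates/unattended-upgrades.erb, `"<%= origin %>";`, `"<%= package %>";`, `"<%= @_mail['to'] %>"` and `"<%= @sender %>"` write caller-supplied strings into double-quoted apt configuration values with no escaping or validation visible here, so a value containing `"` ends the string early and whatever follows is parsed as further apt configuration in a file that root's apt job reads. Since these usually come from Hiera, I would reject a double quote and newline at the parameter level (for `to`, a Pattern in types/mail.pp rather than plain String) instead of trusting the data source. Separately, the comment above `Acquire::http::Dl-Limit` says "this example limits the download speed to 70kb/sec" while the value is `<%= @dl_limit %>`; reword it to describe the unit rather than a fixed figure. Minor: "shuting down" should be "shutting down".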
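Review bot: in types/auto.pp, `Optional['reboot_time'] => String` accepts any string, yet the value feeds `Unattended-Upgrade::Automatic-Reboot-Time`, which the template describes as a specific time with default "now" and which controls a reboot done "*WITHOUT CONFIRMATION*". A typo in Hiera would only surface at reboot time on the node. Suggest constraining it to the forms the template documents, for example a Pattern that allows `now` or an HH:MM time, so a bad value fails at catalog compilation.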
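Review bot: in types/backup.pp, `Optional['level'] => Integer[0]` allows 1, but the comment rendered by periodic.erb for `APT::Periodic::BackupLevel` states "(0=disable), 1 is invalid". The type should encode that, for example `Variant[Integer[0, 0], Integer[2]]`, so the invalid value is rejected by the type system rather than written to the node.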
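Review bot: in types/options.pp, `force_confold` and `force_confnew` are independent Booleans, so the Struct accepts a hash that sets both to true even though they ask dpkg for opposite handling of changed conffiles. The type alone cannot express mutual exclusion, so please add a check where the options are consumed (or a comment here pointing to it) that fails when both are set, and document which one wins if the module chooses to tolerate it.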