Closed jnv closed 2 years ago
I am willing to create a PR which merges all apt configuration(s) into a new file/template called 90-ansible-unattended-upgrades
.
Let me know, if this is what you want.
@veger Thanks, that would definitely help! However, I would like to create some proper tests first, perhaps to catch regressions: #29.
Seems a good idea to do that first, let me know when you are ready to implement this issue
@veger Looks like tests are in place now. I think you can create a PR. If you're no longer interested, let us know so that someone else can do it.
This was a quick one so I just did it myself. I don't believe we need to bother unwinding changes to the default settings with code; I've handled it with documentation in a new note. Please review; it's included in my PR above.
I am not using ansible for work anymore as I changed jobs in the meantime. So no problem you did the PR yourself! :+1:
I don't know if I even have $.02 here but I'll cast a vote in the other direction -- I think modifying the standard file continues to be the least surprising behavior. If I wanted to inspect a system's unattended-upgrades configuration, I would look at 50unattended-upgrades
. It would be both unexpected and opaque to have this configuration live in two places with inheritance and overrides.
This issue is really a cosmetic problem (the message is N
for "notice") that is not unique to the ansible case. One would get the same notice from any customization to this file, including manual ones.
FWIW apt in Ubuntu ignores ucf files since 18.04: https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1645687
@dnrce It's not just cosmetic. On OS upgrades, users will be asked if they should overwrite the file or leave as-is, and won't be able to continue without input. This is a barrier to automation. While, yes, it would be nice to have all configuration in the same file (that's cosmetic, I would say), it's less important (IMHO) than having fully unattended upgrades, which I believe is the goal here.
@dnrce it's true what @colans notes that this is not just cosmetic. See my report in #68 -- the other thing is that you note:
If I wanted to inspect a system's unattended-upgrades configuration, I would look at 50unattended-upgrades.
This is also not true. The file lives in a conf.d
structure, so it would be natural to assume that all these files in /etc/apt/apt.conf.d/
are numbered for a reason and override each other according to the order that they are numbered. If this file is named 90-ansible-unattended-upgrades
as is proposed in the PR description, then it would only be very very expected and not surprising that the behavior was defined there, and as a bonus the file name would give away that some ansible role placed it there :)
Now, the question is how to handle the transition.
It's possible to prompt users during playbook runtime: https://www.reddit.com/r/ansible/comments/cgpgpt/vars_prompt_in_a_role/eul7srs/
[ edit: vars_prompt is not the solution, need pause
and prompt
https://docs.ansible.com/ansible/latest/modules/pause_module.html ]
90-ansible-unattended-upgrades
does NOT exist20auto-upgrades
and 50unattended-upgrades
.I don't know which dpkg-related command to use to restore the file. I have tried to run sudo apt install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" unattended-upgrades
on a system (16.04) with the role applied. The modified files stay put... but the ucf-dist files are there.
So maybe it's fine to just look at files and copy .ucf-dist
files back in place? They are there for a reason?
50unattended-upgrades.ucf-dist
or 20auto-upgrades.ucf-dist
exist and if 90-ansible-unattended-upgrades
does not exist.20auto-upgrades
and 50unattended-upgrades
. In this case, we just copy back the .ucf-dist
files.I am closing this issue since this role has been deprecated. Feel free to suggest alternatives in #98.
This issue has been moved to the new project @ https://github.com/hifis-net/ansible-role-unattended-upgrades/issues/10
Follow-up to #31.
Since there is apt.conf.d directory, configuration files are applied in order and the file with higher number overrides previous. Therefore we don't need to modify original files; we just generate a new file with a high number, say
90-ansible-unattended-upgrades
. Apt will happily manage defaults and no ucf-dist files will be generated.Now, the question is how to handle the transition. Ideally we want to put
20auto-upgrades
and50unattended-upgrades
files into a pristine state. Perhaps, like with10periodic
file, there can be a one-shot command to reinstall the package.