jnv / ansible-role-unattended-upgrades

[DEPRECATED] Setup unattended-upgrades on Debian-based systems
https://github.com/jnv/ansible-role-unattended-upgrades/issues/98
GNU General Public License v2.0

Cron not triggering for Ubuntu 20, anyone? #90

Closed thbar closed 2 years ago

thbar commented 2 years ago

Hi!

I have been using this role with success on Ubuntu 16 LTS for a few years, and it worked just fine. Recently I re-created servers with Ubuntu 20 LTS, and it turns out the unattended-upgrades process is not started automatically anymore.

I am still investigating, but I believe the cron job is not running at all or something.

Did anyone meet a similar issue?

Even a confirmation that the role works for you on Ubuntu 20 will already be useful.

Thanks for your input!

Full configuration

I am using the role version v1.11.0 with this type of configuration:

unattended_automatic_reboot: true
unattended_remove_unused_dependencies: true
unattended_automatic_reboot_time: "18:30"

# Copied from __unattended_origins_patterns for Ubuntu
default_unattended_origins_pattern: 'origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu'

# Override to include other origins + the default one
unattended_origins_patterns:
  - '{{ default_unattended_origins_pattern }}'
  - 'origin=packagecloud.io/phusion/passenger'

The generated files are:

$ cat /etc/apt/apt.conf.d/20auto-upgrades
// Ansible managed
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";

and:

$ cat /etc/apt/apt.conf.d/50unattended-upgrades
// Ansible managed

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
Unattended-Upgrade::Origins-Pattern {
      "origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu";
      "origin=packagecloud.io/phusion/passenger";
  };

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
};

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";

// Do automatic removal of all unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "18:30";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
Unattended-Upgrade::OnlyOnACPower "False";

Thank you!

thbar commented 2 years ago

I have figured it out, and the good news is that it is not related at all to this role.

Sharing the juicy bits in case it helps someone else later.

The culprit was lying in /etc/apt/apt.conf.d/ with a file named 99ansible, taking precedence over everything else in the folder, which included things like:

APT::Periodic::Enable "0";
# SNIP
APT::Periodic::Unattended-Upgrade "0";

A call to apt-config dump could have helped to evaluate the final config and assert on it.
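
The check suggested in the last comment, as an added example that is not part of the original thread or the role: it parses `apt-config dump` output and fails when the merged configuration switches periodic upgrades off. The function names and both sample dumps are constructed for illustration, and treating an unset or "0" value as disabled (with Enable defaulting to on) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the role): assert on the merged APT
# configuration instead of on individual files in /etc/apt/apt.conf.d/.

# Print the value of one key from `apt-config dump` text read on stdin.
# Dump lines have the form:  Key "value";
periodic_value() {
    sed -n "s/^$1 \"\(.*\)\";\$/\1/p" | tail -n 1
}

# Read `apt-config dump` text on stdin; return non-zero if periodic
# unattended upgrades are switched off in the effective configuration.
# Assumption: Enable defaults to on when unset; the other two keys count
# as disabled when unset or "0".
check_periodic() {
    dump=$(cat)
    rc=0
    enable=$(printf '%s\n' "$dump" | periodic_value APT::Periodic::Enable)
    if [ "${enable:-1}" = "0" ]; then
        echo "FAIL: APT::Periodic::Enable is 0"
        rc=1
    fi
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(printf '%s\n' "$dump" | periodic_value "$key")
        if [ "${val:-0}" = "0" ]; then
            echo "FAIL: $key is ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: what the dump contains with only the role's files.
SAMPLE_ROLE_ONLY='APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";'

# Constructed sample: the same host after a later file such as 99ansible
# overrides the role's values (the snipped lines are not reproduced).
SAMPLE_OVERRIDDEN='APT::Periodic::Enable "0";
APT::Periodic::Unattended-Upgrade "0";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";'

# On a real host: apt-config dump | check_periodic
printf '%s\n' "$SAMPLE_ROLE_ONLY" | check_periodic && echo "role-only sample: OK"
printf '%s\n' "$SAMPLE_OVERRIDDEN" | check_periodic || echo "overridden sample: upgrades disabled"
```

Run as a post-provisioning step, this catches an override regardless of which file in the directory introduced it.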