disable unattended-updates

[schulze-b1]

i saw in apt logs that there are unattended-updates being installed nightly. this program comes from the pre-installed package unattended-updates. we do not want this in an enterprise environment that there are updates installed without our knowledge and action. what is the osism way to disable this on all our ubuntu hosts?

[berendt]

Run the cleanup role. The role includes a task that uninstalls the unattended-upgrades package.

https://github.com/osism/ansible-collection-commons/blob/main/roles/cleanup/tasks/packages-Debian.yml#L19-L25

[schulze-b1]

is this anywhere documented? i couldn't find anything related to the cleanup role in https://docs.osism.tech/appendix/commands.html or the docs in general.

[berendt]

The append is out of date. Run osism apply. This will print out a table of all available commands on a manager.

[fkr]

@berendt Would it make sense to document steps like these as ‘typical post-install steps’?

[berendt]

The cleanup role is already part of the bootstrap playbook:

https://github.com/osism/ansible-playbooks/blob/main/playbooks/generic/bootstrap.yml#L64

As well as the maintenance playbook:

https://github.com/osism/ansible-playbooks/blob/main/playbooks/generic/maintenance.yml#L84

Both plays are the preferred way to do the bootstrap/maintenance. Not sure if it makes sense to document post-install tasks that are already part of the standard procedure.

[fkr]

@schulze-b1 if this is ‘standard procedure’ already - what could’ve improved the situation for you to be aware of ‘this standard procedure’?

[berendt]

Stale. Please re-open if required.