Initial Chef repository

Greg Karékinian
2015-07-21 19:45:23 +02:00
parent 7e5401fc71
commit ee4079fa85
1151 changed files with 185163 additions and 0 deletions

@@ -0,0 +1,22 @@
unattended-upgrades
===================
v0.1.2 (2014-07-01)
-------------------
Fixes
* Fixed missing auto-upgrades.conf, preventing cron triggering these upgrades
Changes
* no longer installs mailutils - a warning will be emitted if a mailer can't be detected instead
Features
* Now with unit and integration tests
v0.1.0 (2014-05-08)
-------------------
- First officially published release. Ubuntu support tested on 12.04

@@ -0,0 +1,95 @@
# unattended-upgrades cookbook
This cookbook configures the unattended-upgrades package which performs automatic package updates on debian systems.
Build status:
[![Build Status](https://travis-ci.org/jeremyolliver/cookbook-unattended-upgrades.png?branch=master)](https://travis-ci.org/jeremyolliver/cookbook-unattended-upgrades)
CI automatically runs linting and unit tests. You may also run more thorough integration tests via Vagrant as well. See below for details on how to do that.
# Requirements
Debian or Ubuntu Operating System and the `apt` cookbook
# Usage
Simply include the cookbook "unattended-upgrades". Common config that you may want to change:
`node['unattended-upgrades']['admin_email']` Defaults to `'root@localhost'` Set to nil to disable email notification, or any other external email
`node['unattended-upgrades']['allowed_origins']`
Default value (at default precedence) is:
{
'security' => true,
'updates' => false,
'proposed' => false,
'backports' => false
}
You can change this to enable non-critical updates by setting in a role or environment:
"default_attributes": {
"unattended-upgrades": {
"allowed_origins": {
"updates": true
}
}
}
Please note that if you set your own changes at an `override` precedence, then the two hashes will not be merged together, and the full list should be specified again. e.g. alternately:
"override_attributes": {
"unattended-upgrades": {
"allowed_origins": {
"security": true,
"updates": true,
"proposed": false,
"backports": false
}
}
}
TODO: Third party PPA's are not yet supported in the allowed origins section
`node['unattended-upgrades']['mail_only_on_error']` Set this to `true` if you want to skip mails for successful updates, however it can be helpful for troubleshooting to have a record of when packages were updated if you need to correlate when an error started occurring with the time packages were updated.
`node['unattended-upgrades']['minimal_steps']` Set this to `true` if you expect to be able to reboot the server with minimal interruption and the updates might be running at the time. With this left on the default value of false, the server will wait for all updates to complete before shutting down. See the full attributes list and the comments in the template file for more information. This cookbook has strived to provide configurable attributes for as many options as possible to allow maximum flexibility.
# Attributes
* `['unattended-upgrades']['admin_email']`
* `['unattended-upgrades']['package_blacklist']`
* `['unattended-upgrades']['autofix_dpkg']`
* `['unattended-upgrades']['minimal_steps']`
* `['unattended-upgrades']['install_on_shutdown']`
* `['unattended-upgrades']['mail_only_on_error']`
* `['unattended-upgrades']['remove_unused_dependencies']`
* `['unattended-upgrades']['automatic_reboot']`
* `['unattended-upgrades']['download_limit']`
* `['unattended_upgrades']['update_package_lists_interval']`
* `['unattended_upgrades']['upgrade_interval']`
* `['unattended_upgrades']['download_upgradeable_interval']`
* `['unattended_upgrades']['autoclean_interval']`
# Recipes
`unattended-upgrades::default`
# Cookbook Development
Running the tests for this cookbook involves:
Requires:
* ruby 1.9.2+
* bundler (`gem install bundler` and `bundle install`)
* Vagrant 1.2+ (and Virtualbox)
* `vagrant plugin install vagrant-berkshelf`
Run the lint tests via: `bundle exec rake style`. Run the full integration tests via: `bundle exec kitchen converge all` and `bundle exec kitchen verify all`. To remove the VM's `bundle exec kitchen destroy all`
# Author
Author:: Jeremy Olliver (<jeremy.olliver@gmail.com>)
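Review bot: The last four entries of the Attributes list use `['unattended_upgrades']` with an underscore (`update_package_lists_interval`, `upgrade_interval`, `download_upgradeable_interval`, `autoclean_interval`), while the attributes file and the recipe read `['unattended-upgrades']` with a hyphen. Anyone copying these keys into a role sets attributes the recipe never reads, so the update schedule they intended does not take effect. Suggest changing the four entries to the hyphenated form, and adding `allowed_origins` and `apt_recipe`, which exist in the attributes file but are missing from the list.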

@@ -0,0 +1,24 @@
default['unattended-upgrades']['admin_email'] = 'root@localhost' # Set to nil to disable, or override to another value
default['unattended-upgrades']['package_blacklist'] = []
default['unattended-upgrades']['autofix_dpkg'] = true # Strongly advised not to change
default['unattended-upgrades']['minimal_steps'] = false # Set to true to split upgrade into steps making it easier to interrupt
default['unattended-upgrades']['install_on_shutdown'] = false
default['unattended-upgrades']['mail_only_on_error'] = false
default['unattended-upgrades']['remove_unused_dependencies'] = false
default['unattended-upgrades']['automatic_reboot'] = false
default['unattended-upgrades']['download_limit'] = nil # Set to Integer representing kb/sec limit
default['unattended-upgrades']['allowed_origins'] = {
'security' => true,
'updates' => false,
'proposed' => false,
'backports' => false
}
default['unattended-upgrades']['apt_recipe'] = 'default'
# interval settings in days
default['unattended-upgrades']['update_package_lists_interval'] = 1
default['unattended-upgrades']['upgrade_interval'] = 1 # In order for unattended upgrades to run at all, this must be set to an integer greater than or equal to 1
default['unattended-upgrades']['download_upgradeable_interval'] = nil
default['unattended-upgrades']['autoclean_interval'] = nil
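Review bot: The comment on `upgrade_interval` states that the value must be an integer greater than or equal to 1 for unattended upgrades to run at all, but nothing in this file or in the recipe enforces it, so an override of nil or 0 switches off automatic security patching without any signal in the Chef run. Suggest checking the value in the recipe and logging a warning, or failing the run, when it is not a positive integer. `apt_recipe` is also the only non-obvious attribute here without an inline comment.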

@@ -0,0 +1,45 @@
require File.expand_path('../support/helpers', __FILE__)
describe_recipe 'unattended-upgrades::default' do
include Helpers::Unattended_upgrades
describe 'packages' do
it 'installs unattended-upgrades' do
package("unattended-upgrades").must_be_installed
end
end
describe 'files' do
let(:config) { file("/etc/apt/apt.conf.d/50unattended-upgrades") }
let(:autoconfig) { file("/etc/apt/apt.conf.d/20auto-upgrades") }
it 'should have correct file permissions' do
config.must_have(:mode, "644")
autoconfig.must_have(:mode, "644")
end
it 'should have correct owner' do
config.must_have(:owner, "root")
autoconfig.must_have(:owner, "root")
end
it 'should have correct group' do
config.must_have(:group, "root")
autoconfig.must_have(:group, "root")
end
it 'should contain the correct config' do
config.must_include "Unattended-Upgrade::Mail \"#{node['unattended-upgrades']['admin_email']}\";"
end
it 'should contain the security updates origin' do
# Although this test may fail on a setup with minitest-handler running on a live server - security updates really shouldn't be turned off
config.must_include '"${distro_id}:${distro_codename}-security";'
end
it 'should run unattended upgrades according to the schedule' do
# Test might fail if unattended upgrades is disabled via run interval setting - but why run this test if the software is turned off?
autoconfig.must_include "APT::Periodic::Unattended-Upgrade \"#{node['unattended-upgrades']['upgrade_interval']}\";"
end
end
end
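Review bot: The 'should contain the security updates origin' check cannot fail when the security origin is switched off. The template writes a disabled origin as the same quoted string prefixed with `//`, so the text `"${distro_id}:${distro_codename}-security";` is present in the rendered file either way, assuming `must_include` is a plain content match. Suggest matching the whole line with an anchored pattern that rejects a leading `//`, so the test guards the setting its own comment says should never be turned off. As a style point, `Helpers::Unattended_upgrades` would conventionally be named `Helpers::UnattendedUpgrades`.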

@@ -0,0 +1,9 @@
require 'minitest/spec'
module Helpers
module Unattended_upgrades
include MiniTest::Chef::Assertions
include MiniTest::Chef::Context
include MiniTest::Chef::Resources
end
end

@@ -0,0 +1,32 @@
{
"name": "unattended-upgrades",
"version": "0.1.2",
"description": "Installs/Configures unattended-upgrades",
"long_description": "# unattended-upgrades cookbook\n\nThis cookbook configures the unattended-upgrades package which performs automatic package updates on debian systems.\n\nBuild status:\n\n[![Build Status](https://travis-ci.org/jeremyolliver/cookbook-unattended-upgrades.png?branch=master)](https://travis-ci.org/jeremyolliver/cookbook-unattended-upgrades)\n\nCI automatically runs linting and unit tests. You may also run more thorough integration tests via Vagrant as well. See below for details on how to do that.\n\n# Requirements\n\nDebian or Ubuntu Operating System and the `apt` cookbook\n\n# Usage\n\nSimply include the cookbook \"unattended-upgrades\". Common config that you may want to change:\n\n`node['unattended-upgrades']['admin_email']` Defaults to `'root@localhost'` Set to nil to disable email notification, or any other external email\n\n`node['unattended-upgrades']['allowed_origins']`\n\nDefault value (at default precedence) is:\n\n {\n 'security' => true,\n 'updates' => false,\n 'proposed' => false,\n 'backports' => false\n }\n\nYou can change this to enable non-critical updates by setting in a role or environment:\n\n \"default_attributes\": {\n \"unattended-upgrades\": {\n \"allowed_origins\": {\n \"updates\": true\n }\n }\n }\n\nPlease note that if you set your own changes at an `override` precedence, then the two hashes will not be merged together, and the full list should be specified again. e.g. 
alternately:\n\n \"override_attributes\": {\n \"unattended-upgrades\": {\n \"allowed_origins\": {\n \"security\": true,\n \"updates\": true,\n \"proposed\": false,\n \"backports\": false\n }\n }\n }\n\nTODO: Third party PPA's are not yet supported in the allowed origins section\n\n`node['unattended-upgrades']['mail_only_on_error']` Set this to `true` if you want to skip mails for successful updates, however it can be helpful for troubleshooting to have a record of when packages were updated if you need to correlate when an error started occurring with the time packages were updated.\n\n`node['unattended-upgrades']['minimal_steps']` Set this to `true` if you expect to be able to reboot the server with minimal interruption and the updates might be running at the time. With this left on the default value of false, the server will wait for all updates to complete before shutting down. See the full attributes list and the comments in the template file for more information. This cookbook has strived to provide configurable attributes for as many options as possible to allow maximum flexibility.\n\n# Attributes\n\n* `['unattended-upgrades']['admin_email']`\n* `['unattended-upgrades']['package_blacklist']`\n* `['unattended-upgrades']['autofix_dpkg']`\n* `['unattended-upgrades']['minimal_steps']`\n* `['unattended-upgrades']['install_on_shutdown']`\n* `['unattended-upgrades']['mail_only_on_error']`\n* `['unattended-upgrades']['remove_unused_dependencies']`\n* `['unattended-upgrades']['automatic_reboot']`\n* `['unattended-upgrades']['download_limit']`\n* `['unattended_upgrades']['update_package_lists_interval']`\n* `['unattended_upgrades']['upgrade_interval']`\n* `['unattended_upgrades']['download_upgradeable_interval']`\n* `['unattended_upgrades']['autoclean_interval']`\n\n# Recipes\n\n`unattended-upgrades::default`\n\n# Cookbook Development\n\nRunning the tests for this cookbook involves:\n\nRequires:\n* ruby 1.9.2+\n* bundler (`gem install bundler` and `bundle install`)\n* 
Vagrant 1.2+ (and Virtualbox)\n* `vagrant plugin install vagrant-berkshelf`\n\nRun the lint tests via: `bundle exec rake style`. Run the full integration tests via: `bundle exec kitchen converge all` and `bundle exec kitchen verify all`. To remove the VM's `bundle exec kitchen destroy all`\n\n# Author\n\nAuthor:: Jeremy Olliver (<jeremy.olliver@gmail.com>)\n",
"maintainer": "Jeremy Olliver",
"maintainer_email": "jeremy.olliver@gmail.com",
"license": "Apache 2.0",
"platforms": {
"ubuntu": ">= 0.0.0"
},
"dependencies": {
"apt": ">= 0.0.0"
},
"recommendations": {
},
"suggestions": {
},
"conflicting": {
},
"providing": {
"unattended-upgrades::default": ">= 0.0.0"
},
"replacing": {
},
"attributes": {
},
"groupings": {
},
"recipes": {
}
}

@@ -0,0 +1,14 @@
name "unattended-upgrades"
maintainer "Jeremy Olliver"
maintainer_email "jeremy.olliver@gmail.com"
license "Apache 2.0"
description "Installs/Configures unattended-upgrades"
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version "0.1.2"
# supports "debian" # Untested
supports "ubuntu"
depends "apt"
provides "unattended-upgrades::default"
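Review bot: `depends "apt"` carries no version constraint, and the recipe includes `apt::#{node['unattended-upgrades']['apt_recipe']}`, so whichever apt cookbook version the dependency resolver selects runs as root on every node that uses this cookbook. Suggest a pessimistic constraint against the version this cookbook was tested with, for example `depends "apt", "~> <tested version>"`. The commented-out `supports "debian"` line also disagrees with the README, which lists Debian as a supported platform; either test it or say in the README that it is untested.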

@@ -0,0 +1,63 @@
#
# Cookbook Name:: unattended-upgrades
# Recipe:: default
#
# Copyright (C) 2013 Jeremy Olliver
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# include apt::default (or an alternate apt recipe)
include_recipe "apt::#{node['unattended-upgrades']['apt_recipe']}"
package 'unattended-upgrades'
# Stock systems should already have a compatible mail delivery mechanism (e.g. mailx binary) installed - warn if one is not detected
ruby_block 'warn-on-missing-mailer' do
block do
Chef::Log.warn("No mail package detected. If you want to be able to mail the output of unattended-upgrades, you should a package provides the `mailx` such as 'mailutils' or 'heirloom-mailx'")
end
not_if 'which mailx'
end
template '/etc/apt/apt.conf.d/50unattended-upgrades' do
source 'unattended-upgrades.conf.erb'
owner 'root'
group 'root'
mode '0644'
variables(
:allowed_origins => node['unattended-upgrades']['allowed_origins'],
:package_blacklist => node['unattended-upgrades']['package_blacklist'],
:autofix_dpkg => node['unattended-upgrades']['autofix_dpkg'],
:minimal_steps => node['unattended-upgrades']['minimal_steps'],
:install_on_shutdown => node['unattended-upgrades']['install_on_shutdown'],
:admin_email => node['unattended-upgrades']['admin_email'],
:mail_only_on_error => node['unattended-upgrades']['mail_only_on_error'],
:remove_unused_dependencies => node['unattended-upgrades']['remove_unused_dependencies'],
:automatic_reboot => node['unattended-upgrades']['automatic_reboot'],
:download_limit => node['unattended-upgrades']['download_limit']
)
end
template '/etc/apt/apt.conf.d/20auto-upgrades' do
source 'auto-upgrades.conf.erb'
owner 'root'
group 'root'
mode '0644'
variables(
:update_package_lists_interval => node['unattended-upgrades']['update_package_lists_interval'],
:upgrade_interval => node['unattended-upgrades']['upgrade_interval'],
:download_upgradeable_interval => node['unattended-upgrades']['download_upgradeable_interval'],
:autoclean_interval => node['unattended-upgrades']['autoclean_interval'],
)
end
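Review bot: The `warn-on-missing-mailer` block is guarded only by `not_if 'which mailx'`, so it also fires on nodes where `admin_email` is nil and mail has been deliberately disabled. Suggest adding a guard on `node['unattended-upgrades']['admin_email']` so the warning appears only when mail delivery is expected. The message text is missing a verb ("you should a package provides the `mailx`"), and the second `variables(` call ends with a trailing comma before the closing parenthesis, unlike the first.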

@@ -0,0 +1,4 @@
<% if @update_package_lists_interval -%>APT::Periodic::Update-Package-Lists "<%= @update_package_lists_interval %>";<% end -%>
<% if @upgrade_interval -%>APT::Periodic::Unattended-Upgrade "<%= @upgrade_interval %>";<% end -%>
<% if @download_upgradeable_interval -%>APT::Periodic::Download-Upgradeable-Packages "<%= @download_upgradeable_interval %>";<% end -%>
<% if @autoclean_interval -%>APT::Periodic::AutocleanInterval "<%= @autoclean_interval%>";<% end -%>
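Review bot: Each directive is wrapped in an `if`, so a nil interval drops the directive from the file instead of writing an explicit `"0"`, and the effective value is then left to any other file under apt.conf.d. For `APT::Periodic::Unattended-Upgrade` that makes it hard to tell from this file alone whether upgrades are on. Suggest always writing the directive, rendering `"0"` when the attribute is nil. This template also lacks the "File configured by chef - don't edit manually" header that `unattended-upgrades.conf.erb` has, and `<%= @autoclean_interval%>` is missing the space before `%>` used on the other lines.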

@@ -0,0 +1,67 @@
// File configured by chef - don't edit manually
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
<% @allowed_origins.each do |origin, enabled| %>
<%= '//' unless enabled %> "${distro_id}:${distro_codename}-<%= origin %>";
<% end %>
};
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
<% @package_blacklist.each do |pkg| %>
"<%= pkg %>";
<% end %>
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
Unattended-Upgrade::AutoFixInterruptedDpkg "<%= @autofix_dpkg %>";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::MinimalSteps "<%= @minimal_steps %>";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
Unattended-Upgrade::InstallOnShutdown "<%= @install_on_shutdown %>";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed.
//Unattended-Upgrade::Mail "root@localhost";
<% if @admin_email %>Unattended-Upgrade::Mail "<%= @admin_email %>";<% end %>
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::MailOnlyOnError "<%= @mail_only_on_error %>";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Remove-Unused-Dependencies "<%= @remove_unused_dependencies %>";
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot "<%= @automatic_reboot %>";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
<% if @download_limit %>Acquire::http::Dl-Limit "<%= @download_limit %>";<% end %>
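Review bot: Attribute values are interpolated directly into quoted APT configuration strings with no validation, at `"<%= pkg %>";`, `Unattended-Upgrade::Mail "<%= @admin_email %>";` and the origin key inside Allowed-Origins. A value containing a double quote or a semicolon would leave apt with a malformed file or with directives nobody intended, in the one file that controls automatic patching. Suggest validating package names, origin names and the email address in the recipe before rendering. The boolean settings also render as `"true"` or `"false"` only while the attributes are real booleans; a nil override renders as an empty string, so coercing them before they reach the template would be safer.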