Configures apt timers via Ansible

Builds on the work by @rmol in #5853. Slots in overrides to the apt-daily{,-upgrade} timers, shipped with the 'apt' package, to provide fine-grained control over the update and reboot times. Ensures that the apt lists are updated approximately 1h prior to the package upgrade. Lowered the time-fuzzing to 20m on each action, so that even at the extremes, there's still a 20m window for an apt update to complete. Uses a modulus to determine the sooner update time. (cherry picked from commit 34fdc7a)
freedomofpress · Mar 9, 2021 · 20996b5 · 20996b5
1 parent 2d1960a
commit 20996b5
Show file tree

Hide file tree

Showing 8 changed files with 40 additions and 9 deletions.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -53,3 +53,11 @@ unused_packages:
   - wireless-tools
   - wpasupplicant
   - snapd
+
+# Template declaration for setting the upgrade time to a predictable time,
+# matching the 'daily_reboot_time' time via sdconfig.
+unattended_upgrades_timer_overrides:
+  - src: apt-daily-timer-override.j2
+    dest: /etc/systemd/system/apt-daily.timer.d/override.conf
+  - src: apt-daily-upgrade-timer-override.j2
+    dest: /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
diff --git a/install_files/ansible-base/roles/common/handlers/main.yml b/install_files/ansible-base/roles/common/handlers/main.yml
@@ -10,3 +10,7 @@
 - name: update apt cache
   apt:
     update_cache: yes
+
+- name: systemd daemon-reload
+  systemd:
+    daemon_reload: yes
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -27,6 +27,7 @@
   when:
     - ansible_distribution_release == "focal"
   tags:
+    - ua
     - reboot
 
 - include: remove_unused_packages.yml

diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -2,6 +2,24 @@
 # Configuration for unattended upgrades is almost exclusively managed by the
 # securedrop-config package under Focal.
 
+- name: Create override dirs for apt-daily timers
+  file:
+    state: directory
+    mode: "0755"
+    path: "{{ item.dest|dirname }}"
+  with_items: "{{ unattended_upgrades_timer_overrides }}"
+
+- name: Add overrides for apt-daily timers
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "0644"
+  notify: systemd daemon-reload
+  with_items: "{{ unattended_upgrades_timer_overrides }}"
+
+  # Ensure daemon-reload has happened before starting/enabling
+- meta: flush_handlers
+
 - name: Ensure apt-daily and apt-daily-upgrade services are unmasked, started and enabled.
   systemd:
     name: "{{ item }}"

diff --git a/install_files/ansible-base/roles/common/templates/apt-daily-timer-override.j2 b/install_files/ansible-base/roles/common/templates/apt-daily-timer-override.j2
@@ -0,0 +1,5 @@
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* {{ (daily_reboot_time|int - 1) % 24 }}:00
+RandomizedDelaySec=20m
+Persistent=true
diff --git a/install_files/ansible-base/roles/common/templates/apt-daily-upgrade-timer-override.j2 b/install_files/ansible-base/roles/common/templates/apt-daily-upgrade-timer-override.j2
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* {{ daily_reboot_time }}:00
+RandomizedDelaySec=20m
diff --git a/..._files/securedrop-config-focal/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf b/..._files/securedrop-config-focal/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
diff --git a/install_files/securedrop-config-focal/etc/systemd/system/apt-daily.timer.d/override.conf b/install_files/securedrop-config-focal/etc/systemd/system/apt-daily.timer.d/override.conf
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,6 +27,7 @@ @@
       when:
         - ansible_distribution_release == "focal"
       tags:
+        - ua
         - reboot
     - include: remove_unused_packages.yml
@@ Expand Down @@