Enables a number of measures to ensure the workspace receives security updates. See the Playbook docs for background.
Ubuntu operating system.
Unattended security updates are enabled by default on Ubuntu. However, on cloud VMs, this feature can cause issues with a dpkg lock conflict during provisioning. It is therefore currently disabled on SURF Research Cloud. This role works around this issue by providing the following features:
- Install the latest security updates at execution-time.
- Achieved by installing the
unattended-upgrades
package and runningunattended-upgrades
at execution time.
- Start checking for and auto-installing new security updates after a certain time.
The periodic updates are enabled via a bootstrapping systemd timer: upgrade-bootstrap.timer
. This timer ensures that there is a delay (see Variables below) between the time the system boots, and the time the system starts checking for security updates. Without this delay, a security update might theoretically be triggered while Ansible is still working on executing components, which would lead to a dpkg conflict. upgrade-bootstrap.timer
calls the upgrade-bootstrap
service, which itself enables the standard Ubuntu unattended upgrade timers: apt-daily.timer
and apt-daily-upgrade.timer
. The bootstrap service also uninstalls itself, after the unattended upgrade timers have been activated.
The update-bootstrap.timer
utilizes the systemd
Persistent=true
property to ensure that if a user stops the system before the set delay time, the timer is still triggered next time the system start.
The Ubuntu apt-daily
and apt-daily-upgrade
timers use the same mechanism, so if an update is scheduled at a time when the system is down, it will be scheduled when the system is next started up. Note that there is a random delay between 0 and 60 minutes after boot before these timers are triggered. So theoretically, starting a workspace for a short time (<60 minutes) and then restarting it again can mean that security updates are never triggered. As of Nov 2023, there is not way around this, save disabling the RandomizedDelaySec
property of these timers. However, this is suboptimal: the random delay is in place to ensure that machines don't all connect to Ubuntu's apt repository simultaneously. systemd
currently does not allow executing a timer immediately after boot only when a run was missed due to downtime, but with a random delay in all other cases.
security_updates_firstrun
: Boolean (default:true
). Whether to install available updates when the component is executed.security_updates_periodic
: Boolean (default:true
). Whether to enable periodic unattended upgrades.security_updates_delay_time
: Integer (default:30
). How many minutes after boot should periodic unattended upgrades be enabled?
2023 Written by Dawa Ometto (Utrecht University)