Ensure unattended-upgrades reboots the hosts nightly

Unattended upgrades will reboot the system if and only if the dependency that is being updated requires a reboot. However, SecureDrop relies on cron-apt's reboot to ensure the memory is regularly cleared from the system. In order to reboot on a daily basis, we drop the updates-required flag in /var/run to tell unattended-upgrades that the system should be rebooted at the scheduled time. The absence of update-notifier-common package will make daily reboots silently fail, so adding explicitly to the apt package install step to ensure it's installed as it's not pulled in the Depends field of unattended-upgrades.
freedomofpress · Jan 21, 2021 · 37cf001 · 37cf001
1 parent 79de2a4
commit 37cf001
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 3 deletions.
diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -1,9 +1,12 @@
 ---
-- name: Install unattended-upgrades package.
+- name: Install unattended-upgrades package and update-notifier-common
   apt:
-    name: unattended-upgrades
-    state: latest
+    name: "{{ item }}"
+    state: present
     update_cache: yes
+  with_items:
+    - unattended-upgrades
+    - update-notifier-common
   tags:
     - apt
     - unattended-upgrades
@@ -29,3 +32,12 @@
   tags:
     - apt
     - unattended-upgrades
+
+- name: Add cron job to indicate to unattended-upgrades that a reboot is required.
+  cron:
+    name: Indicate that a reboot is required at the scheduled time.
+    job: "touch /var/run/reboot-required"
+    hour: "*/12"
+  tags:
+    - cron
+    - unatted-upgrades
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
@@ -237,6 +237,20 @@ def test_unattended_upgrades_functional(host):
         assert expected_result in c.stdout
 
 
+def test_reboot_required_cron(host):
+    """
+    Unatteded-upgrades does not reboot the system if the updates don't require it.
+    However, we use daily reboots for SecureDrop to ensure memory is cleared periodically.
+    Here, we ensure that reboot-required flag is dropped twice daily to ensure the system
+    is rebooted every day at the scheduled time.
+    """
+    if host.system_info.codename != "xenial":
+        with host.sudo():
+            cronlist = host.run("crontab -l").stdout
+            cronjob = "* */12 * * * touch /var/run/reboot-required"
+            assert cronjob in cronlist
+
+
 def test_all_packages_updated(host):
     """
     Ensure a safe-upgrade has already been run, by checking that no