diff --git a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
index 63b2d6a40bd..94c026d7830 100644
--- a/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
+++ b/install_files/ansible-base/roles/common/tasks/unattended_upgrades.yml
@@ -1,9 +1,12 @@
 ---
-- name: Install unattended-upgrades package.
+- name: Install unattended-upgrades package and update-notifier-common
 apt:
- name: unattended-upgrades
- state: latest
+ name: "{{ item }}"
+ state: present
 update_cache: yes
+ with_items:
+ - unattended-upgrades
+ - update-notifier-common
 tags:
 - apt
 - unattended-upgrades
@@ -29,3 +32,12 @@
 tags:
 - apt
 - unattended-upgrades
+
+- name: Add cron job to indicate to unattended-upgrades that a reboot is required.
+ cron:
+ name: Indicate that a reboot is required at the scheduled time.
+ job: "touch /var/run/reboot-required"
+ hour: "*/12"
+ tags:
+ - cron
+ - unatted-upgrades
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
index b497ceea2b1..5fb7c1a2e5c 100644
--- a/molecule/testinfra/common/test_automatic_updates.py
+++ b/molecule/testinfra/common/test_automatic_updates.py
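Review bot: The install task in unattended_upgrades.yml now uses `state: present` where it used `state: latest`, and nothing in the hunk records why; on a host that already carries an older unattended-upgrades, the play will no longer bring the package that delivers security updates up to date. If the intent is that these packages are updated by unattended-upgrades itself (inferred, not shown in the diff), a comment above the task such as `# state: present - later upgrades of these packages are left to unattended-upgrades` would make that explicit. The `with_items` loop can also be dropped by giving `name:` the two package names as a list, so apt installs them in one call.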
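Review bot: The new cron task in unattended_upgrades.yml sets `hour: "*/12"` but no `minute`, and Ansible's cron module defaults `minute` to `*`, so the installed entry is `* */12 * * *` and touches /var/run/reboot-required every minute of hours 0 and 12 rather than twice a day as the test docstring describes. Adding `minute: "0"` yields `0 */12 * * *`; the expected string in test_reboot_required_cron (test_automatic_updates.py) pins the every-minute form and would have to change with it. The tag `unatted-upgrades` is misspelled, so a run limited with `--tags unattended-upgrades` skips this task; it should read `- unattended-upgrades`. The task also sets no `user:`, so the job lands in the crontab of whichever user the play runs as, which is worth stating explicitly given that the test reads the crontab under sudo.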
@@ -237,6 +237,20 @@ def test_unattended_upgrades_functional(host): assert expected_result in c.stdout +def test_reboot_required_cron(host): + """ + Unatteded-upgrades does not reboot the system if the updates don't require it. + However, we use daily reboots for SecureDrop to ensure memory is cleared periodically. + Here, we ensure that reboot-required flag is dropped twice daily to ensure the system + is rebooted every day at the scheduled time. + """ + if host.system_info.codename != "xenial": + with host.sudo(): + cronlist = host.run("crontab -l").stdout + cronjob = "* */12 * * * touch /var/run/reboot-required" + assert cronjob in cronlist + + def test_all_packages_updated(host): """ Ensure a safe-upgrade has already been run, by checking that no
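Review bot: The assertion in test_reboot_required_cron sits under `if host.system_info.codename != "xenial":`, so on xenial the test passes without checking anything, while the cron task added in unattended_upgrades.yml shows no distribution condition in this diff. If xenial is meant to be excluded, an explicit `pytest.skip("...")` stating the reason makes that visible in the test report (this assumes pytest is imported in the file, which the hunk does not show); otherwise the guard should go. `assert cronjob in cronlist` is a substring match over the whole crontab output, so it also passes on a commented-out entry or a longer line; `assert cronjob in cronlist.splitlines()` is stricter. The docstring's first word should read "Unattended-upgrades".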