[Question] Automated security update and scheduled reboot #699

Closed
jdaln opened this issue Jul 26, 2024 · 13 comments
@jdaln
Contributor

jdaln commented Jul 26, 2024

Hello!

So far, it seems that automated security update and scheduled reboot are not part of this role, at least for Ubuntu.

Do you have any plans to add this in the future? Does it even make sense within this role from your point of view?

@konstruktoid
Owner

konstruktoid commented Jul 31, 2024

Hi @jdaln, automatic_updates: true might do what you want, see https://github.com/konstruktoid/ansible-role-hardening/blob/master/tasks/automatic_updates.yml.

Nothing wrong with adding an automatic_reboot variable (dpkg: Unattended-Upgrade::Automatic-Reboot, dnf_automatic: reboot).

Will add soonish.

@jdaln
Contributor Author

jdaln commented Aug 5, 2024

Hi @konstruktoid, thank you!
When I wrote this initially, I had a bug in my search function in VSCode. Indeed, the only missing part seems to be an automatic_reboot for it to work fully automatically so that would be much appreciated, thanks! I initially mistakenly thought that reboot_ubuntu was for this but later came to understand that it was intended to be used during the playbook run.

What led me to think that it was not handled, in addition to my broken search, is that, by default, Ubuntu unattended-upgrades did not have "${distro_id}:${distro_codename}-updates"; and there were many updates. Actually this is what I want, since I only want the security ones and reboot on kernel updates with automatic-reboots.

@konstruktoid
Owner

yeah, I should add more options to the Unattended-Upgrade (reboot, security patches etc)

@konstruktoid
Owner

I merged #709 as an initial base

@jdaln
Contributor Author

jdaln commented Aug 12, 2024

Thank you @konstruktoid !
Sorry for the silence, I've been quite busy. I'll give it a try and check with my different setups by the end of the week.

@jdaln
Contributor Author

jdaln commented Aug 16, 2024

@konstruktoid
Master branch tested yesterday and today and a few new things appeared during execution compared to the latest release:

Ansible Timeout (12s) waiting for privilege escalation prompt at some point during the playbook (cannot recall which one)

this was solved by adding

        [defaults]
        timeout = 30

to /etc/ansible/ansible.cfg

Also, here are a few things without any strong opinions:

If I am not mistaken this will take all updates:

        "${distro_id}:${distro_codename}";

Perhaps there should be a feature_flag but should it be ON or OFF by default? On Debian, I have been running servers with only

        "origin=Debian,label=Debian-Security";

for 5 years and it has been the best among all the trials for Debian. Of course, the updates will come with "${distro_id}:${distro_codename}"; but I am wondering about the stability when doing all of them. My experience with Ubuntu is still a bit limited.

Now, one last thing that could be important to have is the configurable Unattended-Upgrade::Automatic-Reboot-Time
Perhaps something similar to what https://github.com/hifis-net/ansible-collection-toolkit/tree/main/roles/unattended_upgrades does?

@jdaln
Contributor Author

jdaln commented Aug 16, 2024

I can of course open a PR but just wanting to know your opinion on the points mentioned, when you have time to look at it.

@konstruktoid
Owner

Yeah, "${distro_id}:${distro_codename}"; is an oversight on my part, and it should be removed (or an option).

Unattended-Upgrade::Automatic-Reboot-Time is indeed a good option, and in addition to the clock setting it would be nice to have a randomize option, so not all servers are rebooted at the same time (which is the risk with the current code as well).

If you want and have the time to write a PR that would be great.

@jdaln
Contributor Author

jdaln commented Aug 16, 2024

What do you see as a risk with the services restarting with the default settings? At least I have not experienced any issue with that. One risk there can be with these unattended updates might be when there is a configuration change and it wants to replace the current one. For this side, I can check on my long running server what is configured.

@konstruktoid
Owner

no, not restarting the services, but rebooting the servers.

@jdaln
Contributor Author

jdaln commented Aug 16, 2024

Got it! Since everything is a server (most services are), I mixed them up. I indeed met the problem of the simultaneous restarts on a hypervisor in the past 👍 . I'll be on this next week

@konstruktoid
Owner

Sounds awesome, thanks for your help :)

@jdaln
Contributor Author

jdaln commented Aug 28, 2024

Current result on the Debian/Ubuntu side:

        Unattended-Upgrade::Allowed-Origins {
                "${distro_id}:${distro_codename}-security";
                "${distro_id}ESMApps:${distro_codename}-apps-security";
                "${distro_id}ESM:${distro_codename}-infra-security";
        };

        Unattended-Upgrade::Package-Blacklist {
        };

        Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
        Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
        Unattended-Upgrade::Remove-Unused-Dependencies "true";

        Unattended-Upgrade::Automatic-Reboot "true";
        Unattended-Upgrade::Automatic-Reboot-Time "02:07";

@jdaln jdaln closed this as completed Sep 2, 2024