Unattended upgrades cherry-pick chef-osrf/pull/212 (#132)

Signed-off-by: Crola1702 <[email protected]>
ros-infrastructure · Oct 11, 2023 · 7ecc981 · 7ecc981
1 parent c90397e
commit 7ecc981
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 0 deletions.
diff --git a/attributes/agent.rb b/attributes/agent.rb
@@ -29,3 +29,6 @@
 # The set of Jenkins labels that will be applied to agents created with this recipe.
 # The example build farm configurations assume that the 'buildagent' label is the default for building sourcedeb and binarydeb packages. Other labels may be used to control where other jobs run.
 default['ros_buildfarm']['agent']['labels'] = %w(buildagent)
+
+# Prevents docker and containerd from getting updates and restarting mid build. See https://github.com/ros2/ci/issues/702
+default['ros_buildfarm']['unattended_upgrades']['package_blacklist'] = %w[docker.io containerd]
diff --git a/files/default/apt-daily-upgrade.timer.override b/files/default/apt-daily-upgrade.timer.override
@@ -0,0 +1,4 @@
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* 01:00
+RandomizedDelaySec=30m
diff --git a/recipes/agent.rb b/recipes/agent.rb
@@ -1,6 +1,29 @@
 apt_update
 package 'docker.io'
 
+# Create a directory for the apt-daily-upgrade.timer.d override (doesn't exist by default)
+directory '/etc/systemd/system/apt-daily-upgrade.timer.d' do
+  recursive true
+end
+
+# Moves the unattended daily upgrades to 1am
+cookbook_file '/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf' do
+  source 'apt-daily-upgrade.timer.override'
+  notifies :reload_or_try_restart, 'systemd_unit[apt-daily-upgrade.timer]', :delayed
+end
+
+systemd_unit 'apt-daily-upgrade.timer' do
+  action :nothing
+end
+
+template '/etc/apt/apt.conf.d/50unattended-upgrades' do
+  source '50unattended-upgrades.erb'
+  variables(
+    blacklist: node['ros_buildfarm']['unattended_upgrades']['package_blacklist']
+  )
+
+end
+
 # Add a containerd service override to work around
 # https://bugs.launchpad.net/ubuntu/+source/unattended-upgrades/+bug/1870876?comments=all
 directory '/etc/systemd/system/containerd.service.d' do

diff --git a/templates/default/50unattended-upgrades.erb b/templates/default/50unattended-upgrades.erb
@@ -0,0 +1,19 @@
+Unattended-Upgrade::Allowed-Origins {
+        "${distro_id}:${distro_codename}";
+        "${distro_id}:${distro_codename}-security";
+        // Extended Security Maintenance; doesn't necessarily exist for
+        // every release and this system may not have it installed, but if
+        // available, the policy for updates is such that unattended-upgrades
+        // should also install from here by default.
+        "${distro_id}ESMApps:${distro_codename}-apps-security";
+        "${distro_id}ESM:${distro_codename}-infra-security";
+        //	"${distro_id}:${distro_codename}-updates";
+        //	"${distro_id}:${distro_codename}-proposed";
+        //	"${distro_id}:${distro_codename}-backports";
+};
+
+Unattended-Upgrade::Package-Blacklist {
+        <% @blacklist.each do |pkg| %>
+          "<%= pkg %>";
+        <% end %>
+};