
apt, bird, kernel, nginx, unattended-upgrades: update for stretch

Karsten Böddeker 6 years ago
parent
commit
8a1f8fd093

+ 1 - 1
apt/init.sls

@@ -49,7 +49,7 @@ apt-icinga2:
     - comments:
       - "# Icinga2 repo"
     - human_name: Icinga2 repo
-    - name: deb http://packages.icinga.org/debian icinga-jessie main
+    - name: deb http://packages.icinga.org/debian icinga-{{ grains.oscodename }} main
     - file: /etc/apt/sources.list.d/icinga2.list
     - key_url: http://packages.icinga.org/icinga.key
 
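Review bot: The `key_url` line at the end of this hunk still fetches the Icinga signing key over plain HTTP, so the trust anchor for the repository is not authenticated when it is first imported, and the `deb http://...` source itself is equally unencrypted. Since the commit already touches this state for stretch, consider shipping the key from the Salt fileserver the way bird/init.sls does with `salt://bird/bird_apt.key`, e.g. `- key_url: salt://apt/<icinga-key-file>` (placeholder path), or use an `https://` URL if the host serves one. The `apt-icinga2` state starts above the hunk, so any fingerprint pinning there is not visible here.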

+ 17 - 0
apt/sources.list.Debian.stretch

@@ -0,0 +1,17 @@
+#
+# /etc/apt/sources.list (Salt managed)
+#
+
+deb http://deb.debian.org/debian/ stretch main non-free contrib
+deb-src http://deb.debian.org/debian/ stretch main non-free contrib
+
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+# stretch-updates, previously known as 'volatile'
+deb http://deb.debian.org/debian/ stretch-updates main contrib non-free
+deb-src http://deb.debian.org/debian/ stretch-updates main contrib non-free
+
+# stretch-backports, previously on backports.debian.org
+deb http://deb.debian.org/debian stretch-backports main contrib non-free
+deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
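Review bot: Every source in this new file uses plain `http://`, so package integrity rests entirely on apt's Release-signature verification, and nothing in the file records that. A header line such as `# Plain HTTP on purpose: integrity comes from signed Release files; never add [trusted=yes] here` would make the assumption explicit for whoever edits it next. Separately, the component order (`main non-free contrib` on the first two lines, `main contrib non-free` elsewhere) and the trailing slash (missing on the two stretch-backports lines) are inconsistent; normalising them keeps later per-release copies of this file easy to compare.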

+ 7 - 2
bird/init.sls

@@ -8,6 +8,7 @@ include:
   - network.interfaces
 
 bird-repo:
+{% if grains.oscodename in ['jessie', 'wheezy'] %}
   pkgrepo.managed:
     - comments: "# Official bird repo"
     - human_name: Official bird repository
@@ -15,14 +16,18 @@ bird-repo:
     - dist: {{ grains['oscodename'] }}
     - file: /etc/apt/sources.list.d/bird.list
     - key_url: salt://bird/bird_apt.key
-
+{% else %}
+  file.absent:
+    - name: /etc/apt/sources.list.d/bird.list
+{% endif %}
 
 bird-pkg:
   pkg.installed:
     - name: bird
+{% if grains.oscodename in ['jessie', 'wheezy'] %}
     - require:
       - pkgrepo: bird-repo
-
+{% endif %}
 
 # Make sure both services are enabled
 bird:
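Review bot: The new `{% else %}` branch deletes `/etc/apt/sources.list.d/bird.list` but does nothing about the signing key that `key_url: salt://bird/bird_apt.key` imported on hosts upgraded from jessie or wheezy. Presumably that key stays in apt's trusted keyring, where it would remain trusted for every configured repository, not only the removed one. A cleanup state next to `file.absent` would close that gap, for example a `cmd.run` of `apt-key del <BIRD_KEY_ID>` (placeholder id) guarded by an `onlyif` that checks the key is present. The release list `['jessie', 'wheezy']` is also repeated in `bird-pkg`; a single `{% set %}` at the top of the file would keep the two conditions from drifting apart. The `bird-repo` state spans both hunks, so the lines between them are not visible here.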

+ 6 - 2
kernel/init.sls

@@ -10,7 +10,9 @@
 linux-kernel:
   pkg.latest:
     - name: linux-image-{{ version }}
-    - fromrepo: jessie-backports
+{% if grains.oscodename in ['jessie'] %}
+    - fromrepo: {{ grains.oscodename }}-backports
+{% endif %}
 
 {#
  # Install kernel headers if we might need to compile a batman_adv module on this node.
@@ -19,5 +21,7 @@ linux-kernel:
 linux-headers:
   pkg.latest:
     - name: linux-headers-{{ version }}
-    - fromrepo: jessie-backports
+{% if grains.oscodename in ['jessie'] %}
+    - fromrepo: {{ grains.oscodename }}-backports
+{% endif %}
 {% endif %}
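Review bot: `grains.oscodename in ['jessie']` is a one-element membership test, and the `{{ grains.oscodename }}-backports` inside it can only ever render `jessie-backports`, so the condition reads as more general than it is. The pattern appears in both hunks of this file and again in nginx/init.sls. Either write `== 'jessie'` with the literal repo name, or define the list once (e.g. `{% set backports_releases = ['jessie'] %}`) and reuse it in all three places. A one-line comment such as `{# stretch: no fromrepo, package comes from the regular stretch sources #}` would also record that dropping the backports pin on newer releases is intentional.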

+ 2 - 2
nginx/init.sls

@@ -7,8 +7,8 @@
 nginx:
   pkg.installed:
     - name: {{nginx_pkg}}
-{% if grains['oscodename'] == 'jessie' %}
-    - fromrepo: jessie-backports
+{% if grains.oscodename in ['jessie'] %}
+    - fromrepo: {{ grains.oscodename }}-backports
 {% endif %}
   service.running:
     - enable: TRUE

+ 72 - 0
unattended-upgrades/50unattended-upgrades.Debian.stretch

@@ -0,0 +1,72 @@
+//
+// Unattended Upgrades Configuration (Salt managed)
+//
+
+// Automatically upgrade packages from these origin patterns
+Unattended-Upgrade::Origins-Pattern {
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+        "o=Debian,n=stretch";
+        "o=Debian,n=stretch,a=stable-updates";
+        "o=Debian,n=stretch,a=proposed-updates";
+        "o=Debian,n=stretch,l=Debian-Security";
+        "o=Debian Backports,n=stretch-backports,l=Debian Backports";
+        "origin=Debian,archive=stable,label=Debian-Security";
+        "origin=Debian,archive=oldstable,label=Debian-Security";
+};
+
+// List of packages to not update
+Unattended-Upgrade::Package-Blacklist {
+	"libc6";
+	"libc6-dev";
+	"libc6-i686";
+	"bird";
+	"fastd";
+	"batman-adv-dkms";
+};
+
+// This option allows you to control if on a unclean dpkg exit
+// unattended-upgrades will automatically run 
+//   dpkg --force-confold --configure -a
+// The default is true, to ensure updates keep getting installed
+//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+//Unattended-Upgrade::MinimalSteps "true";
+
+// Install all unattended-upgrades when the machine is shuting down
+// instead of doing it in the background while the machine is running
+// This will (obviously) make shutdown slower
+//Unattended-Upgrade::InstallOnShutdown "true";
+
+// Send email to this address for problems or packages upgrades
+// If empty or unset then no email is sent, make sure that you
+// have a working mail setup on your system. A package that provides
+// 'mailx' must be installed. E.g. "user@example.com"
+Unattended-Upgrade::Mail "root";
+
+// Set this value to "true" to get emails only on errors. Default
+// is to always send a mail if Unattended-Upgrade::Mail is set
+//Unattended-Upgrade::MailOnlyOnError "true";
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+// Automatically reboot *WITHOUT CONFIRMATION* if a 
+// the file /var/run/reboot-required is found after the upgrade 
+Unattended-Upgrade::Automatic-Reboot "false";
+
+
+// Use apt bandwidth limit feature, this example limits the download
+// speed to 70kb/sec
+//Acquire::http::Dl-Limit "70";
+
+// Force dpkg to keep any existing configuration file regardless of
+// what the package might bring
+DPkg::Options:: "--force-confold";
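Review bot: `Unattended-Upgrade::Package-Blacklist` holds back `libc6`, so glibc security fixes are never installed automatically on these hosts and depend on a manual upgrade. If that is deliberate, say so in the file, e.g. `// libc6 held on purpose: upgrade by hand after each security advisory`. As far as I know the entries are matched as regular expressions against package names, so `"bird"` and `"libc6"` may also hold back other packages whose names start with those strings; writing them as `"bird$"` and `"libc6$"` would make the intent explicit. The last two `Origins-Pattern` lines match on `archive=stable` and `archive=oldstable`, which is the silent release switch the comment at the top of that block warns about. `"o=Debian,n=stretch,l=Debian-Security"` already selects security updates by codename, so those two lines look removable.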