
I have a subset of servers that are running Ubuntu and I am trying to create a playbook that will only apply security updates to them. I am aware that unattended-upgrades will do this for me, but I want more control over when it runs and when they get applied.

I found this SF question showing how to use apt-get to install updates from a specific repo file:

How do you use apt-get to only install critical security updates on ubuntu?

I have my playbook creating this file if it doesn't exist, but I can't seem to get the apt module to recognize the sources.list as an option and only read this file and not do the entire update list. Here is what I have so far:

# apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list
- name: Ubuntu - Install the security updates
  apt:
    force_apt_get: yes
    state: latest
    upgrade: yes
    dpkg_options: "Dir::Etc::SourceList=/etc/apt/security.sources.list"
  register: apt_output

When I run the playbook against a test VirtualBox image it shows it will upgrade 144 packages when aptitude shows only 80 security packages needed.

Any ideas how I can pass the sources.list file as an option to the apt module?

Ken S.
  • `dpkg_options` is for dpkg options, not APT configuration options. I am pretty sure whatever you put in dpkg_options is going to have `Dpkg::Options::=` prefixed to it. – Zoredache May 02 '18 at 22:40
  • https://github.com/ansible/ansible/blob/devel/lib/ansible/modules/packaging/os/apt.py#L417 – Zoredache May 02 '18 at 22:42
  • I am not sure if there is any way to do this via the ansible apt module. You may need to use shell/command. – Zoredache May 02 '18 at 22:44

1 Answer

When the Ansible apt module is not sufficient, use the shell module:

- name: Ubuntu - Install the security updates
  # -y answers apt-get's confirmation prompt, which has no terminal to read from under Ansible
  shell: apt-get update && apt-get -y upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list
Roman Spiak
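An added example (not the question's or the answer's code) that builds the security-only sources list from an existing sources.list and counts what a simulated `apt-get -s upgrade` would touch, so the number can be compared with the aptitude count before the shell task applies anything. The `Dir::Etc::SourceParts` override is an assumption about apt's configuration, not something from this page, and the sample sources and apt output are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
set -eu

# Keep only "deb" lines whose suite is a security pocket (e.g. bionic-security).
# Reads a sources.list on stdin and writes the filtered list to stdout.
security_sources() {
    grep -E '^deb[[:space:]].*[[:space:]][a-z]+-security[[:space:]]' || true
}

# Count packages in `apt-get -s upgrade` output read on stdin: apt prints one
# "Inst <pkg> [<old>] (<new> ...)" line per package it would install.
count_inst() {
    grep -c '^Inst ' || true
}

# Dry-run (-s, no changes) an upgrade restricted to the given sources list.
# Assumption: pointing Dir::Etc::SourceParts at a missing directory makes apt
# skip /etc/apt/sources.list.d, which Dir::Etc::SourceList alone does not do.
dry_run_security_upgrade() {
    apt-get -s upgrade \
        -o Dir::Etc::SourceList="$1" \
        -o Dir::Etc::SourceParts=/nonexistent
}

# Constructed sample input (not captured from a real host).
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe'

SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.0-1] (1.0-2 Ubuntu:18.04/bionic-security [amd64])
Inst openssl [1.0-1] (1.0-2 Ubuntu:18.04/bionic-security [amd64])
Conf libssl1.1 (1.0-2 Ubuntu:18.04/bionic-security [amd64])
Conf openssl (1.0-2 Ubuntu:18.04/bionic-security [amd64])'

# Run the two filters over the constructed samples; on a real host you would
# write security_sources output to /etc/apt/security.sources.list and then
# call dry_run_security_upgrade on that file.
sample_security_line_count() {
    printf '%s\n' "$SAMPLE_SOURCES" | security_sources | wc -l | tr -d ' '
}
sample_inst_count() {
    printf '%s\n' "$SAMPLE_SIMULATION" | count_inst
}
```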