Enable unattended-upgrades fleet-wide; keep Elasticsearch undisturbed#277
Merged
Conversation
Previously unattended-upgrades was masked on the base AMI (so no host got automatic security fixes) and additionally stopped on Elasticsearch nodes. This applies security updates everywhere while ensuring ES is never restarted automatically. - New profile::unattended_upgrades (included from profile::base): unmasks and enables unattended-upgrades.service plus the apt-daily/apt-daily-upgrade timers (and their trigger .service units, which must be unmasked or the timers refuse to start), writes 20auto-upgrades + a 52- override, and pins Automatic-Reboot off. Package blacklist is Hiera-driven. - Elasticsearch nodes: drop the blunt "stop unattended-upgrades" and instead blacklist the elasticsearch package (Hiera) and set needrestart to list-only, so library security fixes land on disk without bouncing ES. ES is restarted only via instance refresh, guarded by the decommission-node cron. - Normalize dev profile file modes (755 -> 644) to match global. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…file Blacklisting the elasticsearch package is a correctness invariant for every ES node, not a tunable. Move it out of per-role Hiera and into profile::elastic::service, which drops its own apt.conf.d entry that appends to Unattended-Upgrade::Package-Blacklist. An ES node can no longer come up without it. - profile::elastic::service writes /etc/apt/apt.conf.d/53-elasticsearch-blacklist - Drop the package_blacklist param from profile::unattended_upgrades and the blacklist block from its 52- template (now reboot-only) - Remove profile::unattended_upgrades::package_blacklist from all elastic Hiera Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
infrahouse8
approved these changes
Jun 28, 2026
Member
Author
Live verification (
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Two conflicting goals:
Current state met neither: the base AMI ships unattended-upgrades masked (so e.g. bookstack got no security fixes), and Elasticsearch nodes additionally forced the service
stopped.Approach
Separate "apply updates" from "restart services".
Fleet-wide (
profile::unattended_upgrades, included fromprofile::base):unattended-upgrades.serviceand theapt-daily/apt-daily-upgradetimers. The timers' trigger.serviceunits must be unmasked too, or the timers refuse to start (unit to trigger not loaded)./etc/apt/apt.conf.d/20auto-upgradesand a52-override;Automatic-Reboot "false".profile::unattended_upgrades::package_blacklist).Elasticsearch nodes (
profile::elastic::service):ensure => stopped.elasticsearchpackage from automatic upgrades (Hiera) — ES version changes flow through AMI rebuild + instance refresh, guarded by the existingdecommission-nodecron.$nrconf{restart} = 'l') so library security fixes (openssl/glibc) land on disk without bouncing the ES process. The restart is deferred to the controlled rolling replacement.Also normalizes some dev profile file modes (
755 → 644) to match global.Verification
Applied on a production node:
unmask-*execs run once, then idempotent.apt-daily.timer/apt-daily-upgrade.timer→ running.unattended-upgrades.service→active (running)(the expected--wait-for-signalshutdown applier).🤖 Generated with Claude Code