Sets unattended-upgrades reboot time to daily_reboot_time

Revision, based on discussion. It turns out that setting reboot time to "now" causes reboots even during download-only stages, which isn't the behavior we want. Let's stagger the actions: * apt-get update * apt-get upgrade * reboot all approximately 1h apart (with 20m random delay on the apt-get actions). This reverts commit bddeb5e.
freedomofpress · Mar 9, 2021 · 74fadb8 · 74fadb8
1 parent b349d71
commit 74fadb8
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 12 deletions.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -1,8 +1,4 @@
 ---
-# Set the time at which the servers reboot to apply nightly updates
-# and aid in clearing memory. Only the hour is configurable.
-daily_reboot_time: 4 # An integer between 0 and 23
-
 disabled_kernel_modules:
   - btusb
   - bluetooth
@@ -61,3 +57,11 @@ unattended_upgrades_timer_overrides:
     dest: /etc/systemd/system/apt-daily.timer.d/override.conf
   - src: apt-daily-upgrade-timer-override.j2
     dest: /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
+
+# Set the time at which the servers reboot to apply nightly updates
+# and aid in clearing memory. Only the hour is configurable, via sdconfig.
+# The other options are for unattended-upgrades, when to run
+# 'apt-get update' and 'apt-get upgrade'.
+daily_reboot_time: 4 # An integer between 0 and 23
+daily_update_time: "{{ (daily_reboot_time|int - 2) % 24 }}"
+daily_upgrade_time: "{{ (daily_reboot_time|int - 1) % 24 }}"
diff --git a/install_files/ansible-base/roles/common/templates/80securedrop.j2 b/install_files/ansible-base/roles/common/templates/80securedrop.j2
@@ -1,7 +1,8 @@
 {% if ansible_distribution_release == "focal" %}
-// Reboot should happen after nightly upgrades. Timing of upgrade
-// is configured via apt.daily.timer
-Unattended-Upgrade::Automatic-Reboot-Time "now";
+// If automatic reboot is enabled and needed, reboot at the specific
+// time instead of immediately
+//  Default: "now"
+Unattended-Upgrade::Automatic-Reboot-Time "{{ daily_reboot_time }}:00";
 APT::Periodic::Enable "1";
 {% endif %}
 // Don't install packages from "Recommends" field, we'll manage dependencies

diff --git a/install_files/ansible-base/roles/common/templates/apt-daily-timer-override.j2 b/install_files/ansible-base/roles/common/templates/apt-daily-timer-override.j2
@@ -1,5 +1,5 @@
 [Timer]
 OnCalendar=
-OnCalendar=*-*-* {{ (daily_reboot_time|int - 1) % 24 }}:00
+OnCalendar=*-*-* {{ daily_update_time }}:00
 RandomizedDelaySec=20m
 Persistent=true
diff --git a/install_files/ansible-base/roles/common/templates/apt-daily-upgrade-timer-override.j2 b/install_files/ansible-base/roles/common/templates/apt-daily-upgrade-timer-override.j2
@@ -1,4 +1,4 @@
 [Timer]
 OnCalendar=
-OnCalendar=*-*-* {{ daily_reboot_time }}:00
+OnCalendar=*-*-* {{ daily_upgrade_time }}:00
 RandomizedDelaySec=20m
diff --git a/molecule/testinfra/common/test_automatic_updates.py b/molecule/testinfra/common/test_automatic_updates.py
@@ -199,7 +199,7 @@ def test_cron_apt_cron_jobs(host, cron_job):
     "APT::Periodic::Enable": "1",
     "Unattended-Upgrade::AutoFixInterruptedDpkg": "true",
     "Unattended-Upgrade::Automatic-Reboot": "true",
-    "Unattended-Upgrade::Automatic-Reboot-Time": "now",
+    "Unattended-Upgrade::Automatic-Reboot-Time": "4:00",
     "Unattended-Upgrade::Automatic-Reboot-WithUsers": "true",
     "Unattended-Upgrade::Origins-Pattern": [
         "origin=${distro_id},archive=${distro_codename}",
@@ -285,16 +285,24 @@ def test_apt_daily_services_and_timers_enabled(host, service):
 
 
 def test_apt_daily_timer_schedule(host):
+    """
+    Timer for running apt-daily, i.e. 'apt-get update', should be 2h
+    before the daily_reboot_time.
+    """
     if host.system_info.codename != "xenial":
         c = host.run("systemctl show apt-daily.timer")
-        assert "TimersCalendar={ OnCalendar=*-*-* 03:00:00 ;" in c.stdout
+        assert "TimersCalendar={ OnCalendar=*-*-* 02:00:00 ;" in c.stdout
         assert "RandomizedDelayUSec=20m" in c.stdout
 
 
 def test_apt_daily_upgrade_timer_schedule(host):
+    """
+    Timer for running apt-daily-upgrade, i.e. 'apt-get upgrade', should be 1h
+    before the daily_reboot_time, and 1h after the apt-daily time.
+    """
     if host.system_info.codename != "xenial":
         c = host.run("systemctl show apt-daily-upgrade.timer")
-        assert "TimersCalendar={ OnCalendar=*-*-* 04:00:00 ;" in c.stdout
+        assert "TimersCalendar={ OnCalendar=*-*-* 03:00:00 ;" in c.stdout
         assert "RandomizedDelayUSec=20m" in c.stdout