diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 8cca9447d39e8fb0aa15720cdbe308ae6619e347..4eab1fc7f3abca90075341a31e025933cfd37442 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -283,6 +283,10 @@ The role implements the following: expire within less than 30 days). Roles that want their certificates checked should deploy a ``.conf`` to directory ``/etc/check_certificate/`` with paths to certificate files, one per line. Certificates are checked on daily basis. +* Deploys ``apticron`` package that performs checks for available package + upgrades on daily basis. Mails are delivered to local ``root`` account, and + can be redirected elsewhere via aliases. If using ``mail_forwarder`` or + ``mail_server`` roles on the same server, aliases can be set-up through them. Role dependencies diff --git a/docs/usage.rst b/docs/usage.rst index ccddc92b1e18b92bd727d95d1b387b9828a9e6de..8067591df6a9c92e50705d8313de67f8a2a5b21d 100644 --- a/docs/usage.rst +++ b/docs/usage.rst 
@@ -2155,6 +2155,37 @@ Handlers alone can be invoked specifically with command similar to:: The ``handlers`` variable is treated as boolean, and by default it is not set. +Checking for available package upgrades +--------------------------------------- + +One of the more annoying chores when you maintain your own infrastructure is +making sure everything is up-to-date. And this has to be done - both in order to +ensure for problem-free experience for users (yourself included), and for making +sure there are no security vulnerabilities that could be exploited by a (random) +adversary. + +*Majic Ansible Roles* try to keep you covered on this front as well. As part of +regular deployment, the ``common`` role will deploy and configure ``apticron`` - +a nifty little script that runs on hourly basis and checks if any of your +system-provided packages are outdated. + +If ``apticron`` detects an outdated package, it will output this information to +standard output, which will result in the cron daemon sending out an e-mail to +the local root account. These mails can be further directed towards other mail +accounts via aliases (easily achieveable if you use either the +``mail_forwarder`` or ``mail_server`` roles). + +No packages will be upgraded automatically - ensuring you can make sure upgrades +occur correctly and do not cause major outage without anyone being present to +fix them. + +Another useful package you may want to look into is ``needrestart`` - which runs +as a hook during the upgrade process to detect any processes that seem to be +running with outdated libraries, allowing you to restart them as well. This +package is *not* installed by the ``common`` role out-of-the-box, but you can +easily do so by updating the ``common_packagtes`` setting. + + Where to go next? -----------------
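Review bot: The check frequency in the new ``apticron`` bullet of the docs/rolereference.rst hunk ("performs checks for available package upgrades on daily basis") contradicts the docs/usage.rst text added by the same patch ("runs on hourly basis"). Use whichever value matches the deployed schedule in both places, so an administrator knows how long a pending security upgrade can go unreported. Minor: "set-up" used as a verb in the last added line should read "set up".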
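Review bot: The setting name ``common_packagtes`` in the last added paragraph of the docs/usage.rst hunk looks like a typo (probably ``common_packages``; please verify against the role's parameter name). A reader who copies it as written would likely set a variable the role does not use, and ``needrestart`` would not be installed without any error pointing at the cause. Also in this hunk, "achieveable" should be "achievable" and "to ensure for problem-free experience" reads better as "to ensure a problem-free experience".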