Forge Home


Puppet module that installs and configures the unattended upgrades service

Andrew Schwartzmeyer



28,349 latest version

4.5 quality score

Version information

  • 0.2.3 (latest)
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Feb 28th 2016
This version is compatible with:
  • Ubuntu

Start using this module


andschwa/unattended_upgrades — version 0.2.3 Feb 28th 2016


Table of Contents

  1. Overview
  2. Module Description
  3. Setup - The basics of getting started with andschwa-unattended_upgrades
  4. Usage - Configuration options and additional functionality
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module


This module installs the 'unattended-upgrades' package, installs the configuration files using templates, and ensures the service is running.

Note that this module is a bit superfluous if you're using puppetlabs/apt, as it can fully configure unattended upgrades. I realized this only after I wrote this package, and personally switched to it in the interest of simplicity. However, as this does not require the apt module as a dependency, it may still be useful to some.

Module Description

This module is intended for Ubuntu and Debian systems, where the 'unattended-upgrades' package is available. Alternatives include scheduling updates with cron by hand (and in fact, 'unattended-upgrades' utilizes cron), and using cron-apt (more detail here).


What andschwa-unattended_upgrades affects

  • Packages
    • unattended-upgrades
  • Services
    • unattended-upgrades
  • Files
    • /etc/apt/apt.conf.d/20auto-upgrades
    • /etc/apt/apt.conf.d/50unattended-upgrades

Beginning with andschwa-unattended_upgrades

The simplest use of this module is:

include unattended_upgrades


This module has one class, unattended_upgrades, with the following parameters:

$period                       = 1,                                             # Update period (in days)
$repos                        = {},                                            # Repos to upgrade
$blacklist                    = [],                                            # Packages to not update
$email                        = '',                                            # Email for update status
$autofix                      = true,                                          # Ensure updates keep getting ins
$minimal_steps                = true,                                          # Allows for shutdown during an u
$on_shutdown                  = false,                                         # Install only on shutdown
$on_error                     = false,                                         # Email only on errors, else alwa
$autoremove                   = false,                                         # Automatically remove unused dep
$auto_reboot                  = false,                                         # Automatically reboot if needed
$template_unattended_upgrades = 'unattended_upgrades/unattended-upgrades.erb', # Path to config template
$template_auto_upgrades       = 'unattended_upgrades/auto-upgrades.erb',       # Path to apt config template

Logs are at the usual /var/log/unattended-upgrades, and emails will be automatically sent if an email is given.

The $minimal_steps option will split the upgrade into the smallest possible chunks, which allows them to be safely interruped (with SIGUSR1). There is a small performance penalty, but it lets you shutdown the machine while an upgrade is in progess.

The $autofix option determines if unattended-upgrades will, upon an unclean dpkg exit, automatically run dpkg --force-confold --configure -a. It defaults to true so that updates will continue being automatically installed.

The $autoremove option will clean unused dependencies, further configuration is available via the periodic configurations in /etc/apt/apt.conf.d/.


# Unattended upgrades
$upgrade_blacklist = hiera_array('do_not_upgrade')
class {'::unattended_upgrades':
  period    => '1',
  repos     => {
    stable => {
      label => 'Debian-Security',
  blacklist => $upgrade_blacklist,
  email     => '',

do_not_upgrade hash

You can define the do_not_upgrade hash in your module or in Hiera. Hiera is a more sensible location for this sort of thing.

  "do_not_upgrade": [


This module only works on systems using apt package management: Ubuntu and Debian (and their derivatives).


Fork on GitHub, make a Pull Request.