To stagger automated upgrades across several groups of Ubuntu servers, give each group its own upgrade day. A bad package then reaches only one batch at a time, and there is a window in which to notice breakage and stop the remaining timers before they fire, instead of every host picking up the same update on the same night.
The Ansible playbook below illustrates this. It installs unattended-upgrades, disables the stock APT::Periodic daily upgrade run (while still refreshing package lists), and installs a systemd service and timer per inventory group so that each group upgrades on its own weekday.
Playbook

```yaml
---
- hosts: all
  become: true
  vars:
    # Each entry names an inventory group and the weekday on which its hosts upgrade.
    unattended_upgrade_groups:
      - name: staging_batch1
        schedule: "Mon *-*-* 02:00:00"   # Updates on Monday
      - name: staging_batch2
        schedule: "Wed *-*-* 02:00:00"   # Updates on Wednesday
      - name: staging_batch3
        schedule: "Fri *-*-* 02:00:00"   # Updates on Friday
  tasks:
    - name: Install unattended-upgrades
      apt:
        name: unattended-upgrades
        state: present

    - name: Keep package lists fresh but disable the stock daily upgrade run
      copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Download-Upgradeable-Packages "0";
          APT::Periodic::AutocleanInterval "7";
          APT::Periodic::Unattended-Upgrade "0";
        mode: '0644'

    # A block cannot be looped in Ansible, so each task loops over the group
    # list itself and is restricted (via group_names) to hosts in that group.
    - name: Create systemd service for unattended-upgrades
      copy:
        dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.service"
        content: |
          [Unit]
          Description=Run unattended upgrades for {{ item.name }}

          [Service]
          Type=oneshot
          ExecStart=/usr/bin/unattended-upgrade
        mode: '0644'
      loop: "{{ unattended_upgrade_groups }}"
      when: item.name in group_names

    - name: Create systemd timer
      copy:
        dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.timer"
        content: |
          [Unit]
          Description=Timer for unattended upgrades on {{ item.schedule }} for {{ item.name }}

          [Timer]
          OnCalendar={{ item.schedule }}
          Persistent=true

          [Install]
          WantedBy=timers.target
        mode: '0644'
      loop: "{{ unattended_upgrade_groups }}"
      when: item.name in group_names

    - name: Enable and start the timer
      systemd:
        name: "unattended-upgrades-{{ item.name }}.timer"
        daemon_reload: true
        enabled: true
        state: started
      loop: "{{ unattended_upgrade_groups }}"
      when: item.name in group_names
```

Two things to watch. The `when: item.name in group_names` condition is what makes the rollout staggered: without it every host would receive all three timers and upgrade on Monday, Wednesday and Friday. It also means a host that belongs to none of the listed groups gets no timer at all, and since the stock daily run is disabled it would never upgrade, so keep the inventory groups and the `unattended_upgrade_groups` names in sync. `Persistent=true` makes a timer that was missed (host powered off at 02:00) fire as soon as the host is next up, which may be outside the intended window; drop it if an upgrade at an arbitrary time of day is worse than a skipped week. To confirm the schedule on a host, run `systemd-analyze calendar "Mon *-*-* 02:00:00"` to see the next elapse time and `systemctl list-timers 'unattended-upgrades-*'` to see which timer is installed.
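Before pushing a new set of schedules, it is worth checking that the batches are actually spread out, not just named differently. The script below is an added example, not part of the original playbook: it parses the weekly `OnCalendar` form the playbook uses (`<Weekday> *-*-* HH:MM:SS`, a small subset of the systemd calendar grammar), computes when each group's timer next elapses, and reports any two consecutive batches that are closer together than a minimum gap. The group list and the reference time are constructed for the example; on a real host, `systemd-analyze calendar` is the authority for the full syntax.

```python
"""Check that a set of weekly OnCalendar schedules is actually staggered.

Added example (not from the original post). Supports only the
"<Weekday> *-*-* HH:MM:SS" form used in the playbook, not the full
systemd calendar grammar; use `systemd-analyze calendar SPEC` for that.
"""
import re
from datetime import datetime, timedelta

WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
WEEKLY_SPEC = re.compile(
    r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) \*-\*-\* (\d{2}):(\d{2}):(\d{2})$"
)


def parse_weekly(spec):
    """Return (weekday, hour, minute, second) for a weekly spec, else ValueError."""
    m = WEEKLY_SPEC.match(spec)
    if not m:
        raise ValueError(f"unsupported OnCalendar spec: {spec!r}")
    day, hh, mm, ss = m.groups()
    h, mi, s = int(hh), int(mm), int(ss)
    if h > 23 or mi > 59 or s > 59:
        raise ValueError(f"time of day out of range in {spec!r}")
    return WEEKDAYS[day], h, mi, s


def next_run(spec, now_iso):
    """First moment strictly after `now_iso` (naive ISO-8601) at which `spec` elapses."""
    now = datetime.fromisoformat(now_iso)
    wd, h, mi, s = parse_weekly(spec)
    candidate = now.replace(hour=h, minute=mi, second=s, microsecond=0)
    candidate += timedelta(days=(wd - now.weekday()) % 7)
    if candidate <= now:  # already passed this week: roll over to next week
        candidate += timedelta(days=7)
    return candidate


def check_staggered(groups, now_iso, min_gap_hours):
    """Return a list of problems (empty means the batches are spread as intended).

    `groups` is the playbook's unattended_upgrade_groups list of
    {"name": ..., "schedule": ...} dicts. `min_gap_hours` is the shortest
    acceptable interval between consecutive batches, e.g. 24 so a broken
    batch can be noticed and the next timer stopped before it fires.
    """
    runs = sorted((next_run(g["schedule"], now_iso), g["name"]) for g in groups)
    if not runs:
        return []
    # Weekly timers wrap around: the last batch is followed by the first one a week later.
    ordered = runs + [(runs[0][0] + timedelta(days=7), runs[0][1])]
    problems = []
    for (t1, n1), (t2, n2) in zip(ordered, ordered[1:]):
        gap = t2 - t1
        if gap < timedelta(hours=min_gap_hours):
            problems.append(
                f"{n1} ({t1:%a %H:%M}) and {n2} ({t2:%a %H:%M}) are only {gap} apart"
            )
    return problems


if __name__ == "__main__":
    # Constructed input: the three groups from the playbook, checked from a Sunday.
    groups = [
        {"name": "staging_batch1", "schedule": "Mon *-*-* 02:00:00"},
        {"name": "staging_batch2", "schedule": "Wed *-*-* 02:00:00"},
        {"name": "staging_batch3", "schedule": "Fri *-*-* 02:00:00"},
    ]
    for g in groups:
        print(g["name"], "next fires", next_run(g["schedule"], "2024-01-07T00:00:00"))
    print("problems:", check_staggered(groups, "2024-01-07T00:00:00", 24))
```

Run it against the same list you keep in the playbook's `vars` (or load it from a group_vars file) as a pre-flight step; with the Monday/Wednesday/Friday schedule it reports no problems at a 24-hour minimum gap, and flags both 48-hour gaps if you raise the minimum to 72 hours. Because the wrap-around from the last batch back to the first is included, a schedule that packs all batches into the same weekday is caught even though each pair of consecutive days looks fine on its own.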