new-site/infra/ansible/roles/security-updates/templates/docker-version-guard.sh.j2
justin 97e8664cbf Add security-updates Ansible role for automated patching
Comprehensive security update automation:

1. Debian OS (unattended-upgrades) — tightened to security-only:
   - Removed general Debian updates (prevents feature/breaking changes)
   - Only Debian-Security origins auto-installed
   - Email admin on every upgrade via ops@performancewest.net
   - Auto-reboot at 4 AM if kernel update requires it
   - needrestart auto-restarts services after library updates

2. Docker CE — major version guard:
   - Patch updates within pinned major version auto-applied
   - Major version jumps held + admin alerted for manual review
   - docker-ce, docker-ce-cli, containerd.io all version-guarded

3. Container base images — daily at 3:30 AM:
   - Pulls latest base images for all docker-compose services
   - Compares image digests — only rebuilds if changed
   - Restarts only affected services (not full stack)
   - Alerts admin on rebuild failures requiring manual intervention
   - Covers both prod and dev compose projects

4. k3s — weekly Sunday at 3:45 AM:
   - Patch updates within current minor auto-applied
   - Minor/major upgrades alert admin for manual review
   - Verifies node Ready status after update
   - Alerts on failures with investigation instructions

5. Admin notifications via SMTP:
   - [INFO] for successful patches
   - [WARNING] for available major upgrades needing review
   - [CRITICAL] for failures requiring immediate intervention
   - Falls back to syslog if SMTP unavailable

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-30 01:24:57 -05:00

35 lines
2.4 KiB
Django/Jinja

#!/usr/bin/env bash
# ══════════════════════════════════════════════════════════════════════════════
# Docker Version Guard — Performance West
#
# Checks if a Docker CE major version upgrade is available. If so, holds the
# current packages and alerts the admin. Patch updates within the pinned
# major version are allowed to flow through unattended-upgrades.
#
# Run by: apt pre-invoke hook or manually
# ══════════════════════════════════════════════════════════════════════════════
set -euo pipefail
PINNED_MAJOR="{{ docker_major_version_pin }}"
ALERT_SCRIPT="/usr/local/bin/pw-security-alert"
current_version=$(dpkg-query -W -f='${Version}' docker-ce 2>/dev/null || echo "0.0.0")
current_major=$(echo "$current_version" | grep -oP '^\d+' || echo "0")
# Check what's available
apt-get update -qq 2>/dev/null
available_version=$(apt-cache policy docker-ce 2>/dev/null | grep 'Candidate:' | awk '{print $2}')
available_major=$(echo "$available_version" | grep -oP '5:\K\d+' || echo "$current_major")
if [ "$available_major" != "$PINNED_MAJOR" ] && [ "$available_major" != "$current_major" ]; then
# Major version jump detected — hold packages and alert admin
apt-mark hold docker-ce docker-ce-cli containerd.io 2>/dev/null || true
logger -t "pw-docker-guard" "Docker CE major upgrade available: $current_version -> $available_version (held)"
$ALERT_SCRIPT "Docker CE Major Upgrade Available — Manual Review Required" \
"A Docker CE major version upgrade is available but has been held:\n\n Current: $current_version (major $current_major)\n Available: $available_version (major $available_major)\n Pinned major: $PINNED_MAJOR\n\nMajor Docker upgrades may include breaking changes. Please review the changelog and upgrade manually:\n\n apt-mark unhold docker-ce docker-ce-cli containerd.io\n apt-get update && apt-get upgrade docker-ce docker-ce-cli containerd.io\n systemctl restart docker\n cd {{ project_dir }} && docker compose up -d" \
"warning"
else
# Same major — ensure packages are NOT held (allow patch updates)
apt-mark unhold docker-ce docker-ce-cli containerd.io 2>/dev/null || true
fi