DEV Community

12ww1160

Posted on • Originally published at confdroid.com

ConfDroid Puppet Modules - Automatic

Introducing confdroid_automatic: Hands-Off OS Updates for Your Rocky 9 Servers

Keeping operating systems patched is one of the most important — yet often neglected — parts of server maintenance. Security updates arrive regularly, and manually applying them across dozens or hundreds of machines quickly becomes a burden and a source of risk.

That’s why I’m happy to release confdroid_automatic, the latest addition to the Confdroid Puppet collection.

This module brings reliable, automated OS updates to Rocky 9 (and other RHEL 9-based) systems by managing dnf-automatic declaratively with Puppet 8. It installs the necessary packages, configures update behavior, applies correct SELinux contexts, and ensures the systemd timer runs as expected.

Why Automated Updates Matter

Security patches close vulnerabilities before attackers can exploit them. dnf-automatic already does most of the heavy lifting out of the box — it can download and apply updates on a schedule, send notifications, and even reboot when needed. The challenge is managing it consistently across your entire fleet without configuration drift.

Additionally, production systems may need a different update policy than development or staging systems, e.g. production receives only security updates while the other stages run fully updated systems.

confdroid_automatic solves that by turning dnf-automatic into a fully Puppet-controlled service.

Key Features

  • Installs and configures the dnf-automatic package
  • Manages the main configuration file (/etc/dnf/automatic.conf) with proper permissions and SELinux contexts
  • Controls the dnf-automatic.timer systemd service
  • Supports flexible parameters you can override via Foreman ENC or Hiera
  • Includes sensible defaults for production use while allowing fine-tuning

Main tunable parameters include:

  • ac_upgrade_type: 'default', 'security', 'minimal' or 'all'
  • ac_apply_updates: whether to actually install updates (or just download them)
  • ac_download_updates: enable downloading of available packages
  • ac_random_sleep: add a random delay (in seconds) to prevent all servers from updating at the exact same moment
  • ac_reboot: when to reboot after applied updates
  • ac_email_to: which email address to notify

Automatic Update Flow

Here’s how the module turns Puppet configuration into real-world automated patching:

[Mermaid diagram: automatic update flow]

The flow ensures updates are applied safely and predictably. The optional random sleep helps avoid “thundering herd” problems in larger environments.

How to Use It

Import the module via r10k (Puppetfile).

The simplest way to enable automatic updates on a node is in site.pp:

include confdroid_automatic

To apply via Foreman:

Assign confdroid_automatic::params to the host or hostgroup in question and override parameters as required.
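As an added example (not from the module's own documentation), here is how the per-stage policy described above can be expressed with Hiera: a conservative, security-only baseline for every node and a looser override for development. It assumes the ac_* parameters are looked up under the confdroid_automatic:: key prefix, that ac_reboot is passed through to dnf-automatic's own reboot setting, and that nodes are staged by Puppet environment; the hierarchy paths, environment names and e-mail address are constructed placeholders.

```yaml
# hiera.yaml (hierarchy excerpt, constructed): environment-specific data
# wins over common.yaml, so production only needs the baseline.
version: 5
hierarchy:
  - name: 'Per-environment overrides'
    path: 'environment/%{environment}.yaml'
  - name: 'Common defaults'
    path: 'common.yaml'

---
# hieradata/common.yaml (constructed): fleet-wide baseline.
# Only security errata, downloaded and applied, staggered by up to 30 minutes
# so hosts do not all hit the mirrors at once. No unattended reboots; a human
# schedules those, and the notification tells them when one is pending.
confdroid_automatic::ac_upgrade_type: 'security'
confdroid_automatic::ac_download_updates: true
confdroid_automatic::ac_apply_updates: true
confdroid_automatic::ac_random_sleep: 1800
confdroid_automatic::ac_reboot: 'never'           # assumed dnf-automatic value
confdroid_automatic::ac_email_to: 'ops@example.com'  # placeholder address

---
# hieradata/environment/staging.yaml (constructed): download-only.
# Packages are fetched every run so a later manual 'dnf update' is fast,
# but nothing is installed until an operator decides to.
confdroid_automatic::ac_upgrade_type: 'all'
confdroid_automatic::ac_apply_updates: false

---
# hieradata/environment/development.yaml (constructed): track everything and
# let dnf-automatic reboot when an update (kernel, glibc, systemd) needs it.
confdroid_automatic::ac_upgrade_type: 'all'
confdroid_automatic::ac_random_sleep: 300
confdroid_automatic::ac_reboot: 'when-needed'     # assumed dnf-automatic value
```

Each `---` separated document belongs in the file named in its comment; the keys not overridden in an environment file fall back to the common.yaml baseline.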

Important Notes

  • Test thoroughly in a non-production environment first. Automatic updates can cause reboots or service restarts.
  • If you already have a manual dnf-automatic configuration, the module will overwrite it — start clean or review the generated config carefully.
  • The module handles SELinux contexts automatically, so it works smoothly on enforcing-mode Rocky 9 systems.

You can find the full module, source code, and parameter reference here:

Final Thoughts

With confdroid_automatic, keeping your Rocky 9 fleet patched becomes a truly hands-off process. Combined with the rest of the Confdroid collection (including monitoring via confdroid_nagios), you get a consistent, secure, and maintainable update strategy.

Automated patching is no longer a nice-to-have — it’s a baseline security requirement. This module makes it simple, repeatable, and fully integrated into your Puppet workflow.

Have you been managing OS updates manually or with scripts? Would you like automatic reboots enabled or prefer a download-only approach? Drop your thoughts or questions in the comments — I’d love to hear how you handle patching in your environment.

