Introducing confdroid_automatic: Hands-Off OS Updates for Your Rocky 9 Servers
Keeping operating systems patched is one of the most important — yet often neglected — parts of server maintenance. Security updates arrive regularly, and manually applying them across dozens or hundreds of machines quickly becomes a burden and a source of risk.
That’s why I’m happy to release confdroid_automatic, the latest addition to the Confdroid Puppet collection.
This module brings reliable, automated OS updates to Rocky 9 (and other RHEL 9-based) systems by managing dnf-automatic declaratively with Puppet 8. It installs the necessary packages, configures update behavior, applies correct SELinux contexts, and ensures the systemd timer runs as expected.
Why Automated Updates Matter
Security patches close vulnerabilities before attackers can exploit them. dnf-automatic already does most of the heavy lifting out of the box — it can download and apply updates on a schedule, send notifications, and even reboot when needed. The challenge is managing it consistently across your entire fleet without configuration drift.
Additionally, production systems may need a different update policy than development or staging systems: for example, production receives only security updates, while the other stages run fully updated systems.
confdroid_automatic solves that by turning dnf-automatic into a fully Puppet-controlled service.
Key Features
- Installs and configures the dnf-automatic package
- Manages the main configuration file (/etc/dnf/automatic.conf) with proper permissions and SELinux contexts
- Controls the dnf-automatic.timer systemd service
- Supports flexible parameters you can override via Foreman ENC or Hiera
- Includes sensible defaults for production use while allowing fine-tuning
Main tunable parameters include:
- ac_upgrade_type – ‘default’, ‘security’, ‘minimal’ or ‘all’
- ac_apply_updates – whether to actually install updates (or just download them)
- ac_download_updates – enable downloading of available packages
- ac_random_sleep – add a random delay (in seconds) to prevent all servers from updating at the exact same moment
- ac_reboot – when to reboot after applied updates
- ac_email_to – which email address to notify
Automatic Update Flow
Here’s how the module turns Puppet configuration into real-world automated patching:

The flow ensures updates are applied safely and predictably. The optional random sleep helps avoid “thundering herd” problems in larger environments.
How to Use It
Import the module via r10k (Puppetfile).
The simplest way to enable automatic updates on a node is in site.pp:
include confdroid_automatic
To apply via Foreman:
Assign confdroid_automatic::params to the host or hostgroup in question and override parameters as required.
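As an added example (not taken from the module's own documentation), here is how the tunable parameters listed above could express the per-stage policy mentioned earlier (security-only on production, full updates elsewhere) from a single profile manifest. It assumes the ac_* parameters are exposed on the confdroid_automatic class, that ac_reboot accepts the values dnf-automatic itself understands ('never', 'when-changed', 'when-needed'), and that a custom stage fact is supplied by Foreman or the ENC.

```puppet
# Added example, not part of confdroid_automatic. Assumptions: the ac_*
# parameters are class parameters of confdroid_automatic, ac_reboot takes
# dnf-automatic's own values, and $facts['stage'] is a custom fact.

# Fall back to the most conservative policy when the fact is missing.
$stage = $facts['stage'] ? {
  undef   => 'production',
  default => $facts['stage'],
}

case $stage {
  'production': {
    # Security patches only, applied automatically. Reboot only when a
    # package actually requires it, and spread the fleet over one hour
    # so hosts do not all restart at the same moment.
    class { 'confdroid_automatic':
      ac_upgrade_type     => 'security',
      ac_download_updates => true,
      ac_apply_updates    => true,
      ac_random_sleep     => 3600,
      ac_reboot           => 'when-needed',
      ac_email_to         => 'ops@example.com',
    }
  }
  'staging': {
    # Full updates so staging sees regressions before production does;
    # reboot whenever something changed to surface boot-time problems.
    class { 'confdroid_automatic':
      ac_upgrade_type     => 'default',
      ac_download_updates => true,
      ac_apply_updates    => true,
      ac_random_sleep     => 1800,
      ac_reboot           => 'when-changed',
      ac_email_to         => 'ops@example.com',
    }
  }
  default: {
    # Development: only download; the developer decides when to apply.
    class { 'confdroid_automatic':
      ac_upgrade_type     => 'default',
      ac_download_updates => true,
      ac_apply_updates    => false,
      ac_random_sleep     => 300,
      ac_reboot           => 'never',
    }
  }
}
```

After a Puppet run, /etc/dnf/automatic.conf and `systemctl list-timers dnf-automatic.timer` on a host of each stage should reflect the chosen policy; a mismatch points at configuration drift or an ENC override.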
Important Notes
- Test thoroughly in a non-production environment first. Automatic updates can cause reboots or service restarts.
- If you already have a manual dnf-automatic configuration, the module will overwrite it — start clean or review the generated config carefully.
- The module handles SELinux contexts automatically, so it works smoothly on enforcing-mode Rocky 9 systems.
You can find the full module, source code, and parameter reference here:
Final Thoughts
With confdroid_automatic, keeping your Rocky 9 fleet patched becomes a truly hands-off process. Combined with the rest of the Confdroid collection (including monitoring via confdroid_nagios), you get a consistent, secure, and maintainable update strategy.
Automated patching is no longer a nice-to-have — it’s a baseline security requirement. This module makes it simple, repeatable, and fully integrated into your Puppet workflow.
Have you been managing OS updates manually or with scripts? Would you like automatic reboots enabled or prefer a download-only approach? Drop your thoughts or questions in the comments — I’d love to hear how you handle patching in your environment.