automatic security updates #1594

Open
ltalirz opened this issue Jun 7, 2023 · 1 comment
Labels
kind/feature New feature request

Comments

@ltalirz
Contributor

ltalirz commented Jun 7, 2023

In what area(s)?

/area administration
/area ansible
/area autoscaling
/area configuration
/area cyclecloud
/area documentation
/area image
/area job-scheduling
/area monitoring
/area ood
/area remote-visualization
/area user-management

Describe the feature

Many playbooks currently contain a task

  - name: update packages for security
    become: true
    yum:
      name: '*'
      state: latest
      exclude: cyclecloud*

Not only does this task slow down the playbooks, it also does not keep the systems up to date when you are not running playbooks.

There are Ansible roles for this, such as https://github.com/geerlingguy/ansible-role-security, that will install cron jobs (yum-cron for RHEL-based, unattended-upgrades for Debian-based systems) that periodically install security patches (and only security patches) to keep the VMs up to date at all times.
I believe we should use them.

@ltalirz ltalirz added the kind/feature New feature request label Jun 7, 2023
@xpillons
Collaborator

xpillons commented Jun 8, 2023

I think it would probably be easier to do our own cron instead of relying on another repo. In the end, it's just a cron running yum with security updates.
The best would be to rely on the Azure platform for managing security updates globally; see #1413.
The issue with Azure update is that it only supports a specific list of marketplace images and not custom images.
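
Added example, not part of the issue thread or the project's code: a sketch of the periodic, security-only update both comments describe, written as Ansible tasks that configure yum-cron directly and keep the `cyclecloud*` exclusion from the task quoted in the issue. It assumes an EL7-family image where the `yum-cron` package and `/etc/yum/yum-cron.conf` exist; `pending_security` is a hypothetical variable name.

```yaml
# Added example, not the project's own tasks.
# Assumption: EL7-family image where the yum-cron package and
# /etc/yum/yum-cron.conf exist.
- name: install yum-cron
  become: true
  ansible.builtin.yum:
    name: yum-cron
    state: present

# [commands] section: apply security errata only, instead of name: '*'
- name: limit yum-cron to security updates and apply them
  become: true
  ansible.builtin.lineinfile:
    path: /etc/yum/yum-cron.conf
    regexp: '^\s*{{ item.key }}\s*='
    line: '{{ item.key }} = {{ item.value }}'
    insertafter: '^\[commands\]'
  loop:
    - { key: update_cmd, value: security }
    - { key: apply_updates, value: 'yes' }

# [base] section overrides yum.conf; keeps the exclusion from the original task
- name: keep cyclecloud packages out of unattended runs
  become: true
  ansible.builtin.lineinfile:
    path: /etc/yum/yum-cron.conf
    regexp: '^\s*exclude\s*='
    line: 'exclude = cyclecloud*'
    insertafter: '^\[base\]'

- name: enable the yum-cron service so the daily cron job runs
  become: true
  ansible.builtin.service:
    name: yum-cron
    state: started
    enabled: true

# Check: update_cmd = security depends on the repositories publishing
# errata (updateinfo) metadata; without it no package is ever selected.
- name: list pending security errata
  become: true
  ansible.builtin.command: yum -q updateinfo list security
  register: pending_security   # hypothetical variable name
  changed_when: false
```

On dnf-based releases the equivalent package is dnf-automatic, which uses its own configuration file and a systemd timer instead of the daily cron job.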
