This is the result of a bug in docker and Debian. It’s since been fixed, but apparently not for Discourse’s docker image (yet?).
Per the above link, I used the following template file to both [a] create the /etc/cron.d/ file and [b] fix the bug in the cron pam module:
[root@osestaging1 discourse]# cat /var/discourse/templates/unattended-upgrades.template.yml run:
- file:
path: /etc/cron.d/unattended-upgrades
contents: |+
################################################################################
# File: /etc/cron.d/unattended-upgrades
# Version: 0.1
# Purpose: run unattended-upgrades in lieu of systemd. For more info see
# * https://wiki.opensourceecology.org/wiki/Discourse
# * https://meta.discourse.org/t/does-discourse-container-use-unattended-upgrades/136296/3
# Author: Michael Altfield <michael@opensourceecology.org>
# Created: 2020-03-23
# Updated: 2020-03-23
################################################################################
20 04 * * * root /usr/bin/nice /usr/bin/unattended-upgrades --debug
- exec: /bin/echo -e "\n" >> /etc/cron.d/unattended-upgrades
# fix the Docker cron bug https://stackoverflow.com/questions/43323754/cannot-make-remove-an-entry-for-the-specified-session-cron
- exec: /bin/sed --in-place=.`date "+%Y%m%d_%H%M%S"` 's%^\([^#]*\)\(session\s\+required\s\+pam_loginuid\.so\)$%\1#\2%' /etc/pam.d/cron
[root@osestaging1 discourse]#
Unfortunately, I’m not 100% of all the consequences of making this change to the cron pam.d module. But it does seem to me to be the recognized fix upstream :\