ansible-role-rhel-patchmanagement's People

Contributors

pixdrift, tronde
ansible-role-rhel-patchmanagement's Issues

RFE: Use the ansible reboot module instead of own code

In tasks/main.yml the following code is used to reboot hosts that have installed any kind of update:

  - name: Reboot Host if packages were updated
    shell: sleep 2 && shutdown -r now "Ansible updates triggered"
    async: 1
    poll: 0
    ignore_errors: true
    when: ("Complete!" in yum_output.stdout_lines[-1]) or
          ("Komplett!" in yum_output.stdout_lines[-1])

Instead of the shell module, the Ansible reboot module could be used here.

I don't know yet when I'll be able to implement and test this RFE. In case anyone would like to do this, you are welcome to contribute.
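As an added example (not code from the role or its author), here is the same task expressed with the ansible.builtin.reboot module. yum_output is assumed to be the registered result of the role's yum/dnf task, exactly as in tasks/main.yml; the timeout values are illustrative:

```yaml
# Added example, not code from ansible-role-rhel-patchmanagement.
# Same trigger condition as the shell variant, but the module does the waiting:
# no async/poll, no ignore_errors, and the play only continues once the host is back.
- name: Reboot host if packages were updated
  ansible.builtin.reboot:
    msg: "Ansible updates triggered"
    pre_reboot_delay: 2        # replaces the "sleep 2" before shutdown
    reboot_timeout: 600        # seconds to wait for the host to come back (illustrative value)
    post_reboot_delay: 10      # give services a moment before the next task runs
    test_command: uptime       # the host counts as up once this succeeds over the restored connection
  become: true                 # shutdown needs root, just like the shell version
  when: >-
    ("Complete!" in yum_output.stdout_lines[-1]) or
    ("Komplett!" in yum_output.stdout_lines[-1])
```

Because the module blocks until the connection is re-established, a task placed after it (for example a check that the expected kernel is running) sees the rebooted system rather than racing the shutdown.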

Put script in target node to install a patch set locally

One of my colleagues suggests automatically creating a bash script which could install the current patch set. This script should be placed on the target nodes. The system owner of the particular machine could use this script to install the patch set at a time that suits them.

I've not decided yet whether to build such a script or not. I'll use this issue to write down the todos, the pros and the cons. After that I'll make up my mind and decide whether to build such a feature or not.

Pros:

  • System owner could run exactly the same command that Ansible would run
  • Makes the installation of advisories easier for people with limited knowledge about how to use YUM

Cons:

  • Redundancy: nodes will get exactly the same advisories at the due time during the patch cycle
  • Additional feature with an additional risk to break; system owners could just copy and paste the command from the info mail if they would like to run it prior to the due time
  • The script may prevent users from learning and training how to use YUM, because they would use the script only to update their machines
  • The script would install advisories only, but the system owner is admonished to install all available updates for a machine

I'll leave this issue open for a while. Feel free to comment to give me your opinion on this topic. Or just give it a thumbs up if you would like such a script, or a thumbs down if you don't.

From the current pros and cons I would not build this script, but I have not made a final decision yet.

Hosts are getting rebooted although there was nothing to do

To determine whether a host needs to be rebooted or not, the output of the yum/dnf command is checked as follows:

  - name: Reboot Host if packages were updated
    shell: sleep 2 && shutdown -r now "Ansible updates triggered"
    async: 1
    poll: 0
    ignore_errors: true
    when: ("Complete!" in yum_output.stdout_lines[-1]) or
          ("Komplett!" in yum_output.stdout_lines[-1])

But the strings "Complete!" or "Komplett!" occur in RHEL 8 even when there is nothing to do, as shown in the following debug output:

TASK [rhel-patchmanagement : debug] ********************************************
ok: [rhel8.example.com] => {
    "yum_output": {
        "changed": true,
[...]
        "stderr": "",
        "stderr_lines": [],
        "stdout": "Updating Subscription Management repositories.\nLast metadata expiration check: 3:19:20 ago on Wed 29 Dec 2021 01:01:03 AM CET.\nDependencies resolved.\nNothing to do.\nComplete!",
        "stdout_lines": [
            "Updating Subscription Management repositories.",
            "Last metadata expiration check: 3:19:20 ago on Wed 29 Dec 2021 01:01:03 AM CET.",
            "Dependencies resolved.",
            "Nothing to do.",
            "Complete!"
        ],
    }
}

An already patched RHEL 7 host shows:

ok: [rhel7.example.com] => {
    "yum_output": {
[...]
        "stderr": "",
        "stderr_lines": [],
        "stdout": "Loaded plugins: product-id, search-disabled-repos, subscription-manager\nNo Packages marked for minimal Update",
        "stdout_lines": [
            "Loaded plugins: product-id, search-disabled-repos, subscription-manager",
            "No Packages marked for minimal Update"
        ],
    }
}

Ideas

  • Check if there are strings other than "Complete!" or "Komplett!" for RHEL 7 and RHEL 8 that could be used to check whether a reboot is needed or not.
  • Alternative: write different reboot conditions for RHEL 7 and RHEL 8.
  • Check RHEL 9 as well.
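An added example, not code from the role: the reboot decision can be moved out of the "Complete!" string match and into the update task's changed_when, so that the RHEL 8 output "Nothing to do." followed by "Complete!" (and the RHEL 7 "No Packages marked for minimal Update") no longer counts as an update. It assumes the role runs yum/dnf through the shell module and registers the result as yum_output, as tasks/main.yml does; the variable rhel_patch_update_cmd standing in for that command line is hypothetical. Forcing LC_ALL=C also removes the need to match translated strings such as "Komplett!":

```yaml
# Added example, not code from ansible-role-rhel-patchmanagement.
# rhel_patch_update_cmd is a hypothetical variable holding the role's yum/dnf command line.
- name: Install the patch set
  ansible.builtin.shell: "{{ rhel_patch_update_cmd }}"
  environment:
    LC_ALL: C                # English messages only, regardless of the host's locale
  register: yum_output
  # The shell module reports changed=true on every run (see the debug output above),
  # so derive "something was installed" from the output instead. All items must hold.
  changed_when:
    - (yum_output.stdout_lines | last | default('')) == 'Complete!'
    - "'Nothing to do.' not in yum_output.stdout_lines"                          # RHEL 8/9 dnf, already patched
    - "'No Packages marked for minimal Update' not in yum_output.stdout_lines"   # RHEL 7 yum, already patched

- name: Reboot host only if the update run actually installed packages
  ansible.builtin.reboot:
    msg: "Ansible updates triggered"
  when: yum_output is changed
```

The RHEL 7 check is redundant with the last-line test (an already patched RHEL 7 host never prints "Complete!"), but keeping it explicit documents the second output shape shown in this issue. Registering a debug task between the two still shows changed=true/false per host, which makes the condition easy to verify on a RHEL 9 host as well.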

Deps for needs-restarting

I would like to use this issue to follow up on a comment from @Klaas-:

you can use needs-restarting, but it uses shell/command

- name: check if reboot is needed
  shell: "{{ needs_restarting_command[ansible_distribution_major_version | int] }}"
  failed_when: False
  register: needs_restarting
  changed_when: False

definition of the var

needs_restarting_command:
  7: /usr/bin/needs-restarting -r
  8: /usr/bin/dnf needs-restarting -r

usage in the reboot task:
when: needs_restarting.rc is defined and needs_restarting.rc != 0

on rhel7 deps are yum-utils, on rhel8 python3-dnf-plugins-core

Originally posted by @Klaas- in #12 (comment)

@Klaas- Can you confirm the following? While python3-dnf-plugins-core seems to be included in the minimal install environment of RHEL 8, providing /usr/bin/dnf needs-restarting -r, you have to install yum-utils on a RHEL 7 minimal install to be able to use the command, right?

RFE: Attach current overview of hosts in patch phases to the email that announces the next patch set

  • Add a new variable to variables.txt.example that will contain the overview of the patch phases defined in hosts.example
  • Add the script get_rhel_patch_groups.py to this project
  • Define a new function in create_vars.sh that will use get_rhel_patch_groups.py to write the current overview of patch phases to the file defined in variables.txt.example
  • Extend the function send_mail() to attach the file created in the previous task

Enhance create_vars.sh to gather advisories for multiple RHEL versions

Description

Today, only advisories available on the host this role is running on are considered when creating a patch set. For example, if you run this role on a RHEL 7 host, advisories for RHEL 8 won't be fetched unless they have the same advisory number as the RHEL 7 advisories.

Solution

I'm going to enhance this role so that it can gather advisories from remote hosts with different RHEL versions in order to create a patch set that fits all RHEL versions in use.

Necessary steps are:

  1. Collect advisory lists from the local host and remote hosts
  2. Establish one BASELINE that contains all advisories
  3. From this baseline create a CURRENT_PATCH_SET

Test this role for AlmaLinux and Rocky Linux

I've seen that AlmaLinux and Rocky Linux are providing errata information in their RPM repos just like RHEL does, i.e. RHSA, ALSA, or RLSA. Since this role uses this errata information to create patch sets it should work for these distributions as well.

In case someone is using AlmaLinux and/or Rocky Linux, I would appreciate it if you could take the time to test this role in your environment and leave me some feedback here.

Use needs-restarting to check whether a restart is required or not

In the current version a system is going to be rebooted in case any package was updated. The program needs-restarting -r from the package yum-utils could be used to check whether a restart is required or not.

Pros:

  • May prevent unnecessary restarts

Cons:

  • Package yum-utils is not installed in a RHEL minimal installation and has to be installed first
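An added example serving both this issue and "Deps for needs-restarting" above; it is not code from the role or from @Klaas-. It installs the package that provides needs-restarting for the host's major version, runs it, and reboots only on exit code 1. The RHEL 9 entries assume the same dnf plugin package as RHEL 8; the mapping is kept in a task-level dict so a further version is one line:

```yaml
# Added example, not code from ansible-role-rhel-patchmanagement. Meant to run after the
# role's update task. needs-restarting -r exits 0 when no reboot is required and 1 when
# one is; any other exit code is treated as a real failure rather than as "reboot".
- name: Reboot only when needs-restarting says so
  vars:
    needs_restarting_pkg:
      "7": yum-utils
      "8": python3-dnf-plugins-core
      "9": python3-dnf-plugins-core      # assumption: same plugin package as on RHEL 8
    needs_restarting_cmd:
      "7": /usr/bin/needs-restarting -r
      "8": /usr/bin/dnf needs-restarting -r
      "9": /usr/bin/dnf needs-restarting -r
  block:
    - name: Make sure needs-restarting is available on this major version
      ansible.builtin.package:
        name: "{{ needs_restarting_pkg[ansible_facts['distribution_major_version']] }}"
        state: present

    - name: Ask needs-restarting whether a reboot is required
      ansible.builtin.command: "{{ needs_restarting_cmd[ansible_facts['distribution_major_version']] }}"
      register: needs_restarting
      changed_when: false
      failed_when: needs_restarting.rc not in [0, 1]

    - name: Reboot host because a running process still uses an updated kernel or library
      ansible.builtin.reboot:
        msg: "Ansible updates triggered"
      when: needs_restarting.rc == 1
```

Compared with "reboot whenever anything was installed", this skips the reboot after a pure userspace update whose daemons were restarted by their own %post scripts, and it still reboots after a kernel or glibc update even if the yum/dnf output was not captured. Limiting failed_when to unexpected exit codes keeps a missing binary or a broken plugin visible instead of being swallowed by failed_when: False.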

How are the variables being managed?

Hi Joerg,

I would like to know how are you managing the variables? In other words, how are you getting the ids of the security errata? I see that you are setting a_2016_09_27: RHSA-2016:1940. How are you gathering that information?

Also, this role looks nice. I may poke in at some time to ask some more questions.

Cheers
