tronde / ansible-role-rhel-patchmanagement
Use Ansible and some custom scripts to deploy advisories and patches to RHEL servers.
License: MIT License
In tasks/main.yml the following code is used to reboot hosts that have installed any kind of update:

    - name: Reboot Host if packages were updated
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true
      when: ("Complete!" in yum_output.stdout_lines[-1]) or
            ("Komplett!" in yum_output.stdout_lines[-1])

Instead of the shell module, the Ansible reboot module could be used here.
I don't know yet when I'll be able to implement and test this RFE. In case anyone would like to do this, you are welcome to contribute.
One of my colleagues suggests automatically creating a bash script that could install the current patch set. This script would be placed on the target nodes. The system owner of the particular machine could then use this script to install the patch set at a time that suits him.
I've not decided yet whether to build such a script. I'll use this issue to write down the todos, the pros and the cons. After that I'll make up my mind and decide whether to build such a feature or not.
Pros:
Cons:
I'll leave this issue open for a while. Feel free to comment to give me your opinion on this topic, or just give it a thumbs up if you would like such a script or a thumbs down if you don't.
From the current pros and cons I would not build this script, but I have not made a final decision yet.
To determine whether a host needs to be rebooted or not, the output of the yum/dnf command is checked as follows:

    - name: Reboot Host if packages were updated
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true
      when: ("Complete!" in yum_output.stdout_lines[-1]) or
            ("Komplett!" in yum_output.stdout_lines[-1])

But the strings "Complete!" or "Komplett!" also occur in RHEL 8 output when there is nothing to do, as shown in the following debug output:
    TASK [rhel-patchmanagement : debug] ********************************************
    ok: [rhel8.example.com] => {
        "yum_output": {
            "changed": true,
            [...]
            "stderr": "",
            "stderr_lines": [],
            "stdout": "Updating Subscription Management repositories.\nLast metadata expiration check: 3:19:20 ago on Wed 29 Dec 2021 01:01:03 AM CET.\nDependencies resolved.\nNothing to do.\nComplete!",
            "stdout_lines": [
                "Updating Subscription Management repositories.",
                "Last metadata expiration check: 3:19:20 ago on Wed 29 Dec 2021 01:01:03 AM CET.",
                "Dependencies resolved.",
                "Nothing to do.",
                "Complete!"
            ],
        }
    }
An already patched RHEL 7 host shows:

    ok: [rhel7.example.com] => {
        "yum_output": {
            [...]
            "stderr": "",
            "stderr_lines": [],
            "stdout": "Loaded plugins: product-id, search-disabled-repos, subscription-manager\nNo Packages marked for minimal Update",
            "stdout_lines": [
                "Loaded plugins: product-id, search-disabled-repos, subscription-manager",
                "No Packages marked for minimal Update"
            ],
        }
    }
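The two decisions side by side, as an added example that is not part of the role: the role's current `when:` condition (the same one quoted in the reboot-module issue above) next to a stricter check that also rejects the "Nothing to do." and "No Packages marked for ... Update" transcripts. The first two sample transcripts are the RHEL 8 and RHEL 7 debug outputs quoted above; the third is a constructed, abridged dnf transcript with a placeholder package name.

```python
"""Decide from yum/dnf output whether packages were really updated.

Added example; this is not code from the ansible-role-rhel-patchmanagement
role. The two "nothing to do" transcripts are the RHEL 8 and RHEL 7 debug
outputs quoted in the issue; the "updated" transcript is constructed.
"""

RHEL8_NOTHING_TO_DO = [
    "Updating Subscription Management repositories.",
    "Last metadata expiration check: 3:19:20 ago on Wed 29 Dec 2021 01:01:03 AM CET.",
    "Dependencies resolved.",
    "Nothing to do.",
    "Complete!",
]

RHEL7_NOTHING_TO_DO = [
    "Loaded plugins: product-id, search-disabled-repos, subscription-manager",
    "No Packages marked for minimal Update",
]

# Constructed: abridged dnf output after a real upgrade transaction.
RHEL8_UPDATED = [
    "Updating Subscription Management repositories.",
    "Dependencies resolved.",
    "Running transaction",
    "  Upgrading        : examplepkg-1.0-2.el8.x86_64        1/2",
    "  Cleanup          : examplepkg-1.0-1.el8.x86_64        2/2",
    "",
    "Upgraded:",
    "  examplepkg-1.0-2.el8.x86_64",
    "",
    "Complete!",
]

# Lines yum/dnf print when the transaction was a no-op.
NO_OP_MARKERS = ("Nothing to do.", "No Packages marked for", "No packages marked for")

# Headings of the summary block that yum (RHEL 7) and dnf (RHEL 8) print
# only when a transaction actually ran.
SUMMARY_HEADINGS = ("Installed:", "Updated:", "Upgraded:",
                    "Dependency Installed:", "Dependency Updated:")


def role_reboot_condition(stdout_lines):
    """The role's current `when:` test: is the last line 'Complete!' or 'Komplett!'?"""
    if not stdout_lines:
        return False
    last = stdout_lines[-1]
    return "Complete!" in last or "Komplett!" in last


def packages_were_updated(stdout_lines):
    """Stricter test: final 'Complete!', no no-op marker, and a transaction
    summary block. Matches the English output only, so run yum/dnf with
    LC_ALL=C or extend the marker tuples with the localized strings."""
    if not role_reboot_condition(stdout_lines):
        return False
    if any(marker in line for line in stdout_lines for marker in NO_OP_MARKERS):
        return False
    return any(line.startswith(SUMMARY_HEADINGS) for line in stdout_lines)


if __name__ == "__main__":
    for name, lines in [("RHEL 8, nothing to do", RHEL8_NOTHING_TO_DO),
                        ("RHEL 7, nothing to do", RHEL7_NOTHING_TO_DO),
                        ("RHEL 8, packages upgraded", RHEL8_UPDATED)]:
        print(f"{name}: role condition={role_reboot_condition(lines)} "
              f"updated={packages_were_updated(lines)}")
```

Running the script shows the false positive the issue describes: the RHEL 8 "Nothing to do." transcript satisfies the role's condition and would trigger a reboot, while the stricter check only fires for the transcript that contains an "Upgraded:" summary.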
I would like to open this issue as a follow-up on a comment from @Klaas-:

you can use needs-restarting, but it uses shell/command

    - name: check if reboot is needed
      shell: "{{ needs_restarting_command[ansible_distribution_major_version | int] }}"
      failed_when: False
      register: needs_restarting
      changed_when: False

definition of the var

    needs_restarting_command:
      7: /usr/bin/needs-restarting -r
      8: /usr/bin/dnf needs-restarting -r

usage in the reboot task:

    when: needs_restarting.rc is defined and needs_restarting.rc != 0

on rhel7 deps are yum-utils, on rhel8 python3-dnf-plugins-core

Originally posted by @Klaas- in #12 (comment)
@Klaas- Can you confirm the following? While python3-dnf-plugins-core seems to be included in the minimal install environment of RHEL 8, providing /usr/bin/dnf needs-restarting -r, you have to install yum-utils on RHEL 7 based on a minimal install environment to be able to use the command, right?
    - variables.txt.example that will contain the overview of the patch phases defined in hosts.example
    - Add get_rhel_patch_groups.py to this project
    - create_vars.sh that will use get_rhel_patch_groups.py to write the current overview of patch phases to the file defined in variables.txt.example
    - send_mail() to attach the file created in the previous task

Today, only advisories available on the host this role is running on are considered when creating a patch set. For example, if you run this role on a RHEL 7 host, advisories for RHEL 8 won't be fetched unless they have the same advisory number as the RHEL 7 advisories.
I'm going to enhance this role so that it can gather advisories from remote hosts with different RHEL versions, in order to create a patch set that fits all RHEL versions in use.
Necessary steps are:
I've seen that AlmaLinux and Rocky Linux provide errata information in their RPM repos just like RHEL does, i.e. ALSA or RLSA advisories alongside RHSA. Since this role uses this errata information to create patch sets, it should work for these distributions as well.
In case someone is using AlmaLinux and/or Rocky Linux, I would appreciate it if you could take the time to test this role in your environment and leave me some feedback here.
In the current version a system is going to be rebooted in case any package was updated. The program needs-restarting -r from the package yum-utils could be used to check whether a restart is required or not.
Pros:
Cons:
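How a needs-restarting based decision can be wired up, as an added example that is neither the role's code nor @Klaas-'s snippet. It serves both this issue and the follow-up thread quoted above: it assumes the per-version commands from the quoted needs_restarting_command variable and the documented exit status of `needs-restarting -r` (0 when no reboot is required, 1 when one is). The point it adds is the edge case the quoted `rc != 0` condition misses: with `failed_when: False`, a missing binary (exit status 127 on RHEL 7 without yum-utils) also yields a non-zero rc and would trigger a reboot, so the example treats every status other than 0 or 1 as "unknown". The `fake_runner` helper is constructed so the logic runs without the tool installed.

```python
"""Reboot decision driven by needs-restarting, with the exit status
interpreted explicitly.

Added example; not code from the role or from @Klaas-'s comment. It assumes
the per-version commands from the quoted needs_restarting_command variable
and the documented exit codes of `needs-restarting -r`: 0 when no reboot is
required, 1 when one is. Any other status (e.g. 127 when the binary is not
installed) is reported as "unknown" instead of being taken as a reboot
request, which is what a plain `rc != 0` test would do.
"""
import subprocess

# Same mapping as the quoted needs_restarting_command variable.
NEEDS_RESTARTING_COMMAND = {
    7: ["/usr/bin/needs-restarting", "-r"],          # package yum-utils
    8: ["/usr/bin/dnf", "needs-restarting", "-r"],   # package python3-dnf-plugins-core
}


def command_for(major_version):
    """Pick the command for ansible_distribution_major_version; ValueError if unknown."""
    try:
        return NEEDS_RESTARTING_COMMAND[int(major_version)]
    except (KeyError, ValueError, TypeError):
        raise ValueError(f"no needs-restarting command for major version {major_version!r}")


def interpret_exit_status(rc):
    """0 -> 'no-reboot', 1 -> 'reboot', anything else -> 'unknown'."""
    if rc == 0:
        return "no-reboot"
    if rc == 1:
        return "reboot"
    return "unknown"


def role_when_condition(rc):
    """The condition from the quoted comment: `needs_restarting.rc != 0`.
    It cannot tell a pending reboot from a missing binary."""
    return rc is not None and rc != 0


def reboot_required(major_version, run=subprocess.run):
    """True/False when needs-restarting gave a usable answer, None otherwise.
    `run` is injectable so the decision logic can be exercised without the tool."""
    argv = command_for(major_version)
    try:
        proc = run(argv, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    state = interpret_exit_status(proc.returncode)
    return None if state == "unknown" else state == "reboot"


def fake_runner(rc):
    """Constructed stand-in for subprocess.run that returns the given exit status."""
    def run(argv, **kwargs):
        return subprocess.CompletedProcess(argv, rc)
    return run


if __name__ == "__main__":
    for rc in (0, 1, 127):
        print(f"rc={rc}: role condition={role_when_condition(rc)} "
              f"strict decision={reboot_required(8, run=fake_runner(rc))}")
```

In a playbook the equivalent is to keep `failed_when: False` but test `needs_restarting.rc == 1` in the reboot task's `when:`, and to fail or report separately when the rc is anything else, so a host that is merely missing yum-utils is not rebooted by accident.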
Hi Joerg,
I would like to know how you are managing the variables? In other words, how are you getting the IDs of the security errata? I see that you are setting a_2016_09_27: RHSA-2016:1940. How are you gathering that information?
Also, this role looks nice. I may poke in at some time to ask some more questions.
Cheers