Tronde.ansible_role_rhel_patchmanagement

RHEL-Patchmanagement

Patch Management for Red Hat Enterprise Linux Server.

Use Case

We set up RHEL Servers in our departments to run their applications.

This role was created to automatically install Red Hat Advisories on target servers once a month. The System Administrator can select which Advisories to install, such as RHSA, RHBA, and/or RHEA.

In our specific case, we only install RHSA to maintain a basic level of security. The installation happens once a month, and the advisories are grouped into "Patch-Sets" to ensure consistency across all stages of the patch process.

In Ansible, the servers are organized into these groups to schedule patch installations:

  • [rhel-patch-phase1] - on the second Tuesday of the month
  • [rhel-patch-phase2] - on the third Tuesday of the month
  • [rhel-patch-phase3] - on the fourth Tuesday of the month
  • [rhel-patch-phase4] - on the fourth Wednesday of the month

If packages are updated on a server, that server is restarted afterward.

Since our production systems are crucial, they are divided into two separate groups (phase3 and phase4) to lower the risk of failure and downtime during advisory installation.

You can choose which servers to assign to each phase and different days for patch cycles. Feel free to customize the role as needed.

A Bash script is used to run the playbook for Patch Management on the scheduled date.

Once set up, the RHEL Patch Management operates automatically. You can use the issue tracker for questions about the role and to report any bugs.

How to Get Advisory Information?

To gather advisory information and create a patch set in vars/main.yml, run the script create_vars.sh.

For additional information on advisories, you can subscribe to Red Hat Advisory Notifications via the Customer Portal or use the command yum updateinfo list all to check for advisory information.

Role Variables

The role variables in vars/main.yml are automatically set by the create_vars.sh script, which runs through cron.

Example Playbook

Here’s an example of how to use this role:


    - hosts: all
      tasks:
        - name: Group by OS
          group_by: key=os_{{ ansible_distribution }}
          changed_when: False

    - hosts: os_RedHat
      roles:
        - rhel_patchmanagement

How to Use This Role

The following instructions are tailored for the use case mentioned above. You may need to adjust a few things for your specific requirements. Ensure you've cloned the repository or downloaded the needed files. Then, follow these steps to set up RHEL Patch Management:

  1. Edit run_rhel_patch_mgmt.sh and add the ssh-private-key for connecting to your servers.
  2. Create a cron job to run run_rhel_patch_mgmt.sh every Tuesday and Wednesday at your preferred time. This script triggers the Ansible playbook as described above.
  3. You may need to edit patch_rhel.yml to suit your needs. By default, it runs on all Red Hat hosts in the rhel-patch-phaseX groups.
  4. Rename variables.txt.example to variables.txt and update it for your environment.
  5. Edit create_vars.sh to set the absolute path for the variables.txt file.
  6. Rename variables.py.example to variables.py and provide the absolute path to your Ansible inventory file.
  7. By default, create_vars.sh runs on the first Tuesday of the month to generate a new vars/main.yml file with the current patch set and a mail_text.txt file.
  8. You can use the send_mail function to automatically notify a specific email address. This function is enabled by default.
  9. Optional: Use mail_text.txt content to inform your users about the advisories that will be installed.
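
Because cron starts the script every Tuesday and Wednesday, something has to decide which phase group, if any, is due on a given day. The following is an added example, not the role's own run_rhel_patch_mgmt.sh: the group names and patch_rhel.yml come from this README, while the function names and the use of `--limit` are assumptions.

```bash
#!/usr/bin/env bash
# Added example: map a calendar date to the patch phase from the schedule above.
# Function names and the --limit dry-run line are assumptions of this example.

# nth_weekday DAY_OF_MONTH -> which occurrence of its weekday that day is (1-5)
nth_weekday() {
    echo $(( ($1 - 1) / 7 + 1 ))
}

# phase_for DAY_OF_MONTH ISO_WEEKDAY (1=Mon .. 7=Sun) -> group name, or nothing
phase_for() {
    local dom=$1 dow=$2 nth
    nth=$(nth_weekday "$dom")
    case "${dow}:${nth}" in
        2:2) echo "rhel-patch-phase1" ;;   # second Tuesday
        2:3) echo "rhel-patch-phase2" ;;   # third Tuesday
        2:4) echo "rhel-patch-phase3" ;;   # fourth Tuesday
        3:4) echo "rhel-patch-phase4" ;;   # fourth Wednesday
        *)   : ;;                          # first/fifth Tue or Wed, any other day
    esac
}

# phase_for_date YYYY-MM-DD -> group name, or nothing (needs GNU date, as on RHEL)
phase_for_date() {
    local dom dow
    dom=$(date -d "$1" +%d) || return 1
    dow=$(date -d "$1" +%u) || return 1
    dom=${dom#0}                           # "08" would be read as invalid octal
    phase_for "$dom" "$dow"
}

# Dry run: print the command that would be due instead of executing it.
main() {
    local group
    group=$(phase_for_date "${1:-$(date +%F)}") || return 1
    if [ -z "$group" ]; then
        echo "no patch phase scheduled"
    else
        echo "ansible-playbook patch_rhel.yml --limit $group"
    fi
}

main "$@"
```

In a month that begins on a Wednesday (May 2024, for example) the fourth Wednesday falls before the fourth Tuesday, so under a literal reading of the schedule phase4 is due before phase3.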

License

MIT

Author Information

  • Original: Joerg Kastning <joerg(dot)kastning(at)uni-bielefeld(dot)de>

Install

    ansible-galaxy install Tronde.ansible_role_rhel_patchmanagement