alemorvan.patchmanagement

Patch Management

A system update is usually more than just running yum update -y. patchmanagement is an Ansible role designed to help you easily handle the update process and related tasks for servers running RedHat, CentOS, Debian, or Ubuntu.

With patch management, you can:

  • Put the target server in maintenance mode
  • Send notifications at the start or end of the update
  • Respond to failures
  • And more!

This role simplifies your work.

Remember, you should never log into a server to perform updates directly.

Requirements

No specific requirements.

Features

  • Record system information like IP address, running processes, and mount points (for troubleshooting—don't skip this!).
  • Execute custom tasks across all servers (see pm_before_update_tasks_file variable).
  • Execute custom tasks for the target server (check the playbook example section).

Main Goals

  • Update the server using apt or yum.

Then:

  • Set Ansible facts with the current date and an optional environment variable.
  • Execute custom tasks for the target server.
  • Execute custom tasks for all servers (see pm_after_update_tasks_file variable).

Role Variables

  • pm_restart_after_update: default true
    • Whether the target restarts after the update so that the newly installed kernel is the one actually running. Doing this regularly is recommended.
  • pm_logpath: default /etc/ansible/facts.d/PM.log
    • Where the results of successful or failed updates are logged.
  • pm_date_format: default "{{ ansible_date_time.date }}-{{ ansible_date_time.time }}"
    • Date format used in logs and facts.
  • pm_fact_name: default pm
    • Name of the fact being recorded.
  • pm_set_env_variable: default true
    • Whether to create an environment variable holding the date of the last patch management run.
  • pm_env_file_path: default /etc/profile.d/last_pm_date.sh
    • Path of the profile script that sets that environment variable.
  • pm_manage_yum_clean_all: default true
    • Cleans the YUM caches before updating. Set to false if you have already downloaded the RPMs.
  • pm_manage_apt_clean: default true
    • Cleans the APT caches before updating.
  • pm_manage_apt_autoremove: default true
    • Automatically removes deb packages that are no longer needed.
  • pm_apt_verbose_package_list: default false
    • Outputs the list of packages reported by APT.
  • pm_before_update_tasks_file:
    • Path to a file such as custom_tasks/pm_before_update_tasks_file.yml containing custom tasks to run before the update starts.
  • pm_after_update_tasks_file:
    • Path to a file such as custom_tasks/pm_after_update_tasks_file.yml containing custom tasks to run after the update.

Example Playbook

Creating a playbook is quite straightforward:

- name: Start a Patch Management
  hosts: servers
  vars:
    pm_before_update_tasks_file: custom_tasks/pm_before_update_tasks_file.yml
    pm_after_update_tasks_file: custom_tasks/pm_after_update_tasks_file.yml
  tasks:
    - name: "Include patchmanagement"
      include_role:
        name: "alemorvan.patchmanagement"

You can also create separate task files for individual servers to execute actions before and after upgrades, such as removing nodes from a load balancer or flushing caches.

For each server, create files named before_pm_{{ inventory_hostname_short }}_custom_tasks.yml and after_pm_{{ inventory_hostname_short }}_custom_tasks.yml in the custom_tasks directory.

- name: Run a custom task for this server defined in after_pm_{{ inventory_hostname_short }}_custom_tasks.yml
  debug:
    msg: "This is a custom task defined in after_pm_{{ inventory_hostname_short }}_custom_tasks.yml file"
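As an added example that is not part of the role's own repository, the following playbook combines the pieces described above: the role variables, the global before/after task files, one host at a time via serial, and a block/rescue so that a failed update is reported rather than silently skipped. The notification hook URL and the serial value are assumptions for illustration.

```yaml
# Added example playbook (not from the alemorvan.patchmanagement repository).
# Assumed: a JSON notification endpoint at notify_url (placeholder) and
# the custom_tasks/ files referenced in the README.
- name: Patch management with notifications and failure handling
  hosts: servers
  serial: 1                      # one server at a time so a bad update never hits the whole pool
  vars:
    pm_restart_after_update: true
    pm_logpath: /etc/ansible/facts.d/PM.log
    pm_set_env_variable: true
    pm_env_file_path: /etc/profile.d/last_pm_date.sh
    pm_before_update_tasks_file: custom_tasks/pm_before_update_tasks_file.yml
    pm_after_update_tasks_file: custom_tasks/pm_after_update_tasks_file.yml
    notify_url: "https://notify.example.invalid/hook"   # placeholder, replace with your endpoint
  tasks:
    - name: Update this server, reporting the outcome either way
      block:
        - name: Notify that the update is starting
          ansible.builtin.uri:
            url: "{{ notify_url }}"
            method: POST
            body_format: json
            body:
              host: "{{ inventory_hostname }}"
              status: "starting"
          delegate_to: localhost

        - name: Include patchmanagement
          ansible.builtin.include_role:
            name: alemorvan.patchmanagement

      rescue:
        - name: Notify that the update failed
          ansible.builtin.uri:
            url: "{{ notify_url }}"
            method: POST
            body_format: json
            body:
              host: "{{ inventory_hostname }}"
              status: "failed"
          delegate_to: localhost

        - name: Mark the host as failed so the play summary shows it
          ansible.builtin.fail:
            msg: "Patch management failed on {{ inventory_hostname }}; see {{ pm_logpath }} on the host"
```

Because of serial: 1, a failure on one host stops the rollout before the next host is touched, and the rescue section still runs so the failure is recorded.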

Molecule Testing

You can test this role using Molecule and Docker:

$ molecule test

Refer to molecule/default/converge.yml for a good illustration of how to use this role.

License

MIT

Author Information

This role was originally created by Antoine Le Morvan for Vivalto Sante, building on the work of Nicolas Martin and the Ansible Team at Claranet France / BU RMP (Ismaël Ouattara and EliE Deloumeau).

Project information

Ansible role to manage patch management on Linux for large infrastructures, with custom tasks per server or for all servers.

Install
ansible-galaxy install alemorvan.patchmanagement
License
mit