ryandaniels.server_update_reboot

ansible-role-server-update-reboot

This Ansible role is used to update the server with the latest packages, reboot it, and wait for it to start again. You can add more roles afterward to keep installing and configuring the server. It allows you to exclude certain packages from the update, update only specific packages, or install specific packages. It works with Redhat/CentOS and Ubuntu.

You can use it to update packages for Meltdown/Spectre Mitigation on Redhat/CentOS 7 and Ubuntu 16.04.

For a more detailed example, check the blog post: Using Ansible to Update Ubuntu, CentOS, and Redhat.

Requires: Ansible version 2.7.1 (this version fixes an issue with rebooting).

Note: This role may reboot the server if there is a kernel update and the reboot variable is set to true (which is the default).

Tested Systems

  • Ubuntu 18.04 / 16.04
  • CentOS & RHEL 7.x

Group Variables

With a proxy:

proxy_env:
  http_proxy: http://my.internal.proxy:80
  https_proxy: https://my.internal.proxy:80

Without a proxy:

proxy_env: []

Default Settings

  • debug_enabled_default: true|false (default false)
  • update_default: true|false (default true)
  • reboot_default: true|false (default true)
  • server_update_reboot_pre_delay: Time (in seconds) to wait before running tasks
  • server_update_reboot_pre_reboot_delay: Time (in seconds) to wait before rebooting
  • server_update_reboot_post_reboot_delay: Time (in seconds) to wait after rebooting
  • server_update_reboot_reboot_timeout: Maximum time (in seconds) to wait for server to reboot

For RHEL/CentOS:

  • server_update_yum_exclude_pkgs: List of packages to exclude from updates (default [])
  • server_update_yum_install_pkgs: List of packages to ONLY update (default '*' means all packages)

For Ubuntu:

  • server_update_apt_exclude_default: true|false (default false)
  • server_update_apt_exclude_pkgs: List of packages not to update (default undefined)
  • server_update_apt_default: full|update_specific|install (default full)
    • full: update all packages
    • update_specific: only update packages in server_update_apt_install_pkgs
    • install: only install packages in server_update_apt_install_pkgs
  • server_update_apt_install_pkgs: List of packages to ONLY update or install (default undefined)

Example Playbook: server-update-reboot.yml

The example below will update/reboot one server at a time. If you want to update/reboot all servers at once, uncomment those lines.

---
- hosts: '{{inventory}}'
  max_fail_percentage: 0
  serial: 1
  become: yes
  roles:
#  - stop-applications
  - server-update-reboot
#  - server-config-xyz
#  - start-applications

Preparation

  • Install Ansible
  • Create SSH keys
  • SSH to the client server to add it to the known_hosts file
  • Configure the client's authorized_keys
  • Run Ansible commands

Usage

For Redhat/CentOS/Ubuntu

To update, reboot the server, and wait for it to start up:

ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev" -i hosts-dev

To update without rebooting:

ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev reboot_default=false" -i hosts-dev

For Redhat/CentOS

To update all packages except specified ones:

ansible-playbook server-update-reboot.yml --extra-vars 'inventory=centos-dev server_update_yum_exclude_pkgs="mysql*, bash, openssh*"' -i hosts-dev

To only update (or install) specific packages:

ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev

For Ubuntu

To update all packages except specified ones:

ansible-playbook server-update-reboot.yml --extra-vars 'inventory=ubuntu-dev server_update_apt_exclude_default=true' --extra-vars '{"server_update_apt_exclude_pkgs": [bash, openssl, ^mysql*, ^openssh*]}' -i hosts-dev

To only update specific packages:

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode, openssh*]}" -i hosts-dev

To only install specific packages:

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=install" --extra-vars "{'server_update_apt_install_pkgs': [bash, openssh-server]}" -i hosts-dev

Spectre/Meltdown Mitigation

To patch Redhat/CentOS 7 and Ubuntu 16.04 for Spectre and Meltdown vulnerabilities:

For Redhat/CentOS 7

ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev

For Ubuntu 16.04

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode]}" -i hosts-dev
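
A post-update check for the patch runs above, added here as an example and not part of this role: it reads the kernel's own status files under /sys/devices/system/cpu/vulnerabilities (present only on kernels that carry the fixes) and flags every entry still reported as Vulnerable. The function names and the sample directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the role): verify what the running kernel
# reports after the update and reboot.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# list_unmitigated [DIR]
# Print "<name>: <status>" for each entry whose status starts with
# "Vulnerable". Returns 2 if the directory does not exist.
list_unmitigated() {
    dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$dir" ]; then
        echo "no report at $dir (kernel without the sysfs interface?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            # Matches "Vulnerable" and "Vulnerable: <detail>"
            Vulnerable*) printf '%s: %s\n' "$(basename "$f")" "$status" ;;
        esac
    done
    return 0
}

# check_mitigated [DIR]
# 0 = nothing reported Vulnerable, 1 = at least one entry is, 2 = no report.
check_mitigated() {
    out=$(list_unmitigated "$1") || return 2
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sample tree (not from a real host): Meltdown mitigated,
# Spectre v2 still open. Status strings follow the kernel's wording.
demo=$(mktemp -d)
printf 'Mitigation: PTI\n' > "$demo/meltdown"
printf 'Vulnerable\n' > "$demo/spectre_v2"
list_unmitigated "$demo"
rm -rf "$demo"
```

On a patched host, call check_mitigated with no argument after the reboot; a non-zero exit status means the update did not take effect or the kernel exposes no report.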

Notes

RHEL5

For RHEL/CentOS 5, install the dependency python-simplejson:

ansible centos5 -m raw -a "yum install -y python-simplejson" --become --ask-pass --become-method=su --ask-become-pass --extra-vars="ansible_ssh_user=username123" -i hosts-dev

SELinux

If SELinux is enabled, you might need the dependency libselinux-python:

ansible centos5 -m raw -a "yum install -y libselinux-python" --become --ask-pass --become-method=su --ask-become-pass --extra-vars="ansible_ssh_user=username123" -i hosts-dev

Project information

Role to update packages on Linux and optionally reboot

Install
ansible-galaxy install ryandaniels.server_update_reboot
License
MIT
Downloads
15.9k
Owner
Ansible all the things