diff options
author | mail_redacted_for_web | 2024-05-05 14:46:51 +0200 |
---|---|---|
committer | mail_redacted_for_web | 2024-05-05 14:46:51 +0200 |
commit | 4f0b5cb177f98c7f1d80504f94eeba94f721d2de (patch) | |
tree | 0cc13128f0ac6301c969a328908b74eb3f003344 /roles/patch_redhat | |
download | os-patch-4f0b5cb177f98c7f1d80504f94eeba94f721d2de.tar.bz2 |
This is a ported collection of my patch playbooks + roles. Before,
they were living inside an "all things ansible" repository. The
history is not important as shortly before porting, the code
had been revamped (before, it employed changes for host selection
which worked but changes are not intended for that).
Diffstat (limited to 'roles/patch_redhat')
-rw-r--r-- | roles/patch_redhat/tasks/main.yaml | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml new file mode 100644 index 0000000..7f200e7 --- /dev/null +++ b/roles/patch_redhat/tasks/main.yaml @@ -0,0 +1,91 @@ +--- +- name: "Check whether OS is a Red Hat derivative" + ansible.builtin.assert: + that: + - ansible_distribution_file_variety == 'RedHat' + no_log: true +- name: Update yum/dnf cache + # We want to see a dedicated failure if the repos cannot be fetched already. + # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs - + # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with + # updated cache :-) + ansible.builtin.yum: + state: present + update_cache: "yes" + validate_certs: "yes" + become: true +- name: Check for upgrades (RHEL) + # yum check-upgrade would normally throw an RC 100 if updates are available. + # But through ansible: RC0! Weeeee + ansible.builtin.shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l + # args: + # warn: false + register: yue + changed_when: false + become: true +- block: + - name: Check for existence of rkhunter + ansible.builtin.stat: + path: /usr/bin/rkhunter + register: rkhex + - name: RKhunter pre-check + ansible.builtin.command: rkhunter -c --sk --rwo --ns + become: true + no_log: true + changed_when: false + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable + - name: Upgrade all installed packages (RHEL) + ansible.builtin.yum: + name: '*' + state: latest + validate_certs: "yes" + skip_broken: "yes" + become: true + # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible. + # See ansible issue #60349. Leaving commented out. -- pff + # - name: Auto-removal of orphaned dependencies (RHEL) + # ansible.builtin.yum: + # autoremove: "yes" + name: Updates and RKhunter checks + # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, + # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. + when: yue.stdout|int > 1 +- block: + - name: Register requirement for reboot (RHEL) + # "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete + # On major releases >= 9 you may want to create an alternative for symlinking yum to dnf + ansible.builtin.command: yum needs-restarting -r + register: nr + changed_when: false + failed_when: false + become: true + name: Check reboot requirement +- name: Clean packages cache (RHEL) + # ansible's yum module does not have a dedicated action for this. So shell it is. + # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf. + # Also, despite ansible's yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off. + #args: + # warn: false + ansible.builtin.command: yum clean packages + changed_when: true + become: true +- name: RKhunter properties update + ansible.builtin.command: rkhunter --propupd --rwo --ns + become: true + changed_when: true + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable +- name: Reboot if required + # ignore_errors: yes + ansible.builtin.reboot: + reboot_timeout: 300 + pre_reboot_delay: 5 + test_command: uptime + reboot_command: "/bin/systemctl reboot" + become: true + when: ( nr.rc is defined and nr.rc|int > 0 ) or ( nr.rc is not defined ) |