ansible-role-update's Introduction

Install updates on your system.

This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.update

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap

Also see a full explanation and example on how to use these roles.

The default values for the variables are set in defaults/main.yml:

---
# defaults file for update

# For APT (Debian/Ubuntu) only: remove unused dependency packages for all module states except `build-dep'
update_autoremove: false

# For APT (Debian/Ubuntu) only: apt_upgrade type which can be: dist, full, yes, or safe
update_upgrade_command: dist

# For APT (Debian/Ubuntu) only: update the apt cache if it's older than the cache_valid_time. Set in seconds.
update_cache_valid_time: 1

# When updating systems, a reboot may be required. Here you can select to:
# "yes": Always reboot when packages have changed.
# "no": Never reboot when packages have changed.
update_reboot: true

# You can exclude certain packages from being updated.
# Some Ansible modules do not support this option, so this variable works for only:
# - apt
# - dnf
# - yum
#
# Example:
# update_excluded_packages:
#   - kernel
update_excluded_packages: []

The following roles are used to prepare a system. You can prepare your system in another way.

Requirement GitHub GitLab
robertdebock.bootstrap Build Status GitHub Build Status GitLab

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles: dependencies

This role has been tested on these container images:

container tags
Alpine all
Amazon Candidate
EL 8, 9
Debian all
Fedora all
opensuse all
Ubuntu all

The minimum version of Ansible required is 2.12. The role has been tested against:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

Apache-2.0.

robertdebock

Please consider sponsoring me.

ansible-role-update's People

Contributors

ahnooie, leny1996, robert-de-bock, robertdebock

ansible-role-update's Issues

apt autoremove

It might be nice to set the autoremove parameter for apt. http://docs.ansible.com/ansible/latest/apt_module.html

On Ubuntu unless you run apt autoremove periodically the kernel updates will eventually fill up the /boot partition and you'll run out of space. I'm not sure if it's an issue with other distributions.

Assert.yml task fail on 2.3.6/master version

Describe the bug

I've updated the role version to 2.3.6 and the run fails when executing the task "test if update_autoremove is set correctly" in assert.yml.

I've downgraded to 2.3.5 and it is working again. Looking at the code, it seems this change is causing the issue:

- update_autoremove is boolean

Playbook

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

---
- name: Install updates
  hosts: localhost #all
  become: yes
  gather_facts: yes

  roles:
    - robertdebock.update

Output

Show at least the error, possible related output, maybe just all the output.

daniele@wls2:/home/wls2/ansible-updates # ansible-playbook playbook.yml -i localhost

PLAY [Install updates] ******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [robertdebock.update : include assert.yml] **********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
included: /root/.ansible/roles/robertdebock.update/tasks/assert.yml for localhost

TASK [robertdebock.update : test if update_autoremove is set correctly] **********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'update_autoremove is boolean' failed. The error was: template error while templating string: no test named 'boolean'. String: {% if update_autoremove is boolean %} True {% else %} False {% endif %}"}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Environment

  • Control node OS:
    The same problem happens when launching the task from AWX
cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
  • Control node Ansible version: [e.g. 2.9.1] (ansible --version)
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
  • Managed node OS: [e.g. CentOS 7] (cat /etc/os-release)
cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

Post upgrade reboot behavior options

Option to control post upgrade reboot behavior

What do you think about adding an option to control the reboot behavior? I can think of 3 options I would use:

  1. update_unattended_reboot = always (current behavior/default)
  2. update_unattended_reboot = never
  3. update_unattended_reboot = when_required

Option 3 might be a little tricky...

For Debian/Ubuntu /var/run/reboot-required is created whenever a reboot is needed: (could be implemented adding the "removes" option, something like the example below)

- name: reboot when required
  shell: (sleep "{{ update_reboot_delay }}" && shutdown -r now "ansible-role-update" &)
  args:
    # Run only when the flag file exists; Debian/Ubuntu create it when a reboot is needed.
    removes: /var/run/reboot-required
  async: 1
  poll: 0
  ignore_errors: yes
  changed_when: no
  when:
    - ansible_virtualization_type != "docker"
    - update_unattended_reboot == "when_required"

For Fedora/RedHat/CentOS I believe there's a needs-restarting command that can be installed.
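
The "when_required" option proposed above, sketched for both OS families as an added example (not code from the role or from the issue author). It assumes facts are gathered, that needs-restarting (yum-utils/dnf-utils) is installed on RedHat-family hosts, and that update_unattended_reboot is the variable name from the proposal; the register names are hypothetical.

```yaml
---
# Added example: reboot "always", "never" or "when_required".
# update_unattended_reboot comes from the proposal; reboot_flag and
# needs_restarting are hypothetical register names.

- name: Check for the Debian/Ubuntu reboot flag file
  ansible.builtin.stat:
    path: /var/run/reboot-required
  register: reboot_flag
  when: ansible_os_family == "Debian"

- name: Ask needs-restarting whether a reboot is required
  ansible.builtin.command: needs-restarting -r
  register: needs_restarting
  changed_when: false
  # needs-restarting -r exits 0 when no reboot is needed and 1 when one is;
  # any other exit code is a real error.
  failed_when: needs_restarting.rc not in [0, 1]
  when: ansible_os_family == "RedHat"

- name: Reboot according to update_unattended_reboot
  ansible.builtin.reboot:
    msg: "ansible-role-update"
  when:
    - ansible_virtualization_type != "docker"
    # "never" (or any unexpected value) falls through without a reboot.
    - update_unattended_reboot in ["always", "when_required"]
    # A skipped check leaves .stat / .rc undefined, so each branch tests
    # "is defined" before reading the value.
    - >-
      update_unattended_reboot == "always"
      or (reboot_flag.stat is defined and reboot_flag.stat.exists)
      or (needs_restarting.rc is defined and needs_restarting.rc == 1)
```

Hosts where neither check can run, such as other OS families or check mode, are not rebooted in "when_required" mode, so a pending kernel or libc update stays inactive there until someone reboots them.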

Reboot always executed, before upgrade and update_reboot = no

Describe the bug
While executing the playbook, a reboot is always initiated even if there is no reason.

To Reproduce
Steps to reproduce the behavior:

  1. Run this role:
  • playbook:
---
- name: Update system
  hosts: "{{inventory}}"
  gather_facts: yes
  vars_files:
    - "{{ inventory_dir }}/group_vars/update_package.yaml"
  roles:
    - robertdebock.update
    - systemli.needrestart
  • group_vars/update_package.yaml
# Update system related
---

## robertdebock
update_reboot: false
reboot_always: no
update_autoremove: yes
update_upgrade_command: safe

## systemli
needrestart_disable_email: 1
needrestart_action: a
needrestart_blacklist_rc:
  - mongodb-.*\.service
  - mariadb\.service
  - mysql\.service
  • Run
$ ansible-playbook update_system.yaml -i inventories/dev/hosts --extra-vars "inventory=devpc21" --limit "devpc21n-06"
  1. See error
PLAY [Update system] ***********************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************
ok: [devpc21n-06]

TASK [robertdebock.reboot : see if a reboot is required] ***********************************************************************************
skipping: [devpc21n-06]

TASK [robertdebock.reboot : reboot the machine] ********************************************************************************************
changed: [devpc21n-06]

RUNNING HANDLER [robertdebock.reboot : 1 wait for the start of reboot] *********************************************************************
Pausing for 4 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
ok: [devpc21n-06]

RUNNING HANDLER [robertdebock.reboot : 2 wait for the machine to be up] ********************************************************************
ok: [devpc21n-06]

RUNNING HANDLER [robertdebock.reboot : 3 gather facts after reboot] ************************************************************************
ok: [devpc21n-06]

The host reboots and then the update task runs. In case of a new kernel, libc etc. a 2nd reboot is required.

Expected behavior

  1. Don't reboot
  2. Update system

Error

  • More debug -vvv
META: ran handlers
Read vars_file '{{ inventory_dir }}/group_vars/update_package.yaml'

TASK [robertdebock.reboot : see if a reboot is required] *************************************************************************************************************************************************************************************
task path: /home/dfuchs/git/ansible-new/roles/robertdebock.reboot/tasks/main.yml:3
skipping: [devpc21n-06] => {
    "changed": false,
    "skip_reason": "Conditional result was False"
}
META: ran handlers
Read vars_file '{{ inventory_dir }}/group_vars/update_package.yaml'

TASK [robertdebock.reboot : reboot the machine] **********************************************************************************************************************************************************************************************
task path: /home/dfuchs/git/ansible-new/roles/robertdebock.reboot/tasks/main.yml:22
fatal: [devpc21n-06]: FAILED! => {
    "changed": false,
    "msg": "check mode and async cannot be used on same task."
}
...ignoring
META: ran handlers
Read vars_file '{{ inventory_dir }}/group_vars/update_package.yaml'

Environment

  • Control node OS: Fedora 30 Workstation
  • Control node Ansible version: 2.8
  • Managed node OS: Debian 9

Additional context
I want to let needrestart restart services and maybe the system.

update_kernel_reboot_only = yes

Is your feature request related to a problem? Please describe.
At the end of every month we have a bigger system upgrade on ~120 hosts. In most cases, we set update_reboot = yes and let the hosts reboot.
But we also have auto updates, via Rundeck every day, which execute the same playbook, with your great modules :-) But ... also with update_reboot = yes, which also reboots the hosts if only a PHP package or something like that was upgraded :-).

Describe the solution you'd like
It would be very cool if a new global variable existed, like update_kernel_reboot_only = yes, that does not reboot on a normal package update, but only if the kernel has changed. For that, we can ask robertdebock.reboot if we have a kernel change pending.

Describe alternatives you've considered
I would start with having two kinds of playbooks, one with reboot, one without. Also possible: adding the variable when calling the playbook (via Rundeck or shell), but then you have to instruct all people who are involved.

Additional context
Add any other context or screenshots about the feature request here.

Our playbooks for upgrades look like this one:

---
# Generic update System playbook

- name: Update system
  hosts: "{{inventory}}"
  serial: 1
  gather_facts: yes
  vars_files:
    - "{{inventory_dir}}/group_vars/update_package.yaml"
  tasks:
    - name: Update packages
      include_role:
        name: robertdebock.update
    - name: Execute puppet if installed
      include_role:
        name: puppet
    - name: Check for needrestart services
      include_role:
        name: systemli.needrestart
    - name: Execute puppet if installed
      include_role:
        name: puppet
    - name: Run Rkhunter if installed
      include_role:
        name: rkhunter

The (inventories/dev/)group_vars/update_package.yaml:

---
## robertdebock
update_autoremove: yes
update_upgrade_command: safe

reboot_always: no
update_reboot: yes

## systemli
needrestart_disable_email: 1
needrestart_action: a
needrestart_blacklist_rc:
  - mongodb-.*\.service
  - mariadb\.service
  - mysql\.service

The command:

ansible-playbook update_system_test.yaml  -i inventories/dev/hosts --extra-vars "inventory=devpc21" --limit devpc21n-05.example.local

Support for Amazon Linux

Describe the bug

Currently, if run against an Amazon Linux host (AL2 in my case), the host is skipped without actually upgrading or rebooting.

This appears to be because in AL2 ansible_pkg_mgr does in fact equal yum but ansible_distribution_major_version equals 2, which is neither 6 nor 7, the values that are within the block.

Playbook

requirements.yml

---
roles:
  - name: robertdebock.update
    version: 3.1.4

patching.yml

---
- name: Perform OS update patching
  hosts: all
  become: true
  roles:
    - role: robertdebock.update

Output

Show at least the error, possible related output, maybe just all the output.

PLAY [Perform OS update patching] **********************************************
TASK [Gathering Facts] *********************************************************
ok: [jbouse-dev-util-poc]
TASK [robertdebock.update : test if update_autoremove is set correctly] ********
ok: [jbouse-dev-util-poc -> localhost]
TASK [robertdebock.update : test if update_upgrade_command is set correctly] ***
ok: [jbouse-dev-util-poc -> localhost]
TASK [robertdebock.update : test if update_cache_valid_time is set correctly] ***
ok: [jbouse-dev-util-poc -> localhost]
TASK [robertdebock.update : test if update_reboot is set correctly] ************
ok: [jbouse-dev-util-poc -> localhost]
TASK [robertdebock.update : update cache (apk)] ********************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (apk)] *************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (apt)] *************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : apt autoremove (apt)] ******************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (dnf)] *************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (pacman)] **********************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (yum/6)] ***********************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (yum/7)] ***********************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : install yum-utils] *********************************
skipping: [jbouse-dev-util-poc]
TASK [robertdebock.update : update all software (zypper)] **********************
skipping: [jbouse-dev-util-poc]
PLAY RECAP *********************************************************************
jbouse-dev-util-poc        : ok=5    changed=0    unreachable=0    failed=0    skipped=10   rescued=0    ignored=0 

Environment

  • Control node OS: AWX 21.8.0 running in AWS EKS
  • Control node Ansible version: core 2.12.5.post0
  • Managed node OS: Amazon Linux 2 AMI

Relevant snippets from the Gathering Facts task

{
  "ansible_facts": {
    "ansible_distribution": "Amazon",
    "ansible_distribution_release": "NA",
    "ansible_distribution_version": "2",
    "ansible_distribution_major_version": "2",
    "ansible_distribution_file_path": "/etc/os-release",
    "ansible_distribution_file_variety": "Amazon",
    "ansible_distribution_file_parsed": true,
    "ansible_distribution_minor_version": "NA",
    "ansible_os_family": "RedHat",
    "ansible_pkg_mgr": "yum"
  }
}
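
The run above ends with failed=0 although nothing was patched, so the recap alone cannot confirm that a host was updated. A post-patch check for yum hosts, as an added example (not part of the role or of the report): it extends the patching.yml from this issue with post_tasks, assumes update_excluded_packages is empty and that no new updates are published mid-run, and uses a hypothetical register name.

```yaml
---
# Added example: fail a yum host that still has updates pending after the
# role has run, instead of reporting a silent skip as success.
- name: Perform OS update patching
  hosts: all
  become: true
  roles:
    - role: robertdebock.update

  post_tasks:
    - name: Ask yum whether updates are still pending
      ansible.builtin.command: yum -q check-update
      register: pending_updates        # hypothetical name
      changed_when: false
      # yum check-update exits 0 when nothing is pending, 100 when updates
      # are available, and 1 on error.
      failed_when: pending_updates.rc not in [0, 100]
      when: ansible_pkg_mgr == "yum"

    - name: Fail the host if updates were left uninstalled
      ansible.builtin.assert:
        that:
          - pending_updates.rc == 0
        fail_msg: >-
          Updates are still pending after robertdebock.update ran on
          {{ ansible_distribution }} {{ ansible_distribution_major_version }};
          check whether any update task matched this host.
      when:
        - ansible_pkg_mgr == "yum"
        # The command is skipped in check mode, which leaves rc undefined.
        - pending_updates.rc is defined
```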

Debian upgrade package breaks because of DEBIAN_FRONTEND=dialog

Describe the bug

Upgrading packages that ask a question fails because of DEBIAN_FRONTEND=dialog.

Output

....
  attempts: 3
  msg: |-
    '/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Sub-process /usr/bin/dpkg returned an error code (1)
  rc: 100
  stdout: |-
    Reading package lists...
    Building dependency tree...
    Reading state information...
    Calculating upgrade...
    The following package was automatically installed and is no longer required:
      linux-image-4.19.0-20-amd64
    Use 'apt autoremove' to remove it.
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    1 not fully installed or removed.
    After this operation, 0 B of additional disk space will be used.
    Setting up grub-pc (2.06-3~deb10u2) ...
    You must correct your GRUB install devices before proceeding:
  
      DEBIAN_FRONTEND=dialog dpkg --configure grub-pc
      dpkg --configure -a
    dpkg: error processing package grub-pc (--configure):
     installed grub-pc package post-installation script subprocess returned error exit status 1
    Errors were encountered while processing:
     grub-pc
    needrestart is being skipped since dpkg has failed
  stdout_lines: <omitted>
....

Environment

  • Control node OS: Debian 10
  • Control node Ansible version: core 2.11.12
  • Managed node OS: Debian 9 / Debian 10

How to solve

We need to tell Debian to avoid questions with DEBIAN_FRONTEND=nointeractive as ENV.

Is that possible?

cu denny

"wait for the machine to be down" fails

ISSUE TYPE
  • Bug Report
OS / ENVIRONMENT

CentOS 7 on DigitalOcean

SUMMARY
TASK [robertdebock.update : update all software (yum)] ***********************************************************************************************
changed: [machine3.meinit.nl]
changed: [machine1.meinit.nl]
changed: [machine4.meinit.nl]
changed: [machine2.meinit.nl]

TASK [robertdebock.update : update all software (zypper)] ********************************************************************************************
skipping: [machine1.meinit.nl]
skipping: [machine3.meinit.nl]
skipping: [machine2.meinit.nl]
skipping: [machine4.meinit.nl]

RUNNING HANDLER [robertdebock.update : reboot] *******************************************************************************************************
changed: [machine3.meinit.nl]
changed: [machine1.meinit.nl]
changed: [machine2.meinit.nl]
changed: [machine4.meinit.nl]

RUNNING HANDLER [robertdebock.update : wait for the machine to be down] ******************************************************************************
fatal: [machine3.meinit.nl]: FAILED! => {"attempts": 1, "changed": false, "elapsed": 1, "failed_when_result": true}
fatal: [machine2.meinit.nl]: FAILED! => {"attempts": 1, "changed": false, "elapsed": 1, "failed_when_result": true}
fatal: [machine1.meinit.nl]: FAILED! => {"attempts": 1, "changed": false, "elapsed": 1, "failed_when_result": true}
fatal: [machine4.meinit.nl]: FAILED! => {"attempts": 1, "changed": false, "elapsed": 2, "failed_when_result": true}

Fedora (26) does not reboot.

On Fedora 26 in Vagrant (virtualbox) this role issues a reboot command:

RUNNING HANDLER [robertdebock.update : reboot] *********************************
changed: [default]

But the machine does not reboot, so it's stuck in:

RUNNING HANDLER [robertdebock.update : wait for the machine to be down] ********
FAILED - RETRYING: wait for the machine to be down (180 retries left).
FAILED - RETRYING: wait for the machine to be down (179 retries left).
FAILED - RETRYING: wait for the machine to be down (178 retries left).
...
