Ansible role to update a server to the latest packages, reboot it, and wait for it to come back up. Add more roles after this one to continue installing/configuring the server.
It can also exclude packages from being updated, update only specified packages, or install specified packages.
Works with Red Hat/CentOS and Ubuntu.
Can be used to update packages for Meltdown/Spectre mitigation on Red Hat/CentOS 7 and Ubuntu 16.04.
A more detailed example can be found in the blog post: Using Ansible to Update Ubuntu, CentOS, and Redhat
Requires: Ansible 2.7.1 (uses the reboot module; 2.7.1 fixes reboot_timeout)
Note:
This role can reboot the server if there is a kernel update and if the reboot variable is true (reboot is the default setting).

Supported distributions:
- Ubuntu 18.04 / 16.04
- CentOS & RHEL 7.x
Proxy settings go in the group_vars file for the inventory group, e.g. ./group_vars/centos-dev/proxy.yml

With a proxy:

```yaml
proxy_env:
  http_proxy: http://my.internal.proxy:80
  https_proxy: https://my.internal.proxy:80
```

With no proxy:

```yaml
proxy_env: []
```
General variables:
- debug_enabled_default: true|false (default false)
- update_default: true|false (default true)
- reboot_default: true|false (default true)
- server_update_reboot_pre_delay: time (in seconds) to wait before running the tasks in this role
- server_update_reboot_pre_reboot_delay: time (in seconds) to wait before rebooting
- server_update_reboot_post_reboot_delay: time (in seconds) to wait after rebooting
- server_update_reboot_reboot_timeout: maximum time (in seconds) to wait for the server to reboot
Variables for RHEL/CentOS:
- server_update_yum_exclude_pkgs: comma-separated string of packages to exclude from the update. Can use wildcards. (default [])
- server_update_yum_install_pkgs: comma-separated string of packages to ONLY update. Can use wildcards. (default '*', meaning all packages)

Variables for Ubuntu:
- server_update_apt_exclude_default: true|false. Set true if using the exclude list below. (default false)
- server_update_apt_exclude_pkgs: list of packages not to update (each on a separate line). Can include a wildcard to match multiple packages, but begin the pattern with ^ or a lot more will match. (default undefined)
- server_update_apt_default: full|update_specific|install (default full)
  - full: update all packages using "apt-get dist-upgrade"
  - update_specific: only update packages from the list in variable server_update_apt_install_pkgs
  - install: only install packages from the list in variable server_update_apt_install_pkgs
- server_update_apt_install_pkgs: list of packages to ONLY update or install (each on a separate line). Can include a wildcard to match multiple packages. (default undefined)
The example playbook below updates/reboots one server at a time (using max_fail_percentage and serial). If you want to update/reboot everything at once, comment out those two lines.

```yaml
---
- hosts: '{{inventory}}'
  max_fail_percentage: 0
  serial: 1
  become: yes
  roles:
    # - stop-applications
    - server-update-reboot
    # - server-config-xyz
    # - start-applications
```
Setup steps:
- install Ansible
- create SSH keys
- ssh to the client once to add its entry to the known_hosts file
- configure the client server's authorized_keys
- run Ansible commands
Examples:

Use all defaults to update, reboot the server, and wait for it to start up:

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev" -i hosts-dev
```

Same as above, but do not reboot the server:

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev reboot_default=false" -i hosts-dev
```

Update all packages except the package(s) specified (for RHEL):

```shell
ansible-playbook server-update-reboot.yml --extra-vars 'inventory=centos-dev server_update_yum_exclude_pkgs="mysql*, bash, openssh*"' -i hosts-dev
```

Only update (or install) specific packages (for RHEL):

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev
```

Update all packages except the package(s) specified (for Ubuntu):

```shell
ansible-playbook server-update-reboot.yml --extra-vars 'inventory=ubuntu-dev server_update_apt_exclude_default=true' --extra-vars '{"server_update_apt_exclude_pkgs": [bash, openssl, ^mysql*, ^openssh*]}' -i hosts-dev
```

Only update specific packages (for Ubuntu):

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode, openssh*]}" -i hosts-dev
```

Only install specific packages (for Ubuntu). Be careful with wildcards:

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=install" --extra-vars "{'server_update_apt_install_pkgs': [bash, openssh-server]}" -i hosts-dev
```
To patch Red Hat/CentOS 7 and Ubuntu 16.04 for Spectre and Meltdown (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715), see:
- Info from Ubuntu
- Info from Redhat

Or just patch everything using the first command above. The commands below update only the kernel, firmware and microcode packages:

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev
```

```shell
ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode]}" -i hosts-dev
```
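Updated package versions alone do not prove the fix is in effect; the mitigations are only active once the new kernel is booted and the microcode is loaded. The script below is an added example, not part of the role or its README: it reads the per-issue status files that fixed kernels expose under /sys/devices/system/cpu/vulnerabilities (the function names and the --live flag are mine) and fails if any of the three issues still reports "Vulnerable".

```shell
#!/bin/sh
# Added example (not part of the role): confirm, after the update and reboot,
# that the running kernel reports the Meltdown/Spectre mitigations as active.
# Patched kernels expose one status file per issue under
# /sys/devices/system/cpu/vulnerabilities; "Vulnerable" means the fix is not
# in effect (old kernel still booted, or microcode not loaded), and a missing
# file means the kernel predates the fix entirely.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# mitigation_status DIR NAME: print the status line for one issue, or
# "missing" when the kernel does not provide the file at all.
mitigation_status() {
  if [ -r "$1/$2" ]; then cat "$1/$2"; else echo "missing"; fi
}

# check_mitigations DIR: print one line per issue; return 0 only when all
# three (the CVEs named above) show a mitigation or "Not affected".
check_mitigations() {
  dir="$1"
  rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    status=$(mitigation_status "$dir" "$name")
    case "$status" in
      Mitigation:*|"Not affected") state="ok" ;;
      *) state="FAIL"; rc=1 ;;
    esac
    printf '%-10s %-4s %s\n' "$name" "$state" "$status"
  done
  return "$rc"
}

# Run against the live system only when invoked with --live, e.g. as a
# post-reboot check from an Ansible shell task:
#   sh check_mitigations.sh --live
if [ "${1:-}" = "--live" ]; then
  check_mitigations "$VULN_DIR"
  exit $?
fi
```

A non-zero exit from the --live run is a useful failure condition for a task placed after this role, so a host that came back on the old kernel is flagged instead of counted as patched.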
RHEL/CentOS 5 needs an extra dependency installed first: python-simplejson. This command uses the raw module (which needs no Python on the target) to install it:

```shell
ansible centos5 -m raw -a "yum install -y python-simplejson" --become --ask-pass --become-method=su --ask-become-pass --extra-vars="ansible_ssh_user=username123" -i hosts-dev
```

If SELinux is enabled or permissive, another dependency is needed: libselinux-python. This command uses the raw module to install it:

```shell
ansible centos5 -m raw -a "yum install -y libselinux-python" --become --ask-pass --become-method=su --ask-become-pass --extra-vars="ansible_ssh_user=username123" -i hosts-dev
```