Ansible Roles - Automatic Updates

• Ansible Roles - Automatic Updates
  • What is this?
  • Resource Requirements
  • Dependencies
  • Supported Distributions
  • Quick-start & Usage
  • Contributing
  • Acknowledgements
  • License

What is this?

• A set of Ansible roles for CentOS and Debian hosts that provides users with the option to enable and/or remove automatic updates for packages installed.
  • Deploy - centos_automatic_updates.yaml and debian_automatic_updates.yaml playbooks will install packages that enable automatic updates. Custom configuration files to set automatic updates will then be copied to the remote hosts. If there are any existing configuration files, a task will fetch the files and store them in a backups directory under the files directory.
  • Remove - centos_automatic_updates_remove.yaml and debian_automatic_updates_remove.yaml will remove packages and configuration files from the hosts that enable automatic updates.
• For reference, below is a demonstration of how the directory structure of backups will look like after a number of debian_automatic_updates.yaml and centos_automatic_updates.yaml playbook runs at different time intervals.

# CentOS
.
└── <INVENTORY_HOSTNAME_001>
    ├── 2021-07-25T22:34:13Z-CentOS-8.4
    │   └── automatic.conf
    ├── 2021-07-25T22:35:33Z-CentOS-8.4
    │   └── automatic.conf
    └── 2021-07-25T22:37:20Z-CentOS-8.4
        └── automatic.conf

# Debian
.
└── <INVENTORY_HOSTNAME_002>
    ├── 2021-07-25T22:34:21Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    ├── 2021-07-25T22:35:42Z-Debian-10
    │   ├── 20auto-upgrades
    │   ├── 50unattended-upgrades
    │   └── listchanges.conf
    └── 2021-07-25T22:37:27Z-Debian-10
        ├── 20auto-upgrades
        ├── 50unattended-upgrades
        └── listchanges.conf

Resource Requirements

• Debian and/or CentOS Stream host(s) that the playbooks will be run against.

Dependencies

• dnf-automatic, unattended-upgrades, apt-listchanges
• ansible-vault - [optional] - can be used in the debian_ssh.yaml or centos_ssh.yaml playbook to encrypt and store sensitive data "at rest".
  • In this use case, the ansible_sudo_password variable, which is used as the privilege escalation password, is stored in a vault.
  • Once the secret has been created and added to the playbook, in order for a user be able to become sudo to run the playbook, they will need to decrypt the vault to access the variable.
  • This can be achieved by passing one of the following flags listed below when executing the the playbook;
    • --ask-vault-pass
    • --vault-password-file
  • Below is a demonstration of how the encrypted variable is defined in the playbooks;

---
# playbook for the debian_automatic_updates role.
- hosts: debian_hosts
  # vars_files:
  #   - become-secret
  become: true
  roles:
    - debian_automatic_updates

• For more information on how to create encrypted variables, review the official ansible documentation.

Supported Distributions

• Tested on;
  • debian-10 , centos-8-stream

Quick-start & Usage

# clone the repository
$ git clone git@github.com:hubvu/automatic-updates-ansible.git

# navigate into the directory
$ cd automatic-updates-ansible/

# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
  --inventory-file=hosts \
  --ask-become-pass \
  --verbose

# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site_remove.yaml \
  --inventory-file=hosts \
  --ask-vault-pass \
  --verbose

# review the `backups` directory for the configuration files of each host
$ ls /roles/<role_name>/files/backups/<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/

Contributing

• Contribution guidelines for this project can be found in the Contributing document.

Acknowledgements

• DNF Automatic - Documentation.
• Unattended Upgrades - Debian Wiki.
• Ansible Lint.
• Ansible Lint for GitHub Action.

License

• Licenced under the MIT License.