Enable kpatch support for updates

cjeanner · cjeanner · commit 6f77a836b546 · 2024-11-22T10:13:36.000+01:00
This change enables kpatch-patch support, allowing in-place kernel patching for security and bug fixes, provided `kpatch-patch-KERNEL_VERSION` package exists. For more information about kpatch: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/applying-patches-with-kernel-live-patching_managing-monitoring-and-updating-the-kernel This PR also corrects a potential issue related to the exclide list applied to the package update: if a user were to pass the `edpm_update_exclude_packages` parameter, the subsequent override wouldn't be applied, meaning the `openvswitch` package wouldn't be excluded in the end. Using an "internal var" such as the `_exclude_packages` in order to inject our own content in addition to whatever the user may pass ensures everything is working as expected. Fixes: https://issues.redhat.com/browse/OSPRH-11274
diff --git a/roles/edpm_update/defaults/main.yml b/roles/edpm_update/defaults/main.yml
@@ -17,6 +17,9 @@
 
 # All variables intended for modification should be placed in this file.
 
+# Toggle to enable/disable kpatch usage
+edpm_update_enable_kpatch: false
+
 # Toggle to enable/disable packages updates
 edpm_update_enable_packages_update: true
 
diff --git a/roles/edpm_update/molecule/kpatch/converge.yml b/roles/edpm_update/molecule/kpatch/converge.yml
@@ -0,0 +1,57 @@
+---
+# Copyright 2024 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: "Call edpm_update role"
+      ansible.builtin.include_role:
+        name: osp.edpm.edpm_update
+      vars:
+        edpm_update_enable_containers_update: false
+        edpm_service_types: []
+        edpm_update_enable_kpatch: true
+
+    # We have to run the verifications in this play to
+    # ensure we have access to the internally changed
+    # facts.
+    - name: Conduct some verifications
+      block:
+        - name: Ensure kernel related packages are excluded
+          ansible.builtin.assert:
+            that:
+              - _exclude_packages is defined
+              - "'kernel' in _exclude_packages"
+              - "'kernel-core' in _exclude_packages"
+
+        - name: Gather all installed packages
+          ansible.builtin.package_facts:
+
+        - name: Check service status if we have kpatch-patch installed
+          when:
+            - ansible_facts.packages["kpatch-patch"] is defined
+          block:
+            - name: Gather services
+              ansible.builtin.service_facts:
+
+            - name: Ensure kpatch.service is running
+              ansible.builtin.assert:
+                that:
+                  - ansible_facts.services['kpatch.service'] is defined
+                  - ansible_facts.services['kpatch.service'].state == 'running'
+                  - ansible_facts.services['kpatch.service'].status == 'enabled'
diff --git a/roles/edpm_update/molecule/kpatch/molecule.yml b/roles/edpm_update/molecule/kpatch/molecule.yml
@@ -0,0 +1,27 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: collections.yml
+driver:
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
+platforms:
+  - name: edpm-0.localdomain
+    groups:
+      - compute
+provisioner:
+  log: true
+  name: ansible
+
+scenario:
+  test_sequence:
+    - prepare
+    - converge
+    - cleanup
+    - destroy
+verifier:
+  name: ansible
diff --git a/roles/edpm_update/molecule/kpatch/prepare.yml b/roles/edpm_update/molecule/kpatch/prepare.yml
@@ -0,0 +1,18 @@
+---
+# Copyright 2024 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: Run prepare playbook
+  ansible.builtin.import_playbook: ../default/prepare.yml
diff --git a/roles/edpm_update/tasks/kpatch.yml b/roles/edpm_update/tasks/kpatch.yml
@@ -0,0 +1,29 @@
+---
+- name: Ensure we know about kernel version
+  when:
+    - ansible_facts['kernel'] is undefined
+  ansible.builtin.setup:
+    gather_subset:
+      - '!all,!min'
+      - 'kernel'
+
+- name: Ensure kpatch package is installed
+  become: true
+  ansible.builtin.package:
+    name: kpatch
+    state: present
+
+- name: Install kpatch-patch if available  # noqa: package-latest
+  failed_when: false
+  become: true
+  ansible.builtin.package:
+    name: "kpatch-patch = {{ ansible_facts['kernel'] }}"
+    state: latest
+
+- name: Ensure further update stages will not update kernel
+  vars:
+    _kernel:
+      - kernel
+      - kernel-core
+  ansible.builtin.set_fact:
+    _exclude_packages: "{{ edpm_update_exclude_packages + _kernel }}"
diff --git a/roles/edpm_update/tasks/main.yml b/roles/edpm_update/tasks/main.yml
@@ -17,6 +17,10 @@
 
 # "edpm_update" will search for and load any operating system variable file
 
+- name: Apply kernel patch via kpatch
+  ansible.builtin.include_tasks: kpatch.yml
+  when: edpm_update_enable_kpatch
+
 - name: Update packages
   ansible.builtin.include_tasks: packages.yml
   when: edpm_update_enable_packages_update
diff --git a/roles/edpm_update/tasks/packages.yml b/roles/edpm_update/tasks/packages.yml
@@ -9,9 +9,13 @@
 
 - name: Ensure openvswitch is excluded from bulk update
   ansible.builtin.set_fact:
-    edpm_update_exclude_packages: "{{ edpm_update_exclude_packages + ['openvswitch'] }}"
-  when:
-    "'openvswitch' not in edpm_update_exclude_packages"
+    _exclude_packages: >-
+      {{
+        _exclude_packages | default([]) +
+        edpm_update_exclude_packages +
+        ['openvswitch'] |
+        ansible.builtin.unique
+      }}
   tags:
     - edpm_update
 
@@ -21,6 +25,6 @@
     name: "*"
     state: latest
     update_cache: true
-    exclude: "{{ edpm_update_exclude_packages }}"
+    exclude: "{{ _exclude_packages }}"
   tags:
     - edpm_update
