Linux OS Patch

it-pappa · it-pappa · commit ef31781e21c9 · 2022-04-08T21:01:35.000+02:00
diff --git a/README.md b/README.md
@@ -0,0 +1,35 @@
+#Patch linux VM's 
+
+This playbook/role will first determind the OS of the VM (Distro), before it will start patching it. <br>
+
+This playbook works on: 
+- [X] Debian
+- [X] Centos
+- [X] Ubuntu
+- [X] RHEL8
+- [X] Rocky Linux 8.5
+
+on processor architecture:
+- [X] x64
+- [X] ARM
+
+✅ Playbook requirements:
+* Sudo access to the VM
+* The target machine needs Internet access
+* Ansible installed on the host running the playbook
+
+Example playbook: 
+```
+- hosts: ip-address
+  gather_facts: true
+  become: yes
+
+  roles:
+  - linux_os_patch
+```
+
+Example playbook run: 
+```
+ansible-playbook setup.yml -i inventory --ask-become-pass
+```
+The playbook will then ask for the 'Sudo' password for the host target. 
diff --git a/meta/main.yml b/meta/main.yml
@@ -0,0 +1,17 @@
+---
+galaxy_info:
+  role_name: patch_linux_host
+  author: Dan Eckholm
+  description: Patch Linux hosts (Centos/Ubuntu) 
+  license: BSD-3-Clause
+  min_ansible_version: 2.11
+  platforms:
+    - name: EL
+      versions:
+        - 8
+  galaxy_tags:
+    - linux
+    - patch
+
+
+dependencies: []
diff --git a/tasks/01_patch_centos_redhat.yml b/tasks/01_patch_centos_redhat.yml
@@ -0,0 +1,21 @@
+---
+- name:  Patch Task 1 - upgrade kernel package on RHEL/CentOS server
+  ansible.builtin.yum:
+   name="kernel"
+   state=latest
+  when: app_process_check.stdout == "process_not_running" and ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Rocky Linux'
+  register: yum_update
+
+- name: Patch Task 2 - check if reboot required after kernel update on CentOS/RedHat servers
+  ansible.builtin.shell: KERNEL_NEW=$(rpm -q --last kernel |head -1 | awk '{print $1}' | sed 's/kernel-//'); KERNEL_NOW=$(uname -r); if [[ $KERNEL_NEW != $KERNEL_NOW ]]; then echo "reboot_needed"; else echo "reboot_not_needed"; fi
+  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' 
+  ignore_errors: true
+  register: reboot_required
+
+- name: Patch Task 3 - Reboot CentOS/RedHat systems if kernel updated
+  ansible.builtin.command: shutdown -r +1  "Rebooting CentOS/RedHat Servers After Kernel Patching"
+  ansible.builtin.async: 0
+  poll: 0
+  when: reboot_required.stdout == "reboot_needed" and (ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Rocky Linux')
+  register: reboot_started
+  ignore_errors: true
diff --git a/tasks/02_patch_ubuntu_debian.yml b/tasks/02_patch_ubuntu_debian.yml
@@ -0,0 +1,29 @@
+---
+- name: Patch Task 1 - upgrade kernel package on Ubuntu server
+  ansible.builtin.apt:
+    update_cache: yes
+    force_apt_get: yes
+    cache_valid_time: 3600
+    name: linux-image-generic
+    state: latest
+  when: app_process_check.stdout == "process_not_running" and ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+  register: apt_update
+
+
+- name: Patch Task 2 - Check if a reboot is required after kernel update on Ubuntu/Debian servers
+  register: reboot_required_file
+  ansible.builtin.stat: path=/var/run/reboot-required get_md5=no
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+
+- name: Patch Task 3 - Reboot Ubuntu/Debian Servers if kernel updated
+  ansible.builtin.reboot:
+    msg: "Rebooting Ubuntu/Debian Servers After Kernel Patching"
+    connect_timeout: 5
+    reboot_timeout: 300
+    pre_reboot_delay: 0
+    post_reboot_delay: 30
+    test_command: uptime
+  when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian')
+  register: reboot_started_ubuntu
+  ignore_errors: true
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+# Tasks to run
+
+# Resolve Linux Distro
+- ansible.builtin.include: 01_centos_redhat.yml
+  when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux' or ansible_distribution == 'Rocky Linux'
+- ansible.builtin.include: 02_ubuntu_debian.yml
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
+
+# If this role is ran locally, these tasks will fail if the server restarts. 
+- name: Task // - pause for 180 secs
+  ansible.builtin.pause:
+    minutes: 3
+
+
+- name: Task // - check if all the systems responding to ssh
+  local_action:
+    module: ansible.builtin.wait_for
+      host={{ (ansible_ssh_host|default(ansible_host))|default(inventory_hostname) }}
+      port=22
+      search_regex=OpenSSH
+      delay=15
+      timeout=300
+      state=started
