Ansible – Example playbook to Patchup Selective packages on RHEL 7 / CentOS and Full Security Patchup

Ansible – Example playbook to Patchup Selective packages on RHEL 7 / CentOS and Full Security Patchup

Ansible - Example playbook to Patchup Selective packages on RHEL 7 / CentOS and Full Security Patchup

Ansible playbook to Patchup Selective Packages on RHEL 7 / CentOS servers

In this playbook we are going to do Security Patchup and Selective Package Updates. Keeping your system up to date and applying all security patches is an essential task for sysadmins and developers. We can use yum module of Ansible to manages yum packages for RHEL/CentOS based Linux distros. This module can use to install, remove, update on the remote servers for package management. This page explains how to run yum update --security or yum update package-name via Ansible.

In this playbook we are doing 5 tasks

  • Gather the rpm packages installed using facts module : package_facts
  • Importing list of packages need to be Patchup using variable in directory:

directory : vars
file: package.yml
variable name: myvar (it have list of packages)

  • Updating list of packages which are installed only.
  • Display installed packages result
  • Applying Security Updates only --- passing with variables if required to have full Security Patchup.

Step1: Create variables files for package list

Switch to your playbooks directory:

 [root@ansible ~]# cd redhat-playbooks/

Create directory for variable, here I am using "vars"

 [root@ansible redhat-playbooks]# mkdir vars/

Create variables file, here I am creating as "packages"

 [root@ansible redhat-playbooks]# vi vars/packages.yml
---
myvar:
  - httpd
  - nmap
  - sssd
  - iftop

Step2: Create Playbook for Selective Package Update

Create Playbook, I am using name "redhat-selective-packages-security.yml"

 [root@ansible redhat-playbooks]# vim redhat-selective-packages-security.yml
---
- name: Redhat and Centos Server selective Packages Patchups
  hosts: webservers
  ignore_errors: yes
  force_handlers: yes

  tasks:

    - name: Gather the rpm package facts
      package_facts:
        manager: auto

    - name: Import variables files
      include_vars: vars/packages.yml

    - name: Update package
      ignore_errors: yes
      yum:
        name: "{{ item }}"
        state: latest
      loop: "{{ myvar | default([]) }}"
      when: item in ansible_facts.packages
      register: install_result

    - name: Display installed packages result
      debug:
        var: install_result

    - name: Server is getting FULL SECUIRTY PATCHUP ONLY --- SECURITY
      yum:
        name: '*'
        security: yes
        state: latest
      when: "'{{ patchup_sec }}' == 'Security'"
      tags: ['security']

 

Step3: Run ansible-playbook without "Security" variable... only for Selective Patchup

 [root@ansible redhat-playbooks]# ansible-playbook redhat-selective-packages-security.yml --extra-vars "patchup_sec="

Result for playbook run:

PLAY [Redhat and Centos Server selective Packages Patchups] **********************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [webservers]

TASK [Gather the rpm package facts] **********************************************************************************************************************************************
ok: [webservers]

TASK [Import variables files] ****************************************************************************************************************************************************
ok: [webservers]

TASK [Update package] ************************************************************************************************************************************************************
ok: [webservers] => (item=httpd)
ok: [webservers] => (item=nmap)
ok: [webservers] => (item=sssd)
skipping: [webservers] => (item=iftop) 

TASK [Display installed packages result] *****************************************************************************************************************************************
ok: [webservers] => {
    "install_result": {
        "changed": false, 
        "msg": "All items completed", 
        "results": [
            {
                "ansible_loop_var": "item", 
                "changed": false, 
                "changes": {
                    "installed": [], 
                    "updated": []
                }, 
                "failed": false, 
                "invocation": {
                    "module_args": {
                        "allow_downgrade": false, 
                        "autoremove": false, 
                        "bugfix": false, 
                        "conf_file": null, 
                        "disable_excludes": null, 
                        "disable_gpg_check": false, 
                        "disable_plugin": [], 
                        "disablerepo": [], 
                        "download_dir": null, 
                        "download_only": false, 
                        "enable_plugin": [], 
                        "enablerepo": [], 
                        "exclude": [], 
                        "install_repoquery": true, 
                        "install_weak_deps": true, 
                        "installroot": "/", 
                        "list": null, 
                        "lock_timeout": 30, 
                        "name": [
                            "httpd"
                        ], 
                        "releasever": null, 
                        "security": false, 
                        "skip_broken": false, 
                        "state": "latest", 
                        "update_cache": false, 
                        "update_only": false, 
                        "use_backend": "auto", 
                        "validate_certs": true
                    }
                }, 
                "item": "httpd", 
                "msg": "", 
                "rc": 0, 
                "results": [
                    "All packages providing httpd are up to date", 
                    ""
                ]
            }, 
            {
                "ansible_loop_var": "item", 
                "changed": false, 
                "changes": {
                    "installed": [], 
                    "updated": []
                }, 
                "failed": false, 
                "invocation": {
                    "module_args": {
                        "allow_downgrade": false, 
                        "autoremove": false, 
                        "bugfix": false, 
                        "conf_file": null, 
                        "disable_excludes": null, 
                        "disable_gpg_check": false, 
                        "disable_plugin": [], 
                        "disablerepo": [], 
                        "download_dir": null, 
                        "download_only": false, 
                        "enable_plugin": [], 
                        "enablerepo": [], 
                        "exclude": [], 
                        "install_repoquery": true, 
                        "install_weak_deps": true, 
                        "installroot": "/", 
                        "list": null, 
                        "lock_timeout": 30, 
                        "name": [
                            "nmap"
                        ], 
                        "releasever": null, 
                        "security": false, 
                        "skip_broken": false, 
                        "state": "latest", 
                        "update_cache": false, 
                        "update_only": false, 
                        "use_backend": "auto", 
                        "validate_certs": true
                    }
                }, 
                "item": "nmap", 
                "msg": "", 
                "rc": 0, 
                "results": [
                    "All packages providing nmap are up to date", 
                    ""
                ]
            }, 
            {
                "ansible_loop_var": "item", 
                "changed": false, 
                "changes": {
                    "installed": [], 
                    "updated": []
                }, 
                "failed": false, 
                "invocation": {
                    "module_args": {
                        "allow_downgrade": false, 
                        "autoremove": false, 
                        "bugfix": false, 
                        "conf_file": null, 
                        "disable_excludes": null, 
                        "disable_gpg_check": false, 
                        "disable_plugin": [], 
                        "disablerepo": [], 
                        "download_dir": null, 
                        "download_only": false, 
                        "enable_plugin": [], 
                        "enablerepo": [], 
                        "exclude": [], 
                        "install_repoquery": true, 
                        "install_weak_deps": true, 
                        "installroot": "/", 
                        "list": null, 
                        "lock_timeout": 30, 
                        "name": [
                            "sssd"
                        ], 
                        "releasever": null, 
                        "security": false, 
                        "skip_broken": false, 
                        "state": "latest", 
                        "update_cache": false, 
                        "update_only": false, 
                        "use_backend": "auto", 
                        "validate_certs": true
                    }
                }, 
                "item": "sssd", 
                "msg": "", 
                "rc": 0, 
                "results": [
                    "All packages providing sssd are up to date", 
                    ""
                ]
            }, 
            {
                "ansible_loop_var": "item", 
                "changed": false, 
                "item": "iftop", 
                "skip_reason": "Conditional result was False", 
                "skipped": true
            }
        ]
    }
}

TASK [Server is getting FULL SECUIRTY PATCHUP ONLY --- SECURITY] *****************************************************************************************************************
[WARNING]: conditional statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: '{{ patchup_sec }}' == 'Security'
skipping: [webservers]

PLAY RECAP ************************************************************************************************************

If you see in the above results, we get 3 success and one skipping. Coz our server have only httpd, nmap and sssd packages are installed. It skipped for iftop coz package is not installed.

ok: [webservers] => (item=httpd)
ok: [webservers] => (item=nmap)
ok: [webservers] => (item=sssd)
skipping: [webservers] => (item=iftop)
"results": [
"All packages providing nmap are up to date",
"results": [
"All packages providing httpd are up to date",
"results": [
"All packages providing sssd are up to date",

But we get failed for

                "ansible_loop_var": "item", 
                "changed": false, 
                "item": "iftop", 
                "skip_reason": "Conditional result was False", 
                "skipped": true
            }

Below you can check packages installed or not. By yum command on server.

Step4: Apply security patchup run playbook with variable Security

If you want to do Full Security patchup for server you can run below command:

[root@ansible redhat-playbooks]# ansible-playbook redhat-selective-packages-security.yml --extra-vars "patchup_sec=Security"

This will do full security patchup only --- this will not make full update of server. Only Security patchup

Note: This has been tested on RHEL 7 (I didn't tested on CentOS for Security Patchup Only)

 

 

Conclusion

The playbook is ready. You can now easily do Security Patchup and Selective Packages Updates from variable file thanks to Ansible.

2 thoughts on “Ansible – Example playbook to Patchup Selective packages on RHEL 7 / CentOS and Full Security Patchup

Leave a Reply

Your email address will not be published. Required fields are marked *