git.lirion.de

Of git, get, and gud

summaryrefslogtreecommitdiffstats
path: root/roles/patch_redhat/tasks
diff options
context:
space:
mode:
Diffstat (limited to 'roles/patch_redhat/tasks')
-rw-r--r--roles/patch_redhat/tasks/main.yaml91
1 files changed, 91 insertions, 0 deletions
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
new file mode 100644
index 0000000..7f200e7
--- /dev/null
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -0,0 +1,91 @@
+---
+- name: "Check whether OS is a Red Hat derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'RedHat'
+ no_log: true
+- name: Update yum/dnf cache
+ # We want to see a dedicated failure if the repos cannot be fetched already.
+ # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs -
+ # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with
+ # updated cache :-)
+ ansible.builtin.yum:
+ state: present
+ update_cache: "yes"
+ validate_certs: "yes"
+ become: true
+- name: Check for upgrades (RHEL)
+ # yum check-upgrade would normally throw an RC 100 if updates are available.
+ # But through ansible: RC0! Weeeee
+ ansible.builtin.shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l
+ # args:
+ # warn: false
+ register: yue
+ changed_when: false
+ become: true
+- block:
+ - name: Check for existence of rkhunter
+ ansible.builtin.stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ - name: RKhunter pre-check
+ ansible.builtin.command: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ changed_when: false
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+ - name: Upgrade all installed packages (RHEL)
+ ansible.builtin.yum:
+ name: '*'
+ state: latest
+ validate_certs: "yes"
+ skip_broken: "yes"
+ become: true
+ # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
+ # See ansible issue #60349. Leaving commented out. -- pff
+ # - name: Auto-removal of orphaned dependencies (RHEL)
+ # ansible.builtin.yum:
+ # autoremove: "yes"
+ name: Updates and RKhunter checks
+ # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
+ # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
+ when: yue.stdout|int > 1
+- block:
+ - name: Register requirement for reboot (RHEL)
+ # "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete
+ # On major releases >= 9 you may want to create an alternative for symlinking yum to dnf
+ ansible.builtin.command: yum needs-restarting -r
+ register: nr
+ changed_when: false
+ failed_when: false
+ become: true
+ name: Check reboot requirement
+- name: Clean packages cache (RHEL)
+ # ansible's yum module does not have a dedicated action for this. So shell it is.
+ # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf.
+ # Also, despite ansible's yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off.
+ #args:
+ # warn: false
+ ansible.builtin.command: yum clean packages
+ changed_when: true
+ become: true
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
+ become: true
+ changed_when: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+- name: Reboot if required
+ # ignore_errors: yes
+ ansible.builtin.reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: ( nr.rc is defined and nr.rc|int > 0 ) or ( nr.rc is not defined )