From 4f0b5cb177f98c7f1d80504f94eeba94f721d2de Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Sun, 5 May 2024 14:46:51 +0200
Subject: Initial commit after port

This is a ported collection of my patch playbooks + roles. Before, they were living inside an "all things ansible" repository. The history is not important as shortly before porting, the code had been revamped (before, it employed changes for host selection which worked but changes are not intended for that).
---
 roles/patch_redhat/tasks/main.yaml | 91 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 roles/patch_redhat/tasks/main.yaml
(limited to 'roles/patch_redhat/tasks/main.yaml')
diff --git a/roles/patch_redhat/tasks/main.yaml b/roles/patch_redhat/tasks/main.yaml
new file mode 100644
index 0000000..7f200e7
--- /dev/null
+++ b/roles/patch_redhat/tasks/main.yaml
@@ -0,0 +1,91 @@
+---
+- name: "Check whether OS is a Red Hat derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'RedHat'
+ no_log: true
+- name: Update yum/dnf cache
+ # We want to see a dedicated failure if the repos cannot be fetched already.
+ # Cheating here: yum wants a "state" statement to be placed before it takes action, and then - other than stated in the docs -
+ # we can trigger an action containing update_cache without "name" being mandatory. So we will have no package present with
+ # updated cache :-)
+ ansible.builtin.yum:
+ state: present
+ update_cache: "yes"
+ validate_certs: "yes"
+ become: true
+- name: Check for upgrades (RHEL)
+ # yum check-upgrade would normally throw an RC 100 if updates are available.
+ # But through ansible: RC0! Weeeee
+ ansible.builtin.shell: /usr/bin/yum -q -C check-upgrade 2>/dev/null | wc -l
+ # args:
+ # warn: false
+ register: yue
+ changed_when: false
+ become: true
+- block:
+ - name: Check for existence of rkhunter
+ ansible.builtin.stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ - name: RKhunter pre-check
+ ansible.builtin.command: rkhunter -c --sk --rwo --ns
+ become: true
+ no_log: true
+ changed_when: false
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+ - name: Upgrade all installed packages (RHEL)
+ ansible.builtin.yum:
+ name: '*'
+ state: latest
+ validate_certs: "yes"
+ skip_broken: "yes"
+ become: true
+ # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
+ # See ansible issue #60349. Leaving commented out. -- pff
+ # - name: Auto-removal of orphaned dependencies (RHEL)
+ # ansible.builtin.yum:
+ # autoremove: "yes"
+ name: Updates and RKhunter checks
+ # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
+ # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
+ when: yue.stdout|int > 1
+- block:
+ - name: Register requirement for reboot (RHEL)
+ # "yum needs-restarting still works on RHEL 8, and "needs-restarting" is obsolete
+ # On major releases >= 9 you may want to create an alternative for symlinking yum to dnf
+ ansible.builtin.command: yum needs-restarting -r
+ register: nr
+ changed_when: false
+ failed_when: false
+ become: true
+ name: Check reboot requirement
+- name: Clean packages cache (RHEL)
+ # ansible's yum module does not have a dedicated action for this. So shell it is.
+ # CAUTION: This will only work as long as modern RHEL derivatives (RHEL/CentOS >=8, Fedora >=30) will have yum available as pseudo-alias to dnf.
+ # Also, despite ansible's yum not offering this feature, ansible will warn that there is a yum module and we should consider using it. Turning warnings off.
+ #args:
+ # warn: false
+ ansible.builtin.command: yum clean packages
+ changed_when: true
+ become: true
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
+ become: true
+ changed_when: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable
+- name: Reboot if required
+ # ignore_errors: yes
+ ansible.builtin.reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: ( nr.rc is defined and nr.rc|int > 0 ) or ( nr.rc is not defined )
-- cgit v1.2.3
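Review bot: The "Reboot if required" task at the end of the hunk reboots on any non-zero exit of `yum needs-restarting -r`, and because that command is registered with `failed_when: false`, a host where the plugin is absent (needs-restarting ships in yum-utils / dnf-plugins-core, which the role never installs) or where the command errors for any other reason gets rebooted on every run; the `nr.rc is not defined` branch adds a second unconditional-reboot path. If I read dnf-plugins-core correctly, `needs-restarting -r` exits 1 only when a reboot is actually needed, so I would pin that value and stop swallowing real errors: `failed_when: nr.rc|int > 1` on the check and `when: nr.rc is defined and nr.rc|int == 1` on the reboot, plus a `state: present` task for the plugin package ahead of it, since a missing plugin presumably also exits non-zero and would otherwise still look like "reboot needed". Separately, `no_log: true` on the rkhunter pre-check suppresses exactly the output an operator needs when that task aborts the patch run on a rootkit warning; `no_log` is for secrets, and `--rwo` output carries none, so drop it. `skip_broken: "yes"` on the `'*'` upgrade likewise lets packages with unresolvable dependencies stay at their vulnerable version without any report, so at minimum `register` that result and surface what was skipped. The boolean-looking strings (`update_cache: "yes"`, `validate_certs: "yes"`, `skip_broken: "yes"`) should be plain `true` to match the `become: true` lines in the same file.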