Auto updates #5

Open
wants to merge 3 commits into
base: master
2 changes: 2 additions & 0 deletions hosts
@@ -0,0 +1,2 @@
[servers]

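Review bot: `[servers]` is an empty group, so the `hosts: servers` play in playbook-server-setup.yml matches no hosts and the role never runs until someone edits this file. Either add a placeholder entry under the group (e.g. `# server1.example.com ansible_host=...`) or state in the README that `hosts` must be populated before the playbook is run.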
5 changes: 5 additions & 0 deletions playbook-server-setup.yml
@@ -0,0 +1,5 @@
- hosts: servers
vars:
- automatic_updates: true
roles:
- auto-updates
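Review bot: `vars:` is written as a list (`- automatic_updates: true`) rather than the mapping form the Ansible documentation uses for play-level `vars`; the list form is only kept for backward compatibility, so this should read `vars:` followed by an indented `automatic_updates: true`. The same list form is repeated in the README's example playbook. Note also that the role's tasks only test `automatic_updates is defined`, so setting `automatic_updates: false` here has exactly the same effect as `true`.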
41 changes: 41 additions & 0 deletions roles/auto-updates/README.md
@@ -0,0 +1,41 @@
Role Name
=========

Enable either security updates or automatic updates for CentOS.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------
Set in the playbook:
automatic_updates: true or security_updates: true

Dependencies
------------

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.

Example Playbook
----------------
Run with:
ansible-playbook playbook-server-setup.yml --tags=automatic_updates -e "ansible_ssh_pass=pasword ansible_user=myusername"

Example Playbook:
- hosts: servers
vars:
- automatic_updates: true
roles:
- auto-updates

License
-------

BSD

Author Information
------------------

Meg Ford [email protected]
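Review bot: the example command under "Example Playbook" passes the SSH password on the command line (`-e "ansible_ssh_pass=pasword ..."`), which records it in shell history and exposes it in the process list to every local user; recommend `--ask-pass` (`-k`) or a vaulted variable instead, and the value itself is misspelled (`pasword`). Other points in this file: the title is still the skeleton `Role Name`, and the Requirements and Dependencies sections are untouched Galaxy template text; `yum_update_command`, `wait_ssh_down_timeout`, `wait_ssh_up_timeout`, `update_all` and `do_reboot` are all consumed by the role but are not listed under Role Variables; License says `BSD` while meta/main.yml says `GPLv2`; and the documented `--tags=automatic_updates` invocation skips every untagged task in the role, which includes the yum-utils install and the reboot check.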
11 changes: 11 additions & 0 deletions roles/auto-updates/defaults/main.yml
@@ -0,0 +1,11 @@

# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
yum_update_command: security
wait_ssh_down_timeout: 120
wait_ssh_up_timeout: 500
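Review bot: `yum_update_command: security` is a sensible default, but it combines with the hard-coded `exclude = kernel*` in templates/yum-cron.conf.j2 so that kernel security errata are never applied and nothing in this file lets an operator change that. Consider exposing the exclude list as a default here (a name such as `yum_exclude: "kernel*"` is only a suggestion) so the behaviour is visible and overridable. The three variables in this file also need an entry in the README's Role Variables section.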
9 changes: 9 additions & 0 deletions roles/auto-updates/handlers/main.yml
@@ -0,0 +1,9 @@
- name: Wait ssh down after server_reboot
local_action: wait_for host={{ inventory_hostname }} port=22 delay=0 timeout={{ wait_ssh_down_timeout }} state=stopped
become: false
listen: waitfor_server

- name: Wait ssh up after server reboot
local_action: wait_for host={{ inventory_hostname }} state=started port=22 delay=30 timeout={{ wait_ssh_up_timeout }}
become: false
listen: waitfor_server
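Review bot: both `wait_for` calls use `host={{ inventory_hostname }}`, which is the inventory alias, not the address; in an inventory that sets `ansible_host` the controller will poll the wrong name and the down/up detection fails. Use `host={{ ansible_host | default(inventory_hostname) }}`. Since both handlers share `listen: waitfor_server` they fire in file order, so the `state=stopped` wait must remain above the `state=started` wait; a one-line comment saying the order is intentional would prevent a later reorder from breaking the reboot flow.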
59 changes: 59 additions & 0 deletions roles/auto-updates/meta/main.yml
@@ -0,0 +1,59 @@
galaxy_info:
author: "Meg Ford"
description: "Update tasks for RHEL/Centos"
company: Chicago LUG

# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker

# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: GPLv2

min_ansible_version: 2.5

# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:

# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:

#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
platforms:
- name: Centos
versions:
- 7.4
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99

galaxy_tags:
- system
- basic
- updates
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
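Review bot: `license: GPLv2` contradicts the `BSD` declared in roles/auto-updates/README.md; pick one and use it in both places. Under `platforms`, `Centos` is spelled `CentOS` elsewhere in the PR, and it is worth checking the platform name Galaxy actually accepts for RHEL/CentOS (Galaxy has historically listed it as `EL` with major versions), since an unrecognised name fails the Galaxy import. The skeleton comments about removing `[]` under `galaxy_tags` and `dependencies` can be deleted now that the tags are filled in and the empty dependency list is deliberate.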
73 changes: 73 additions & 0 deletions roles/auto-updates/tasks/main.yml
@@ -0,0 +1,73 @@
- name: Print usage when no extra args are specified
debug:
msg: "You need to specify automatic_updates or security_updates (both to true)"
when: automatic_updates is not defined and security_updates is not defined

- name: Process requirements (yum-utils)
package:
name: yum-utils
state: installed

- name: Install yum-cron
package:
name: yum-cron
state: present
when: automatic_updates is defined
tags:
- automatic_updates

- name: Disable hourly yum-cron
file:
name: /etc/cron.hourly/0yum-hourly.cron
state: absent
when: automatic_updates is defined
tags:
- automatic_updates

- name: Copy yum-cron.conf
template:
src: yum-cron.conf.j2
dest: /etc/yum/yum-cron.conf
when: automatic_updates is defined
tags:
- automatic_updates

- name: Enable yum-cron service
service:
name: yum-cron
enabled: yes
state: started
when: automatic_updates is defined
tags:
- automatic_updates

- name: Security updates only
command: yum -y --security update
when: security_updates is defined
tags:
- security_updates

- name: Complete Update
yum:
update_cache: yes
name: '*'
state: latest
when: update_all is defined
tags:
- update_all

- when: ansible_distribution_major_version == "7"
block:
- name: Check if system needs a reboot
command: needs-restarting -r
register: reboot_required
failed_when: reboot_required.rc not in [0,1]

- name: restart_server
command: /usr/bin/systemd-run --on-active=10 /usr/bin/systemctl reboot
async: 0
poll: 0
ignore_errors: true
when: reboot_required.rc == 1 and do_reboot is defined
notify:
- waitfor_server
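Review bot: every conditional in this file tests `... is defined`, so `automatic_updates: false` or `security_updates: false` still enables the corresponding tasks; use `automatic_updates | default(false) | bool` (and the same for the other flags) so the README's "set to true" wording is actually enforced. Related: the "Print usage" task is a `debug`, so the play continues with nothing configured; make it a `fail` or `assert`. The "Process requirements (yum-utils)" task and the `needs-restarting` block carry no tags, so running with `--tags=automatic_updates` as the README instructs skips both, and `needs-restarting` will then be missing on a fresh host; give the prerequisite task `tags: always` and tag the reboot block. The `command: yum -y --security update` task has no `changed_when`, so it always reports changed and a no-op run looks like a change in logs; the `yum` module supports `security: yes` together with `name: '*'` and `state: latest` (Ansible 2.4+), which gives correct change reporting and idempotency. Finally, `update_all` and `do_reboot` are undocumented and absent from the usage message.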
84 changes: 84 additions & 0 deletions roles/auto-updates/templates/yum-cron.conf.j2
@@ -0,0 +1,84 @@
[commands]
# What kind of update to use:
# default = yum upgrade
# security = yum --security upgrade
# security-severity:Critical = yum --sec-severity=Critical upgrade
# minimal = yum --bugfix update-minimal
# minimal-security = yum --security update-minimal
# minimal-security-severity:Critical = --sec-severity=Critical update-minimal
update_cmd = {{ yum_update_command }}

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes

# Whether updates should be downloaded when they are available.
download_updates = yes

# Whether updates should be applied when they are available. Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

# Maximum amout of time to randomly sleep, in minutes. The program
# will sleep for a random amount of time between 0 and random_sleep
# minutes before running. This is useful for e.g. staggering the
# times that multiple systems will access update servers. If
# random_sleep is 0 or negative, the program will run immediately.
# 6*60 = 360
random_sleep = 10


[emitters]
# Name to use for this system in messages that are emitted. If
# system_name is None, the hostname will be used.
system_name = None

# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = None

# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80


[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost

# List of addresses to send messages to.
email_to = root

# Name of the host to connect to to send email messages.
email_host = localhost


[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None

# The types of group packages to install
group_package_types = mandatory, default

[base]
# This section overrides yum.conf

# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2

# skip_broken = True
mdpolicy = group:main

# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True

# Exclude kernel updates
exclude = kernel*
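Review bot: `emit_via = None` means yum-cron never reports what it downloaded or applied, so `update_messages = yes` has no effect and unattended package changes on the host leave no trail beyond /var/log/yum.log; set `emit_via = stdio` (cron mails the output to root) or `email` and template `email_to` from a role variable so operators can see what changed. `exclude = kernel*` silently withholds kernel security errata even when `update_cmd` resolves to `security`; this should be driven by a variable and called out in the README. Minor: the `# 6*60 = 360` line is a leftover from the upstream file and no longer matches `random_sleep = 10`.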
2 changes: 2 additions & 0 deletions roles/auto-updates/tests/inventory
@@ -0,0 +1,2 @@
localhost

5 changes: 5 additions & 0 deletions roles/auto-updates/tests/test.yml
@@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- auto-updates
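Review bot: this test play sets neither `automatic_updates` nor `security_updates`, and every configuring task in the role is conditioned on one of them being defined, so the test only prints the usage message and installs yum-utils; the yum-cron template, service and handlers are never exercised. Add `vars:` with `automatic_updates: true` (and consider running with `--check --diff` so the rendered yum-cron.conf is reviewed without applying it). As written the play also has to be run as root, since no `become` is set and the `package` tasks need it.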
2 changes: 2 additions & 0 deletions roles/auto-updates/vars/main.yml
@@ -0,0 +1,2 @@
---
# vars file for auto-updates