Auto updates

hosts

@@ -0,0 +1,2 @@
+[servers]
+

playbook-server-setup.yml

@@ -0,0 +1,5 @@
+- hosts: servers
+  vars:
+  - automatic_updates: true
+  roles:
+  - auto-updates

roles/auto-updates/README.md

@@ -0,0 +1,41 @@
+Role Name
+=========
+
+Enable either security updates or automatic updates for CentOS.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+Set in the playbook:
+	automatic_updates: true or security_updates: true
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+Run with:
+ ansible-playbook playbook-server-setup.yml --tags=automatic_updates -e "ansible_ssh_pass=pasword ansible_user=myusername"
+
+Example Playbook:
+- hosts: servers
+  vars:
+  - automatic_updates: true
+  roles:
+  - auto-updates
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Meg Ford [email protected]

roles/auto-updates/defaults/main.yml

@@ -0,0 +1,11 @@
+
+#  What kind of update to use:
+# default                            = yum upgrade
+# security                           = yum --security upgrade
+# security-severity:Critical         = yum --sec-severity=Critical upgrade
+# minimal                            = yum --bugfix update-minimal
+# minimal-security                   = yum --security update-minimal
+# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
+yum_update_command: security
+wait_ssh_down_timeout: 120
+wait_ssh_up_timeout: 500

roles/auto-updates/handlers/main.yml

@@ -0,0 +1,9 @@
+- name: Wait ssh down after server_reboot
+  local_action: wait_for host={{ inventory_hostname }} port=22 delay=0 timeout={{ wait_ssh_down_timeout }} state=stopped
+  become: false
+  listen: waitfor_server
+
+- name: Wait ssh up after server reboot
+  local_action: wait_for host={{ inventory_hostname }} state=started port=22 delay=30 timeout={{ wait_ssh_up_timeout }}
+  become: false
+  listen: waitfor_server

roles/auto-updates/meta/main.yml

@@ -0,0 +1,59 @@
+galaxy_info:
+  author: "Meg Ford"
+  description: "Update tasks for RHEL/Centos"
+  company: Chicago LUG
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: GPLv2
+
+  min_ansible_version: 2.5
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # platforms is a list of platforms, and each platform has a name and a list of versions.
+  #
+  platforms:
+  - name: Centos
+    versions:
+    - 7.4
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags:
+    - system
+    - basic
+    - updates
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/auto-updates/tasks/main.yml

@@ -0,0 +1,73 @@
+- name: Print usage when no extra args are specified
+  debug:
+    msg: "You need to specify automatic_updates or security_updates (both to true)"
+  when: automatic_updates is not defined and security_updates is not defined
+
+- name: Process requirements (yum-utils)
+  package:
+    name: yum-utils
+    state: installed
+
+- name: Install yum-cron
+  package:
+    name: yum-cron
+    state: present
+  when: automatic_updates is defined
+  tags:
+    - automatic_updates
+
+- name: Disable hourly yum-cron
+  file:
+    name: /etc/cron.hourly/0yum-hourly.cron
+    state: absent
+  when: automatic_updates is defined
+  tags:
+    - automatic_updates
+
+- name: Copy yum-cron.conf
+  template:
+    src: yum-cron.conf.j2
+    dest: /etc/yum/yum-cron.conf
+  when: automatic_updates is defined
+  tags:
+    - automatic_updates
+
+- name: Enable yum-cron service
+  service:
+    name: yum-cron
+    enabled: yes
+    state: started
+  when: automatic_updates is defined
+  tags:
+    - automatic_updates
+
+- name: Security updates only
+  command: yum -y --security update
+  when: security_updates is defined
+  tags:
+    - security_updates
+
+- name: Complete Update
+  yum:
+    update_cache: yes
+    name: '*'
+    state: latest
+  when: update_all is defined
+  tags:
+    - update_all
+
+- when: ansible_distribution_major_version == "7"
+  block:
+    - name: Check if system needs a reboot
+      command: needs-restarting -r
+      register: reboot_required
+      failed_when: reboot_required.rc not in [0,1]
+
+    - name: restart_server
+      command: /usr/bin/systemd-run --on-active=10 /usr/bin/systemctl reboot
+      async: 0
+      poll: 0
+      ignore_errors: true
+      when: reboot_required.rc == 1 and do_reboot is defined
+      notify:
+       - waitfor_server

roles/auto-updates/templates/yum-cron.conf.j2

@@ -0,0 +1,84 @@
+[commands]
+#  What kind of update to use:
+# default                            = yum upgrade
+# security                           = yum --security upgrade
+# security-severity:Critical         = yum --sec-severity=Critical upgrade
+# minimal                            = yum --bugfix update-minimal
+# minimal-security                   = yum --security update-minimal
+# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
+update_cmd = {{ yum_update_command }}
+
+# Whether a message should be emitted when updates are available,
+# were downloaded, or applied.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available.
+download_updates = yes
+
+# Whether updates should be applied when they are available.  Note
+# that download_updates must also be yes for the update to be applied.
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes.  The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running.  This is useful for e.g. staggering the
+# times that multiple systems will access update servers.  If
+# random_sleep is 0 or negative, the program will run immediately.
+# 6*60 = 360
+random_sleep = 10
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages.  Valid options are stdio and email.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = None
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+output_width = 80
+
+
+[email]
+# The address to send email messages from.
+# NOTE: 'localhost' will be replaced with the value of system_name.
+email_from = root@localhost
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+
+[groups]
+# NOTE: This only works when group_command != objects, which is now the default
+# List of groups to update
+group_list = None
+
+# The types of group packages to install
+group_package_types = mandatory, default
+
+[base]
+# This section overrides yum.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: critical+errors
+# -2: critical+errors+warnings (default)
+debuglevel = -2
+
+# skip_broken = True
+mdpolicy = group:main
+
+# Uncomment to auto-import new gpg keys (dangerous)
+# assumeyes = True
+
+# Exclude kernel updates
+exclude = kernel*

roles/auto-updates/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/auto-updates/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - auto-updates

roles/auto-updates/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for auto-updates