authorHarald Pfeiffer <harald.pfeiffer _ bechtle.com> 2019-08-16 16:52:38 +0200
committerHarald Pfeiffer <harald.pfeiffer _ bechtle.com> 2019-08-16 16:52:38 +0200
commitc565de62acade8e85b15c7617570c8f4824c7341 (patch)
tree06fa4a0c96514103facb4bfcadbf537baa27703b
parentd04bab2bd6dbf401b86454e7c0f001429089cf30 (diff)
downloadansible-c565de62acade8e85b15c7617570c8f4824c7341.tar.bz2
pb for hv machine
-rw-r--r--apt-upgrade-hv.yml165
1 files changed, 165 insertions, 0 deletions
diff --git a/apt-upgrade-hv.yml b/apt-upgrade-hv.yml
new file mode 100644
index 0000000..58a6170
--- /dev/null
+++ b/apt-upgrade-hv.yml
@@ -0,0 +1,165 @@
+# reboot timeouts adjusted to fit a physical machine
+# todo: merge anything in sub-tasks and main yml
+
+- hosts: lirion
+ # This will upgrade a Debian system. Steps:
+ # 1. Check rkhunter status, abandon ship if something is wrong. Skip if no rkhunter
+ # 2. Stop gitlab if existing
+ # 3. Upgrade
+ # 4. Prop-update on rkhunter if existing
+ # 5. Apt autoremove
+ # 6. Start gitlab if existing
+ # 7. Check for outdated services and kernel if needrestart exists
+ # situation: keeping a gitlab installation on one host for $reasons which remains
+ # shut down most of the times. Since the gitlab update procedure is stupid as hell
+ # for 4 major release versions at least in wanting to shut down gitlab before upgrade
+ # and failing when it can't shut down if it is already shut down... let's circumvent
+ # this incompetence with a start at the beginning and a stop in the end. You will face
+ # two scenarios:
+ # 1. You don't use gitlab. Fine. You don't even need to delete the lines as they only
+ # trigger if there is an apt update for gitlab :) if the execution bothers you,
+ # remove anything with gitlab in the task name
+ # 2. You have gitlab instances you want to keep running: add a when condition to the
+ # stop task in the end. I won't for now, because I'm lazy and thus I only meet
+ # incompetence with incompetence, so this feels sufficient. Later versions may
+ # or may not include adequate variable handling (like host.gitlabshutdown or whatever)
+ tasks:
+ - name: Update apt cache
+ apt:
+ update_cache: yes
+ become: true
+ - name: Fetch upgradable packages
+ shell: 'apt list --upgradable 2>/dev/null|grep -v ^Listing'
+ register: aptout
+ # apt will throw an error because it doesn't like piping yet.
+ # for our purposes, however, everything has already been sufficiently implemented.
+ failed_when: false
+ - name: Check for existence of rkhunter
+ stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ - name: rkhunter pre-check
+ command: rkhunter -c --sk --rwo --ns
+ become: true
+ when:
+ - aptout.stdout != ""
+ - rkhex.stat.executable == true
+ - name: Unmask gitlab-runsvdir if GitLab update is present
+ systemd:
+ name: gitlab-runsvdir.service
+ masked: no
+ failed_when: false
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Start gitlab-runsvdir if GitLab update is present
+ systemd:
+ name: gitlab-runsvdir.service
+ state: started
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Start gitlab's own rail units
+ shell: gitlab-ctl start
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Upgrade packages
+ apt:
+ upgrade: dist
+ when: aptout.stdout != ""
+ become: true
+ - name: rkhunter update of properties
+ command: rkhunter --propupd --rwo --ns
+ become: true
+ when:
+ - aptout.stdout != ""
+ - rkhex.stat.executable == true
+ - name: Remove dependencies that are no longer required
+ # Do this anytime: somebody could've manually updated and forgotten to autoremove :)
+ # I typically purge on autoremove. Remove line if contrary to your package maintenance.
+ apt:
+ autoremove: yes
+ purge: yes
+ become: true
+ # insert this if you only want to run after processed upgrades:
+ # when: aptout.stdout != ""
+ # also, this still fails with TypeNone. Look into this later. TODO.
+ ignore_errors: yes
+ - name: Stop gitlab's katyusha-on-rails
+ shell: gitlab-ctl stop
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Stop gitlab-runsvdir
+ systemd:
+ name: gitlab-runsvdir.service
+ state: stopped
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Mask gitlab-runsvdir
+ systemd:
+ name: gitlab-runsvdir.service
+ masked: no
+ become: true
+ when: aptout.stdout is search("gitlab-ce")
+ - name: Check for existence of needrestart
+ stat:
+ path: /usr/sbin/needrestart
+ register: nrex
+ ignore_errors: yes
+ # we are checking whether this is executable later on. Hence: better elevate
+ become: true
+# here's the thing with needrestart: the service check also checks for outdated sessions (good). This will give you
+# a result of at least 1, for the ansible session. Why? didn't find out yet. We will cheat and format the output
+# string to just filter for services and ignore containers and sessions for now. This is not good, but yeah -
+# the freshly forked ansible session will still give a false positive :(
+# - name: Check for outdated unrestartable services
+# shell: /usr/sbin/needrestart -plra
+# register: restout
+# when: nrex.stat.executable == true
+# become: true
+ - name: Check for outdated services (and nothing else)
+ shell: /usr/sbin/needrestart -pl|head -n1|sed 's/.*|//'|awk -F';' '{print $1}'|sed 's/.*=//'
+ register: restout
+ become: true
+ when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+# This will come once that ansible session bug in needrestart is taken care of
+# - name: Services summary
+# debug:
+# msg: "{{ restout.stdout }}"
+# when: nrex.stat.executable == true
+# - name: Wuz dis gud?
+# debug:
+# msg: "Dis wuz RC {{restout.stdout}}"
+# failed_when: restout.stdout|int > 0
+# when:
+# - nrex.stat.exists == true
+# - nrex.stat.executable == true
+# Well, fuck this. needrestart will report errors not
+ - name: Check for outdated kernel
+ shell: /usr/sbin/needrestart -pk
+ register: kernout
+ when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+ become: true
+ ignore_errors: yes
+ - name: Kernel summary
+ debug:
+ msg: "{{ kernout.stdout }}"
+ when:
+ - nrex.stat.exists == true
+ - nrex.stat.executable == true
+ - name: Reboot if outdated kernel
+ reboot:
+ reboot_timeout: "900"
+ post_reboot_delay: "300"
+ become: true
+ register: rbt
+ when:
+ - kernout.rc != 0
+ - name: Stats
+ debug:
+ msg: "Reboot took {{rbt.elapsed}} seconds."
+ when:
+ - rbt.elapsed != ""
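Review bot: The task named `Mask gitlab-runsvdir` (the last of the three gitlab stop tasks, after `Stop gitlab-runsvdir`) sets `masked: no`, which unmasks the unit rather than masking it, so after the upgrade the service is left unmasked and startable even though the header comment says the instance is meant to stay shut down; it looks like a copy of the unmask task and should read `masked: true`. The `rkhunter pre-check` and `rkhunter update of properties` tasks test `rkhex.stat.executable == true` without first checking `rkhex.stat.exists`, so on a host without rkhunter the stat result appears to carry no `executable` key and the conditional errors instead of skipping as step 1 of the comment promises; adding `- rkhex.stat.exists` as the first list entry would match the guard the needrestart tasks already use. The same undefined-variable problem applies to `kernout.rc != 0` and `rbt.elapsed != ""` when the kernel check or the reboot is skipped, since a skipped task registers no `rc` or `elapsed`; guarding with `kernout.rc is defined and kernout.rc != 0` and `rbt.elapsed is defined` keeps the play from failing on hosts without needrestart or without a pending kernel. Writing the `yes`/`no` values on the apt and systemd arguments as `true`/`false` would also make the masked/unmasked intent visible at a glance.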