-rw-r--r--patch.yaml14
-rw-r--r--roles/patch_suse/tasks/main.yaml101
2 files changed, 114 insertions, 1 deletions
diff --git a/patch.yaml b/patch.yaml
index f78d79e..3ab323d 100644
--- a/patch.yaml
+++ b/patch.yaml
@@ -36,4 +36,16 @@
- name: Red Hat Patches
ansible.builtin.import_role:
name: "patch_redhat"
- when: ansible_distribution_file_variety == "RedHat"
+ tags:
+ - redhat
+- hosts: adfv_suse
+ order: inventory
+ gather_facts: false
+ # default: all in first step, but that shit requires (int)
+ serial: 666
+ tasks:
+ - name: SUSE Patches
+ ansible.builtin.import_role:
+ name: "patch_suse"
+ tags:
+ - suse
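Review bot: The new `adfv_suse` play sets `gather_facts: false`, yet the role it imports opens with an assert on `ansible_distribution_file_variety` (a gathered fact), so unless facts for those hosts were gathered by an earlier play in this run or come from a fact cache, the play fails at that assert with an undefined variable rather than with the intended OS check. Either drop `gather_facts: false` or add an explicit `ansible.builtin.setup` with `gather_subset: min` before the import. `serial: 666` is a magic number standing in for "all hosts at once"; Ansible accepts a percentage string for exactly this, so `serial: "100%"` says what is meant and makes the comment unnecessary. The hunk's first lines belong to the preceding play, whose header is outside the hunk.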
diff --git a/roles/patch_suse/tasks/main.yaml b/roles/patch_suse/tasks/main.yaml
new file mode 100644
index 0000000..cd5a4c5
--- /dev/null
+++ b/roles/patch_suse/tasks/main.yaml
@@ -0,0 +1,101 @@
+---
+- name: "Check whether OS is a SUSE derivative"
+ ansible.builtin.assert:
+ that:
+ - ansible_distribution_file_variety == 'SUSE' or ansible_distribution_file_variety == 'SuSE'
+ no_log: true
+- name: Check for existence of rkhunter
+ ansible.builtin.stat:
+ path: /usr/bin/rkhunter
+ register: rkhex
+ ignore_errors: true
+ no_log: true
+ # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
+ # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible.
+ changed_when: false
+ notify: "rkhunter execution"
+- name: Update zypper cache (SUSE)
+ # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back
+ # to shell.
+ ansible.builtin.shell:
+ cmd: 'zypper refs && zypper ref'
+ changed_when: false
+ register: zypperref
+ become: true
+- name: Verify Zypper repository availability
+ # Now, here's the thing with zypper. If you have a dead repository, you need to face the following facts:
+ # 1. All output goes to stdout. For zypper lu at least on SLE12/openSUSE42 and earlier, this is:
+ # - The packages available for update
+ # - Debug output lik "loading repository data..." and "reading installed packages..."
+ # (could be silenced with -q, but without RC feedback we need the debug strings again, kek.)
+ # - WARNING(!!) messages
+ # ... there is no STDERR.
+ # 2. There is no return code other than 0 for warnings.
+ # Great. Interaction with automatisms as if that stuff came directly from Redmond.
+ # So we need to parse the fucking output string in ansible. Let's start with the "repository not available" warnings.
+ ansible.builtin.debug:
+ msg: "Dead repositories existing and no update present, we consider this a failure."
+ when:
+ - zypperref is search("Repository.*appears to be outdated")
+ - zypperref is search("No updates found")
+ failed_when: true
+- name: Check for zypper updates
+ ansible.builtin.command: zypper lu
+ register: zypperlu
+ changed_when: false
+ become: true
+- block:
+ - name: Update all packages (SUSE)
+ # we could narrow this down via type:patch, but that's about all. So fire away.
+ community.general.zypper:
+ name: '*'
+ state: latest
+ extra_args: '--no-refresh'
+ # this is only document as "zypper rm -u", so apparently nothing is existing like
+ # rpm's cleanup or apt's "autoremove" :(
+ # clean_deps: true
+ become: true
+ name: Update and RKhunter checks
+ when:
+ - zypperlu is not search("No updates found.")
+- block:
+ - name: Register requirement for reboot (SUSE)
+ # change in paradigm: we will now use "needs-rebooting", suse implemented that somewhere between 12 and 15, instead of "ps -sss"
+ # todo: what to do if services require a refork?
+ # shell: zypper ps -sss
+ ansible.builtin.command: zypper needs-rebooting
+ register: nrout
+ changed_when: nrout.rc|int == 102
+ failed_when: nrout.rc|int != 102 and nrout.rc|int != 0
+ notify: "Reboot if required"
+ # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired.
+ name: Check reboot requirement
+- block:
+ - name: Clean packages cache
+ # ansible's zypper module does not have a dedicated action for this yet. So shell it is:
+ ansible.builtin.command: zypper clean
+ changed_when: false
+ - name: Purge old kernels
+ # ansible's zypper module does not have a dedicated action for this yet. So shell it is:
+ ansible.builtin.command: zypper purge-kernels
+ # TODO: Check output for actual kernel-purging and make this a proper statement:
+ changed_when: false
+ name: Cleanup
+ become: true
+- name: RKhunter properties update
+ ansible.builtin.command: rkhunter --propupd --rwo --ns
+ become: true
+ changed_when: true
+ when:
+ - rkhex.stat is defined
+ - rkhex.stat.executable is defined
+ - rkhex.stat.executable|bool == true
+- name: Reboot if required
+ # ignore_errors: yes
+ ansible.builtin.reboot:
+ reboot_timeout: 300
+ pre_reboot_delay: 5
+ test_command: uptime
+ reboot_command: "/bin/systemctl reboot"
+ become: true
+ when: nrout is defined and nrout.rc is defined and nrout.rc|int == 102
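Review bot: "RKhunter properties update" runs `rkhunter --propupd` on every run, gated only on the binary existing, so the file-properties baseline is rewritten even when no package changed, which silently baselines any drift rkhunter was supposed to catch; the block is even named "Update and RKhunter checks" but the task sits outside it. Add `register: zypperup` to "Update all packages (SUSE)" and `- zypperup is defined and zypperup is changed` to the propupd `when:` list, or move the task into that block. The tests `zypperref is search(...)` and `zypperlu is not search(...)` are applied to the whole registered result rather than its output; they appear to work only because the result is stringified, so `zypperref.stdout is search(...)` and `zypperlu.stdout is not search(...)` are the intended forms. The `notify: "rkhunter execution"` on the stat task can never fire because that task has `changed_when: false`, and its comment still talks about yum, so it looks copied from the Red Hat role; `no_log: true` on the assert only hides the failure message, there is nothing sensitive in it.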