From 9f7b1e7638b4985c1e2b528ffcd7ee97732aae82 Mon Sep 17 00:00:00 2001 From: Harald Pfeiffer Date: Sun, 14 Apr 2024 21:16:06 +0200 Subject: +SUSE --- roles/patch_suse/tasks/main.yaml | 101 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 roles/patch_suse/tasks/main.yaml (limited to 'roles') diff --git a/roles/patch_suse/tasks/main.yaml b/roles/patch_suse/tasks/main.yaml new file mode 100644 index 0000000..cd5a4c5 --- /dev/null +++ b/roles/patch_suse/tasks/main.yaml @@ -0,0 +1,101 @@ +--- +- name: "Check whether OS is a SUSE derivative" + ansible.builtin.assert: + that: + - ansible_distribution_file_variety == 'SUSE' or ansible_distribution_file_variety == 'SuSE' + no_log: true +- name: Check for existence of rkhunter + ansible.builtin.stat: + path: /usr/bin/rkhunter + register: rkhex + ignore_errors: true + no_log: true + # yum always tosses this arbitrary extra line at you, a simple tr -s does not eradicate it, so - well, + # 0 and 1 are fine. As explained above, the RC is worthless when run through ansible. + changed_when: false + notify: "rkhunter execution" +- name: Update zypper cache (SUSE) + # we cannot cheat like we did with yum: we need to update any package to refresh the cache with the zypper module. Hence falling back + # to shell. + ansible.builtin.shell: + cmd: 'zypper refs && zypper ref' + changed_when: false + register: zypperref + become: true +- name: Verify Zypper repository availability + # Now, here's the thing with zypper. If you have a dead repository, you need to face the following facts: + # 1. All output goes to stdout. For zypper lu at least on SLE12/openSUSE42 and earlier, this is: + # - The packages available for update + # - Debug output lik "loading repository data..." and "reading installed packages..." + # (could be silenced with -q, but without RC feedback we need the debug strings again, kek.) + # - WARNING(!!) messages + # ... there is no STDERR. + # 2. There is no return code other than 0 for warnings. + # Great. Interaction with automatisms as if that stuff came directly from Redmond. + # So we need to parse the fucking output string in ansible. Let's start with the "repository not available" warnings. + ansible.builtin.debug: + msg: "Dead repositories existing and no update present, we consider this a failure." + when: + - zypperref is search("Repository.*appears to be outdated") + - zypperref is search("No updates found") + failed_when: true +- name: Check for zypper updates + ansible.builtin.command: zypper lu + register: zypperlu + changed_when: false + become: true +- block: + - name: Update all packages (SUSE) + # we could narrow this down via type:patch, but that's about all. So fire away. + community.general.zypper: + name: '*' + state: latest + extra_args: '--no-refresh' + # this is only document as "zypper rm -u", so apparently nothing is existing like + # rpm's cleanup or apt's "autoremove" :( + # clean_deps: true + become: true + name: Update and RKhunter checks + when: + - zypperlu is not search("No updates found.") +- block: + - name: Register requirement for reboot (SUSE) + # change in paradigm: we will now use "needs-rebooting", suse implemented that somewhere between 12 and 15, instead of "ps -sss" + # todo: what to do if services require a refork? + # shell: zypper ps -sss + ansible.builtin.command: zypper needs-rebooting + register: nrout + changed_when: nrout.rc|int == 102 + failed_when: nrout.rc|int != 102 and nrout.rc|int != 0 + notify: "Reboot if required" + # we listen to "suse upd" here in case a previous reboot was skipped. Change to "suse updates available" if undesired. + name: Check reboot requirement +- block: + - name: Clean packages cache + # ansible's zypper module does not have a dedicated action for this yet. So shell it is: + ansible.builtin.command: zypper clean + changed_when: false + - name: Purge old kernels + # ansible's zypper module does not have a dedicated action for this yet. So shell it is: + ansible.builtin.command: zypper purge-kernels + # TODO: Check output for actual kernel-purging and make this a proper statement: + changed_when: false + name: Cleanup + become: true +- name: RKhunter properties update + ansible.builtin.command: rkhunter --propupd --rwo --ns + become: true + changed_when: true + when: + - rkhex.stat is defined + - rkhex.stat.executable is defined + - rkhex.stat.executable|bool == true +- name: Reboot if required + # ignore_errors: yes + ansible.builtin.reboot: + reboot_timeout: 300 + pre_reboot_delay: 5 + test_command: uptime + reboot_command: "/bin/systemctl reboot" + become: true + when: nrout is defined and nrout.rc is defined and nrout.rc|int == 102 -- cgit v1.2.3