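---
- hosts: lirion_virt
  # Upgrades a Debian host. Steps, in the order the tasks below run:
  # 1. rkhunter pre-check; a warning aborts the play for that host (skipped if rkhunter is absent)
  # 2. Unmask and start GitLab, but only if a gitlab-ce upgrade is pending
  # 3. apt dist-upgrade
  # 4. rkhunter --propupd to re-baseline file properties (skipped if rkhunter is absent)
  # 5. apt autoremove (with purge)
  # 6. Stop and mask GitLab again, if it was started in step 2
  # 7. If needrestart is installed: list outdated services, reboot when it reports an outdated kernel
  # Background: one host keeps a GitLab installation for $reasons that stays shut down most of
  # the time. The gitlab-ce package wants to shut GitLab down itself before upgrading and fails
  # when it is already shut down (for at least four major releases), so this play starts GitLab
  # before the upgrade and stops it again afterwards. Two scenarios:
  # 1. You do not run GitLab: the gitlab tasks are harmless, they only trigger when an apt
  #    update for gitlab-ce is pending. Remove every task with "gitlab" in its name if their
  #    execution bothers you.
  # 2. You run GitLab instances that should stay up: add a when condition to the stop/mask
  #    tasks at the end. Proper variable handling (e.g. a per-host gitlab_shutdown flag) may or
  #    may not come in a later version.
  tasks: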
#  - name: Update apt cache on apt-cacher
#    apt:
#      update_cache: yes
#    become: true
#    delegate_to: acng
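  - name: Clean packages cache prior to apt actions
    # Some targets (e.g. self-built firewall VMs) have disks sized tightly for
    # their job, so keep /var/cache/apt small before fetching new packages.
    # apt-get is the script-stable CLI; plain "apt" warns that its interface is
    # not meant for scripts. Once the apt module used here offers a clean
    # option, prefer that over this command task.
    command: apt-get clean
    become: true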
  - name: Update apt cache
    # Refresh the package lists so the upgradable-package probe below sees
    # current data.
    become: true
    apt:
      update_cache: true
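  - name: Fetch upgradable packages
    # Everything below is gated on this output (empty stdout = nothing to do),
    # so a failure here must not be swallowed: a broken apt (lock held, sources
    # unreachable, binary missing) would otherwise turn the play into a silent
    # no-op and leave the host unpatched. The only non-zero status we expect is
    # grep's exit 1 for "no lines selected" (= no upgrades pending), which the
    # "|| [ $? -eq 1 ]" group maps to success; with pipefail, apt's own failure
    # then surfaces as the pipeline status and fails the task. apt's stderr is
    # no longer discarded so the reason is visible in the task result; it does
    # not reach stdout and therefore does not affect the gating.
    shell: >-
      set -o pipefail;
      apt list --upgradable | { grep -v '^Listing' || [ $? -eq 1 ]; }
    args:
      executable: /bin/bash
    register: aptout
    changed_when: false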
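  - name: Check for existence of rkhunter
    # stat does not fail on a missing path, it reports exists: false, so there
    # is nothing to ignore here; ignoring errors would only hide genuine
    # failures from the rkhunter gating below.
    stat:
      path: /usr/bin/rkhunter
    register: rkhex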
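  - name: rkhunter pre-check
    # Runs only when upgrades are pending and rkhunter is installed. A non-zero
    # exit (warnings found) fails this task and drops the host from the rest of
    # the play: we do not want to upgrade, and later --propupd would whitewash,
    # a host that already looks tampered with.
    # stat.executable is only present when the path exists, so exists is tested
    # first; the when list is and-ed left to right and short-circuits, which is
    # what keeps the executable test from erroring on hosts without rkhunter.
    command: rkhunter -c --sk --rwo --ns
    become: true
    changed_when: false
    when:
      - aptout.stdout != ""
      - rkhex.stat.exists
      - rkhex.stat.executable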
  - name: Unmask gitlab-runsvdir if GitLab update is present
    # The unit is masked again at the end of this play (and does not exist on
    # hosts without GitLab), so a failure here is deliberately not fatal.
    when: aptout.stdout is search("gitlab-ce")
    become: true
    failed_when: false
    systemd:
      name: gitlab-runsvdir.service
      masked: false
  - name: Start gitlab-runsvdir if GitLab update is present
    # The gitlab-ce package expects GitLab to be running while it upgrades
    # itself (see the play header), so bring the supervisor up first.
    when: aptout.stdout is search("gitlab-ce")
    become: true
    systemd:
      state: started
      name: gitlab-runsvdir.service
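  - name: Start gitlab's own rail units
    # No shell features (pipes, redirects, variables) are used, so run the
    # binary directly instead of through /bin/sh.
    command: gitlab-ctl start
    become: true
    when: aptout.stdout is search("gitlab-ce")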
  - name: Upgrade packages
    # dist-upgrade, only when the probe above listed at least one upgradable
    # package.
    become: true
    when: aptout.stdout != ""
    apt:
      upgrade: dist
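  - name: rkhunter update of properties
    # Re-baselines rkhunter's file-property database so the files apt just
    # replaced do not show up as warnings on the next scan. This is only sound
    # right after a trusted upgrade: the pre-check above must have passed (a
    # failing pre-check aborts the play for the host before we get here), and
    # anything else modified on the host between the two rkhunter runs is
    # whitewashed into the baseline as well.
    # Same exists-before-executable guard as the pre-check: stat.executable is
    # absent when the path is missing and would error out in the condition.
    command: rkhunter --propupd --rwo --ns
    become: true
    when:
      - aptout.stdout != ""
      - rkhex.stat.exists
      - rkhex.stat.executable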
  - name: Remove dependencies that are no longer required
    # Unconditional on purpose: a manual upgrade may have left orphans behind.
    # Purging on autoremove is a personal choice; drop the purge line if your
    # package maintenance differs. To run this only after an actual upgrade,
    # add: when: aptout.stdout != ""
    # Still trips a TypeNone error at times (TODO, not yet investigated), hence
    # errors are ignored.
    become: true
    ignore_errors: true
    apt:
      autoremove: true
      purge: true
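  - name: Stop gitlab's katyusha-on-rails
    # No shell features are used, so run the binary directly instead of
    # through /bin/sh (matches the start task above).
    command: gitlab-ctl stop
    become: true
    when: aptout.stdout is search("gitlab-ce")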
  - name: Stop gitlab-runsvdir
    # Take the supervisor down again after its rail units were stopped.
    when: aptout.stdout is search("gitlab-ce")
    become: true
    systemd:
      state: stopped
      name: gitlab-runsvdir.service
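  - name: Mask gitlab-runsvdir
    # Mask, not unmask: the earlier "masked: no" here left the unit startable,
    # so an enabled unit would be started again at the next boot, including the
    # kernel reboot at the end of this play, defeating the "keep GitLab shut
    # down" intent from the play header.
    systemd:
      name: gitlab-runsvdir.service
      masked: true
    become: true
    when: aptout.stdout is search("gitlab-ce")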
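  - name: Check for existence of needrestart
    # stat.executable is tested further down, so run the stat as the user that
    # will execute needrestart (root). A missing path is reported as
    # exists: false rather than as a failure, so no error handling is needed
    # and ignoring errors would only hide real problems.
    stat:
      path: /usr/sbin/needrestart
    register: nrex
    become: true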
# here's the thing with needrestart: the service check also checks for outdated sessions (good). This will give you
# a result of at least 1, for the ansible session. Why? didn't find out yet. We will cheat and format the output
# string to just filter for services and ignore containers and sessions for now. This is not good, but yeah -
# the freshly forked ansible session will still give a false positive :(
#  - name: Check for outdated unrestartable services
#    shell: /usr/sbin/needrestart -plra
#    register: restout
#     when: nrex.stat.executable == true
#    become: true
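  - name: Check for outdated services (and nothing else)
    # Pulls the service count out of needrestart's plugin-mode output. The
    # pipeline ends in sed, so its exit status is sed's, never needrestart's;
    # nothing here can fail the play. The result is currently only registered:
    # the summary/failure tasks below stay commented out until needrestart
    # stops counting the Ansible session itself. Read-only probe, hence
    # changed_when: false.
    # NOTE(review): the head/sed/awk chain assumes a specific needrestart
    # output format; verify against the installed version before relying on
    # restout.
    shell: /usr/sbin/needrestart -pl|head -n1|sed 's/.*|//'|awk -F';' '{print $1}'|sed 's/.*=//'
    register: restout
    become: true
    changed_when: false
    when:
      - nrex.stat.exists
      - nrex.stat.executable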
# This will come once that ansible session bug in needrestart is taken care of
#  - name: Services summary
#    debug:
#      msg: "{{ restout.stdout }}"
#    when: nrex.stat.executable == true
#  - name: Wuz dis gud?
#    debug:
#      msg: "Dis wuz RC {{restout.stdout}}"
#    failed_when: restout.stdout|int > 0
#    when:
#      - nrex.stat.exists == true
#      - nrex.stat.executable == true
# Parked for now: needrestart counts the Ansible session itself as outdated, so its service report cannot be used as a failure condition yet.
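  - name: Check for outdated kernel
    # needrestart -p follows the Nagios plugin convention and exits non-zero
    # when something needs attention, so a non-zero rc is the expected signal,
    # not an error: failed_when: false keeps the task green while rc is still
    # registered for the reboot decision below (ignore_errors would report the
    # task as failed on every outdated kernel). No shell features are used, so
    # the binary runs directly.
    command: /usr/sbin/needrestart -pk
    register: kernout
    become: true
    changed_when: false
    failed_when: false
    when:
      - nrex.stat.exists
      - nrex.stat.executable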
  - name: Kernel summary
    # Echo needrestart's kernel verdict; kernout.stdout is set whenever the
    # probe above ran, which is exactly when these two conditions hold.
    when:
      - nrex.stat.exists
      - nrex.stat.executable
    debug:
      msg: "{{ kernout.stdout }}"
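  - name: Reboot if outdated kernel
    # kernout only carries rc when the needrestart probe actually ran; on
    # hosts without needrestart the probe is skipped and the registered result
    # has no rc at all, which made the bare "kernout.rc != 0" error out
    # instead of skipping.
    # NOTE(review): any non-zero rc reboots the host, including needrestart's
    # "unknown" (Nagios exit 3) or a crash of the tool; tighten this to the
    # specific exit codes once the installed needrestart's mapping is confirmed.
    reboot:
      reboot_timeout: 240
      post_reboot_delay: 120
    become: true
    register: rbt
    when:
      - kernout.rc is defined
      - kernout.rc != 0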
  - name: Stats
    # rbt.elapsed is only present when the reboot task actually ran.
    when: rbt.elapsed is defined
    debug:
      msg: "Reboot took {{rbt.elapsed}} seconds."