path: root/roles/patch_redhat/tasks/main.yaml
blob: 7f200e7655e5caa5e221c6647aafaeaa920a64d0 (plain)
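---
- name: "Check whether OS is a Red Hat derivative"
  # Guard for the whole role: every task below drives yum/dnf, so stop early on anything else.
  # The `is defined` check comes first so a play with fact gathering disabled fails with the
  # assertion message below instead of an undefined-variable error.
  ansible.builtin.assert:
    that:
      - ansible_distribution_file_variety is defined
      - ansible_distribution_file_variety == 'RedHat'
    fail_msg: "This role only supports Red Hat derivatives (ansible_distribution_file_variety must be 'RedHat')"
    # quiet keeps the success output terse; unlike no_log it still shows fail_msg when the
    # assertion fails, and nothing evaluated here is sensitive.
    quiet: true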
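- name: Update yum/dnf cache
  # Refresh the metadata on its own so a broken or unreachable repo fails here, as a dedicated
  # task, rather than halfway through the upgrade. The yum module insists on a "state" before it
  # acts, but - other than the docs suggest - update_cache then works without "name", so nothing
  # gets installed here; only the cache is refreshed.
  ansible.builtin.yum:
    state: present
    # Real booleans instead of the quoted "yes" strings: same result after Ansible's coercion,
    # but unambiguous for linters and for anyone reading the play.
    update_cache: true
    # Keep certificate verification on for repository access.
    validate_certs: true
  become: true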
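- name: Check for upgrades (RHEL)
  # yum check-upgrade exits 100 when updates are available and 0 when there are none. Piping
  # into wc -l normally masks that code (the pipeline reports wc's 0), which is why the line
  # count in yue.stdout is what the later tasks go by. With pipefail a real yum failure (e.g. a
  # missing cache, since -C is cache-only) fails this task instead of silently reporting
  # "0 upgrades" and skipping the whole upgrade block; 0 and 100 are both legitimate results.
  # stderr is no longer discarded: it is captured separately in yue.stderr and never reaches wc.
  ansible.builtin.shell: set -o pipefail; /usr/bin/yum -q -C check-upgrade | wc -l
  args:
    # pipefail is a bash option; do not rely on /bin/sh being bash.
    executable: /bin/bash
  register: yue
  changed_when: false
  failed_when: yue.rc not in [0, 100]
  become: true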
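- name: Updates and RKhunter checks
  # yum always tosses an arbitrary extra line at you, a simple tr -s does not eradicate it, so - well,
  # 0 and 1 are fine. The exit code of the check task is masked by its pipe, so the line count is
  # the only usable signal.
  when: yue.stdout | int > 1
  block:
    - name: Check for existence of rkhunter
      ansible.builtin.stat:
        path: /usr/bin/rkhunter
      register: rkhex
    - name: RKhunter pre-check
      # Baseline check before anything is touched. There is no failed_when override, so a
      # non-zero exit (rkhunter reports warnings that way - confirm for the installed version)
      # stops the play before the upgrade and before the later --propupd re-baselines the
      # changed files.
      # NOTE(review): no_log also hides the warning detail from the log, so on a failure the
      # operator has to re-run rkhunter by hand to see what tripped.
      ansible.builtin.command: rkhunter -c --sk --rwo --ns
      become: true
      no_log: true
      changed_when: false
      when:
        - rkhex.stat is defined
        - rkhex.stat.executable is defined
        - rkhex.stat.executable
    - name: Upgrade all installed packages (RHEL)
      ansible.builtin.yum:
        name: '*'
        state: latest
        # Real booleans instead of quoted "yes" strings; identical after Ansible's coercion.
        validate_certs: true
        skip_broken: true
      become: true
    # Auto-removal is broken and will nuke packages we previously selected through e.g. ansible.
    # See ansible issue #60349. Leaving commented out. -- pff
    # - name: Auto-removal of orphaned dependencies (RHEL)
    #   ansible.builtin.yum:
    #     autoremove: true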
- name: Check reboot requirement
  block:
    - name: Register requirement for reboot (RHEL)
      # "yum needs-restarting" still works on RHEL 8, while the standalone "needs-restarting"
      # is obsolete. On major releases >= 9 you may need an alternative, e.g. symlinking yum to dnf.
      # failed_when: false because the exit code is the answer here, not an error (the plugin is
      # expected to exit non-zero when a reboot is needed - confirm for the installed version);
      # the final reboot task reads nr.rc.
      ansible.builtin.command:
        cmd: yum needs-restarting -r
      register: nr
      changed_when: false
      failed_when: false
      become: true
- name: Clean packages cache (RHEL)
  # ansible's yum module has no dedicated action for this, so it is a plain command.
  # CAUTION: this only works as long as modern RHEL derivatives (RHEL/CentOS >= 8, Fedora >= 30)
  # keep yum available as a pseudo-alias for dnf.
  # ansible warns that a yum module exists and should be preferred; the `warn: false` argument
  # that used to silence this is no longer available in current ansible-core, so the warning is
  # simply tolerated.
  ansible.builtin.command:
    cmd: yum clean packages
  # Always reported as changed: the command gives no signal about whether anything was removed.
  changed_when: true
  become: true
- name: RKhunter properties update
  # Re-baseline rkhunter's file-property database after the upgrade so the new binaries are not
  # reported as tampered on the next run. This is only sound because a failing pre-check above
  # aborts the play before reaching this point. Always reported as changed.
  ansible.builtin.command:
    cmd: rkhunter --propupd --rwo --ns
  become: true
  changed_when: true
  # rkhex only carries a stat when the upgrade block ran and rkhunter is installed; otherwise skip.
  when:
    - rkhex.stat is defined
    - rkhex.stat.executable is defined
    - rkhex.stat.executable
- name: Reboot if required
  # Deliberately no ignore_errors: a host that does not come back is something to hear about.
  ansible.builtin.reboot:
    reboot_timeout: 300
    pre_reboot_delay: 5
    test_command: uptime
    reboot_command: "/bin/systemctl reboot"
  become: true
  # Reboot when needs-restarting signalled it with a non-zero exit, and also when its exit code
  # is not available at all - erring on the side of a reboot rather than a stale kernel.
  when: nr.rc is not defined or nr.rc | int > 0