ansible/tasks/update_all_freebsd.yml

# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Check security status
  command:
    cmd: /usr/sbin/pkg audit -Rjson-compact
  register: security_status
  # Need to have this working in check mode
  check_mode: false
  # non zero exit code does not mean "failure" but "action needed"
  ignore_errors: true
  changed_when: security_status.rc != 0
  failed_when: security_status.rc > 2

- name: show results of security_status
  debug:
    verbosity: 1
    msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'

- name: Perform pre update commands
  import_tasks: tasks/patch_pre_exec.yml
  when: patch_pre_exec is defined

- block:
    - name: Update all packages to their latest version
      command:
        cmd: /usr/sbin/pkg upgrade -vy
        # async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}'
      register: pkg_data
    - name: Update all packages to their latest version (dry run)
      command:
        cmd: /usr/sbin/pkg upgrade -vyn
      # Need to have this working in check mode
      check_mode: false
      ignore_errors: true
      changed_when: pkg_data.rc != 0
      failed_when: "'FAILED' in pkg_data.stderr"
      register: pkg_data
      when: ansible_check_mode
  rescue:
    - name: pkg failed, try to recover if possible
      debug:
        msg: "Something went wrong, attempting recovery.."

  always:
    - name: Log output from pkg run
      check_mode: false  # Need to have this working in check mode
      ansible.builtin.copy:
        content: |
          Result of pkg on {{inventory_hostname}}

          {% if pkg_data.msg is defined %}
          {{ pkg_data.msg }}
          {% endif %}

          {% if pkg_data.stdout is defined %}
          stdout of pkg

          {{ pkg_data.stdout }}
          {% endif %}

          {% if pkg_data.stderr is defined %}
          stderr of pkg

          {{ pkg_data.stderr }}
          {% endif %}
        dest: "/var/tmp/security-patch-{{'%FT%T' | strftime}}.log"


    - name: Perform post update commands
      import_tasks: tasks/patch_post_exec.yml
      when: patch_post_exec is defined

    - name: Check restart status
      command:
        cmd: /usr/local/bin/checkrestart -j 0 --libxo json
      register: check_restart_status
      check_mode: false # Need to have this working in check mode
      changed_when: check_restart_status.rc != 0
      failed_when: check_restart_status.rc > 2
      ignore_errors: true # non zero exit code does not mean "failure" but "action needed"

    - name: set restart_files
      ansible.builtin.set_fact:
        restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}'

    - name: find packages for restart_files
      ansible.builtin.command:
        cmd: '/usr/sbin/pkg which -q {{ item }}'
      register: pkg_which_output
      loop: '{{ restart_files }}'

    - name: list package contents
      ansible.builtin.command:
        cmd: '/usr/sbin/pkg info -ql {{ item }}'
      register: pkg_info_output
      loop: '{{ pkg_which_output.results  | map(attribute="stdout")}}'

    - name: set services to be restarted due to stale libraries
      ansible.builtin.set_fact:
        restart_services: '{{ restart_services + (item)  }}'
      loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}'
      loop_control:
        label: '{{ item }}'

    - name: show services to be restarted
      ansible.builtin.debug:
        verbosity: 1
        var: restart_services

    - name: restart service(s)
      ansible.builtin.service:
        name: '{{ item }}'
        state: restarted
      loop: '{{ restart_services }}'
  when: security_status.rc != 0 or ansible_check_mode
First iteration of update playbooks that work for FreeBSD/Debian 2024-06-12 11:22:54 +02:00			`# vim:ts=2:sw=2:et:filetype=ansible`
			`---`
			`- name: Check security status`
			`command:`
			`cmd: /usr/sbin/pkg audit -Rjson-compact`
			`register: security_status`
			`# Need to have this working in check mode`
			`check_mode: false`
			`# non zero exit code does not mean "failure" but "action needed"`
			`ignore_errors: true`
			`changed_when: security_status.rc != 0`
			`failed_when: security_status.rc > 2`

			`- name: show results of security_status`
			`debug:`
			`verbosity: 1`
			`msg: '{{security_status.stdout \| from_json \| to_json(indent=4, sort_keys=True) }}'`

			`- name: Perform pre update commands`
			`import_tasks: tasks/patch_pre_exec.yml`
			`when: patch_pre_exec is defined`

			`- block:`
			`- name: Update all packages to their latest version`
			`command:`
			`cmd: /usr/sbin/pkg upgrade -vy`
			`# async: '{{ ansible_check_mode \| ternary(0, (downtime_minutes \| int * 60) - 60)}}'`
			`register: pkg_data`
			`- name: Update all packages to their latest version (dry run)`
			`command:`
			`cmd: /usr/sbin/pkg upgrade -vyn`
			`# Need to have this working in check mode`
			`check_mode: false`
			`ignore_errors: true`
			`changed_when: pkg_data.rc != 0`
			`failed_when: "'FAILED' in pkg_data.stderr"`
			`register: pkg_data`
			`when: ansible_check_mode`
			`rescue:`
			`- name: pkg failed, try to recover if possible`
			`debug:`
			`msg: "Something went wrong, attempting recovery.."`

			`always:`
			`- name: Log output from pkg run`
			`check_mode: false # Need to have this working in check mode`
			`ansible.builtin.copy:`
			`content: \|`
			`Result of pkg on {{inventory_hostname}}`

			`{% if pkg_data.msg is defined %}`
			`{{ pkg_data.msg }}`
			`{% endif %}`

			`{% if pkg_data.stdout is defined %}`
			`stdout of pkg`

			`{{ pkg_data.stdout }}`
			`{% endif %}`

			`{% if pkg_data.stderr is defined %}`
			`stderr of pkg`

			`{{ pkg_data.stderr }}`
			`{% endif %}`
			`dest: "/var/tmp/security-patch-{{'%FT%T' \| strftime}}.log"`


			`- name: Perform post update commands`
			`import_tasks: tasks/patch_post_exec.yml`
			`when: patch_post_exec is defined`

			`- name: Check restart status`
			`command:`
			`cmd: /usr/local/bin/checkrestart -j 0 --libxo json`
			`register: check_restart_status`
			`check_mode: false # Need to have this working in check mode`
			`changed_when: check_restart_status.rc != 0`
			`failed_when: check_restart_status.rc > 2`
			`ignore_errors: true # non zero exit code does not mean "failure" but "action needed"`

			`- name: set restart_files`
			`ansible.builtin.set_fact:`
			`restart_files: '{{ check_restart_status.stdout \| from_json \| community.general.json_query("checkrestart.process[].arguments") \| unique}}'`

			`- name: find packages for restart_files`
			`ansible.builtin.command:`
			`cmd: '/usr/sbin/pkg which -q {{ item }}'`
			`register: pkg_which_output`
			`loop: '{{ restart_files }}'`

			`- name: list package contents`
			`ansible.builtin.command:`
			`cmd: '/usr/sbin/pkg info -ql {{ item }}'`
			`register: pkg_info_output`
			`loop: '{{ pkg_which_output.results \| map(attribute="stdout")}}'`

			`- name: set services to be restarted due to stale libraries`
			`ansible.builtin.set_fact:`
			`restart_services: '{{ restart_services + (item) }}'`
			`loop: '{{ pkg_info_output.results \| map(attribute="stdout_lines") \| select("search","\/rc\.d\/([^\/]+)$") \| map("basename")}}'`
			`loop_control:`
			`label: '{{ item }}'`

			`- name: show services to be restarted`
			`ansible.builtin.debug:`
			`verbosity: 1`
			`var: restart_services`

			`- name: restart service(s)`
			`ansible.builtin.service:`
			`name: '{{ item }}'`
			`state: restarted`
			`loop: '{{ restart_services }}'`
			`when: security_status.rc != 0 or ansible_check_mode`