diff --git a/debian-distupgrade.yml b/debian-distupgrade.yml
index 0ca8391..846a163 100644
--- a/debian-distupgrade.yml
+++ b/debian-distupgrade.yml
@@ -22,11 +22,11 @@
 pre_tasks:
 - name: Abort automated dist-upgrade non Debian systems
- fail:
+ ansible.builtin.fail:
 msg: 'Not dist-upgrading non-Debian system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
 when: "ansible_facts['os_family']|lower != 'debian'"
 - name: Abort automated dist-upgrade for EOL systems
- fail:
+ ansible.builtin.fail:
 msg: 'Not dist-upgrading EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
 when: "ansible_distribution == 'Debian' and ansible_distribution_release not in debian_supported"
 - name: Check available space
@@ -38,12 +38,12 @@
 pkg: '{{ required_pkgs }}'
 - name: Tell we are not going to do dist-upgrade, if not in the upgrade matrix
- fail:
+ ansible.builtin.fail:
 msg: 'Upgrading {{ ansible_distribution_release }} is not possible, upgrade path not seen in upgrade matrix'
 when: "ansible_distribution_release not in debian_upgrade_matrix"
 - name: Tell we are going to do dist-upgrade
- debug:
+ ansible.builtin.debug:
 msg: 'Upgrade {{ ansible_distribution_release }} to {{ debian_upgrade_matrix[ansible_distribution_release] }}'
 when: "ansible_distribution_release in debian_upgrade_matrix"
 - name: Find apt sources mentioning Debian distribution name
@@ -59,7 +59,7 @@
 apt_sources_files: '{{ ["/etc/apt/sources.list"] + (apt_sources.files | map(attribute="path") )}}'
 - name: Record current selections
- command:
+ ansible.builtin.command:
 cmd: '/usr/bin/dpkg --get-selections "*"'
 register: dpkg_selections_all_pre
 check_mode: false # Need to have this working in check mode
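Review bot: `/usr/bin/dpkg --get-selections "*"` only reads package state, yet the task still has no `changed_when: false`, so the play reports this host as changed on every run even when nothing is upgraded; the same commit adds `changed_when: false` to the other read-only commands it touches (`freebsd-version -k`, `iocage list -H`), so this looks like an omission rather than intent. Add `changed_when: false` beside `check_mode: false`, here and on the post-upgrade `dpkg_selections_all_post` twin of this task.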
@@ -87,7 +87,7 @@
 import_tasks: tasks/dist_upgrade_debian.yml
 - name: Show found apt source file
- debug:
+ ansible.builtin.debug:
 msg: 'Adjusting {{ item }}'
 loop: '{{ apt_sources_files }}'
@@ -112,14 +112,14 @@
 register: apt_sources_files_replacements
 - name: Show replacements
- debug:
+ ansible.builtin.debug:
 var: apt_sources_files_replacements
 - name: Dist upgrade on to get to the new release
 import_tasks: tasks/dist_upgrade_debian.yml
 - name: Record current selections after upgrade
- command:
+ ansible.builtin.command:
 cmd: '/usr/bin/dpkg --get-selections "*"'
 register: dpkg_selections_all_post
 check_mode: false # Need to have this working in check mode
diff --git a/freebsd-update.yml b/freebsd-update.yml
index 417612a..00641d7 100644
--- a/freebsd-update.yml
+++ b/freebsd-update.yml
@@ -11,20 +11,21 @@
 tasks:
 - name: Fetch updates
- command:
+ ansible.builtin.command:
 cmd: /usr/sbin/freebsd-update fetch --not-running-from-cron
 environment:
 PAGER: cat
+ changed_when: '"No updates needed to update" not in fetchupdates.stdout'
 register: fetchupdates
 # Need to have this working in check mode
 check_mode: false
- - name: show results of fetch updates
- debug:
+ - name: Show results of fetch updates
+ ansible.builtin.debug:
 verbosity: 1
 msg: '{{ fetchupdates.stdout }}'
 - name: Check if updates are ready to install
- command:
+ ansible.builtin.command:
 cmd: /usr/sbin/freebsd-update updatesready
 register: updatesready
 # Need to have this working in check mode
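Review bot: `import_tasks: tasks/dist_upgrade_debian.yml` is left unqualified in this hunk (and in the -87 hunk above it) while the same commit rewrites every `import_tasks` in freebsd-update.yml and update_all_freebsd.yml to `ansible.builtin.import_tasks`, so the FQCN pass is incomplete for this playbook. Change both to `ansible.builtin.import_tasks: tasks/dist_upgrade_debian.yml`. The post-upgrade `dpkg --get-selections` is also read-only and should get `changed_when: false`, as the commit does for its other read-only commands. `Show replacements` is the only debug task in the diff without `verbosity: 1`, which dumps the full `apt_sources_files_replacements` structure at default verbosity; presumably unintended.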
@@ -34,32 +35,33 @@
 changed_when: updatesready.rc == 0
 failed_when: updatesready.rc == 1
- - name: show results of updatesready
- debug:
+ - name: Show results of updatesready
+ ansible.builtin.debug:
 verbosity: 1
 msg: '{{ updatesready.stdout }}'
 - name: Update when updates can be installed
+ when: updatesready.rc == 0
 block:
 - name: Perform system updates
- import_tasks: tasks/update_install_freebsd.yml
+ ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
 - name: Perform ezjail updates
- import_tasks: tasks/update_ezjail_freebsd.yml
+ ansible.builtin.import_tasks: tasks/update_ezjail_freebsd.yml
 - name: Perform iocage updates
- import_tasks: tasks/update_iocage_freebsd.yml
+ ansible.builtin.import_tasks: tasks/update_iocage_freebsd.yml
 - name: Record installed kernel version
- command:
+ ansible.builtin.command:
 cmd: /bin/freebsd-version -k
+ changed_when: false
 check_mode: false
 register: installedkernel
 - name: Reboot system if newer kernel is found
- import_tasks: tasks/reboot_system.yml
+ ansible.builtin.import_tasks: tasks/reboot_system.yml
 when: ansible_kernel != installedkernel.stdout
 - name: Perform system updates post reboot
- import_tasks: tasks/update_install_freebsd.yml
- when: updatesready.rc == 0
+ ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
diff --git a/tasks/check-disk-free.yml b/tasks/check-disk-free.yml
index 8a21f95..7464d0a 100644
--- a/tasks/check-disk-free.yml
+++ b/tasks/check-disk-free.yml
@@ -1,7 +1,7 @@
 # vim:ts=2:sw=2:et:filetype=ansible
 ---
-- name: test for available disk space
- assert:
+- name: Test for available disk space
+ ansible.builtin.assert:
 quiet: true
 that:
 - not (item.mount == '/' and ( item.size_available < item.size_total - ( item.size_total|float * ((100 - (disk_free_percentage|default(15)))/100) ) ) )
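Review bot: `Perform system updates post reboot` now runs unconditionally inside the block, including when `Reboot system if newer kernel is found` was skipped because no new kernel was installed; in that case the second `freebsd-update install` has nothing staged and, as far as I can tell, exits non-zero, which `update_install_freebsd.yml` (default `failed_when`) turns into a play failure. Guard the second install with the same condition as the reboot, `when: ansible_kernel != installedkernel.stdout`, or give the imported task a `failed_when` that tolerates the nothing-to-install case. The `when`/`failed_when` pair on `updatesready` also treats any exit status other than 0 and 1 as a silent skip; a comment such as `# rc 2 = no updates pending; anything else is unexpected and should probably fail` would make the intended contract explicit.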
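Review bot: The threshold in `that:` is written as `size_total - size_total * (100 - pct) / 100`, which is just `size_total * pct / 100`; the simpler form reads as "less than pct percent free" and drops the int/float subtraction: `- not (item.mount == '/' and item.size_available < (item.size_total | float) * (disk_free_percentage | default(15)) / 100)`. Only the root mount is tested; if `/var` or `/usr` are separate filesystems on these hosts the dist-upgrade can still run out of space there, which deserves at least a comment stating that only `/` is checked.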
@@ -17,7 +17,7 @@ register: disk_free - name: Not enough free disk space - fail: + ansible.builtin.fail: msg: | Not enough free space on system: {% for failed_space in (disk_free.results | selectattr('failed')) %} diff --git a/tasks/dist_upgrade_debian.yml b/tasks/dist_upgrade_debian.yml index dfb7eee..c396b25 100644 --- a/tasks/dist_upgrade_debian.yml +++ b/tasks/dist_upgrade_debian.yml @@ -6,7 +6,7 @@ update_cache: true - name: Check restart status - command: + ansible.builtin.command: cmd: /usr/sbin/needrestart -pk register: restart_status check_mode: false # Need to have this working in check mode @@ -14,8 +14,8 @@ failed_when: restart_status.rc > 2 ignore_errors: true # non zero exit code does not mean "failure" but "action needed" -- name: show results of needrestart / check_restart_required - debug: +- name: Show results of needrestart / check_restart_required + ansible.builtin.debug: verbosity: 1 var: restart_status.stdout_lines diff --git a/tasks/patch_post_exec.yml b/tasks/patch_post_exec.yml index 7350dae..993db87 100644 --- a/tasks/patch_post_exec.yml +++ b/tasks/patch_post_exec.yml @@ -1,12 +1,12 @@ # vim:ts=2:sw=2:et:filetype=ansible --- - name: Execute post patch commands - shell: + ansible.builtin.shell: cmd: '{{ item }}' loop: '{{ patch_post_exec }}' register: patch_post_exec_res - - name: show results of patch_post_exec actions - debug: + - name: Show results of patch_post_exec actions + ansible.builtin.debug: verbosity: 1 var: patch_post_exec_res diff --git a/tasks/patch_pre_exec.yml b/tasks/patch_pre_exec.yml index ff004f1..ceedc0a 100644 --- a/tasks/patch_pre_exec.yml +++ b/tasks/patch_pre_exec.yml 
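Review bot: `ansible.builtin.shell` with `cmd: '{{ item }}'` executes every `patch_post_exec` entry verbatim through a shell as the play's user, so whoever can set that variable (inventory, group_vars, host_vars, extra-vars) gets command execution on every patched host; the commit qualifies the module name but leaves that trust boundary undocumented. Add a note above the task, e.g. `# patch_post_exec entries are run verbatim by a shell as the play user (root under become); set them only from reviewed, trusted vars`, and consider `no_log` or trimming `patch_post_exec_res` if hook commands may print secrets. The task also has no `changed_when`, so it reports changed on every run regardless of what the hooks did.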
@@ -1,12 +1,12 @@
 # vim:ts=2:sw=2:et:filetype=ansible
 ---
 - name: Execute pre patch commands
- shell:
+ ansible.builtin.shell:
 cmd: '{{ item }}'
 loop: '{{ patch_pre_exec }}'
 register: patch_pre_exec_res
- - name: show results of patch_pre_exec actions
- debug:
+ - name: Show results of patch_pre_exec actions
+ ansible.builtin.debug:
 verbosity: 1
 var: patch_pre_exec_res
diff --git a/tasks/reboot_system.yml b/tasks/reboot_system.yml
index 13520a6..aff557c 100644
--- a/tasks/reboot_system.yml
+++ b/tasks/reboot_system.yml
@@ -1,11 +1,11 @@
 # vim:ts=2:sw=2:et:filetype=ansible
 ---
 - name: Reboot system for patches
- reboot:
+ ansible.builtin.reboot:
 msg: 'Rebooting for patches'
 register: system_reboot
-- name: show results of reboot
- debug:
+- name: Show results of reboot
+ ansible.builtin.debug:
 verbosity: 1
 var: system_reboot
diff --git a/tasks/update_all_freebsd.yml b/tasks/update_all_freebsd.yml
index 725dca4..fedf37e 100644
--- a/tasks/update_all_freebsd.yml
+++ b/tasks/update_all_freebsd.yml
@@ -1,7 +1,7 @@
 # vim:ts=2:sw=2:et:filetype=ansible
 ---
 - name: Check security status
- command:
+ ansible.builtin.command:
 cmd: /usr/sbin/pkg audit -Rjson-compact
 register: security_status
 # Need to have this working in check mode
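Review bot: Same trust boundary as the post-exec hook: `ansible.builtin.shell` runs each `patch_pre_exec` entry verbatim as the play user, so the variable is effectively a remote-execution channel for anyone who can set vars for these hosts, and nothing in the file says so. Document it above the task, e.g. `# patch_pre_exec entries are executed verbatim by a shell as the play user; set only from reviewed, trusted vars`, and add a `changed_when` so the loop does not report changed on every run.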
@@ -11,23 +11,27 @@ changed_when: security_status.rc != 0 failed_when: security_status.rc > 2 -- name: show results of security_status - debug: +- name: Show results of security_status + ansible.builtin.debug: verbosity: 1 - msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}' + msg: '{{ security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}' - name: Perform pre update commands - import_tasks: tasks/patch_pre_exec.yml + ansible.builtin.import_tasks: tasks/patch_pre_exec.yml when: patch_pre_exec is defined -- block: +- name: Perform security updates when outstanding (or check mode) + when: security_status.rc != 0 or ansible_check_mode + block: - name: Update all packages to their latest version - command: + ansible.builtin.command: cmd: /usr/sbin/pkg upgrade -vy # async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}' + changed_when: pkg_data.rc != 0 + failed_when: "'FAILED' in pkg_data.stderr" register: pkg_data - name: Update all packages to their latest version (dry run) - command: + ansible.builtin.command: cmd: /usr/sbin/pkg upgrade -vyn # Need to have this working in check mode check_mode: false @@ -37,8 +41,8 @@ register: pkg_data when: ansible_check_mode rescue: - - name: pkg failed, try to recover if possible - debug: + - name: Pkg failed, try to recover if possible + ansible.builtin.debug: msg: "Something went wrong, attempting recovery.." always: @@ -67,11 +71,11 @@ - name: Perform post update commands - import_tasks: tasks/patch_post_exec.yml + ansible.builtin.import_tasks: tasks/patch_post_exec.yml when: patch_post_exec is defined - name: Check restart status - command: + ansible.builtin.command: cmd: /usr/local/bin/checkrestart -j 0 --libxo json register: check_restart_status check_mode: false # Need to have this working in check mode 
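Review bot: The new `failed_when: "'FAILED' in pkg_data.stderr"` replaces the default exit-status check entirely, so a `pkg upgrade -vy` that exits non-zero without printing the literal `FAILED` (repository fetch or signature-verification errors, a solver failure, an interrupted run) is reported as success, and the paired `changed_when: pkg_data.rc != 0` then marks exactly those failed runs as changed while a successful upgrade (rc 0) is reported as unchanged. Keep the exit status in the failure test and key the change on what pkg actually did: `failed_when: pkg_data.rc != 0 or 'FAILED' in pkg_data.stderr` and, if pkg's summary line is what you want to key on, `changed_when: "'Number of packages to be' in pkg_data.stdout"` (confirm the wording against the pkg version in use). Because this task sits in a block with a `rescue`, silently passing failures also bypasses the recovery path the block exists for.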
@@ -79,37 +83,36 @@ failed_when: check_restart_status.rc > 2 ignore_errors: true # non zero exit code does not mean "failure" but "action needed" - - name: set restart_files + - name: Set restart_files ansible.builtin.set_fact: restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}' - - name: find packages for restart_files - ansible.builtin.command: + - name: Find packages for restart_files + ansible.builtin.ansible.builtin.command: cmd: '/usr/sbin/pkg which -q {{ item }}' register: pkg_which_output loop: '{{ restart_files }}' - - name: list package contents - ansible.builtin.command: + - name: List package contents + ansible.builtin.ansible.builtin.command: cmd: '/usr/sbin/pkg info -ql {{ item }}' register: pkg_info_output loop: '{{ pkg_which_output.results | map(attribute="stdout")}}' - - name: set services to be restarted due to stale libraries + - name: Set services to be restarted due to stale libraries ansible.builtin.set_fact: restart_services: '{{ restart_services + (item) }}' loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}' loop_control: label: '{{ item }}' - - name: show services to be restarted - ansible.builtin.debug: + - name: Show services to be restarted + ansible.builtin.ansible.builtin.debug: verbosity: 1 var: restart_services - - name: restart service(s) + - name: Restart service(s) ansible.builtin.service: name: '{{ item }}' state: restarted loop: '{{ restart_services }}' - when: security_status.rc != 0 or ansible_check_mode diff --git a/tasks/update_ezjail_freebsd.yml b/tasks/update_ezjail_freebsd.yml index 46c5a3f..a7e5a49 100644 --- a/tasks/update_ezjail_freebsd.yml +++ b/tasks/update_ezjail_freebsd.yml 
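Review bot: The three module names rewritten to `ansible.builtin.ansible.builtin.command:` and `ansible.builtin.ansible.builtin.debug:` are not resolvable actions — the old side already carried the `ansible.builtin.` prefix and the rewrite prepended it again — so the `always:` section of the upgrade block will fail at parse time. Revert them to `ansible.builtin.command:` (both `pkg which` and `pkg info`) and `ansible.builtin.debug:`. While here, `cmd: '/usr/sbin/pkg which -q {{ item }}'` interpolates process arguments reported by checkrestart into a string that `command` re-splits, so a path containing whitespace is passed as several arguments; the list form `argv: ['/usr/sbin/pkg', 'which', '-q', '{{ item }}']` avoids that without a shell. The `always:` block enclosing these tasks starts before this hunk.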
@@ -1,22 +1,25 @@ +# vim:ts=2:sw=2:et:filetype=ansible --- - name: Check if ezjail is available - stat: + ansible.builtin.stat: path: /usr/local/bin/ezjail-admin tags: - always register: ezjail_available -- block: +- name: Perform ezjail updates when ezjail-admin is available + when: ezjail_available.stat.exists + block: - name: Install updates (ezjail) - command: + ansible.builtin.command: cmd: /usr/local/bin/ezjail-admin update -u + changed_when: true register: installupdates_ezjail - - name: show results of install updates (ezjail) - debug: + - name: Show results of install updates (ezjail) + ansible.builtin.debug: verbosity: 1 msg: '{{ installupdates_ezjail.stdout }}' # XXX etcupdate in blind mode / certificate stuff # - when: ezjail_available.stat.exists diff --git a/tasks/update_install_freebsd.yml b/tasks/update_install_freebsd.yml index dd06c40..4303f4c 100644 --- a/tasks/update_install_freebsd.yml +++ b/tasks/update_install_freebsd.yml @@ -1,12 +1,14 @@ +# vim:ts=2:sw=2:et:filetype=ansible --- - name: Install updates - command: + ansible.builtin.command: cmd: /usr/sbin/freebsd-update install + changed_when: true environment: PAGER: cat register: installupdates -- name: show results of install updates - debug: +- name: Show results of install updates + ansible.builtin.debug: verbosity: 1 msg: '{{ installupdates.stdout }}' diff --git a/tasks/update_iocage_freebsd.yml b/tasks/update_iocage_freebsd.yml index 067d160..79ef59f 100644 --- a/tasks/update_iocage_freebsd.yml +++ b/tasks/update_iocage_freebsd.yml 
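Review bot: `changed_when: true` on `freebsd-update install` makes the task report a change even when nothing was staged, which is the normal case for the second, post-reboot invocation of this file when no kernel update forced a reboot. freebsd-update reports that case on stdout, so key the change on the output instead of hard-coding it, e.g. `changed_when: "'No updates are available to install' not in installupdates.stdout"` (check the exact wording for the freebsd-update version in use), and decide explicitly whether that case should also be tolerated by a `failed_when` rather than relying on the default exit-status test.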
@@ -1,40 +1,45 @@
+# vim:ts=2:sw=2:et:filetype=ansible
 ---
 - name: Check if iocage is available
- stat:
+ ansible.builtin.stat:
 path: /usr/local/bin/iocage
 tags:
 - always
 register: iocage_available
-- block:
+- name: Perform iocage updates when iocage is available
+ when: iocage_available.stat.exists
+ block:
 - name: List iocage jails
- command:
+ ansible.builtin.command:
 cmd: /usr/local/bin/iocage list -H
+ changed_when: false
 check_mode: false
 register: iocage_list_jails
- - name: show results of list jails (iocage)
- debug:
+ - name: Show results of list jails (iocage)
+ ansible.builtin.debug:
 verbosity: 1
 var: iocage_list_jails
- - name: set iocage jails
+ - name: Set iocage jails
 ansible.builtin.set_fact:
 iocage_jails: '{{ iocage_list_jails.stdout_lines | map("split") }}'
 - name: Install updates (iocage)
- command:
+ ansible.builtin.command:
 cmd: '/usr/local/bin/iocage update {{ item.1 }}'
 environment:
 PAGER: cat
+ changed_when: true
 when: item.2 == 'up' and item.3 == ansible_distribution_version + '-RELEASE'
 loop: '{{ iocage_jails }}'
 loop_control:
 label: 'iocage update {{ item.1 }}'
 register: installupdates_iocage
- - name: show results of install updates (iocage)
- debug:
+ - name: Show results of install updates (iocage)
+ ansible.builtin.debug:
 verbosity: 1
 msg: |
 {% if item.false_condition is not defined -%}
@@ -49,4 +54,3 @@
 loop_control:
 label: 'Update of {{ item.item.1 }}'
 when: installupdates_iocage
- when: iocage_available.stat.exists
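Review bot: The jail filter `item.3 == ansible_distribution_version + '-RELEASE'` is an exact match, so if `iocage list -H` reports a jail's release with a patch level (e.g. `13.2-RELEASE-p4`, which is what iocage shows once a jail has been updated, as far as I know), already-patched jails never match again and silently stop receiving updates; confirm against the RELEASE column on these hosts. A prefix test keeps the intent of "same release as the host": `when: item.2 == 'up' and item.3.startswith(ansible_distribution_version ~ '-RELEASE')`. The positional `item.1`/`item.2`/`item.3` indexes also depend on `map("split")` of the `-H` output keeping a fixed column order, which nothing in the file states; a comment such as `# iocage list -H columns are JID NAME STATE RELEASE IP4 (item.2 = STATE, item.3 = RELEASE); verify against the installed iocage` would make that assumption checkable.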