

3 Commits

df1b2dbcfe
Ansible lint fixes 2024-06-12 14:47:43 +02:00
460802d02e
Properly handle items with a false condition 2024-06-12 13:30:13 +02:00
3b4169bafb
Revert "Apparently this can get empty"
This reverts commit 5ee810921174f9972d0a6963084165f54412fd45.
2024-06-12 11:57:24 +02:00
11 changed files with 98 additions and 79 deletions


@ -22,11 +22,11 @@
pre_tasks:
- name: Abort automated dist-upgrade non Debian systems
fail:
ansible.builtin.fail:
msg: 'Not dist-upgrading non-Debian system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
when: "ansible_facts['os_family']|lower != 'debian'"
- name: Abort automated dist-upgrade for EOL systems
fail:
ansible.builtin.fail:
msg: 'Not dist-upgrading EOL system {{ inventory_hostname }}/{{ ansible_hostname }} ({{ansible_distribution_release}}/{{ ansible_distribution_version }}), aborting. Please upgrade to supported version'
when: "ansible_distribution == 'Debian' and ansible_distribution_release not in debian_supported"
- name: Check available space
@ -38,12 +38,12 @@
pkg: '{{ required_pkgs }}'
- name: Tell we are not going to do dist-upgrade, if not in the upgrade matrix
fail:
ansible.builtin.fail:
msg: 'Upgrading {{ ansible_distribution_release }} is not possible, upgrade path not seen in upgrade matrix'
when: "ansible_distribution_release not in debian_upgrade_matrix"
- name: Tell we are going to do dist-upgrade
debug:
ansible.builtin.debug:
msg: 'Upgrade {{ ansible_distribution_release }} to {{ debian_upgrade_matrix[ansible_distribution_release] }}'
when: "ansible_distribution_release in debian_upgrade_matrix"
- name: Find apt sources mentioning Debian distribution name
@ -59,7 +59,7 @@
apt_sources_files: '{{ ["/etc/apt/sources.list"] + (apt_sources.files | map(attribute="path") )}}'
- name: Record current selections
command:
ansible.builtin.command:
cmd: '/usr/bin/dpkg --get-selections "*"'
register: dpkg_selections_all_pre
check_mode: false # Need to have this working in check mode
@ -87,7 +87,7 @@
import_tasks: tasks/dist_upgrade_debian.yml
- name: Show found apt source file
debug:
ansible.builtin.debug:
msg: 'Adjusting {{ item }}'
loop: '{{ apt_sources_files }}'
@ -112,14 +112,14 @@
register: apt_sources_files_replacements
- name: Show replacements
debug:
ansible.builtin.debug:
var: apt_sources_files_replacements
- name: Dist upgrade on to get to the new release
import_tasks: tasks/dist_upgrade_debian.yml
- name: Record current selections after upgrade
command:
ansible.builtin.command:
cmd: '/usr/bin/dpkg --get-selections "*"'
register: dpkg_selections_all_post
check_mode: false # Need to have this working in check mode
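Review bot: The two selection-recording tasks (`Record current selections` in the `-59` hunk and `Record current selections after upgrade` at the end of this hunk) run `dpkg --get-selections` via `ansible.builtin.command` and register the output, but the visible lines set no `changed_when`, so a read-only query reports `changed` on every run; unless it is set in the lines after the hunk, add `changed_when: false` beside `check_mode: false`, as the FreeBSD playbook already does for `freebsd-version -k`. Separately, the `ansible.builtin.fail` messages in the `-22` hunk still mix `{{ansible_distribution_release}}` with the spaced `{{ ansible_hostname }}` form; a lint-fix commit is the place to normalise them to `{{ ansible_distribution_release }}`. Both command tasks continue past the hunk boundary.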


@ -11,20 +11,21 @@
tasks:
- name: Fetch updates
command:
ansible.builtin.command:
cmd: /usr/sbin/freebsd-update fetch --not-running-from-cron
environment:
PAGER: cat
changed_when: '"No updates needed to update" not in fetchupdates.stdout'
register: fetchupdates
# Need to have this working in check mode
check_mode: false
- name: show results of fetch updates
debug:
- name: Show results of fetch updates
ansible.builtin.debug:
verbosity: 1
msg: '{{ fetchupdates.stdout }}'
- name: Check if updates are ready to install
command:
ansible.builtin.command:
cmd: /usr/sbin/freebsd-update updatesready
register: updatesready
# Need to have this working in check mode
@ -34,32 +35,33 @@
changed_when: updatesready.rc == 0
failed_when: updatesready.rc == 1
- name: show results of updatesready
debug:
- name: Show results of updatesready
ansible.builtin.debug:
verbosity: 1
msg: '{{ updatesready.stdout }}'
- name: Update when updates can be installed
when: updatesready.rc == 0
block:
- name: Perform system updates
import_tasks: tasks/update_install_freebsd.yml
ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
- name: Perform ezjail updates
import_tasks: tasks/update_ezjail_freebsd.yml
ansible.builtin.import_tasks: tasks/update_ezjail_freebsd.yml
- name: Perform iocage updates
import_tasks: tasks/update_iocage_freebsd.yml
ansible.builtin.import_tasks: tasks/update_iocage_freebsd.yml
- name: Record installed kernel version
command:
ansible.builtin.command:
cmd: /bin/freebsd-version -k
changed_when: false
check_mode: false
register: installedkernel
- name: Reboot system if newer kernel is found
import_tasks: tasks/reboot_system.yml
ansible.builtin.import_tasks: tasks/reboot_system.yml
when: ansible_kernel != installedkernel.stdout
- name: Perform system updates post reboot
import_tasks: tasks/update_install_freebsd.yml
when: updatesready.rc == 0
ansible.builtin.import_tasks: tasks/update_install_freebsd.yml
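Review bot: The final task, `Perform system updates post reboot`, appears to lose its own `when: updatesready.rc == 0` in this hunk, and the rendering does not show whether it now sits inside the `Update when updates can be installed` block that carries that condition on its header. If it is outside the block, `freebsd-update install` runs on every host whether or not `updatesready` reported pending updates, which is also the reboot path's precondition. Worth confirming the indentation in the file, or keeping a task-level `when: updatesready.rc == 0` on the import so the intent survives future re-indentation. The play's `tasks:` list starts before the first hunk.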


@ -1,7 +1,7 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: test for available disk space
assert:
- name: Test for available disk space
ansible.builtin.assert:
quiet: true
that:
- not (item.mount == '/' and ( item.size_available < item.size_total - ( item.size_total|float * ((100 - (disk_free_percentage|default(15)))/100) ) ) )
@ -17,7 +17,7 @@
register: disk_free
- name: Not enough free disk space
fail:
ansible.builtin.fail:
msg: |
Not enough free space on system:
{% for failed_space in (disk_free.results | selectattr('failed')) %}


@ -6,7 +6,7 @@
update_cache: true
- name: Check restart status
command:
ansible.builtin.command:
cmd: /usr/sbin/needrestart -pk
register: restart_status
check_mode: false # Need to have this working in check mode
@ -14,8 +14,8 @@
failed_when: restart_status.rc > 2
ignore_errors: true # non zero exit code does not mean "failure" but "action needed"
- name: show results of needrestart / check_restart_required
debug:
- name: Show results of needrestart / check_restart_required
ansible.builtin.debug:
verbosity: 1
var: restart_status.stdout_lines
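Review bot: `failed_when: restart_status.rc > 2` combined with `ignore_errors: true` on the `Check restart status` task makes the `failed_when` ineffective, because `ignore_errors` swallows exactly the failure it was meant to raise; both lines are context here, but a lint-fix commit is where to settle it. If exit codes above 2 are the only genuine errors, drop `ignore_errors: true` and keep `failed_when: restart_status.rc > 2`; the comment `# non zero exit code does not mean "failure" but "action needed"` then still holds for codes 1 and 2. The same pair appears on the `Check restart status` task running `checkrestart` in the FreeBSD security-update section. The task begins in the previous hunk.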


@ -1,12 +1,12 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Execute post patch commands
shell:
ansible.builtin.shell:
cmd: '{{ item }}'
loop: '{{ patch_post_exec }}'
register: patch_post_exec_res
- name: show results of patch_post_exec actions
debug:
- name: Show results of patch_post_exec actions
ansible.builtin.debug:
verbosity: 1
var: patch_post_exec_res
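Review bot: `Execute post patch commands` passes each `patch_post_exec` entry verbatim to `ansible.builtin.shell`, so whoever can set that variable (inventory, group_vars, extra-vars) decides what runs on every host under the play's privileges; the file should state that trust boundary in a comment above the task, e.g. `# patch_post_exec entries are executed verbatim through a shell; only trusted vars sources may define it`. The task also has no `changed_when`, so it reports `changed` on every run even when a command is a no-op; if that is intended because the commands are arbitrary, a comment saying so would stop the next lint pass from "fixing" it. The pre-patch counterpart in the next section has the same shape and would take the same comment.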


@ -1,12 +1,12 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Execute pre patch commands
shell:
ansible.builtin.shell:
cmd: '{{ item }}'
loop: '{{ patch_pre_exec }}'
register: patch_pre_exec_res
- name: show results of patch_pre_exec actions
debug:
- name: Show results of patch_pre_exec actions
ansible.builtin.debug:
verbosity: 1
var: patch_pre_exec_res


@ -1,11 +1,11 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Reboot system for patches
reboot:
ansible.builtin.reboot:
msg: 'Rebooting for patches'
register: system_reboot
- name: show results of reboot
debug:
- name: Show results of reboot
ansible.builtin.debug:
verbosity: 1
var: system_reboot


@ -1,7 +1,7 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Check security status
command:
ansible.builtin.command:
cmd: /usr/sbin/pkg audit -Rjson-compact
register: security_status
# Need to have this working in check mode
@ -11,23 +11,27 @@
changed_when: security_status.rc != 0
failed_when: security_status.rc > 2
- name: show results of security_status
debug:
- name: Show results of security_status
ansible.builtin.debug:
verbosity: 1
msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'
msg: '{{ security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'
- name: Perform pre update commands
import_tasks: tasks/patch_pre_exec.yml
ansible.builtin.import_tasks: tasks/patch_pre_exec.yml
when: patch_pre_exec is defined
- block:
- name: Perform security updates when outstanding (or check mode)
when: security_status.rc != 0 or ansible_check_mode
block:
- name: Update all packages to their latest version
command:
ansible.builtin.command:
cmd: /usr/sbin/pkg upgrade -vy
# async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}'
changed_when: pkg_data.rc != 0
failed_when: "'FAILED' in pkg_data.stderr"
register: pkg_data
- name: Update all packages to their latest version (dry run)
command:
ansible.builtin.command:
cmd: /usr/sbin/pkg upgrade -vyn
# Need to have this working in check mode
check_mode: false
@ -37,8 +41,8 @@
register: pkg_data
when: ansible_check_mode
rescue:
- name: pkg failed, try to recover if possible
debug:
- name: Pkg failed, try to recover if possible
ansible.builtin.debug:
msg: "Something went wrong, attempting recovery.."
always:
@ -67,11 +71,11 @@
- name: Perform post update commands
import_tasks: tasks/patch_post_exec.yml
ansible.builtin.import_tasks: tasks/patch_post_exec.yml
when: patch_post_exec is defined
- name: Check restart status
command:
ansible.builtin.command:
cmd: /usr/local/bin/checkrestart -j 0 --libxo json
register: check_restart_status
check_mode: false # Need to have this working in check mode
@ -79,37 +83,36 @@
failed_when: check_restart_status.rc > 2
ignore_errors: true # non zero exit code does not mean "failure" but "action needed"
- name: set restart_files
- name: Set restart_files
ansible.builtin.set_fact:
restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}'
- name: find packages for restart_files
ansible.builtin.command:
- name: Find packages for restart_files
ansible.builtin.ansible.builtin.command:
cmd: '/usr/sbin/pkg which -q {{ item }}'
register: pkg_which_output
loop: '{{ restart_files }}'
- name: list package contents
ansible.builtin.command:
- name: List package contents
ansible.builtin.ansible.builtin.command:
cmd: '/usr/sbin/pkg info -ql {{ item }}'
register: pkg_info_output
loop: '{{ pkg_which_output.results | map(attribute="stdout")}}'
- name: set services to be restarted due to stale libraries
- name: Set services to be restarted due to stale libraries
ansible.builtin.set_fact:
restart_services: '{{ restart_services + (item) }}'
loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}'
loop_control:
label: '{{ item }}'
- name: show services to be restarted
ansible.builtin.debug:
- name: Show services to be restarted
ansible.builtin.ansible.builtin.debug:
verbosity: 1
var: restart_services
- name: restart service(s)
- name: Restart service(s)
ansible.builtin.service:
name: '{{ item }}'
state: restarted
loop: '{{ restart_services }}'
when: security_status.rc != 0 or ansible_check_mode
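Review bot: The `-79` hunk introduces `ansible.builtin.ansible.builtin.command:` on `Find packages for restart_files` and `List package contents`, and `ansible.builtin.ansible.builtin.debug:` on `Show services to be restarted`; a doubled collection prefix is not a resolvable module name, so the play will error once that block is parsed, while the pre-change `ansible.builtin.command:` / `ansible.builtin.debug:` were already correct and should be restored. The same hunk moves the block's `when: security_status.rc != 0 or ansible_check_mode` to the block header; the rendering does not show whether the trailing `when:` line after `Restart service(s)` was dropped or still applies to that task, which is worth confirming so the restart loop is not left unconditional if the block nesting changes. The block's `always:` section continues outside the hunks shown.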


@ -1,22 +1,25 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Check if ezjail is available
stat:
ansible.builtin.stat:
path: /usr/local/bin/ezjail-admin
tags:
- always
register: ezjail_available
- block:
- name: Perform ezjail updates when ezjail-admin is available
when: ezjail_available.stat.exists
block:
- name: Install updates (ezjail)
command:
ansible.builtin.command:
cmd: /usr/local/bin/ezjail-admin update -u
changed_when: true
register: installupdates_ezjail
- name: show results of install updates (ezjail)
debug:
- name: Show results of install updates (ezjail)
ansible.builtin.debug:
verbosity: 1
msg: '{{ installupdates_ezjail.stdout }}'
# XXX etcupdate in blind mode / certificate stuff
#
when: ezjail_available.stat.exists


@ -1,12 +1,14 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Install updates
command:
ansible.builtin.command:
cmd: /usr/sbin/freebsd-update install
changed_when: true
environment:
PAGER: cat
register: installupdates
- name: show results of install updates
debug:
- name: Show results of install updates
ansible.builtin.debug:
verbosity: 1
msg: '{{ installupdates.stdout }}'


@ -1,47 +1,56 @@
# vim:ts=2:sw=2:et:filetype=ansible
---
- name: Check if iocage is available
stat:
ansible.builtin.stat:
path: /usr/local/bin/iocage
tags:
- always
register: iocage_available
- block:
- name: Perform iocage updates when iocage is available
when: iocage_available.stat.exists
block:
- name: List iocage jails
command:
ansible.builtin.command:
cmd: /usr/local/bin/iocage list -H
changed_when: false
check_mode: false
register: iocage_list_jails
- name: show results of list jails (iocage)
debug:
- name: Show results of list jails (iocage)
ansible.builtin.debug:
verbosity: 1
var: iocage_list_jails
- name: set iocage jails
- name: Set iocage jails
ansible.builtin.set_fact:
iocage_jails: '{{ iocage_list_jails.stdout_lines | map("split") }}'
- name: Install updates (iocage)
command:
ansible.builtin.command:
cmd: '/usr/local/bin/iocage update {{ item.1 }}'
environment:
PAGER: cat
changed_when: true
when: item.2 == 'up' and item.3 == ansible_distribution_version + '-RELEASE'
loop: '{{ iocage_jails }}'
loop_control:
label: 'iocage update {{ item.1 }}'
register: installupdates_iocage
- name: show results of install updates (iocage)
debug:
- name: Show results of install updates (iocage)
ansible.builtin.debug:
verbosity: 1
msg: |
{% if item.false_condition is not defined -%}
Results of {{ item.cmd | join(' ') }}
{{ item.stdout | default(item.msg | default('No message')) }}
{% else %}
Update of {{ item.item.1 }} skipped due to the following conditional(s) being false
* {{ item.item.2 }} == 'up'
* {{ item.item.3 }} == {{ ansible_distribution_version }}-RELEASE
{% endif -%}
loop: '{{ installupdates_iocage.results }}'
loop_control:
label: '{{ item.cmd | default(["No command seen"]) | join(" ") }}'
label: 'Update of {{ item.item.1 }}'
when: installupdates_iocage
when: iocage_available.stat.exists
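Review bot: The new `when: installupdates_iocage` on `Show results of install updates (iocage)` only tests the truthiness of a registered result mapping, which is true as soon as the task above has run (including when every item was skipped), so it guards nothing; if the intent is to tolerate the register being absent, guard on what the loop actually reads, `when: installupdates_iocage.results is defined`. The template's `{% if item.false_condition is not defined -%}` branch depends on Ansible attaching a `false_condition` key to per-item skipped results, which deserves a one-line comment above the task so a reader knows where that key comes from. The block's `when: iocage_available.stat.exists` now sits on the block header; the rendering leaves it unclear whether the final `when:` line was removed or duplicated, which is worth a glance.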