116 lines
3.7 KiB
YAML
116 lines
3.7 KiB
YAML
# vim:ts=2:sw=2:et:filetype=ansible
|
|
---
|
|
- name: Check security status
|
|
command:
|
|
cmd: /usr/sbin/pkg audit -Rjson-compact
|
|
register: security_status
|
|
# Need to have this working in check mode
|
|
check_mode: false
|
|
# non zero exit code does not mean "failure" but "action needed"
|
|
ignore_errors: true
|
|
changed_when: security_status.rc != 0
|
|
failed_when: security_status.rc > 2
|
|
|
|
- name: show results of security_status
|
|
debug:
|
|
verbosity: 1
|
|
msg: '{{security_status.stdout | from_json | to_json(indent=4, sort_keys=True) }}'
|
|
|
|
- name: Perform pre update commands
|
|
import_tasks: tasks/patch_pre_exec.yml
|
|
when: patch_pre_exec is defined
|
|
|
|
- block:
|
|
- name: Update all packages to their latest version
|
|
command:
|
|
cmd: /usr/sbin/pkg upgrade -vy
|
|
# async: '{{ ansible_check_mode | ternary(0, (downtime_minutes | int * 60) - 60)}}'
|
|
register: pkg_data
|
|
- name: Update all packages to their latest version (dry run)
|
|
command:
|
|
cmd: /usr/sbin/pkg upgrade -vyn
|
|
# Need to have this working in check mode
|
|
check_mode: false
|
|
ignore_errors: true
|
|
changed_when: pkg_data.rc != 0
|
|
failed_when: "'FAILED' in pkg_data.stderr"
|
|
register: pkg_data
|
|
when: ansible_check_mode
|
|
rescue:
|
|
- name: pkg failed, try to recover if possible
|
|
debug:
|
|
msg: "Something went wrong, attempting recovery.."
|
|
|
|
always:
|
|
- name: Log output from pkg run
|
|
check_mode: false # Need to have this working in check mode
|
|
ansible.builtin.copy:
|
|
content: |
|
|
Result of pkg on {{inventory_hostname}}
|
|
|
|
{% if pkg_data.msg is defined %}
|
|
{{ pkg_data.msg }}
|
|
{% endif %}
|
|
|
|
{% if pkg_data.stdout is defined %}
|
|
stdout of pkg
|
|
|
|
{{ pkg_data.stdout }}
|
|
{% endif %}
|
|
|
|
{% if pkg_data.stderr is defined %}
|
|
stderr of pkg
|
|
|
|
{{ pkg_data.stderr }}
|
|
{% endif %}
|
|
dest: "/var/tmp/security-patch-{{'%FT%T' | strftime}}.log"
|
|
|
|
|
|
- name: Perform post update commands
|
|
import_tasks: tasks/patch_post_exec.yml
|
|
when: patch_post_exec is defined
|
|
|
|
- name: Check restart status
|
|
command:
|
|
cmd: /usr/local/bin/checkrestart -j 0 --libxo json
|
|
register: check_restart_status
|
|
check_mode: false # Need to have this working in check mode
|
|
changed_when: check_restart_status.rc != 0
|
|
failed_when: check_restart_status.rc > 2
|
|
ignore_errors: true # non zero exit code does not mean "failure" but "action needed"
|
|
|
|
- name: set restart_files
|
|
ansible.builtin.set_fact:
|
|
restart_files: '{{ check_restart_status.stdout | from_json | community.general.json_query("checkrestart.process[].arguments") | unique}}'
|
|
|
|
- name: find packages for restart_files
|
|
ansible.builtin.command:
|
|
cmd: '/usr/sbin/pkg which -q {{ item }}'
|
|
register: pkg_which_output
|
|
loop: '{{ restart_files }}'
|
|
|
|
- name: list package contents
|
|
ansible.builtin.command:
|
|
cmd: '/usr/sbin/pkg info -ql {{ item }}'
|
|
register: pkg_info_output
|
|
loop: '{{ pkg_which_output.results | map(attribute="stdout")}}'
|
|
|
|
- name: set services to be restarted due to stale libraries
|
|
ansible.builtin.set_fact:
|
|
restart_services: '{{ restart_services + (item) }}'
|
|
loop: '{{ pkg_info_output.results | map(attribute="stdout_lines") | select("search","\/rc\.d\/([^\/]+)$") | map("basename")}}'
|
|
loop_control:
|
|
label: '{{ item }}'
|
|
|
|
- name: show services to be restarted
|
|
ansible.builtin.debug:
|
|
verbosity: 1
|
|
var: restart_services
|
|
|
|
- name: restart service(s)
|
|
ansible.builtin.service:
|
|
name: '{{ item }}'
|
|
state: restarted
|
|
loop: '{{ restart_services }}'
|
|
when: security_status.rc != 0 or ansible_check_mode
|