Ansible Patch Automation Tutorial
Ansible patch automation is a crucial aspect of maintaining the security and stability of Linux systems. By automating the process of applying software updates, administrators can ensure that their systems are always up-to-date and protected against known vulnerabilities.
It was first developed by Michael DeHaan in 2012 and is currently owned by Red Hat. Ansible is known for its simple and easy-to-use syntax, making it a popular choice for system administrators and developers alike.
One of the most common tasks performed with Ansible is patch automation. This involves updating software packages on a set of servers in a consistent and automated manner. In this article, we will discuss how to create an Ansible playbook that can be used to update software packages on both yum and apt-based Linux machines. Additionally, this playbook will also include the ability to reboot the servers after the updates have been applied.
Before we begin, it is important to note that Ansible uses an inventory file to manage the servers it will be interacting with. This file can be in the form of a simple text file, or it can be stored in the standard Ansible host file. In this example, we will be using the standard Ansible host file to manage the inventory. To add servers to the inventory, we will need to add the following entries to the host file:
[yumservers]
yumserver1.servers.zerosandones.us
[aptservers]
aptserver1.servers.zerosandones.us
SSH Key Configuration on hosts
To set up SSH key-based authentication for each server, we will need to manually insert our public key into the authorized_keys file on each remote server. To do this, we need to follow these steps:
- On your local system, use the
catcommand to display the contents of your public key file. The default location of the public key is~/.ssh/id_rsa.pub, but the location may vary depending on your system configuration.
cat ~/.ssh/id_rsa.pub
- Copy the contents of the public key file to your clipboard.
- Connect to the remote server using the
sshcommand.
ssh user@yumserver1.servers.zerosandones.usOnce connected, create a new file named authorized_keys in the ~/.ssh directory, if it doesn’t already exist.
touch ~/.ssh/authorized_keys
Open the authorized_keys file in a text editor, and paste the contents of your public key into the file. Be sure to include a newline after the key.
nano ~/.ssh/authorized_keys
- Save and close the file.
- Change the permissions of the
authorized_keysfile and~/.sshto 700.
chmod 700 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
- Repeat the above steps for aptserver1.servers.zerosandones.us
For more information see our post on SSH Keys.
Running Playbook on a subset of servers
With the servers added to the inventory and SSH key-based authentication set up, we can now create the Ansible playbook. The playbook will contain two main tasks:
- Update the packages on the servers using the appropriate package manager (yum or apt)
- Reboot the servers
Playbook:
---
- name: Update and reboot servers
hosts: all
gather_facts: yes
tasks:
- name: Update packages
become: yes
package:
state: latest
when: ansible_os_family == "RedHat"
tags: update
- name: Update packages
become: yes
apt:
upgrade: dist
when: ansible_os_family == "Debian"
tags: update
- name: Reboot servers
become: yes
reboot:
tags: reboot
This playbook can be executed using the ansible-playbook command. For example, to run this playbook against the servers in the yumservers group, we would use the following command:
ansible-playbook -i /etc/ansible/hosts update_and_reboot.yml --tags update,reboot --limit yumservers
This will update the packages on the yumservers group of servers and reboot them.
When this playbook is run, the output will show the tasks being executed and their status. For example:
TASK [Update packages]
ok: [yumserver1.servers.zerosandones.us]
TASK [Reboot servers]
ok: [yumserver1.servers.zerosandones.us]
As you can see, this Ansible playbook automates the process of updating software packages and rebooting servers, making it a valuable tool for maintaining a fleet of servers. The use of SSH key-based authentication also adds an extra layer of security to the process.
Running Playbook on All Servers
To run the playbook for all servers in the inventory, you can use the “all” group in the “hosts” section of the playbook, like this:
---
- name: Update and reboot servers
hosts: all
gather_facts: yes
tasks:
- name: Update packages
become: yes
package:
state: latest
when: ansible_os_family == "RedHat"
tags: update
- name: Update packages
become: yes
apt:
upgrade: dist
when: ansible_os_family == "Debian"
tags: update
- name: Reboot servers
become: yes
reboot:
tags: reboot
And then you can run the ansible-playbook command like this:
ansible-playbook -i /etc/ansible/hosts update_and_reboot.yml --tags update,reboot
PLAY [Update and reboot servers]
*****************************************************************************************************
TASK [Gathering Facts]
ok: [yumserver1.servers.zerosandones.us]
ok: [aptserver1.servers.zerosandones.us]
TASK [Update packages]
ok: [yumserver1.servers.zerosandones.us]
changed: [aptserver1.servers.zerosandones.us]
TASK [Reboot servers]
changed: [yumserver1.servers.zerosandones.us]
changed: [aptserver1.servers.zerosandones.us]
PLAY RECAP
*****************************************************************************************************
aptserver1.servers.zerosandones.us : ok=2 changed=2 unreachable=0 failed=0
yumserver1.servers.zerosandones.us : ok=2 changed=2 unreachable=0 failed=0
This command will update packages and reboot all servers defined in the inventory file. The gather_facts: yes makes sure that ansible gather information about the remote servers before running the tasks, this is useful to use the variable ansible_os_family to determine which package manager to use (apt or yum)
You can also use --ask-become-pass to provide the password for privilege escalation (if you are not using ssh-key-based authentication)
ansible-playbook -i /etc/ansible/hosts update_and_reboot.yml --tags update,reboot --ask-become-passThe tags in the command “ansible-playbook -i /etc/ansible/hosts update_and_reboot.yml –tags update,reboot” are not required, but they are used to limit the execution of the playbook to specific tasks.
In the example playbook provided, the tasks are labeled with tags “update” and “reboot”. By specifying these tags in the command, Ansible will only execute the tasks with the corresponding tags, in this case, the tasks labeled with “update” and “reboot”. This can be useful if you want to only update packages or only reboot servers without running the entire playbook.
If you do not include the tags when running the playbook, all tasks in the playbook will be executed.
So, you can also run the playbook without tags like below:
ansible-playbook -i /etc/ansible/hosts update_and_reboot.yml
This will run all the tasks in the playbook.
PLAY [Update and reboot servers]
*****************************************************************************************************
TASK [Gathering Facts]
ok: [yumserver1.servers.zerosandones.us]
ok: [aptserver1.servers.zerosandones.us]
TASK [Update packages]
ok: [yumserver1.servers.zerosandones.us]
changed: [aptserver1.servers.zerosandones.us]
TASK [Reboot servers]
changed: [yumserver1.servers.zerosandones.us]
changed: [aptserver1.servers.zerosandones.us]
PLAY RECAP
*****************************************************************************************************
aptserver1.servers.zerosandones.us : ok=2 changed=2 unreachable=0 failed=0
yumserver1.servers.zerosandones.us : ok=2 changed=2 unreachable=0 failed=0
Ansible Patch Automation Summary
Ansible is a powerful and versatile automation tool that makes it easy to manage and automate the configuration of servers, network devices, and other IT infrastructure. One of the reasons why many users (myself included) love Ansible is that it is simple to use, yet powerful enough to handle complex tasks such as Ansible Patch Management. With Ansible, you can automate repetitive tasks, such as patching and updating servers, with just a few lines of code, saving time and reducing the risk of errors. Additionally, Ansible’s ability to use SSH keys for authentication makes it more secure than other tools that rely on password-based authentication. Overall, Ansible’s ease of use, automation capabilities and its ability to handle patch management make it an essential tool for managing IT infrastructure.
Environment Notes
Versions of Ansible tested: 2.11, 2.9
Operating Systems Tested
- CentOS 6, 7, 8
- Rocky Linux 8, 9
- Ubuntu 18, 20, 22
- Amazon Linux 2
- RedHat Linux 7, 8, 9
Leave a Reply
You must be logged in to post a comment.