ansible patch management ubuntu
Note that I simplified the project setup for this tutorial. For more information on Ansible's inventory, see: How to build your inventory. In my Ansible project I have created the following inventory and role: The setup.yml is an Ansible playbook that installs docker and updates servers. To get more information about what Ansible is, check out the Ansible documentation.

The group [special] contains my Ansible Control Node itself and my KVM hypervisor, where my Ansible Control Node runs. * Disclaimer: Test any updates thoroughly before upgrading your production environments since an update could introduce performance impacts or issues.

The setup role installs docker ce and pins its version if the package string contains an =.

The Linux distribution landscape is very fragmented, so how do you patch all these systems?

I've also specified the path to the SSH private key Ansible should use to connect to the nodes on the network. It shows you how to use the groups from your inventory in different plays of your playbook using some of the Ansible modules and a simple command.

Ansible Vault lets you keep sensitive data, such as passwords and keys, in encrypted files. In this post I will show you how I install package updates and ensure that specific packages cannot be updated using version pinning. Ansible can help you to automate the updating of your software. For Windows servers and clients you have WSUS to coordinate updates and security patches. Debian, Fedora and many more are distros managed by communities. This assumes you have Ansible and git installed.

If you want to update everything at once you can comment those two lines out.

With all the latest news about the Spectre and Meltdown security vulnerabilities it is important to keep the software updated on all your devices. At home, I own some IT devices that run 24/7. The below information can help you use Ansible to update all of your Ubuntu, CentOS, and Red Hat servers. I chose it because this host can reach all other hosts in the environment. If a new OS version is available for the Diskstation, I will update it manually because there is no Ansible module for it yet. centos-dev is the host group in the example below. RHEL and Ubuntu are both enterprise derivatives, which means that enterprise features for these distros are managed by companies and not communities. Obviously, patch management is performed by companies running a farm of servers, and they therefore seek automated solutions.

I hope I was able to demonstrate how you can manage patches for your linux systems using Ansible. Because my Synology Diskstation is in standby mode most of the time, I'm using the option -T to specify a timeout of 30 seconds to give it some time to wake up. But be aware this is because I'm using the command module, which returns changed every time it runs, regardless of whether something on your node changed. This comes in handy when creating the playbook to update them. The update role runs only if updates are enabled for the host. You get the newest features, and more importantly, you also get the latest security fixes. Finally, the last step is to run the Ansible Playbook.

March 11, 2021

As you can see, my RHEL machines were already up to date. Automation using a tool like Ansible is very powerful. Finally, with all of the recent issues surrounding Spectre and Meltdown, the Ansible server update role can help you keep everything updated and more secure.

For example, if a kernel update was applied.

With this configuration, all the magic is controlled from my HOME directory, and I won't need any root privileges on my Ansible Control Node to get the following job done. It's a similar story with the hosts tower-pc.lan and rhel8-squid.lan.

Ansible is a command line IT automation solution that can deploy configuration changes, software, and perform many other tasks all automatically.

Although every development team, service owner or system administrator will determine their own particular plan, what is vitally important is that there is a plan in place. As an extra bonus, this Ansible role can also help you mitigate the recent security vulnerabilities called Spectre and Meltdown (once updates are available for your operating system of course).

The yum package supplied with CentOS includes scripts to perform full system updates every day.

Next, clone my GitHub repository with the Ansible role. This will reboot your server by default!

To begin updating, continue reading. That's because only userspace tools will be updated, and there is no need for a reboot. Medium/Low security updates can wait until a standard maintenance window or weekly/monthly scheduled patching.

His fields of operation include Virtualization (VMware), Linux System Administration and Automation (RHEL), Firewalling (Forcepoint), and Loadbalancing (F5). In this use case, I use a static inventory file by putting my hosts with their FQDN into the ~/ansible/hosts file. The warnings don't bother me at this time, so I move on to create the playbook. The host vars simply tell whether this host should be updated or not. In case you would like to know more about the ad-hoc commands, read Introduction to ad-hoc commands in the official docs. In this tutorial I will show you how I install essential packages and apply system patches. Install the packages unattended-upgrades and apt-listchanges: For more information, see https://wiki.debian.org/UnattendedUpgrades. You can also jump directly to the example commands which can be used to mitigate Spectre and Meltdown if that is all you want to do. If you have already done this, you can skip ahead to installing the role. Use all defaults for the role to: update packages, reboot server if needed, and wait for the server to start up. If possible, package updates should be installed and tested in a test/dev/staging/uat environment before being deployed in production. I will demonstrate the pin version feature using this package. When new mitigations become available you will need to patch your servers again. Note: It is important to understand what will happen. I am not responsible if you break anything! https://www.centos.org/docs/5/html/yum/sn-updating-your-system.html. My Raspberry Pis, on the other hand, had updates available and they were installed. A deliberate patch management plan is required for all service owners and sysadmins.

But, keep in mind it is usually better to keep all of the packages updated*. In order to use the host RHEL8-Squid as an Ansible Control Node, I'll have to enable a repo that provides Ansible and install it: For other distributions, please see the official documentation. My Ansible Control Node and my KVM hypervisor are important enough to me that I'll update them manually. Ubuntu is managed by Canonical and they have their Livepatch Service to apply patches.

Each play runs a task on hosts belonging to a certain group in my inventory except [special].

With Ansible's help you can update all of your Ubuntu, CentOS, and Red Hat servers quickly.

Before you begin, make sure you have your Ansible group_vars set up for the Ansible hosts you are running this playbook against. To update Ubuntu 16.04, Red Hat 7, and CentOS 7 with only the available Spectre and Meltdown mitigations use the below examples. In this simple example, each play connects to a group of hosts, updates them, and reboots them afterward in case updates were installed. In this article, I showed you an easy but not very sophisticated example of how I keep my Linux devices at home up to date using Ansible automation. To keep them up to date and install updates automatically, I leave the job to Ansible. The Ansible default configuration file is found at /etc/ansible/ansible.cfg. If you search their name in combination with patching you end up with various blog posts, where people show how they install the kernel updates and security patches.

Also, it seems obvious, but just in case: be sure to stop your applications before updating and rebooting your server, and then start your applications again after. Update all packages except package(s) specified: Update (or install) only specific package(s): Be careful with wildcards since they can install more than you might want. Below is the same as above, but now the server is not rebooted, even when a reboot is needed. To determine if updates were installed, I register variables that store the return values of the tasks where I registered them. You can also exclude packages from the update, update only specified packages, or install only specified packages. First, let me assure you that the method for patching can also be used for other distros.

If you are a desktop user, update your OS now*. You can add more roles after this role to continue installing and configuring your server. As mentioned this method can be used for other non-aptitude-enabled distros. Ansible is modular, so you can create groups of tasks, called roles.

To activate automatic daily updates, enter this command: Enabling automatic updates in CentOS 6 and Red Hat 6 (yum-cron version 3.2.29 for CentOS 6): https://linuxaria.com/pills/enabling-automatic-updates-in-centos-6-and-red-hat-6, Automatic updates for CentOS: yum-cron installing and configuring (yum-cron version 3.4.3, for Amazon Linux and CentOS 7): https://jonathansblog.co.uk/yum-cron.

However, with Ansible you can easily manage your server farm and therefore also require an advanced solution to apply patches for your hosts.

I left them out of this playbook on purpose. First of all, Ansible is amazing at IT automation.

It is recommended to run the update command periodically.

Make sure you have the yum security plugin installed: Check to see what security updates need to be installed: If you want to install all the available updates, do this: The inventory file is just a list of machines: update-machines.yml is the Ansible playbook. Keeping your software updated is important. Its job is to update my Linux environment.

If you are behind a corporate firewall and use a proxy, add: To install the Ansible role that handles updating your server(s), go into the directory you have your Ansible playbooks. You can find this Ansible role on GitHub or Ansible Galaxy.

Jörg Kastning (Red Hat Accelerator, Sudoer). On all my hosts, there is a user account that can use sudo to run commands with root privileges. Assume that we have a Docker installation on an Ubuntu server and want to make sure that Docker is not updated as we do not want to break compatibility. In addition, you also need to follow a few steps before running the playbook. The group vars usually contain a list of packages.

Or, you can use Ansible Galaxy to install this role: Now, create your Ansible Playbook file for the server update role. For better understanding I will show how it's done using Ubuntu. Keep in mind it's usually better to keep all of the packages up to date.

You can use it anywhere, even at home. Both devices were rebooted afterward. And then you can group the roles together to all run sequentially inside of a playbook. This gentle introduction gives you the basics you need to begin streamlining your administrative life. The Ansible playbook setup.yml supports two running modes: the default mode and the update mode (the update tag is required).

Check back for any updates on GitHub, and also for more information about the variables used in this Ansible role.

My playbook contains three plays. If you maintain Linux servers, update those now* as well. Or, if you don't have any existing playbooks, then create a new directory for the Ansible role and playbook.

A reboot of the server is only performed if the reboot flag is set (which is enabled by default), and if the kernel was updated or another package indicates to the OS that a reboot is needed.

This is an Ansible role to update your servers with the latest packages, reboot the server if needed, and wait for the server to start up.

The Diskstation has its status changed, too. Jörg has been a sysadmin for over ten years now. More information about how to mitigate Spectre and Meltdown (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) is available for Ubuntu and CentOS/Red Hat. Since this file is shipped and controlled by the RPM package, I like to create a custom config file at ~/.ansible.cfg by just copying the original one and editing it.

Here is some sample syntax: Critical/High security updates should be applied as soon as possible but no later than 48 hours after they have been published.

If you need some help generating the SSH keys, check out Using ssh-keygen and sharing for key-based authentication in Linux by Tyler Carrigan.

In this example the extra variable reboot_default is used on the command line to change the reboot variable to false. And with Ansible it can be less painful. Before I create the playbook that updates my hosts, I check if my Ansible Control Node RHEL8-Squid can connect to all of my hosts by using the following ad-hoc command: The default timeout for an Ansible connection is 10 seconds.

RHEL is managed by Red Hat and they provide Satellite to apply patches, system configurations and much more. Below are examples for various scenarios. Read on, and learn how to get started with Ansible Tower as well. Keep in mind that a server reboot may be necessary to complete the updates. To install docker on the target host you would enter: ansible-playbook -i inventory/setup setup.yml -l server1, And to update the target host you would enter: ansible-playbook -i inventory/setup setup.yml -l server1 -t update. The update role refreshes the repo cache and runs a dist upgrade. As you can see, I grouped the hosts on my network by the package manager they use.

You can also add other roles to run before or after. For convenience, I created an SSH key-pair and distributed the SSH public key to the hosts I would like to update using Ansible.

However, you should be extra cautious when running any type of automation for server updates. Here's the playbook: As you may have noticed, the Diskstation wasn't rebooted. Patching is an essential part of server maintenance. But how do you patch Ubuntu, Debian, RHEL or Fedora machines? Now that your servers are patched, you can look at other Ansible roles to help you install and configure software. For my system configurations I try to be as explicit as possible, which means I pin versions for installed software. Tip: The above will update one server at a time (using max_fail_percentage and serial). If it is, the system will be rebooted. Tested on Ubuntu 16.04, Ubuntu 18.04, CentOS 7.x, and Red Hat Enterprise Linux (RHEL) 7.x servers. Be careful with this since you could update and reboot all your servers at once!

I've only made a few changes: As you can see, I've created an ansible directory in my HOME directory to store my host inventory file. I use these to check whether the status of a task is changed.

inventories/setup/group_vars/ubuntu1804.yml.

An Ansible playbook can run against one or multiple servers, depending on how you reference the servers in your playbook, and also depending on how you group the servers in your Ansible inventory file. Nothing to update or remove, and therefore no reboot required. In case you are completely new to Ansible, you'll find a good introduction in: My home network includes the following devices: The host marked by the red square is my Ansible Control Node. Once a package has been pinned, it cannot be updated by the package manager. Other hosts, for example, the Red Hat Enterprise Linux 7 (RHEL)-Ansible hosts, are only able to reach hosts inside the isolated network. Here's how to use it in playbooks to improve automation workflow safety. If you have your own VPS, check out the Ansible role to setup OpenVPN with ad blocking.
