Ansible Role system_update
This role configures the server to do (weekly) system updates by deploying two shell scripts. The first script, `notify-and-schedule`, checks for available updates (normally during the day) and notifies the system administrators either via email or Rocket.Chat. At update time (usually the next morning at around 4 AM), the second script, `update-and-reboot`:

* sets a downtime for the host and all its services in Icinga
* applies all updates
* and, if necessary, automatically reboots the host after the updates.

Mandatory Requirements

* Install `at`. This can be done using the linuxfabrik.lfops.at role.
* Install `mailx`. This can be done using the linuxfabrik.lfops.mailx role.
* Install `needrestart` on Debian. This can be done using the linuxfabrik.lfops.apps role.
* Install `yum-utils` on RHEL. This can be done using the linuxfabrik.lfops.yum_utils role.

If you use the system_update Playbook, this is automatically done for you.

Optional Role Variables

| Variable | Description | Default Value |
| --- | --- | --- |
| `system_update__icinga2_api_url` | The URL of the Icinga2 API (usually on the Icinga2 Master). This will be used to set a downtime for the corresponding host and all its services in the | `'https://{{ icinga2_agent__icinga2_master_host` |
| `system_update__icinga2_api_user_login` | The Icinga2 API User to set the downtime for the corresponding host and all its services. | unset |
| `system_update__icinga2_hostname` | The hostname of the Icinga2 host on which the downtime should be set. | |
| `system_update__mail_from` | The email sender account. This will be used as the "from" address for all notifications. | |
| `system_update__mail_recipients_new_configfiles` | A list of email recipients to notify if there is a new version of a config file ( | |
| `system_update__mail_recipients_updates` | A list of email recipients to notify about the expected updates and the report of the installed updates. | |
| `system_update__mail_subject_hostname` | String which will be used as the hostname in the mail subject. You can use | `'$(hostname --short)'` |
| `system_update__mail_subject_prefix` | This will set a prefix that will be shown in front of the hostname. Can be used to separate servers by environment or customer. | |
| `system_update__notify_and_schedule_on_calendar` | When the notification for the expected updates should be sent. Have a look at systemd.time(7) for the format. | |
| `system_update__post_update_code` | This code block will be executed after the updates have been installed and before a potential reboot. | unset |
| `system_update__pre_update_code` | This code block will be executed before the update process is started. Can be used to check pre-conditions for updating, for example for checking cluster nodes. | unset |
| `system_update__rocketchat_msg_suffix` | A suffix to the Rocket.Chat notifications. This can be used to mention other users. | unset |
| `system_update__rocketchat_url` | The URL to a potential Rocket.Chat server to send notifications about the updates to. | unset |
| `system_update__update_enabled` | Enables or disables the system-update timer, analogous to | |
| `system_update__update_time` | The time when to actually execute the updates (and automatically reboot if necessary), relative to | |

Example:
```yaml
# optional
system_update__icinga2_api_url: 'https://icinga.example.com:5665'
system_update__icinga2_api_user_login:
  username: 'downtime-user'
  password: 'linuxfabrik'
system_update__icinga2_hostname: 'myhost.example.com'
system_update__mail_from: 'noreply@example.com'
system_update__mail_recipients_new_configfiles:
  - 'info@example.com'
  - 'support@example.com'
system_update__mail_recipients_updates:
  - 'info@example.com'
  - 'support@example.com'
system_update__mail_subject_hostname: '$(hostname --long)'
system_update__mail_subject_prefix: '001-'
system_update__notify_and_schedule_on_calendar: 'mon *-*-01..07 10:00' # first monday of the month
system_update__post_update_code: |-
  VAR='hello world'
  echo $VAR
system_update__pre_update_code: |-
  check_dns() {
    local DNS_SERVER=$1
    if ! dig @$DNS_SERVER linuxfabrik.ch +short > /dev/null; then
      SUBJECT="$SUBJECT_PREFIX - System update failed"
      MSGBODY="DNS Server $DNS_SERVER failed to respond. Aborting update."
      send_msg
      exit 1
    fi
  }
  check_dns 192.0.2.10
  check_dns 192.0.2.11
system_update__rocketchat_msg_suffix: '@administrator'
system_update__rocketchat_url: 'https://chat.example.com/hooks/abcd1234'
system_update__update_enabled: true
system_update__update_time: '04:00 + 1 days'
```
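
The following shell functions are an added example, not the role's own `update-and-reboot` code. They show how a downtime for a host and all its services can be requested from the Icinga2 API that `system_update__icinga2_api_url` points to. The function names, the credentials file and the comment text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the role's update-and-reboot script.
# Builds and sends an Icinga2 "schedule-downtime" request for one host
# and all of its services. All function names here are hypothetical.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# downtime_payload HOST AUTHOR START_EPOCH DURATION_SECONDS
# The host name is handed over in filter_vars instead of being pasted into
# the filter expression, so it cannot change the meaning of the filter.
downtime_payload() {
    host=$(json_escape "$1")
    author=$(json_escape "$2")
    start=$3
    end=$(( $3 + $4 ))
    printf '{"type":"Host","filter":"host.name==hn","filter_vars":{"hn":"%s"},' "$host"
    printf '"all_services":true,"fixed":true,"author":"%s",' "$author"
    printf '"comment":"Scheduled system update","start_time":%d,"end_time":%d}' "$start" "$end"
}

# send_downtime API_URL CREDENTIALS_FILE HOST DURATION_SECONDS
# CREDENTIALS_FILE (assumed, mode 0600) is a curl config file with one line:
#   user = "downtime-user:<password>"
# Reading it via --config keeps the password out of the process list.
send_downtime() {
    downtime_payload "$3" "system_update" "$(date +%s)" "$4" |
        curl --silent --show-error --fail \
             --config "$2" \
             --header 'Accept: application/json' \
             --request POST --data-binary @- \
             "$1/v1/actions/schedule-downtime"
}
```

On the Icinga2 side, the API user named in `system_update__icinga2_api_user_login` only needs the `actions/schedule-downtime` permission for this request.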