Ansible Role system_update¶
This role configures the server to do (weekly) system updates by deploying two shell scripts: The first script notify-and-schedule checks for available updates (normally during the day), and notifies the system administrators either via email or Rocket.Chat. On update time (usually the next morning at round about 4 AM), the second script update-and-reboot
sets a downtime for the host and all its services in Icinga
applies all updates
and, if necessary, automatically reboots the host after the updates.
On Rocky Linux the role additionally sets up a separate security lane that installs only security hot-fixes daily, independent of the weekly update lane.
Available since LFOps 2.0.0.
How the Role Behaves¶
Two independent lanes. The regular lane (
notify-and-schedule/update-and-reboot) applies all available updates on its weekly schedule. On Rocky Linux a second, independent security lane (security-update, twice a day by default) installs only security hot-fixes from the dedicatedsecurityrepository, isolated from the regular lane via--disablerepo/--enablerepo. Both reboot the host when an update requires it.The security lane is enabled by default, but a no-op without the
securityrepository. That repository is provided by the repo_baseos role. On hosts where it is not present, the security lane installs nothing and never reboots. Turn the lane off entirely withsystem_update__security_enabled: false.Reboots are steered per host group. A security hot-fix that requires a reboot is scheduled via
at; the time comes fromsystem_update__security_reboot_time__*. This can be used so test hosts reboot immediately ('now') while production hosts defer to the evening (for example'19:00').
Dependent Roles¶
Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook’s skip variables.
at must be installed (role: linuxfabrik.lfops.at).
mailx must be installed (role: linuxfabrik.lfops.mailx).
yum-utils must be installed on RHEL (role: linuxfabrik.lfops.yum_utils).
Requirements¶
Manual steps:
On Debian, install needrestart by running the apps playbook (role: linuxfabrik.lfops.apps).
Optional Role Variables¶
system_update__cache_only
Whether to install updates from cache only. This implies to have the cache built beforehand.
Type: Bool.
Default:
false
system_update__icinga2_api_url
The URL of the Icinga2 API (usually on the Icinga2 Master). This will be used to set a downtime for the corresponding host and all its services in the
rebootalias.Type: String.
Default:
'https://{{ icinga2_agent__icinga2_master_host | d("") }}:{{ icinga2_agent__icinga2_master_port | d(5665) }}'
system_update__icinga2_api_user_login
The Icinga2 API User to set the downtime for the corresponding host and all its services.
Type: Dictionary.
Default: unset
system_update__icinga2_hostname
The hostname of the Icinga2 host on which the downtime should be set.
Type: String.
Default:
'{{ ansible_facts["nodename"] }}'
system_update__mail_from
The email sender account. This will be used as the „from“-address for all notifications.
Type: String.
Default:
'{{ mailto_root__from }}'
system_update__mail_recipients_new_configfiles
A list of email recipients to notify if there is a new version of a config file (
rpmnew/rpmsave/dpkg-dist/ucf-dist).Type: String.
Default:
'{{ mailto_root__to }}'
system_update__mail_recipients_updates
A list of email recipients to notify about the expected updates and the report of the installed updates.
Type: String.
Default:
'{{ mailto_root__to }}'
system_update__mail_subject_hostname
String which will be used as the hostname in the mail subject. You can use
$()to call bash code.Type: String.
Default:
'$(hostname --short)'
system_update__mail_subject_prefix
This will set a prefix that will be showed in front of the hostname. Can be used to separate servers by environment or customer.
Type: String.
Default:
''
system_update__notify_and_schedule_on_calendar
When the notification for the expected updates should be sent. Have a look at systemd.time(7) for the format.
Type: String.
Default:
'mon 10:00'
system_update__post_update_code
This codeblock will be executed after the updates have been installed and before a potential reboot.
Type: String.
Default: unset
system_update__pre_update_code
This codeblock will be executed before the update process is started. Can be used to check pre-conditions for updating, for example for checking cluster nodes.
Type: String.
Default: unset
system_update__rocketchat_msg_suffix
A suffix to the Rocket.Chat notifications. This can be used to mention other users.
Type: String.
Default:
''
system_update__rocketchat_url
The URL to a potential Rocket.Chat server to send notifications about the updates to.
Type: String.
Default: unset
system_update__security_enabled
Enables or disables the security lane (the
security-updatetimer), analogous tosystemctl enable/disable --now. Rocky Linux only. When enabled but thesecurityrepository is not enabled on the host, the lane is a no-op.Type: Bool.
Default:
true
system_update__security_on_calendar
When the security lane checks for and installs security hot-fixes. Have a look at systemd.time(7) for the format.
Type: String.
Default:
'*-*-* 10,16:00'
system_update__security_reboot_time__host_var / system_update__security_reboot_time__group_var
When to reboot after a security hot-fix that requires it. Passed verbatim to
at. Use this to steer test versus production hosts via inventory group membership:'now'reboots immediately, a time such as'19:00'defers the reboot.Type: String.
Default:
'now'
system_update__security_repos
The repositories the security lane installs from. All other repositories are disabled for the security transaction, keeping it separate from the regular update lane.
Type: List.
Default:
['security']
system_update__update_enabled
Enables or disables the system-update timer, analogous to
systemctl enable/disable --now.Type: Bool.
Default:
true
system_update__update_time
The time when to actually execute the updates (and automatically reboot if necessary), relative to
system_update__notify_and_schedule_on_calendar. Passed verbatim toat. The default schedules the update for the next day between 04:00 and 04:59, with the exact minute derived deterministically frominventory_hostnameso multiple hosts spread across the hour instead of all updating at 04:00.Type: String.
Default:
'04:{{ 59 | random(seed=inventory_hostname) }} + 1 days'
Example:
# optional
system_update__cache_only: true
system_update__icinga2_api_url: 'https://icinga.example.com:5665'
system_update__icinga2_api_user_login:
username: 'downtime-user'
password: 'linuxfabrik'
system_update__icinga2_hostname: 'myhost.example.com'
system_update__mail_from: 'noreply@example.com'
system_update__mail_recipients_new_configfiles:
- 'info@example.com'
- 'support@example.com'
system_update__mail_recipients_updates:
- 'info@example.com'
- 'support@example.com'
system_update__mail_subject_hostname: '$(hostname --long)'
system_update__mail_subject_prefix: '001-'
system_update__notify_and_schedule_on_calendar: 'mon *-*-01..07 10:00' # first monday of the month
system_update__post_update_code: |-
VAR='hello world'
echo $VAR
system_update__pre_update_code: |-
check_dns() {
local DNS_SERVER=$1
if ! dig @$DNS_SERVER linuxfabrik.ch +short > /dev/null; then
SUBJECT="$SUBJECT_PREFIX - System update failed"
MSGBODY="DNS Server $DNS_SERVER failed to respond. Aborting update."
send_msg
exit 1
fi
}
check_dns 192.0.2.10
check_dns 192.0.2.11
system_update__rocketchat_msg_suffix: '@administrator'
system_update__rocketchat_url: 'https://chat.example.com/hooks/abcd1234'
system_update__security_enabled: true
system_update__security_on_calendar: '*-*-* 10,16:00'
system_update__security_reboot_time__group_var: '19:00'
system_update__security_repos:
- 'security'
system_update__update_enabled: true
system_update__update_time: '04:{{ 59 | random(seed=inventory_hostname) }} + 1 days'