29 April 2024

Patching Linux systems is a vital task to ensure security, performance, and stability. Doing this manually across multiple servers is error-prone and time-consuming. That is where Ansible comes in: a powerful automation tool that simplifies updating Linux systems. Compared to the Windows Server patching described in another blog post, the Linux part is easier.
The Ansible Playbook
In our automation environment we use roles so that the same tasks can be reused by different playbooks. For this demonstration we extracted the most important tasks into one simple playbook.
FYI: We are planning to provide public access to our Git repository later, where you can fetch these files.
For demonstration purposes we chose the Ansible apt module to showcase patching on Debian GNU/Linux. The module works just as well on Ubuntu Server and on Proxmox VE, which is Debian-based. Ansible also provides modules for other distributions, including SUSE (zypper), Red Hat and its derivatives (yum/dnf) and Arch Linux (pacman), so the same approach covers mixed environments.
hosts.ini
[debian]
debian ansible_host=172.16.66.66
linux-updates.yaml
The file, along with the accompanying comments, should be self-explanatory. We will dive into the crucial aspects of the file in the following section.
---
# Tasks for patching a GNU/Linux server
- name: GNU/Linux Update Playbook
  hosts: debian
  gather_facts: false
  become: true
  tasks:
    # Update the apt cache if it is older than one hour.
    - name: Update the apt cache
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 3600

    - name: Ensure needrestart is installed
      ansible.builtin.apt:
        name: needrestart
        state: present

    # NEEDRESTART_MODE=a lets the needrestart apt hook restart affected
    # services automatically instead of asking interactively.
    - name: Upgrade all packages to the most recent version
      ansible.builtin.apt:
        upgrade: full
      environment:
        NEEDRESTART_MODE: a

    - name: Autoremove, remove old kernels, etc.
      ansible.builtin.apt:
        autoremove: yes

    - name: Clean the local package cache
      ansible.builtin.apt:
        clean: yes

    - name: Check if a reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Reboot the machine if required
      ansible.builtin.reboot:
        msg: "Rebooting due to system updates"
        connect_timeout: 5
        reboot_timeout: 360
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required.stat.exists
Execute the playbook
Executing the playbook is straightforward: run it with the ansible-playbook command, or through an automation platform such as Ansible AWX or Ansible Semaphore.
➜ ansible-playbook -i hosts.ini linux-updates.yaml
Further Explanations
In this section we dive a little deeper into the special parts of the playbook shown above.
Update the Apt cache
If you know Debian, you know that the package cache has to be fresh, otherwise the system does not even see the latest updates. With cache_valid_time: 3600 the task only runs apt-get update when the package lists are older than one hour, which keeps repeated runs cheap. Refreshing the package metadata before upgrading is just as necessary on the other common distributions, such as Red Hat and SUSE.
    # Update the apt cache if it is older than one hour.
    - name: Update the apt cache
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 3600
Install new Patches?
Apart from the use of needrestart there is nothing special here. We do a full upgrade with apt (the equivalent of apt full-upgrade / dist-upgrade, which may remove or replace packages to resolve changed dependencies; on Proxmox VE this is the required form, plain apt upgrade is explicitly discouraged there) and an autoremove afterwards, which removes old kernel packages and the like (apt keeps the running kernel and the newest installed one). With clean we instruct apt to delete the downloaded .deb files from the local package cache to save disk space.
needrestart is needed to find services that are still running code from binaries or libraries that were replaced by the upgrade and therefore need a restart. Other tools exist for the same purpose, for example checkrestart from the debian-goodies package. needrestart makes the handling easy: installing the package also installs an apt hook, and that hook is controlled by the environment variable NEEDRESTART_MODE; a stands for automatically, i.e. restart every affected service without asking. Keep in mind that this really restarts everything needrestart flags, including database or SSH services; services that must not be bounced during a patch run can be excluded in /etc/needrestart/conf.d/ via $nrconf{override_rc}.
    - name: Ensure needrestart is installed
      ansible.builtin.apt:
        name: needrestart
        state: present

    - name: Upgrade all packages to the most recent version
      ansible.builtin.apt:
        upgrade: full
      environment:
        NEEDRESTART_MODE: a

    - name: Autoremove, remove old kernels, etc.
      ansible.builtin.apt:
        autoremove: yes

    - name: Clean the local package cache
      ansible.builtin.apt:
        clean: yes
Do we need to reboot?
Finally, Ansible determines whether a reboot is required. If the marker file /var/run/reboot-required (/var/run is a symlink to /run on current Debian releases) was created by the package hooks during the upgrade, Ansible reboots the host and waits until it answers again. The marker is a convention that comes from Ubuntu's update-notifier-common hooks; on a plain Debian host, verify on a test machine that something actually writes it after a kernel upgrade, otherwise the reboot task never fires and the host keeps running the old kernel.
    - name: Check if a reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Reboot the machine if required
      ansible.builtin.reboot:
        msg: "Rebooting due to system updates"
        connect_timeout: 5
        reboot_timeout: 360
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required.stat.exists
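The marker file is only one signal. As an added example that is not part of the original post's playbook, the play below asks needrestart itself (batch mode, needrestart -b) what is still running outdated code after the upgrade described in the two sections above, reboots only when the marker exists or a newer kernel is installed, and otherwise restarts just the services needrestart reports. The kernel state codes in the comments follow the needrestart README as we read it (NEEDRESTART-KSTA: 0 unknown, 1 kernel current, 2 ABI-compatible upgrade pending, 3 version upgrade pending); treat them as an assumption and verify against the needrestart version on your hosts. The inventory group debian is the one from this post.

```yaml
---
# Added example, not from the original post: decide between a service-only
# restart and a full reboot using needrestart's batch output instead of relying
# solely on the /var/run/reboot-required marker file.
- name: Post-upgrade restart decision with needrestart
  hosts: debian
  gather_facts: false
  become: true
  tasks:
    - name: Check for the reboot marker file
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_marker

    # -b = batch mode: machine-readable NEEDRESTART-* lines, no prompts.
    - name: Ask needrestart what is still running outdated code
      ansible.builtin.command: needrestart -b
      register: needrestart_batch
      changed_when: false

    - name: Derive kernel state and affected services from the batch output
      ansible.builtin.set_fact:
        # NEEDRESTART-KSTA (assumed semantics, see README): 0 unknown,
        # 1 running kernel is current, 2 ABI-compatible upgrade pending,
        # 3 version upgrade pending. Missing line -> '0' (unknown).
        needrestart_ksta: >-
          {{ ((needrestart_batch.stdout
               | regex_findall('NEEDRESTART-KSTA: ([0-9])')) + ['0'])
             | first | int }}
        # One NEEDRESTART-SVC line per service that still maps replaced files.
        services_to_restart: >-
          {{ needrestart_batch.stdout_lines
             | select('match', '^NEEDRESTART-SVC: ')
             | map('regex_replace', '^NEEDRESTART-SVC: ', '')
             | list }}

    - name: Reboot when the marker exists or a newer kernel is installed
      ansible.builtin.reboot:
        msg: "Rebooting due to system updates"
        connect_timeout: 5
        reboot_timeout: 360
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_marker.stat.exists or (needrestart_ksta | int) > 1

    # No reboot needed: bounce only what needrestart flagged. With
    # NEEDRESTART_MODE=a on the upgrade task this list should normally be
    # empty, so anything listed here means the apt hook did not handle it.
    - name: Otherwise restart only the services that still run old code
      ansible.builtin.service:
        name: "{{ item }}"
        state: restarted
      loop: "{{ services_to_restart }}"
      when: not (reboot_marker.stat.exists or (needrestart_ksta | int) > 1)
```

Run it right after linux-updates.yaml, or append its tasks to that playbook in place of the last two tasks. Because the decision is based on what is actually mapped into running processes, it also catches hosts where the marker file is never written.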
Final Thoughts
Even though the general patching process is easier than in the Windows world, Linux can get more complicated when you have to patch clusters whose nodes must be rebooted in sequence (for example Kubernetes, Ceph or classic HA clusters). Also keep in mind that patching only the operating system is not sufficient when Podman or Docker containers run on top of it: the packages inside the container images are not touched by apt on the host and have to be rebuilt or pulled separately.
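Rolling the same procedure over a cluster, as an added example that is not from the original post: serial: 1 patches one node at a time, any_errors_fatal stops the whole run on the first failure, and a health check before and after every node prevents the run from taking a second node down while the cluster is still degraded. The group name cluster_nodes and the command /usr/local/bin/cluster-healthy are placeholders (assumptions); replace the latter with your cluster's real check, for example ceph health for Ceph, or kubectl drain before and kubectl uncordon after the reboot (delegated to a control-plane host) for Kubernetes.

```yaml
---
# Added example, not from the original post: patch cluster members one at a
# time and abort on the first failure. cluster_nodes and
# /usr/local/bin/cluster-healthy are placeholders for your own inventory group
# and health check (assumptions).
- name: Rolling OS patching for a cluster
  hosts: cluster_nodes          # placeholder inventory group
  serial: 1                     # one node per batch, in inventory order
  any_errors_fatal: true        # a failure on one node stops the whole play
  gather_facts: false
  become: true

  pre_tasks:
    # Never start on a node while the cluster is already degraded.
    - name: Refuse to patch while the cluster is not healthy
      ansible.builtin.command: /usr/local/bin/cluster-healthy   # placeholder
      changed_when: false

  tasks:
    - name: Update the apt cache and upgrade all packages
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 3600
        upgrade: full
      environment:
        NEEDRESTART_MODE: a

    - name: Remove packages that are no longer needed
      ansible.builtin.apt:
        autoremove: yes

    - name: Check if a reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Reboot this node if required
      ansible.builtin.reboot:
        msg: "Rebooting due to system updates"
        connect_timeout: 5
        reboot_timeout: 360
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required.stat.exists

  post_tasks:
    # Block until this node has rejoined and the cluster is healthy again;
    # only then does serial: 1 move on to the next node.
    - name: Wait for the cluster to report healthy before the next node
      ansible.builtin.command: /usr/local/bin/cluster-healthy   # placeholder
      register: health
      changed_when: false
      until: health.rc == 0
      retries: 30
      delay: 10
```

The important properties are that the upgrade and reboot tasks are identical to the single-host playbook, and that all sequencing lives in the play keywords and the two health checks, so the same roles can be reused for standalone hosts and cluster members alike.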