Ansible Linux Security

Update Debian/Ubuntu with Ansible

So we all know the pain that is keeping multiple systems patched and updated throughout the month. If you have the *pleasure* of having to do that manually, then I may have a possible solution for you. Ansible is an open source project overseen by Red Hat, and the basic tooling is available for free. Originally developed for Linux systems, it is supposedly able to help configure and manage Microsoft Windows systems as well. I may have to try that one of these days.

In my environment, I have a primary Ansible node that I use to manage my various Linux systems. I wanted to share the playbook that I use for updating my hosts. To be fair, there are plenty of really good playbooks out there for review. I’ll share a couple later on, including one on configuring a system to be a Kubernetes master or worker node.

Anyways, here is my playbook for updating Debian or Ubuntu systems:

- name: Update All Hosts
  hosts: all
  become: yes
  tasks:
    - name: Update Systems
      apt:
        update_cache: yes
        cache_valid_time: 3600
        upgrade: dist

In this playbook, I specify “all” systems, because the only ones I’m currently keeping on all the time are my Ubuntu ones. I’ll adjust this later to handle the 2 RHEL ones with a second task that uses yum rather than apt.
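The mixed-distribution version that the previous paragraph describes, as an added example (this is not the post's own playbook): each task is gated on the os_family fact that Ansible gathers at the start of the play, so a Debian/Ubuntu host gets the apt task and a RHEL host gets the yum task. The inventory and any group names are assumed.

```yaml
# Added example, not the post's own playbook: update Debian/Ubuntu with apt and
# RHEL-family hosts with yum from one play. gather_facts must stay enabled so
# that ansible_facts['os_family'] is available to the "when" conditions.
- name: Update All Hosts
  hosts: all
  become: yes
  gather_facts: yes

  tasks:
    - name: Update Debian/Ubuntu systems with apt
      ansible.builtin.apt:
        update_cache: yes
        cache_valid_time: 3600
        upgrade: dist
      when: ansible_facts['os_family'] == 'Debian'

    - name: Update RHEL-family systems with yum
      ansible.builtin.yum:
        name: '*'
        state: latest
        update_cache: yes
      when: ansible_facts['os_family'] == 'RedHat'
```

Both tasks run under the same become setting, and a host that matches neither condition is simply skipped rather than failing the play. On RHEL 8 and later the yum module selects the dnf backend automatically, so the same task works across the supported releases.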

I’m using the “become” option to have the task execute via “sudo”. This allows me to use a regular user account to log in to the host rather than root.

The actual update task updates the package cache first so apt is aware of the latest packages available. It will do this only if the current cache is older than an hour.

Finally, the “upgrade: dist” option will upgrade all of the available packages on the host.

To execute this, I log into my control node and run the following command:

$ ansible-playbook update.yaml --ask-vault-pass

Rather than provide credentials each time, I’ve created a credential vault on the control node. I provide the vault password and the credentials for ssh and sudo are made available and used.

Now, there are guides out there that will also check to see if a reboot is required after patching (such as when a new kernel is installed). I am not doing that right now because these three nodes are my Kubernetes cluster and I want to manually do the reboot when time permits.
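For readers who do want the reboot check but, like the post, prefer to reboot by hand, here is an added example (not the post's own playbook) that only reports which hosts need a reboot after patching; the reboot task itself stays disabled unless the play is run with -e allow_reboot=true. It assumes Debian/Ubuntu hosts that write the /var/run/reboot-required marker and RHEL-family hosts that have needs-restarting from yum-utils installed.

```yaml
# Added example, not the post's own playbook: detect a pending reboot after
# patching, report it, and reboot only when explicitly allowed at run time.
- name: Report (and optionally perform) post-patch reboots
  hosts: all
  become: yes
  vars:
    allow_reboot: false   # override with -e allow_reboot=true during a maintenance window

  tasks:
    - name: Check for the Debian/Ubuntu reboot marker
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_marker
      when: ansible_facts['os_family'] == 'Debian'

    - name: Check whether a RHEL-family host needs a reboot
      ansible.builtin.command: needs-restarting -r
      register: needs_restarting
      changed_when: false
      failed_when: needs_restarting.rc not in [0, 1]   # rc 1 means "reboot needed"
      when: ansible_facts['os_family'] == 'RedHat'

    - name: Record the result as a per-host fact (skipped checks default to false)
      ansible.builtin.set_fact:
        reboot_needed: "{{ (reboot_marker.stat.exists | default(false)) or (needs_restarting.rc | default(0) == 1) }}"

    - name: Report hosts that still need a reboot
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }} needs a reboot after patching"
      when: reboot_needed | bool

    - name: Reboot only when explicitly allowed
      ansible.builtin.reboot:
        reboot_timeout: 600
      when:
        - reboot_needed | bool
        - allow_reboot | bool
```

Run it with `ansible-playbook reboot-check.yaml --ask-vault-pass` to get a report, and add `-e allow_reboot=true` only when you are ready to take the nodes down. Because the check task for the other distribution is skipped on each host, the set_fact step uses default() so a skipped result counts as "no reboot needed" instead of an undefined-variable error.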

This was a simple one, but I think valuable to anyone who is just starting out with system automation. Let me know what you think!
