Creating a central patch management with ansible

Hello,

I'm trying to establish a central patch management using ansible. To get an idea of what I am going to do, have a look at the following script:

#!/bin/bash
#
# File: install_rhsa.sh
# Author: Joerg Kastning
#
# Description:
# This script installs Red Hat Security Advisories on a group of hosts.
##############################################################################

# Variables ##################################################################

# Comma-separated list of the Red Hat Security Advisories to install
# (the format yum's --advisory option expects)
# RHSA="RHSA-2016:1539,RHSA-2016:1539,RHSA-2016:1539"
RHSA="RHSA-2016:1277,RHSA-2016:0301"

INVENTAR="/data/ansible/staging" # ansible inventory file
GRUPPE="e-stage" # group within the ansible inventory file

LOG="/var/log/install_rhsa.log"

# Functions ##################################################################

install_rhsa() {
  echo "# $(date +%Y-%m-%dT%H:%M:%S)"
  echo "Running command: yum clean all"
  /usr/bin/ansible -i "${INVENTAR}" "${GRUPPE}" -m command -a "/usr/bin/yum clean all"
  echo "Running command: yum update-minimal -y --advisory ${RHSA}"
  /usr/bin/ansible -i "${INVENTAR}" "${GRUPPE}" -m command -a "/usr/bin/yum update-minimal -y --advisory ${RHSA}"
  echo "# $(date +%Y-%m-%dT%H:%M:%S)"
}

usage() {
  cat << EOF
  usage: $0 OPTIONS

  Mit diesem Skript wird die Installation von Red Hat Security Advisory auf einer Gruppe von Hosts durchgefuehrt.

  OPTIONS:
  -h Zeigt diesen Hilfetext an
  -i Spezifiziert die zu verwendende Inventar-Datei
  -g Gibt die Hostgruppe (Stage) an, auf der das Skript arbeiten soll
EOF
}

# Main program ###############################################################
# -i and -g take an argument, -h does not
while getopts "hi:g:" OPTION
do
  case $OPTION in
    h)
      usage
      exit 0;;
    i)
      INVENTAR="${OPTARG}"
      ;;
    g)
      GRUPPE="${OPTARG}"
      ;;
    ?)
      usage
      exit 1;;
  esac
done

install_rhsa > "${LOG}"

In the script I specify the ansible inventory file to use, the group to run the tasks on and the RHSA numbers which should be used. The script works as expected, but there is an important thing missing. I'd like to reboot the remote hosts if packages were updated, but not in case no packages were marked for update. For now I have no idea how to implement this.

The yum output which is written to my log is different for each remote host. So it is very hard to parse to figure out where packages were updated and where not.

Maybe someone from the community here has an idea how to accomplish that. I look forward to reading your replies.

Kind regards,
Joerg
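
An added example, not part of Joerg's post or of any reply, of one way to decide the reboot without parsing yum's per-host output: take a checksum of each host's installed RPM list before and after the advisory update, and reboot only the hosts whose checksum changed. It assumes the same INVENTAR, GRUPPE and RHSA variables as the script above and ansible's ad-hoc output format ("host | SUCCESS | rc=0 >>" followed by the command's stdout).

```shell
#!/bin/bash
# Added example, not part of the original post: reboot only the hosts whose
# installed package set actually changed. Rather than parsing yum's per-host
# output, take a checksum of the sorted RPM list before and after the update
# and compare the two snapshots per host.
# Assumed: INVENTAR/GRUPPE/RHSA as in the script above, and ansible ad-hoc
# output in the "host | SUCCESS | rc=0 >>" format followed by stdout.

INVENTAR="${INVENTAR:-/data/ansible/staging}"
GRUPPE="${GRUPPE:-e-stage}"
RHSA="${RHSA:-RHSA-2016:1277,RHSA-2016:0301}"

# Turn ansible's ad-hoc output into "host checksum" lines. The host comes from
# the "host | SUCCESS | rc=0 >>" header; the checksum is the sha256sum line
# (64 hex chars followed by " -" because sha256sum read from stdin).
parse_snapshot() {
  awk 'tolower($0) ~ / \| success \| / { host = $1; next }
       length($1) == 64 && $2 == "-"    { print host, $1 }'
}

# One checksum of the installed package list per host in the group.
snapshot_packages() {
  /usr/bin/ansible -i "${INVENTAR}" "${GRUPPE}" -m shell \
    -a 'rpm -qa | sort | sha256sum' | parse_snapshot
}

# Print hosts present in AFTER whose checksum differs from BEFORE. A host that
# was unreachable after the update is absent from AFTER and so never rebooted.
changed_hosts() {
  awk 'NR == FNR { before[$1] = $2; next } before[$1] != $2 { print $1 }' "$1" "$2"
}

patch_and_reboot_changed() {
  local before after host
  before=$(mktemp) && after=$(mktemp)
  snapshot_packages > "${before}"
  /usr/bin/ansible -i "${INVENTAR}" "${GRUPPE}" -m command \
    -a "/usr/bin/yum update-minimal -y --advisory ${RHSA}"
  snapshot_packages > "${after}"
  changed_hosts "${before}" "${after}" | while read -r host; do
    echo "# $(date +%Y-%m-%dT%H:%M:%S) package set changed on ${host}, rebooting"
    /usr/bin/ansible -i "${INVENTAR}" "${host}" -m command -a "/sbin/shutdown -r +1"
  done
  rm -f "${before}" "${after}"
}
```

Hosts that fail the update or are unreachable afterwards drop out of the second snapshot and are therefore left alone; the log lines written by patch_and_reboot_changed can be redirected to the same LOG file as install_rhsa.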

Responses