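---
# Update software to address CVE-2019-5736
#
# Playbook Ver. 1.1
#
# This playbook will update the runc and docker packages to the latest version
# that includes the fix for CVE-2019-5736. For more details see the article:
# https://access.redhat.com/security/vulnerabilities/runcescape
#
# To use it, define the HOSTS variable with the hosts you'd like to modify:
#   ansible-playbook -e HOSTS=webservers,db01 CVE-2019-5736-update_fixit.yml
#
# Package presence is decided from the exit status of `rpm -q` (0 = installed)
# rather than from its "not installed" message, so the checks do not depend on
# the system locale and an unexpected rpm error (non-zero rc, empty stdout) is
# treated as "not installed" instead of triggering an install.

- name: Update runc and docker package to latest and restart docker service to address CVE-2019-5736
  hosts: "{{ HOSTS }}"
  become: true
  tasks:
    - name: Check if runc is installed
      command: rpm -q runc
      register: rpm_runc
      failed_when: false     # a missing package is a normal outcome, not an error
      changed_when: false    # query only; never report a change
      check_mode: false      # run the query even under --check so the 'when' below works

    - name: Update runc package if installed
      when: rpm_runc.rc == 0
      yum:
        name: runc
        state: latest

    - name: Check if docker is installed
      command: rpm -q docker
      register: rpm_docker
      failed_when: false
      changed_when: false
      check_mode: false

    # The docker system service is restarted automatically during updating the package.
    - name: Update docker package if installed
      when: rpm_docker.rc == 0
      yum:
        name: docker
        state: latest

    # Fail when 'docker-latest' package is installed.
    - name: Check if docker-latest is installed
      command: rpm -q docker-latest
      register: rpm_docker_l
      failed_when: false
      changed_when: false
      check_mode: false

    - name: docker-latest not supported
      when: rpm_docker_l.rc == 0
      fail:
        msg: "Package docker-latest is not supported. Please update to package docker."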