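---
# Update software to address several CVEs:
#   CVE-2020-14298: Docker fix regression
#   CVE-2020-14300: Docker fix regression
#   CVE-2016-8867: Docker incorrect capabilities
#
# Find the latest information about this issue, including any updates to this playbook,
# on the vulnerability article:
#   https://access.redhat.com/security/vulnerabilities/runc-regression-docker-1.13.1-108
#
# Playbook Ver. 1.0
#
# This playbook will update docker packages if the affected package version is installed.
#
# To use it, define the HOSTS variable with the hosts you'd like to modify:
#   ansible-playbook -e HOSTS=container_host,dev01 CVE-2020-14298-14300_update_fixit.yml

- name: Update docker and restart docker service to address CVE-2020-14298 and related
  hosts: "{{HOSTS}}"
  become: true

  # Affected build this play looks for: docker-1.13.1-108.git4ef4b30.el7
  tasks:
    # Read-only query of the installed docker package; the result decides
    # whether the update task below runs.
    #
    # The former "warn=no" argument is dropped: the command module's warn
    # option was removed in ansible-core 2.14. On releases that still have it,
    # the only effect of omitting it is an advisory warning about calling rpm.
    - name: Check if affected docker package is installed
      command: rpm -q docker
      register: rpm_docker
      # rpm -q exits non-zero when docker is not installed, so such hosts must
      # not be reported as failed. This also hides any other error from the
      # query; in that case the update below is skipped, so a skipped host is
      # not proof that the host is unaffected.
      failed_when: false
      changed_when: false
      # Nothing is modified here, so run the query even under --check; the
      # condition on the next task needs its output.
      check_mode: false

    # The docker system service is restarted automatically during updating the
    # package; this play defines no separate restart task or handler.
    - name: Update affected docker package
      yum:
        name: docker
        # "latest" installs the newest docker build offered by the host's
        # enabled repositories. Confirm afterwards with `rpm -q docker` that
        # the host no longer reports the affected build.
        state: latest
      when: '"docker-1.13.1-108.git4ef4b30.el7" in rpm_docker.stdout'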