
Ansible Role linuxfabrik.lfops.system_update

This role configures the server to do (weekly) system updates by deploying two shell scripts: the first script, notify-and-schedule, checks for available updates (normally during the day) and notifies the system administrators either via email or Rocket.Chat. At update time (usually the next morning at around 4 AM), the second script, update-and-reboot,

  • sets a downtime for the host and all its services in Icinga
  • applies all updates
  • and, if necessary, automatically reboots the host after the updates.

Mandatory Requirements

If you use the system_update Playbook, this is automatically done for you.

Tags

system_update

  • Sets up automatic system update via systemd timer.
  • Triggers: none.

system_update:state

  • Determines whether notify-and-schedule.timer is enabled.
  • Triggers: none.

Optional Role Variables

system_update__cache_only

  • Whether to install updates from cache only. This requires the package cache to have been built beforehand.
  • Type: Bool.
  • Default: false

system_update__icinga2_api_url

  • The URL of the Icinga2 API (usually on the Icinga2 Master). This will be used to set a downtime for the corresponding host and all its services in the reboot alias.
  • Type: String.
  • Default: 'https://{{ icinga2_agent__icinga2_master_host | d("") }}:{{ icinga2_agent__icinga2_master_port | d(5665) }}'

system_update__icinga2_api_user_login

  • The Icinga2 API User to set the downtime for the corresponding host and all its services.
  • Type: Dictionary.
  • Default: unset

system_update__icinga2_hostname

  • The hostname of the Icinga2 host on which the downtime should be set.
  • Type: String.
  • Default: '{{ ansible_facts["nodename"] }}'

system_update__mail_from

  • The email sender account. This will be used as the "from"-address for all notifications.
  • Type: String.
  • Default: '{{ mailto_root__from }}'

system_update__mail_recipients_new_configfiles

  • A list of email recipients to notify if there is a new version of a config file (rpmnew / rpmsave / dpkg-dist / ucf-dist).
  • Type: String.
  • Default: '{{ mailto_root__to }}'

system_update__mail_recipients_updates

  • A list of email recipients to notify about the expected updates and the report of the installed updates.
  • Type: String.
  • Default: '{{ mailto_root__to }}'

system_update__mail_subject_hostname

  • String which will be used as the hostname in the mail subject. You can use $() to call bash code.
  • Type: String.
  • Default: '$(hostname --short)'

system_update__mail_subject_prefix

  • This will set a prefix that will be shown in front of the hostname. Can be used to separate servers by environment or customer.
  • Type: String.
  • Default: ''

system_update__notify_and_schedule_on_calendar

  • When the notification for the expected updates should be sent. Have a look at systemd.time(7) for the format.
  • Type: String.
  • Default: 'mon 10:00'

system_update__post_update_code

  • This codeblock will be executed after the updates have been installed and before a potential reboot.
  • Type: String.
  • Default: unset

system_update__pre_update_code

  • This codeblock will be executed before the update process is started. Can be used to check pre-conditions for updating, for example for checking cluster nodes.
  • Type: String.
  • Default: unset

system_update__rocketchat_msg_suffix

  • A suffix to the Rocket.Chat notifications. This can be used to mention other users.
  • Type: String.
  • Default: ''

system_update__rocketchat_url

  • The URL to a potential Rocket.Chat server to send notifications about the updates to.
  • Type: String.
  • Default: unset

system_update__update_enabled

  • Enables or disables the system-update timer, analogous to systemctl enable/disable --now.
  • Type: Bool.
  • Default: true

system_update__update_time

  • The time when to actually execute the updates (and automatically reboot if necessary), relative to system_update__notify_and_schedule_on_calendar.
  • Type: String.
  • Default: '04:00 + 1 days'

Example:

# optional
system_update__cache_only: true
system_update__icinga2_api_url: 'https://icinga.example.com:5665'
system_update__icinga2_api_user_login:
  username: 'downtime-user'
  password: 'linuxfabrik'
system_update__icinga2_hostname: 'myhost.example.com'
system_update__mail_from: 'noreply@example.com'
system_update__mail_recipients_new_configfiles:
  - 'info@example.com'
  - 'support@example.com'
system_update__mail_recipients_updates:
  - 'info@example.com'
  - 'support@example.com'
system_update__mail_subject_hostname: '$(hostname --long)'
system_update__mail_subject_prefix: '001-'
system_update__notify_and_schedule_on_calendar: 'mon *-*-01..07 10:00' # first monday of the month
system_update__post_update_code: |-
  VAR='hello world'
  echo $VAR
system_update__pre_update_code: |-
  check_dns() {
    local DNS_SERVER=$1
    if ! dig @$DNS_SERVER linuxfabrik.ch +short > /dev/null; then
        SUBJECT="$SUBJECT_PREFIX - System update failed"
        MSGBODY="DNS Server $DNS_SERVER failed to respond. Aborting update."
        send_msg
        exit 1
    fi
  }
  check_dns 192.0.2.10
  check_dns 192.0.2.11
system_update__rocketchat_msg_suffix: '@administrator'
system_update__rocketchat_url: 'https://chat.example.com/hooks/abcd1234'
system_update__update_enabled: true
system_update__update_time: '04:00 + 1 days'
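The downtime that update-and-reboot sets via the Icinga2 API (see system_update__icinga2_api_url and system_update__icinga2_api_user_login) corresponds to a single schedule-downtime call. The following is an added example that reproduces that call in Python; it is not the role's own script, and the URL, host name and credentials are the constructed values from the example above.

```python
import base64
import json
import time
import urllib.request

# Constructed values mirroring the role variables in the example above
# (assumptions for this illustration, not read from Ansible).
ICINGA2_API_URL = "https://icinga.example.com:5665"
ICINGA2_HOSTNAME = "myhost.example.com"
ICINGA2_USER = {"username": "downtime-user", "password": "linuxfabrik"}


def build_downtime_payload(hostname, start, duration_s, author="system_update"):
    """Build the JSON body for POST /v1/actions/schedule-downtime.

    all_services=True makes Icinga2 create a matching downtime for every
    service of the host, so the update window and reboot raise no alerts.
    The host name is escaped before being embedded in the filter string
    so that a quote in it cannot alter the filter expression.
    """
    safe = hostname.replace("\\", "\\\\").replace('"', '\\"')
    return {
        "type": "Host",
        "filter": 'host.name == "{}"'.format(safe),
        "all_services": True,
        "start_time": int(start),
        "end_time": int(start + duration_s),
        "fixed": True,
        "author": author,
        "comment": "Automatic system update incl. possible reboot",
    }


def build_request(api_url, payload, user):
    """Assemble the authenticated HTTP request without sending it."""
    cred = "{}:{}".format(user["username"], user["password"]).encode()
    req = urllib.request.Request(
        api_url.rstrip("/") + "/v1/actions/schedule-downtime",
        data=json.dumps(payload).encode(),
        method="POST",
    )
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + base64.b64encode(cred).decode())
    return req


def schedule_downtime(api_url, hostname, user, duration_s=3600):
    """Set a fixed downtime starting now; TLS verification stays enabled."""
    payload = build_downtime_payload(hostname, time.time(), duration_s)
    with urllib.request.urlopen(build_request(api_url, payload, user), timeout=10) as resp:
        return json.load(resp)
```

Keep the downtime long enough to cover the reboot; Icinga2 removes a fixed downtime only when end_time has passed.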

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich