sysadmin is patching systems.

Every time you get a Common Vulnerabilities and Exposures (CVE) notification or an Information Assurance Vulnerability Alert (IAVA) mandated by security, you have to kick into high gear to close the security gaps. (And, believe me, your security officer will hunt you down unless the vulnerabilities are patched.)

Ansible can reduce the time it takes to patch systems by running packaging modules. To demonstrate, let's use the yum module to update the system. Ansible can install, update, remove, or install from another location (e.g., rpmbuild from continuous integration/continuous development). Here is the task for updating the system:

- name: update the system
  yum:
    name: "*"
    state: latest

In the first line, we give the task a meaningful name so we know what Ansible is doing. In the next line, the yum module updates the CentOS virtual machine (VM); name: "*" tells yum to update everything, and, finally, state: latest updates each package to the latest RPM.

After updating the system, we need to restart and reconnect:

- name: restart system to reboot to newest kernel
  shell: "sleep 5 && reboot"
  async: 1
  poll: 0

- name: wait for 10 seconds
  pause:
    seconds: 10

- name: wait for the system to reboot
  wait_for_connection:
    connect_timeout: 20
    sleep: 5
    delay: 5
    timeout: 60

- name: install epel-release
  yum:
    name: epel-release
    state: latest

The shell module puts the system to sleep for 5 seconds and then reboots it. We use sleep to prevent the connection from breaking, async to avoid a timeout, and poll to fire and forget. We pause for 10 seconds to wait for the VM to come back and use wait_for_connection to reconnect to the VM as soon as it accepts a connection. Then we install epel-release to test the RPM installation. You can run this playbook multiple times to demonstrate idempotency; the only task that will show as changed is the reboot, because it uses the shell module. You can use changed_when: False to ignore the change reported by the shell module if you expect no actual changes.

So far we've learned how to update a system, restart the VM, reconnect, and install an RPM. Next we will install NGINX using the role in Ansible Lightbulb.

- name: Ensure nginx packages are present
  yum:
    name: nginx, python-pip, python-devel, devel
    state: present
  notify: restart-nginx-service

- name: Ensure uwsgi package is present
  pip:
    name: uwsgi
    state: present
  notify: restart-nginx-service

- name: Ensure latest default.conf is present
  template:
    src: templates/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    backup: yes
  notify: restart-nginx-service

- name: Ensure latest index.html is present
  template:
    src: templates/index.html.j2
    dest: /usr/share/nginx/html/index.html

- name: Ensure nginx service is started and enabled
  service:
    name: nginx
    state: started
    enabled: yes

- name: Ensure proper response from localhost can be received
  uri:
    url: "http://localhost:80/"
    return_content: yes
  register: response
  until: 'nginx_test_message in response.content'
  retries: 10
  delay: 1

And the handler that restarts the nginx service:

# handlers file for nginx-example
- name: restart-nginx-service
  service:
    name: nginx
    state: restarted

In this role, we install the RPMs nginx, python-pip, python-devel, and devel and install uwsgi with PIP. Next, we use the template module to copy over the nginx.conf and index.html for the page to display. After that, we make sure the service is enabled on boot and started. Then we use the uri module to check the connection to the page.

Here is a playbook showing an example of updating, restarting, and installing an RPM, and then continuing on to install nginx. The same pattern works with any other roles/applications you want.

- hosts: all
  roles:
    - centos-update
    - nginx-simple

Watch this demo video for more insight on the process.

This was just a simple example of how to update, reboot, and continue. For simplicity, I added the packages without variables. Once you start working with a large number of hosts, you will need to change a few settings:

- async & poll
- serial
- forks

This is because in your production environment you might want to update one system at a time (not fire and forget) and actually wait longer for your system to reboot before continuing.
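As an added example that is not part of the original article or the Ansible Lightbulb roles, here is one way to turn the reboot-and-reconnect tasks above into a production-style play that applies these settings (serial batches, a longer reboot wait, and changed_when: False on the shell reboot). It assumes an inventory group named "webservers" and that forks is set in ansible.cfg, since forks is a configuration/CLI setting rather than a play keyword.

```yaml
# Added example (not the article's own code). Assumes an inventory group
# "webservers" and "forks = 5" in ansible.cfg (forks is not a play keyword).
- name: Patch and reboot web servers one at a time
  hosts: webservers
  become: true
  serial: 1                  # one host per batch, so a bad patch stops early
  max_fail_percentage: 0     # any failure in a batch aborts the whole run

  tasks:
    - name: update the system
      yum:
        name: "*"
        state: latest
      register: update_result   # remember whether anything was actually updated

    - name: restart system to reboot to newest kernel
      shell: "sleep 5 && reboot"
      async: 1
      poll: 0                   # fire and forget, as in the article
      changed_when: false       # the reboot itself is not a configuration change
      when: update_result.changed   # only reboot hosts that received updates

    - name: wait for the system to reboot
      wait_for_connection:
        connect_timeout: 20
        sleep: 5
        delay: 30               # give the host longer before the first attempt
        timeout: 600            # production hosts can take minutes to return
      when: update_result.changed

    - name: Ensure nginx service is started and enabled
      service:
        name: nginx
        state: started
        enabled: yes

    - name: Ensure nginx answers on localhost before moving to the next host
      uri:
        url: "http://localhost:80/"
        return_content: yes
      register: response
      until: response.status == 200
      retries: 10
      delay: 1
```

Because serial: 1 finishes every task on one host before starting the next, a host that fails the final uri check stops the run before the remaining hosts are patched.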
