Table of Contents

Automating Linux Patching and Updates with Ansible

In today’s fast-paced and security-conscious world, automating the patching and updating of Linux systems is crucial to ensure system stability and mitigate vulnerabilities. With the multitude of Linux distributions available, it can be challenging to manage updates across different platforms efficiently. Fortunately, Ansible, a powerful automation tool, provides a unified solution for automating patching and updates across various Linux distributions. In this article, we will explore how to use Ansible to automate the patching and updating process for Debian-based, Ubuntu-based, RHEL-based, Alpine-based, and other distributions. We will also provide a detailed Ansible playbook example that handles installing patches and updates on different Linux distros, along with instructions on setting up Ansible credentials and host files for all targeted systems.

Prerequisites

Before diving into the automation process, let’s ensure we have the necessary prerequisites in place. These include:

  1. Ansible Installation: To use Ansible, you need to install it on the system from which you will run the automation tasks. You can follow the official Ansible documentation on how to install Ansible for detailed instructions.

  2. Inventory Configuration: Create an inventory file that lists the target systems you want to manage with Ansible. Each system should have its IP address or hostname specified. For example, you can create an inventory file named hosts.ini with the following content:

[debian]
debian-host ansible_host=<debian_ip_address>

[ubuntu]
ubuntu-host ansible_host=<ubuntu_ip_address>

[rhel]
rhel-host ansible_host=<rhel_ip_address>

[alpine]
alpine-host ansible_host=<alpine_ip_address>

Replace <debian_ip_address>, <ubuntu_ip_address>, <rhel_ip_address>, and <alpine_ip_address> with the respective IP addresses or hostnames of the target systems.

  1. SSH Access: Ensure that you have SSH access to the target systems using SSH key-based authentication. This will allow Ansible to securely connect to the systems and perform the necessary tasks.

Ansible Playbook for Patching and Updating

To automate the patching and updating process for various Linux distributions, we can create an Ansible playbook that handles installing patches and updates on different distros.

See the role and files:

Below is an example playbook:

---
- name: Patching and Updating Linux Systems
  hosts: all
  become: yes

  tasks:
    - name: Update Debian-based Systems
      when: ansible_os_family == 'Debian'
      apt:
        update_cache: yes
        upgrade: dist

    - name: Update RHEL-based Systems
      when: ansible_os_family == 'RedHat'
      yum:
        name: '*'
        state: latest

    - name: Update Alpine-based Systems
      when: ansible_os_family == 'Alpine'
      apk:
        update_cache: yes
        upgrade: yes

In the above playbook:

  • The hosts line specifies the target systems for each task. The playbook will run on systems grouped under debian, ubuntu, rhel, and alpine.
  • The become: yes statement allows the playbook to run with administrative privileges.
  • The first task updates Debian-based and Ubuntu-based systems using the apt module.
  • The second task updates RHEL-based systems using the yum module.
  • The third task updates Alpine-based systems using the apk module.

Note that the tasks are conditioned based on the group names to target the appropriate systems.

Setting up Ansible Credentials and Host Files

To configure Ansible credentials and host files for the targeted systems, follow these steps:

  1. Create an Ansible Vault file to store sensitive information such as SSH credentials. You can use the following command to create a vault file:
ansible-vault create credentials.yml
  1. Update the inventory file (hosts.ini) with the appropriate SSH credentials for each target system. For example:
[debian]
debian-host ansible_host=<debian_ip_address> ansible_user=<debian_username> ansible_ssh_pass=<debian_ssh_password>

[ubuntu]
ubuntu-host ansible_host=<ubuntu_ip_address> ansible_user=<ubuntu_username> ansible_ssh_pass=<ubuntu_ssh_password>

[rhel]
rhel-host ansible_host=<rhel_ip_address> ansible_user=<rhel_username> ansible_ssh_pass=<rhel_ssh_password>

[alpine]
alpine-host ansible_host=<alpine_ip_address> ansible_user=<alpine_username> ansible_ssh_pass=<alpine_ssh_password>

Replace <debian_ip_address>, <ubuntu_ip_address>, <rhel_ip_address>, and <alpine_ip_address> with the respective IP addresses of the target systems. Also, replace <debian_username>, <ubuntu_username>, <rhel_username>, and <alpine_username> with the appropriate SSH usernames for each system. Lastly, replace <debian_ssh_password>, <ubuntu_ssh_password>, <rhel_ssh_password>, and <alpine_ssh_password> with the corresponding SSH passwords.

  1. Encrypt the hosts.ini file using the Ansible Vault:
ansible-vault encrypt hosts.ini

Provide the vault password when prompted.

With the above steps, you have set up the necessary Ansible credentials and host files for all the targeted systems

Running the Playbook

To run the playbook and automate the patching and updating process, follow these steps:

  1. Open a terminal and navigate to the directory where you have the playbook file and the encrypted inventory file.

  2. Run the following command to execute the playbook, providing the vault password when prompted:

ansible-playbook -i hosts.ini playbook.yml --ask-vault-pass
  1. Ansible will connect to the target systems, use the provided credentials, and execute the specified tasks, updating the systems accordingly.

Congratulations! You have successfully automated the patching and updating of different Linux distributions using Ansible. With the Ansible playbook and the proper setup of credentials and host files, you can now efficiently manage the patching and updating process across your Linux infrastructure.

Conclusion

Automating the patching and updating of Linux systems with Ansible simplifies and streamlines the process, allowing system administrators to efficiently manage updates across various Linux distributions. By following the instructions provided in this article, you have learned how to create an Ansible playbook that handles installing patches and updates on different Linux distros. Additionally, you have set up Ansible credentials and host files to target the desired systems. Embrace the power of automation and enjoy the benefits of a more secure and well-maintained Linux infrastructure.

References

  1. Ansible Documentation
  2. Official Ansible Installation Guide
  3. Ansible Galaxy - linux_update
  4. Github - simeononsecurity/ansible_linux_update