Using Ansible to Update Ubuntu, CentOS, and Redhat

Keeping your software updated is important. You get the newest features, and more importantly, you also get the latest security fixes. Ansible can help you to automate the updating of your software.

Spectre and Meltdown security vulnerabilities. Update Ubuntu, CentOS 7, Redhat 7 using Ansible

With all the latest news about the Spectre and Meltdown security vulnerabilities it is important to keep the software updated on all your devices. If you are a desktop user, update your OS now*. If you maintain Linux servers, update those now* as well.
The below information can help you use Ansible to update all of your Ubuntu, CentOS, and Redhat servers.

* Disclaimer: Test any updates thoroughly before upgrading your production environments since an update could introduce performance impacts or issues. I am not responsible if you break anything!

What is Ansible?

First of all, Ansible is amazing at IT automation. Ansible is a command line IT automation solution that can deploy configuration changes, software, and perform many other tasks all automatically. However, you should be extra cautious when running any type of automation for server updates. To get more information about what Ansible is, check out the Ansible documentation.

Ansible is modular, so you can create groups of tasks, called roles. And then you can group the roles together to all run sequentially inside of a playbook.
An Ansible playbook can run against one or multiple servers, depending how you reference the servers in your playbook, and also depending on how you group the servers in your Ansible inventory file.

What the Ansible server update role does

This is an Ansible role to update your servers with the latest packages, reboot the server if needed, and wait for the server to start up.
You can also exclude packages from the update, update only specified packages, or install only specified packages.

A reboot of the server is only be performed if the reboot flag is set (which is enabled by default), and if the kernel was updated or another package indicates to the OS that a reboot is needed.

Also, it seems obvious, but just in case.. Be sure to stop your applications before updating and rebooting your server, and then start your applications again after.
You can add more roles after this role to continue installing and configuring your server.

Tested on Ubuntu 16.04, Ubuntu 18.04, CentOS 7.x, and Redhat Enterprise Linux (RHEL) 7.x servers.

You can find this Ansible role on Github. Check back for any updates on Github, and also for more information about the variables used in this Ansible role.

Bonus – Spectre and Meltdown mitigation

As an extra bonus, this Ansible role can also help you mitigate the recent security vulnerabilities called Spectre and Meltdown (once updates are available for your operating system of course).

More information about how to mitigate Spectre and Meltdown (CVE-2017-5754, CVE-2017-5753, CVE-2017-5715) is available for Ubuntu and CentOS/Redhat. When new mitigations become available you will need to patch your servers again. And with Ansible it can be less painful.

To begin updating, continue reading. You can also jump directly to the example commands which can be used to mitigate Spectre and Meltdown if that is all you want to do. But, keep in mind it is usually better to keep all of the packages updated*.

Using Ansible to update Ubuntu and CentOS/Redhat 7

This assumes you have Ansible and git installed.
In addition, you also need to follow a few steps before running the playbook. If you have already done this, you can skip ahead to installing the role.

Prerequisites

Before you begin, make sure you have your Ansible “group_vars” setup for the Ansible hosts you are running this playbook against. “centos-dev” is the host group in the example below.

$ vi ./group_vars/centos-dev/proxy.yml

If you are behind a corporate firewall and use a proxy, add:

proxy_env:
  http_proxy: http://my.internal.proxy:80
  https_proxy: https://my.internal.proxy:80

If not using a proxy, add:

proxy_env: []

Install Ansible role to update the server

To install the Ansible role that handles updating your server(s), go into the directory you have your Ansible playbooks. Or, if you don’t have any existing playbooks, then create a new directory for the Ansible role and playbook.

Next, clone my Github repository with the Ansible role.

$ cd ~/ansible
$ git clone https://github.com/ryandaniels/ansible-role-server-update-reboot.git roles/server-update-reboot

Create your Ansible Playbook

Now, create your Ansible Playbook file for the server update role. You can also add other roles to run before or after.

$ vi server-update-reboot.yml

---
- hosts: '{{inventory}}'
max_fail_percentage: 0
serial: 1
become: yes
roles:
# - stop-applications
- server-update-reboot
# - server-config-xyz
#  - start-applications

Tip: The above will update one server at a time (using max_fail_percentage and serial). If you want to update everything at once you can comment those two lines out. Be careful with this since you could update and reboot all your servers at once!

Update your servers – Run the Playbook

Finally, the last step is to run the Ansible Playbook. Below are examples for various scenarios.

Note: It is important to understand what will happen. This will reboot your server by default!

Example for Ubuntu & Redhat/CentOS to update all packages

Use all defaults for the role to: update packages, reboot server if needed, and wait for the server to start up.

ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev" -i hosts-dev

Below is the same as above, but now the server is not rebooted, even when a reboot is needed. In this example the extra variable “reboot_default” is used on the command line to change the reboot variable to false.

ansible-playbook server-update-reboot.yml --extra-vars "inventory=all-dev reboot_default=false" -i hosts-dev

Keep in mind that a server reboot may be necessary to complete the updates. For example, if a kernel update was applied.

Example for Redhat/CentOS to limit packages being updated

Update all packages except package(s) specified:

ansible-playbook server-update-reboot.yml --extra-vars 'inventory=centos-dev server_update_yum_exclude_pkgs="mysql*, bash, openssh*"' -i hosts-dev

Update (or install) only specific package(s):

ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev

Example for Ubuntu to limit packages being updated

Update all packages except package(s) specified:

ansible-playbook server-update-reboot.yml --extra-vars 'inventory=ubuntu-dev server_update_apt_exclude_default=true' --extra-vars '{"server_update_apt_exclude_pkgs": [bash, openssl, ^mysql*, ^openssh*]}' -i hosts-dev

Update only specific package(s):

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode, openssh*]}" -i hosts-dev

Install only specific package(s):

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=install" --extra-vars "{'server_update_apt_install_pkgs': [bash, openssh-server]}" -i hosts-dev

Be careful with wildcards since they can install more than you might want.

Examples for Spectre and Meltdown Mitigation

To update Ubuntu 16.04, Redhat 7, and CentOS 7 with only the available Spectre and Meltdown mitigations use the below examples.

Keep in mind it’s usually better to keep all of the packages up to date.

For Redhat/CentOS 7 (Spectre/Meltdown Mitigation)

ansible-playbook server-update-reboot.yml --extra-vars "inventory=centos-dev server_update_yum_install_pkgs='kernel-*, iwl*firmware, microcode_ctl, dracut'" -i hosts-dev

For Ubuntu 16.04 (Spectre/Meltdown Mitigation)

ansible-playbook server-update-reboot.yml --extra-vars "inventory=ubuntu-dev server_update_apt_default=update_specific" --extra-vars "{'server_update_apt_install_pkgs': [linux-firmware, linux-generic, linux-headers-generic, linux-image-generic, intel-microcode]}" -i hosts-dev

Conclusion

Automation using a tool like Ansible is very powerful. With Ansible’s help you can update all of your Ubuntu, CentOS, and Redhat servers quickly. Finally, with all of the recent issues surrounding Spectre and Meltdown, the Ansible server update role can help you keep everything updated and more secure.

Now that your servers are patched, you can look at other Ansible roles to help you install and configure software. If you have your own VPS, check out the Ansible role to setup OpenVPN with ad blocking.