
Installing security updates promptly is essential. On CentOS/RHEL 7 based Linux distributions you can easily automate this with the yum-cron tool, and if you need to deploy it on multiple remote hosts, do not hesitate to use Ansible ;-)

Below is a simple Ansible playbook scenario, which you should modify to meet your particular needs.

1) Create an inventory file called prodenv and specify the groups and hosts in it

# file: prodenv 
# production hosts inventory

[websrv]
web1.example.com

[dbsrv]
db1.example.com

2) Create site.yml

---
# file: site.yml
- hosts: all
  roles:
    - common
  remote_user: root

3) Specify the role's default variables

---
# file: roles/common/defaults/main.yml
updateOption: security
emailTo: [email protected]
connectTo: mail.example.com

The emailTo and connectTo variables are used by yum-cron to send e-mail reports with the update status (emailTo accepts a comma-separated list of recipients). E-mail notifications, how nice, huh? ;-)

4) Specify per-host variables

---
# file: host_vars/db1.example.com
emailFrom: [email protected]
---
# file: host_vars/web1.example.com
emailFrom: [email protected]

5) And now the most important part: write the main task list

---
# file: roles/common/tasks/main.yml
- name: install cronie package
  yum: name=cronie state=installed
  tags: cronie

- name: enable cron(ie) service
  service: name=crond state=running enabled=yes
  tags: cronie

- name: install yum-cron package
  yum: name=yum-cron state=installed
  tags: yum-cron

- name: copy yum-cron.conf
  template: src=yum-cron.conf.j2 dest=/etc/yum/yum-cron.conf
  tags: yum-cron

- name: enable yum-cron service
  service: name=yum-cron state=running enabled=yes
  tags: yum-cron

In this example yum-cron is configured for daily operation only (yum-cron-hourly is disabled by default). Also, as you can see, the task list first makes sure the cron daemon (cronie) is installed and enabled, because yum-cron is driven by cron and will not run without it.

6) The last missing piece is the yum-cron.conf template

# file: roles/common/templates/yum-cron.conf.j2

[commands]
update_cmd = {{ updateOption }}

# Whether a message should be emitted when updates are available,
# were downloaded, or applied.
update_messages = yes
# Whether updates should be downloaded when they are available.
download_updates = yes
# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes
#
random_sleep = 120

[emitters]
# Name to use for this system in messages that are emitted.  If
# system_name is None, the hostname will be used.
system_name = None
emit_via = email
# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80

[email]
# The address to send email messages from.
email_from = {{ emailFrom }}
# List of addresses to send messages to.
email_to = {{ emailTo }}
# Name of the host to connect to to send email messages.
email_host = {{ connectTo }}

[groups]
# NOTE: This only works when group_command != objects, which is now the default
# List of groups to update
group_list = None
# The types of group packages to install
group_package_types = mandatory, default

[base]
# This section overrides yum.conf

# Use this to filter Yum core messages
# -4: critical
# -3: critical+errors
# -2: critical+errors+warnings (default)
debuglevel = -2

# skip_broken = True
mdpolicy = group:main

# Uncomment to auto-import new gpg keys (dangerous)
# assumeyes = True

Done! Try it out: run Ansible with our playbook

$ ansible-playbook -i prodenv site.yml
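After the playbook has run, it is worth verifying that the rendered /etc/yum/yum-cron.conf on each host actually enforces the intended policy: security-only updates that are both downloaded and applied, e-mail reporting switched on, and no blanket assumeyes (which would also auto-import GPG keys without review). The following checker is an added example and not part of the original post or the ansible-yum-cron repository; the sample configuration text and the mail addresses in it are constructed to look like the template's output, and the policy table is my assumption about what a deployment like the one above should look like.

```python
import configparser

# Constructed sample: what roles/common/templates/yum-cron.conf.j2 renders to
# on one host after the playbook has run (addresses are made up).
SAMPLE_CONF = """\
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes
random_sleep = 120

[emitters]
system_name = None
emit_via = email
output_width = 80

[email]
email_from = yum-cron@db1.example.com
email_to = ops@example.com
email_host = mail.example.com

[base]
debuglevel = -2
mdpolicy = group:main
"""

# Constructed drifted config: updates are downloaded but never applied, and
# someone uncommented the "dangerous" assumeyes line in [base].
BAD_CONF = SAMPLE_CONF.replace("apply_updates = yes", "apply_updates = no") + "assumeyes = True\n"

# Policy this deployment is supposed to guarantee (assumed, not from yum-cron itself).
EXPECTED = {
    ("commands", "update_cmd"): "security",
    ("commands", "download_updates"): "yes",
    ("commands", "apply_updates"): "yes",
    ("emitters", "emit_via"): "email",
}
# Options that must not be switched on in the rendered file.
FORBIDDEN = {("base", "assumeyes")}


def load_yum_cron_conf(text):
    """Parse yum-cron.conf text; the file uses INI syntax that configparser reads directly."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_yum_cron_conf(text):
    """Return a list of policy findings; an empty list means the config is compliant."""
    conf = load_yum_cron_conf(text)
    findings = []
    for (section, key), want in EXPECTED.items():
        got = conf.get(section, key, fallback=None)
        if got is None:
            findings.append(f"{section}.{key} is missing (expected {want!r})")
        elif got.strip().lower() != want:
            findings.append(f"{section}.{key} = {got.strip()!r}, expected {want!r}")
    for section, key in FORBIDDEN:
        if conf.getboolean(section, key, fallback=False):
            findings.append(f"{section}.{key} is enabled; new GPG keys would be imported without review")
    # When reports go out by e-mail, all three endpoints have to be filled in,
    # otherwise yum-cron runs silently and nobody sees failed update runs.
    if conf.get("emitters", "emit_via", fallback="").strip() == "email":
        for key in ("email_from", "email_to", "email_host"):
            if not conf.get("email", key, fallback="").strip():
                findings.append(f"email.{key} is empty although emit_via = email")
    return findings


if __name__ == "__main__":
    for label, text in (("rendered config", SAMPLE_CONF), ("drifted config", BAD_CONF)):
        problems = check_yum_cron_conf(text)
        print(f"{label}: {'OK' if not problems else 'FINDINGS'}")
        for line in problems:
            print(f"  - {line}")
```

On a real host you would feed it the contents of /etc/yum/yum-cron.conf (for example from a fetch task or a small script run by Ansible's script module) and treat any finding as a failed deployment check rather than a warning.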

I have also published a similar ansible-yum-cron example on my GitHub, if you are interested.
