Debug

I have written a playbook to apply security patches to Linux servers, and the only thing left to write is the task that restarts the patched servers.

The patching tasks are as follows.

- name: Deploying Security Packages                              
  shell: "yum update --security -y"                              
  register: progress                                             
  when: deploypackages == "y"                                    
                                                                 
- name: Installed Packages                                       
  debug:                                                         
    msg: "{{ progress.stdout_lines | regex_search('complete') }}"
  #when: progress.changed | regex_search('complete')   

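I am looking for a filter that searches the registered variable's output for the word kernel and, if it is present, restarts the server once the update is completed.

Thanks

Attempt 1 - Failed

For testing purposes I changed kernel to xz-libs, but it fails when it reaches the when condition.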

---
- name: Deploying Security Packages
  #shell: "yum update --security -y"
  yum:
    name: '*'
    state: latest
    security: yes
  register: yum_update
  when: deploypackages == "y"

- name: Installed Packages
  debug:
    msg: " Packages installed Successfully "
  when:
    - yum_update.changed
    - yum_update.stdout | regex_search('xz-libs', ignorecase=True ) is not none

I get this error

TASK [deploying_security_updates : Deploying Security Packages] **********************
changed: [192.168.8.26]

    TASK [deploying_security_updates : Installed Packages] *******************************
    fatal: [192.168.8.26]: FAILED! => {"msg": "The conditional check 'yum_update.stdout | regex_search('*xz-libs*', ignorecase=True ) is not none' failed. The error was: nothing to repeat\n\nThe error appears to be in '/home/sysadmin/ansible_files/play-security-update/roles/deploying_security_updates/tasks/main.yaml': line 11, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Installed Packages\n  ^ here\n"}

Debug

- name: Deploying Security Packages                                                
  yum:                                                                             
    name: '*'                                                                      
    state: latest                                                                  
    security: yes                                                                  
  register: yum_update                                                             
  when: deploypackages == "y"                                                      
                                                                                   
- name: Installed Packages                                                         
  debug:                                                                           
    #msg: " Packages installed Successfully "                                      
    msg: " {{ yum_update.stdout | regex_search('xz-libs', ignorecase=True ) }}"    
  #when:                                                                           
  #  - yum_update.changed                                                          
  #  - yum_update.stdout | regex_search('*xz-libs*', ignorecase=True ) is not none 



Do you want to deploy Packages: y

PLAY [To Apply Security Patches on Linux Servers] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [192.168.8.26]

TASK [Condition Failed! Wrong User Input] ***************************************************************************************************************************************************************************************************
skipping: [192.168.8.26]

TASK [check_for_updates : Looking for Package Updates] **************************************************************************************************************************************************************************************
skipping: [192.168.8.26]

TASK [check_for_updates : Printing Available Updates] ***************************************************************************************************************************************************************************************
skipping: [192.168.8.26]

TASK [deploying_security_updates : Deploying Security Packages] *****************************************************************************************************************************************************************************
changed: [192.168.8.26]

TASK [deploying_security_updates : Installed Packages] **************************************************************************************************************************************************************************************
fatal: [192.168.8.26]: FAILED! => {"msg": "Unexpected templating type error occurred on ( {{ yum_update.stdout | regex_search('xz-libs', ignorecase=True ) }}): expected string or buffer"}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
192.168.8.26               : ok=2    changed=1    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0

Debug output

ok: [192.168.8.26] => {
    "msg": {
        "changed": true,
        "changes": {
            "installed": [],
            "updated": [
                [
                    "xz",
                    "5.2.2-2.el7_9.x86_64 from rhel-remote"
                ],
                [
                    "xz-libs",
                    "5.2.2-2.el7_9.x86_64 from rhel-remote"
                ]
            ]
        },
        "failed": false,
        "msg": "",
        "rc": 0,
        "results": [
            "Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-\n              : manager\nThis system is not registered with an entitlement server. You can use subscription-manager to register.\n --> device-mapper-persistent-data-0.7.3-3.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> 7:device-mapper-event-1.02.170-6.el7_9.5.x86_64 from rhel-remote removed (updateinfo)\n --> libgnomekbd-3.26.0-3.el7.x86_64 from rhel-remote removed (updateinfo)\n --> cryptsetup-python-2.0.3-3.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> PackageKit-gstreamer-plugin-1.1.10-2.el7.x86_64 from rhel-remote removed (updateinfo)\n --> libstoragemgmt-1.6.2-4.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> PackageKit-gtk3-module-1.1.10-2.el7.x86_64 from rhel-remote removed (updateinfo)\n --> 7:device-mapper-event-1.02.149-8.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> setroubleshoot-plugins-3.0.67-3.el7.noarch from @anaconda/7.6 removed (updateinfo)\n --> libdrm-2.4.91-3.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> mesa-dri-drivers-18.3.4-12.el7_9.x86_64 from rhel-remote removed (updateinfo)\n --> subscription-manager-plugin-container-1.24.51-1.el7_9.x86_64 from rhel-remote removed (updateinfo)\n --> firewalld-0.6.3-13.el7_9.noarch from rhel-remote removed (updateinfo)\n --> gdb-7.6.1-114.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> grubby-8.28-26.el7.x86_64 from rhel-remote removed (updateinfo)\n --> hostname-3.13-3.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> 32:bind-libs-lite-9.11.4-26.P2.el7_9.9.x86_64 from rhel-remote removed (updateinfo)\n --> abrt-dbus-2.1.11-52.el7.x86_64 from @anaconda/7.6 removed (updateinfo)\n --> unzip-6.0-21.el7.x86_64 from @rhel-remote removed (updateinfo)\n
 Package xz-libs.x86_64 0:5.2.2-2.el7_9 will be an update\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package         Arch           Version               Repository           Size\n================================================================================\nUpdating:\n xz              x86_64         5.2.2-2.el7_9         rhel-remote         229 k\n xz-libs         x86_64         5.2.2-2.el7_9         rhel-remote         103 k\n\nTransaction Summary\n================================================================================\nUpgrade  2 Packages\n\nTotal download size: 332 k\nDownloading packages:\nNo Presto metadata available for rhel-remote\n--------------------------------------------------------------------------------\nTotal                                              1.3 MB/s | 332 kB  00:00     \nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  Updating   : xz-libs-5.2.2-2.el7_9.x86_64                                 1/4 \n  Updating   : xz-5.2.2-2.el7_9.x86_64                                      2/4 \n  Cleanup    : xz-5.2.2-1.el7.x86_64                                        3/4 \n  Cleanup    : xz-libs-5.2.2-1.el7.x86_64                                   4/4 \n  Verifying  : xz-libs-5.2.2-2.el7_9.x86_64                                 1/4 \n  Verifying  : xz-5.2.2-2.el7_9.x86_64                                      2/4 \n  Verifying  : xz-libs-5.2.2-1.el7.x86_64                                   3/4 \n  Verifying  : xz-5.2.2-1.el7.x86_64                                        4/4 \n\nUpdated:\n  xz.x86_64 0:5.2.2-2.el7_9            xz-libs.x86_64 0:5.2.2-2.el7_9           \n\nComplete!\n"
        ]
    }
}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
192.168.8.26               : ok=3    changed=1    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0

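Answer 1

A reboot may be necessary not only after a new kernel has been installed but also after updates to microcode, glibc, SSL libraries, and so on. So there are some more events to check for and restart on.

For RHEL there are utilities available that build on the base operating system's package manager, such as yum-utils. They include the script needs-restarting, which queries whether a restart is required after updates have been applied.

(As of RHEL 7)

After resolving the dependency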

- name: Install basic admin tools
  yum:
    name: yum-utils
    state: latest

the check is simple

- name: Check if reboot_required
  shell:
    cmd: "needs-restarting -r"
  changed_when: false
  failed_when: reboot_required.rc != 0 and reboot_required.rc != 1
  check_mode: false
  register: reboot_required

- name: Report reboot_required
  debug:
    msg: "{{  reboot_required.rc | bool }} "
  changed_when: reboot_required.rc == 1
  check_mode: false

and produces the output

TASK [Report reboot_required] **************************************************
ok: [test1.example.com] => {
    "msg": "True "
}
ok: [test2.example.com] => {
    "msg": "False "
}

Packages that check whether a restart is required are available for other distributions as well.


Also, depending on your infrastructure and environment, it is possible to restart the system fully automatically via a cron job.

# Reboot cron job
# /etc/cron.d/

# mm hh dom mon dow user command
  59  0   *   *   * root needs-restarting -r || /usr/sbin/shutdown --no-wall -r +1

Answer 2

As you mentioned that you want to check that the task has completed and that the word kernel is in the output, the following would do the job.

- name: "Deploying Security Packages"
  ansible.builtin.yum:
    name: '*'
    security: yes
    state: latest
  register: yum_update

- name: "Just debug for now"
  ansible.builtin.debug:
    msg: "This should be a reboot"
  when:
    - yum_update.changed
    - (yum_update.results[0] | regex_search('kernel')) is not none
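
The two entries under "when" mean a logical AND, so the update must be changed and therefore completed, otherwise the update will fail, and the stdout output must contain a match for the word kernel. If that word does not exist, the check outputs none, as per the documentation.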

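Added example (not part of the question or of either answer): one way to combine the two answers into a single task list that patches, reports on kernel updates, and reboots only when required. It assumes RHEL 7 and the yum module result layout shown in the question's debug output; the reboot message and timeout are constructed values.

```yaml
# Added example, not from the original posts. Assumes RHEL 7 and the yum
# module result layout shown in the question's debug output.
- name: Deploy security updates
  ansible.builtin.yum:
    name: '*'
    state: latest
    security: true
  register: yum_update

# The yum module registers results and changes, not stdout. The transcript in
# results also names packages that were only filtered out, so match package
# names in changes.updated ([name, version] pairs) instead of the transcript.
- name: Report whether a kernel package was updated
  ansible.builtin.debug:
    msg: "kernel updated: {{ kernel_updated }}"
  vars:
    kernel_updated: >-
      {{ (yum_update.changes | default({})).updated | default([])
         | map('first') | select('match', 'kernel') | list | length > 0 }}

- name: Install yum-utils (provides needs-restarting)
  ansible.builtin.yum:
    name: yum-utils
    state: present

# needs-restarting -r exits 0 when no reboot is needed and 1 when one is;
# any other return code is treated as a real failure.
- name: Check whether a reboot is required
  ansible.builtin.command:
    cmd: needs-restarting -r
  register: reboot_required
  changed_when: false
  failed_when: reboot_required.rc not in [0, 1]
  check_mode: false

- name: Reboot only when needs-restarting reports it is required
  ansible.builtin.reboot:
    msg: "Rebooting after security updates"  # constructed message
    reboot_timeout: 900                      # assumed timeout, in seconds
  when: reboot_required.rc == 1
```

The reboot is driven by needs-restarting rather than by the kernel match, because the first answer notes that microcode, glibc and SSL library updates can require a reboot as well.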