How to automate Linux patching with Ansible
Use automation to reduce the time IT teams spend deploying patches and apply updates consistently across systems.
Patch management is an integral part of the IT system lifecycle and vulnerability management. Applying updates to a system keeps it current with the latest bug fixes.
Typically, several teams operate large enterprise IT environments. Such environments contain hundreds of systems requiring thousands of security patches and bug fixes. Automation can help reduce the time IT teams spend deploying patches, making sure those updates are applied consistently across systems.
[ Learn more about patch management and automation. ]
1. Stop applications during an update
2. Take a snapshot
Murphy's Law says, "Anything that can go wrong will go wrong." If it's possible to take a snapshot of a working system or configuration before applying a patch, then Ansible can help. There are modules like
ec2_snapshot, and many more to help you preserve a working state before you update.
3. Fetch a precount of errata
Knowing the number of errata applied to the system is useful. In contrast to patching Linux by pushing errata from the Satellite GUI, you can't see the errata count when you automate patching using Ansible. Instead, you can trigger a Red Hat Satellite API from Ansible with the
uri module to fetch a count of errata. You can store the count of bug fixes, enhancements, security fixes, and upgradable packages in variables using the
4. Register a host
reboot module can preserve a connection state to a managed host while the host reboots. It also supports options like
test_commands, and more.
6. Fetch a post-count of errata
Once the patches have been applied, you can use Satellite APIs to fetch a post-count of errata. Ideally, that count is zero!
7. Start an application
command module to start the services or applications you stopped before your updates.
8. Send mail
Ansible can automatically email a report to your team or users about the system updates.
As a best practice, you should set a variable, determined by
set_fact, to capture the system time before and after playbook execution. The difference between the start and finish times can help gauge the duration of patching and downtime requirements for updates.
The Ansible module for mail can also include information such as the system name, errata pre- and post-count, patching duration, and more. For best results, enable Ansible logging on your control node and configure a cron job schedule for periodic patching.
[ Take Ansible essentials: Simplicity in automation technical overview, a no-cost technical overview course from Red Hat. ]
Automate your operations and monitor your automation. You have the steps and the modules, so now it's time to do yourself a favor: Set it up, and then sit back and enjoy your coffee!
A good patch management plan always includes a good patch backout plan.
It's easier than you think to get started automating your tasks with Ansible. This gentle introduction gives you the basics you need to begin streamlining your administrative life.
In this second article, you'll explore the how-to of Ansible installation.