Skip to main content

How to automate Linux patching with Ansible

Use automation to reduce the time IT teams spend deploying patches and apply updates consistently across systems.
Person typing code on laptop

Photo by Lukas from Pexels

Patch management is an integral part of the IT system lifecycle and vulnerability management. Applying updates to a system keeps it current with the latest bug fixes.

Typically, several teams operate large enterprise IT environments. Such environments contain hundreds of systems requiring thousands of security patches and bug fixes. Automation can help reduce the time IT teams spend deploying patches, making sure those updates are applied consistently across systems.

[ Learn more about patch management and automation. ]

Here are my eight favorite things that Ansible can do when patching Red Hat Enterprise Linux (RHEL) systems using Red Hat Satellite.

1. Stop applications during an update

Patching often updates packages that are actively in use by a running application. Use the service or command module to stop a service or application before patching.

2. Take a snapshot

Murphy's Law says, "Anything that can go wrong will go wrong." If it's possible to take a snapshot of a working system or configuration before applying a patch, then Ansible can help. There are modules like ovirt_snapshot, gcp_compute_snapshot, ec2_snapshot, and many more to help you preserve a working state before you update.

3. Fetch a precount of errata

Knowing the number of errata applied to the system is useful. In contrast to patching Linux by pushing errata from the Satellite GUI, you can't see the errata count when you automate patching using Ansible. Instead, you can trigger a Red Hat Satellite API from Ansible with the uri module to fetch a count of errata. You can store the count of bug fixes, enhancements, security fixes, and upgradable packages in variables using the set_fact module.

4. Register a host

You can use redhat_subscription and dnf modules to register a managed host to a Satellite server, enable repositories, set release versions, and perform updates.

5. Reboot

The Ansible reboot module can preserve a connection state to a managed host while the host reboots. It also supports options like reboot_timeout, pre_reboot_delay, msg, test_commands, and more.

6. Fetch a post-count of errata

Once the patches have been applied, you can use Satellite APIs to fetch a post-count of errata. Ideally, that count is zero!

7. Start an application

Use the service or command module to start the services or applications you stopped before your updates.

8. Send mail

Ansible can automatically email a report to your team or users about the system updates.

As a best practice, you should set a variable, determined by set_fact, to capture the system time before and after playbook execution. The difference between the start and finish times can help gauge the duration of patching and downtime requirements for updates.

The Ansible module for mail can also include information such as the system name, errata pre- and post-count, patching duration, and more. For best results, enable Ansible logging on your control node and configure a cron job schedule for periodic patching.

[ Take Ansible essentials: Simplicity in automation technical overview, a no-cost technical overview course from Red Hat. ]

Wrap up

Automate your operations and monitor your automation. You have the steps and the modules, so now it's time to do yourself a favor: Set it up, and then sit back and enjoy your coffee!

Author’s photo

Pratheek Prabhakaran

Pratheek is a Sysadmin at a Fortune 500 company in India where he specializes in IT automation with Ansible. He has experience in SAP Basis, RHEL Satellite, AWS Cloud, and VMware Administration. An avid reader, cricketer, and artist. More about me

Try Red Hat Enterprise Linux

Download it at no charge from the Red Hat Developer program.