linux_server_patching.yml

---
#### Ansible Playbook to perform Kernel Patching on RHEL/CentOS and Ubuntu/Debian Servers ####

- hosts: workers
  become: yes
  become_user: root
  serial: 3


  tasks:

    - name:  verify web/database processes are not running
      shell: if ps -eaf | egrep 'apache|http|mysql|postgresql|mariadb'|grep -v grep > /dev/null ;then echo 'process_running';else echo 'process_not_running';fi
      ignore_errors: true
      register: app_process_check

    # the play will fail/quit, if web/database processes is running on the server
    - name:  decision point to start patching
      fail: msg="{{ inventory_hostname }} have running Application. Please stop the application processes first, then attempt patching."
      when: app_process_check.stdout == "process_running"

    # this task will upgrade/install the kernel package if application is stopped on the server
    - name:  upgrade kernel package on RHEL/CentOS server
      yum:
       name="kernel"
       state=latest
      when: app_process_check.stdout == "process_not_running" and ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
      register: yum_update

    # this task will upgrade/install the kernel package if application is stopped on the Ubuntu server
    - name:  upgrade kernel package on Ubuntu server
      apt:
        update_cache: yes
        force_apt_get: yes
        cache_valid_time: 3600
        name: linux-image-generic
        state: latest
      when: app_process_check.stdout == "process_not_running" and ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
      register: apt_update

    # this task is to check if kernel update happend and CentOS/RedHat server needs to be rebooted or not
    - name: check if reboot required after kernel update on CentOS/RedHat servers
      shell: KERNEL_NEW=$(rpm -q --last kernel |head -1 | awk '{print $1}' | sed 's/kernel-//'); KERNEL_NOW=$(uname -r); if [[ $KERNEL_NEW != $KERNEL_NOW ]]; then echo "reboot_needed"; else echo "reboot_not_needed"; fi
      when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
      ignore_errors: true
      register: reboot_required


    # this task is to check if kernel update happend and Ubuntu/Debian server needs to be rebooted or not
    - name: Check if a reboot is required after kernel update on Ubuntu/Debian servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no
      when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'

    - name: Reboot CentOS/RedHat systems if kernel updated
      command: shutdown -r +1  "Rebooting CentOS/RedHat Servers After Kernel Patching"
      async: 0
      poll: 0
      when: reboot_required.stdout == "reboot_needed" and (ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux')
      register: reboot_started
      ignore_errors: true


    - name: Reboot Ubuntu/Debian Servers if kernel updated
      reboot:
        msg: "Rebooting Ubuntu/Debian Servers After Kernel Patching"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists and (ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian')
      register: reboot_started_ubuntu
      ignore_errors: true

    # this task is to wait for 3 minutues for server to come up after the reboot
    - name: pause for 180 secs
      pause:
        minutes: 3

    - name: check if all the systems responding to ssh
      local_action:
        module: wait_for
          host={{ (ansible_ssh_host|default(ansible_host))|default(inventory_hostname) }}
          port=22
          search_regex=OpenSSH
          delay=15
          timeout=300
          state=started