Heartbeat / Heartbleed SSL Ansible check and correct play for Ubuntu
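---
# Patches the openssl (Heartbleed) problem on Ubuntu hosts: upgrades the
# affected packages, restarts the services known to link libssl, then verifies
# that the fixed build is installed and that no process still maps the old,
# deleted library.
- name: Apply common configuration to all nodes
  hosts: all
  # Package installs and service restarts need root.
  # (On Ansible >= 1.9 the equivalent key is `become: true`.)
  sudo: true
  # Uncomment to apply the update one server at a time.
  # serial: 1
  tasks:
    - name: "Install packages and update cache"
      # debian-goodies provides `checkrestart`, used by the last check below.
      apt:
        pkg: "{{ item }}"
        state: latest
        update_cache: true
      with_items:
        - libssl1.0.0
        - openssl
        - debian-goodies

    - name: "Restart Services known to be affected"
      # The whole list is restarted unconditionally; a service that is not
      # installed on a host fails here, which ignore_errors tolerates — so a
      # failed restart of a present service is also hidden. The final check
      # task is what catches services still using the old library.
      # NOTE(review): on Ubuntu the Apache service is usually "apache2" — confirm.
      service:
        name: "{{ item }}"
        state: restarted
      with_items:
        - ssh
        - nginx
        - whoopsie
        - snmpd
        - ntp
        - supervisor
        - postfix
        - apache
        - shibd
      ignore_errors: true

    - name: "Check that we are safe"
      # Pins the build date of the fixed Ubuntu openssl package: exits 1 and
      # prints the actual "built on" line when it differs. The expected string
      # must be updated whenever openssl is rebuilt, or this fails spuriously.
      shell: >
        if [ "$(openssl version -a | grep built)" != "built on: Mon Apr 7 20:33:29 UTC 2014" ]; then echo "Bad build date"; echo "$(openssl version -a | grep built)"; exit 1; fi
      # Read-only verification: never report it as a change.
      changed_when: false
      tags: check

    - name: "Check that we don't have affected processes running"
      # Any process still mapping a deleted libssl (lsof "DEL" entries) was
      # not restarted; list the culprits with checkrestart and fail.
      shell: >
        if [ "$(sudo lsof -n | grep ssl | grep DEL | wc -l)" != "0" ]; then echo "We still have affected processes"; checkrestart; exit 1; fi
      # Read-only verification: never report it as a change.
      changed_when: false
      tags: check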
You might want to restart those services through a handler. No point in bouncing all of them if no new packages got installed.