Automating updates with Ansible + Icinga

Meta Icinga Tutorials and Guides
,
1

Author: @KevinHonka

Revision: v0.1

Checks

I have a custom check for APT that lists all available updates.
You can find it in this gist

the output looks something like this:
check_output

Ansible

next I want you to show the ansible Playbook, that manages the updates.
This Version is not equipped with a mechanism to deal with ignored packages.

  - name: get Update ACK status
    uri:
      url: "https://icinga.example.de:5665/v1/objects/services?service={{ ansible_fqdn }}!APT&attrs=acknowledgement"
      user: root
      password: xXrandomPWXx
      validate_certs: False
      headers:
        Accept: "application/json"
      return_content: yes
    register: icinga_return

  - set_fact: icinga_ack="{{ icinga_return.content | from_json }}"

  - name: "APT: Updating installed packages"
    apt:
      update_cache: yes
      upgrade: dist
    when: icinga_ack['results'][0]['attrs']['acknowledgement'] == 1.0

  - name: "APT: removing unused packages"
    shell: apt -y autoremove && apt autoclean
    when: icinga_ack['results'][0]['attrs']['acknowledgement'] == 1.0

Warning: This playbook has only been tested on Ubuntu 16.04. Earlier version might not work correctly.

the playbook queries the icinga2 API directly to get the needed information on the Acknowledged checks and then proceeds to update all hosts that have an acknowledge on their checks.

it is also very important to set validate_certs: False as the urllib3 which Ansible uses will not accept self-signed certificates by default.

an additional step could be to trigger the checks to update after the updates are done. A newer version of this playbook does that, but is still in testing, due to some other functionalities.

Execution

the last part is about executing the playbook.

We have an AWX server running, which executes the playbook every hour, to run the updates.

but you could also run a cronjob that looks like this:
0 * * * * ansible-playbook -b -i hosts update.yml --limit 'all'

or even create an eventcommand in icinga2 which triggers the playbook to be run for on exact host.

Feedback

let me know what you think about this kind of interaction between icinga2 and ansible.

EDIT: Added note about os versions that are supported.