Author: @KevinHonka
Revision: v0.1
Checks
I have a custom check for APT that lists all available updates.
You can find it in this gist.
The output looks something like this:
Ansible
Next I want to show you the Ansible playbook that manages the updates.
This version is not equipped with a mechanism to deal with ignored packages.
- name: get Update ACK status
  uri:
    url: "https://icinga.example.de:5665/v1/objects/services?service={{ ansible_fqdn }}!APT&attrs=acknowledgement"
    user: root
    password: xXrandomPWXx
    validate_certs: False
    headers:
      Accept: "application/json"
    return_content: yes
  register: icinga_return

- set_fact: icinga_ack="{{ icinga_return.content | from_json }}"

- name: "APT: Updating installed packages"
  apt:
    update_cache: yes
    upgrade: dist
  when: icinga_ack['results'][0]['attrs']['acknowledgement'] == 1.0

- name: "APT: removing unused packages"
  shell: apt -y autoremove && apt autoclean
  when: icinga_ack['results'][0]['attrs']['acknowledgement'] == 1.0
Warning: This playbook has only been tested on Ubuntu 16.04. Earlier versions might not work correctly.
The playbook queries the Icinga 2 API directly to get the acknowledgement status of the APT check and then proceeds to update all hosts that have an acknowledgement on that check.
It is also very important to set validate_certs: False, as the urllib3 which Ansible uses will not accept self-signed certificates by default.
An additional step could be to trigger the checks to update after the updates are done. A newer version of this playbook does that, but is still in testing, due to some other functionalities.
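The same gate with certificate validation left on and no credentials in the playbook, as an added example that is not part of the author's playbook. It also goes beyond the original condition: an empty result list (no such service) counts as "not acknowledged" instead of failing on results[0], and a sticky acknowledgement (2) is accepted as well as a normal one (1). Assumptions: the variables icinga_api_user, icinga_api_password and icinga_ca_file are hypothetical names, the first two stored in Ansible Vault, and ca_path needs a uri module that supports it (ansible-core 2.11 or later).

```yaml
# Added example, not the author's playbook.
# Assumed (hypothetical) variables:
#   icinga_api_user / icinga_api_password  - API credentials kept in Ansible Vault
#   icinga_ca_file                         - path to the Icinga 2 CA certificate
#                                            on the host that runs the task
- name: get Update ACK status
  uri:
    url: "https://icinga.example.de:5665/v1/objects/services?service={{ ansible_fqdn }}!APT&attrs=acknowledgement"
    user: "{{ icinga_api_user }}"
    password: "{{ icinga_api_password }}"
    force_basic_auth: yes
    validate_certs: yes
    # Trust only the Icinga 2 CA for this request instead of disabling validation
    ca_path: "{{ icinga_ca_file }}"
    headers:
      Accept: "application/json"
    return_content: yes
  register: icinga_return

- name: decide whether the APT check is acknowledged
  set_fact:
    # The length test runs first, so results[0] is never touched on an empty list.
    # acknowledgement: 0 = none, 1 = normal, 2 = sticky
    apt_update_acked: >-
      {{ (icinga_return.json.results | default([]) | length > 0)
         and (icinga_return.json.results[0].attrs.acknowledgement | int in [1, 2]) }}

- name: "APT: Updating installed packages"
  apt:
    update_cache: yes
    upgrade: dist
  when: apt_update_acked | bool

- name: "APT: removing unused packages"
  shell: apt -y autoremove && apt autoclean
  when: apt_update_acked | bool
```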
Execution
The last part is about executing the playbook.
We have an AWX server running, which executes the playbook every hour, to run the updates.
But you could also run a cron job that looks like this:
0 * * * * ansible-playbook -b -i hosts update.yml --limit 'all'
Or even create an EventCommand in Icinga 2 which triggers the playbook to be run for one exact host.
Feedback
Let me know what you think about this kind of interaction between Icinga 2 and Ansible.
EDIT: Added note about os versions that are supported.