Posted to commits@airavata.apache.org by ma...@apache.org on 2021/04/16 18:02:10 UTC

[airavata] branch develop updated: Ansible: setup yum-cron to automatically install security updates

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/airavata.git


The following commit(s) were added to refs/heads/develop by this push:
     new a933b5b  Ansible: setup yum-cron to automatically install security updates
     new 5d99d5c  Merge branch 'yum-cron-security' into develop
a933b5b is described below

commit a933b5b9481b99bf85f1aec5f4bd6a7307a097e4
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Fri Apr 16 14:01:29 2021 -0400

    Ansible: setup yum-cron to automatically install security updates
---
 .../roles/env_setup/tasks/files/yum-cron.conf      | 81 ++++++++++++++++++++++
 dev-tools/ansible/roles/env_setup/tasks/main.yml   | 22 ++++++
 2 files changed, 103 insertions(+)

diff --git a/dev-tools/ansible/roles/env_setup/tasks/files/yum-cron.conf b/dev-tools/ansible/roles/env_setup/tasks/files/yum-cron.conf
new file mode 100644
index 0000000..1f9ed25
--- /dev/null
+++ b/dev-tools/ansible/roles/env_setup/tasks/files/yum-cron.conf
@@ -0,0 +1,81 @@
+[commands]
+#  What kind of update to use:
+# default                            = yum upgrade
+# security                           = yum --security upgrade
+# security-severity:Critical         = yum --sec-severity=Critical upgrade
+# minimal                            = yum --bugfix update-minimal
+# minimal-security                   = yum --security update-minimal
+# minimal-security-severity:Critical =  --sec-severity=Critical update-minimal
+update_cmd = security
+
+# Whether a message should be emitted when updates are available,
+# were downloaded, or applied.
+update_messages = yes
+
+# Whether updates should be downloaded when they are available.
+download_updates = yes
+
+# Whether updates should be applied when they are available.  Note
+# that download_updates must also be yes for the update to be applied.
+apply_updates = yes
+
+# Maximum amout of time to randomly sleep, in minutes.  The program
+# will sleep for a random amount of time between 0 and random_sleep
+# minutes before running.  This is useful for e.g. staggering the
+# times that multiple systems will access update servers.  If
+# random_sleep is 0 or negative, the program will run immediately.
+# 6*60 = 360
+random_sleep = 360
+
+
+[emitters]
+# Name to use for this system in messages that are emitted.  If
+# system_name is None, the hostname will be used.
+system_name = None
+
+# How to send messages.  Valid options are stdio and email.  If
+# emit_via includes stdio, messages will be sent to stdout; this is useful
+# to have cron send the messages.  If emit_via includes email, this
+# program will send email itself according to the configured options.
+# If emit_via is None or left blank, no messages will be sent.
+emit_via = stdio
+
+# The width, in characters, that messages that are emitted should be
+# formatted to.
+output_width = 80
+
+
+[email]
+# The address to send email messages from.
+# NOTE: 'localhost' will be replaced with the value of system_name.
+email_from = root@localhost
+
+# List of addresses to send messages to.
+email_to = root
+
+# Name of the host to connect to to send email messages.
+email_host = localhost
+
+
+[groups]
+# NOTE: This only works when group_command != objects, which is now the default
+# List of groups to update
+group_list = None
+
+# The types of group packages to install
+group_package_types = mandatory, default
+
+[base]
+# This section overrides yum.conf
+
+# Use this to filter Yum core messages
+# -4: critical
+# -3: critical+errors
+# -2: critical+errors+warnings (default)
+debuglevel = -2
+
+# skip_broken = True
+mdpolicy = group:main
+
+# Uncomment to auto-import new gpg keys (dangerous)
+# assumeyes = True
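Review bot: `update_cmd = security` only selects packages that the repository's updateinfo (errata) metadata marks as security fixes, so on hosts whose repos publish no such metadata (stock CentOS repos are the usual case) this setting would silently apply nothing. The role gates on `ansible_os_family == "RedHat"`, which also matches CentOS, so it is worth confirming the target distribution or using `update_cmd = default` there. I would add a comment above the setting, e.g. `# security relies on repo updateinfo metadata; verify with "yum updateinfo list security" on the target hosts`. Separately, `emit_via = stdio` leaves reporting to cron's local mail to root, so failed or empty runs are easy to miss unless that mailbox is forwarded or monitored.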
diff --git a/dev-tools/ansible/roles/env_setup/tasks/main.yml b/dev-tools/ansible/roles/env_setup/tasks/main.yml
index bcd5327..a7ae890 100644
--- a/dev-tools/ansible/roles/env_setup/tasks/main.yml
+++ b/dev-tools/ansible/roles/env_setup/tasks/main.yml
@@ -83,4 +83,26 @@
   become: yes
   become_user: root
   when: ansible_os_family == "RedHat"
+
+# Automatic security updates installation
+
+- name: Install yum-cron, yum-utils (RedHat)
+  yum: name={{ item }} state=latest update_cache=yes
+  become: yes
+  when: ansible_os_family == "RedHat"
+  with_items:
+    - yum-cron
+    - yum-utils
+
+- name: Copy yum-cron.conf config file
+  copy:
+    src: yum-cron.conf
+    dest: /etc/yum/yum-cron.conf
+  become: yes
+  when: ansible_os_family == "RedHat"
+
+- name: Enable and start yum-cron
+  service: name=yum-cron state=started enabled=yes daemon_reload=yes
+  become: yes
+  when: ansible_os_family == "RedHat"
 ...
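Review bot: The `Copy yum-cron.conf config file` task sets no ownership or mode, so the file that decides what root installs unattended ends up with whatever the existing file or the umask gives it; pin it with `owner: root`, `group: root` and `mode: "0644"` under `copy:`. Nothing in the visible tasks restarts services or schedules a reboot after updates are applied, so patched libraries and kernels are presumably not in effect until someone does that by hand; `yum-utils` is installed here but no task shown uses it (its `needs-restarting` tool would be the natural check). A smaller style point: `yum` accepts a list in `name`, which avoids the `with_items` loop.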