Blog by Constantin Herold

Spaaace: No Ads, No Trackers, No AI, just DevOps

APT Upgrade Handling using Ansible

January 20, 2025 | Categories: Ansible, Debian, IaC, Sysadmin | Tags: ansible, apt, apt upgrade, full-upgrade, IaC
Read time 2 minutes

I’ve been managing my cluster with IaC tools for quite a while now. With K8S I try to stick to an immutable approach and replace whole VMs or containers, but there are still edge cases where an in-place upgrade is necessary, e.g. hypervisors, gateways, etc.

That’s where my APT-Upgrade playbook comes into play.

  1. Load an SSH key into SSH-agent if it is not loaded yet
    • This key is used to authenticate against all servers
    • It will pop up a dialog box and ask for the key's passphrase
  2. Update APT cache of all hosts
  3. List Updates for each host
  4. Ask for confirmation whether you want to proceed with a full-upgrade
  5. Install upgrades on each host one after the other
    • Will also clean the cache and auto remove unnecessary packages
  6. Check all hosts whether a reboot is required and list them
    • Reboot is still a manual process that you can then plan for

Playbook

---
# ansible-playbook --inventory inventory/production full-upgrade.yaml

# Play 1: runs on the control node only and makes sure the SSH key used to
# reach the hosts is loaded into ssh-agent (prompts for the passphrase once).
- hosts: localhost
  gather_facts: no
  tasks:
    # vars/production.yaml is expected to define SSH_KEY (path to the private key)
    - include_vars: "vars/production.yaml"
      when: ansible_inventory_sources is search("production")

    # ssh-add -l prints fingerprints and key comments, so this match relies on
    # the key's comment being its path (what ssh-add uses for keys without an
    # embedded comment); adjust the pattern if your key carries another comment
    - name: check if ssh key is already loaded
      shell: ssh-add -l | grep -F "{{ SSH_KEY }}"
      args:
        executable: /bin/bash
      register: ssh_key_check
      failed_when: false      # a non-zero exit only means "not loaded"
      changed_when: false

    - name: load ssh key to ssh-agent if not already loaded
      shell: ssh-add "{{ SSH_KEY }}"
      args:
        executable: /bin/bash
      when: ssh_key_check.rc != 0

# Play 2: runs against every inventory host. apt needs root, so privilege
# escalation (become) is assumed to be configured in the inventory.
- hosts: all
  gather_facts: no

  vars:
    upgrade_confirmation: ""

  tasks:
    - name: update apt registry cache
      apt:
        force_apt_get: yes
        upgrade: no
        update_cache: yes

    - name: retrieve package upgrade list
      shell: apt list -u
      changed_when: false
      register: apt_upgrade_list

    # apt list -u always prints a "Listing..." line first, so more than one
    # line of output means there is something to upgrade
    - name: display available package upgrades
      debug:
        msg: "{{ apt_upgrade_list.stdout_lines }}"
      when: apt_upgrade_list.stdout_lines | length > 1

    # run_once: the question is asked a single time and the answer is
    # registered for all hosts
    - name: prompt for upgrade confirmation
      pause:
        prompt: "Do you want to run full-upgrade for all hosts ? (yes/no)"
      run_once: true
      register: upgrade_confirmation

    # throttle: 1 upgrades the hosts one after the other
    - name: running apt full-upgrade
      throttle: 1
      apt:
        force_apt_get: yes
        upgrade: full
        update_cache: no
        autoremove: yes
        autoclean: yes
      register: upgrade_result
      when: upgrade_confirmation.user_input | lower in ['yes', 'y']

    - name: display package upgrade result
      debug:
        msg: "{{ upgrade_result.stdout_lines }}"
      when: upgrade_result is not skipped and
            upgrade_result.stdout_lines | length > 0

    # marker file that package post-install hooks create when a reboot is needed
    - name: check if reboot is required
      stat:
        path: /var/run/reboot-required
      register: reboot_required

    # changed_when makes the task show as "changed" so it stands out in the recap
    - name: display hosts that require reboot
      debug:
        msg: "reboot required on {{ inventory_hostname }}"
      changed_when: reboot_required.stat.exists
      when: reboot_required.stat.exists
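The raw `apt list -u` lines registered above are only ever printed as-is. Here is an added filter plugin (my own example, not part of the post or the downloadable playbook) that parses those lines into records and flags upgrades coming from a `-security` suite; it assumes apt's `name/suite1,suite2 newver arch [upgradable from: oldver]` line format and a `filter_plugins/` directory next to the playbook, and the package names and versions in the embedded sample are constructed.

```python
import re

# Assumed `apt list -u` line format: name/suite1,suite2 newver arch [upgradable from: oldver]
APT_LINE = re.compile(r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
                      r"(?:\s+\[upgradable from:\s*(?P<old>[^\]]+)\])?")

# Constructed sample of a registered stdout_lines list (package versions are made up)
SAMPLE_APT_LIST = [
    "Listing... Done",
    "openssl/bookworm-security 3.0.0-1~deb12u2 amd64 [upgradable from: 3.0.0-1~deb12u1]",
    "curl/bookworm,bookworm-security 7.88.0-1+deb12u3 amd64 [upgradable from: 7.88.0-1+deb12u2]",
    "vim/bookworm 2:9.0.0-2 amd64 [upgradable from: 2:9.0.0-1]",
]

def parse_apt_list(lines):
    """Turn raw `apt list -u` lines into dicts; the 'Listing...' banner and blanks are skipped."""
    records = []
    for line in lines:
        m = APT_LINE.match(line.strip())
        if not m:
            continue
        suites = m.group("suites").split(",")
        records.append({
            "name": m.group("name"), "suites": suites, "arch": m.group("arch"),
            "old": m.group("old"), "new": m.group("new"),
            # Debian and Ubuntu publish security fixes from a <suite>-security pocket
            "security": any(s.endswith("-security") for s in suites),
        })
    return records

def security_upgrades(lines):
    """Names of pending upgrades that come from a security suite."""
    return [r["name"] for r in parse_apt_list(lines) if r["security"]]

def upgrade_summary(lines):
    """One line per package, e.g. for a debug task: 'curl: old -> new [security]'."""
    return ["{name}: {old} -> {new}{tag}".format(tag=" [security]" if r["security"] else "", **r)
            for r in parse_apt_list(lines)]

class FilterModule(object):
    """Registers the helpers as Jinja2 filters usable in playbooks."""
    def filters(self):
        return {"apt_upgrades": parse_apt_list,
                "apt_security_upgrades": security_upgrades,
                "apt_upgrade_summary": upgrade_summary}
```

With the file in place, the debug task can show `{{ apt_upgrade_list.stdout_lines | apt_upgrade_summary }}` instead of the raw lines, and `{{ apt_upgrade_list.stdout_lines | apt_security_upgrades | length }}` can gate a stricter prompt when security fixes are pending.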

Download

Make sure to adjust inventory/production and vars/production.yaml to your needs.

ansible-apt-full-upgrade-playbook (download)
