Checking Windows updates with Ansible

Good morning, everyone!!

Some time ago, in this post, we saw how to configure our Windows servers to be managed with Ansible.

Today I am going to share a playbook I have devised to easily check the status of Windows updates on our Windows servers.

In this example, I have added the servers I want to check to my inventory file:

[dc]
formacion-dc01
formacion-dc02

It is also important to add the credentials, as I explained in the previous post:

[root@ansible01 /etc/ansible]# cat inventory/group_vars/dc.yml
ansible_ssh_user: administrador
ansible_ssh_pass: my_pass
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Before running any playbook, it is a good idea to verify that connectivity with our servers is working:

[root@ansible01 /etc/ansible]# ansible -m win_ping -i inventory/servers dc

formacion-dc01 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
formacion-dc02 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@miquel-ansible01 /etc/ansible]#

And here is the playbook code:

---
##EXAMPLE:  ansible-playbook playbooks/win_update.yml -i inventory/servers -e "servers=dc install_updates=false"

##############################################################################
## Play 1   Search-only, return list of found updates (if any).
##############################################################################
- hosts: "{{ servers }}"
  tasks:
    - name: Search-only, return list of found updates (if any).
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        state: searched
      register: list_of_found_updates

    - debug:
        var: list_of_found_updates

##############################################################################
### Play 2   Send info with telegram
##############################################################################
- hosts: localhost
  connection: local
  tasks:
    - name: Send telegram notification
      telegram:
        token: 304017237:AAHpKXZBaw_wOF3H-ryhWl3F3wqIVP_Zqf8
        chat_id: 6343788
        msg: Host "{{ hostvars[item].inventory_hostname }}" >> "{{ hostvars[item].list_of_found_updates.found_update_count }}" updates found.
      with_items:
        -  "{{ groups[servers] }}"
      ignore_errors: yes


##############################################################################
#### Play 3    Install all security, critical, and rollup updates when install_updates is true
###############################################################################
- hosts: "{{ servers }}"
  tasks:
    - name: Install all security, critical, and rollup updates
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
        reboot: yes
      when:
          - install_updates == 'true'
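
The credentials file and the Telegram play shown above, as an added example (not the author's code) with the secrets moved into an Ansible Vault file and WinRM certificate validation switched on. The `vault_*` variable names, the `vault/secrets.yml` path and the CA bundle path are assumptions; `ansible_user`, `ansible_password` and `ansible_port` are the current names of the `ansible_ssh_*` variables used above.

```yaml
# Fragments of three files, separated by YAML document markers.
---
# vault/secrets.yml (assumed path). Create it already encrypted with:
#   ansible-vault create vault/secrets.yml
# Placeholder values, constructed for this example:
vault_dc_password: "REPLACE_WITH_WINRM_PASSWORD"
vault_telegram_token: "REPLACE_WITH_BOT_TOKEN"
vault_telegram_chat_id: "REPLACE_WITH_CHAT_ID"
---
# inventory/group_vars/dc.yml
ansible_user: administrador
ansible_password: "{{ vault_dc_password }}"   # no clear-text password on disk
ansible_port: 5986
ansible_connection: winrm
# Verify the HTTPS listener's certificate instead of ignoring it, so the
# password is only sent to a host that proves its identity. The inventory
# host names must match the names in each server's certificate.
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /etc/ansible/ca/internal-ca.pem   # assumed path to the issuing CA
---
# playbooks/win_update.yml, Play 2 with the token taken from the vault
- hosts: localhost
  connection: local
  tasks:
    - name: Send telegram notification
      telegram:
        token: "{{ vault_telegram_token }}"
        chat_id: "{{ vault_telegram_chat_id }}"
        msg: 'Host "{{ hostvars[item].inventory_hostname }}" >> "{{ hostvars[item].list_of_found_updates.found_update_count }}" updates found.'
      with_items:
        - "{{ groups[servers] }}"
      ignore_errors: yes
      no_log: true   # keep the token out of task output and logs

# Run it with the vault file loaded as extra vars:
#   ansible-playbook playbooks/win_update.yml -i inventory/servers \
#     -e @vault/secrets.yml --ask-vault-pass \
#     -e "servers=dc install_updates=false"
```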

Pay special attention to the variables passed when running the playbook. Setting the install_updates variable to true will cause the patches that were found to be installed.

The output will look something like this:

[root@ansible01 /etc/ansible]# ansible-playbook playbooks/win_update.yml -i inventory/servers -e  "servers=dc install_updates=false"

PLAY [dc] ***************************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************
ok: [formacion-dc01]
ok: [formacion-dc02]

TASK [Search-only, return list of found updates (if any).] **************************************************************************************************************************
ok: [formacion-dc01]
ok: [formacion-dc02]

TASK [debug] ************************************************************************************************************************************************************************
ok: [formacion-dc01] => {
    "list_of_found_updates": {
        "changed": false,
        "failed": false,
        "filtered_updates": {},
        "found_update_count": 0,
        "installed_update_count": 0,
        "reboot_required": false,
        "updates": {}
    }
}
ok: [formacion-dc02] => {
    "list_of_found_updates": {
        "changed": false,
        "failed": false,
        "filtered_updates": {},
        "found_update_count": 0,
        "installed_update_count": 0,
        "reboot_required": false,
        "updates": {}
    }
}

PLAY [localhost] ********************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************
ok: [localhost]

TASK [Send telegram notification] ***************************************************************************************************************************************************
changed: [localhost] => (item=formacion-dc01)
changed: [localhost] => (item=formacion-dc02)

PLAY [dc] ***************************************************************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************************************************
ok: [formacion-dc02]
ok: [formacion-dc01]

TASK [Install all security, critical, and rollup updates] ***************************************************************************************************************************
skipping: [formacion-dc01]
skipping: [formacion-dc02]

PLAY RECAP **************************************************************************************************************************************************************************
formacion-dc01             : ok=4    changed=0    unreachable=0    failed=0
formacion-dc02             : ok=4    changed=0    unreachable=0    failed=0
localhost                  : ok=2    changed=1    unreachable=0    failed=0

[root@ansible01 /etc/ansible]#

As you may have noticed in play 3, I have added a notifications part with Telegram, which would look as follows.

ansible-telegram

I hope you like it. Regards!

Miquel.
