1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2019-2020, Andrew Klaus <andrewklaus@gmail.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = r'''
---
module: syspatch
short_description: Manage OpenBSD system patches
description:
- "Manage OpenBSD system patches using syspatch."
extends_documentation_fragment:
- community.general.attributes
attributes:
check_mode:
support: full
diff_mode:
support: none
options:
revert:
description:
- Revert system patches.
type: str
choices: [ all, one ]
author:
- Andrew Klaus (@precurse)
'''
EXAMPLES = '''
- name: Apply all available system patches
community.general.syspatch:
- name: Revert last patch
community.general.syspatch:
revert: one
- name: Revert all patches
community.general.syspatch:
revert: all
# NOTE: You can reboot automatically if a patch requires it:
- name: Apply all patches and store result
community.general.syspatch:
register: syspatch
- name: Reboot if patch requires it
ansible.builtin.reboot:
when: syspatch.reboot_needed
'''
RETURN = r'''
rc:
description: The command return code (0 means success)
returned: always
type: int
stdout:
description: syspatch standard output.
returned: always
type: str
sample: "001_rip6cksum"
stderr:
description: syspatch standard error.
returned: always
type: str
sample: "syspatch: need root privileges"
reboot_needed:
description: Whether or not a reboot is required after an update.
returned: always
type: bool
sample: true
'''
from ansible.module_utils.basic import AnsibleModule
def run_module():
# define available arguments/parameters a user can pass to the module
module_args = dict(
revert=dict(type='str', choices=['all', 'one'])
)
module = AnsibleModule(
argument_spec=module_args,
supports_check_mode=True,
)
result = syspatch_run(module)
module.exit_json(**result)
def syspatch_run(module):
cmd = module.get_bin_path('syspatch', True)
changed = False
reboot_needed = False
warnings = []
# Set safe defaults for run_flag and check_flag
run_flag = ['-c']
check_flag = ['-c']
if module.params['revert']:
check_flag = ['-l']
if module.params['revert'] == 'all':
run_flag = ['-R']
else:
run_flag = ['-r']
else:
check_flag = ['-c']
run_flag = []
# Run check command
rc, out, err = module.run_command([cmd] + check_flag)
if rc != 0:
module.fail_json(msg="Command %s failed rc=%d, out=%s, err=%s" % (cmd, rc, out, err))
if len(out) > 0:
# Changes pending
change_pending = True
else:
# No changes pending
change_pending = False
if module.check_mode:
changed = change_pending
elif change_pending:
rc, out, err = module.run_command([cmd] + run_flag)
# Workaround syspatch ln bug:
# http://openbsd-archive.7691.n7.nabble.com/Warning-applying-latest-syspatch-td354250.html
if rc != 0 and err != 'ln: /usr/X11R6/bin/X: No such file or directory\n':
module.fail_json(msg="Command %s failed rc=%d, out=%s, err=%s" % (cmd, rc, out, err))
elif out.lower().find('create unique kernel') >= 0:
# Kernel update applied
reboot_needed = True
elif out.lower().find('syspatch updated itself') >= 0:
warnings.append('Syspatch was updated. Please run syspatch again.')
# If no stdout, then warn user
if len(out) == 0:
warnings.append('syspatch had suggested changes, but stdout was empty.')
changed = True
else:
changed = False
return dict(
changed=changed,
reboot_needed=reboot_needed,
rc=rc,
stderr=err,
stdout=out,
warnings=warnings
)
def main():
run_module()
if __name__ == '__main__':
main()
|