Red Hat Ansible playbook does not fix the CVE
I am running an Ansible playbook generated by Red Hat Insights, but edited for the local workstation on which I run it; however, the CVE remains unresolved on the subsequent Insights check. The automatic reboot is skipped. I am trying to understand whether the playbook works correctly. Running as root:
# check-update exits 0 when no applicable updates exist, 100 when updates are
# available, and any other value on error; the tasks below key off that code.
- name: update vulnerable packages
  hosts: localhost
  connection: local
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2018-12126"
      check_mode: no
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100
      args:
        warn: true
    - when: check_out.rc == 100
      name: upgrade package
      shell: "{{ ansible_facts['pkg_mgr'] }} upgrade -v -y --cve CVE-2018-12126"
      args:
        warn: true
    - when: check_out.rc == 100
      name: set reboot fact
      set_fact:
        insights_needs_reboot: True

# Reboots a system if any of the preceding plays sets the 'insights_needs_reboot' variable to true.
# The variable can be overridden to suppress this behavior.
- name: Reboot system (if applicable)
  hosts: localhost
  connection: local
  become: True
  gather_facts: False
  tasks:
    - when:
        - insights_needs_reboot is defined
        - insights_needs_reboot
      block:
        - name: Reboot system
          shell: sleep 2 && shutdown -r now "Ansible triggered reboot"
          async: 1
          poll: 0
          ignore_errors: false
        - name: Wait for system to boot up
          local_action:
            module: wait_for
            host: "{{ hostvars[inventory_hostname]['ansible_host'] | default(hostvars[inventory_hostname]['ansible_ssh_host'], true) | default(inventory_hostname, true) }}"
            port: "{{ hostvars[inventory_hostname]['ansible_port'] | default(hostvars[inventory_hostname]['ansible_ssh_port'], true) | default('22', true) }}"
            delay: 15
            search_regex: OpenSSH
            timeout: 300
          become: false

- name: run insights
  hosts: localhost
  connection: local
  become: True
  gather_facts: False
  tasks:
    - name: run insights
      command: insights-client
      changed_when: false
Output:
PLAY [update vulnerable packages] **********************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [check for update] ********************************************************
[WARNING]: Consider using the dnf module rather than running 'dnf'. If you
need to use command because dnf is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of
this message.
changed: [localhost]
TASK [upgrade package] *********************************************************
skipping: [localhost]
TASK [set reboot fact] *********************************************************
skipping: [localhost]
PLAY [Reboot system (if applicable)] *******************************************
TASK [Reboot system] ***********************************************************
skipping: [localhost]
TASK [Wait for system to boot up] **********************************************
skipping: [localhost]
PLAY [run insights] ************************************************************
TASK [run insights] ************************************************************
ok: [localhost]
PLAY RECAP *********************************************************************
localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=4 rescued=0 ignored=0
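The recap above shows "check for update" returning something other than 100 (the upgrade and reboot tasks are skipped), so the playbook is behaving as written and the open question is why check-update found nothing for the CVE. The script below is an added example, not part of the original question or of the Insights-generated playbook: it reproduces the same exit-code decision outside Ansible and, when the answer is "none", runs two diagnostics that narrow down the cause. The CVE id and the check-update/upgrade commands come from the playbook; the function names and the `--live` switch are my own, and the assumption that `dnf updateinfo info --cve` prints nothing when no enabled repository advertises the CVE is mine as well.

```shell
#!/bin/sh
# Added example (not the original poster's code). Mirrors the playbook's
# check-update -> upgrade decision and adds diagnostics for the "skipped" case.
CVE="${CVE:-CVE-2018-12126}"   # from the playbook; override with CVE=... ./script --live
PKG_MGR="${PKG_MGR:-dnf}"      # playbook uses ansible_facts['pkg_mgr']

# Same convention the playbook encodes in failed_when / when:
#   0   -> no applicable updates (upgrade task is skipped, as in the recap)
#   100 -> updates available     (upgrade task runs)
#   *   -> error                 (task is marked failed)
classify_check_update() {
    case "$1" in
        0)   echo "none" ;;
        100) echo "available" ;;
        *)   echo "error" ;;
    esac
}

# Run the real check-update for one CVE and classify its exit status.
# The `|| rc=$?` form keeps the status readable under `set -e`.
check_cve_updates() {
    rc=0
    "$PKG_MGR" check-update -q --cve "$1" >/dev/null 2>&1 || rc=$?
    classify_check_update "$rc"
}

# Diagnostic 1: does updateinfo metadata of the enabled repositories know the
# CVE at all? If not, `--cve` can never match and check-update returns 0
# regardless of what is installed. (Assumption: no output means no match.)
cve_known_to_updateinfo() {
    [ -n "$("$PKG_MGR" updateinfo info --cve "$1" 2>/dev/null)" ]
}

# Diagnostic 2: list installed packages whose RPM changelog names the CVE,
# i.e. packages that may already carry the fix even though Insights still
# flags the host (for example because a reboot has not happened yet).
installed_packages_mentioning_cve() {
    for pkg in $(rpm -qa); do
        if rpm -q --changelog "$pkg" 2>/dev/null | grep -q "$1"; then
            echo "$pkg"
        fi
    done
}

# Live run only on explicit request, so sourcing the file has no side effects.
if [ "${1:-}" = "--live" ]; then
    status=$(check_cve_updates "$CVE")
    echo "check-update for $CVE: $status"
    case "$status" in
        available)
            echo "-> playbook would run: $PKG_MGR upgrade -v -y --cve $CVE" ;;
        none)
            echo "-> playbook skips the upgrade, as in the PLAY RECAP shown"
            if cve_known_to_updateinfo "$CVE"; then
                echo "   updateinfo knows $CVE; installed packages naming it:"
                installed_packages_mentioning_cve "$CVE"
            else
                echo "   no enabled repository advertises $CVE in updateinfo"
            fi ;;
        error)
            echo "-> check-update failed; the playbook task would hit failed_when" ;;
    esac
fi
```

Run it as root with `sh script.sh --live` on the same workstation; without `--live` it only defines the functions. If the live run prints "none" together with "no enabled repository advertises", the playbook's `--cve` filter has nothing to match against and the host needs the repository that ships the advisory; if it prints "none" but lists packages naming the CVE, the fix is already installed and the remaining gap is whatever Insights still sees (typically a pending reboot, which this playbook only triggers when an upgrade actually ran).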