Ansible playbook to upgrade Ubuntu/Debian servers and reboot if needed

January 26, 2022

I realized I've never posted this playbook to my blog... I needed to grab it for a project I'm working on, so I figured I'd post it here for future reference.

Basically, I need a playbook I can run whenever, that will ensure all packages are upgraded, then checks if a reboot is required, and if so, reboots the server. Afterwards, it removes any dependencies no longer required.

---
- hosts: all
  gather_facts: yes
  become: yes

  tasks:
    - name: Perform a dist-upgrade.
      ansible.builtin.apt:
        upgrade: dist
        update_cache: yes

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true

    - name: Remove dependencies that are no longer required.
      ansible.builtin.apt:
        autoremove: yes

Further reading

ansible
upgrade
apt
ubuntu
debian
reboot
playbook

Comments

This might reboot Ubuntu servers where not applicable (those running Canonical Livepatch service) and misses needed reboots on UCS servers (Univention Corporate Server – groupware server based on Debian and most probably not known outside of Europe/Germany).

That's why I ended up writing an own check whether Ubuntu/Debian servers really need a reboot or not :)

https://github.com/ThomasKaiser/Check_MK/blob/master/mrpe/check-for-reb…

Do you have any good solutions for notifying the admin that a reboot is needed instead of blindly rebooting?

I have some servers that is a bit more reboot sensitive but I have not found a good solution.

Yeah that could work.

I already use Telegram-bots for Nagios notifications and found the community.general.telegram module for Ansible.
So I just added a task that sends me a Telegram message when a server should be rebooted.

What about the /etc/apt/sources.list file? Shouldn't that be updated to reflect the new debian/ubuntu version?

imo, this has to be added. at least i built a more complex role for this. consider checking the debian wiki [0] also, i am sending notifications using plain old email using `community.general.mail` [1]

[0]: https: wiki.debian.org/DebianUpgrade
[1]: https: docs.ansible.com/ansible/latest/collections/community/general/mail_module.html

*edit:* can't paste links...