apt

Ansible playbook to upgrade Ubuntu/Debian servers and reboot if needed

I realized I've never posted this playbook to my blog... I needed to grab it for a project I'm working on, so I figured I'd post it here for future reference.

Basically, I need a playbook I can run whenever, that will ensure all packages are upgraded, then checks if a reboot is required, and if so, reboots the server. Afterwards, it removes any dependencies no longer required.

---
- hosts: all
  gather_facts: yes
  become: yes

  tasks:
    - name: Perform a dist-upgrade.
      ansible.builtin.apt:
        upgrade: dist
        update_cache: yes

    - name: Check if a reboot is required.
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_md5: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists == true

    - name: Remove dependencies that are no longer required.
      ansible.builtin.apt:
        autoremove: yes

Microsoft repo and key are automatically added to Raspberry Pis

A couple weeks ago, I noticed when running apt-get upgrade on one of my Pi projects that a new repository was added.

VSCode Repository added to Raspberry Pi OS automatically during apt upgrade

It was a little odd, because Linux distributions don't typically 'inject' new repositories like this. And it was even stranger because this particular repository was for VSCode, from Microsoft.

The Raspberry Pi Foundation just posted an article to their blog about Visual Studio Code coming to the Raspberry Pi—but that post didn't address any of the controversy surrounding this change.

There's also a video that goes along with this post: Is Microsoft Spying on your Raspberry Pi?

What Happened

In late 2020, Microsoft released a version of VSCode compatible with the Raspberry Pi.

Updating all your servers with Ansible

From time to time, there's a security patch or other update that's critical to apply ASAP to all your servers. If you use Ansible to automate infrastructure work, then updates are painless—even across dozens, hundreds, or thousands of instances! I've written about this a little bit in the past, in relation to protecting against the shellshock vulnerability, but that was specific to one package.

I have an inventory script that pulls together all the servers I manage for personal projects (including the server running this website), and organizes them by OS, so I can run commands like ansible [os] command. Then that enables me to run commands like: