Automated O&M: a one-click ansible playbook for updating bash on a large number of hosts


Today, we found a bash vulnerability, but I have nearly 1000 servers. To make this easier and save time, I am using ansible to install the bash update package. Below I share my installation method.

1. Playbook content used for the installation

    19:00:03 # cd /etc/ansible
    [email protected]:/etc/ansible
    19:00:06 # cat update_bash.yml
    ---
    - hosts: "{{ host }}"
      remote_user: "{{ user }}"
      gather_facts: True
      tasks:
      - name: update bash in redhat 6 version
        yum: name=http://mirrors.hustunique.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.1.x86_64.rpm state=present
        when: ansible_os_family == "RedHat" and ansible_distribution_version|int >=6
      - name: update bash in redhat 5 version
        yum: name=http://mirrors.hustunique.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm state=present
        when: ansible_os_family == "RedHat" and ansible_distribution_version|int <=5

The playbook determines the system version automatically and installs the matching package. We originally wanted to pull the update from the yum update source, but we found that it was still being updated, so we had to install the package file ourselves.

2. Test the system before installation (CentOS 6)

For the test, a docker container is used.

    16:32:46 # ssh 172.17.0.9
    The authenticity of host '172.17.0.9 (172.17.0.9)' can't be established.
    RSA key fingerprint is 39:7c:13:9f:d4:b0:d7:63:fc:ff:ae:e3:46:a4:bf:6b.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.17.0.9' (RSA) to the list of known hosts.
    [email protected]'s password:
    Last login: Thu Sep 25 16:31:32 2014 from 172.17.42.1
    [email protected]:~
    16:35:04 #  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

The word "vulnerable" is printed, so we can see that this bash has the vulnerability.

3. Use ansible playbook to upgrade bash

    16:35:08 # time ansible-playbook update_bash.yml  --extra-vars "host=172.17.0.9 user=root" -k
    SSH password:

    PLAY [172.17.0.9] *************************************************************

    GATHERING FACTS ***************************************************************
    ok: [172.17.0.9]

    TASK: [update bash in redhat 6 version] ***************************************
    changed: [172.17.0.9]

    TASK: [update bash in redhat 5 version] ***************************************
    skipping: [172.17.0.9]

    PLAY RECAP ********************************************************************
    172.17.0.9                 : ok=2    changed=1    unreachable=0    failed=0

    real    0m35.901s
    user    0m0.952s
    sys     0m0.216s

4. Check for vulnerabilities

    [email protected]:/etc/ansible
    16:36:01 # ssh 172.17.0.9
    [email protected]'s password:
    Last login: Thu Sep 25 16:35:57 2014 from 172.17.42.1
    [email protected]:~
    16:36:11 #  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    [email protected]:~

We can see that the vulnerability has been fixed.
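The manual check from steps 2 and 4, wrapped as a script so it can be run on every host instead of logging in to each one. This is an added example, not part of the original post; the function names bash_probe_status and bash_probe_scan are chosen here. It accepts several paths because the RPM update only replaces the packaged bash, not any other copy installed on the host.

```shell
#!/bin/sh
# Added example: classify bash binaries with the same probe used in steps 2 and 4.
# bash_probe_status / bash_probe_scan are names invented for this example.

# Prints "vulnerable", "patched" or "error" for one binary.
# Return status: 0 = patched, 1 = vulnerable, 2 = could not be tested.
bash_probe_status() {
    bash_bin="${1:-/bin/bash}"
    if [ ! -x "$bash_bin" ]; then
        echo "error"
        return 2
    fi
    # The marker word is printed only if the shell executes the text that
    # trails the function definition stored in the environment variable x.
    # stderr is dropped because a patched bash may print import warnings there.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c "echo this is a test" 2>/dev/null) || true
    case "$out" in
        *vulnerable*)       echo "vulnerable"; return 1 ;;
        *"this is a test"*) echo "patched";    return 0 ;;
        *)                  echo "error";      return 2 ;;
    esac
}

# Checks every path given and prints "<path> <status>" per line.
# Returns 1 if any binary is still vulnerable, so the caller can fail the host.
bash_probe_scan() {
    rc=0
    for candidate in "$@"; do
        result=$(bash_probe_status "$candidate") || true
        echo "$candidate $result"
        if [ "$result" = "vulnerable" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# When called with arguments, scan them and exit with the scan result.
if [ "$#" -gt 0 ]; then
    bash_probe_scan "$@"
    exit $?
fi
```

Saved under a name such as check_bash.sh (hypothetical), it is run as `sh check_bash.sh /bin/bash /usr/local/bin/bash`; the exit status is 1 if any listed binary still prints the marker.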

[Screenshot of the completed run: 5.jpg]

If there are a large number of hosts, add -f at run time and select a suitable number of concurrent hosts. I used this here, and bash was upgraded quickly.

We hope this will help you update bash in batches.


This article is from the "Yin-Technical Exchange" blog, please be sure to keep this source http://dl528888.blog.51cto.com/2382721/1558227
