Ansible Playbook to upgrade Linux Servers (Debian, Ubuntu, RedHat, Fedora, CentOS)

Posted on February 13, 2024 by admin

This is an Ansible playbook that can upgrade all your Linux machines! Or at least most of them. No openSUSE support yet.

Copy the playbook below, and put all your servers into an inventory file and run with

ansible-playbook -i hosts.ini master_update.yaml --ask-vault-pass

Couple of notes.

This will do a full update automatically reboot your servers if needed.
There is a special section for RHEL, CentOS 7 servers. If a server is running say CentOS 7, it will default to using YUM instead of DNF.
You need sudo or become: yes to reboot and install upgrades.

Linux OS Upgrade Playbook

---
- name: Linux OS Upgrade
  hosts: all
  gather_facts: yes
  become: yes

  tasks:
    - name: Upgrade Debian and Ubuntu systems with apt
      block: 
        - name: dist-upgrade
          ansible.builtin.apt:
            upgrade: dist
            update_cache: yes 
          register: upgrade_result

        - name: Debain check if reboot is required
          shell: "[ -f /var/run/reboot-required ]"
          failed_when: False
          register: debian_reboot_required
          changed_when: debian_reboot_required.rc == 0
          notify:
            - Reboot server 

        - name: Debian remove unneeded dependencies
          ansible.builtin.apt:
            autoremove: yes
          register: autoremove_result 

        - name: Debian print errors if upgrade failed
          ansible.builtin.debug:
            msg: | 
              Upgrade Result: {{ upgrade_result }}
              Autoremove Result: {{ autoremove_result }}
      when: ansible_os_family == "Debian"
    
    - name: Upgrade RHEL systems with DNF
      block:
        - name: Get packages that can be upgraded with DNF
          ansible.builtin.dnf:
            list: upgrades
            state: latest
            update_cache: yes 
          register: reg_dnf_output_all

        - name: List packages that can be upgraded with DNF
          ansible.builtin.debug: 
            msg: "{{ reg_dnf_output_all.results | map(attribute='name') | list }}"

        - name: Upgrade packages with DNF
          become: yes
          ansible.builtin.dnf:
            name: '*'
            state: latest
            update_cache: yes
            update_only: no
          register: reg_upgrade_ok

        - name: Print DNF errors if upgrade failed
          ansible.builtin.debug:
            msg: "Packages upgrade failed"
          when: reg_upgrade_ok is not defined

        - name: Install dnf-utils
          become: yes
          ansible.builtin.dnf:
            name: 'dnf-utils'
            state: latest
            update_cache: yes
          when: reg_dnf_output_all is defined

      when: ansible_os_family == "RedHat" and not (ansible_distribution_major_version == "7")

    - name: Upgrade legacy RHEL systems with YUM
      block:
        - name: Get packages that can be upgraded with YUM
          ansible.builtin.yum:
            list: upgrades
            state: latest
            update_cache: yes 
          register: reg_yum_output_all
            

        - name: List packages that can be upgraded with YUM
          ansible.builtin.debug: 
            msg: "{{ reg_yum_output_all.results | map(attribute='name') | list }}"

        - name: Upgrade packages with YUM
          become: yes
          ansible.builtin.yum:
            name: '*'
            state: latest
            update_cache: yes
            update_only: no
          register: reg_yum_upgrade_ok

        - name: Print YUM errors if upgrade failed
          ansible.builtin.debug:
            msg: "Packages upgrade failed"
          when: reg_yum_upgrade_ok is not defined
            
        - name: Check legacy RHEL system if a reboot is required
          become: yes
          command: needs-restarting -r
          register: reg_reboot_required
          ignore_errors: yes
          failed_when: false
          changed_when: reg_reboot_required.rc != 0
          notify:
            - Reboot server 
      when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"


  handlers:
    - name : Reboot server
      ansible.builtin.reboot:
        msg: "Reboot initiated by Ansible after OS update"
        reboot_timeout: 3600
        test_command: uptime

Helpful links

https://github.com/simeononsecurity/ansible_linux_update/tree/main
https://simeononsecurity.com/guides/automate-linux-patching-and-updates-with-ansible/
https://thenathan.net/2020/07/16/yum-and-dnf-update-and-reboot-with-ansible/

More space needed on the /boot filesystem. RHEL / Fedora / Alma / Rocky

Posted on February 13, 2024 by admin

Error Summary
-------------
Disk Requirements:
   At least 28MB more space needed on the /boot filesystem.

The above error is due to the /boot partition being out of space. We can fix this issue by removing older unused Linux kernels. You could also increase the disk space, but that is a little more involved.

First we need to list which kernels we have installed.

rpm -qa | grep kernel

Example output

[incredigeek@apache ~]$ rpm -qa | grep kernel
kernel-core-4.18.0-522.el8.x86_64
kernel-tools-4.18.0-529.el8.x86_64
kernel-modules-4.18.0-526.el8.x86_64
kernel-4.18.0-526.el8.x86_64
kernel-modules-4.18.0-529.el8.x86_64
kernel-4.18.0-522.el8.x86_64
kernel-4.18.0-529.el8.x86_64
kernel-core-4.18.0-529.el8.x86_64
kernel-devel-4.18.0-522.el8.x86_64
kernel-core-4.18.0-526.el8.x86_64
kernel-devel-4.18.0-529.el8.x86_64
kernel-tools-libs-4.18.0-529.el8.x86_64
kernel-devel-4.18.0-526.el8.x86_64
kernel-headers-4.18.0-529.el8.x86_64
kernel-modules-4.18.0-522.el8.x86_64

The kernel in bold is the one we will remove.

Next we remove erase the old kernel(s)/items.

sudo rpm -e kernel-4.18.0-522.el8.x86_64 kernel-core-4.18.0-522.el8.x86_64 kernel-devel-4.18.0-522.el8.x86_64 kernel-modules-4.18.0-522.el8.x86_64

And now we continue with our update

sudo dnf update

Helpful links.

https://www.cyberciti.biz/faq/installing-kernel-2-6-32-131-2-1-el6-x86_64-needs-8mb-on-boot-filesystem/

Ansible Playbook for Updating Linux (Debian/Ubuntu)

Posted on February 8, 2024 by admin

Video on using Ansible to Update Linux

The three steps to update a machine with Ansible

Create Ansible Inventory/Hosts file
Create Playbook
Run Playbook

Create Inventory

The first thing we need to do is create an inventory file. This will contain a list of our servers along with the credentials.

touch hosts.txt

Now let’s encrypt the file with Ansible Vault.

ansible-vault encrypt hosts.txt

The file is now encrypted. To edit the file, we need to use `ansible-vault edit`.
If you want to, you can configure the hosts.txt file and then encrypt it when you are finished.

ansible-vault edit hosts.txt

Now add some hosts. In this example we add the local Kali machine, because why not. If you have Ubuntu servers, replace debian with ubuntu.

[debian]
kali ansible_host=127.0.0.1 ansible_ssh_user=kali ansible_ssh_port=22 ansible_ssh_password='kali pass' ansible_become_pass='kali sudo pass'

Add as many hosts as you need. For sake of simplicity, we are only adding one, and it is our localhost.

Create Playbook

Create a new playbook.

vi debian_update.yml

Put the following into the playbook. Edit as desired. Change hosts to match the above hosts in the inventory/hosts file.

---
- name: OS update
  hosts: debian
  gather_facts: yes
  become: yes

  tasks:
    - name: dist-upgrade
      ansible.builtin.apt:
        upgrade: dist
        update_cache: yes
      register: upgrade_result

    - name: Check if a reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
        get_checksum: no
      register: reboot_required_file

    - name: Reboot the server (if required).
      ansible.builtin.reboot:
      when: reboot_required_file.stat.exists
      register: reboot_result

    - name: Remove unneeded dependencies
      ansible.builtin.apt:
        autoremove: yes
      register: autoremove_result

    - name: Print errors if upgrade failed
      ansible.builtin.debug:
        msg: |
          Upgrade Result: {{ upgrade_result }}
          Reboot Result: {{ reboot_result }}
          Autoremove Result: {{ autoremove_result }}

A couple of notes

On the 3rd line it defines which group to run this playbook against. In this case debian.
This will check if a reboot is needed and reboot the machine. Reboots are usually needed when the kernel is updated
The 5th line contains `become: yes` this means that the playbook will use sudo. You can specify the sudo password in the hosts file `ansible_become_pass=sudopass` or with the -k or –ask-become options
The update and reboot are natively built into Ansible. Hence the ansible.builtin.

Run Playbook

Now that we have our inventory and playbook, we can upgrade our machines.

ansible-playbook debian_update.yml -i hosts.ini --ask-vault-password

Tip! If you have not specified a “ansible_ask_become” password (that is the sudo password), you can specify it with the -k or –ask-become options.

Run sudo Command over SSH. Single line.

Posted on February 6, 2024 by admin

When running an SSH command that uses sudo, something like

ssh admin@192.168.1.20 "sudo apt -y update && sudo apt -y upgrade"

You may receive the following error.

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

To work around this, you can use the -t option. -q is not needed, but makes thing quieter.

ssh -qt admin@192.168.1.20 "sudo apt -y update && sudo apt -y upgrade "

The sudo password will also be hidden.

https://unix.stackexchange.com/questions/134155/how-do-you-keep-the-password-hidden-when-invoked-during-the-su-command

https://stackoverflow.com/questions/233217/how-to-pass-the-password-to-su-sudo-ssh-without-overriding-the-tty

LibreNMS Error “.sock: rrd_fetch_r failed:”

Posted on February 5, 2024 by admin

The following error showed up after adding a new device to LibreNMS.

.sock:rrd_fetch_r failed:

It was not displaying any graph data, but the device was up and connected.

Looks like the error is SELinux related. You can fix the error by resetting the security context with the following command.

sudo restorecon -RFv /opt/librenms

If that does not work, try running all the following

Running the following commands will fix the issue most of the time:

sudo chown -R librenms:librenms '/opt/librenms'

sudo setfacl -d -m g::rwx /opt/librenms/bootstrap/cache /opt/librenms/storage /opt/librenms/logs /opt/librenms/rrd

sudo chmod -R ug=rwX /opt/librenms/bootstrap/cache /opt/librenms/storage /opt/librenms/logs /opt/librenms/rrd

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'

sudo semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'

sudo restorecon -RFv /opt/librenms

Install and Setup Tailscale on Ubuntu

Posted on February 3, 2024 by admin

Add the Tailscale package

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/lunar.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null

curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/lunar.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

Update and install Tailscale

sudo apt update && sudo apt upgrade
sudo apt install tailscale
sudo tailscale up

You’ll be given a link to visit to authenticate the device.

You can check the Tailscale IP address with

tailscale ip -4

https://tailscale.com/kb/1275/install-ubuntu-2304

Can’t log into NixOS after Install!

Posted on January 11, 2024 by admin

You thought everything went well with your NixOS install, you reboot, enter your username and password, and bam! Login incorrect.

Okay, try it again.

Hmm…

Let’s try root. Nope, same thing…

If you don’t enter the password in correctly for root at the end of an installation, there will not be a root password, hence you can not log in.

Best way to keep this from happening is to make sure the password is set up before rebooting.

If you are one of those unfortunate souls who entered the wrong root password and missed the warning at the end of the installation

Try the following.

nixos-enter --root '/mnt'

Note: If you already rebooted, boot up on the minimum USB drive, mount the root partition, then run the nixos-enter command.

mount /dev/disk/by-label/nixos /mnt
nixos-enter --root '/mnt'

passwd to set the root password. You can also set your user password with

passwd username

Change username to your username.

Reboot and login!

How To Install NixOS Minimum from USB drive

Posted on December 29, 2023 by admin

You can make the USB drive by downloading the image off of nixos.org and then use Etcher, dd, or your favorite iso to USB drive utility.

The minimum version of NixOS does not come with a GUI installer.

https://nixos.org/manual/nixos/stable/#ch-installation

The manual contains all the info needed. For a minimum install, there are a couple of steps that you need to perform, before you can install.

Format hard disk
Create config file
Install

Format Hard Disk

We’ll assume that /dev/sda is our target disk. This will overwrite the disk. Make sure you don’t need anything on it.

parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart root ext4 512MB -8GB
parted /dev/sda -- mkpart swap linux-swap -8GB 100%
parted /dev/sda -- mkpart ESP fat32 1MB 512MB
parted /dev/sda -- set 3 esp on

Format the partitions

mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mkfs.fat -F 32 -n boot /dev/sda3
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/sda2

Create a basic config file

nixos-generate-config --root /mnt

You can edit the config to make any changes you need. You may want to uncomment the user lines to setup a new user.

nano /mnt/etc/nixos/configuration.nix

Install NixOS

nixos-install

Last step is to setup the root and user password.

passwd

Reboot the machine once the password is set.

After you log in, set the user password.

passwd username

Simple method to Encrypt/Decrypt Zip files on Windows

Posted on December 28, 2023 by admin

Unfortunately, encrypting a file on Windows with a simple password is not super simple. While Windows does now support other compression formats (RAR, 7-Zip) it does not support encryption for them.

Currently, Windows natively supports the ZipCrypto algorithm. No AES. Note that the ZipCrypto algorithm is not considered secure, and shouldn’t be used for highly confidential data.

The following method, you will need 7-Zip to create the archive, but you won’t need it for decryption as Windows has built in support for ZipCrypto decryption.

To create the archive, you will need 7-Zip installed. Right click on your file/folder -> 7-Zip -> Add to Archive.

You should be presented with a similar window.

Change Archive format to zip
Enter the password
Ensure that the Encryption method is ZipCrypto
Hit OK to create the Archive.

You can now transfer the password protected archive to a new machine. You’ll be prompted for the password when you extract the archive.

How to Fix OpenVAS “ERROR: The default PostgreSQL version (14) is not 16 that is required libgvmd”

Posted on December 26, 2023 by admin

Currently OpenVAS needs PostgreSQL 16 on port 5432. If you have multiple versions of PostgreSQL, the lowest version will typically run on port 5432, and then they’ll increment from there. For example, if you have PostgreSQL 14, 15, and 16, 14 will run on port 5432, 15 on 5433, and 16 on 5434.

The quick fix is to edit the PostgreSQL config files, change the port numbers, restart PostgreSQL, and rerun gvm-setup.

vi /etc/postgresql/16/main/postgresql.conf

Change port number from 5434 to 5432

You will need to remove/disable/change the port for PostgreSQL 14

sudo apt remove postgresql-14

sudo systemctl restart postgresql@16-main.service

We can verify that PostgreSQL is running with netstat.

netstat -tulpn

We can see that the ports 5432 (PostgreSQL 16) and 5433 (PostgreSQL 15) are both running.

Rerun gvm-setup

sudo gvm-setup