If you intend to use Ansible to patch the server, you may want an external variable that decides whether the run only lists the pending updates or actually patches the OS. The playbook consists of three parts.
Option 1: Ansible command used if just checking

```
$ ansible-playbook security.yml --extra-vars "ext_permit_flag=no"
```
Part 1a: Get the list of packages from DNF to be upgraded, only when the external permit flag is "no"

```yaml
- name: Get the list of Packages from DNF to be upgraded (ext_permit_flag == "no")
  dnf:
    security: yes
    bugfix: false
    state: latest
    update_cache: yes
    list: updates
    exclude: 'kernel*'
  register: register_output_security
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
    - ext_permit_flag == "no"
```
Part 1b: Report the list of packages from DNF to be upgraded, only when the external permit flag is "no"

```yaml
- name: Report the List of Packages from DNF to be upgraded (ext_permit_flag == "no")
  debug:
    msg: "{{ register_output_security.results | map(attribute='name') | list }}"
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
    - ext_permit_flag == "no"
```
Option 2: Ansible command used when ready for patching

```
$ ansible-playbook security.yml --extra-vars "ext_permit_flag=yes"
```
Part 2: Patch all the packages except the kernel

```yaml
- name: Patch all the packages except Kernel
  dnf:
    name: '*'
    security: yes
    bugfix: false
    state: latest
    update_cache: yes
    update_only: no
    exclude: 'kernel*'
  register: register_update_success
  # Let the play continue on failure so the next task can report it
  ignore_errors: yes
  when:
    - ansible_os_family == "RedHat"
    - ansible_distribution_major_version == "8"
    - ext_permit_flag == "yes"

- name: Print Errors if upgrade failed
  debug:
    msg: "Patch Update Failed: {{ register_update_success.msg | default('no details') }}"
  # The registered variable is defined once the task has run (even when skipped),
  # so test the result for failure rather than for definedness
  when: register_update_success is failed
```
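The three parts assembled into one play, as an added example that is not the original post's `security.yml`: it validates the permit flag up front (a misspelled value would otherwise silently skip both branches) and uses a block/rescue so a failed upgrade is reported per host. The inventory group `rhel8` and the `ansible_failed_result` usage are assumptions.

```yaml
---
# Added example; assumes an inventory group "rhel8" and the same ext_permit_flag var
- name: Security patching gated by an external permit flag
  hosts: rhel8
  become: true

  pre_tasks:
    - name: Refuse to run with a missing or misspelled permit flag
      ansible.builtin.assert:
        that:
          - ext_permit_flag is defined
          - ext_permit_flag | string | lower in ['yes', 'no']
        fail_msg: "Pass --extra-vars 'ext_permit_flag=yes' or 'ext_permit_flag=no'"

  tasks:
    - name: List pending security updates (ext_permit_flag == "no")
      ansible.builtin.dnf:
        list: updates
        security: true
        update_cache: true
      register: pending
      when: ext_permit_flag | lower == "no"

    - name: Report pending updates (ext_permit_flag == "no")
      ansible.builtin.debug:
        msg: "{{ pending.results | map(attribute='name') | list }}"
      when: ext_permit_flag | lower == "no"

    - name: Apply security updates, excluding the kernel (ext_permit_flag == "yes")
      block:
        - name: Patch all the packages except Kernel
          ansible.builtin.dnf:
            name: '*'
            security: true
            state: latest
            update_cache: true
            exclude: 'kernel*'
          register: patch_result
      rescue:
        # ansible_failed_result holds the failed task's result inside rescue
        - name: Report the failure and stop processing this host
          ansible.builtin.fail:
            msg: "Patch Update Failed: {{ ansible_failed_result.msg | default('unknown error') }}"
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == "8"
        - ext_permit_flag | lower == "yes"
```

Run it with the same two commands shown above; a value other than yes/no now stops the play at the assert instead of doing nothing.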
Reference: