Commit
This change enables kpatch-patch support, allowing in-place kernel patching for security and bug fixes, provided a `kpatch-patch-KERNEL_VERSION` package exists. For more information about kpatch: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/applying-patches-with-kernel-live-patching_managing-monitoring-and-updating-the-kernel

This PR also corrects a potential issue related to the exclude list applied to the package update: if a user were to pass the `edpm_update_exclude_packages` parameter, the subsequent override wouldn't be applied, meaning the `openvswitch` package wouldn't be excluded in the end. Using an "internal var" such as `_exclude_packages` in order to inject our own content in addition to whatever the user may pass ensures everything is working as expected.

Fixes: https://issues.redhat.com/browse/OSPRH-11274
Showing 7 changed files with 145 additions and 4 deletions.
@@ -0,0 +1,56 @@ | ||
--- | ||
# Copyright 2024 Red Hat, Inc. | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
|
||
- name: Converge | ||
hosts: all | ||
tasks: | ||
- name: "Call edpm_update role" | ||
ansible.builtin.include_role: | ||
name: osp.edpm.edpm_update | ||
vars: | ||
edpm_update_enable_containers_update: false | ||
edpm_service_types: [] | ||
edpm_update_enable_kpatch: true | ||
|
||
# We have to run the verifications in this play to | ||
# ensure we have access to the internally changed | ||
# facts. | ||
- name: Conduct some verifications | ||
block: | ||
- name: Ensure kernel related packages are excluded | ||
ansible.builtin.assert: | ||
that: | ||
- _exclude_packages is defined | ||
- "'kernel' in _exclude_packages" | ||
- "'kernel-core' in _exclude_packages" | ||
|
||
- name: Gather all installed packages | ||
ansible.builtin.package_facts: | ||
|
||
- name: Check service status if we have kpatch-patch installed | ||
when: | ||
- ansible_facts.packages["kpatch-patch"] is defined | ||
block: | ||
- name: Gather services | ||
ansible.builtin.service_facts: | ||
|
||
- name: Ensure kpatch.service is running | ||
ansible.builtin.assert: | ||
that: | ||
- ansible_facts.services['kpatch.service'] is defined | ||
- ansible_facts.services['kpatch.service'].state == 'running' | ||
- ansible_facts.services['kpatch.service'].status == 'enabled' |
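Review bot: the assertions in the "Ensure kernel related packages are excluded" task only prove that `kernel` and `kernel-core` land in `_exclude_packages`; they never exercise the override bug the commit message describes, where a user-supplied `edpm_update_exclude_packages` was being dropped. Passing a value such as `edpm_update_exclude_packages: ['foo']` in the `vars:` of the role call and asserting `"'foo' in _exclude_packages"` next to the kernel checks would turn this scenario into a regression test for the fix. Separately, the `when:` guard `ansible_facts.packages["kpatch-patch"] is defined` keys on the literal package name, while the commit message describes the package as `kpatch-patch-KERNEL_VERSION`; `package_facts` indexes by installed package name, so if the real name carries the version the whole service-status block is silently skipped and `kpatch.service` is never verified. Selecting with a pattern (for example `ansible_facts.packages | select('match', '^kpatch-patch') | list | length > 0`) would make the guard match the package actually installed.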
@@ -0,0 +1,27 @@ | ||
--- | ||
dependency: | ||
name: galaxy | ||
options: | ||
role-file: collections.yml | ||
driver: | ||
name: delegated | ||
options: | ||
managed: false | ||
ansible_connection_options: | ||
ansible_connection: local | ||
platforms: | ||
- name: edpm-0.localdomain | ||
groups: | ||
- compute | ||
provisioner: | ||
log: true | ||
name: ansible | ||
|
||
scenario: | ||
test_sequence: | ||
- prepare | ||
- converge | ||
- cleanup | ||
- destroy | ||
verifier: | ||
name: ansible |
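Review bot: `test_sequence` runs prepare, converge, cleanup and destroy but no `verify` step, yet a `verifier: name: ansible` section is declared; the converge play carries its own assertions, so either drop the unused verifier block or add a comment here pointing at converge so the next reader does not write a verify.yml that never runs. Also worth a comment: `driver: delegated` with `managed: false` and `ansible_connection: local` means the `become: true` package installs in this scenario run on the machine executing molecule, not on a disposable instance, which matters for anyone running this scenario on a workstation.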
@@ -0,0 +1,18 @@ | ||
--- | ||
# Copyright 2024 Red Hat, Inc. | ||
# All Rights Reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); you may | ||
# not use this file except in compliance with the License. You may obtain | ||
# a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
# License for the specific language governing permissions and limitations | ||
# under the License. | ||
|
||
- name: Run prepare playbook | ||
ansible.builtin.import_playbook: ../default/prepare.yml |
@@ -0,0 +1,29 @@ | ||
--- | ||
- name: Ensure we know about kernel version | ||
when: | ||
- ansible_facts['kernel'] is undefined | ||
ansible.builtin.setup: | ||
gather_subset: | ||
- '!all,!min' | ||
- 'kernel' | ||
|
||
- name: Ensure kpatch package is installed | ||
become: true | ||
ansible.builtin.package: | ||
name: kpatch | ||
state: present | ||
|
||
- name: Install kpatch-patch if available # noqa: package-latest | ||
failed_when: false | ||
become: true | ||
ansible.builtin.package: | ||
name: "kpatch-patch = {{ ansible_facts['kernel'] }}" | ||
state: latest | ||
|
||
- name: Ensure further update stages will not update kernel | ||
vars: | ||
_kernel: | ||
- kernel | ||
- kernel-core | ||
ansible.builtin.set_fact: | ||
_exclude_packages: "{{ edpm_update_exclude_packages + _kernel }}" |
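Review bot: `failed_when: false` on the "Install kpatch-patch if available" task swallows every failure, not only the expected package-not-found case, so a broken repository, a GPG signature error or a transaction failure would go unnoticed while the task reports ok. Registering the result (`register: _kpatch_patch_install`) and either surfacing it with `ansible.builtin.debug` or narrowing `failed_when` to the package-not-found message keeps the intended leniency without hiding real errors. In the last task, `{{ edpm_update_exclude_packages + _kernel }}` assumes the user variable is always a list; if the role defaults do not define it, `edpm_update_exclude_packages | default([])` here would avoid an undefined-variable failure when this task file is included on its own. Finally, a short comment noting that `kpatch-patch = <uname -r>` is a provides string rather than a package name (hence the `gather_subset: kernel` task above it) would help reviewers who expect `name:` to hold a literal package.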