运维自动化之ansible playbook一键化解决大量主机bash更新问题

linre

今天发现有bash漏洞，但我这里近1000台服务器，为了方便、省时间，觉得使用ansible安装bash更新包，下面分享一下我的安装方法。
1、安装的playbook的内容

1 2 3 4 5 6 7 8 9 10 11 12 13 14

19:00:03 # cd /etc/ansible root@ip-10-10-10-10:/etc/ansible 19:00:06 # cat update_bash.yml --- - hosts: "{{ host }}"   remote_user: "{{ user }}"   gather_facts: True   tasks:   - name: update bash in redhat 6 version     yum: name=http://mirrors.hustunique.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm state=present     when: ansible_os_family == "RedHat" and ansible_distribution_version|int >=6   - name: update bash in redhat 5 version     yum: name=http://mirrors.hustunique.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.2.x86_64.rpm state=present     when: ansible_os_family == "RedHat" and ansible_distribution_version|int <=5

会自动判断系统版本，然后安装不同的包，本来想弄好yum的update源，但发现还在更新，觉得麻烦就还自己安装文件了。
2、安装前测试系统（centos 6系统）
为了测试需要，使用docker虚拟个容器

1 2 3 4 5 6 7 8 9 10 11

16:32:46 # ssh 172.17.0.9 The authenticity of host '172.17.0.9 (172.17.0.9)' can't be established. RSA key fingerprint is 39:7c:13:9f:d4:b0:d7:63:fc:ff:ae:e3:46:a4:bf:6b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.17.0.9' (RSA) to the list of known hosts. root@172.17.0.9's password: Last login: Thu Sep 25 16:31:32 2014 from 172.17.42.1 root@86fb0b4bbb0b:~ 16:35:04 #  env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test

可以看到是有bash漏洞的
3、使用ansible playbook升级bash

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

16:35:08 # time ansible-playbook update_bash.yml  --extra-vars "host=172.17.0.9 user=root" -k SSH password: PLAY [172.17.0.9] ************************************************************* GATHERING FACTS *************************************************************** ok: [172.17.0.9] TASK: [update bash in redhat 6 version] *************************************** changed: [172.17.0.9] TASK: [update bash in redhat 5 version] *************************************** skipping: [172.17.0.9] PLAY RECAP ******************************************************************** 172.17.0.9                 : ok=2    changed=1    unreachable=0    failed=0    real    0m35.901s user    0m0.952s sys 0m0.216s

4、查看是否有漏洞

1 2 3 4 5 6 7 8 9 10

root@ip-10-10-10-10:/etc/ansible 16:36:01 # ssh 172.17.0.9 root@172.17.0.9's password: Last login: Thu Sep 25 16:35:57 2014 from 172.17.42.1 root@86fb0b4bbb0b:~ 16:36:11 #  env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash: warning: x: ignoring function definition attempt bash: error importing function definition for `x' this is a test root@86fb0b4bbb0b:~

可以看到漏洞已经解决了。

完成的截图为

如果有大量主机，就在运行的时候加上-f然后选择一个合适的并发主机数量即可，我这里使用了这个，很快的就升级完成bash了。
希望对大家批量更新bash有益。