patch-glibc-CVE-2015-0235.yml

---
 - hosts: all
   gather_facts: false
   sudo: true
   vars:
      glibc_search: "lsof -n |grep -v init | grep -v udevd | grep -v getty | grep -v 'upstart-' | grep -v 'xe-daemon' | grep 'DEL.*libc-'" 
      glibc_packages: ["libc-bin", "libc-dev-bin", "libc6", "libc6-dev"]
      affected_services:
        - nginx
        - apache2
        - postgresql
        - php5-fpm
        - openvpn
        - uwsgi
        - postfix
        - monit
        - zabbix-server
        - icinga 
        - nagios3 
        - unbound
        - pgpool2
        - varnish
        - ntp
        - nagios-nrpe-server
        - memcached
        - xfs
        - cron
        - rsyslog
        - dbus
        - ssh
        - atd
        - xe-linux-distribution
        - nova-agent
        - mcollective
        - tomcat6
        - tomcat7
        - opendkim
        - driveclient
        - logstash-forwarder
   tasks:
     - name: ensure glibc is the latest version
       with_items: glibc_packages
       apt: pkg={{item}} state=latest update_cache=yes
       register: packages_updated

     - name: discover services that need to be restarted
       shell: "{{ glibc_search }}"
       register: service_restart_check
       failed_when: service_restart_check.stdout.find('unrecognized') != -1 and service_restart_check.rc != 0
       #changed_when: service_restart_check.stdout.find('unrecognized') == -1 or service_restart_check.rc == 0
       changed_when: service_restart_check.rc == 0
       always_run: yes

     - name: find the current status of a service
       always_run: yes
       with_items: affected_services
       shell: "service {{ item }} status | grep -i running"
       register: services_status
       when: service_restart_check.rc == 0 or packages_updated.changed
       ignore_errors: true
       notify: restart running service

     - name: ensure no more service need to be restarted
       shell: "{{ glibc_search }}"
       register: result
       failed_when: result.rc == 0
       changed_when: result.rc != 1
       always_run: yes

   handlers:
     - name: restart running service
       with_items: services_status.results
       service: name={{item.item}} state=restarted
       #when: (service_restart_check.rc == 0 or packages_updated.changed ) and item.rc == 0
       when: item.rc == 0