How to Automate Ubuntu and RHEL Server Updates via Ansible

You are currently viewing How to Automate Ubuntu and RHEL Server Updates via Ansible

How to Automate Ubuntu and RHEL Server Updates via Ansible

Image by: Maarten Ceulemans

The patch management crisis in hybrid environments

Did you know that 60% of data breaches stem from unpatched vulnerabilities? For DevOps teams managing a hybrid fleet of Linux servers across distributions like RHEL, Ubuntu, and SUSE, inconsistent patch cycles create critical security gaps. Manual patching becomes unsustainable at scale—imagine coordinating updates across hundreds of servers with different package managers while maintaining uptime SLAs. This tutorial solves that chaos by implementing Infrastructure as Code (IaC) for unified patch management. You’ll learn to automate security updates across diverse environments using Ansible, creating a reproducible, auditable process that eliminates configuration drift. By the end, you’ll transform fragmented maintenance into a streamlined workflow that handles everything from emergency CVEs to scheduled kernel updates.

Building a unified inventory with dynamic grouping

Traditional static inventories crumble in hybrid environments where servers constantly scale. The solution? A dynamic inventory that auto-discovers nodes and groups them by OS, environment, or patch window. Start by integrating your cloud providers (AWS, Azure) and on-prem systems using plugins like aws_ec2 or vmware_vm_inventory. Tag instances with labels like prod-ubuntu-lts or dev-centos-stream to enable intelligent grouping.

Example inventory structure:

  • Group: apt_servers – Auto-populates Ubuntu/Debian hosts
  • Group: yum_servers – Captures RHEL/CentOS/AlmaLinux
  • Group: patch_window_offpeak – Servers requiring 2am UTC updates

Use ansible.builtin.group_by to create dynamic child groups based on facts:

– name: Create OS family groups
ansible.builtin.group_by:
key: “os_{{ ansible_facts[‘os_family’] }}”

This approach scales across environments—whether you’re managing 50 or 5,000 servers. For hybrid clouds, combine Terraform provisioning with Ansible inventories using shared state files.

Crafting multi-distro playbooks: Yum, Apt, and Zypper

Writing universal playbooks requires conditional logic that adapts to each system’s package manager. Leverage Ansible facts like ansible_pkg_mgr to create a single playbook that handles apt, yum/dnf, and zypper seamlessly.

Key strategies:

  1. Use package module abstraction for install/update operations
  2. Employ when conditions for distro-specific tasks
  3. Set granular update policies with update_cache and upgrade parameters

Critical patch comparison across distros:

Distro Security repo command Kernel update impact Reboot required
Ubuntu apt-get –only-upgrade install Low (livepatch available) Sometimes
RHEL yum update-minimal –security High Always
openSUSE zypper patch –with-security Medium Usually

Sample multi-distro task:

– name: Apply security updates
package:
name: “*”
state: latest
update_cache: yes
register: patch_result

– name: Reboot if kernel updated
reboot:
when: “‘kernel’ in patch_result.changes”

Reference package manager fundamentals for edge-case handling.

Zero-downtime patching: Rolling updates and maintenance windows

Unplanned downtime during patching costs enterprises an average of $5,600 per minute. Prevent this with strategic execution controls:

  • Rolling updates: Update 10% of nodes per batch using serial keyword
  • Load balancer integration: Drain connections with F5 or HAProxy modules
  • Maintenance windows: Schedule with cron or AWX using time-based conditionals

Implementing phased updates:

– name: Patch web servers in batches
hosts: webservers
serial: “20%”
tasks:
– include_tasks: security-update.yml
– meta: clear_host_errors

Combine with pipeline gates to pause if monitoring detects abnormal CPU/memory patterns post-update. For stateful apps, use pod anti-affinity rules to maintain quorum.

Automating compliance reporting with IaC

Auditors demand proof of patch compliance—manual spreadsheets won’t scale. Generate automated reports using Ansible callbacks and ansible-doc:

  1. Capture update status with register and callback plugins
  2. Export to JSON/CSV using jq or pandas for processing
  3. Integrate with SIEM tools like Splunk or Elasticsearch

Critical compliance fields to track:

  • Hostname and IP address
  • OS version and kernel release
  • Patched CVE list with severity scores
  • Reboot status and maintenance window

Sample audit command:

ansible all -m script -a “security-audit.sh” –result-file audit_$(date +%F).json

Visualize trends with Red Hat Insights dashboards.

Advanced strategies: Canary deployments and rollback workflows

When patching business-critical systems, implement progressive rollout techniques:

Canary deployments:

  1. Patch 1-2 non-production nodes first
  2. Monitor for 24 hours using Prometheus metrics
  3. Automate rollback with dnf history undo or apt-mark hold if errors occur

Immutable rollbacks:
Maintain pre-patch AMIs/Golden Images. If patching fails, trigger Terraform to replace instances:

– name: Rollback via instance replacement
community.aws.ec2_instance:
instance_id: “{{ failed_host }}”
state: absent

– name: Launch patched AMI
terraform:
project_path: “/patch-baselines”

For complex apps, use Kubernetes daemonsets to limit blast radius.

Frequently asked questions

How do I handle air-gapped environments in hybrid fleets?

Use satellite servers or local package mirrors synced via rsync. Configure playbooks with local_repo_path variables that switch to internal repos when ansible_default_ipv4.gateway is unreachable.

Can this work with Windows servers in a hybrid fleet?

Yes, but requires separate playbooks using win_updates module. Group Windows hosts dynamically using ansible_os_family and coordinate reboot cycles via win_reboot.

What’s the biggest pitfall in automated patch management?

Untested dependency chains. Always test in staging using --check mode and package version pinning. Over 40% of failures stem from incompatible library updates.

How often should we run patching playbooks?

Critical CVEs: Within 72 hours. Standard updates: Bi-weekly for dev, monthly for prod. Use ansible-pull with cron for disconnected nodes.

Conclusion

Managing a hybrid fleet of Linux servers doesn’t require sacrificing security for stability. By implementing Infrastructure as Code for patch management, you gain a unified workflow that handles everything from RHEL security errata to Ubuntu livepatches. Start by building a dynamic inventory, then develop multi-distro playbooks with conditional logic, and finally enforce compliance with automated reporting. Remember: the goal isn’t just patching—it’s creating a self-healing infrastructure where updates happen consistently without human intervention. Ready to transform your operations? Download our Ansible patch templates to implement these techniques in your environment today.