@jjneely
Last active August 29, 2015 13:58
Ansible Playbook for dealing with Heartbleed
---
# Much lifted from https://gist.github.com/carsongee/10137729
# Make our target groups
- hosts: all
  sudo: true            # Ansible 1.9+ spells this `become: true`
  tasks:
    # Grouping is usually done by role/function rather than OS type
    # but this is easily generated. ansible_lsb is only populated when
    # lsb_release is installed on the target, so the group_by will be
    # empty on hosts without it.
    - name: Build groups based on OS type
      group_by: key={{ ansible_lsb.codename }}

# Push the updates: Heartbleed affects Ubuntu 12.04, 12.10, 13.10
- hosts: "precise:quantal:saucy"
  sudo: true
  # no need to gather facts a second time
  gather_facts: false
  serial: 1             # one host at a time; `serial` takes an integer, not a bool
  tasks:
    - name: "Install packages and update cache"
      apt: pkg="{{ item }}" state=latest update_cache=yes
      with_items:
        - libssl1.0.0
        - openssl
        - debian-goodies   # provides checkrestart, used in the last check

    - name: "Restart Services known to be affected"
      # Not everyone has cond_restart, or is a SysV script, only restart
      # if we are running in the first place.
      shell: >
        service {{ item }} status && service {{ item }} restart
      with_items:
        - ssh
        - whoopsie
        - ntp
        - postfix
        - nagios-nrpe-server
        - openvpn
        - chef-client
      ignore_errors: yes

    - name: "Check that we are safe"
      # Ubuntu's fixed openssl packages (USN-2165-1) report this build
      # timestamp. `date` pads a single-digit day with two spaces
      # ("Apr  7"), so match on a pattern instead of comparing the
      # exact string, which fails depending on how the date was copied.
      shell: >
        if ! openssl version -a | grep -Eq '^built on: Mon Apr +7 20:33:29 UTC 2014$';
        then echo "Bad build date"; openssl version -a | grep built; exit 1; fi
      changed_when: false
      tags: check

    - name: "Check that we don't have affected processes running"
      # lsof reports a mapped file that has been deleted on disk (the old
      # libssl the upgrade replaced) with FD "DEL"; any such mapping means
      # a process is still running the vulnerable code. The play already
      # runs under sudo, so no inner sudo is needed.
      shell: >
        if [ "$(lsof -n | grep ssl | grep DEL | wc -l)" != "0" ];
        then echo "We still have affected processes"; checkrestart; exit 1; fi
      changed_when: false
      tags: check
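The two `check` tasks above are one-line grep pipelines that only run on a live host. As an added example (not part of the gist or its author's playbook), the same logic as plain shell functions that take the command output as an argument, so it can be exercised against constructed samples before it is trusted in the playbook. The `openssl version -a` and `lsof -n` text below is constructed to look like real output; the hostnames, PIDs and paths are made up. The `DEL` FD column is how lsof actually marks deleted-but-still-mapped files.

```sh
#!/bin/sh
# Added example, not from the gist: the playbook's two safety checks as
# testable shell functions operating on captured command output.

# Constructed sample of `openssl version -a` from a patched and an
# unpatched host. Note the two spaces `date` emits in "Apr  7".
OPENSSL_PATCHED='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'
OPENSSL_STALE='OpenSSL 1.0.1 14 Mar 2012
built on: Tue Jun  4 07:26:06 UTC 2013
platform: debian-amd64'

# Constructed sample of `lsof -n`. A mapped file deleted on disk (the old
# library the upgrade replaced) shows FD "DEL" and a blank SIZE/OFF, so
# the number of fields varies per line. The rsyslogd line is a deleted
# log whose *path* contains "ssl": the gist's `grep ssl | grep DEL`
# counts it as an affected process, the awk filter below does not.
LSOF_SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx     1079 root  DEL    REG    8,1            40999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx     1079 root  DEL    REG    8,1            40998 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd      1234 root  DEL    REG    8,1            40999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd      1234 root  DEL    REG    8,1            12345 /lib/x86_64-linux-gnu/libc-2.15.so
cron       900 root  mem    REG    8,1   397560   40999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
rsyslogd   800 root  DEL    REG    8,1            55555 /var/log/ssl-access.log
postfix    955 root  mem    REG    8,1   397560   40999 /usr/lib/libsasl2.so.2.0.25'

# Return 0 when the build timestamp is the one Ubuntu's fixed openssl
# carries. "Apr +7" tolerates single- or double-space day padding.
openssl_build_ok() {
    printf '%s\n' "$1" | grep -Eq '^built on: Mon Apr +7 20:33:29 UTC 2014$'
}

# Print "PID COMMAND", one line per process, for every process still
# mapping a deleted libssl or libcrypto. Keying on the FD column ($4)
# and the library basename avoids matching unrelated deleted files.
# Assumes COMMAND contains no spaces (lsof's default columnar output).
stale_ssl_procs() {
    printf '%s\n' "$1" |
        awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $2, $1 }' |
        sort -u
}

# Both checks combined the way the playbook sequences them:
# $1 = output of `openssl version -a`, $2 = output of `lsof -n`.
# Returns 1 if the library is stale or any process still maps the old one.
heartbleed_check() {
    status=0
    if ! openssl_build_ok "$1"; then
        echo "Bad build date: $(printf '%s\n' "$1" | grep built)"
        status=1
    fi
    stale="$(stale_ssl_procs "$2")"
    if [ -n "$stale" ]; then
        echo "Processes still mapping the old libssl/libcrypto:"
        echo "$stale"
        status=1
    fi
    return $status
}

# Against a live host: heartbleed_check "$(openssl version -a)" "$(lsof -n)"
# The constructed sample has nginx and sshd still on the old library.
heartbleed_check "$OPENSSL_PATCHED" "$LSOF_SAMPLE" || echo "host is not yet safe"
```

The awk filter is the part worth carrying back into the playbook: `checkrestart` from debian-goodies will tell you which services to bounce, but listing the PIDs that still map `libssl.so` or `libcrypto.so` is what makes the "we are safe" claim verifiable rather than inferred from a count.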