Toggle to allow warnings to block patching #143 (#150)

* #143 first stab at a new parameter to control VSBNLP behaviour * Try the new format for the locked files * Abort flag * update fact
albatrossflavour · Aug 21, 2019 · a6e9594 · a6e9594
1 parent d1ca426
commit a6e9594
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 12 deletions.
diff --git a/files/os_patching_fact_generation.sh b/files/os_patching_fact_generation.sh
@@ -28,8 +28,8 @@ case $(facter osfamily) in
     FILTER='egrep -v "^Security:"'
     PKGS=$(yum -q check-update 2>/dev/null| $FILTER | egrep -v "is broken|^Loaded plugins" | awk '/^[[:alnum:]]/ {print $1}')
     SECPKGS=$(yum -q --security check-update 2>/dev/null| $FILTER | egrep -v "is broken|^Loaded plugins" | awk '/^[[:alnum:]]/ {print $1}')
-    HELDPKGS=$(awk -F'[:-]' '/:/ {print $2}' /etc/yum/pluginconf.d/versionlock.list)
-
+    HELDPKGS=$(awk -F':' '/:/ {print $2}' /etc/yum/pluginconf.d/versionlock.list | sed 's/-[0-9].*//'
+)
   ;;
   Suse)
     PKGS=$(zypper --non-interactive --no-abbrev --quiet lu | grep '|' | grep -v '\sRepository' | awk -F'|' '/^[[:alnum:]]/ {print $3}' | sed 's/^\s*\|\s*$//')

diff --git a/lib/facter/os_patching.rb b/lib/facter/os_patching.rb
@@ -13,6 +13,8 @@
     require 'time'
     now = Time.now.iso8601
     warnings = {}
+    blocked = false
+    blocked_reasons = []
 
     if Facter.value(:kernel) == 'Linux'
       os_patching_dir = '/var/cache/os_patching'
@@ -83,9 +85,6 @@
     chunk(:blackouts) do
       data = {}
       arraydata = {}
-      data['blocked'] = false
-      data['blocked_reasons'] = {}
-      data['blocked_reasons'] = []
       blackoutfile = os_patching_dir + '/blackout_windows'
       if File.file?(blackoutfile)
         blackouts = File.open(blackoutfile, 'r').read
@@ -106,22 +105,22 @@
             end
 
             if (matchdata[2]..matchdata[3]).cover?(now)
-              data['blocked'] = true
-              data['blocked_reasons'].push matchdata[1]
+              blocked = true
+              blocked_reasons.push matchdata[1]
             end
             # rubocop:enable Metrics/BlockNesting
           else
             warnings['blackouts'] = "Invalid blackout entry : #{line}"
-            data['blocked'] = true
-            data['blocked_reasons'].push "Invalid blackout entry : #{line}"
+            blocked = true
+            blocked_reasons.push "Invalid blackout entry : #{line}"
           end
         end
       end
       data['blackouts'] = arraydata
       data
     end
 
-    # Are there any pinned packages in yum?
+    # Are there any pinned/version locked packages?
     chunk(:pinned) do
       data = {}
       pinnedpkgs = []
@@ -248,9 +247,25 @@
       end
       data
     end
-    chunk(:warnings) do
+
+    # Should we patch if there are warnings?
+    chunk(:block_patching_on_warnings) do
       data = {}
-      data['warnings'] = warnings
+      abort_on_warningsfile = os_patching_dir + '/block_patching_on_warnings'
+      if File.file?(abort_on_warningsfile)
+        data['block_patching_on_warnings'] = 'true'
+        if not warnings.empty?
+          blocked = true
+          blocked_reasons.push warnings
+        end
+        data['blocked'] = blocked
+        data['blocked_reasons'] = blocked_reasons
+      else
+        data['block_patching_on_warnings'] = 'false'
+        data['warnings'] = warnings
+        data['blocked'] = blocked
+        data['blocked_reasons'] = blocked_reasons
+      end
       data
     end
   end

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -14,6 +14,11 @@
 #   Should the yum_utils package be managed by this module on RedHat family nodes?
 #   If `true`, use the parameter `yum_utils` to determine how it should be manged
 #
+# @param block_patching_on_warnings [Boolean]
+#   If there are warnings present in the os_patching fact, should the patching task run?
+#   If `true` the run will abort and take no action
+#   If `false` the run will continue and attempt to patch (default)
+#
 # @param yum_utils
 #   If managed, what should the yum_utils package set to?
 #
@@ -118,6 +123,7 @@
   Boolean $manage_delta_rpm           = false,
   Boolean $manage_yum_plugin_security = false,
   Boolean $fact_upload                = true,
+  Boolean $block_patching_on_warnings = false,
   Enum['installed', 'absent', 'purged', 'held', 'latest'] $yum_utils = 'installed',
   Enum['installed', 'absent', 'purged', 'held', 'latest'] $delta_rpm = 'installed',
   Enum['installed', 'absent', 'purged', 'held', 'latest'] $yum_plugin_security = 'installed',
@@ -199,11 +205,21 @@
     default => 'absent'
   }
 
+  $block_patching_ensure = ($ensure == 'present' and $block_patching_on_warnings ) ? {
+    true    => 'file',
+    default => 'absent'
+  }
+
   file { "${cache_dir}/patch_window":
     ensure  => $patch_window_ensure,
     content => $patch_window,
   }
 
+  file { "${cache_dir}/block_patching_on_warnings":
+    ensure  => $block_patching_ensure,
+    notify  => Exec[$fact_exec],
+  }
+
   $reboot_override_ensure = ($ensure == 'present' and $reboot_override) ? {
     true    => 'file',
     default => 'absent',
@@ -268,6 +284,7 @@
 
   case $::kernel {
     'Linux': {
+
       if ( $::osfamily == 'RedHat' and $manage_yum_utils) {
         package { 'yum-utils':
           ensure => $yum_utils,