A Practical Guide to Managing RHEL Packages with the Ansible Yum Module
For system administrators and DevOps engineers, managing software packages across a fleet of servers is a fundamental, repetitive task. Manually installing, updating, and removing packages on Red Hat Enterprise Linux (RHEL) and its derivatives like CentOS and Fedora is not only time-consuming but also prone to human error. This is where automation with Ansible becomes a game-changer.
Ansible provides a simple yet powerful way to automate system configurations, and at the heart of its package management capabilities for Red Hat-based systems is the yum module. This module acts as an automated interface to the yum (or dnf on modern systems) package manager, allowing you to define the desired state of your software in a clear, declarative way.
Let’s dive into how you can leverage the ansible.builtin.yum module to streamline your package management workflow.
The Power of Idempotency
Before we look at examples, it’s crucial to understand a core Ansible concept: idempotency. In simple terms, this means that running an Ansible playbook multiple times will have the same end result as running it just once. If a package is already installed, Ansible won’t try to install it again. This prevents unnecessary changes and ensures your systems consistently match the state you’ve defined.
Installing Packages
The most common task is ensuring a package is installed. To do this, you specify the package name and set the state parameter to present.
For example, to ensure the Apache web server (httpd) is installed on your target servers, your Ansible task would look like this:
- name: Ensure the Apache web server is installed
ansible.builtin.yum:
name: httpd
state: present
If you need to install several packages at once, you can provide them as a list. This is much more efficient than creating a separate task for each one.
- name: Install a list of essential packages
ansible.builtin.yum:
name:
- httpd
- mariadb-server
- php
state: present
Ensuring the Latest Version is Installed
Sometimes, just having a package present isn’t enough; you need to ensure it’s the latest version available from your configured repositories. For this, you simply change the state to latest.
This is a key task for patching vulnerabilities and keeping systems up-to-date.
- name: Ensure the Apache web server is updated to the latest version
ansible.builtin.yum:
name: httpd
state: latest
Ansible will check the installed version against the repository version. If a newer version is available, it will perform the update; otherwise, it will make no changes.
Removing Packages
Just as you can ensure packages are present, you can also ensure they are absent. This is useful for decommissioning software or enforcing security policies that forbid certain tools. To remove a package, you set the state to absent.
- name: Ensure the telnet package is removed
ansible.builtin.yum:
name: telnet
state: absent
Running this task will uninstall telnet if it exists and do nothing if it’s already gone, perfectly demonstrating idempotency.
Updating All System Packages
A common maintenance task is to update all packages on a system. The yum module makes this incredibly straightforward. By using * as the package name and latest as the state, you instruct Ansible to update everything.
- name: Update all packages on the system
ansible.builtin.yum:
name: '*'
state: latest
Security Tip: While powerful, running a full system update can sometimes introduce breaking changes. It’s a best practice to test these updates in a staging environment before rolling them out to production servers.
Actionable Security: Applying Only Security Updates
In many production environments, you may only want to apply critical security patches without updating every single package. The yum module includes a specific parameter for this exact scenario.
By setting the security: yes parameter, you instruct yum to only install updates that have been classified as security-related.
- name: Install only security-related updates
ansible.builtin.yum:
name: '*'
state: latest
security: yes
This is an excellent practice for maintaining a secure and stable production environment, minimizing the risk associated with non-essential version changes.
A Final Word of Caution: GPG Checks
The yum module includes a parameter called disable_gpg_check, which bypasses the verification of package signatures.
It is strongly recommended that you do not disable GPG checks in a production environment. Disabling this check is a significant security risk, as it prevents your system from verifying that the packages you are installing come from a trusted source and have not been tampered with. Only consider using this for trusted, internal repositories where you control the package signing process.
By mastering the Ansible yum module, you can transform your package management from a manual chore into a reliable, scalable, and automated process. Integrating these simple tasks into your playbooks will save you time, reduce errors, and give you precise control over the state of your infrastructure.
Source: https://linuxhandbook.com/ansible-yum-module/
