Trying to set up Ubuntu security patching only

From the command line in Ubuntu I can run:

apt list --upgradable | grep security | cut -d/ -f1 | xargs sudo apt-get install -y

but the ansible I have is :


- hosts: all
  become: true
  become_user: root
  tasks:
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes

    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_checksum=no

    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists

How should I modify:

apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

I think I might have to use
shell: apt list --upgradable | grep security | cut -d/ -f1 | xargs sudo apt-get install -y

instead of that apt: task. Does that make sense?

A long time ago, I remember reading that Ansible makes simple things hard and hard things simple. This kind of reminds me of that :slight_smile:

Modules are great for reducing the maintenance burden on you/your team and providing an easy interface for more complicated checks. When a module doesn't meet your needs, you have two options:

  1. Write a new module or open a PR to update an existing module
  2. Use the shell/command module

I think your approach is great, given the constraints you’ve found. There is one change I would suggest though. I would use the shell module to get the list of packages, and then pass that into the apt module. That way, you get the best of both worlds. Something like this (I didn't test it):

- name: Get security patches
  ansible.builtin.shell: apt list --upgradable | grep security | cut -d/ -f1
  changed_when: false
  # grep exits 1 when nothing matches; "no security updates pending" is not a failure
  failed_when: _security_pkg_list.rc > 1
  register: _security_pkg_list

- name: Update
  ansible.builtin.apt:
    name: "{{ _security_pkg_list.stdout_lines }}"
    # state: latest is what actually upgrades packages that are already installed
    state: latest
  when: _security_pkg_list.stdout_lines | length > 0
....
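One caveat worth checking before relying on the pipeline above: `grep security` matches anywhere in the line, so it also picks up a package whose name happens to contain "security" and it exits 1 (failing the task) when no line matches. The following is an added example, not code from either poster, that filters on the suite field of `apt list --upgradable` only (e.g. `jammy-security`, or `jammy-updates,jammy-security`) and exits 0 on an already-patched host. The function names `security_pkgs` and `apt_security_upgrade`, the variable `SAMPLE_APT_LIST` and the sample lines it holds are my own constructions, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): a stricter "security updates only" filter.
# Only the suite field of each `apt list --upgradable` line is inspected, and an
# empty result is not an error. Names here are my own choices.

# Constructed sample of `apt list --upgradable` output (not real host data).
# The last line has "security" in the package *name*; a whole-line grep would match it.
SAMPLE_APT_LIST='Listing...
libssl3/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]
openssh-server/jammy-updates,jammy-security 1:8.9p1-3ubuntu0.10 amd64 [upgradable from: 1:8.9p1-3ubuntu0.7]
security-dummy-example/jammy-updates 1.2-1 all [upgradable from: 1.1-1]'

# Read `apt list --upgradable` lines on stdin and print the names of packages whose
# candidate version comes from a *-security suite. Lines have the shape:
#   name/suite[,suite...] version arch [upgradable from: old]
security_pkgs() {
    awk -F'[/ ]' '
        /^Listing/ { next }                 # header line printed by apt
        NF < 3     { next }                 # blank lines or stray warnings
        {
            n = split($2, suites, ",")      # field 2 is the comma-joined suite list
            for (i = 1; i <= n; i++)
                if (suites[i] ~ /-security$/) { print $1; break }
        }'
}

# Upgrade only those packages. Returns 0 when nothing is pending so an Ansible
# shell task does not fail on a host that is already patched. apt prints
# "WARNING: apt does not have a stable CLI interface" on stderr; it is silenced
# because only stdout is parsed.
apt_security_upgrade() {
    pkgs=$(apt list --upgradable 2>/dev/null | security_pkgs)
    if [ -z "$pkgs" ]; then
        echo "no security updates pending"
        return 0
    fi
    # --only-upgrade: never pull in a package that is not already installed
    printf '%s\n' "$pkgs" | xargs apt-get install -y --only-upgrade
}

# Demonstration on the constructed sample (safe to run anywhere; touches no packages):
printf '%s\n' "$SAMPLE_APT_LIST" | security_pkgs
```

Run on the sample this prints `libssl3` and `openssh-server` only. In a playbook the same filter can be shipped with `ansible.builtin.script` (or inlined in the shell task) and its `stdout_lines` handed to the apt module with `state: latest`, which keeps the privilege boundary in Ansible's `become` rather than in a `sudo` inside the pipeline.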

Hmmm, is there a command that I can use to write _security_pkg_list out to a file?

like

- name: write to file
  shell: echo "{{ _security_pkg_list.stdout_lines }}" > /root/{{ inventory_hostname }}.txt

You can use ansible.builtin.copy with content like so:

- name: Use copy module to write the stdout_lines
  ansible.builtin.copy:
    # join the list so the file gets one package per line instead of a Python list repr
    content: "{{ _security_pkg_list.stdout_lines | join('\n') }}\n"
    dest: "/root/{{ inventory_hostname }}.txt"
    owner: root
    group: root
    mode: "0600"