Lead Image © David Crockett, Fotolia.com

Quick patches with Ansible

Game Plan

Article from ADMIN 87/2025

By Thomas Reuß

Ansible has earned an excellent reputation as a tool for configuration management. Thanks to playbooks, updates are more or less child's play.

Nobody enjoys patching servers – or at least I don't know anyone who claims to – but everybody agrees that security patches are essential, at least for front-line systems such as web servers, firewalls, load balancers, mail servers, and so on. However, even in 2025, I still hear people saying (in essence): "You don't need to worry, you know. These machines are inaccessible from the Internet and hidden right at the back of the LAN."

This setup could even work for a while, until someone right at the back of the LAN has the bright idea of plugging the fancy USB stick they found earlier in the lounge into their work PC or of opening what appears to be a totally harmless email attachment – after all, the company has a painfully expensive state-of-the-art endpoint security solution in place. In these cases, even the most attractive, fancy software box on the shelf in the admin's office is of no use whatsoever. Do you have highly segmented networks in your back office? Are your LAN sockets protected by MAC filters? Do you disable USB ports or even lock away your hardware in metal boxes? The thought of users opening up a path for malware right into the heart of the company is likely to make many an admin break out in a cold sweat.

Against the backdrop of these horror scenarios, it will not hurt to look at some totally banal but still very real issues, including rolling out mass updates, which plays a particularly important role if you don't have access to powerful, but potentially expensive, tools like SUSE Multi-Linux Manager [1] or Uyuni [2]. In such a case, it's worth considering Ansible [3].