public-infra/maintenance-scripts
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
maintenance-scripts/README.md
rebecca 3574b47a5f Initialize infrastructure maintenance scripts with Ansible playbooks 
Add Ansible-based maintenance scripts for infrastructure operations:
- CVE scanner using NIST NVD database
- Package update checker with OpenAI risk assessment
- Docker cleanup playbook
- Log archiver for rotated logs
- Disk space analyzer

Supports Ubuntu 20.04/22.04/24.04, Debian 11/12/13, and Alpine Linux
2026-01-22 10:37:08 -03:00

249 lines
6.4 KiB
Markdown
Raw Blame History

# Infrastructure Maintenance Scripts
Ansible-based maintenance scripts for infrastructure operations across multiple Linux distributions.
## Supported Operating Systems
- Ubuntu 20.04, 22.04, 24.04
- Debian 11, 12, 13
- Alpine Linux
## Prerequisites
- Ansible 2.15 or higher
- Python 3.8+ on target hosts
- SSH access to target hosts
- Sudo privileges on target hosts
## Installation
1. Clone the repository:
```bash
git clone git@git.puddi.ng:public-infra/maintenance-scripts.git
cd maintenance-scripts
```
2. Install required Ansible collections:
```bash
ansible-galaxy collection install -r requirements.yml
```
3. Configure inventory:
```bash
vim inventory/hosts.ini
```
## Available Playbooks
### 1. CVE Scanner - `playbooks/scan_cves.yml`
Identifies packages with CVE vulnerabilities using the NIST NVD database.
**Features:**
- Parses installed packages across supported OS distributions
- Queries NIST NVD CVE database via API
- Correlates vulnerabilities with installed packages
- Outputs JSON report with findings
**Usage:**
```bash
ansible-playbook playbooks/scan_cves.yml -i inventory/hosts.ini
```
**Output:**
- JSON report saved to `/tmp/cve_report_*.json`
- Contains package name, version, CVE IDs, severity, and host information
### 2. Package Update Checker - `playbooks/check_updates.yml`
Checks for available package updates and assesses potential risks using OpenAI.
**Features:**
- Lists upgradable packages across supported distributions
- Uses OpenAI API to identify potential breaking changes
- Separates safe updates from risky ones
- Provides recommendation on whether to proceed
**Prerequisites:**
- Set `OPENAI_API_KEY` environment variable
**Usage:**
```bash
export OPENAI_API_KEY="your-openai-api-key"
ansible-playbook playbooks/check_updates.yml -i inventory/hosts.ini
```
**Output:**
- JSON report saved to `/tmp/update_report_*.json`
- Lists safe and risky updates with risk assessment
- Provides boolean flag for automatic update safety
### 3. Docker Cleanup - `playbooks/cleanup_docker.yml`
Cleans up Docker resources including images, containers, and build cache.
**Features:**
- Removes dangling images
- Removes stopped containers
- Cleans build cache
- Provides before/after disk usage comparison
- Optional volume cleanup (disabled by default)
**Usage:**
```bash
ansible-playbook playbooks/cleanup_docker.yml -i inventory/hosts.ini
```
**Output:**
- JSON report saved to `/tmp/docker_cleanup_report_*.json`
- Shows disk space reclaimed for each resource type
### 4. Log Archiver - `playbooks/archive_logs.yml`
Archives rotated log files and transfers them to remote storage.
**Features:**
- Archives gzipped rotated logs from `/var/log`
- Organizes logs by hostname, IP, and date
- Transfers archives to remote storage location
- Cleans up original logs after successful transfer
- Generates metadata for each archive
**Prerequisites:**
- Set `REMOTE_STORAGE_PATH` environment variable (defaults to `/mnt/log-archive`)
**Usage:**
```bash
export REMOTE_STORAGE_PATH="/path/to/log-storage"
ansible-playbook playbooks/archive_logs.yml -i inventory/hosts.ini
```
**Output:**
- JSON report saved to `/tmp/log_archive_report_*.json`
- Archives stored with structure: `YEAR/MONTH/DAY/logs_HOSTNAME_IP_DATE.tar.gz`
### 5. Disk Space Analyzer - `playbooks/analyze_disk_space.yml`
Analyzes disk usage and identifies directories consuming excessive space.
**Features:**
- Scans multiple paths with configurable depth (default 5)
- Identifies directories larger than threshold (default 1GB)
- Lists large files exceeding threshold
- Provides disk and inode usage statistics
- Alerts on high disk or inode usage
**Usage:**
```bash
ansible-playbook playbooks/analyze_disk_space.yml -i inventory/hosts.ini
```
**Output:**
- JSON report saved to `/tmp/disk_space_report_*.json`
- Lists large directories and files sorted by size
- Includes disk and inode usage alerts
## Configuration
### Environment Variables
- `OPENAI_API_KEY`: Required for package update risk assessment
- `REMOTE_STORAGE_PATH`: Path for log archive storage (default: `/mnt/log-archive`)
### Inventory Structure
The inventory file uses INI format with groups:
```ini
[webservers]
web1.example.com ansible_host=192.168.1.10
[dbservers]
db1.example.com ansible_host=192.168.1.20
```
### SSH Configuration
Configure SSH access in `ansible.cfg` or use SSH config file:
```ini
[defaults]
host_key_checking = False
```
## Running Playbooks
### Target specific hosts:
```bash
ansible-playbook playbooks/scan_cves.yml -i inventory/hosts.ini -l web1.example.com
```
### Target groups:
```bash
ansible-playbook playbooks/scan_cves.yml -i inventory/hosts.ini -l webservers
```
### Run with extra variables:
```bash
ansible-playbook playbooks/analyze_disk_space.yml -i inventory/hosts.ini -e "size_threshold_gb=5"
```
### Limit concurrency:
```bash
ansible-playbook playbooks/scan_cves.yml -i inventory/hosts.ini -f 10
```
## Output Locations
All playbooks generate JSON reports in `/tmp/` with timestamps:
- CVE reports: `/tmp/cve_report_TIMESTAMP.json`
- Update reports: `/tmp/update_report_TIMESTAMP.json`
- Docker cleanup reports: `/tmp/docker_cleanup_report_TIMESTAMP.json`
- Log archive reports: `/tmp/log_archive_report_TIMESTAMP.json`
- Disk space reports: `/tmp/disk_space_report_TIMESTAMP.json`
## Best Practices
1. **Test on non-production hosts first**: Always test playbooks on a subset of hosts
2. **Monitor output**: Review reports before taking automated actions
3. **Schedule regular runs**: Use cron or Jenkins for periodic scans
4. **Backup before updates**: Ensure backups exist before running update playbooks
5. **Review risky updates**: Manually review packages marked as risky before updating
## Troubleshooting
### Connection issues
```bash
ansible all -i inventory/hosts.ini -m ping
```
### Privilege issues
Ensure the user has sudo privileges:
```bash
ansible-playbook playbooks/scan_cves.yml -i inventory/hosts.ini -u ansible_user --become
```
### Collection not found
Install required collections:
```bash
ansible-galaxy collection install -r requirements.yml
```
### Python module issues
Ensure Python 3 is available:
```bash
ansible all -i inventory/hosts.ini -m shell -a "python3 --version"
```
## Contributing
1. Follow Ansible best practices
2. Use Ansible modules instead of shell commands when possible
3. Ensure cross-platform compatibility
4. Write clear and descriptive task names
5. Add error handling where appropriate
6. Test on all supported OS distributions
## License
Copyright (c) 2026. All rights reserved.
Reference in New Issue View Git Blame Copy Permalink