When managing Ubuntu/Debian servers through Ansible, you'll frequently encounter situations where old kernel packages and their dependencies remain installed after upgrades. The manual `apt-get autoremove` command cleans these up, but how do we automate this in our infrastructure?
The Ansible `apt` module actually includes built-in support for autoremoval. Here's the simplest implementation:

```yaml
- name: Remove automatically installed unused packages
  apt:
    autoremove: yes
```
For production environments, you might want to combine this with other package operations and add safety checks:
```yaml
- name: Update apt package index
  apt:
    update_cache: yes
    cache_valid_time: 86400

- name: Upgrade all packages
  apt:
    upgrade: dist
    autoremove: no  # handled separately below, after a dry run

- name: Check for autoremovable packages
  command: apt-get --just-print autoremove
  register: autoremove_check
  changed_when: false

- name: Perform autoremove if needed
  apt:
    autoremove: yes
  when: "'The following packages will be REMOVED' in autoremove_check.stdout"
```
For EC2 instances where kernel management is critical, consider this targeted approach. Two details matter: the `apt` module's `purge` option is a boolean, so the package name goes in `name` with `state: absent`; and `ansible_facts.packages` (populated by `package_facts`) is a dict keyed by package name, so the filtering is done on its keys rather than on a `source` attribute. The running kernel is excluded by name, but if an upgrade has installed a newer kernel and the host has not rebooted yet, that newer kernel is not the running one and this loop would purge it. Either run this only after the reboot, or rely on plain `autoremove`, which already protects both the running kernel and the most recently installed one.

```yaml
- name: Gather installed package facts
  package_facts:
    manager: apt

- name: Clean up old kernels (safer method)
  apt:
    name: "{{ item }}"
    state: absent
    purge: yes
  loop: >-
    {{ ansible_facts.packages | dict2items | map(attribute='key')
       | select('match', '^linux-image-[0-9].*-generic$')
       | reject('equalto', 'linux-image-' ~ ansible_facts.kernel)
       | list }}
  when: ansible_facts.packages is defined
```
- Always test autoremove operations in staging first
- Consider setting `autoclean: yes` on the `apt` task to remove obsolete downloaded .deb files from the package cache
- Combine with regular `apt-get clean` operations (the `apt` module also exposes this as `clean: yes`)
- Monitor disk space before/after; note that the `stat` module reports file attributes, not free space, so use the `ansible_mounts` fact (`size_available`) or `df` for that
Wrap your autoremove tasks with proper error handling. Keep in mind that a `rescue` section swallows the failure: the play continues and the host is reported as ok, so if a failed autoremove should count as a failure for the run, end the rescue with a `fail` task after logging the message.

```yaml
- name: Safe autoremove with error handling
  block:
    - name: Perform autoremove
      apt:
        autoremove: yes
  rescue:
    - name: Notify about failed autoremove
      debug:
        msg: "Autoremove failed on {{ inventory_hostname }}"
```
Here's how this fits into a complete server maintenance playbook:
```yaml
- hosts: all
  become: yes
  tasks:
    - name: Update and upgrade packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no

    - name: Check for reboot required
      stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Perform autoremove after upgrade
      apt:
        autoremove: yes

    - name: Reboot if needed
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 600
      when: reboot_required.stat.exists
```
When managing Ubuntu/Debian servers through Ansible, you'll often encounter leftover packages after system updates. These are dependencies that were automatically installed but are no longer needed after package removals or upgrades. While a manual `apt-get autoremove` works, automating this in your infrastructure-as-code setup is crucial.
The Ansible `apt` module actually has built-in support for autoremove functionality:

```yaml
- name: Remove unnecessary packages
  apt:
    autoremove: yes
```
For better control and logging, consider this enhanced playbook snippet. Note that `apt-get -s autoremove` always prints its "Reading package lists..." preamble and a summary line, so testing for empty output would fire on every run; test for the removal section instead:

```yaml
- name: System maintenance
  hosts: all
  become: yes
  tasks:
    - name: Update package index
      apt:
        update_cache: yes

    - name: Upgrade all packages
      apt:
        upgrade: dist

    - name: Perform autoremove with dry-run first
      command: apt-get -s autoremove
      register: autoremove_check
      changed_when: false

    - name: Display packages to be removed
      debug:
        var: autoremove_check.stdout_lines
      when: "'The following packages will be REMOVED' in autoremove_check.stdout"

    - name: Execute autoremove if needed
      apt:
        autoremove: yes
      when: "'The following packages will be REMOVED' in autoremove_check.stdout"
```
For servers accumulating old kernel packages (a common scenario), you might want a more targeted approach. Do not purge `linux-image-*` and `linux-headers-*` as wildcards: that matches every installed kernel, the running one and the `linux-image-generic` meta-package included, and `ignore_errors` would only hide the damage. Select the old versions explicitly from the package facts and never touch the version that is currently booted. Run this after the host has rebooted onto its newest kernel, otherwise a just-installed kernel that is not yet running is purged along with the rest.

```yaml
- name: Gather installed package facts
  package_facts:
    manager: apt

- name: Clean up old kernel packages (never the running one)
  apt:
    name: "{{ item }}"
    state: absent
    purge: yes
  loop: >-
    {{ ansible_facts.packages | dict2items | map(attribute='key')
       | select('match', '^linux-(image|headers|modules|modules-extra)-[0-9]')
       | reject('search', ansible_kernel | regex_replace('-[a-z]+$', '') | regex_escape)
       | list }}
  register: kernel_cleanup

- name: Run standard autoremove
  apt:
    autoremove: yes
```
- Always test autoremove operations in staging first
- Consider adding notifications for removed packages
- Schedule regular maintenance windows for these operations
- Combine with `apt-get autoclean` for complete cleanup
To track the effectiveness of your autoremove operations (the simulation prints one `Remv NAME [VERSION]` line per package it would remove):

```yaml
- name: Check autoremove status
  command: apt-get -s autoremove
  register: autoremove_status
  changed_when: false

- name: Report if cleanup needed
  debug:
    msg: "System has {{ autoremove_status.stdout_lines | select('match', '^Remv') | list | length }} packages eligible for autoremove"
```
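The dry-run checks on this page all hinge on reading `apt-get -s autoremove` output correctly: the preamble is always present, the "will be REMOVED" block wraps package names across lines, and the `Remv` lines are the reliable per-package record. The following is an added example, not code from the original page or from apt, that parses that output into a removal list, makes the "is anything removable" decision the `when:` conditions need, and refuses to proceed if the running kernel's image is among the removals. The two sample outputs are constructed from the format apt-get prints in simulation mode; the function names are this example's own.

```python
"""Parse `apt-get -s autoremove` output and decide whether a real run is warranted.

Added example; not part of the original page. Sample outputs are constructed.
"""
import re

# One line per package in simulation mode: "Remv linux-image-5.15.0-76-generic [5.15.0-76.83]"
REMV_RE = re.compile(r"^Remv (?P<name>\S+) \[(?P<version>[^\]]+)\]")
# Always-present summary: "0 upgraded, 0 newly installed, 4 to remove and 3 not upgraded."
SUMMARY_RE = re.compile(r"^\d+ upgraded, \d+ newly installed, (?P<remove>\d+) to remove")
# Fallback: the indented, line-wrapped block under "The following packages will be REMOVED:"
BLOCK_RE = re.compile(r"The following packages will be REMOVED:\n((?:[ ]{2}\S.*\n?)+)")


def parse_autoremove(stdout):
    """Return (packages_to_remove, count_from_summary).

    Remv lines are preferred because they are one per package; the REMOVED
    block is only consulted when no Remv lines are present.
    """
    lines = stdout.splitlines()
    packages = [m.group("name") for m in (REMV_RE.match(line) for line in lines) if m]
    summary = 0
    for line in lines:
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m.group("remove"))
    if not packages:
        block = BLOCK_RE.search(stdout)
        if block:
            packages = block.group(1).split()
    return packages, summary


def needs_autoremove(stdout):
    """The test a playbook condition should encode. `stdout != ""` is never a
    valid check: the simulation prints header and summary lines every time."""
    packages, summary = parse_autoremove(stdout)
    return bool(packages) or summary > 0


def plan_autoremove(stdout, kernel_release):
    """Decision record for one host: run only if something is removable and the
    image of the running kernel (kernel_release = uname -r) is not on the list.
    apt normally protects the running kernel, but a host booted on a kernel it
    no longer lists as protected can defeat that, so check explicitly."""
    packages, summary = parse_autoremove(stdout)
    blocked = [p for p in packages
               if p.startswith("linux-image-") and p.endswith(kernel_release)]
    return {
        "run": (bool(packages) or summary > 0) and not blocked,
        "packages": packages,
        "blocked_by": blocked,
    }


# Constructed sample: simulation run as a non-root user with one old kernel removable.
SAMPLE_REMOVABLE = """NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
      Keep also in mind that locking is deactivated,
      so don't depend on the relevance to the real current situation!
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  linux-headers-5.15.0-76 linux-headers-5.15.0-76-generic
  linux-image-5.15.0-76-generic linux-modules-5.15.0-76-generic
0 upgraded, 0 newly installed, 4 to remove and 3 not upgraded.
Remv linux-headers-5.15.0-76-generic [5.15.0-76.83]
Remv linux-headers-5.15.0-76 [5.15.0-76.83]
Remv linux-image-5.15.0-76-generic [5.15.0-76.83]
Remv linux-modules-5.15.0-76-generic [5.15.0-76.83]
"""

# Constructed sample: nothing to do, yet stdout is clearly not empty.
SAMPLE_CLEAN = """Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
"""

if __name__ == "__main__":
    print(plan_autoremove(SAMPLE_REMOVABLE, "5.15.0-91-generic"))
    print(plan_autoremove(SAMPLE_REMOVABLE, "5.15.0-76-generic"))
    print(needs_autoremove(SAMPLE_CLEAN))
```

Feeding the registered `autoremove_check.stdout` through `plan_autoremove` (for instance from a small custom module, or by reproducing the `Remv` and summary tests in Jinja2) gives a `when:` condition that is false on a clean host and false when the removal list would take out the kernel currently booted.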