From 3f915a99a5a976c39a180e7b1d8312b73c4fcfa6 Mon Sep 17 00:00:00 2001
From: Semaphore
Date: Thu, 12 Mar 2026 22:21:54 -0700
Subject: [PATCH] Update linux_reboot: use kernel version comparison instead of reboot-required flag
---
 playbooks/linux_reboot.yml | 83 ++++++++++++++++++++++++++++----------
 1 file changed, 61 insertions(+), 22 deletions(-)
diff --git a/playbooks/linux_reboot.yml b/playbooks/linux_reboot.yml
index 4ed64a8..3d66c71 100644
--- a/playbooks/linux_reboot.yml
+++ b/playbooks/linux_reboot.yml
@@ -10,43 +10,76 @@ hosts: linux_hosts gather_facts: true vars: - force_reboot: false # set to true in Semaphore extra vars to reboot regardless + force_reboot: false # override with -e force_reboot=true to reboot all hosts tasks: - - name: Check if reboot is required (Debian/Ubuntu) - ansible.builtin.stat: - path: /var/run/reboot-required - register: reboot_required_file - when: ansible_os_family == "Debian" - - name: Set reboot_needed fact (Debian/Ubuntu) - ansible.builtin.set_fact: - reboot_needed: "{{ reboot_required_file.stat.exists | default(false) }}" - when: ansible_os_family == "Debian" + - name: Get running kernel version + ansible.builtin.command: uname -r + register: running_kernel + changed_when: false - - name: Check if reboot is required (Alpine) + - name: Get installed kernel version (Debian/Ubuntu) ansible.builtin.shell: | - apk version -l = 2>/dev/null | grep -q kernel && echo "yes" || echo "no" - register: alpine_reboot_check + dpkg -l 'linux-image-*' 2>/dev/null \ + | awk '/^ii/ {print $3}' \ + | sort -V | tail -1 + register: installed_kernel_deb + changed_when: false + when: ansible_os_family == "Debian" + + - name: Normalize installed kernel version (Debian/Ubuntu) + ansible.builtin.set_fact: + installed_kernel_version: "{{ installed_kernel_deb.stdout | trim }}" + when: ansible_os_family == "Debian" + + - name: Get installed kernel version (Alpine) + ansible.builtin.shell: | + apk info --installed 2>/dev/null \ + | grep '^linux-' | sort -V | tail -1 | awk '{print $1}' + register: installed_kernel_alpine changed_when: false when: ansible_os_family == "Alpine" - - name: Set reboot_needed fact (Alpine) + - name: Normalize installed kernel version (Alpine) ansible.builtin.set_fact: - reboot_needed: "{{ alpine_reboot_check.stdout | trim == 'yes' }}" + installed_kernel_version: "{{ installed_kernel_alpine.stdout | trim }}" when: ansible_os_family == "Alpine" - - name: Set reboot_needed fallback (RHEL or unknown) + - name: Get installed kernel 
version (RHEL/CentOS) + ansible.builtin.shell: | + rpm -q --last kernel 2>/dev/null \ + | head -1 | awk '{print $1}' | sed 's/kernel-//' + register: installed_kernel_rhel + changed_when: false + when: ansible_os_family == "RedHat" + + - name: Normalize installed kernel version (RHEL/CentOS) ansible.builtin.set_fact: - reboot_needed: false - when: reboot_needed is not defined + installed_kernel_version: "{{ installed_kernel_rhel.stdout | trim }}" + when: ansible_os_family == "RedHat" + + - name: Set installed_kernel_version fallback + ansible.builtin.set_fact: + installed_kernel_version: "unknown" + when: installed_kernel_version is not defined + + - name: Determine if reboot is needed (kernel mismatch) + ansible.builtin.set_fact: + reboot_needed: >- + {{ + installed_kernel_version != 'unknown' and + running_kernel.stdout | trim not in installed_kernel_version + }} - name: Report reboot status ansible.builtin.debug: msg: >- {{ inventory_hostname }}: + running={{ running_kernel.stdout | trim }}, + installed={{ installed_kernel_version }}, reboot_needed={{ reboot_needed }}, force_reboot={{ force_reboot }} - — {{ 'WILL reboot' if (reboot_needed or force_reboot) else 'Skipping reboot' }} + — {{ 'WILL reboot' if (reboot_needed | bool or force_reboot | bool) else 'Skipping reboot' }} - name: Reboot host ansible.builtin.reboot: @@ -56,8 +89,14 @@ msg: "Scheduled reboot — initiated by Ansible" when: reboot_needed | bool or force_reboot | bool - - name: Reboot complete - ansible.builtin.debug: - msg: "{{ inventory_hostname }} is back online and responding" + - name: Verify kernel version after reboot + ansible.builtin.command: uname -r + register: post_reboot_kernel + changed_when: false + when: reboot_needed | bool or force_reboot | bool + + - name: Report post-reboot kernel + ansible.builtin.debug: + msg: "{{ inventory_hostname }} rebooted — now running kernel {{ post_reboot_kernel.stdout | trim }}" when: reboot_needed | bool or force_reboot | bool
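Review bot: The Debian/Ubuntu lookup prints `$3` of `dpkg -l`, which is the package version column rather than the package name that carries the kernel release. The `running_kernel.stdout | trim not in installed_kernel_version` test will therefore most likely never match `uname -r` on those hosts, and every run reboots them. An empty result has the same effect: the `unknown` fallback only fires when the fact is undefined, and any string is `not in ''`, so a host with no kernel package (a container, for example) is also rebooted on each run. I would select the name instead, `dpkg -l 'linux-image-[0-9]*' 2>/dev/null | awk '/^ii/ {print $2}'`, and map empty output to the fallback with `{{ installed_kernel_deb.stdout | trim | default('unknown', true) }}` in each Normalize task. The Alpine pipeline should be checked on a real host as well, since I would not expect `apk info --installed` without package arguments to print a kernel release.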
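Review bot: The "Verify kernel version after reboot" task only runs `uname -r` and the following debug task prints it, so a host that comes back on the old kernel (a stale bootloader default, say) still ends the play green. Since the point of the reboot is to get the patched kernel running, the result should be asserted against `installed_kernel_version` and the host failed on a mismatch. The check below reuses the same substring comparison as the `reboot_needed` task, so it is only as reliable as that comparison. It is skipped for `unknown` and for force-only reboots.

```yaml
    # … unchanged: "Verify kernel version after reboot" command task …
    - name: Fail if host is still running the old kernel
      ansible.builtin.assert:
        that:
          - (post_reboot_kernel.stdout | trim) in installed_kernel_version
        fail_msg: >-
          {{ inventory_hostname }} rebooted but is running
          {{ post_reboot_kernel.stdout | trim }},
          expected {{ installed_kernel_version }}
      when:
        - reboot_needed | bool
        - installed_kernel_version != 'unknown'
    # … unchanged: "Report post-reboot kernel" debug task …
```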