From a1905f222554cc7246951674487cf6c866928c69 Mon Sep 17 00:00:00 2001
From: Semaphore <semaphore@internal>
Date: Thu, 12 Mar 2026 22:34:59 -0700
Subject: [PATCH] Fix linux_reboot: base version comparison for Debian kernels,
 skip LXC containers

---
 playbooks/linux_reboot.yml | 44 ++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/playbooks/linux_reboot.yml b/playbooks/linux_reboot.yml
index c66fca7..a3a5908 100644
--- a/playbooks/linux_reboot.yml
+++ b/playbooks/linux_reboot.yml
@@ -11,6 +11,21 @@
       register: running_kernel
       changed_when: false
 
+    - name: Detect if running inside an LXC container
+      ansible.builtin.shell: |
+        grep -q 'lxc' /proc/1/environ 2>/dev/null \
+          || systemd-detect-virt --quiet --container 2>/dev/null \
+          || [ -f /run/.containerenv ] \
+          && echo "lxc" || echo "not-lxc"
+      register: virt_detect
+      changed_when: false
+      failed_when: false
+
+    - name: Set is_lxc fact
+      ansible.builtin.set_fact:
+        is_lxc: "{{ 'lxc' in virt_detect.stdout }}"
+
+    # ── Debian/Ubuntu ──────────────────────────────────────────────────────────
     - name: Get installed kernel version (Debian/Ubuntu)
       ansible.builtin.shell: |
         dpkg -l 'linux-image-*' 2>/dev/null \
@@ -21,10 +36,15 @@
       when: ansible_os_family == "Debian"
 
     - name: Normalize installed kernel version (Debian/Ubuntu)
+      # dpkg reports e.g. "6.12.74-2", uname -r reports "6.12.74+deb13+1-amd64"
+      # Extract just the base X.Y.Z for comparison
       ansible.builtin.set_fact:
         installed_kernel_version: "{{ installed_kernel_deb.stdout | trim }}"
+        installed_kernel_base: "{{ installed_kernel_deb.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
+        running_kernel_base: "{{ running_kernel.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
       when: ansible_os_family == "Debian"
 
+    # ── Alpine ─────────────────────────────────────────────────────────────────
     - name: Get installed kernel version (Alpine)
       ansible.builtin.shell: |
         apk info --installed 2>/dev/null \
@@ -36,8 +56,11 @@
     - name: Normalize installed kernel version (Alpine)
       ansible.builtin.set_fact:
         installed_kernel_version: "{{ installed_kernel_alpine.stdout | trim }}"
+        installed_kernel_base: "{{ installed_kernel_alpine.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
+        running_kernel_base: "{{ running_kernel.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
       when: ansible_os_family == "Alpine"
 
+    # ── RHEL/CentOS ────────────────────────────────────────────────────────────
     - name: Get installed kernel version (RHEL/CentOS)
       ansible.builtin.shell: |
         rpm -q --last kernel 2>/dev/null \
@@ -49,27 +72,36 @@
     - name: Normalize installed kernel version (RHEL/CentOS)
       ansible.builtin.set_fact:
         installed_kernel_version: "{{ installed_kernel_rhel.stdout | trim }}"
+        installed_kernel_base: "{{ installed_kernel_rhel.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
+        running_kernel_base: "{{ running_kernel.stdout | trim | regex_replace('^(\\d+\\.\\d+\\.\\d+).*', '\\1') }}"
       when: ansible_os_family == "RedHat"
 
-    - name: Set installed_kernel_version fallback
+    # ── Fallbacks ──────────────────────────────────────────────────────────────
+    - name: Set fallback for unknown/LXC hosts
       ansible.builtin.set_fact:
         installed_kernel_version: "unknown"
+        installed_kernel_base: "unknown"
+        running_kernel_base: "unknown"
       when: installed_kernel_version is not defined
 
-    - name: Determine if reboot is needed (kernel mismatch)
+    # ── Determine reboot need ──────────────────────────────────────────────────
+    - name: Determine if reboot is needed
       ansible.builtin.set_fact:
         reboot_needed: >-
           {{
-            installed_kernel_version != 'unknown' and
-            running_kernel.stdout | trim not in installed_kernel_version
+            not is_lxc | bool
+            and installed_kernel_version != 'unknown'
+            and installed_kernel_base != ''
+            and installed_kernel_base != running_kernel_base
           }}
 
     - name: Report reboot status
       ansible.builtin.debug:
         msg: >-
           {{ inventory_hostname }}:
-          running={{ running_kernel.stdout | trim }},
-          installed={{ installed_kernel_version }},
+          running={{ running_kernel.stdout | trim }} (base={{ running_kernel_base }}),
+          installed={{ installed_kernel_version }} (base={{ installed_kernel_base }}),
+          is_lxc={{ is_lxc }},
           reboot_needed={{ reboot_needed }},
           force_reboot={{ force_reboot }}
           — {{ 'WILL reboot' if (reboot_needed | bool or force_reboot | bool) else 'Skipping reboot' }}