Using Puppet to roll out Windows Updates

Pskov Shurik

Jun 11, 2014, 12:35:17 PM
to puppet...@googlegroups.com
Hello everyone,

We have recently started using Puppet to do initial system prep on new servers, such as Apache, Java installs, hosts file updates etc. However, we are now exploring the possibility of extending Puppet to manage Windows Updates. Er... has anyone done it? 

The requirements are simple: give Puppet a list of KB items to download and it would go and deploy these on whatever servers Puppet Agent is running on. We are happy for servers to go download a copy of patches, so we won't be using Puppet's central repository of installers (since Windows update installers are different depending on OS and architecture).

I found a PowerHell script here - http://www.flobee.net/programmatically-run-windows-update-as-part-of-a-broader-patch-and-reboot-process/ - that could probably be, somehow, integrated into Puppet but if there's an easier way or modules that do it already, then I would appreciate a pointer.

Thanks
Alex

Brian Mathis

Jun 11, 2014, 2:55:51 PM
to puppet-users
Why not use WSUS?  This is what it's made for, it's already part of Windows, and can be easily managed from the WSUS console.  Once you're operating in a Windows world, your life will be far better by doing things the "Windows Way" instead of resisting it.

Sounds like a case of: "if the only tool you have is a hammer, to treat everything as if it were a nail"

Incidentally, you typically wouldn't use Puppet to handle OS updates either (apt-get upgrade, yum update), which is the same thing, so it's not even a case of a Windows-specific thing.

That's not to say that Puppet couldn't be abused into doing it.


❧ Brian Mathis
@orev


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/87d8f0d8-8c47-4236-843a-5b5f1aa5d1b9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alex Scoble

Jun 11, 2014, 7:59:27 PM
to puppet...@googlegroups.com
You could use Puppet to manage WSUS though using stuff like PoshWSUS https://poshwsus.codeplex.com/

Gregory Orange

Jun 11, 2014, 10:14:24 PM
to puppet...@googlegroups.com
On 12/06/14 02:55, Brian Mathis wrote:
> Once you're
> operating in a Windows world, your life will be far better by doing
> things the "Windows Way" instead of resisting it.

Unless it yields a natural path toward Windows machines and services
proliferating despite you (perhaps) not wanting that. If you've a Samba
domain controller and only enough Windows machines to satisfy actual
need, then finding other methods can be quite useful.

> Incidentally, you typically wouldn't use Puppet to handle OS updates
> either (apt-get upgrade, yum update), which is the same thing, so it's
> not even a case of a Windows-specific thing.

Related, but not directly on topic:
We're getting good mileage out of Puppet performing our 'freebsd-update
cron' for the core of our OS, and I'm currently implementing a system
based on poudriere to build our packages, so that they can be maintained
on nodes by Puppet.

I never really thought I'd say it, but the more control I take over our
FreeBSD infrastructure, the more I hope to be able to use it instead of
GNU/Linux for a long time to come.

Greg.

Pskov Shurik

Jun 12, 2014, 6:00:38 AM
to puppet...@googlegroups.com
Thanks all for responses. Does seem like Puppet isn't really the tool for the job but can be persuaded to do it. I found Puppet WSUS, which leverages PoshWSUS to control WSUS... but you still need WSUS. I am not really sure why we are not using it... something to discuss with the management!

Josh Cooper

Jun 12, 2014, 11:49:25 AM
to puppet...@googlegroups.com
On Thu, Jun 12, 2014 at 3:00 AM, Pskov Shurik <pskov...@gmail.com> wrote:
> Thanks all for responses. Does seem like Puppet isn't really the tool for the job but can be persuaded to do it. I found Puppet WSUS, which leverages PoshWSUS to control WSUS... but you still need WSUS. I am not really sure why we are not using it... something to discuss with the management!

Puppet is also good at ensuring the Windows Update service is running on agents, updates are enabled, pointing to the correct WSUS server, etc., and there is a module for that: https://forge.puppetlabs.com/liamjbennett/windows_autoupdate

--
Josh Cooper
Developer, Puppet Labs

Join us at PuppetConf 2014, September 20-24 in San Francisco
Register by July 31st to take advantage of the Early Bird discount: save $249!
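
The client-side state described in the reply above (Windows Update service running, updates enabled, agents pointed at a WSUS server), written out as a Puppet manifest. This is an added example, not code from the thread or from the windows_autoupdate module; it assumes the puppetlabs-registry module and Puppet 4 or later, and the class name and WSUS URL are hypothetical placeholders.

```puppet
# Added example (not from the thread). Needs the puppetlabs-registry module.
# The class name and WSUS URL are hypothetical placeholders.
class profile::windows_update_client (
  String  $wsus_url  = 'https://wsus.example.internal:8531',
  Integer $au_option = 4,  # 4 = auto download and schedule the install
) {
  $wu_key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
  $au_key = "${wu_key}\\AU"

  registry_key { [$wu_key, $au_key]:
    ensure => present,
  }

  # Point both detection and status reporting at the same WSUS server.
  registry_value { ["${wu_key}\\WUServer", "${wu_key}\\WUStatusServer"]:
    ensure => present,
    type   => string,
    data   => $wsus_url,
  }

  # UseWUServer = 1: use the server above instead of Microsoft Update.
  registry_value { "${au_key}\\UseWUServer":
    ensure => present,
    type   => dword,
    data   => 1,
  }

  # NoAutoUpdate = 0: automatic updates stay enabled.
  registry_value { "${au_key}\\NoAutoUpdate":
    ensure => present,
    type   => dword,
    data   => 0,
  }

  registry_value { "${au_key}\\AUOptions":
    ensure => present,
    type   => dword,
    data   => $au_option,
  }

  # Keep the Windows Update service (wuauserv) enabled and running.
  service { 'wuauserv':
    ensure => running,
    enable => true,
  }
}
```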