Puppet as patch management


Alfredo De Luca

Mar 11, 2015, 7:37:26 AM
to puppet...@googlegroups.com
Hi all.
I am configuring Puppet in our environment for configuration
management. Also I am using Hiera and it's so great so far.
Now managers are asking if we can use it as a patch mgmt tool. I said
Puppet isn't, but it can help with patch/pkg distribution, which I
think could be very good.
Do you agree on that?
Any more info/thoughts would be appreciated.

Regards


--
Alfredo

Alessandro Franceschi

Mar 11, 2015, 9:26:17 AM
to puppet...@googlegroups.com
I agree with what you wrote.
Puppet is not the best tool to execute one-shot operations like patching or deploying of applications.
It's good at maintaining the state of the resources of our systems, so you can use it to configure what you need to manage the patching or the deployment of a system's package or an application (apt/yum config files, deploy scripts, ssh keys, sudo permissions... ), but not to trigger the operation itself.

my2c
al

Alfredo De Luca

Mar 11, 2015, 7:48:56 PM
to puppet...@googlegroups.com

Agree.
Thanks


Angel L. Mateo

Mar 12, 2015, 2:59:57 AM
to puppet...@googlegroups.com
On 11/03/15 at 14:26, Alessandro Franceschi wrote:
> I agree with what you wrote.
> Puppet is not the best tool to execute one-shot operations like patching
> or deploying of applications.
> It's good at maintaining the state of the resources of our systems, so
> you can use it to configure what you need to manage the patching or the
> deployment of a system's package or an application (apt/yum config
> files, deploy scripts, ssh keys, sudo permissions... ), but not to
> trigger the operation itself.
>
Although I agree with Alessandro that puppet is not the best solution
to run one-shot operations, we are using it to patch a few exceptional
cases where we need that some files (installed from a package which is
installed from puppet).

The advantage of this is that you can develop a new machine and ensure
that it is in the correct state with no extra effort.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337

Alex Harvey

Mar 12, 2015, 3:41:05 AM
to puppet...@googlegroups.com
I don't recommend using Puppet for anything to do with patching, even in the distribution of the patches.  (Actually, I'm not sure how Puppet would be used to distribute patches even in principle.)  Anyhow, sooner or later you're going to want a tool that was actually designed for patch and package management, so to save yourself expensive rework I'd just do it at the outset.  You may find that something like MCollective is useful if you need a way to, say, run yum update on a lot of boxes all at once, but that's about it.

Brian Morris

Mar 12, 2015, 2:45:16 PM
to puppet...@googlegroups.com
I don't have enough nodes to justify running my own patch repository, but here is the manifest I use for patching our Debian-derived systems. First, though, here is the facter called "updates_already_running"

Facter.add(:updates_already_running) do
  confine :osfamily => "Debian"
  setcode do
    # In a Ruby double-quoted string "\|" is just "|", so the pattern reached
    # grep as the literal text 'dpkg|apt-get'; "\\|" keeps the alternation
    # that basic grep expects. exec returns nil when grep finds nothing.
    if Facter::Util::Resolution.exec("ps aux | grep 'dpkg\\|apt-get' | grep -v grep")
      "yes"
    end
  end
end

And, here is the manifest:

class system_updates {
  # ==Purpose
  # This class is used for running system updates on all Linux assets.
  #
  # ==Actions
  # * Compiles a list of available updates
  # * Ensures that any pending package problems are resolved
  # * Applies all available updates
  # * Automatically cleans up any packages that are no longer needed
  # * Empties genericadmin's mailbox
  # * Reboots the system if any updates require it
  #
  # None of the execs below has an unless/onlyif/creates guard, so the whole
  # chain runs on every agent run unless the custom fact reports that an
  # apt/dpkg process is already active.

  # Exec needs either fully qualified commands or a search path; without one
  # every exec below fails validation ("is not qualified and no path was specified").
  Exec {
    path => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
  }

  unless $::updates_already_running {
    Exec['lock_prep'] -> Exec['apt_prep'] -> Exec['apt_update'] -> Exec['apt_fix'] ->
    Exec['apt_upgrade'] -> Exec['apt_remove'] -> Exec['empty_mailbox'] -> Exec['reboot']

    # Only safe because the fact above checked that no apt/dpkg process holds these locks.
    exec { 'lock_prep':
      command => 'rm -f /var/lib/dpkg/lock ; rm -f /var/lib/apt/lists/lock ; rm -f /var/cache/apt/archives/lock',
    }

    exec { 'apt_prep':
      command => 'rm -rf /var/lib/apt/lists/* ; mkdir /var/lib/apt/lists/partial',
    }

    exec { 'apt_update':
      command => 'apt-get update',
    }

    exec { 'apt_fix':
      command => 'apt-get -f install',
    }

    exec { 'apt_upgrade':
      command => 'apt-get -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" -y --force-yes dist-upgrade',
    }

    exec { 'apt_remove':
      command => 'apt-get -y autoremove',
    }

    exec { 'empty_mailbox':
      command => 'echo "" > /home/genericadmin/mbox',
      onlyif  => 'test -f /home/genericadmin/mbox',
    }

    exec { 'reboot':
      command => 'reboot',
      onlyif  => 'test -f /var/run/reboot-required',
    }
  }
}

I hope this helps you.

Brian

Alex Harvey

Mar 13, 2015, 1:55:30 AM
to puppet...@googlegroups.com
While it's possible to do stuff like this in Puppet, it's not really configuration management that you're doing here; it's systems administration.  If your requirement is to have patches installed automatically, I would write this as a 10 line shell script, and have Puppet just take care of installing the script as a cron task.
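One way to lay out what Alessandro and Alex describe, as an added example that is not from the thread or from any poster: Puppet owns the script file and the cron entry (configuration state), while the script does the one-shot patch run, refusing to start while apt/dpkg is busy instead of deleting lock files. It assumes a Debian-derived host with flock and fuser available; the class name, paths and log file are made up here.

```puppet
# Added example: Puppet manages the script and its schedule, not the run itself.
class patch_cron (
  $hour    = 3,
  $minute  = 15,
  $weekday = 'Sunday',
) {
  # The script skips the run if another run or apt/dpkg is active (it never
  # deletes lock files), applies updates non-interactively, logs everything,
  # and reboots only when the OS says a reboot is required.
  $script = '#!/bin/sh
set -eu
export DEBIAN_FRONTEND=noninteractive
LOG=/var/log/patch_cron.log
exec 9>/var/lock/patch_cron.lock
flock -n 9 || { echo "$(date -Is) another run is active, skipping" >>"$LOG"; exit 0; }
if fuser /var/lib/dpkg/lock /var/lib/apt/lists/lock >/dev/null 2>&1; then
  echo "$(date -Is) apt/dpkg busy, skipping" >>"$LOG"; exit 0
fi
{
  echo "$(date -Is) patch run started"
  apt-get -q update
  apt-get -q -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold dist-upgrade
  apt-get -q -y autoremove
  echo "$(date -Is) patch run finished"
} >>"$LOG" 2>&1
if [ -f /var/run/reboot-required ]; then
  shutdown -r +5 "patch_cron: reboot required after updates" >>"$LOG" 2>&1
fi
'
  file { '/usr/local/sbin/patch_cron.sh':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    content => $script,
  }

  # Puppet only converges this entry; cron, not the agent run, triggers patching.
  cron { 'patch_cron':
    ensure  => present,
    command => '/usr/local/sbin/patch_cron.sh',
    user    => 'root',
    hour    => $hour,
    minute  => $minute,
    weekday => $weekday,
    require => File['/usr/local/sbin/patch_cron.sh'],
  }
}
```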

Martin Willemsma

Mar 13, 2015, 5:08:16 AM
to Puppet Users
I do have a success story for using Puppet as a patch management tool. We build a system around PuppetDB and our internal CMDB to have patches installed automatically according to update schedules (input for puppet schedule type) and in a controlled manner.

- Display package updates from PuppetDB in our CMDB
- Manage schedules for installing the updates per node/region/datacenter
- Review, Commit and Approve updates

The puppetmaster is fetching the approved update information for nodes from our CMDB in its agent run together with the configured schedules. All nodes we manage have the module with the package update manifest. In an agent run a node is checking if it is enabled for auto updates, if so which updates are approved and installs them according to the assigned schedule. After the update run the stdout and stderr are available in the CMDB.

This works very well for us and allows unattended installation of updates in a controlled manner.


--
Met vriendelijke groet, Kind Regards,

Martin Willemsma
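A minimal Puppet-side sketch of the approach Martin describes, as an added example that is not Martin's code and does not include the CMDB or PuppetDB integration: the per-node opt-in, the approved package versions and the window arrive as class parameters (which Hiera or an ENC fed from a CMDB could supply), and the package resources are bound to a schedule so they only converge inside the window. The class name, parameter names and the sample version are made up.

```puppet
# Added example: approved-version patching driven by external data.
class approved_updates (
  $enabled  = false,           # per-node opt-in, e.g. supplied from Hiera/CMDB
  # Hash of package name => { 'ensure' => '<approved version>' }, e.g.
  #   { 'example-agent' => { 'ensure' => '2.4.1-1' } }   (constructed sample)
  $approved = {},
  $weekday  = 'Sunday',
  $range    = '02:00 - 04:00',
) {
  # Only resources that reference this schedule are applied inside the
  # window; outside it Puppet skips them, so an agent run at noon changes nothing.
  schedule { 'patch_window':
    weekday => $weekday,
    range   => $range,
    period  => 'daily',
    repeat  => 1,
  }

  if $enabled {
    # The package type is convergent: a node already at the approved version
    # is a no-op, a node behind is brought to exactly that version rather than
    # to whatever the mirror currently has newest. Each change lands in the
    # agent report, which is what PuppetDB can hand back to a CMDB.
    create_resources('package', $approved, { 'schedule' => 'patch_window' })
  }
}
```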

Alfredo De Luca

Mar 13, 2015, 7:37:17 PM
to puppet...@googlegroups.com

Thanks Martin.  It sounds really good.
Would you share some configuration on place?
When you say patching you mean only linux with packages updates?
Regards
