I am thinking of using Puppet for massive patch management.
The way to go with this, based on some research, is to create a class and apply it wherever you need, like in the following case:
class mypack_update {
  package { 'mypack':
    # ensure => '1.0.1d-15.el6',
    ensure => '1.0.1g-16.el6_5.7',
  }
}
However, this seems not to be practical, especially if you have hundreds of available patches (from kernel to ssl, bash, etc.) on many machines.
Is there any best practice that I could follow to make this easier?
The Linux distro we mostly use is SLES 11.3.
Best Answer
The way we do it is to use "ensure => 'latest'"; however, this is done against a controlled, already-tested repo. It gets more complicated if your environment has different roles with different requirements; then you need to use facts as a sensory mechanism to determine which patch applies to which role. We do this in Hiera. After having been doing it for a year or so, I believe the right answer would be integrating Puppet with a repo management system such as Pulp, and that is exactly what Satellite 6 is doing.
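A sketch of the fact-plus-Hiera arrangement the answer describes, added here as an illustration rather than code from the question or the answer. The `role` fact, the class and Hiera key names, the repository URL and the use of the `zypprepo` module (SLES uses zypper rather than yum) are all assumptions.

```puppet
# Added example, not from the original post. Role-driven patch baseline for
# SLES 11 hosts: every package state comes from Hiera, keyed on a custom
# 'role' fact (assumed to exist), and 'latest' is only ever resolved against
# an internal repository that has already been tested.
#
# Assumed hiera.yaml hierarchy (constructed):
#   - "role/%{::role}"
#   - common
#
# Assumed hiera/role/webserver.yaml (constructed sample data):
#   patch_baseline::packages:
#     kernel-default: 'latest'              # tested repo decides the version
#     openssl:        '0.9.8j-0.72.1'       # pinned: constructed version string
#     bash:           'latest'
#
class patch_baseline (
  # package name => ensure value ('latest', 'installed', or an exact version)
  $packages = {},
  # constructed URL of the internal, already-tested mirror
  $repo_url = 'http://repo.example.internal/sles11sp3/tested',
) {
  # Point zypper only at the controlled repo; gpgcheck keeps unsigned
  # packages from a compromised or mis-synced mirror from being installed.
  # (zypprepo comes from the puppet-zypprepo module; parameters assumed.)
  zypprepo { 'tested-patches':
    baseurl     => $repo_url,
    enabled     => 1,
    autorefresh => 1,
    gpgcheck    => 1,
  }

  # Turn the Hiera hash into one package resource per entry, so adding a
  # patch to a role is a data change, not a new class. create_resources
  # keeps this compatible with Puppet 3 era agents.
  $defaults = { require => Zypprepo['tested-patches'] }
  create_resources('package', $packages_as_resources($packages), $defaults)
}

# Helper (assumed name): { 'bash' => 'latest' } -> { 'bash' => { ensure => 'latest' } }
function patch_baseline::packages_as_resources(Hash $pkgs) >> Hash {
  $pkgs.reduce({}) |$memo, $kv| { $memo + { $kv[0] => { ensure => $kv[1] } } }
}
```

Because `ensure => 'latest'` installs whatever the repo currently advertises, the repository itself is the change-control point; review what lands in the tested mirror rather than in each manifest.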