Puppet for Patch Management

configuration-managementpatch-managementpuppetsles

I am thinking of using Puppet for massive patch management.

The way to go with this, based on some research, is to create a class and apply it wherever you need, like in the following case:

class mypack_update {
  package { 'mypack':
   # ensure => '1.0.1d-15.el6',
    ensure  => '1.0.1g-16.el6_5.7',
  }
}

However this seems to be not practical especially if you have hundreds of available patches, from kernel to ssl, bash etc on many machines.

Is there any best practice that I could follow to make this more easy?

The Linux distro we mostly use is SLES 11.3.

Best Answer

The way we do it, is use "ensure => 'latest'", however, this is done against a controlled already tested repo. it gets more complicated if your environment has different roles with different requirements, then you need to use facts as a sensory mechanism to determine which patch applies to which role, we do this in hiera. after have been doing it for a year or so, i believe the right answer would be integrated puppet with repo management system such as pulp, and that is exactly what Satellite 6 is doing.

Related Solutions

Debian – Free centralized patch management for Debian

Puppet is great, but doesn't really handle that problem.

What should work (I've done the theory but haven't rolled it out) is using cron-apt in combination with repositories managed by debmashal to approve the patches that cron-apt will then deploy.

Debmarshal is out of google and there's a tech talk available on it:

http://code.google.com/p/debmarshal/

http://www.youtube.com/watch?v=L3hRToC23mQ

Specifying prerequisites for Puppet custom facts

As far as I know, you can't. Either let it fail, or detect and fail gracefully. I have a number of plugins that only work on Debian that fail on Red Hat without consequence.

Also, please note that it is IMPOSSIBLE to have a fact evaluated AFTER some configuration went in. The architecture just doesn't support it:

Client                               Server
Compute facts
Ask for catalog passing facts =>     Receive Catalog request
                                     Compute catalog using facts
                              <=     Return Catalog
Based on the dependency tree,
  For each configuration with satisfied dependencies
    Apply configuration
    Mark (or not) dependency as satisfied
Send report, if configured so

So, you see, the configuration is only applied long, long after the facts were processed, and there's no way of going back. What may happen is that the next run will now be able to generate that fact.

See also the trick used by the Common module to handle the lack of lsbrelease on Debian without producing fatal errors.

Best Answer

Related Solutions

Debian – Free centralized patch management for Debian

Specifying prerequisites for Puppet custom facts

Related Topic