1

I am thinking of using Puppet for massive patch management.

The way to go with this, based on some research, is to create a class and apply it wherever you need, like in the following case:

class mypack_update {
  package { 'mypack':
    # ensure => '1.0.1d-15.el6',
    ensure => '1.0.1g-16.el6_5.7',
  }
}

However, this does not seem practical, especially if you have hundreds of available patches, from kernel to ssl, bash, etc., on many machines.

Is there any best practice that I could follow to make this easier?

The Linux distro we mostly use is SLES 11.3.

trikelef
    If you really want to do it like this, you would get far more efficiency passing a variable that switches between "installed" and "latest", since those are the two states you will mostly want (rather than the specific version) – Andy Jan 21 '15 at 13:02

2 Answers

1

The way we do it is to use "ensure => 'latest'"; however, this is done against a controlled, already tested repo. It gets more complicated if your environment has different roles with different requirements; then you need to use facts as a sensory mechanism to determine which patch applies to which role. We do this in Hiera. After having done it for a year or so, I believe the right answer would be integrating Puppet with a repo management system such as Pulp, and that is exactly what Satellite 6 is doing.

Walid
0

Assuming that the impracticality you mention is the generation of such a class, that could potentially be done with some scripting. Combined with hiera, you could then have a .yaml list of packages with a version ID, and your puppet setup could look like this:

hieradata/patchlist.yaml:

---
packages:
  mypack:
    ensure: 1.0.1g-16.el6_5.7
  otherpack:
    ensure: latest
  otherpacktwo:
    ensure: 2.0.1

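yourclass.pp:

class patchset {
    # create_resources needs the resource type ('package') and a hash of
    # resources; the hash is read from the 'packages' key in Hiera.
    create_resources('package', hiera_hash('packages'))
}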

As to the scripting part, some awk/perl-fu applied to the rpm -qa command on a server you know has the right patches should do the job.

shearn89
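
The scripting step mentioned in the answer above, as an added example that is not part of the original post: it turns the package inventory of a known-good host into the `packages:` hash for hieradata/patchlist.yaml. The function names `rpm_to_patchlist` and `sample_inventory` are hypothetical, the sample inventory lines are constructed, and the input is assumed to be `name version-release` pairs.

```shell
#!/bin/sh
# Added example: turn a known-good host's package inventory into patchlist.yaml.
# On the reference host the input would come from (real rpm options):
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n'

# Constructed sample inventory, standing in for the rpm output above.
sample_inventory() {
    cat <<'EOF'
mypack 1.0.1g-16.el6_5.7
otherpacktwo 2.0.1-1
kernel-default 3.0.76-0.11.1
kernel-default 3.0.101-0.47.71.1
gpg-pubkey 307e3d54-4be01a65
bash 3.2-147.17.30
bash 3.2-147.17.30
EOF
}

# Hypothetical helper: reads "name version-release" lines, writes Hiera YAML.
rpm_to_patchlist() {
    # sort -u collapses identical lines (same package installed for two arches).
    LC_ALL=C sort -u | awk '
        # Accept only well-formed lines so odd input cannot break the YAML.
        NF != 2 || $1 !~ /^[A-Za-z0-9][A-Za-z0-9._+-]*$/ || $2 !~ /^[A-Za-z0-9._+~-]+$/ {
            print "skipped malformed line: " $0 > "/dev/stderr"; next
        }
        # gpg-pubkey entries are imported signing keys, not installable packages.
        $1 == "gpg-pubkey" { next }
        { if (!($1 in count)) order[++n] = $1; count[$1]++; ver[$1] = $2 }
        END {
            print "---"; print "packages:"
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (count[name] > 1) {
                    # Several versions side by side (typically kernels): a package
                    # resource title must be unique, so leave these to a human.
                    print "skipped multi-version package: " name > "/dev/stderr"
                    continue
                }
                # Quote the version so YAML always reads it as a string.
                printf "  %s:\n    ensure: \047%s\047\n", name, ver[name]
            }
        }'
}
```

Skipped entries are reported on stderr, so redirecting only stdout to the YAML file keeps the list of packages that still need a manual decision visible.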