
I'm playing around with Rudder (http://www.rudder-project.org/site/) but can't seem to see an option for what I want.

I'd like all packages on the 'nodes' checked for updates then upgraded, the equivalent of 'apt-get update && apt-get upgrade' on a Debian box.

I see directives for package management but they all seem to be for updating/installing individually named packages, not updating all packages currently on each node.

What is the best way of doing what I'm after?

GoldieLocks

2 Answers


I think the best way to achieve this is to create a technique with the technique editor, with a "command execution result" of "/usr/bin/apt-get update && /usr/bin/apt-get upgrade -y", with 0 as success and 1 as repaired.

Please note that this will be executed at every run, which may not be what you want, but you can use a condition to run it only at night or during a specific range of dates.

You can also look into "Job Scheduler" Directives, or create a technique using "Schedule" methods, in which you can define something to execute, like a cron job ...

Vincent Membré

Actually, using apt-get install -y will not suppress all prompts. If you (or Rudder on your behalf!) modify any of the control files for a package, apt-get will ask you if you want to keep your config file, or replace it with the package maintainer's version.

Many folks deal with this by using something like this:

    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt-get dist-upgrade \
        -q -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"

It is important to note that you cannot safely do this without investigating. The above invocation answers "No", which means that you must investigate the changes the package will make beforehand and make sure Rudder will change the control files to include necessary changes.

For example, sometimes critical security fixes are made in the control files of a package (/etc/ImageMagick-6/policy.xml is one example). If you answer "No" or use --force-confold, the package update will not protect you against the vulnerability, but the package version will suggest that the fix is implemented (you are, after all, running the package version with the fix).

The only way to get this right is to install all the packages you use on an acceptance server, update it, say, a week before production, and collect and review all the .dpkg-new files that have been created. Yup, that's a lot of work and yup, not many companies do that, but if you automate updates you'd better be sure you're not papering over important configuration changes.

I'm toying with ideas on how to use Rudder to help me do this right, but haven't yet put a spade into the ground...

BertD
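The two answers together describe one procedure: run the non-interactive upgrade (the first answer's command-execution technique, with the second answer's dpkg options so nothing prompts), then, on an acceptance host, collect and review the .dpkg-new / .dpkg-dist files that --force-confold leaves behind before promoting the same package set to production. The script below is an added example of that workflow; it is not from either answer or from the Rudder project. It assumes a Debian-style /etc layout, root privileges for the upgrade step, and no whitespace in configuration paths; the function names and the report format are my own.

```shell
#!/bin/sh
# Added example (not from the answers above): non-interactive upgrade on an
# acceptance host, then a report of every maintainer config that dpkg kept
# aside instead of installing (*.dpkg-new / *.dpkg-dist), so the change can be
# reviewed and ported into the Rudder-managed template before production.
# Assumptions: Debian-style /etc, root for the upgrade, no whitespace in paths.

# Step 1: the upgrade itself. --force-confdef/--force-confold keep the local
# config and write the maintainer's version next to it as <file>.dpkg-new,
# which is exactly what step 2 goes looking for.
noninteractive_upgrade() {
    DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical \
        apt-get -q -y \
            -o "Dpkg::Options::=--force-confdef" \
            -o "Dpkg::Options::=--force-confold" \
            dist-upgrade
}

# Step 2: list pending maintainer configs under a root directory (default /etc).
# Prints one line per leftover: "<installed path> <leftover path>".
list_pending_configs() {
    root="${1:-/etc}"
    find "$root" -type f \( -name '*.dpkg-new' -o -name '*.dpkg-dist' \) -print |
    sort |
    while read -r leftover; do
        installed="${leftover%.dpkg-new}"
        installed="${installed%.dpkg-dist}"
        printf '%s %s\n' "$installed" "$leftover"
    done
}

# Step 3: show, per file, what the maintainer's version would have changed.
# This is the diff to read when deciding whether a security-relevant change
# (the answer's /etc/ImageMagick-6/policy.xml case) must be carried into the
# Rudder-managed file.
diff_pending_configs() {
    root="${1:-/etc}"
    list_pending_configs "$root" | while read -r installed leftover; do
        echo "=== $installed"
        diff -u "$installed" "$leftover" || true   # diff exits 1 on differences
    done
}

# Step 4: a number usable as a promotion gate ("0" means nothing is pending).
pending_config_count() {
    list_pending_configs "${1:-/etc}" | wc -l | tr -d ' '
}

# Typical acceptance-host run (uncomment to use):
# noninteractive_upgrade && diff_pending_configs /etc
# [ "$(pending_config_count /etc)" = "0" ] || echo "configs need review before production"
```

On the acceptance host the first two lines of the usage comment do the work; the count function is the piece to wire into whatever gate promotes the package set to production a week later, and the diff output is what gets compared against the files Rudder manages.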