
Stop putting off patching!

Let's face it: no one likes patching. When I was a practitioner, we always put off patching until it was absolutely necessary. Until a business need – such as updating an application version or support ending for a version – arose, we didn't patch because "If it ain't broke, don't fix it." We all know this is a bad practice; let's remind ourselves why.

The longer a system goes without being patched, the more changes will accumulate. This exposes the machine to well-known vulnerabilities and prevents taking advantage of updates to functionality. Inconsistent patching leads to challenges in supporting a diverse environment, problems rolling out application updates, and difficulties in proving compliance during audits.

The bad news is that the longer you put off patching, the more difficult patching becomes and the more brittle the process is. The good news is the reverse is also true. The more routine patching is, the more of a non-event patching becomes. And Puppet can help!

The patching problem

Most modern organizations have a mix of operating systems and varying versions within those OSes. This can lead to bespoke patching practices for each, using the default package manager for the OS. This is challenging at any size, but it truly becomes a huge burden at scale.

The multitude of patching practices leads to poor visibility. Out-of-the-box package managers really aren't designed for reporting. Collecting data on what resources are patched and what aren't, even on a single OS, is a manual process. Reporting across operating systems and versions is nearly impossible.

Similarly, fine-grained control over scheduling is difficult and generally requires a separate orchestrator for each package manager. Along with that, reporting on patching success and current patch levels just isn't easy. It's hard to assess which servers have and haven't been patched, even within a single OS, without a lot of manual data-gathering.


Enter Puppet Patch Management

Puppet Patch Management is used to orchestrate patching and to report on success and patch levels across your entire IT estate. Puppet gives you the flexibility to trigger patching manually, schedule it with the built-in orchestrator, or trigger a patching run via the Puppet API. Patch Management also lets you distinguish updates designated as security-related from non-security updates (where the package manager supports that distinction) and apply either set or both. But the real value Patch Management brings is in the fine-grained control of patch groups.

Patch groups are exactly what you'd think; they're groups of servers that make sense in your environment that will be patched together. In a simple setup, those groups might be “Development,” “Test” and “Production.” Patch groups not only facilitate patching like servers as a unit, but the group allows you to customize blackout windows and many configuration and runtime parameters for the group. Patch groups give you the ability to accommodate different schedules, additional flexibility such as when to check for new patches, powerful post-patching options, and many other possibilities.

The Puppet scheduler allows for unattended execution of patching, running patches on a regular schedule, and integrating patching with other regular maintenance via Puppet Tasks. The scheduler also allows you to assign the execution of patches to service desk personnel via RBAC.
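To make the patch-group and blackout-window concepts concrete, here is an added example of how a node is classified into a patch group in Puppet code. It is not code from this post or from Puppet's own documentation; it uses the pe_patch class that ships with Puppet Enterprise, and the parameter names (patch_group, blackout_windows), the hostname and the dates are assumptions to verify against your PE version.

```puppet
# Added example (not from the original post): put one node into the "Test"
# patch group and declare a year-end change freeze during which the
# pe_patch::patch_server task refuses to apply updates to it.
# Parameter names follow the pe_patch class as documented for Puppet
# Enterprise; verify them against the PE version you run.
node 'web01.example.com' {               # constructed placeholder hostname
  class { 'pe_patch':
    # Servers that share a patch_group value are patched together as a unit.
    patch_group      => 'Test',
    # Blackout windows are a hash keyed by a human-readable name; start/end
    # are ISO 8601 timestamps with a UTC offset (constructed sample dates).
    blackout_windows => {
      'Year-end change freeze' => {
        'start' => '2024-12-15T00:00:00+00:00',
        'end'   => '2025-01-05T23:59:59+00:00',
      },
    },
  }
}

# A security-only run against that node, typed on the PE primary server
# (assumed invocation of the pe_patch::patch_server task, shown as a comment):
#   puppet task run pe_patch::patch_server --nodes web01.example.com security_only=true
```

In practice the class and its parameters are usually set on a node group in the PE console rather than in a node block, so the same blackout window applies to every member of the group; the manifest form above simply shows the data that classification carries.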

Stop putting off patching

As any environment grows and diversifies, it becomes more challenging and time-consuming to ensure that it is kept up-to-date and current with the latest software releases. This is inconvenient at best, and dangerous at worst, so having a strategy that incorporates continuous updates is essential to a healthy IT environment. Patch Management helps you stay ahead of the challenges of managing diverse infrastructure at scale, and is part of the overall self-healing solution offered by Puppet. There’s no better way to get started with Puppet-automated infrastructure than to leverage our patch management capabilities to stop putting off patching for good.

John Laffey is the Technical Product Marketing Director at Puppet by Perforce.
