Patching nodes

After you set up patch management, you can view available patches and apply them to your nodes using the pe_patch::patch_server task. Review the optional parameters for the patch_server task before running it.

Patch nodes

Select patches and then apply them by running the pe_patch::patch_server task. Limit patches to security or non-security updates, Windows or *nix nodes, or a specific patch group.

Before you begin
Ensure you have permission to run the pe_patch::patch_server task. The pe_patch::patch_server task is what applies patches and optionally reboots the selected nodes.

  1. On the Patches page, in the Apply patches section, use the filters to specify which patches to apply to which nodes.
    Note: Filters use AND logic. This means that if you select Security updates and Windows, the results include only security patches for Windows nodes, not all security patches plus all Windows patches.
  2. Select Run > Task.
    The Run a task page appears with patching information pre-filled for the pe_patch::patch_server task.
  3. Optional: In the Job details field, provide a description of the task run. This appears on the Tasks page.
  4. Optional: Under Task parameters, add optional parameters to the task. See Patching task parameters for a full list of available parameters.
    Note: You must click Add parameter for each optional parameter-value pair you add to the task.
  5. Optional: If you want to schedule the task to run later, under Schedule, select Later and choose a time.
  6. Select Run task to apply patches.
To check the status of the task, look for it on the Tasks page. You can filter the results to view only pe_patch tasks.
Note: When using patch management to update core packages that affect the networking stack, the task run might look like it failed due to the PXP agent on the node losing connection with the primary server. However, the task still completes successfully. You can confirm by checking the pe_patch fact to verify the relevant packages were updated.
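One way to do the check described in the note above, as an added example that is not part of the Puppet documentation: compare the pe_patch fact captured before the task run with the fact the node reports after it reconnects. The package_updates key (a list of packages with pending updates) and the sample fact values are assumptions constructed for illustration.

```python
import json

def pending(facts):
    """Return the set of packages the pe_patch fact lists as pending, or None if absent."""
    fact = facts.get("pe_patch")
    # "package_updates" is an assumed key name for the list of pending updates.
    if not isinstance(fact, dict) or "package_updates" not in fact:
        return None  # fact missing: the node has not reported, nothing can be concluded
    return set(fact["package_updates"])

def verify_patch_run(before, after, targeted=None):
    """Classify a task run by comparing pending updates before and after it."""
    was, now = pending(before), pending(after)
    if was is None or now is None:
        return {"status": "unknown", "updated": [], "still_pending": []}
    # Only packages that were pending before the run (and optionally targeted) count;
    # updates published after the run must not be read as a failed run.
    scope = was if targeted is None else was & set(targeted)
    still = sorted(scope & now)
    done = sorted(scope - now)
    if not scope:
        status = "nothing_to_do"
    elif not still:
        status = "applied"
    elif done:
        status = "partial"
    else:
        status = "not_applied"
    return {"status": status, "updated": done, "still_pending": still}

# Constructed sample facts for one node (not real output).
BEFORE = json.loads('{"pe_patch": {"package_updates": ["NetworkManager", "glibc", "openssl"]}}')
AFTER = json.loads('{"pe_patch": {"package_updates": ["curl"]}}')  # curl: published after the run
STALE = json.loads('{"pe_patch": {"package_updates": ["NetworkManager", "glibc", "openssl"]}}')

if __name__ == "__main__":
    print(verify_patch_run(BEFORE, AFTER))
    print(verify_patch_run(BEFORE, STALE, targeted=["NetworkManager"]))
    print(verify_patch_run(BEFORE, {}))
```

Take the second snapshot only after the node has submitted fresh facts; an "unknown" or "not_applied" result from stale facts says nothing about the run itself.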

Patching task parameters

The pe_patch::patch_server task applies patches to nodes. When you patch nodes in the console, most of the information for the patch_server task is prefilled on the Run a task page, but you can add additional parameters to the task before you run it. Here are the optional parameters to review before you run the patching task.

Determines if the server should reboot after applying patches. [Boolean, Enum [always, never, patched, smart]]
  • always - The node always reboots during the task run, even if no patches are required.
  • never (or false) - The node never reboots during the task run, even if patches are applied.
  • patched (or true) - The node reboots if patches are applied.
  • smart - Use the OS-supplied tools, like needs_restarting on RHEL or a pending reboot check on Windows, to determine if a reboot is required. If a reboot is required, the node reboots; otherwise, it does not reboot.
Default: never
Determines how many seconds elapse before the task run times out. Integer.
Default: 3600 (seconds)
Indicates what additional parameters to include in the yum upgrade command, such as including or excluding repos. String.
Default: undef
Indicates if the yum/dpkg caches are cleaned at the start of the task. Boolean.
Default: false
Indicates what additional parameters to include in the dpkg command. String.
Default: undef
Determines whether to include only security patches in a task run. Boolean.
Default: false
Indicates what additional parameters to include in the zypper update command. String.
Default: undef