Configuring patch management
To enable patch management, create a node group for nodes you want to patch and add the node group to the PE Patch Management parent node group.
Patch management OS compatibility
Patch management is compatible with select agent operating systems.
Operating system | Versions |
---|---|
CentOS | 7, 8 |
Oracle Linux | 7, 8 |
Red Hat Enterprise Linux | 7, 8 |
Scientific Linux | 7 |
SUSE Linux Enterprise Server | 12, 15 |
Ubuntu | 16.04, 18.04, 20.04 |
Debian | 9, 10, 11 |
Fedora | 32 |
Microsoft Windows | 10 |
Microsoft Windows Server | 2012, 2012 R2, 2016, 2019 |

Note: You must install cron to run patch management on Fedora. To install cron, run dnf install cronie.

Note: You must use PowerShell 3.0 or higher to patch Windows nodes.
Where patch information comes from
Your package management software is responsible for ensuring PE can find the latest patch information available.
The pe_patch module uses OS-level tools or APIs to find patches for nodes. You still have to manage the configuration of your package manager, like YUM, APT, Zypper, or Windows Update, so your nodes can search for updates. For example, if you need to go through a proxy and you use YUM, you must configure this on your own.

A cron job scans for available patches in the background and records the results in the pe_patch fact. You can specify when to run the cron job with parameters in the pe_patch class. Then, patches are applied to specified nodes using the pe_patch::patch_server task or the pe_patch::group_patching plan.

Package versions can be locked with yum versionlock, apt-mark, or zypper addlock, or with a package resource defined in the catalog for the node. The pinned_packages field in the pe_patch fact refers to versions locked using these methods; it does not refer to apt pinned packages, which prioritize packages rather than locking them at a specific version.

Security updates
To find security updates, the pe_patch module uses security metadata when it is available. For example, Red Hat provides security metadata as additional metadata in YUM, Debian performs checks on the repo the updates are coming from, and Windows provides this information by default.
In the console, on the Patches page, security metadata feeds into the Apply patches table where you can filter for Security updates only.
Configure Windows Update
Configure Windows Update on Windows nodes by declaring the wsus_client class:
- Set the server_url parameter to the URL of your WSUS server.
- Set the auto_update_options parameter to AutoNotify to automatically download updates and notify users.
Create a node group for nodes under patch management
Create a node group for nodes you want to patch in PE and add nodes to it. For example, create a node group for testing Windows and *nix patches prior to rolling out patches to other node groups. The PE Patch Management parent node group has the pe_patch class assigned to it and is in the console by default.
Specify patching parameters
Set parameters for node groups under patch management by first applying the pe_patch class to them, then specifying your desired parameters.
Assign a patch management blackout window
Apply a blackout window to prevent PE from applying patches to nodes for a specified duration of time. For example, limit applying patches during an end-of-year change freeze.
Set the blackout_windows parameter of the pe_patch class on the applicable node group. See Specify patching parameters for more information.

Patch management parameters
Configure and tune patch management by adjusting parameters in the pe_patch class.
patch_data_owner - User name for the owner of the patch data. String.
patch_data_group - Group name for the owner of the patch data. String.
patch_cron_user - User account for running the cron job that scans for new patches in the background. String.
manage_yum_utils - Determines if the yum_utils package should be managed by this module on RedHat family nodes. If true, use the yum_utils parameter to determine how it should be managed. Boolean.
yum_utils - If managed, determines what the package is set to. Enum[installed, absent, purged, held, latest].
block_patching_on_warnings - Determines if the patching task should run if there were warnings present on the pe_patch fact. If true, the run aborts and takes no action. If false, the run continues and attempts to patch. Boolean.
fact_upload - Determines if puppet fact upload runs after any changes are made to the fact cache files. Boolean.
apt_autoremove - Determines if apt-get autoremove runs during reboot. Boolean.
manage_delta_rpm - Determines if the delta_rpm package should be managed by this module on RedHat family nodes. If true, use the delta_rpm parameter to determine how it should be managed. Boolean.
delta_rpm - If managed, determines what the delta_rpm package is set to. Enum[installed, absent, purged, held, latest].
manage_yum_plugin_security - Determines if the yum_plugin_security package should be managed by this module on RedHat family nodes. If true, use the yum_plugin_security parameter to determine how it should be managed. Boolean.
yum_plugin_security - If managed, determines what the yum_plugin_security package is set to. Enum[installed, absent, purged, held, latest].
reboot_override - Determines if a node reboots after patching. This overrides the setting in the task. Variant[Boolean, Enum[always, never, patched, smart, default]].
  - always - The node always reboots during the task run, even if no patches are required.
  - never (or false) - The node never reboots during the task run, even if patches are applied.
  - patched (or true) - The node reboots if patches are applied.
  - smart - Uses the OS-supplied tools, like needs_restarting on RHEL or a pending reboot check on Windows, to determine whether a reboot is required; the node reboots only if it is.
  - default - Uses whatever option is set in the reboot parameter for the pe_patch::patch_server task.
patch_group - Identifies nodes in or across patching node groups to run patching plans against.
pre_patching_scriptpath - The full path to an executable script or binary on the target node to be run before patching.
post_patching_scriptpath - The full path to an executable script or binary on the target node to be run after patching.
patch_cron_hour - The hour or hours to run the cron job that scans for new patches.
patch_cron_month - The month or months to run the cron job that scans for new patches.
patch_cron_monthday - The day or days of the month to run the cron job that scans for new patches.
patch_cron_weekday - The weekday or weekdays to run the cron job that scans for new patches.
patch_cron_min - The minute or minutes to run the cron job that scans for new patches.
ensure - Use present to install scripts, cron jobs, files, etc. Use absent to clean up a system that previously hosted them.
blackout_windows - Determines a window of time when nodes cannot be patched. Hash.
windows_update_criteria - Determines which types of updates Windows Update searches for. To search both software and driver updates, remove the Type argument. String.
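The following profile class is an added example, not code from the Puppet Enterprise documentation or the pe_patch module. It pulls together the parameters listed above and the Windows Update configuration from the "Configure Windows Update" section into one declaration a node group could be classified with. The class name profile::patching, the patch group name, the script paths, the WSUS URL, the blackout window name and dates, and the start/end key names inside the blackout_windows hash are all assumptions not stated on this page; the windows_update_criteria value is a Windows Update Agent search string. Parameter names and the meaning of their values are taken from the list above.

```puppet
# Added example (not from the PE docs or the pe_patch module).
# Assumptions: class name, patch group, script paths, WSUS URL, the blackout
# window's name/dates and its 'start'/'end' keys, and string-typed cron fields.
class profile::patching (
  String  $patch_group = 'pilot',   # assumed patch group name
  Boolean $is_windows  = $facts['os']['family'] == 'windows',
) {

  # Change freeze: nothing is patched between the two timestamps (assumed).
  $blackouts = {
    'End of year change freeze' => {
      'start' => '2023-12-15T00:00:00+00:00',
      'end'   => '2024-01-05T23:59:59+00:00',
    },
  }

  # Pre/post hooks only exist on *nix in this example (assumed paths).
  $pre_script  = $is_windows ? { true => undef, default => '/usr/local/sbin/pre-patch-snapshot.sh' }
  $post_script = $is_windows ? { true => undef, default => '/usr/local/sbin/post-patch-healthcheck.sh' }

  class { 'pe_patch':
    ensure                     => present,
    patch_group                => $patch_group,
    # Scan for new patches every day at 02:30.
    patch_cron_hour            => '2',
    patch_cron_min             => '30',
    patch_cron_weekday         => '*',
    patch_cron_monthday        => '*',
    patch_cron_month           => '*',
    # Fail closed: abort the run if the pe_patch fact carries warnings.
    block_patching_on_warnings => true,
    # Push refreshed facts so the console reflects the post-patch state.
    fact_upload                => true,
    # Let needs_restarting / the Windows pending-reboot check decide on reboots.
    reboot_override            => 'smart',
    pre_patching_scriptpath    => $pre_script,
    post_patching_scriptpath   => $post_script,
    blackout_windows           => $blackouts,
    # Keep the RedHat-family helpers present so security metadata is usable.
    manage_yum_utils           => true,
    yum_utils                  => 'installed',
    manage_yum_plugin_security => true,
    yum_plugin_security        => 'installed',
    # Software updates only; remove the Type clause to include driver updates.
    windows_update_criteria    => "IsInstalled=0 and Type='Software' and IsHidden=0",
  }

  # Windows nodes also need Windows Update pointed at the internal WSUS server.
  if $is_windows {
    class { 'wsus_client':
      server_url          => 'http://wsus.example.com:8530', # assumed WSUS URL
      auto_update_options => 'AutoNotify',
    }
  }
}
```

Setting block_patching_on_warnings to true and reboot_override to smart is the conservative combination: a node whose last scan reported a problem is skipped rather than patched blind, and reboots happen only when the OS reports one is pending. The blackout window is enforced by the module, so a patching plan run during the freeze takes no action on these nodes.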
Disable patch management
Use the console to disable patch management by editing the ensure parameter in the PE Patch Management node group.
You can also remove patch management by deleting patching node groups.