We have a number of Debian servers that need to be patched and manual patching becomes an issue as their number grows. What I am lookig at is a way to push patches to the servers from the central location and have some sort of reporting on how it goes.I believe that there shoud be relatively easy way to do it without buying third party tools. Puppet comes to my mind but maybe there are other ideas that can serve this purpose better?
Asked
Active
Viewed 4,480 times
3 Answers
6
Puppet is great, but doesn't really handle that problem.
What should work (I've done the theory but haven't rolled it out) is using cron-apt in combination with repositories managed by debmashal to approve the patches that cron-apt will then deploy.
Debmarshal is out of google and there's a tech talk available on it:
LapTop006
- 6,496
- 20
- 26
1
We are trialling using puppet to roll out the majority of security updates. We only use it to roll out packages that we don't care about. We don't use it, for example, to upgrade MySQL, because we would need to arrange downtime, and should do that by hand. On the other hand we have upgrades like Mutt, which can just be upgraded without much concern. We did this by creating a define which takes the package name as the name and a version parameter. We didn't implement this using the native "package" type, because there could be conflicts with other manifests and there is no way to only upgrade packages which are installed. Puppet would install the package regardless.
Our current problems with this solution is that we have three different distributions to track (Jaunty, Hardy and Dapper) and keeping the file up to date with the output of apticron is a little time consuming, but hopefully both these problems can be fairly easily solved, or at least greatly reduced, with some scripting to automatically create the manifest files direct from the emails. This is the next step. If this works, then I'd recommend it as a valid method. If it doesn't, then it's possibly too much work.
David Pashley
- 23,497
- 2
- 46
- 73
0
I'm not sure how many Debian servers you have so it's hard to say whether or not this would scale appropriately for you, but we do this using SSHD with key-based authentication, ClusterSSH and cron-apt. It's simple enough to start ClusterSSH for our two dozen or so Debian machines, and execute an aptitude update && aptitude upgrade (or whatever apt command is required). Because cron-apt is set to automatically download, but not install the appropriate .deb files, it is just a matter of reviewing what patches are available, deciding which ones we want to install, and then sending the desired aptitude commands to all of the hosts to upgrade them in one fell swoop.