Last Updated: Mar 27, 2024

Managing Patches in Puppet

Author Yashesvinee V

Introduction

Hello there! 

Did you know that back in the day, punched cards with holes were used to represent digital data and patches made out of magnetic tape were used to cut out certain parts? The patches we use today for fixes or updates have surely come a long way. 

Patching is extremely important for vulnerability management. Puppet offers its users the facility to configure patching node groups according to their needs and view the patches available for their nodes in the console. Let us discuss how to configure patch management and patch nodes in Puppet.


Configuring patch management

To patch, the user must create a node group for the required nodes and add the node group to the PE Patch Management parent node group. Patch management can then be enabled depending on OS compatibility. It is compatible with Microsoft Windows and with current Linux distributions that use the YUM, APT, or Zypper package managers. 

The user needs to manage the configuration of their package manager so that it can search for updates. The pe_patch module uses security metadata to find security updates. Patching involves a cron job that scans for new patches and uploads their details to PuppetDB. Users can schedule the cron job using parameters in the pe_patch class. The pe_patch::patch_server task applies patches to the nodes.

Creating a node group

Step 1: In the console, click on Node groups, and select Add group.

Step 2: Specify the options for the node group. Give the Parent name, Group name, and Environment, and leave the Environment group option unselected. Click on Add.

Step 3: Select the created patching node group.

Step 4: Go to the Rules tab on the Node group details page and add nodes to the group by pinning them individually or adding a rule to add nodes that meet certain specifications.

Step 5: Select Run > Puppet.

Specify Patching parameters

Parameters for node groups under Patch Management can be set using the pe_patch class.

Step 1: Select the patching node group to add parameters.

Step 2: Add the pe_patch class to the node group from the Classes tab and Commit changes.

Step 3: Add the patch_group parameter and specify a value to describe the nodes in the node group. Specify additional parameters, if any, in the pe_patch class.

Users can disable patch management by setting the value of the ensure parameter to absent in the patch management node group or by deleting the patch node group. The Patch Management section will remain active even after disabling patch management, but the Patches page will no longer report patch information.

We can prevent PE from applying patches to nodes for a particular duration using a blackout window. Adding the blackout_windows parameter to the pe_patch class accomplishes this. Its value is a JSON hash whose keys name each blackout window and whose values give the window's start and end as ISO-compliant timestamps. Here is an example.

{
  "End of year change freeze": {
    "start": "2021-12-09T00:00:00+15:00",
    "end": "2022-01-09T23:59:59+15:00"
  }
}
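The following is an added example (not part of the original post or of the pe_patch module) showing how a blackout_windows hash of this shape can be validated and checked against a point in time; the window names and dates in the sample are constructed for illustration, and the timestamp rules (mandatory UTC offset, end after start) are assumptions of this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the same shape as the blackout_windows hash
# shown above; the window names and dates are made up for this example.
SAMPLE_BLACKOUT_WINDOWS = """
{
  "End of year change freeze": {
    "start": "2021-12-09T00:00:00+10:00",
    "end": "2022-01-09T23:59:59+10:00"
  },
  "Quarterly audit": {
    "start": "2022-03-01T00:00:00+00:00",
    "end": "2022-03-03T23:59:59+00:00"
  }
}
"""


def parse_blackout_windows(text):
    """Parse a blackout_windows JSON hash into {name: (start, end)}.

    Every timestamp must carry a UTC offset and each window must end
    after it starts (assumed rules); anything else is rejected so a typo
    cannot silently leave nodes patchable during a change freeze.
    """
    windows = {}
    for name, bounds in json.loads(text).items():
        start = datetime.fromisoformat(bounds["start"])
        end = datetime.fromisoformat(bounds["end"])
        if start.tzinfo is None or end.tzinfo is None:
            raise ValueError(f"{name}: timestamps need a UTC offset")
        if end <= start:
            raise ValueError(f"{name}: end must be after start")
        windows[name] = (start, end)
    return windows


def active_blackouts(windows, at):
    """Return the names of windows that contain the tz-aware instant `at`."""
    return [name for name, (s, e) in windows.items() if s <= at <= e]


def patching_allowed(windows, at=None):
    """True when no blackout window covers `at` (default: now, in UTC)."""
    at = at or datetime.now(timezone.utc)
    return not active_blackouts(windows, at)
```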

Patch management parameters

Following are some of the Patch Management parameters of the pe_patch class.

Patch management parameters

Patch nodes

The patch_server task helps apply patches to nodes after configuring Patch management. This requires permission to run the pe_patch::patch_server task.

Patches page in Puppet

Source: Puppet Enterprise Guide

Step 1: In the Apply patches section of the Patches page, specify the patches for the nodes.

Step 2: Select Run > Task. Optionally, you can describe the task run in the Job details field and set additional task parameters.

Step 3: Click Run task to apply the patches. The status of the task can be viewed on the Tasks page.

Patching task parameters

Some of the optional parameters that can be applied to a task are shown below.

Patching task parameters

Patch nodes with built-in health checks

The group_patching plan helps perform health checks before and after the patches are applied on nodes. It verifies if Puppet is running correctly on the target nodes and patches the nodes. It considers a node to be ‘healthy’ if the puppet service is up and running, the Noop mode and cached catalogues are disabled, and the run interval is 30 minutes. It then waits for reboots and runs Puppet on the nodes to check if they are operational.
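As an added example (not code from the original post or from the pe_patch module), the health criteria listed above can be expressed as a predicate over per-node settings. The setting names noop, use_cached_catalog and runinterval are the puppet.conf names; how they and the service state are collected from a node is assumed, and the inventory below is constructed.

```python
RUN_INTERVAL_SECONDS = 30 * 60  # the 30-minute run interval the plan expects

# Constructed inventory: {certname: settings}. Collecting these values
# from real nodes is outside this example.
SAMPLE_INVENTORY = {
    "web01.example": {"service_running": True, "noop": False,
                      "use_cached_catalog": False, "runinterval": "30m"},
    "db01.example": {"service_running": True, "noop": True,
                     "use_cached_catalog": False, "runinterval": 3600},
    "app01.example": {"service_running": False, "noop": False,
                      "use_cached_catalog": True, "runinterval": 1800},
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(value):
    """Accept an int of seconds or a puppet.conf duration such as '30m'."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    if text[-1:] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


def health_problems(node):
    """Return the reasons a node fails the checks described above (empty if healthy)."""
    problems = []
    if not node.get("service_running"):
        problems.append("puppet service is not running")
    if node.get("noop"):
        problems.append("noop mode is enabled")
    if node.get("use_cached_catalog"):
        problems.append("cached catalog use is enabled")
    if parse_interval(node.get("runinterval", 0)) != RUN_INTERVAL_SECONDS:
        problems.append("run interval is not 30 minutes")
    return problems


def triage(inventory):
    """Split an inventory into (healthy certnames, {certname: problems})."""
    healthy, unhealthy = [], {}
    for certname, node in inventory.items():
        problems = health_problems(node)
        if problems:
            unhealthy[certname] = problems
        else:
            healthy.append(certname)
    return healthy, unhealthy
```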

Step 1: Select Plans in the Orchestration section and click on Run a plan.

Step 2: Specify the details of the plan - the Code environment and Job description. Select pe_patch::group_patching for Plan.

Step 3: Under Plan parameters, specify the patch group to run the plan on, along with additional parameters if required.

Step 4: Click Run job.

Plan behaviour can be modified using patching options, health check options, and reboot options.

Patching options

Patching option parameters

Health check options

Health check option parameters

Reboot options

Reboot option parameters

Frequently Asked Questions

What is the use of the patch_group parameter?

The patch_group parameter can identify which nodes to run patching plans against. It is defined in the pe_patch class for node groups under patch management. The patch_group names are matched to node groups.

What are the other OS platforms suited for Patch management?

CentOS (Version 7), Debian (Versions 9, 10, 11), Fedora (Version 34), Oracle Linux (Versions 7, 8), Red Hat Enterprise Linux (Versions 7, 8), Ubuntu (Versions 18.04, 20.04, 22.04) and SUSE Linux Enterprise Server (Versions 12, 15).

How to add nodes to a node group?

Nodes can be added to node groups statically by pinning them individually. Dynamically, rules can be used to include nodes in a node group.

Conclusion 

This blog has covered the management of patches in Puppet. It discusses how to configure patch management and patch nodes. Check out our articles on Overview of Puppet Server, Overview of PuppetDB and Configuring PuppetDB. Explore our Library on Coding Ninjas Studio to gain knowledge on Data Structures and Algorithms, Machine Learning, Deep Learning, Cloud Computing and many more! Test your coding skills by solving our test series and participating in the contests hosted on Coding Ninjas Studio! 

Looking for questions from tech giants like Amazon, Microsoft, Uber, etc.? Look at the problems, interview experiences, and interview bundle for placement preparations. Upvote our blogs if you find them insightful and engaging! Happy Coding!
