Chef Cookbook for automatically patching nodes on a specific schedule (weekday, hour, and minute). Handles weekly or monthly patching routines with or without node splay for large environments. Can automatically prepare node for true patch window by cleaning and pre-downloading packages, which speeds up patch process and can help guarantee meeting patching timeframes.
If you're looking for daily upgrades on Ubuntu, check out the unattended-upgrades package and a corresponding cookbook. (/ht @hectcastro for this information).
- RedHat 6.3 (Santiago)
- Ubuntu 12.04 (Precise)
- cron
node["auto-patch"]["disable"]- defaults to falsenode["auto-patch"]["hour"]- defaults to 3node["auto-patch"]["minute"]- defaults to 0node["auto-patch"]["monthly"]- auto patching occurs once a month on the corresponding textual week number ("first","second",etc) and weekday ("monday","tuesday",etc), overridden bynode["auto-patch"]["weekly"], defaults to "first sunday"node["auto-patch"]["reboot"]- reboot automatically after patching, defaults to truenode["auto-patch"]["splay"]- seconds of random delay before beginning, defaults to 0node["auto-patch"]["weekly"]- auto patching occurs once a week on the corresponding textual weekday ("monday","tuesday",etc), overridesnode["auto-patch"]["monthly"], defaults to nilnode["auto-patch"]["now"], patches the system immediately, default to false
node["auto-patch"]["prep"]["clean"]- cleans updater cache files, defaults to truenode["auto-patch"]["prep"]["disable"]- defaults to truenode["auto-patch"]["prep"]["hour"]- defaults to 2node["auto-patch"]["prep"]["minute"]- defaults to 0node["auto-patch"]["prep"]["monthly"]- auto patching prep occurs once a month on the corresponding textual week number ("first","second",etc) and weekday ("monday","tuesday",etc), overridden bynode["auto-patch"]["prep"]["weekly"], defaults to "first sunday"node["auto-patch"]["prep"]["splay"]- seconds of random delay before beginning, defaults to 1800node["auto-patch"]["prep"]["weekly"]- auto patching prep occurs once a week on the corresponding textual weekday ("monday","tuesday",etc), overridesnode["auto-patch"]["prep"]["monthly"], defaults to nilnode["auto-patch"]["prep"]["update_updater"]- updates apt or yum before actual patching occurs, defaults to true
recipe[auto-patch]configures automatic patching
- Change any attributes to fit your patching cycle
- If using auto patch preparation, ensure it starts before auto patch (remember any splay!)
- Add
recipe[auto-patch]to your node's run list
Set node["auto-patch"]["once"] attribute to true will set the system to update
and reboot by default a single instance at the date and time indicated.
Just use the node["auto-patch"]["weekly"] attribute to override the monthly
setting. Don't forget to add appropriate node["auto-patch"]["prep"]["weekly"]
if you're using automatic patch preparation.
If you're auto patching many nodes at once, you have two attributes you can optionally add to prevent denial of service against your network, update server(s), and resources:
- Adding
node["auto-patch"]["splay"] - Setting
node["auto-patch"]["prep"]["disable"]to false (along with setting associated prep attributes to meet your patch cycle)
If you'd like to specify groups of nodes for auto patching, you can setup roles.
Say you want to auto patch some nodes at 8am and some at 10pm on your monthly "patch day" of the fourth Wednesday every month.
If you have a base role (you do, right?), you can save duplicating attributes and specify some base information first:
"auto-patch" => {
"monthly" => "fourth wednesday",
"prep" => {
"disable" => false,
"hour" => 7,
"monthly" => "fourth wednesday"
}
}
Example role that then could be added to 8am nodes:
name "auto-patch-0800"
description "Role for automatically patching nodes at 8am on patch day."
default_attributes(
"auto-patch" => {
"hour" => 8
}
)
run_list(
"recipe[auto-patch]"
)
Example role that then could be added to 10pm nodes:
name "auto-patch-2200"
description "Role for automatically patching nodes at 10pm on patch day."
default_attributes(
"auto-patch" => {
"hour" => 22
}
)
run_list(
"recipe[auto-patch]"
)
- Specify
node["auto-patch"]["disable"]to true - If necessary, specify
node["auto-patch"]["prep"]["disable"]to true - Run chef-client on your node
recipe[auto-patch::update-now]performs patching
- Specify
node["auto-patch"]["now"]to true - node will install all updates during each chef run
This repo includes a .kitchen.yml file which leverages Test Kitchen and Vagrant to test and verify.
Test Kitchen is already included as part of ChefDK. To start testing run:
kitchen converge
Only the system has finished converging you can log into it by using the command
kitchen login
All rspec and integration tests are performed and the system can be manually verified.
Please use standard Github issues/pull requests.
Author:: Brian Flad ([email protected]) Derek Groh ([email protected])
Copyright:: 2012-2013
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.