Automate patch management on Windows and Linux with real-time reporting

by Puppet
Posted: January 17, 2020

This guide walks you through using Puppet Enterprise to set up a patch management workflow, complete with options for scheduling, blackout windows, and narrowing patch sets. Use it with lab-grade infrastructure until you are comfortable with how it works. That said, the act of upgrading software packages is a deliberate step, so you can complete most of this guide on systems without impacting the software installed.

1. Set up Puppet Enterprise for patch management

Using your lab deployment of Puppet Enterprise, follow the documentation to deploy the provided control repo, which includes all of the content necessary to complete a patch management workflow on Linux and Windows systems.

2. Connect nodes to Puppet Enterprise and prepare them for patching

Log in to the Puppet Enterprise console (https://master-fqdn:443 by default) and follow the instructions in the Setup > Unsigned certs menu to connect the non-production nodes that you'll patch with this guide.

Next, use the Configure > Classification menu to create a node group that matches the nodes you want to patch (by rule or by pinned certnames) and adds the os_patching class, which is provided by the control repository deployed in step 1. No parameters are needed for basic patch management.

Finally, use the Run > Puppet menu to run Puppet on the node group you just created. This applies the os_patching class, which does not patch your nodes yet: it installs a custom fact and a cron job or scheduled task that collects data on available patches for use later in the workflow.
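If you prefer to manage the classification in code rather than through the console, a profile class in the control repo can declare os_patching with the parameters that step 5 mentions (a patch window and a blackout window). The class below is an added example and is not part of the guide's control repo; the profile name is hypothetical, and the patch_window and blackout_windows parameters, with their start/end timestamp format, follow the os_patching module's documented class interface, so verify them against the module version you deployed. During a blackout the module's fact reports blocked = true, which is what the PQL query in step 4 filters on.

```puppet
# Added example, not part of the guide's control repo.
# Applies the os_patching baseline with a named patch window and a
# change-freeze blackout. Parameter names and the blackout hash layout
# are taken from the os_patching module documentation; check them
# against your deployed module version.
class profile::patching (
  # Free-form label that the os_patching fact reports for the node, so a
  # PQL query can target e.g. only "Week3" nodes.
  String $patch_window = 'Week3',
  # Hypothetical dates for a quarter-end change freeze (ISO 8601 with offset).
  # While a window is active, facts.os_patching.blocked becomes true and the
  # patch task refuses to run, so the step-4 query excludes these nodes.
  Hash $blackout_windows = {
    'End of quarter change freeze' => {
      'start' => '2020-03-25T00:00:00+00:00',
      'end'   => '2020-04-02T23:59:59+00:00',
    },
  },
) {
  class { 'os_patching':
    patch_window     => $patch_window,
    blackout_windows => $blackout_windows,
  }
}
```

Add the class to the node group in place of os_patching itself, or set the values in Hiera under the os_patching:: keys; either way the next Puppet run refreshes the fact, and nodes inside the freeze drop out of the step-4 target list without any change to the task or query.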

3. Examine your patch inventory

Puppet Enterprise is now populated with a wealth of data about installed packages and available patches, including which provide security updates.

You can browse this data in the PE Console in two ways:

  • Use the Inspect > Packages menu to browse packages across the fleet, enabling you to quickly assess version differences and whether certain packages are being managed by Puppet.
  • Use the Inspect > Nodes menu to view facts about individual nodes, where you will find the os_patching fact populated with data about available package updates and how many of these are security updates.

Familiarize yourself with the data provided, which you can use to conduct precise patch management jobs on-demand or scheduled for PE to perform in the future. You'll patch all security updates next.

4. Apply security updates only

Now we'll use the data to apply security updates to only the nodes that need them. Use the Run > Task menu in the PE Console to set up a Bolt task that identifies nodes with available security updates and applies them.

  • Select the task os_patching::patch_server, which was provided by the control repo in step 1.

  • Select security_only from the task parameters menu and set its value to true so that only security updates are applied when you run the patch task.

  • Select PQL query from Inventory and paste the following query into the text box:

    inventory[certname] { facts.os_patching.security_package_update_count > 0 and facts.os_patching.blocked = false }

    and then click Submit Query.

    This query uses the data you examined in the last step to identify applicable nodes as the target for the patch management task.

  • The nodes box should populate with at least one node that has applicable updates. If it does not, try repeating steps 2 & 3 with another device that has available patches.

  • Click Run Job to patch the targeted systems with security updates.
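The same job can be expressed as a plan, which is useful once you want it reviewed in version control or scheduled rather than clicked through. The plan below is an added example, not code from the guide or from the os_patching module: the plan name is hypothetical, the PQL query is the one from this step, and the task parameters security_only, reboot and timeout are those documented for os_patching::patch_server (verify them against your module version). It lists the targets and stops unless apply=true is passed, so the first run is a review of what would be patched.

```puppet
# Added example, not part of the guide or of the os_patching module.
# Selects unblocked nodes with pending security updates via PuppetDB and
# runs os_patching::patch_server on them with security_only => true.
plan profile::security_patch (
  # Default is a dry run: show the target list and stop.
  Boolean $apply = false,
  # 'never' keeps reboots out of this job; handle them in a separate window.
  Enum['always', 'never', 'patched', 'smart'] $reboot = 'never',
  # Per-node task timeout in seconds.
  Integer $timeout = 3600,
) {
  # Same query as the console step: security updates pending, not in a blackout.
  $query = @("PQL")
    inventory[certname] {
      facts.os_patching.security_package_update_count > 0
      and facts.os_patching.blocked = false
    }
    | PQL

  $rows      = puppetdb_query($query)
  $certnames = $rows.map |$row| { $row['certname'] }

  if $certnames.empty {
    return 'No nodes have pending security updates outside a blackout window.'
  }

  out::message("Nodes with unblocked security updates: ${certnames.join(', ')}")

  unless $apply {
    return 'Dry run only; re-run with apply=true to patch these nodes.'
  }

  $targets = get_targets($certnames)
  $result  = run_task('os_patching::patch_server', $targets,
    security_only   => true,
    reboot          => $reboot,
    timeout         => $timeout,
    # Keep going and report per-node failures instead of aborting the plan.
    '_catch_errors' => true,
  )

  # Surface failures explicitly so one unreachable node does not hide the rest.
  $result.error_set.each |$r| {
    out::message("FAILED ${r.target.name}: ${r.error.message}")
  }

  # Return the certnames that patched successfully for the job record.
  return $result.ok_set.map |$r| { $r.target.name }
}
```

Place it in the control repo (for example site-modules/profile/plans/security_patch.pp) and run it from Run > Plan in the console or with bolt plan run profile::security_patch apply=true; the plan's output plus the refreshed os_patching fact on the next Puppet run give you the before and after record for the patch job.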

5. Patch with purpose!

You've just completed the core patch management loop! Here's a recap:

  • Connect infrastructure to Puppet Enterprise with the os_patching baseline applied, then run Puppet.
  • Browse patch data to make decisions on which devices to work with, or just go straight to patching.
  • Use the os_patching::patch_server task to patch your infrastructure on demand or on a schedule.

Now you're set up to patch more systems or explore how to customize this workflow to your needs, complete with blackout windows, reboot considerations, and much more.

Kevin Reeuwijk wrote a thorough blog post that will extend your learning from this guide into creating whitelists, blacklists, and approval policies.

Want to try a different approach? We recommend trying out Encore/Patching with Bolt for an agentless patch management workflow.

Ready for more? Learn how to deploy packages across your Windows estate with Bolt and Chocolatey with Claire Cadman and Adam Buxton on the Puppet Blog.