Azure / az-hop

The Azure HPC On-Demand Platform provides an HPC Cluster Ready solution
https://azure.github.io/az-hop/
MIT License
65 stars 53 forks

automatic security updates #1594

Open ltalirz opened 1 year ago

ltalirz commented 1 year ago

In what area(s)?

/area administration
/area ansible
/area autoscaling
/area configuration
/area cyclecloud
/area documentation
/area image
/area job-scheduling
/area monitoring
/area ood
/area remote-visualization
/area user-management

Describe the feature

Many playbooks currently contain a task:

```yaml
  - name: update packages for security
    become: true
    yum:
      name: '*'
      state: latest
      exclude: cyclecloud*
```

Not only does this task slow down the playbooks, it also does not keep the systems up to date when you are not running playbooks.

There are Ansible roles for this, such as https://github.com/geerlingguy/ansible-role-security, that will install cron jobs (yum-cron for RHEL-based, unattended-upgrades for Debian-based systems) that periodically install security patches (and only security patches) to keep the VMs up to date at all times. I believe we should use them.

xpillons commented 1 year ago

I think it would probably be easier to do our own cron instead of relying on another repo. At the end it's just a cron running yum with security updates. Best would be to rely on the Azure platform for managing security updates globally, see #1413. The issue with Azure update is that it only supports a specific list of marketplace images and not custom images.
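The "own cron running yum with security updates" that both comments describe, written out as an added Ansible playbook (example code, not part of az-hop or of the linked geerlingguy role): it replaces the blanket `yum name='*' state=latest` task with the distribution's scheduled security-only updater and keeps the issue's `cyclecloud*` exclusion. It assumes RHEL 7-style hosts use yum-cron, RHEL 8+ hosts use dnf-automatic, and Debian/Ubuntu hosts use unattended-upgrades; the `[base]` override used for the package exclusion is the standard config-override section of `yum-cron.conf` and `automatic.conf`, and the variable `auto_update_exclude` is a name chosen for this example.

```yaml
# Added example (not az-hop's own code): security-only unattended updates.
# Assumes: RHEL 7 family -> yum-cron, RHEL 8+ family -> dnf-automatic,
# Debian family -> unattended-upgrades. Exclusion pattern mirrors the
# "exclude: cyclecloud*" of the task quoted in the issue.
- name: Configure unattended security-only updates
  hosts: all
  become: true
  vars:
    auto_update_exclude: "cyclecloud*"   # hypothetical variable name

  tasks:
    # --- yum based systems (RHEL/CentOS 7): yum-cron ---------------------
    - name: Install yum-cron
      ansible.builtin.yum:
        name: yum-cron
        state: present
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'yum'

    - name: Restrict yum-cron to security updates and apply them automatically
      ansible.builtin.ini_file:
        path: /etc/yum/yum-cron.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
      loop:
        - { section: commands, option: update_cmd, value: security }
        - { section: commands, option: download_updates, value: "yes" }
        - { section: commands, option: apply_updates, value: "yes" }
        # [base] overrides yum.conf for the cron run only
        - { section: base, option: exclude, value: "{{ auto_update_exclude }}" }
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'yum'
      notify: restart yum-cron

    - name: Enable the yum-cron service
      ansible.builtin.service:
        name: yum-cron
        state: started
        enabled: true
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'yum'

    # --- dnf based systems (RHEL/AlmaLinux 8+): dnf-automatic ------------
    - name: Install dnf-automatic
      ansible.builtin.dnf:
        name: dnf-automatic
        state: present
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'dnf'

    - name: Restrict dnf-automatic to security updates and apply them automatically
      ansible.builtin.ini_file:
        path: /etc/dnf/automatic.conf
        section: "{{ item.section }}"
        option: "{{ item.option }}"
        value: "{{ item.value }}"
      loop:
        - { section: commands, option: upgrade_type, value: security }
        - { section: commands, option: download_updates, value: "yes" }
        - { section: commands, option: apply_updates, value: "yes" }
        # [base] overrides dnf.conf for the timer run only
        - { section: base, option: excludepkgs, value: "{{ auto_update_exclude }}" }
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'dnf'

    - name: Enable the dnf-automatic timer
      ansible.builtin.systemd:
        name: dnf-automatic.timer
        state: started
        enabled: true
        daemon_reload: true
      when: ansible_facts['os_family'] == 'RedHat' and ansible_facts['pkg_mgr'] == 'dnf'

    # --- Debian/Ubuntu: unattended-upgrades ------------------------------
    - name: Install unattended-upgrades
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
        update_cache: true
      when: ansible_facts['os_family'] == 'Debian'

    # The package's default origin list already limits it to the
    # distribution's security pocket; this only switches the daily run on.
    - name: Run unattended-upgrades daily
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
        mode: "0644"
      when: ansible_facts['os_family'] == 'Debian'

  handlers:
    - name: restart yum-cron
      ansible.builtin.service:
        name: yum-cron
        state: restarted
```

Run it once per image build or deployment with `ansible-playbook -i <inventory> security-updates.yml`; after that the VMs patch themselves on the tool's own schedule without any playbook run. Keeping the exclusion in the updater's own config rather than in a playbook task matters because a scheduled run that upgraded a `cyclecloud*` package would break the scheduler integration the original `exclude` was protecting; on RHEL hosts you can verify what a scheduled run would pick up with `yum updateinfo list security` or `dnf updateinfo list --security`.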