albatrossflavour / puppet_os_patching

A Puppet module that provides a set of tasks and custom facts which allow the automation of, and reporting on, OS patching
Apache License 2.0

Can the security_flag be run as part of the manifest, instead of a task only? #210

Closed reboss closed 2 years ago

reboss commented 3 years ago

Is your feature request related to a problem? Please describe.

We'd like to be able to run a task with the security_only key inside a manifest. It seems that this library only supports that feature when running as a task. For example, we'd like to run as follows:

class { 'os_patching':
  patch_window     => 'Week3',
  blackout_windows => {
    'End of year change freeze' => {
      'start' => '2018-12-15T00:00:00+1000',
      'end'   => '2019-01-15T23:59:59+1000',
    },
  },
  # security_only is the parameter this request asks for
  security_only    => true,
}

Describe the solution you'd like

We'd like to be able to get only security patches using this module without running as a puppet task.

Describe alternatives you've considered

One alternative we've considered is simply using puppet to create a cronjob that gets security patches only on our infrastructure machines.

albatrossflavour commented 3 years ago

Hi @reboss

How would you see this working from an orchestration perspective? The settings for installing 'security only' updates vary between OSs; I'm not aware of a config parameter which you could change to prevent non-security updates being applied.

Even if there were one, how would you then get the non-security updates applied when you're ready to?

The task approach offers flexibility to do just security or all updates.

If you can give me a bit more info about how you see this working I can see if it's something we could look at.

Cheers

albatrossflavour commented 2 years ago

Didn't get any more info, can't proceed.