puppetlabs / puppetlabs-patching_as_code

Automated Patching through desired state code
Apache License 2.0

Edge case where 0 patches to be applied but reboot still required. #29

Closed sifex closed 3 years ago

sifex commented 3 years ago

When an environment is running both patching_as_code and an alternate patching tool (e.g. yum-cron), the host can sometimes never reboot due to this check.

Possibly think about taking the reboot branch from the init.pp file and placing it outside the patching branch?

https://github.com/puppetlabs/puppetlabs-patching_as_code/blob/3e5d9deea1257040d689698f1a509bdc97a7c860/manifests/init.pp#L282

kreeuwijk commented 3 years ago

That change would allow the system to reboot on patch days, even if no patches were installed. Are you saying that yum-cron is installing patches on the same day, but earlier than Puppet?

sifex commented 3 years ago

I've got yum-cron as there are requirements from auditors to patch "serious" vulnerabilities in < 48h, so for this use case we're rolling out OS package updates every hour.

But for kernel updates we're updating & rebooting depending on the schedule group, which is delightfully handy with a large amount of hosts.

I understand that if you've got no other patching solutions, then this should work perfectly, but the module should rely on the /usr/bin/needs-restarting binary / /var/run/reboot-required file instead of assuming none from 0 updates.

I'm not sure how this will affect Windows, as I'm not as familiar with their reboot schedule.

Let me know how you'd like a PR. Might have to be tomorrow.

Edit: Thanks for the quick response :)

kreeuwijk commented 3 years ago

What is the restart behavior you're using? restart: always or restart: ifneeded? restart: ifneeded will detect the pending reboot and restart the node at the very start of the patch run, before even attempting to install patches.

kreeuwijk commented 3 years ago

Oh I see...

```puppet
reboot_if_pending {'Patching as Code':
  patch_window => 'Patching as Code - Patch Window',
  os           => $0
}
```

Is only happening if there are patches.

kreeuwijk commented 3 years ago

Ok that seems fair; reboots should be fair game during the patch window. I'll move the reboot_if_pending resource to still be within the $is_patchday conditional, but not require that there are patches to install.

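The edge case discussed above, as an added shell example that is not part of the module or of either commenter's code: the OS-level reboot indicators are consulted directly (the /var/run/reboot-required marker that update-notifier-common writes on Debian/Ubuntu, and `needs-restarting -r` from yum-utils on RHEL-family systems, which exits 1 when a reboot is required), and the decision is gated on the patch window only, so a kernel installed earlier by yum-cron still triggers a reboot on patch day even when Puppet itself has 0 patches to apply. The `old` mode reproduces the original behaviour for comparison. The function names and the `MARKER_ROOT` / `NEEDS_RESTARTING` overrides are assumptions introduced here so the logic can be exercised without root on any box.

```shell
#!/bin/sh
# Added example (hypothetical helper, not puppetlabs-patching_as_code itself).
# Decide whether a node should reboot on patch day based on what the OS reports,
# not on how many packages this run happened to install.

# Assumed overrides so the detection can be exercised offline:
#   MARKER_ROOT      prefix for the Debian/Ubuntu marker file (default: "/")
#   NEEDS_RESTARTING command to run as needs-restarting (default: the real binary)
: "${MARKER_ROOT:=}"
: "${NEEDS_RESTARTING:=needs-restarting}"

# reboot_pending: returns 0 when the OS says a reboot is pending, 1 otherwise.
reboot_pending() {
    # Debian/Ubuntu: update-notifier-common creates this file after a package
    # update (typically a kernel or libc) that requires a reboot.
    if [ -f "${MARKER_ROOT}/var/run/reboot-required" ]; then
        return 0
    fi
    # RHEL/CentOS: needs-restarting -r exits 1 when a reboot is required
    # (new kernel or core libraries in use by running processes), 0 otherwise.
    if command -v "$NEEDS_RESTARTING" >/dev/null 2>&1; then
        if ! "$NEEDS_RESTARTING" -r >/dev/null 2>&1; then
            return 0
        fi
    fi
    return 1
}

# should_reboot IS_PATCHDAY PATCH_COUNT [old|fixed]
# Echoes "reboot" or "skip".
#   fixed: reboot whenever the node is in its patch window and the OS reports
#          a pending reboot, regardless of how many patches this run installs.
#   old:   additionally require PATCH_COUNT > 0, which is the gating that left
#          yum-cron-patched hosts never rebooting.
should_reboot() {
    is_patchday=$1
    patch_count=$2
    mode=${3:-fixed}

    # Reboots are only ever fair game inside the patch window.
    if [ "$is_patchday" != 1 ]; then
        echo skip
        return 0
    fi
    # The behaviour the issue reports: 0 patches short-circuits the reboot check.
    if [ "$mode" = old ] && [ "$patch_count" -eq 0 ]; then
        echo skip
        return 0
    fi
    if reboot_pending; then
        echo reboot
    else
        echo skip
    fi
}

# Stand-alone usage: sh decide.sh <is_patchday 0|1> <patch_count> [old|fixed]
# Example: MARKER_ROOT=/tmp/fake NEEDS_RESTARTING=true sh decide.sh 1 0
if [ $# -ge 2 ]; then
    echo "decision: $(should_reboot "$1" "$2" "${3:-fixed}")"
fi
```

Run it with a real patch count from your own tooling; the point of the `fixed` branch is that `patch_count` no longer participates in the reboot decision, only in whether the window is open. On a production node leave the two overrides unset so the real marker file and `needs-restarting` are consulted.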
kreeuwijk commented 3 years ago

Fixed in v0.7.2, now available on the Puppet Forge

sifex commented 3 years ago

Thanks for that! Let me know if you have a buymeacoffee link or something. Really appreciate the package 😊

kreeuwijk commented 3 years ago

Haha no worries! Just spread the word!