Open gggkearney opened 1 year ago
@gggkearney the max_runs parameter controls the repeat parameter of the schedule resource that gets created from the patch_window specs. It will allow the resources from the patch run to be applied that number of times. This however does not prevent newly detected to-be-patched packages from getting applied if another run happens within the same patch window. This is because from Puppet's perspective, a new package has had 0 applies within the patch window and thus is allowed to be applied once.
For some reason, the 'max runs' option within the patch windows is being ignored. All of our patch groups have max_runs set to 1 but will continue to patch systems if patches are still available after the 'pe_patch_fact_generation.sh' script is executed at the end of each patch run. Example below.
2nd_thu_20_22_prod_nr:
  day_of_week: Thursday
  count_of_week: 2
  hours: 20:00 - 22:00
  max_runs: 1
  reboot: never
First Puppet run within patch window – the packages available for patching were determined from the cron job (pe_patch_fact_generation.sh) which ran on March 27th.
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[bpftool.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[diffutils.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel-tools.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel-tools-libs.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss-sysinit.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss-tools.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[openssl.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[openssl-libs.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[zlib.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:55 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Exec[Patching as Code - Before patching - pre patch default commands]/returns) executed successfully
Apr 13 20:00:56 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Exec[Patching as Code - Clean Cache]/returns) executed successfully
Apr 13 20:01:40 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[bpftool.x86_64]/ensure) ensure changed '3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:01:46 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[diffutils.x86_64]/ensure) ensure changed '3.3-5.el7' to '0:3.3-6.el7_9'
Apr 13 20:03:38 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel.x86_64]/ensure) ensure changed '3.10.0-1160.71.1.el7; 3.10.0-1160.76.1.el7; 3.10.0-1160.80.1.el7; 3.10.0-1160.81.1.el7; 3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:47 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel-tools.x86_64]/ensure) ensure changed '3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel-tools-libs.x86_64]/ensure) ensure changed '3.10.0-1160.88.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:57 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss.x86_64]/ensure) ensure changed '3.79.0-4.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:00 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss-sysinit.x86_64]/ensure) ensure changed '3.79.0-5.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:03 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss-tools.x86_64]/ensure) ensure changed '3.79.0-5.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:10 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[openssl.x86_64]/ensure) ensure changed '1:1.0.2k-25.el7_9' to '1:1.0.2k-26.el7_9'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[zlib.x86_64]/ensure) ensure changed '1.2.7-20.el7_9' to '0:1.2.7-21.el7_9'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/File[Patching as Code - Save Patch Run Info]/ensure) defined content as '{sha256}363495f191055656bfb3ca11c9fe561d9497a656117dba2cf3f465bff65f4fd8'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: Patches installed, refreshing patching facts...
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Notify[Patching as Code - Update Fact]/message) defined 'message' as 'Patches installed, refreshing patching facts...'
Apr 13 20:04:23 itf-sannav puppet-agent[89855]: (/Stage[main]/Pe_patch/Exec[pe_patch::exec::fact_upload]) Triggered 'refresh' from 1 event
Apr 13 20:04:45 itf-sannav pe_patch_fact_generation.sh: Uploading facts
Apr 13 20:04:51 itf-sannav pe_patch_fact_generation.sh: Patch data refreshed - This is checking for new packages available for patching. If any are found, PE_PATCH facts will be updated and they will be patched on the next Puppet run. (Should be during the next Patch window)
Apr 13 20:04:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Pe_patch/Exec[pe_patch::exec::fact]) Triggered 'refresh' from 1 event
Apr 13 20:04:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Exec[Patching as Code - After patching - post patch default commands]/returns) executed successfully
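
An added example, not part of the original issue or the module's own code: a short Python audit over agent log lines in the format shown above. It reports how many agent runs patched within the window alongside the highest per-package apply count, the two numbers the reply above distinguishes. The second run (PID 91234), its package name, and treating the agent PID as the run identifier are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the journal format shown in the issue. The first two
# lines mirror the run above; the second run (PID 91234) and "example-pkg"
# are invented for illustration.
SAMPLE_LOG = """\
Apr 13 20:01:40 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[bpftool.x86_64]/ensure) ensure changed '3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:04:10 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[openssl.x86_64]/ensure) ensure changed '1:1.0.2k-25.el7_9' to '1:1.0.2k-26.el7_9'
Apr 13 20:34:12 itf-sannav puppet-agent[91234]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[example-pkg.x86_64]/ensure) ensure changed '1.0-1.el7' to '0:1.0-2.el7'
Apr 13 20:34:20 itf-sannav puppet-agent[91234]: (/Stage[main]/Patching_as_code/Exec[Patching as Code - After patching - post patch default commands]/returns) executed successfully
"""

# Matches only package updates applied by the Patchday class.
ENTRY = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d):\d\d \S+ puppet-agent\[(?P<pid>\d+)\]: "
    r"\(/Stage\[main\]/Patching_as_code::\w+::Patchday/Package\[(?P<pkg>[^\]]+)\]/ensure\) "
    r"ensure changed"
)

def audit_window(log_text, start="20:00", end="22:00", max_runs=1):
    """Summarise patching activity inside one window of a single day's log."""
    runs = defaultdict(set)     # agent PID (assumed: one per run) -> packages
    applies = defaultdict(int)  # package -> applies inside the window
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        # Zero-padded HH:MM strings compare correctly as text.
        if not m or not (start <= m["time"] < end):
            continue
        runs[m["pid"]].add(m["pkg"])
        applies[m["pkg"]] += 1
    return {
        "patching_runs": len(runs),
        "max_applies_per_package": max(applies.values(), default=0),
        "exceeds_max_runs": len(runs) > max_runs,
        "packages_by_run": {pid: sorted(pkgs) for pid, pkgs in runs.items()},
    }

if __name__ == "__main__":
    for key, value in audit_window(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample every package is applied once, yet two runs patched inside the window, so a change-control check has to count runs rather than rely on the per-resource limit.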