puppetlabs / puppetlabs-patching_as_code

Automated Patching through desired state code
Apache License 2.0

max number of times that Puppet can perform patching within the patch window functionality is not working #88

Open gggkearney opened 1 year ago

gggkearney commented 1 year ago

For some reason, the 'max runs' option within the patch windows is being ignored. All of our patch groups have max_runs set to 1 but will continue to patch systems if patches are still available after the 'pe_patch_fact_generation.sh' script is executed at the end of each patch run. Example below.

2nd_thu_20_22_prod_nr:
  day_of_week: Thursday
  count_of_week: 2
  hours: 20:00 - 22:00
  max_runs: 1
  reboot: never

First Puppet run within the patch window – the packages available for patching were determined from the cron job (pe_patch_fact_generation.sh) which ran on March 27th:

Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[bpftool.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[diffutils.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel-tools.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[kernel-tools-libs.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss-sysinit.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[nss-tools.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[openssl.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[openssl-libs.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:54 itf-sannav puppet-agent[89855]: Package[zlib.x86_64] (unmanaged) will be updated by Patching_as_code
Apr 13 20:00:55 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Exec[Patching as Code - Before patching - pre patch default commands]/returns) executed successfully
Apr 13 20:00:56 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Exec[Patching as Code - Clean Cache]/returns) executed successfully
Apr 13 20:01:40 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[bpftool.x86_64]/ensure) ensure changed '3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:01:46 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[diffutils.x86_64]/ensure) ensure changed '3.3-5.el7' to '0:3.3-6.el7_9'
Apr 13 20:03:38 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel.x86_64]/ensure) ensure changed '3.10.0-1160.71.1.el7; 3.10.0-1160.76.1.el7; 3.10.0-1160.80.1.el7; 3.10.0-1160.81.1.el7; 3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:47 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel-tools.x86_64]/ensure) ensure changed '3.10.0-1160.83.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[kernel-tools-libs.x86_64]/ensure) ensure changed '3.10.0-1160.88.1.el7' to '0:3.10.0-1160.88.1.el7'
Apr 13 20:03:57 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss.x86_64]/ensure) ensure changed '3.79.0-4.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:00 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss-sysinit.x86_64]/ensure) ensure changed '3.79.0-5.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:03 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[nss-tools.x86_64]/ensure) ensure changed '3.79.0-5.el7_9' to '0:3.79.0-5.el7_9'
Apr 13 20:04:10 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[openssl.x86_64]/ensure) ensure changed '1:1.0.2k-25.el7_9' to '1:1.0.2k-26.el7_9'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code::Linux::Patchday/Package[zlib.x86_64]/ensure) ensure changed '1.2.7-20.el7_9' to '0:1.2.7-21.el7_9'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/File[Patching as Code - Save Patch Run Info]/ensure) defined content as '{sha256}363495f191055656bfb3ca11c9fe561d9497a656117dba2cf3f465bff65f4fd8'
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: Patches installed, refreshing patching facts...
Apr 13 20:04:16 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Notify[Patching as Code - Update Fact]/message) defined 'message' as 'Patches installed, refreshing patching facts...'
Apr 13 20:04:23 itf-sannav puppet-agent[89855]: (/Stage[main]/Pe_patch/Exec[pe_patch::exec::fact_upload]) Triggered 'refresh' from 1 event

Apr 13 20:04:45 itf-sannav pe_patch_fact_generation.sh: Uploading facts
Apr 13 20:04:51 itf-sannav pe_patch_fact_generation.sh: Patch data refreshed

This is checking for new packages available for patching. If any are found, PE_PATCH facts will be updated and they will be patched on the next Puppet run. (Should be during the next patch window.)

Apr 13 20:04:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Pe_patch/Exec[pe_patch::exec::fact]) Triggered 'refresh' from 1 event
Apr 13 20:04:51 itf-sannav puppet-agent[89855]: (/Stage[main]/Patching_as_code/Exec[Patching as Code - After patching - post patch default commands]/returns) executed successfully

kreeuwijk commented 1 year ago

@gggkearney the max_runs parameter controls the repeat parameter of the schedule resource that gets created from the patch_window specs. It will allow the resources from the patch run to be applied that number of times. This however does not prevent newly detected to-be-patched packages from getting applied if another run happens within the same patch window. This is because from Puppet's perspective, a new package has had 0 applies within the patch window and thus is allowed to be applied once.
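The following manifest is an added illustration of the behaviour described in the reply above; it is not code from puppetlabs-patching_as_code or from either commenter. It approximates the schedule resource that a patch_window with max_runs set to 1 maps onto, and binds two package resources to it: one that was already in the catalog when the window opened, and a hypothetical one that only shows up after the fact refresh. The schedule name, the `period` value and the second package's name are assumptions; the openssl version is taken from the log in the issue.

```puppet
# Added example, not the module's own code: an approximation of the schedule
# resource that patching_as_code derives from a patch_window with max_runs => 1.
# The "2nd Thursday" (count_of_week) handling is done by the module itself, not
# by Puppet's schedule type, so it is omitted here.
schedule { 'patch_window_2nd_thu_20_22':
  range   => '20:00 - 22:00',
  weekday => 'Thursday',
  period  => 'daily',   # assumption; the module's real period may differ
  repeat  => 1,         # max_runs => 1: each resource may apply once per period
}

# A package that was already listed in the pe_patch facts when the window
# opened. It was applied once at 20:04 (see the log), so its apply count for
# this period is 1 and Puppet skips it on any later run inside the window.
package { 'openssl.x86_64':
  ensure   => '1:1.0.2k-26.el7_9',   # version from the issue's log
  schedule => 'patch_window_2nd_thu_20_22',
}

# A package that first appears in the pe_patch facts after the fact refresh at
# the end of the first run (hypothetical name). In the next catalog it is a new
# resource with 0 applies recorded for this period, so the same schedule lets it
# through once. This is why patching can happen again inside the window even
# though max_runs is 1: the `repeat` counter is tracked per resource, not per
# schedule or per patch run.
package { 'hypothetical-newly-detected-package.x86_64':
  ensure   => 'latest',
  schedule => 'patch_window_2nd_thu_20_22',
}
```

Read this way, max_runs bounds how often the same package resource can be applied within the window; it does not bound the number of patch cycles in the window, because each cycle's fact refresh can introduce package resources that have never been applied.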