I'm interested in hearing how everyone is managing security patching for Linux endpoints, particularly Rocky and Ubuntu, in real-world scenarios. I'm currently using a setup that includes Netbox, Ansible, Rundeck, GitLab, and OpenSearch, and here's my typical workflow:
- Use Ansible to patch Ubuntu and Rocky endpoints.
- Temporarily back up existing user-added and third-party repos with Ansible.
- Apply patches for kernel and OS packages from official sources.
- Restore the repository state afterward.
- Keep logs of what has been patched, what didn't change, what failed, along with reboot status and uptime.
- Store this information in OpenSearch for auditing purposes.
- Update device tags in Netbox to mark them as patched and maintain a last patch date.
- Review the hosts again after about 30 days.
Additionally, I have a recurring job that checks connectivity through SSH every 10 minutes, which updates status in Netbox. While it works, I sometimes feel like I'm running a complicated patch management system with a lot of moving parts. I'm curious to know if anyone has a more streamlined or effective solution. Would using Tower provide benefits that Rundeck can't?
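As an added example, not the poster's own playbook and not code from any of the projects named in the thread, here is one Ansible play that follows the steps listed above: stash user-added and third-party repo definitions, patch from the official repositories only, put the repo files back in an always section so a failed upgrade still leaves the host as it was found, decide whether a reboot is needed, then post one audit document per host to OpenSearch and tag the device in Netbox. Everything not in the post is an assumption: the inventory group linux_endpoints, the opensearch_* and netbox_* variables (expected from group_vars or vault), a Netbox custom field last_patch_date and an existing tag named patched, and the rule that Rocky's own repo files are named rocky*.repo while Ubuntu's official sources live in /etc/apt/sources.list, so every file in sources.list.d is treated as third-party.

```yaml
---
# Added example, not the OP's playbook. Group name, variables, tag and custom
# field names are assumptions (see lead-in), not anything the post states.
- name: Patch Ubuntu and Rocky endpoints from official repositories only
  hosts: linux_endpoints
  become: true
  serial: "25%"   # patch in batches so one bad update cannot take every host down
  vars:
    debian: "{{ ansible_facts.os_family == 'Debian' }}"
    repo_dir: "{{ '/etc/apt/sources.list.d' if debian | bool else '/etc/yum.repos.d' }}"
    stash_dir: "/root/repo-stash-{{ ansible_facts.date_time.date }}"
  tasks:
    - name: Remember the running kernel and the start time
      ansible.builtin.set_fact:
        kernel_before: "{{ ansible_facts.kernel }}"
        started_at: "{{ ansible_facts.date_time.iso8601 }}"
    - name: Find user-added and third-party repo definitions
      ansible.builtin.find:
        paths: "{{ repo_dir }}"
        patterns: "*.list,*.sources,*.repo"
        excludes: "rocky*.repo"   # assumption: Rocky's official repo files
      register: third_party
    - name: Create a root-only stash directory for the repo files
      ansible.builtin.file:
        path: "{{ stash_dir }}"
        state: directory
        mode: "0700"
    - name: Patch with third-party repos set aside; the always section restores them
      block:
        - name: Move third-party repo files into the stash (the moved file is the backup)
          ansible.builtin.command:
            cmd: "mv {{ item.path }} {{ stash_dir }}/"
          loop: "{{ third_party.files }}"
        - name: Apply kernel and OS updates (Ubuntu)
          ansible.builtin.apt:
            update_cache: true
            upgrade: dist
          register: apt_result
          when: debian | bool
        - name: Apply kernel and OS updates (Rocky)
          ansible.builtin.dnf:
            name: "*"
            state: latest
            update_cache: true
          register: dnf_result
          when: not debian | bool
      rescue:
        - name: Record the failure so it still reaches OpenSearch instead of aborting
          ansible.builtin.set_fact:
            patch_failed: true
      always:
        - name: Put every repo file back where it came from
          ansible.builtin.command:
            cmd: "mv {{ stash_dir }}/{{ item.path | basename }} {{ item.path }}"
          loop: "{{ third_party.files }}"
    # Ubuntu: the flag file exists (rc 0) when a reboot is needed.
    # Rocky: needs-restarting -r (dnf-utils) exits 1 when a reboot is needed.
    - name: Check whether the host needs a reboot
      ansible.builtin.command:
        cmd: "{{ 'test -e /var/run/reboot-required' if debian | bool else 'needs-restarting -r' }}"
      register: reboot_check
      failed_when: false
      changed_when: false
    - name: Reboot only when the package manager says it is required
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: (debian | bool and reboot_check.rc == 0) or (not debian | bool and reboot_check.rc == 1)
      register: reboot_result
    - name: Re-gather facts for the post-patch kernel and uptime
      ansible.builtin.setup:
    - name: Ship one audit document per host to OpenSearch
      ansible.builtin.uri:
        url: "{{ opensearch_url }}/patching-{{ ansible_facts.date_time.date }}/_doc"
        method: POST
        url_username: "{{ opensearch_user }}"
        url_password: "{{ opensearch_password }}"
        force_basic_auth: true
        body_format: json
        status_code: [200, 201]
        body:
          host: "{{ inventory_hostname }}"
          distro: "{{ ansible_facts.distribution }} {{ ansible_facts.distribution_version }}"
          started_at: "{{ started_at }}"
          finished_at: "{{ ansible_facts.date_time.iso8601 }}"
          changed: "{{ apt_result.changed | default(false) or dnf_result.changed | default(false) }}"
          failed: "{{ patch_failed | default(false) }}"
          package_manager_output: "{{ dnf_result.results | default(apt_result.stdout | default('')) }}"
          kernel_before: "{{ kernel_before }}"
          kernel_after: "{{ ansible_facts.kernel }}"
          rebooted: "{{ reboot_result.rebooted | default(false) }}"
          uptime_seconds: "{{ ansible_facts.uptime_seconds }}"
      delegate_to: localhost
      become: false
    - name: Tag the device as patched in Netbox and stamp the last patch date
      netbox.netbox.netbox_device:
        netbox_url: "{{ netbox_url }}"
        netbox_token: "{{ netbox_token }}"
        data:
          name: "{{ inventory_hostname }}"
          tags: [patched]
          custom_fields:
            last_patch_date: "{{ ansible_facts.date_time.date }}"
        state: present
      delegate_to: localhost
      become: false
      when: not (patch_failed | default(false))
```

Two parts are worth keeping even if the rest is swapped for a product: the restore lives under always, so a failed dnf or apt run cannot leave the host with its third-party repos missing, and serial bounds how many hosts a bad kernel can take down in one run. The failed flag is deliberately recorded and shipped rather than letting the play abort, so OpenSearch holds the failures alongside the successes, and Netbox is only tagged when the run actually succeeded. Repo files are moved rather than copied, which keeps backup and removal as one step; if a host has no third-party files the loops simply do nothing.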
5 Answers
I’ve been experimenting with Orcharhino, which is built on Foreman/Katello. It’s great for managing multiple Linux distros, including Debian and Ubuntu. It does a lot more than just patching and can give you a comprehensive view of various repositories and errata.
I've been using a simple daily cron job with 'yum upgrade' for years, and it’s worked without issues. I think people tend to overcomplicate it. If you keep up with frequent patches, you’ll avoid a lot of the headaches that come from trying to manage complex procedures. In the last two decades, I’ve only ever had to roll back one package!
Totally agree! Keeping it simple can lead to a smoother experience, especially if you're patching often.
Right, but for companies under strict audits, having a more controlled process might be necessary.
We've been using Ansible along with Automox for about two years and it’s been fantastic! Automox helps us manage all the patching as code. It’s been a real game-changer for keeping everything updated.
I’ve heard good things about Automox! Just hope we can fit it into our budget.
I’m using Ansible combined with Satellite and Azure Update Manager. It helps track patch status and can freeze repositories at certain times. So, I can use Ansible to update the nodes and reboot them as necessary.
Just a heads up, Satellite is designed for Red Hat environments primarily, but it does a good job at managing patching.
My setup is much simpler, really. I just have a cron job that checks the version and last patch date for all servers. I group production servers to minimize risk when something goes wrong during updates. Plus, I take VMware snapshots and log everything meticulously without patching all servers at once.
That’s a smart approach to minimize disruptions—good idea with the snapshots!

That sounds interesting! We primarily use RHEL, but I might look into it for our Ubuntu instances.