This repository has been archived by the owner on Jul 23, 2022. It is now read-only.

collinmcneese/chef_linux_patching


linux_patching

Work-In-Progress for applying Linux OS patches to systems without using an upstream application for locking package versions.

Supported Platforms

  • CentOS
  • Fedora
  • Red Hat Enterprise Linux
  • Oracle Linux
  • Amazon Linux
  • Ubuntu (Not Yet Implemented)
  • Debian (Not Yet Implemented)
  • OpenSuse (Not Yet Implemented)

Attributes

All attributes used by this cookbook are nested under the linux_patching key.

Attributes - default

Default attributes are used in this cookbook to provide values which can be set via policy as needed for deployments.

# Enrollment status; cookbook logic will not process the node unless it is enrolled
default['linux_patching']['enrollment'] = true

# Enables verbosity for some of the patching components, disabled by default.
default['linux_patching']['debug'] = false

# Directories which should be present on the system, used by config and patch processes
default['linux_patching']['dirs'] = {
  base: '/path/to/dir',
  logging: '/path/to/dir',
}

# Data bag name to use for item lookups
default['linux_patching']['data_bag'] = 'data_bag_name'

Attributes - base_packages

Used to populate listing of base packages which should exist on systems without a specific version pin.

default['linux_patching']['base_packages'] = {
  'platform_name' => {
    'platform_version' => [
      'package',
      'name',
      'array',
    ],
  },
}
  • base_packages : Base packages are consumed by the config recipe to specify packages which should always exist on a system.

Attributes - freeze_packages

Listing of packages which should be kept at a specified version level, per platform/version.

default['linux_patching']['freeze_packages'] = {
  'platform_name' => {
    'platform_version' => [
      # Example:
      # {"package" => "audit-libs.x86_64", "version" => "1.8-2.el5"}
    ],
  },
}
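The two attribute tables above are keyed by platform and then by platform version, and the helpers described later resolve a node against them and omit frozen packages from the update set. The following is an added example of that resolution in plain Ruby; it is not the cookbook's own helper code, and the package names, versions and the assumption that the version key is the major version only (the "Integer form" the README mentions) are constructed for illustration.

```ruby
# Added example: resolving per-platform package lists of the documented shape.
# Not the cookbook's own implementation; sample data below is constructed.
require 'set'

# Constructed sample in the base_packages layout (no version pins).
BASE_PACKAGES = {
  'centos' => {
    '7' => %w[audit vim-enhanced chrony],
    '8' => %w[audit vim-enhanced chrony],
  },
  'ubuntu' => {
    '20' => %w[auditd vim chrony],
  },
}.freeze

# Constructed sample in the freeze_packages layout (package + pinned version).
FREEZE_PACKAGES = {
  'centos' => {
    '7' => [
      { 'package' => 'audit-libs.x86_64', 'version' => '2.8.5-4.el7' },
      { 'package' => 'kernel.x86_64', 'version' => '3.10.0-1160.el7' },
    ],
  },
}.freeze

# Chef reports platform_version as a string such as "7.9.2009"; this example
# assumes the table keys are the major version in Integer form, as the README
# describes for the baseline lookup.
def major_version(platform_version)
  platform_version.to_s.split('.').first.to_i
end

# Look up the platform / major-version entry; unknown platform or version
# resolves to an empty list rather than raising, so an unlisted node simply
# gets no baseline and no pins.
def platform_entry(table, platform, platform_version)
  table.fetch(platform, {}).fetch(major_version(platform_version).to_s, [])
end

def baseline_packages(platform, platform_version, table = BASE_PACKAGES)
  platform_entry(table, platform, platform_version)
end

def frozen_packages(platform, platform_version, table = FREEZE_PACKAGES)
  platform_entry(table, platform, platform_version)
end

# Given candidate updates (hashes with 'package' and 'version') and the frozen
# list for this node, return only the updates that may be applied: any package
# present on the freeze list is pinned and is omitted from patching.
def applicable_updates(updates, frozen)
  pinned = frozen.map { |f| f['package'] }.to_set
  updates.reject { |u| pinned.include?(u['package']) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed candidate update list, as a data bag item might supply it.
  updates = [
    { 'package' => 'kernel.x86_64', 'version' => '3.10.0-1160.99.1.el7' },
    { 'package' => 'openssl.x86_64', 'version' => '1.0.2k-26.el7' },
  ]
  frozen = frozen_packages('centos', '7.9.2009')
  puts "baseline: #{baseline_packages('centos', '7.9.2009').join(' ')}"
  puts "frozen:   #{frozen.map { |f| f['package'] }.join(' ')}"
  puts "to apply: #{applicable_updates(updates, frozen).map { |u| u['package'] }.join(' ')}"
end
```

Pinning is matched on package name only here; the pinned version in the freeze entry is the version the package should stay at, and a separate check comparing it with the installed version is where drift from the pin would be detected.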

Data Bags

This cookbook has the option to source schedule and patching information from Data Bag contents.

Data Bags - linux_patching

The linux_patching data bag can optionally contain items which provide schedule and patch data to clients during the patch process.

  • schedule : The schedule data bag item is consumed by the linux_package_update resource when the use_data_bag property is set to true, and is searched by the patch_window_active? helper method.
    {
      "id": "schedule",
      "policy_group1": {
          "start_date": "YYYYMMDD",
          "end_date": "YYYYMMDD",
          "start_hour": "HH",
          "end_hour": "HH"
      },
      "policy_group2": {
          "start_date": "YYYYMMDD",
          "end_date": "YYYYMMDD",
          "start_hour": "HH",
          "end_hour": "HH"
      }
    }
    • policy_group : This should be the policy group name (or Chef Environment) which the schedule is set for. Nodes will search the data bag item for their node['policy_group'] or node['chef_environment'] to find a match.
  • updates-platform-version : Items that start with updates are lists of packages which should be applied to systems. These packages are generated by the update_patchlist fixture cookbook included in this repository as the named run-list update_patchlist.

Data Bags - linux_patching_stage

The linux_patching_stage data bag is fed from the update_patchlist fixture cookbook included in this repository. When update_patchlist converges on a kitchen suite, a current snapshot of available packages is generated and saved as an item to this data bag, named in the format updates-platform_name-platform_version. This list can be promoted from the linux_patching_stage data bag to linux_patching to act as the list of frozen package versions that should be referenced when running the patch update process.

Helpers

This cookbook contains custom helper methods, defined in libraries/linux_patching.rb.

  • my_baseline_packages : Used in the config recipe, this method looks for packages which should be installed by default from attribute node['linux_patching']['base_packages'] without regard to a specific version. This will search for node['linux_patching']['base_packages'] contents that further match the node's platform and platform_version (converted to Integer form).
  • my_frozen_packages : Used as a reference list of packages that should not be updated by the patching process. Packages which match the platform and platform_version in this list from attribute node['linux_patching']['freeze_packages'] will be omitted from patching, allowing for a mechanism to skip patches for specific packages if needed.
  • my_update_packages : Used by the linux_package_update custom resource, this helper runs a data bag search if the use_data_bag property is set to true and returns the list of packages which should be applied during the update process.
  • patch_window_active? : Used by the linux_package_update custom resource, this helper runs a data bag search if the use_schedule property is set to true, checks whether schedule data is present for the node's policy group or environment, and, if a result is found, evaluates whether the patch window is currently active.
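The schedule item format and the patch_window_active? helper above are only described in prose, so here is an added Ruby example of the evaluation: a schedule item of the documented shape is matched against the node's policy group (falling back to chef_environment) and a clock. It is not the cookbook's own library code. The policy group names, dates and the hour semantics (start_hour inclusive, end_hour exclusive, windows not crossing midnight) are assumptions made for the example.

```ruby
# Added example: evaluating a `schedule` data bag item against a node and a
# clock. Not the cookbook's own helper; sample item below is constructed.
require 'date'

# Constructed schedule item in the README's documented format.
SCHEDULE_ITEM = {
  'id' => 'schedule',
  'prod' => {
    'start_date' => '20220701', 'end_date' => '20220703',
    'start_hour' => '02', 'end_hour' => '05',
  },
  'staging' => {
    'start_date' => '20220620', 'end_date' => '20220620',
    'start_hour' => '22', 'end_hour' => '23',
  },
}.freeze

# Lookup order as the README describes: the node's policy_group first, then
# its chef_environment. nil when neither key is present in the item.
def schedule_for(item, policy_group, chef_environment)
  item[policy_group] || item[chef_environment]
end

# Strict parsing of the YYYYMMDD / HH fields. A malformed entry raises rather
# than silently evaluating to an open window; base 10 is given explicitly so
# that "08" and "09" are not rejected as invalid octal.
def parse_window(entry)
  start_day  = Date.strptime(entry.fetch('start_date'), '%Y%m%d')
  end_day    = Date.strptime(entry.fetch('end_date'), '%Y%m%d')
  start_hour = Integer(entry.fetch('start_hour'), 10)
  end_hour   = Integer(entry.fetch('end_hour'), 10)
  unless (0..23).cover?(start_hour) && (0..24).cover?(end_hour)
    raise ArgumentError, 'hour out of range'
  end
  # Assumption for this example: windows do not wrap past midnight.
  raise ArgumentError, 'window ends before it starts' if end_day < start_day || end_hour <= start_hour
  [start_day, end_day, start_hour, end_hour]
end

# True when `now` is on a date within [start_date, end_date] and its hour is
# within [start_hour, end_hour). No matching schedule entry means no window,
# so a node with no schedule never patches by accident.
def patch_window_active?(item, policy_group, chef_environment, now = Time.now)
  entry = schedule_for(item, policy_group, chef_environment)
  return false if entry.nil?

  start_day, end_day, start_hour, end_hour = parse_window(entry)
  return false unless (start_day..end_day).cover?(now.to_date)

  (start_hour...end_hour).cover?(now.hour)
end

if __FILE__ == $PROGRAM_NAME
  t = Time.new(2022, 7, 2, 3, 15, 0)
  puts "prod at #{t}: #{patch_window_active?(SCHEDULE_ITEM, 'prod', 'production', t)}"
  puts "dev at #{t}:  #{patch_window_active?(SCHEDULE_ITEM, 'dev', 'qa', t)}"
end
```

Because `now` is a parameter, the decision can be unit-tested at fixed instants, and the strict parser means a typo in a date field shows up as a failed converge instead of an unexpected patch run.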

Resources

This cookbook contains custom resources for some functionality, included under the resources directory.

  • linux_package_update :
  • inspec_exec :

Usage

About

Chef cookbook example for Linux Patching
