On Nov 2, 2:26 pm, Joel Merrick <joel.merr...@gmail.com> wrote:
> Hi Puppeteers!
>
> I've just been speaking to Ohad on #theforeman about package
> management, specifically about generating lists of packages : version
> numbers across the estate for things like patch management.
>
> DISCLAIMER: I'm new to puppet!
>
> What I was initially thinking was extended facter to produce a
> dpkg/rpm etc.. output but I've been told that facter doesn't produce
> hashes and the size of the list would probably exceed the available
> HTTP GET? Ohad showed me some code that would generate this list, but
> it obviously doesn't tie straight into puppet.
>
> Is there any way this could be accomplished? I suppose the nirvana for
> me would be to be able to instantly see if a package needs updating,
> based upon a CVE/DSA/RSA etc similar to the way pakiti does it [1]..
> (although I suppose a sources.list with just security sources would
> do) and then use something like mcollective to slowly, but safely
> upgrade the package.
Not 100% on what you're trying to achieve, even after looking at
Pakiti. A few questions... Do you know the packages that need updating
or do you have a list of ones that need to be kept up to date? Do you
just want to keep everything up to date? Do you want to be TOLD what
needs updating across your site and then click/run something that will
automatically do it?
For the first one, you can use Puppet to ensure the latest version of
a set list of packages is the latest version. This of course assumes
you're running on an OS where the Puppet provider allows such an
action:
$package_list = [ "glibc", "kernel" ]
package { $package_list:
ensure => latest,
}
For the second, you could use Puppet to execute a global update of
packages every night either with an 'exec' resource or 'cron'
resource.
For the third you won't be able to easily achieve that with stock
Puppet. One idea might be to write a custom fact to print a comma
separated list of packages and version numbers that you could then do
"something" with. The facter output might look like:
$facter
...
upgradeable_packages => lm_sensors-2.10.7-9.el5,glibc-
common-2.5-49.el5_5.7,nscd-2.5-49.el5_5.7
But you might run into some string size limit somewhere.
What do you mean by "slowly, but safely upgrade the package"? Are you
afraid of compatibility issues between upgrades and want a great deal
of control?
If you are gearing towards option 3, I'm not sure Puppet's the best
tool the job. I use CentOS and so I'd look into the free version of
Red Hat's Satellite, Spacewalk for fine tuned software update control
and deployment if I wanted to achieve the same thing.
> Has this been thought of as an approach at all, or do people here use
> their own repo's and just finely control what goes into it and use
> some other mechanism to push the updates?
> Any thoughts on this matter greatly appreciated,
>
> Cheers
> Joel
>
> [1]http://pakiti.sourceforge.net/
>
> --
> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
