Re,
On 2014-07-21 09:35, dhaval thakar -SkillnetED wrote:
-------- Original Message --------
Subject: Re: [Puppet Users] Apply patch once to windows node
From: David Schmitt <da...@dasz.at>
To: puppet-users@googlegroups.com
Date: 07/21/2014 11:39 AM
On 2014-07-15 15:36, Dhaval Thakar wrote:
Hi All,
I am starting to use puppet to manage windows nodes, tried searching but
couldn't find solution for this...
I need to apply kaspersky patch using puppet to windows nodes. So far I
have used kaspersky server to install / upgrade / patch antivirus.
Trying to get it done using puppet.
Can someone guide me to run windows command on nodes only once ? This
patch does not update installed application version hence couldn't use
Package in manifest file.
Trying to understand your use-case here: What is the problem of using
the kaspersky server to deploy the AV patches?
To answer you primary question: If you find a way to programmatically
check whether the patch is applied or not, and you know how to install
the patch by code, you can implement a exec resource with an onlyif
argument to do so. It'll probably be a pain to maintain and will not
scale as patches accumulate.
Regards, David
Hi,
Thanks for the reply.
Only valid reason I have is to install patches on fresh OS, along with
AV which may not work if I push patches using kasper, kasper admin
maintains its local catalogue for app / patch deployment. Also these
patches does not change ver number for installed AV. Another reason is
to learn puppet.
For now I have created following menifest which works fine on test
setup. I am yet to use it for all users. Pl reply if you find any kind
of configuration error etc.
class av_patches {
if ! defined(Package["Kaspersky Endpoint Security 10 for
This defined() condition should not be necessary: Have only a single
location where the package is defined.
Windows"]) {
package { "Kaspersky Endpoint Security 10 for Windows":
ensure => installed,
}
}
file { "c:/software/patch_10_1_249.exe":
ensure => present,
source =>
"puppet:///modules/av_patches/patch_10_1_249.exe",
require => Package["Kaspersky Endpoint Security 10 for Windows"],
}
file { "c:/software/patch_pfsf2.exe":
ensure => present,
source => "puppet:///modules/av_patches/patch_pfsf2.exe",
require => Package["Kaspersky Endpoint Security 10 for Windows"],
}
exec { "patch_10_1_249":
command => 'c:/software/patch_10_1_249.exe /s',
creates => "c:/software/patch_10_1_249-installed",
require => File["c:/software/patch_10_1_249.exe"],
notify => File["c:/software/patch_10_1_249-installed"],
}
file { "c:/software/patch_10_1_249-installed":
ensure => file,
require => Exec["patch_10_1_249"],
}
exec { "patch_pfsf2":
command => 'c:/software/patch_pfsf2.exe /s',
creates => "c:/software/patch_pfsf2-installed",
require => File["c:/software/patch_pfsf2.exe"],
notify => File["c:/software/patch_pfsf2-installed"],
}
file { "c:/software/patch_pfsf2-installed":
ensure => file,
require => Exec["patch_pfsf2"],
}
Interesting chaining for stampfileing! I haven't seen that one before
and it looks nice, given the circumstances.
The important thing to test is that calling the patch installers a
second time doesn't result in an error. Else that construct might need
manual intervention, when something interrupts puppet after installing
the patch but before doing the -installed file.
}
All in all it looks like a pragmatic solution to an ugly problem. When
you'll gain experience with new patches in your environment, you might
want to look into extracting the patch versions into a variable to avoid
editing it in many places, but that is already nitpicking.
Regards, David
--
* Always looking for people I can help with awesome projects *
G+: https://plus.google.com/+DavidSchmitt
Blog: http://club.black.co.at/log/
LinkedIn: http://at.linkedin.com/in/davidschmitt
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/53CCDFAB.3080909%40dasz.at.
For more options, visit https://groups.google.com/d/optout.
