LinuxQuestions.org

Linux - Server: Is there a patch management tool for patching Heterogeneous Linux servers in an enterprise? (https://www.linuxquestions.org/questions/linux-server-73/is-there-a-patch-management-tool-for-patching-heterogeneous-linux-servers-in-an-enterprise-4175613437/)

pranesh.annamalai 09-08-2017 06:35 AM

Is there a patch management tool for patching Heterogeneous Linux servers in an enterprise?
 
Hi,
Is there a centralized patch management tool/mechanism by which we can patch heterogeneous Linux servers like CentOS, Ubuntu, Red Hat Linux, etc.? How can patching of these servers be done efficiently? Apologies for my ignorance; I am studying whether such a tool is available and how efficient it can be at enterprise level with ~4000 - 5000 Linux servers of various flavours.

wpeckham 09-08-2017 07:30 AM

Quote: Originally Posted by pranesh.annamalai (Post 5756759)

In general, the answer is "no". Both kernel and application versions, patch formats, package formats, file system trees, and configuration differences between those versions of Linux make them almost as different as Linux and Windows. One patch manager will not apply to all of them.

Now to specifics. There are some patch managers that CAN be configured to handle each of those versions separately and install what patches are available in the default repositories for that version. It is not pretty.

I have, in the past, built my own solutions rather than put up with the flaws in all of the existing packages I was able to discover. Something may have evolved to improve the situation since then; my last testing and rollout was a couple of years ago now.

PS. This gets REALLY easy if all of your nodes are the same version of the same distribution. For that there are multiple tools for patch management, and several good configuration management tools. Your problem is that the range of distributions you run makes the problem "interesting".

pranesh.annamalai 09-11-2017 05:10 AM

Quote: Originally Posted by wpeckham (Post 5756775)

Thanks a lot for this reply. Your response made me dig further on the internet, and I came up with this: https://www.ivanti.com/products/patc...linux-unix-mac. Please share your opinion on whether this tool would help with patching heterogeneously. Also, I came across some blogs where they mentioned at a high level the 'ansible' system configuration tool, which can be used for automating patch management on Linux servers, and a few about Spacewalk. Please share whether these tools would be of help.

wpeckham 09-11-2017 07:52 AM

Your link provided some interesting reading. I was not aware of that product, and they do a good job of selling the concept (and product) without actually revealing anything about HOW they resolve the problem. Without actually trying the product in a mixed environment I cannot tell you how well it works for a situation like yours, but they offer a free trial that might be illuminating.

Ansible is a powerful tool for configuration management and some kinds of automation. It understands a bit about RHEL, Windows Server, and VMware, but I am not at all sure it will grok Ubuntu or SUSE. I have not seen it used for patch management of any kind, and have no idea what a YAML rule for that would look like. Just because I have not used it for that does not mean no one has; you may want to get information from those who have tried.

SPACEWALK is a neat tool, but very RHEL specific (which means it also works well with Fedora, Scientific, and CentOS). To my knowledge, no one uses it for patch management for ANYTHING that does not look like RHEL.

There are tools that are nearly optimal for configuration management in an environment with many kinds of Linux, BSD, and Unix (AIX/HP-UX, etc.). There are tools that are optimal for configuration management of a Windows farm. I have not seen one that works over a range including multiple DIFFERENT versions of Linux AND works well with Windows, but I can believe one should exist. Those are not what you want; you want patch deployment over that range of systems. Since the patches and patch tools differ widely over that range of systems, the problem is "interesting" and the solution complex. I have not seen one working that is worth the price of a free trial. That does not mean it does not exist; it means I did not find one.

I would look for more answers before you test, and I would test before you buy. I might also want to contact and communicate with people who have tried and discovered the problems. (There are ALWAYS problems.) Generally the company will not want to give you contact information for contracts that they lost, but you need to find one or two of those people as well. All of this makes sure you do not pay for a product that does not solve your problems, or makes them WORSE. It also helps make your expectations realistic when you do adopt a solution.

A new thread requesting feedback from anyone who has attempted to use the IVANTI tool for patch management in a mixed environment might be in order.

I hope that this helps you a bit. I feel like I have provided a lot of NON-information, rather than any answers.

pranesh.annamalai 09-11-2017 08:05 AM

Quote: Originally Posted by wpeckham (Post 5757581)

I think I am moving in the right direction to find the solution; all your "Non-Information" really makes sense to me, and thanks for showing a direction.

chrism01 09-11-2017 11:40 PM

An alternative to Ansible is 'puppet', which can handle those 3 Linuxes.
It also handles MSWin (though only as a client, I believe).
It comes as Enterprise (paid for) or open source, i.e. free with no support. Your choice.

Others in that area include Chef & Salt. You should have a read (& play if possible) with all of them and decide which one you want.

pranesh.annamalai 09-12-2017 12:26 AM

Quote: Originally Posted by chrism01 (Post 5757839)

Ok. But can Chef be used for patching the servers as well? If so, can you help me with how it is used?

chrism01 09-13-2017 05:04 AM

I'm afraid we use Puppet where I work; I haven't used the other players in the market.
If you use Chef, I'd assume they have their own community support setup, e.g. https://www.chef.io/community/

pranesh.annamalai 09-13-2017 05:16 AM

Quote: Originally Posted by chrism01 (Post 5758301)

Thanks a lot

wpeckham 09-13-2017 05:20 AM

Quote: Originally Posted by chrism01 (Post 5758301)

Do you control patch levels or software version updates using puppet?

chrism01 09-26-2017 04:09 AM

Quote:

Do you control patch levels or software version updates using puppet?
Actually, in Puppet you can tag a pkg 'latest' so it always updates, or you can specify a specific 'version' (amongst other attributes) so it's always locked to that and won't update; see e.g.
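
As an added illustration of the 'latest' versus pinned 'version' behaviour described above, and of driving the CentOS/RHEL and Ubuntu hosts the thread asks about from one manifest, here is a Puppet class that is not from the thread or from Puppet's own documentation; the class name, package names and version string are assumptions.

```puppet
# Added example, not from the thread. Class name, package names and the
# pinned version string are illustrative assumptions.
class patch_policy (
  # Security-sensitive packages that should always track the newest build in the repo.
  Array[String]        $track_latest = ['openssl', 'bash'],
  # Packages locked to a known-good build; the pin stops a change-controlled
  # service from moving when the repo publishes a newer build.
  Hash[String, String] $pinned       = { 'nginx' => '1.14.0-1' },
) {
  # One manifest for both families: the package type picks the yum/dnf or
  # apt provider from facts, but the repository metadata still has to be
  # refreshed per family before 'latest' means anything.
  case $facts['os']['family'] {
    'RedHat': { $refresh_cmd = '/usr/bin/yum -q makecache' }   # RHEL, CentOS
    'Debian': { $refresh_cmd = '/usr/bin/apt-get -q update' }  # Ubuntu
    default:  { fail("Unsupported OS family: ${facts['os']['family']}") }
  }

  # Throttle the refresh so a 30-minute agent interval does not hammer mirrors.
  schedule { 'metadata-refresh':
    period => 'hourly',
    repeat => 1,
  }

  exec { 'refresh-package-metadata':
    command  => $refresh_cmd,
    schedule => 'metadata-refresh',
  }

  # ensure => latest: each agent run compares the installed build with the
  # repo and upgrades whenever the repo has something newer.
  package { $track_latest:
    ensure  => latest,
    require => Exec['refresh-package-metadata'],
  }

  # ensure => '<version>': exactly this build is installed and the agent
  # will not move it, even when the repo publishes something newer.
  $pinned.each |String $name, String $version| {
    package { $name:
      ensure  => $version,
      require => Exec['refresh-package-metadata'],
    }
  }
}
```

Run the agent with --noop first to see which nodes would change before letting it upgrade anything.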

derek765 01-17-2018 05:02 AM

Ivanti / Lumension .. ?
 
Has anyone used it / what are your thoughts about the product? We use it on Windows and are thinking of extending it to Linux (OEL and RHEL).

Thanks
