https://github.com/stromweld/chef_autopatch_ii

Development repository for the autopatch_ii Chef Cookbook

[![Chef cookbook](https://img.shields.io/cookbook/v/autopatch_ii.svg)]()

# autopatch_ii

## Description

Chef Cookbook for automatically patching nodes on a specific schedule (weekday, hour, and minute). Handles weekly or monthly patching routines with or without node splay for large environments.

Much of this code was copied from the Chef cookbook auto-patch written by Brian Flad. I've modified it to work with Windows and use Windows' more flexible task scheduling, with some magic to get it to also work with Linux cron.

## Requirements

### Platforms

* RHEL-based platforms
* Debian-based platforms
* Windows-based platforms

### Cookbooks

* cron
* logrotate

## Attributes

| Attribute | Default | Comment |
| ------------- | ------------- | ------------- |
| ['autopatch_ii']['disable'] | false | Boolean, set to true to disable automatic patching on the node |
| ['autopatch_ii']['domain'] | 'example.com' | String, DNS domain the server resides in |
| ['autopatch_ii']['task_username'] | 'SYSTEM' | String, account the scheduled task runs as; used only for Windows task scheduling |
| ['autopatch_ii']['task_frequency'] | :monthly | Symbol, one of :monthly or :weekly |
| ['autopatch_ii']['task_frequency_modifier'] | 'THIRD' | String, which week of the month the task runs in (monthly frequency only) |
| ['autopatch_ii']['task_months'] | 'JAN,FEB,MAR,APR,MAY,JUN,JUL,AUG,SEP,OCT,NOV' | String, CSV list of three-letter month abbreviations in which the task runs; '*' means all months. Note that the default omits DEC, so no patching happens in December |
| ['autopatch_ii']['task_days'] | 'TUE' | String, CSV list of three-letter weekday abbreviations the task runs on |
| ['autopatch_ii']['task_start_time'] | '04:00' | String, 24h HH:MM time at which patching starts |
| ['autopatch_ii']['desired_timezone_name'] | nil | String, TZ database name (e.g. 'America/Chicago') |
| ['autopatch_ii']['working_dir'] | node['os'] == 'windows' ? 'C:\chef_autopatch' : '/var/log/chef_autopatch' | String, directory for the log file and temp files. On Windows the scheduled task executes the script from this directory as `task_username` (SYSTEM by default), so keep it writable by administrators only |
| ['autopatch_ii']['command'] | value_for_platform_family(windows: "PowerShell -ExecutionPolicy Bypass -Command \"#{node['autopatch_ii']['working_dir']}\\autopatch.ps1\"", default: '/usr/local/sbin/autopatch 2>&1',) | String, command the cron job or scheduled task runs to start the patch script |
| ['autopatch_ii']['download_install_splay_max_seconds'] | 3600 | Integer, upper bound of the random delay (seconds) each node waits before downloading and installing patches, so that a large fleet does not hit the on-premises patch repository all at once |
| ['autopatch_ii']['email_notification_mode'] | 'Always' | String, whether to send a status email after patches are installed and before the reboot |
| ['autopatch_ii']['email_to_addresses'] | '"[email protected]"' | String, email address the nodes send the status email to |
| ['autopatch_ii']['email_from_address'] | "#{node['hostname']}@example.com" | String, email address the status email is sent from |
| ['autopatch_ii']['email_smtp_server'] | 'smtp.example.com' | String, SMTP server the email is forwarded to. The cookbook passes no SMTP credentials, so a relay that accepts unauthenticated mail from the patching nodes is expected; restrict such a relay to those nodes' source addresses |
| ['autopatch_ii']['auto_reboot_enabled'] | true | Boolean, reboot the server automatically after patches have been installed, or leave it for a manual reboot |
| ['autopatch_ii']['updates_to_skip'] | os.windows? ? '' : [] | Regex String passed to PowerShell's -notmatch on Windows, or Array of Strings of package names to skip during patching on Linux |
| ['autopatch_ii']['update_command_options'] | '' | String, any additional options passed to the yum command on Linux |
| ['autopatch_ii']['private_lin_autopatch_disabled_programmatically'] | false | Boolean, DO NOT MODIFY; set programmatically to record whether the cron job should skip the current month |

## Recipes

* `recipe[autopatch_ii]` configures automatic patching and patches the server on the first chef-client run
* `recipe[autopatch_ii::firstrun_patches]` creates a lock file and runs patches for the first time; on later runs it does nothing as long as the lock file exists on the filesystem
* `recipe[autopatch_ii::linux]` creates the cron job and installs the autopatch scripts
* `recipe[autopatch_ii::windows]` creates the Windows scheduled task and installs the autopatch scripts

## Usage

* Change any attributes to fit your patching cycle
* Add `recipe[autopatch_ii]` to your node's run list

### Weekly automatic patching

Set the `node["autopatch_ii"]['task_frequency'] = :weekly` attribute to override the monthly default; the task then runs on every weekday listed in `task_days`.

### Automatic patching of large numbers of nodes

If you're auto patching many nodes at once, you can modify the splay to prevent a denial of service against your network, update server(s), and resources:

* Set `node["autopatch_ii"]["download_install_splay_max_seconds"]` (default 3600) to the widest random delay, in seconds, that each node may wait before downloading and installing patches

### Disabling automatic patching

* Set `node["autopatch_ii"]["disable"]` to true
* Run chef-client on your node

## License and Author

Author:: Brian Flad ()

Author:: Corey Hemminger ()

Copyright:: 2022

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.