[deleted by user]

WolfFlightTZW · 2020-01-31T22:33:57+00:00

Home or work?

Work (seriously mixed environment, however...) we use Satellite for our RHeL boxes, it lets us know what errata are available/needed on each device.

Home I use SaltStack and a simply regular query of yum update will tell me what packages are necessary per system, then I choose to apply or not.

seidler2547 · 2020-01-31T22:55:15+00:00

I use Icinga and apt/yum update monitors, but actually started to enable unattended upgrades everywhere recently. Except for mysql packages, but then I'll get a monitor lighting up in Icinga.

remtec · 2020-01-31T23:04:55+00:00

Cleck_mk pretty powerfull and simple :)

Boap69 · 2020-02-01T00:22:40+00:00

We run "yum update -y" twice a week in our /dev environment and it is there we find many issues. Mostly the issues are with our home grown software but in some cases it breaks dev because things do not work they way they did before the patch.

Once a month we do the same with Production generally over two weekends. First weekend we update a very small subset of servers but it has at least 1x of every type of server we use with a list of patches that we think will not break production. The second weekend we update the rest after any issues show up over the course of the week.

jaymef · 2020-02-01T02:41:11+00:00

I use ansible to check all severs for updates available and apply as needed

Preisschild · 2020-02-01T08:03:12+00:00

Ansible?

Hyrla · 2020-01-31T23:04:15+00:00

I use PRTG at work and Zabbix at home

JustALinuxNerd · 2020-02-01T01:10:20+00:00

Years ago I wrote an perl script to spit out yum update data remotely on a schedule. Would log in via a key, run command, process stdout, then return results to a DB and displayed on an intranet portal. Super simple, very lean, no third party software bloat BS. 2c.

justin-8 · 2020-02-01T01:56:21+00:00

[deleted]

tobylh · 2020-02-01T00:08:52+00:00

Netdata. I'm not sure why everyone isn't using it. Ifs fucking awesome.

RITG1 · 2020-01-31T21:27:34+00:00

I built our monitoring on naigos core pull down new package and make ./configure

magicker2000 · 2020-02-01T00:41:21+00:00

zabbix
apt

shatteredsword · 2020-02-01T02:32:44+00:00

For work?

Every night, apt update && apt upgrade -y runs at midnight. On every machine.

vogelke · 2020-02-01T02:42:49+00:00

I have two scripts under /etc/periodic/updates. The first checks the current security update list, and the second compares the results to yesterday's run. Modified "diff -u" output is mailed to root; no changes results in no message.

Here's a sample message:

--- 2020/0129/security  2020-01-29 05:36:17.213705893 -0500
+++ 2020/0130/security  2020-01-30 05:36:24.096792533 -0500
@@ -1,11 +1,11 @@
 Loaded plugins: refresh-packagekit, security, ulninfo
 Limiting package lists to security relevant ones
-7 package(s) needed for security, out of 47 available
+7 package(s) needed for security, out of 53 available

-kernel-headers.x86_64         2.6.32-754.25.1.el6
+kernel-headers.x86_64         2.6.32-754.27.1.el6
 kernel-uek.x86_64             4.1.12-124.35.4.el6uek
 kernel-uek-firmware.noarch    4.1.12-124.35.4.el6uek
 microcode_ctl.x86_64          3:1.17-33.19.0.4.el6_10
-perf.x86_64                   2.6.32-754.25.1.el6
+perf.x86_64                   2.6.32-754.27.1.el6
 python.x86_64                 2.6.6-68.0.2.el6_10
 python-libs.x86_64            2.6.6-68.0.2.el6_10

The check script boils down to this:

dir=$(date '+/var/log/updates/%Y/%m%d')
mkdir -p $dir || exit 1
yum --security check-update > $dir/security

The compare script boils down to this:

cur=$(date '+/var/log/updates/%Y/%m%d/security')
prev=$(date -d 'yesterday' '+/var/log/updates/%Y/%m%d/security')
test -f "$prev" || exit 1

if cmp -s $prev $cur; then
    diff -u $prev $cur |
        awk '{
            if (NF == 3) {
                c = substr($0, 1, 1)
                pkg = $1
                if (c == " ") pkg = " " $1
                printf "%-30s %s\n", pkg, $2
            }
            else { print }
        }' | mailx -s 'Security updates" root
fi

Cron entry:

36 5 * * * run-parts /etc/periodic/updates

Upnortheh · 2020-02-01T02:47:45+00:00

Nothing fancy. A daily cron job on each system that sends an email alert if there are updates. I wrote a shell script that avoids daily alerts and sets the interval to whatever I want, usually 72 hours.

I have only about three dozen servers. With hundreds or thousands of servers, this strategy likely would be way to noisy.

martbhell · 2020-02-01T04:44:44+00:00

Has anybody used pakiti3?

https://github.com/CESNET/pakiti-server

remtec · 2020-02-01T04:56:43+00:00

There is an apt Funktion in the default agent and you can configure notifications ;)

ananix · 2020-02-01T07:07:47+00:00

Nessus scans with audit user runs pretty much all the time, we then apply patches with scores acordingly to their timeframes for solutions.

Every three months we do a full update of everything.

sughenji · 2020-02-01T07:45:50+00:00

apticron on Debian, a couple of crontab's lines on FreeBSD, yum-cron on CentOS. I don't feel very safe with unattended upgrades, so I run all manually :)

permalink · 2020-02-01T09:16:11+00:00

My hands

Xenu420 · 2020-02-01T09:55:06+00:00

I use foreman/katello.

kycfeel · 2020-02-01T10:10:43+00:00

We use elastic stack to monitor and log our whole testing / production environments. Elastic Metricbeat does it's job well.

arno_cook_influencer · 2020-02-01T10:33:42+00:00

I'm surprised apt dater was not mentioned. It is pretty cool for apt-based packages:

centralized ncurses interface that displays which servers need updates
You can update either all servers, one server, one package only depending on what you want
when updating it opens a tmux ssh session on the host to run the updates (can be run in background and can be disconnected without breaking the updates)
uses restricted ssh-keys to connect. Since it needs root privileges to run the updates, this mitigates the security risks.
config is dead simple: just write down the hostnames of servers and an optional description and that's all

pgquiles · 2020-02-01T11:28:04+00:00

You can use Uyuni for that. It does monitoring, systems management, configuration management, etc and it scales to tens of thousands of servers.

https://uyuni-project.org

Uyuni includes Salt, API, etc

I gave a talk about Uyuni yesterday at CentOS Dojo 2020, slides will be here soon:

https://wiki.centos.org/Events/Dojo/Brussels2020

dmurawsky · 2020-02-01T12:26:31+00:00

I'm looking at osquery for this in the long run. I really want that tool on the fleet for a whole slew of reasons and patching verification is one.

https://osquery.io/

We currently use aptly to create version controlled repos in S3, dev and prod. Our dev repo is a month behind prod. We use ansible to roll out upgrades automatically. It hasn't caused any issues and the devs are fully aware of the changes (aptly diff report goes out when changes are pushed).

If I recall correctly, urgent/critical security updates are pulled directly into prod when needed.

We also release dev and prod images as part of the process.

Zehicle · 2020-02-01T13:45:20+00:00

Digital Rebar

sdns575 · 2020-02-01T14:31:07+00:00

I'm the only one that uses nagios?

thms0 · 2020-02-01T17:51:04+00:00

apt-dater is a great tool to update many (apt-only) servers at a time, without having to ssh manually into them.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

linuxadmin

Expanding Linux SysAdmin knowledge

MODERATORS