Where patch information comes from
Your package management software is responsible for ensuring PE can find the latest patch information available. The pe_patch module uses OS-level tools or APIs to find patches for nodes. You still have to manage the configuration of your package manager, like YUM, APT, Zypper, WSUS, or Windows Update, so your nodes can search for updates. For example, if you need to go through a proxy and you use YUM, you must configure this on your own.
Patching involves two distinct steps. First, a cron job scans for new patches and uploads related details to PuppetDB as part of the pe_patch fact. You can specify when to run the cron job with parameters in the pe_patch class. Then, patches are applied to specified nodes using the pe_patch::patch_server task or the pe_patch::group_patching plan.
- For *nix agents patching: Pin a package using yum versionlock, apt-mark, or zypper addlock. The pinned_packages field in the pe_patch fact refers to versions locked using these methods. This is different from apt-pinning packages, which is used to prioritize packages rather than locking them at a specific version.
- For Windows agents patching: If you use WSUS or Windows Update to deliver updates, use WSUS to approve desired updates independently.
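
The pinning commands named above, wrapped in a small script as an added example (not part of the Puppet documentation). The script name pin.sh and the functions detect_pm and lock_cmd are hypothetical, and yum versionlock assumes the versionlock plugin is installed. Running it with list shows which packages on a node are currently locked.

```shell
#!/bin/sh
# Added example: pin a package with the node's native lock tool, or list locks.

# detect_pm: print the first supported lock tool found on PATH.
detect_pm() {
    for tool in yum apt-mark zypper; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            return 0
        fi
    done
    return 1
}

# lock_cmd TOOL ACTION [PACKAGE]: print the command for ACTION (pin or list).
lock_cmd() {
    tool=$1 action=$2 pkg=${3:-}
    if [ "$action" = pin ]; then
        # Reject empty names and anything outside the usual package charset,
        # so the printed command can be word-split and run safely.
        case $pkg in
            ''|*[!A-Za-z0-9.+_:-]*) echo "invalid package name" >&2; return 2 ;;
        esac
    fi
    case "$tool:$action" in
        yum:pin)       echo "yum versionlock add $pkg" ;;  # assumes versionlock plugin
        yum:list)      echo "yum versionlock list" ;;
        apt-mark:pin)  echo "apt-mark hold $pkg" ;;
        apt-mark:list) echo "apt-mark showhold" ;;
        zypper:pin)    echo "zypper addlock $pkg" ;;
        zypper:list)   echo "zypper locks" ;;
        *)             echo "unsupported: $tool $action" >&2; return 2 ;;
    esac
}

# Usage (as root): pin.sh pin PACKAGE | pin.sh list
if [ "$#" -gt 0 ]; then
    tool=$(detect_pm) || { echo "no supported package manager" >&2; exit 1; }
    cmd=$(lock_cmd "$tool" "$@") || exit $?
    $cmd   # word-splitting is intended; lock_cmd validated the package name
fi
```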
Security updates
To find security updates, the pe_patch module uses security metadata when it is available. For example, Red Hat provides security metadata as additional metadata in YUM, Debian performs checks on the repo the updates are coming from, and Windows provides this information by default.
In the console, on the Patches page, security metadata feeds into the Apply patches table where you can filter for Security updates only.
Configure Windows Update
If you are using Windows Update, we recommend you use the puppetlabs/wsus_client module and configure these parameters in the wsus_client class.
- Set the server_url parameter to the URL of your WSUS server.
- Set the auto_update_options parameter to AutoNotify to automatically download updates and notify users.






