Advanced Patching

If you have a Puppet Enterprise (PE) Advanced license you can enable Advanced Patching with vulnerability remediation capabilities. From the PE console navigation bar, select System updates and click Get started with Advanced Patching now.

You can use Advanced Patching to:

  • Create patch groups

  • Define maintenance and blackout windows

  • Run or schedule patch jobs to apply all available package/software updates

  • Integrate data from a third party security scanner to detect vulnerabilities

  • Run or schedule patch jobs to apply the specific updates necessary to remediate detected vulnerabilities on affected nodes

  • Configure post-patch behavior, including automatically triggering PE runs to refresh patch status

Before you begin:
  • The service requires an extra 1 GB of RAM, to operate by default. CPU usage varies based on how many systems are being patched and how often, but is an incremental amount of usage. The service also requires incremental additional disk storage for the vulnerabilities database, with usage varying based on the number of nodes being managed.
  • To enable Advanced Patching, you must acquire a Puppet Enterprise (PE) Advanced license. Contact your Puppet Enterprise (PE) administrator or Contact our sales team to acquire a license and enable this feature.
  • Ensure there are no classification issues on the primary server and that a Puppet run can complete successfully before you enable Advanced Patching.
  • The Advanced Patching feature is not enabled by default, and requires a user with permissions to run all plans in order to enable the feature. Once enabled, the feature cannot currently be disabled.
  • The Advanced Patching feature assumes ownership of the PE Patch Management node group tree. Any patch groups declared under that group are modified or deleted by the Advanced Patching service. It is important that no additional classification is applied beyond use of the pe_patch class to the PE Patch Management group, or any groups underneath it otherwise Advanced Patching will not enable successfully.
  • Once enabled, the PE Advanced Patching feature enforces the state of the PE Patch Management node group tree, so any manual changes made to it are replaced.
  • RBAC: A default role is available for patching in PE. That role can be assigned to a user to do patching. The Administrator by default has all permissions. The permission needed for onboarding customers must have permissions to run a plan on the primary server. For more information about Advanced Patching user permissions and roles see User permissions and user roles.

Configure post-patch Puppet runs

You can configure Puppet Enterprise to automatically trigger a Puppet run after patch jobs complete to refresh pe_patch facts. By default, patch jobs do not trigger a post-patch Puppet run, and facts are refreshed during the next scheduled Puppet run.

When enabled, a Puppet run is submitted immediately after patching completes on successfully patched nodes. The run executes asynchronously, so updated patch status becomes available shortly after the job completes.

Enable or disable post-patch Puppet runs

You can enable or disable this behavior using one of the following methods:

  • Set the puppet_enterprise::profile::master::post_patch_puppet_run_enabled parameter in the PE console classifier

  • Configure the same parameter in Hiera

  • Use the enterprise_tasks::toggle_post_patch_puppet_run Bolt plan

Example configurations

Hiera example

puppet_enterprise::profile::master::post_patch_puppet_run_enabled: true 

Bolt plan example

bolt plan run  
  enterprise_tasks::toggle_post_patch_puppet_run  
  primary=<primary-certname> enable=true 

Verify the setting

After a Puppet run, you can verify that the setting is applied:

grep post-patch-puppet-run-enabled 
  /etc/puppetlabs/patching-service/conf.d/pe-patching-service.conf 

This setting is applied at the system level and affects all patch jobs. The default value is disabled.

Behavior

  • When enabled, a Puppet run is triggered automatically after patch completion on successfully patched nodes.

  • The run is submitted immediately and executes asynchronously.

  • Patch jobs are marked complete before the Puppet run finishes.

  • Updated pe_patch facts become available after the Puppet run completes.

  • If the post-patch Puppet run cannot be submitted (for example, if pe-orchestration-services is temporarily unavailable), the patch job still completes successfully, but pe_patch facts are not refreshed until the next scheduled Puppet run. You can confirm that the post-patch Puppet run was submitted by checking the patch operation’s event history for a finished-patching event.

  • When disabled, patch jobs complete without triggering a post-patch Puppet run.

 
  • Do not modify this setting while a patch job is in progress. Changing the setting restarts the pe-patching-service and can interrupt running jobs, and causes it to be re-queued from the beginning. This can result in already-patched nodes being reprocessed.

  • Enabling automatic post-patch Puppet runs increases orchestrator activity and system load, particularly for large patch jobs.