Automated Patching
With Bolt
Nick Maludy
@NickMaludy
github.com/nmaludy
DevOps Manager, Husband, Dad
Encore Technologies
@EncoreTechCincy
github.com/EncoreTechnologies
encoretechnologies.github.io
Managed Services Provider
Encore
Got 99 Problems and Patching is One
•CVEs and Zero Days
•Manual
•Slow
•Burnout
•Broken Applications
•Snapshots… doh!
•Monitoring? … oops!
Landscape
•Windows
- 2008
- 2012
- 2016
•Linux
- RHEL 6, 7
- Ubuntu 14.04, 16.04, 18.04
Existing Tools…
•Windows
- SCCM
- WSUS
•Everything is a “suggestion”
•Lack of customization
•Linux
- RHEL = Satellite
- Ubuntu = ?
Requirements
•Security
• More often (weekly)
• Fast as possible (<1 day)
• Reports
•DevOps
• HA groups
• Customizable workflows
• Cross-platform
• Windows Update + Chocolatey
encore/patching
•Bolt
•Community
•Eat our own dog food
•forge.puppet.com/encore/patching
Design
•Framework
•Components / building blocks
•Agent-less
•Everything is a Plan and a Task
•Group based
•Common interfaces
•Customizable
•NOT MAGIC
Architecture
Workflow
Available? → Create Snapshot → Pre → Update → Post → Reboot → Delete Snapshot
patching::ordered_groups
•Input = Array[TargetSpec]
•patching_order “var” assigns group
•Group by common patching_order
•sort() on patching_order
•Result = sorted array of groups
bolt plan run patching::ordered_groups
inventory.yaml
---
groups:
  - name: patching_a
    vars:
      patching_order: 1
    targets:
      - postgres01
      - postgres03
  - name: patching_b
    vars:
      patching_order: 2
    targets:
      - postgres02
patching::ordered_groups
[
  {
    "order": 1,
    "nodes": [
      TargetSpec("postgres01"),
      TargetSpec("postgres03")
    ]
  },
  {
    "order": 2,
    "nodes": [
      TargetSpec("postgres02")
    ]
  }
]
$ordered_groups = run_plan('patching::ordered_groups',
                           nodes => $targets)
$ordered_groups.each |$group_hash| {
  run_plan('facts',
           nodes => $group_hash['nodes'])
}
Example
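The grouping step described above, as an added Ruby sketch (not the encore/patching module's own code). It parses the inventory from the slide plus a constructed `web_a` group that shares `patching_order: 1`, and it assumes a simplified inheritance model in which group vars override inherited vars. Rejecting a missing, non-integer or conflicting `patching_order` is this example's choice, so that an inventory typo cannot put both members of an HA pair in the same patching wave.

```ruby
require 'yaml'

# The page's two postgres groups plus a constructed third group (web_a)
# that shares patching_order 1 with patching_a.
INVENTORY_YAML = <<~INV
  ---
  groups:
    - name: patching_a
      vars:
        patching_order: 1
      targets:
        - postgres01
        - postgres03
    - name: patching_b
      vars:
        patching_order: 2
      targets:
        - postgres02
    - name: web_a
      vars:
        patching_order: 1
      targets:
        - tomcat01
INV

# Walk the inventory tree and yield [target_name, effective_vars].
# Simplified model (assumption): vars set lower in the tree override
# vars inherited from above.
def each_target(node, inherited = {}, &block)
  vars = inherited.merge(node['vars'] || {})
  (node['targets'] || []).each do |t|
    name = t.is_a?(Hash) ? (t['name'] || t['uri']) : t
    tvars = t.is_a?(Hash) ? vars.merge(t['vars'] || {}) : vars
    block.call(name, tvars)
  end
  (node['groups'] || []).each { |g| each_target(g, vars, &block) }
end

# Group targets by patching_order, then sort the groups by that order.
# Inventory groups with the same order collapse into one result group.
def ordered_groups(inventory_yaml)
  seen = {}
  each_target(YAML.safe_load(inventory_yaml)) do |name, vars|
    order = vars['patching_order']
    unless order.is_a?(Integer)
      raise ArgumentError, "#{name}: patching_order must be an Integer, got #{order.inspect}"
    end
    if seen.key?(name) && seen[name] != order
      raise ArgumentError, "#{name}: conflicting patching_order #{seen[name]} and #{order}"
    end
    seen[name] = order
  end
  seen.group_by { |_name, order| order }
      .sort_by { |order, _pairs| order }
      .map { |order, pairs| { 'order' => order, 'nodes' => pairs.map(&:first) } }
end

if $PROGRAM_NAME == __FILE__
  ordered_groups(INVENTORY_YAML).each do |g|
    puts "order #{g['order']}: #{g['nodes'].join(', ')}"
  end
end
```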
patching::available_updates
•Check for available updates
•Windows
- Windows Update Agent API
- choco outdated
•RHEL
- yum -q check-update
•Ubuntu
- apt upgrade --simulate
• Output = Array of updates
bolt plan run patching::available_updates
Windows
{
  "updates": [
    {
      "name": "Definition Update …",
      "version": 200,
      "server_selection": 0,
      "id": "a54401ad-…",
      "kb_ids": ["2267602"],
      "provider": "windows"
    },
    {
      "name": "notepad++",
      "version": "4.0.0",
      "pinned": "false",
      "provider": "chocolatey"
    }
  ]
}
RHEL
{
  "updates": [
    {
      "name": "puppet-bolt",
      "version": "1.30.1-1.el7",
      "repo": "puppet6"
    }
  ]
}
Ubuntu
{
  "updates": [
    {
      "name": "puppet-bolt",
      "version": "1.30.1-1xenial",
      "repo": "Puppetlabs:xenial"
    }
  ]
}
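How `yum -q check-update` output can be turned into the RHEL result shape shown above, as an added Ruby sketch (not the module's own task code). The sample output is constructed; the parser handles long package names that yum wraps onto a second line, ignores the "Obsoleting Packages" section, and treats any exit code other than 0 or 100 as a failure so that a broken repository is never reported as "no updates available".

```ruby
# Constructed sample of `yum -q check-update` output (not captured from a real host).
SAMPLE_CHECK_UPDATE = <<~OUT

  openssl-libs.x86_64                 1:1.0.2k-19.el7          base
  puppet-bolt.x86_64                  1.30.1-1.el7             puppet6
  a-package-with-a-very-long-name-that-wraps.noarch
                                      2.4-1.el7                epel
  Obsoleting Packages
  grub2.x86_64                        1:2.02-0.80.el7          base
      grub2.x86_64                    1:2.02-0.76.el7          @base
OUT

# yum check-update exit codes: 0 = nothing to update,
# 100 = updates are listed on stdout, 1 = an error occurred.
def parse_check_update(stdout, exit_code)
  return [] if exit_code.zero?
  raise "yum check-update failed (exit #{exit_code})" unless exit_code == 100

  # Everything after this header describes obsoletes, not plain updates.
  listing = stdout.split(/^Obsoleting Packages\s*$/, 2).first || ''

  # Tokenising on whitespace rejoins entries that yum wrapped onto two lines.
  tokens = listing.split
  raise "unexpected output: #{tokens.size} fields" unless (tokens.size % 3).zero?

  tokens.each_slice(3).map do |pkg, version, repo|
    # "puppet-bolt.x86_64" -> "puppet-bolt"; the arch follows the last dot.
    name, _dot, _arch = pkg.rpartition('.')
    { 'name' => name, 'version' => version, 'repo' => repo }
  end
end

if $PROGRAM_NAME == __FILE__
  parse_check_update(SAMPLE_CHECK_UPDATE, 100).each { |u| puts u }
end
```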
patching::snapshot_vmware
•VMware only (for now)
- Bolt control node
- rbvmomi gem
•Optional
•Customizable
•Pluggable
- Dynamic Dispatch
bolt plan run patching::snapshot_vmware
Dynamic Dispatch in Bolt
plan patching (
  TargetSpec $nodes,
  String $snapshot_plan,
) {
  # lots of things…
  run_plan($snapshot_plan,
           nodes => $nodes,
           action => 'create')
}
plan patching::snapshot_vmware (
  TargetSpec $nodes,
  String $action,
) { … }
bolt plan run patching snapshot_plan=patching::snapshot_vmware
Requirement: Plans must conform to the same “interface”
patching::pre_update
•Service health checks
•Backups
•Stop services
•etc
•Runs script on remote node
Linux = /opt/patching/bin/pre_update.sh
Windows = C:\ProgramData\patching\bin\pre_update.ps1
•Customizable
bolt plan run patching::pre_update
Customizing with vars
inventory.yaml
---
vars:
  patching_pre_patch_plan: 'mymodule::pre_patch'
  patching_pre_update_script_linux: '/my/custom/patching/script.sh'
  patching_pre_update_script_windows: 'C:\my\custom\patching\script.ps1'
plan
plan patching::pre_update (
  TargetSpec $n,
  String $script_linux = '/opt/patching/bin/pre_update.sh',
  String $script_windows = 'C:\ProgramData\patching\bin\pre_update.ps1',
) {
  # vars set in the inventory take precedence over the plan's parameter defaults
  $vars = get_targets($n)[0].vars
  $_script_linux = pick($vars['patching_pre_update_script_linux'], $script_linux)
  $_script_windows = pick($vars['patching_pre_update_script_windows'], $script_windows)
  # … do things
}
Group custom vars
---
vars:
  patching_pre_update_script_windows: C:\awesome\patch_script.ps1
groups:
  - name: regular_nodes
    targets:
      - tomcat01.domain.tld
  - name: sql_nodes
    vars:
      patching_pre_update_script_windows: C:\MSSQL\stop_services.ps1
    targets:
      - sql01.domain.tld
patching::update
•Windows
- Windows Update Agent API
• Special snowflake scheduled task…
- choco upgrade all
•RHEL
- yum update
•Ubuntu
- apt-get dist-upgrade
bolt task run patching::update
Logs and Results
•Linux
- Writes stdout log to /var/log/patching.log
- Writes results to /var/log/patching.json
•Windows
- Writes logs to C:\ProgramData\patching\log\patching.log
- Writes results to C:\ProgramData\patching\log\patching.json
patching::post_update
•Start services
•Waiting for services
•Health check
•etc
•Pluggable same as pre_update
- Linux = /opt/patching/bin/post_update.sh
- Windows = C:\ProgramData\patching\bin\post_update.ps1
bolt plan run patching::post_update
patching::reboot_required
•Reboot strategy
•Windows
- https://ilovepowershell.com/2015/09/10/how-to-check-if-a-server-needs-a-reboot/
- https://gist.github.com/altrive/5329377
- http://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542
•RHEL
- needs-restarting
•Ubuntu
- [ -f /var/run/reboot-required ]
bolt plan run patching::reboot_required
patching
$groups = patching::ordered_groups
$groups.each | $g | {
patching::available_updates
patching::snapshot_vmware # create
patching::pre_update
patching::update
patching::post_update
patching::reboot_required
patching::snapshot_vmware # delete
}
bolt plan run patching
Patching Now
•500+ VMs
• 5x environments
•1 engineer
•< 1 day
•Every week
• Dev = latest
• Prod = Dev last week
Lessons Learned - Bolt
•Simple tasks
•Tie tasks together with plans
•Standardize parameters
•Standardize results
•Keep large binaries out of files/
Lessons Learned - Linux
•Bash lowest common denominator
•+100s of systems in a group
•Remember to update cache
•Careful of /tmp and noexec
Lessons Learned - Windows
•Connect timeouts
- 200+ seconds
•100 nodes max
•Long tasks = bad
•Slow updates
•Slow File Tx WinRM
•PowerShell versions
•WUA = PITA
Roadmap
•Monitoring
•Reporting
•Notifications
•ServiceNow Changes
•Inventory creation from Satellite, WSUS, AD, IPA, VMware, ServiceNow
•More workflows
•Network and VMware patching
•Puppet Remediate Integration
Thanks!
@NickMaludy
github.com/nmaludy
@EncoreTechCincy
github.com/EncoreTechnologies
forge.puppet.com/encore/patching
slack.puppet.com
#puppetize-pdx
@nmaludy

Puppetize PDX 2019 - Automated Patching with Bolt by Nick Maludy

Editor's Notes

  1. - NO BUZZ WORDS HERE - - Automated patching with bolt
  2. - IT SERVICES PROVIDER - Cincy - Work in Managed Services - - Goal is to make IT suck less - Solving IT problems with modern tools and techniques - Allowing customers to focus on their business problems
  3. - How often are YOU patching??? - Weekly, Monthly, Quarterly, Yearly - - 1 year ago - CVEs and Zero Days - Us and our customers - - Manual - Slow (days -> weeks) - Long nights - Apps broken before patching - Lack of shutdowns/startups - Forgotten snapshots - Forgotten monitoring
  4. - Landscape? - Ohio in middle of the Brown Field - - Windows - 2008 - 2012 - 2016 - Linux - RHEL 6 & 7 - Ubuntu 14.04, 16.04, 18.04
  5. - Windows - SCCM - WSUS - RHEL = Satellite - Ubuntu = ?? - - Everything is a “suggestion” - Randomly in a window - No custom steps
  6. - Security - More often (weekly) - Faster (1 day or less) - Reports of available patches - - DevOps - HA groups - Customizable workflows - Cross-platform - Windows Update + Chocolatey
  7. - Built on bolt - - Open source for community - - Eat our own dogfood - - Forge
  8. - Patching NOT one size - Framework of building blocks - Agent-less - Everything is a plan and a task - Task does work - Plan calls Task - “User friendly” output - Group inventory - Common interfaces - Customizable - Vars - Parameters - NOT MAGIC
  9. - Windows clients register to - WSUS - Chocolatey - - Red Hat register to - Satellite (Foreman + Katello) - - Ubuntu - internet - - Bolt orchestrates everything - NOTE: Puppet agent not necessary (customers) - TODO promote content
  10. - Available updates - Create snapshot - Pre - app shutdowns - Update - Post - Reboot - Delete snapshot
  11. - Input of Array[TargetSpec] - Targets have patching_order var - Group by common patching order - sort() on patching order - Result is sorted array of groups (targets)
  12. - Inventory YAML on the left - - Result on the right - - Puts data into an array - - Sorted by patching order - - If multiple inventory groups with same patching_order, result in one group - - Allows inventory to be defined by different dimension, say application
  13. - Runs plan to get ordered groups - - Iterate over each group - - Gather facts for each group - - Facilitates us being able to patch sets of nodes in ORDER
  14. - Queries the node for available updates - - Windows - Windows Update Agent API - choco outdated - - RHEL - yum check-update - - Ubuntu - apt upgrade --simulate - - Output = Array of updates
  15. - Windows output on the left - windows update - chocolatey - “providers” - - RHEL - Debian - - Common - name - version - - Allow data custom to each
  16. - VMware only, for now - Installs rbvmomi - bolt control node - Optional - Customizable with vars - create - delete - allow us to wait overnight - quiesce - memory - - Pluggable with dynamic dispatch
  17. - Dynamic dispatch from CS - determine path at runtime - - Pass plan/task to execute as string - - Plans/tasks need common “interface” - - Example - run example with plan snapshot - - example runs snapshot plan - - snapshot plan has ‘action’ interface
  18. - Custom processes before patching - service health checks (in case it’s already broken) - backups - stop services - etc - Default - runs script on remote node - Customizable
  19. - Inventory file up top - - Vars section for global customizations - - Default = hard coded - - pick() to read from “vars” - - Allows customizing at runtime / CLI - - Order of precedence - CLI - Inventory Var - default in the plan - - Great pattern
  20. - customizing global up top - - regular_nodes group gets that - - customizing for a group - - sql_nodes for graceful SQL failover
  21. - Windows - Choco upgrade all : EASY - Special snowflake windows update - Scheduled task - RHEL - yum update - Ubuntu - apt-get dist-upgrade
  22. - Write logs on every node - Can come query them later - - Great for debugging - - Great for reporting
  23. - Same as pre_patch - different script - - Start services - Wait for sockets/services - Health checks
  24. - Customizable with strategy - never - always - only required - - Windows - check a bunch of registry and other Win32 APIs - - RHEL - needs-restarting - - Ubuntu - existence of “/var/run/reboot-required”
  25. - Opinionated workflow - - Uses all of the components we just talked about - - Customizable / pluggable - vars - dynamic dispatch - - Super easy way to get started - - Fully expect people to make their own workflows
  26. - 500+ VMs - 6x internal and customer environments - - 1 engineer - < 1 day - - Every week - dev = latest - prod = dev from week before
  27. - Simple tasks - Tie tasks together with plans - Standardize parameters - Standardize results - Keep large binaries out of files/ - files/ come from some other module - take advantage of isolated boltdir + puppetfile
  28. - Bash lowest common denominator - python - perl - ruby - - +100s of systems in a group - - Remember to update cache - - Careful of /tmp and noexec
  29. - Connection timeouts - 200+ seconds - - 100 nodes max per group - - Long tasks can timeout in WinRM randomly - - Updates SUPER slow - - Slow transfer files with WinRM - - PowerShell versions matter - cmdlets don’t exist - - Windows Update API == PITA
  30. - Monitoring - SolarWinds - Prometheus - - Reporting - - Notifications - email - Slack - - ServiceNow change integration - - Inventory from Satellite, WSUS, AD, IPA, VMware, ServiceNow - - More workflows - Network and VMware patching - Puppet remediate integration
  31. - Thanks! - - Build a patching community - - Twitter, github - - Puppet slack #puppetize-pdx