Patching the resources consistently ensures complete protection against any security threat. Configuring the patch schedule allows the administrator to decide when to apply the patch updates.
You can schedule patch configurations on a periodic or on-demand basis.
Select a client from the All Clients list.
Go to Configuration Management > Patch Management > Patch Configuration and click Add.
From Add Patch Configuration, enter:
- Select Client
- Patch Configuration Name: Name for the patch ready for installation.
- Description: Patch details.
- Apply To: Applying the patch to desktops or servers.
- Resource Groups: Applying patches to Windows and Linux devices in the resource groups.
After providing the basic details, navigate to the Assign Devices section.
From Assign Devices, select the devices from the Available Devices section. The selected devices appear in the Assigned Devices section.
Note
If you select more than one device for Patch Configuration, a unique Process Instance ID is created for each device with the same Process Name.
After selecting the devices, navigate to Patching Schedule.
From Patching Schedule, enter the following parameters:
- Select Time Zone: The patching process runs according to the selected time zone. For existing patch configurations, Resource Time Zone is automatically assigned.
- Start Date: Select the date and time (in hours and minutes) to start the patching process.
- Recurrence Pattern: Select the pattern to run the patching process. For example, Run On Demand, Patch Tuesday. For Windows, select Patch Tuesday to schedule the patch installation process. This selection helps to align patching with the Microsoft Patch Tuesday every month. You can set up patching to trigger at an offset of up to 26 days after the Patch Tuesday of every month. For example, if the Patch Tuesday of the current month falls on the 11th, an offset of one day schedules the patching to trigger on the 12th of the same month. Similarly, if Patch Tuesday falls on the 9th of the following month, patching for the same schedule triggers again on the 10th.
- Enable patching during shutdown/reboot: Select to enable automatic patching when the device is in shutdown or reboot mode.
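The Patch Tuesday offset described above can be worked out ahead of time to check that a trigger date falls inside the intended change window. This is an added example, not product code: the function names are hypothetical, and it assumes offsets are counted in calendar days and that an offset of 0 is accepted.

```python
import calendar
from datetime import date, timedelta

MAX_OFFSET_DAYS = 26  # upper bound stated in the Recurrence Pattern description


def patch_tuesday(year, month):
    """Second Tuesday of the month (Microsoft Patch Tuesday)."""
    first_weekday = date(year, month, 1).weekday()  # Monday == 0
    first_tuesday = 1 + (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, first_tuesday + 7)


def trigger_date(year, month, offset_days):
    """Date on which patching triggers for the given month and offset."""
    if not 0 <= offset_days <= MAX_OFFSET_DAYS:
        raise ValueError("offset must be between 0 and %d days" % MAX_OFFSET_DAYS)
    return patch_tuesday(year, month) + timedelta(days=offset_days)


def schedule(start_year, start_month, offset_days, months):
    """Trigger dates for consecutive months, starting at start_month."""
    dates = []
    year, month = start_year, start_month
    for _ in range(months):
        dates.append(trigger_date(year, month, offset_days))
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return dates


if __name__ == "__main__":
    # Constructed months matching the 11th / 9th example in the text.
    for d in schedule(2025, 11, 1, 2):
        print(d.isoformat())
    # A large offset can push the run into the next calendar month.
    print(trigger_date(2023, 2, 26).isoformat())
```

With a large offset the run date can land in the following calendar month, which matters when the maintenance period is planned per month.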
After providing the patching schedule, navigate to the Assign Process section.
From Assign Process, select Select Process if you want to assign a patch management process definition.
The Process Definitions dialog box displays the patch management process definitions. Select the Process Name to use for the patch schedule.
The patch management process definitions are created using the Automation > Process Definitions page.
See the Define a Patch Management Process tutorial to learn how to create a simple patch management process definition.
After assigning a process, navigate to Approval Type.
From Approval Type, select one of the following options:
- Manual Approve
- Auto Approve
After selecting Approval Type, navigate to Reboot Options.
From Reboot Options, select one of the following options:
- Do not reboot
- Reboot after install if required
After selecting the reboot options, navigate to the Add Maintenance Period section.
Enable maintenance: Select to enable maintenance period.
Escalate maintenance alerts when window ends: Toggle ON or OFF to escalate maintenance alerts that do not auto-resolve after the patch maintenance duration.
To view the Escalate maintenance alerts when period ends column displaying Yes or No according to the selection, go to Infrastructure > Maintenance.
Select schedule duration: After enabling the maintenance period, select the duration.
Add Users: To add users:
- Click +Add Users.
- From the Users screen, select the users.
- Click Add Users.
The selected users receive an email notification after the patch configuration job completes.
Click Finish.
The patch configuration is displayed in the configured list. Click Run Now to install the approved patches as per requirement.
After the patch configuration job begins, the agent executes the following as shown for a Linux resource:
The agent receives an XML control message, which can be seen in debug logs:
<cm><id>MISSING_PATCH_DL_IN</id><reqid>2018-06-25 06:49:14</reqid><params>2</params></cm>
The agent sends a response:
<cm><id>RES_MISSING_PATCH_DL_IN</id><response><![CDATA[<winadviceinfo><result params="2">success</result><reqid>2018-06-25 06:49:14</reqid></winadviceinfo>]]></response></cm>
The agent receives an XML control message:
<cm><id>MISSING_PATCH_DL_IN_LIST</id><reqid>0</reqid><params><ps><p><name>fcoe-utils-1.0.28-6.el6.x86_64 — ""</name><name>curl-7.19.7-53.el6_9.x86_64 — ""</name><name>libtiff-3.9.4-21.el6_8.x86_64 — ""</name><name>efibootmgr-0.5.4-15.el6.x86_64 — ""</name><name>grep-2.20-6.el6.x86_64 — ""</name></p><list>0</list></ps></params></cm>
The agent saves the KBID in the /opt/opsramp/agent/tmp/approved_pkgs.json file.
The agent runs a patch install job. The following OS-dependent commands are used to generate a patch_install_result.json file at location /opt/opsramp/agent/tmp/patch_install_result.json:
- Ubuntu – /usr/bin/python /opt/opsramp/agent/lib/apt_frame.py install
- CentOS, Fedora – /usr/bin/python /opt/opsramp/agent/lib/yum_frame.py install
- SUSE – /usr/bin/python /opt/opsramp/agent/lib/zypper_frame.py install
- DARWIN – /usr/bin/python /opt/opsramp/agent/lib/mac_frame.py install
After running the patch install job, the agent checks for the KBIDs that require a reboot.
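To audit what a patch job asked the agent to install, the control messages shown above can be extracted from the agent debug log and the requests matched to their responses. This is an added example, not agent code: the log-line prefix, the sample lines and the function names are assumptions, and the package list is shortened.

```python
import re
import xml.etree.ElementTree as ET

# Constructed debug-log lines. The timestamp/direction prefix is an assumption;
# the <cm> payloads follow the messages shown above (package list shortened).
SAMPLE_LOG = '''\
2018-06-25 06:49:14 recv <cm><id>MISSING_PATCH_DL_IN</id><reqid>2018-06-25 06:49:14</reqid><params>2</params></cm>
2018-06-25 06:49:15 send <cm><id>RES_MISSING_PATCH_DL_IN</id><response><![CDATA[<winadviceinfo><result params="2">success</result><reqid>2018-06-25 06:49:14</reqid></winadviceinfo>]]></response></cm>
2018-06-25 06:49:16 recv <cm><id>MISSING_PATCH_DL_IN_LIST</id><reqid>0</reqid><params><ps><p><name>curl-7.19.7-53.el6_9.x86_64 — ""</name><name>grep-2.20-6.el6.x86_64 — ""</name></p><list>0</list></ps></params></cm>
'''

CM_RE = re.compile(r"<cm>.*?</cm>", re.S)


def parse_control_messages(log_text):
    """Return one dict per <cm> control message found in the log text."""
    messages = []
    for raw in CM_RE.findall(log_text):
        if "<!DOCTYPE" in raw or "<!ENTITY" in raw:
            continue  # these messages carry no DTD; do not expand entities
        cm = ET.fromstring(raw)
        msg = {"id": cm.findtext("id"), "reqid": cm.findtext("reqid"), "result": None}
        body = cm.findtext("response")
        if body:  # the response payload is a second XML document inside CDATA
            inner = ET.fromstring(body)
            msg["reqid"] = inner.findtext("reqid")
            msg["result"] = inner.findtext("result")
        # Each <name> is '<package> — ""'; keep only the package token.
        msg["packages"] = [n.text.split()[0] for n in cm.iter("name")
                           if n.text and n.text.strip()]
        messages.append(msg)
    return messages


def summarize(log_text):
    """Packages pushed to the agent, plus requests with no success response."""
    msgs = parse_control_messages(log_text)
    asked = {m["reqid"] for m in msgs if m["id"] == "MISSING_PATCH_DL_IN"}
    acked = {m["reqid"] for m in msgs
             if m["id"] == "RES_MISSING_PATCH_DL_IN" and m["result"] == "success"}
    pkgs = [p for m in msgs if m["id"] == "MISSING_PATCH_DL_IN_LIST"
            for p in m["packages"]]
    return {"unanswered": sorted(asked - acked), "packages": pkgs}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing the returned package list against the patches approved for the configuration shows whether the agent was instructed to install anything outside the approval.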
The approved patches are installed only when a patch configuration is added.
Patches are downloaded directly to individual desktops and servers. Administrators can install patches using the Agent for Windows. Administrators might experience above-normal bandwidth usage during the weekend patch maintenance period.