# server_patching
The module provides classes built around server patching procedures.
## Table of Contents
1. [Description](#description)
2. [Setup - The basics of getting started with server_patching](#setup)
* [Setup requirements](#setup-requirements)
* [Beginning with server_patching](#beginning-with-server_patching)
3. [Usage - Configuration options and additional functionality](#usage)
4. [Limitations - OS compatibility, etc.](#limitations)
## Description
At the moment the only usable class is `server_patching::validation`, which
allows you to define post-patching checks and generates a bash script implementing
these checks. It is designed to be invoked via AWS SSM.
## Setup
### Setup Requirements
The module uses `netstat`, `curl` and `pgrep`; these utilities have to be
installed on the system. It is designed to work only with modern systems managed
by systemd.
### Beginning with server_patching
Commonly the module is invoked by including a subclass. For patching validation
it is just
```puppet
include server_patching::validate
```
Further configuration is more conveniently done in Hiera.
## Usage
The following example covers the use of all module parameters:
```yaml
server_patching::validate::ensure: present
server_patching::validate::validation_script: /usr/local/sbin/validate.sh
server_patching::validate::services:
  - name: open-vm-tools.service
    active: true
  - name: openipmi.service
    active: false
server_patching::validate::processes:
  - name: falcond
    running: true
  - url: https://netdb.stanford.edu/status-DLK87ufdskjf
  - url: https://netdb.stanford.edu
    resolve_to: 171.67.5.154
    status: 302
server_patching::validate::ports:
  - port: 22
    proto: tcp
    ip_ver: ipv4
    listening: true
  - port: 23
    proto: tcp
    ip_ver: ipv4
    listening: false
server_patching::validate::mounts:
  - /home
  - /mnt/data
server_patching::validate::exports:
  - /share/raw_data
  - /share/processed_data
server_patching::validate::zfs_pools:
  - pool1
  - pool2
```
The script generated from this fragment verifies that:
* VMWare tools service is running
* CrowdStrike daemon process is running
* NetDB URL redirects somewhere (to WebAuth presumably)
* NetDB status URL returns success
* SSH port is open over IPv4
* Telnet port is closed over IPv4
* Given ZFS pools are imported
* Given NFS shares are exported
The module generates a validation script `validation.sh` in the
`/usr/local/bin/` directory, which can be triggered by SSM and returns a zero
exit code if all checks pass, or a non-zero exit code reflecting the number of
failed checks. It writes the log of the checks run to stdout.
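As an added illustration (not code from the module), here is a hand-written sh script showing what a subset of the checks in the Hiera fragment above (services, processes, URL status, ports) can look like when implemented with `systemctl`, `pgrep`, `curl` and `netstat`, tallying failures into the exit code the way the generated script does. The function names, the `run` argument and the assumed default of HTTP 200 for a URL without `status` are this example's own choices.

```shell
#!/bin/sh
# Hand-written stand-in for the script the module generates; covers only services,
# processes, URL status and ports. Not the module's code; key-to-function mapping is assumed.
FAILED=0

# Run a check command, log PASS/FAIL with its description and tally failures.
check() {
  desc="$1"; shift
  if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; FAILED=$((FAILED + 1)); fi
}

# Run a command and compare its success with the expected state.
# $1 = "true" or "false"; remaining args = the command. Returns 0 on a match.
expect_state() {
  want="$1"; shift
  if "$@" >/dev/null 2>&1; then [ "$want" = true ]; else [ "$want" = false ]; fi
}

# Is <port> listening, judging from `netstat -ln` output read on stdin?
# $1 = tcp|udp, $2 = ipv4|ipv6, $3 = port number. Returns 0 if a listener exists.
port_listening() {
  sock="$1"; addr='[0-9.]+'
  if [ "$2" = ipv6 ]; then sock="${1}6"; addr='[0-9a-f:]+'; fi
  grep -Eq "^${sock} +[0-9]+ +[0-9]+ +${addr}:${3} "
}
port_listening_now() { netstat -ln 2>/dev/null | port_listening "$@"; }

# curl -w prints the HTTP status code; no -L, so a redirect is reported as 302.
url_status_is() { [ "$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1")" = "$2" ]; }

check_service() { check "service $1 active=$2" expect_state "$2" systemctl is-active --quiet "$1"; }
check_process() { check "process $1 running=$2" expect_state "$2" pgrep -x "$1"; }
check_port()    { check "port $1/$2 $3 listening=$4" expect_state "$4" port_listening_now "$2" "$3" "$1"; }
check_url()     { check "url $1 status=${2:-200}" url_status_is "$1" "${2:-200}"; }  # 200 is an assumed default

# The checks from the Hiera example above; the return value is the number of failures.
run_checks() {
  check_service open-vm-tools.service true
  check_service openipmi.service false
  check_process falcond true
  check_url https://netdb.stanford.edu/status-DLK87ufdskjf
  check_url https://netdb.stanford.edu 302
  check_port 22 tcp ipv4 true
  check_port 23 tcp ipv4 false
  return "$FAILED"
}
# Run only when invoked as `validate.sh run`; otherwise just define the functions.
if [ "${1:-}" = run ]; then run_checks; exit "$FAILED"; fi
```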
## Limitations
Designed for use only with the systems managed by systemd.