Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# server_patching
The module provides classes built around server patching procedures.
## Table of Contents
1. [Description](#description)
2. [Setup - The basics of getting started with server_patching](#setup)
* [Setup requirements](#setup-requirements)
* [Beginning with server_patching](#beginning-with-server_patching)
3. [Usage - Configuration options and additional functionality](#usage)
4. [Limitations - OS compatibility, etc.](#limitations)
## Description
At the moment the only useable class is `server_patching::validation`, which
allows to define post-patching checks and generate a bash script implementing
these checks. Designed to be invoked with AWS SSM software.
## Setup
### Setup Requirements
The module uses `netstat`, `curl` and `pgrep`. These utilities have to be
installed on the system. Designed to work only with modern systems managed
by systemd.
### Beginning with server_patching
Commonly the module is invoked by including a subclass. For patching validation
it is just
```
include server_patching::validate
```
Further configuration is more conveniently performed in hiera.
## Usage
The following example covers the use of all module parameters:
```yaml
server_patching::validate::ensure: present
server_patching::validate::validation_script: /usr/local/sbin/validate.sh
server_patching::validate::services:
- name: open-vm-tools.service
active: true
- name: openipmi.service
active: false
server_patching::validate::processes:
- name: falcond
running: true
- url: https://netdb.stanford.edu/status-DLK87ufdskjf
- url: https://netdb.stanford.edu
resolve_to: 171.67.5.154
status: 302
server_patching::validate::ports:
- port: 22
proto: tcp
ip_ver: ipv4
listening: true
- port: 23
proto: tcp
ip_ver: ipv4
listening: false
server_patching::validate::mounts:
- /home
- /mnt/data
server_patching::validate::exports:
- /share/raw_data
- /share/processed_data
server_patching::validate::zfs_pools:
- pool1
- pool2
```
The fragment generates verifies if:
* VMWare tools service is running
* CrowdStrike daemon process is running
* Java process which has *solr* in its command line is running
* NetDB server 171.67.5.154 status URL returns success
* SSH port is open over IPv4
* Telnet port is closed over IPv4
* Given ZFS pools are imported
* Given NFS shares are exported
The module would generate a validation script `validation.sh` in
`/usr/local/bin/` directory, which can be triggered by SSM and return a zero
exit code if all checks pass or non-zero code with a number of failed checks. It
outputs the log of the checks run to stdout.
## Limitations
Designed for use only with the systems managed by systemd.