server_patching
The module provides classes built around server patching procedures.
Table of Contents
- Description
- Setup - The basics of getting started with server_patching
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
Description
At the moment the only useable class is server_patching::validation
, which
allows to define post-patching checks and generate a bash script implementing
these checks. Designed to be invoked with AWS SSM software.
Setup
Setup Requirements
The module uses netstat
, curl
and pgrep
. These utilities have to be
installed on the system. Designed to work only with modern systems managed
by systemd.
Beginning with server_patching
Commonly the module is invoked by including a subclass. For patching validation it is just
include server_patching::validate
Further configuration is more conveniently performed in hiera.
Usage
The following example covers the use of all module parameters:
server_patching::validate::ensure: present
server_patching::validate::validation_script: /usr/local/sbin/validate.sh
server_patching::validate::services:
- name: open-vm-tools.service
active: true
- name: openipmi.service
active: false
server_patching::validate::processes:
- name: falcond
running: true
- name: java
command: solr
server_patching::validate::urls:
- url: https://netdb.stanford.edu/status-DLK87ufdskjf
status: 200
- url: https://netdb.stanford.edu
resolve_to: 171.67.5.154
status: 302
server_patching::validate::ports:
- port: 22
proto: tcp
ip_ver: ipv4
listening: true
- port: 23
proto: tcp
ip_ver: ipv4
listening: false
server_patching::validate::mounts:
- /home
- /mnt/data
server_patching::validate::exports:
- /share/raw_data
- /share/processed_data
server_patching::validate::zfs_pools:
- pool1
- pool2
The fragment generates verifies if:
- VMWare tools service is running
- CrowdStrike daemon process is running
- Java process which has solr in its command line is running
- NetDB URL redirects somewhere (to WebAuth presumably)
- NetDB server 171.67.5.154 status URL returns success
- SSH port is open over IPv4
- Telnet port is closed over IPv4
- Given ZFS pools are imported
- Given NFS shares are exported
The module would generate a validation script validation.sh
in
/usr/local/bin/
directory, which can be triggered by SSM and return a zero
exit code if all checks pass or non-zero code with a number of failed checks. It
outputs the log of the checks run to stdout.
Limitations
Designed for use only with the systems managed by systemd.