++ RIP, I've piloted mcollective but have not yet deployed it as a standard C&C tool. It is the future IMO, so if you're starting from scratch, it's probably what you want to go with, as I sort of view puppet as not being the tool for this job

For this stuff now, I use a combo of Nagios and capistrano. Nagios can tell me when nodes are out of date via the check_cluster plugin (info generated dynamically from puppet) as a cluster of the check_apt plugin. Capistrano can easily pull my nodes from puppet stored configs, dynamically stuff them into roles based on hostname (mcollective does not have the limitation of relying on hostnames), and I can update to various groups of hosts based on OS, DC/location, or type of service such as webservers, smtp servers, etc. I suppose some logic could be coded into my capfile to get this info more gracefully than simple hostname parsing, but at that point I would just deploy mcollective.

I have some really simple code I can share if you need to, but I am warning you right now, capistrano is not a scalable tool. It barfs, last time I checked, on more than 30 or so simultaneous ssh connections. This could be a limitation of the ssh-agent, but I've worked around it and haven't done any stress testing in months.

Security stuff like CVEs would be a little more involved. The company I work for scans for this stuff, but we don't really have an automated fix integration process. We generate remediation reports, but that just tells a human what to do.

Like I said, mcollective is the future for this kind of stuff, but cap is sort of easier to get going with since it's plain ssh connections. I guess it depends on a few factors like size of your infrastructure, how quick you need it, etc. If you have time, go with mcollective.

On 11/02/2010 10:38 AM, R.I.Pienaar wrote:
> ----- "Joel Merrick" <joel.merr...@gmail.com> wrote:
>
> > Is there any way this could be accomplished? I suppose the nirvana
> > for me would be to be able to instantly see if a package needs updating,
> > based upon a CVE/DSA/RSA etc similar to the way pakiti does it [1]..
> > (although I suppose a sources.list with just security sources would
> > do) and then use something like mcollective to slowly, but safely
> > upgrade the package.
>
> not sure if this will solve all your needs but it should be trivial to
> write something for mcollective to parse 'yum check-update' output and
> aggregate that over your entire estate.

--
Joe McDonagh
Operations Engineer
AIM: YoosingYoonickz
IRC: joe-mac on freenode
"When the going gets weird, the weird turn pro."
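As an added example (not code from this thread, from mcollective or from capistrano), here is the parse-and-aggregate logic that R.I.Pienaar's suggestion calls for, written in Ruby because that is what mcollective agents are written in: each node parses its own `yum check-update` output, and a client rolls the replies up by package so you can see which hosts still need which update. The host names and command outputs below are constructed samples; the parser handles the two formatting quirks of real output, package names wrapped onto their own line and the trailing "Obsoleting Packages" section.

```ruby
module CheckUpdate
  # "name.arch" token that begins every package line of `yum check-update`.
  PKG_RE = /\A(\S+)\.(x86_64|i686|i386|noarch|aarch64|src)\z/

  # Parse `yum check-update` text into name => { arch:, version:, repo: }.
  # Copes with header noise and long names wrapped onto their own line, and
  # stops at "Obsoleting Packages", whose entries are replacements, not updates.
  def self.parse(output)
    updates = {}
    pending = nil # [name, arch] whose version/repo is on the following line
    output.each_line do |raw|
      line = raw.strip
      break if line == "Obsoleting Packages"
      fields = line.split
      if pending && fields.size == 2
        updates[pending[0]] = { arch: pending[1], version: fields[0], repo: fields[1] }
        pending = nil
      elsif fields.size == 1 && (m = PKG_RE.match(fields[0]))
        pending = [m[1], m[2]]
      elsif fields.size == 3 && (m = PKG_RE.match(fields[0]))
        updates[m[1]] = { arch: m[2], version: fields[1], repo: fields[2] }
      end
    end
    updates
  end

  # Aggregate per-host parse results into package name => sorted host list,
  # which is what a client would do with the replies from every node.
  def self.aggregate(by_host)
    summary = Hash.new { |h, k| h[k] = [] }
    by_host.each { |host, pkgs| pkgs.each_key { |name| summary[name] << host } }
    summary.each_value(&:sort!)
    summary
  end

  # Constructed sample output from two hypothetical nodes (not real hosts).
  SAMPLE_OUTPUT = {
    "web01" => <<~OUT,
      Loaded plugins: fastestmirror

      bash.x86_64                4.2.46-34.el7      updates
      openssl.x86_64             1:1.0.2k-19.el7    updates
      some-very-long-package-name-that-wraps.noarch
                                 2.0-1.el7          epel
      Obsoleting Packages
      old-thing.noarch           1.0-1.el7          base
    OUT
    "smtp01" => "Loaded plugins: fastestmirror\n\nopenssl.x86_64  1:1.0.2k-19.el7  updates\n",
  }.freeze

  # Estate-wide view: parse each node's output, then aggregate.
  def self.estate_summary
    aggregate(SAMPLE_OUTPUT.transform_values { |out| parse(out) })
  end
end
```

In a real agent each node would run the command itself and return `parse`'s hash; the client side is just `aggregate` over the replies.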
