All notable changes to this project will be documented in this file.
Improvements
- Added support for RHEL 9 in the reboot detection script.
Improvements
- Added support for matching against full process arguments for the `patching_as_code::unsafe_process_list`.
Bugfixes
- No longer logs `Puppet Unknown variable: 'reboot'` on runs outside of the patch day.
Improvements
- Correctly handles multi-architecture package updates, e.g. when there is an update for both the `i686` and `x86_64` version of a package.
Bugfixes
- Fixes a bug that caused High Priority OS patches for Windows not to be installed, due to the wrong variable being used.
Improvements
- Deduplicates the list of installed patches on the last run, reported in the `patching_as_code` fact.
Improvements
- Fix incorrect YAML code markers in `README.md`.
Features
- Adds support for high priority patches on an alternate patch schedule.
- Adds `high_priority_only` parameter to the `patching_as_code` class, for compatibility with the `puppetlabs/change_window` module.
Improvements
- Ensures the last_run fact data only gets written during the patch window.
Bugfixes
- Moves the location of the `patching_as_code` fact content to `/opt/puppetlabs/patching_as_code` (or `%ProgramData%\PuppetLabs\patching_as_code` on Windows), to remove a dependency on `pe_patch`/`os_patching` creating the directory where the last_run file content can be stored.
- Fixes an incompatibility with `os_patching` that was caused by the wrong directory being assumed for the `patching_as_code` fact content when using `os_patching`.
Features
- Added a `patching_as_code` fact that details the date & time of the last successful patch run, as well as which packages were installed.
Bugfixes
- No longer adds `Exec[Patching as Code - Clean Cache]` to the `require` metaparameter of managed Chocolatey package resources that will be patched.
Improvements
- Split the `allowlist` and `blacklist` to have dedicated lists for Chocolatey, with the new `allowlist_choco` and `blacklist_choco` parameters. These new parameters now must be used for Chocolatey packages; the regular `allowlist` and `blacklist` will not affect Chocolatey packages anymore.
- Pending OS reboots will now no longer occur if `enable_patching` has been changed to `false`. This is to enable the `enable_patching` parameter being used as a single switch to ensure that no disruptive action can happen at all.
Bugfixes
- Improved processing of the `patching_as_config_choco` fact, to ensure backwards compatibility with Facter 3.
- The `patching_as_config_choco` fact now no longer errors on a system that does not have `patching_as_config` enabled.
Features
- Added ability to update Chocolatey packages as part of the patching run, by setting `patch_choco => true`. Allowlist & blocklist settings will be applied to Chocolatey packages as well.
Improvements
- Enable control of behavior for automatic uploading of facts by the `pe_patch` and `os_patching` modules (contributed by @prolixalias)
- Fix cause of deprecation message `Calling function empty() with Numeric value is deprecated` (contributed by @prolixalias)
Improvements
- Deduplicates the list of patches to install, preventing any possible duplicate resource declarations if the list of patches to install contains the same patch more than once for any reason
Improvements
- Allow reinstalls of KB4052623 as these are also monthly AV definition updates
Bugfixes
- Correct KB2267202 to KB2267602
Improvements
- Allow reinstalls of KB2267202 and KB2461484 as these are monthly AV definition updates
Bugfixes
- Removed a dependency on the `patching_as_code_config` fact inside of the `is_patchday()` function, preventing possible catalog compilation failures as a result of the `patching_as_code_config` fact not yet existing for new agents.
Bugfixes
- Accounts for the `patching_as_code_utc_offset` fact being empty in some situations.
Improvements
- Now correctly adjusts for timezone differences between the Puppet Server and the managed node, ensuring that the local node time & date gets used to calculate if today is patch day.
- Now logs messages in the Puppet Server log to report the calculated local node time & day, as well as whether or not today is patch day for the node.
Bugfixes
- Fixes a missing `schedule` metaparameter for the `Notify[Patching as Code - Update Fact]` resource, which would cause the `pe_patch` fact to update at every Puppet run during the patch day, instead of only during the maintenance window.
Bugfixes
- Correctly handles package declarations where the title of the package resource does not match the name of the package.
Improvements
- The pre-patch reboot in case of any pending reboots now happens also if it is patchday but there are no patches to install. This facilitates parallel patching tools to have installed patches before Puppet's patch window, with Puppet performing the actual reboot.
Improvements
- Adopted the `eval_generate` function in the `patch_package` type to ensure that newly generated `package` resources become children of the `patching_as_code::linux::patchday` class. This provides better context for these package resources, which can be leveraged in external reporting tools (e.g. Splunk).
- Simplified the `patch_package` type, removed capabilities that are no longer needed
- Moved the logic to trigger the patch fact refresh to the main manifest
- Simplified the patchday classes
Features
- Moves the post-patch reboot logic to its own stage (`patch_reboot`), which runs after the `main` stage. This should ensure that reboots only happen at the end of the Puppet run.
- Removed the `notify` logic for triggering the reboots from installed patches, in favor of handling the reboot logic in the new `patch_reboot` stage.
- Deduplicated the calling of the Exec resource that refreshes the patch fact, ensuring this only happens once now.
Features
- Adds support for setting the value `Any` to the `day_of_week` parameter in a patch schedule
Bugfixes
- Removed the `weekday` attribute of the `schedule` resource that this module uses internally to restrict when patches can be applied. In certain edge cases where the Puppet server is in a very different timezone from a managed node, there can be a 1 day date difference between the two systems. This creates a scenario where the node never receives a valid patch schedule. By removing the `weekday` parameter from the `schedule` resource, this can no longer occur. Other logic still protects the actual day on which the patching is allowed, so this parameter wasn't necessary.
Features
- Adds support for providing an array of values to the `patch_group` attribute of the `patching_as_code` class
- Adds support for providing an array of values to the `count_of_week` parameter in a patch schedule
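The patch-day decision described across these entries (a `day_of_week` that may be `Any`, a `count_of_week` that may be an array, and the node's own UTC offset applied before working out the weekday) is sketched below as an added example; it is not the module's `is_patchday()` implementation, and it assumes the `patching_as_code_utc_offset` fact carries an offset in seconds that may be empty.

```ruby
require 'time'

# Weekday names in Ruby's Time#wday order (0 = Sunday).
DAYS = %w[Sunday Monday Tuesday Wednesday Thursday Friday Saturday].freeze

# Shift a server-side UTC instant to the node's wall clock using the node's
# UTC offset in seconds (assumed to be what the patching_as_code_utc_offset
# fact carries). An empty or missing offset, which the changelog notes can
# happen, is treated as UTC rather than raising.
def node_local_time(utc_time, utc_offset)
  offset = utc_offset.to_s.strip.empty? ? 0 : utc_offset.to_i
  utc_time.getutc + offset
end

# Which occurrence of its weekday a date is within the month (1 = first).
def count_of_week(time)
  ((time.day - 1) / 7) + 1
end

# schedule is a Hash with 'day_of_week' (a weekday name or 'Any') and
# 'count_of_week' (an Integer or an Array of Integers), as described in the
# changelog; a missing count_of_week matches every week.
def patchday?(schedule, utc_time, utc_offset)
  local  = node_local_time(utc_time, utc_offset)
  days   = Array(schedule['day_of_week'])
  counts = Array(schedule['count_of_week']).map(&:to_i)
  day_ok   = days.include?('Any') || days.include?(DAYS[local.wday])
  count_ok = counts.empty? || counts.include?(count_of_week(local))
  day_ok && count_ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: 2nd and 4th Tuesday; the server clock reads Wednesday
  # 02:00 UTC, but the node sits at UTC-10 where it is still Tuesday the 12th.
  sched = { 'day_of_week' => 'Tuesday', 'count_of_week' => [2, 4] }
  server_now = Time.utc(2024, 3, 13, 2, 0, 0)
  puts "node local time: #{node_local_time(server_now, -36_000)}"
  puts "patch day (node offset -10h): #{patchday?(sched, server_now, -36_000)}"
  puts "patch day (no offset):        #{patchday?(sched, server_now, '')}"
end
```

The sample shows the failure mode the `weekday` removal and the UTC-offset fact address: the same instant is patch day on the node but not by the server's clock.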
Features
- Removes dependency on the `windows_updates` module, we can now install Windows Updates natively
- Adds a Task to install a Windows Update over WinRM or PCP
- Updates the PDK to 2.0.0
- No longer fails the resource if the Windows Update is no longer available/applicable for the node
- Write a `patching_as_code_config` fact that reports configuration state
- Support security-only patching via a new `security_only` parameter to the class. This works for Linux today, but requires a not-yet shipped update to `pe_patch` for Windows
- Preparations for being able to run `patching_as_code` as a plan, not yet active.
Bugfixes
- Ensure `yum-utils` package on all RedHat/CentOS versions, not just 8
- Use `ensure_packages()` for safer enforcement of `yum-utils` package
Bugfixes
- Account for `$facts['operatingsystemmajrelease']` returning a string instead of an integer
Bugfixes
- For parsing the result of `/usr/bin/needs-restarting -r` in CentOS 7/8, the script was `if [ $? -eq 0 ]` instead of `if [ $? -eq 1 ]`, which caused the logic to be flipped.
Features
- Completely rewrote the reboot behavior, so that pending reboot detection fully works both before patching and after patching, in the same Puppet run. There is no more dependency on the `reboots.reboot_required` portion of the `pe_patch`/`os_patching` fact; all logic is now internal and no longer requires multiple Puppet runs.
- Changed the default schedules to `reboot: ifneeded` (was `reboot: always`), now that the pending reboot logic has improved so much
- Ensured that pre_reboot commands will now trigger when necessary (only one scenario can happen at a time):
  - when an OS pending reboot is detected at the start of a run (before patching)
  - when an OS pending reboot is detected at the end of a run (after patching)
- Forced pre_reboot commands (which are essentially Exec resources) to use the `posix` provider on Linux and the `powershell` provider on Windows, so that the pending reboot detection logic can be injected into the resource dynamically.
Features
- Rewrote updating of Linux packages to use a custom type (`patch_package`), which dynamically updates and/or creates `package` resources for patching in the catalog on the agent side. This ensures no duplicate package declarations can occur on the server side, due to the parsing-order dependency of `defined()` and `defined_with_params()`. Neither of these functions are used anymore.
Bugfixes
- Also protect against duplicate package declarations when `ensure` is set to a version. This isn't 100% bulletproof as the check is parse-order-dependent, but will work in most cases.
Bugfixes
- Ensured Linux patches cannot cause duplicate declarations
Bugfixes
- Added dependency on `puppetlabs/puppet_agent` to the module's metadata
Features
- Added a `patch_unsafe_process_active` custom fact that reflects if any process from the `unsafe_process_list` parameter was found active on the system.
- Added an `unsafe_process_list` parameter to the `patching_as_code` class, which defines processes for the system that must cause patching to be skipped if any of those processes are active. Defaults to an empty array.
Features
- Added cache cleanup for other providers (dnf, apt, zypper)
- Added refresh of `pe_patch::fact::exec`/`os_patching::fact::exec` resources, to auto-update patch state after patching. This prevents unnecessary patching runs that perform no updates
Bugfixes
- Increased reboot delay after patching from 1 to 5 minutes, to account for remaining activities in the Puppet run
Bugfixes
- Fixes the datatype of the `metered_link` fact; this was expected to be Boolean but got reported as a String, causing the logic to break.
Features
- Added a `metered_link` custom fact that detects metered network connections on Windows
- Added a `patch_on_metered_links` parameter to the `patching_as_code` class, which controls if patches are installed when running over a metered link (Windows only). Defaults to `false`.
Features
- This update ensures that patching_as_code defaults to NOT classify the pe_patch class on PE 2019.8.0, so that you can use the builtin "PE Patch Management" node group(s) to classify pe_patch. Since UI will be further improved in PE for this, it makes sense that this would be the leading way to classify pe_patch. This module can still be given control over pe_patch, as described in the updated Readme.
- The blacklist and whitelist have been renamed to blocklist and allowlist.
- Documentation has been updated, with a reference for the main manifest.
Bugfixes
- Ensure pre/post-patching & pre-reboot commands use the same schedule
Fixes pending reboot logic, adds pre/post-patching & pre-reboot command support
Features
- Ensures pending reboots are handled correctly, skipping patch installs completely
- Allows defining `Exec` resources dynamically for pre/post-patching & pre-reboot commands
- Refactors reboot logic into main manifest
Known Issues
- Tested on Windows 2016 and 2019, and CentOS 7
Initial release
Features
- Integrates with `albatrossflavour/os_patching` and `puppetlabs/pe_patch`
- Customizable patch windows
- Patch window based on Nth weekday in the month
- Reboot control
- Yum clean support
Known Issues
- Tested on Windows 2016 and 2019, and CentOS 7