Introduction
Patching consistently ensures complete protection against any security threat for your resources. Configuring the patch schedule allows you to decide when to apply the patch updates.
Note
Patch configuration can be scheduled on a periodic or on-demand basis.
Adding and scheduling patches
To add a patch configuration:
- From All Clients, select a client.
- Go to Automation > Patch Management > Patch Configuration and click Add.
- From Add Patch Configuration, provide the following:
  - Select Client
  - Patch Configuration Name: Refers to the name for the patch ready for installation.
  - Description: Refers to the details of the patch.
  - Apply To: Refers to applying the patch to Desktops or Servers.
  - Resource Groups: Refers to applying patches to Windows and Linux devices in the resource groups.
- After providing the basic details, navigate to the Assign Devices section.
- From Assign Devices, select the devices from the Available Devices section.
  The selected devices appear in the Assigned Devices section.
- After selecting the devices, navigate to Approval Type.
- From Approval Type, select one of the following options:
  - Manual Approve
  - Auto Approve
- After selecting Approval Type, navigate to Reboot Options.
- From Reboot Options, select one of the following options:
  - Do not reboot
  - Reboot after install if required
- After selecting the reboot options, navigate to the Patching Schedule section.
- From Patching Schedule, provide details for the following parameters:
  - Start Date
  - Recurrence Pattern
- Select the check box to select the following parameters:
  - Enable patching during shutdown/reboot
  - Enable maintenance
- Click Add Users. The selected users receive an email notification after completing the patch configuration job.
- Click Finish.
Notes
- The patch configuration is displayed in the configured list. Click Run Now to install the approved patches as required.
- The approved patches are installed only when a patch configuration is added.
- Patches are downloaded directly to individual desktops and servers. You can install patches using Agent for Windows. You may experience above-normal bandwidth usage during the weekend patch maintenance period.
Internal patch configuration process
After the patch configuration job begins, the agent executes the following:
Note
This process is shown for Linux resources.
Step 1: Agent receives control MSG xml (as seen in debug logs)
<cm><id>MISSING_PATCH_DL_IN</id><reqid>2018-06-25 06:49:14</reqid><params>2</params></cm>
Step 2: Agent sends response
<cm><id>RES_MISSING_PATCH_DL_IN</id><response><![CDATA[<winadviceinfo><result params="2">success</result><reqid>2018-06-25 06:49:14</reqid></winadviceinfo>]]></response></cm>
Step 3: Agent receives control MSG xml
<cm><id>MISSING_PATCH_DL_IN_LIST</id><reqid>0</reqid><params><ps><p><name>fcoe-utils-1.0.28-6.el6.x86_64 — “”</name><name>curl-7.19.7-53.el6_9.x86_64 — “”</name><name>libtiff-3.9.4-21.el6_8.x86_64 — “”</name><name>efibootmgr-0.5.4-15.el6.x86_64 — “”</name><name>grep-2.20-6.el6.x86_64 — “”</name></p><list>0</list></ps></params></cm>
The agent saves the kbid in the /opt/opsramp/agent/tmp/approved_pkgs.json file.
Step 4: Agent runs patch install job
The following commands are used (depending on the OS) to generate the patch_install_result.json file at /opt/opsramp/agent/tmp/patch_install_result.json:
- Ubuntu: /usr/bin/python /opt/opsramp/agent/lib/apt_frame.py install
- CentOS, Fedora: /usr/bin/python /opt/opsramp/agent/lib/yum_frame.py install
- SUSE: /usr/bin/python /opt/opsramp/agent/lib/zypper_frame.py install
- DARWIN: /usr/bin/python /opt/opsramp/agent/lib/mac_frame.py install
After running the patch install job, the agent checks for the KBIDs that require a reboot.
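For reviewing agent debug logs, the following added example (not the agent's own code) pairs the Step 1 request with the Step 2 response by reqid and checks each Step 3 package name against an allowlist pattern before it would be trusted as a package identifier. The sample lines, the PKG_RE pattern, the bad;name entry and the function names parse_message and audit are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample lines, modelled on the Step 1-3 messages shown above.
SAMPLE = [
    '<cm><id>MISSING_PATCH_DL_IN</id><reqid>2018-06-25 06:49:14</reqid><params>2</params></cm>',
    '<cm><id>RES_MISSING_PATCH_DL_IN</id><response><![CDATA[<winadviceinfo>'
    '<result params="2">success</result><reqid>2018-06-25 06:49:14</reqid>'
    '</winadviceinfo>]]></response></cm>',
    '<cm><id>MISSING_PATCH_DL_IN_LIST</id><reqid>0</reqid><params><ps><p>'
    '<name>curl-7.19.7-53.el6_9.x86_64 -- ""</name>'
    '<name>bad;name -- ""</name>'  # constructed entry that must be rejected
    '</p><list>0</list></ps></params></cm>',
]

# Assumed allowlist for package identifiers (name-version-release.arch).
PKG_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]*$')

def parse_message(line):
    """Return (message id, fields) for one <cm> control message."""
    root = ET.fromstring(line)
    msg_id = root.findtext('id')
    fields = {'reqid': root.findtext('reqid')}
    if msg_id == 'RES_MISSING_PATCH_DL_IN':
        # The response body is a second XML document carried in CDATA.
        inner = ET.fromstring(root.findtext('response'))
        fields = {'reqid': inner.findtext('reqid'), 'result': inner.findtext('result')}
    elif msg_id == 'MISSING_PATCH_DL_IN_LIST':
        # Keep only the first token; the rest of <name> is an annotation.
        fields['names'] = [n.text.split()[0] for n in root.iter('name') if (n.text or '').strip()]
    return msg_id, fields

def audit(lines):
    """Pair requests with responses by reqid and validate the package list."""
    pending, report = set(), {'acknowledged': [], 'packages': [], 'rejected': []}
    for line in lines:
        msg_id, f = parse_message(line)
        if msg_id == 'MISSING_PATCH_DL_IN':
            pending.add(f['reqid'])
        elif msg_id == 'RES_MISSING_PATCH_DL_IN' and f['result'] == 'success' and f['reqid'] in pending:
            pending.discard(f['reqid'])
            report['acknowledged'].append(f['reqid'])
        elif msg_id == 'MISSING_PATCH_DL_IN_LIST':
            for name in f['names']:
                report['packages' if PKG_RE.match(name) else 'rejected'].append(name)
    # Requests that never received a success response stay in 'unanswered'.
    return dict(report, unanswered=sorted(pending))

if __name__ == '__main__':
    print(audit(SAMPLE))
```

When the log lines come from hosts you do not control, parse them with a hardened XML parser such as defusedxml instead of the standard library module.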