Puppet is used for configuration management, what about software updates etc?
Well, for APT in particular, you can configure many daily jobs, such as update. Just look at /etc/cron.daily/apt for a list of variables you can configure, and check the man page for apt.conf for how to do it. The ones of most interest to you are these:
# APT::Periodic::Update-Package-Lists "0";
# - Do "apt-get update" automatically every n-days (0=disable)
#
# APT::Periodic::Download-Upgradeable-Packages "0";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)
#
# APT::Periodic::Download-Upgradeable-Packages-Debdelta "1";
# - Use debdelta-upgrade to download updates if available (0=disable)
#
# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
As for upgrading the system, use the package unattended-upgrades.
Having said all that, I prefer to use Puppet to control what packages must be kept at ensure => latest, or ensure => version, as well as controlling pin numbers for various source lists and packages.
And, I suppose, one could use a configuration like this:
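# With no hour/minute Puppet schedules the job every minute; -y keeps apt-get non-interactive under cron. 03:00 is an arbitrary time.
cron { 'upgrade': command => 'apt-get update && apt-get -y upgrade', user => 'root', hour => 3, minute => 0 }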
Now, you mention doing stuff before calling puppet agent. Do you mean before running puppet agent for the first time? If so, then a solution such as Foreman might do the trick for you.
Here, where I manage my virtual hosts through Ganeti, we have puppet being installed by Ganeti's instance-debootstrap. We also have a small script we use to install puppet on older servers.
In the end, it is not possible to use an automated solution to install Puppet on existing servers unless said automated solution has been already installed. Our own preference is to install puppet first, and distribute anything else through it.
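A check for the APT::Periodic settings listed in the answer above, as an added example that is not part of the original answers: it resolves the effective values across apt.conf.d-style files (read in name order, later files override earlier ones) and flags a host where unattended-upgrade is not scheduled or would run without refreshed package lists. The file names and contents in SAMPLE are constructed, and only the flat `APT::Periodic::Key "value";` form is parsed.

```python
import re

# One flat assignment, e.g.  APT::Periodic::Unattended-Upgrade "1";
# Lines starting with // or # never match because the key must start the line.
SETTING = re.compile(r'^\s*APT::Periodic::([A-Za-z-]+)\s+"([^"]*)"\s*;', re.M)

def effective_periodic(conf_files):
    """conf_files maps file name -> content; returns the winning value per key."""
    result = {}
    for name in sorted(conf_files):          # later names override earlier ones
        body = re.sub(r'/\*.*?\*/', '', conf_files[name], flags=re.S)  # block comments
        for key, value in SETTING.findall(body):
            result[key] = value
    return result

def enabled(settings, key):
    # A missing key counts as "0", the default shown in /etc/cron.daily/apt.
    return settings.get(key, "0").strip() not in ("", "0")

def audit(conf_files):
    """Return a list of findings; an empty list means both jobs are scheduled."""
    settings = effective_periodic(conf_files)
    findings = []
    if not enabled(settings, "Unattended-Upgrade"):
        findings.append("unattended-upgrade is not scheduled")
    elif not enabled(settings, "Update-Package-Lists"):
        findings.append("unattended-upgrade runs against stale package lists")
    return findings

# Constructed sample: a local override silently disables the list refresh.
SAMPLE = {
    "10periodic": 'APT::Periodic::Update-Package-Lists "1";\n'
                  'APT::Periodic::Unattended-Upgrade "1";\n',
    "99local": '// APT::Periodic::Unattended-Upgrade "0";\n'
               '/* APT::Periodic::Download-Upgradeable-Packages "1"; */\n'
               'APT::Periodic::Update-Package-Lists "0";\n',
}

if __name__ == "__main__":
    print(effective_periodic(SAMPLE))
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a real host the dictionary would be filled from the files under /etc/apt/apt.conf.d/, for example by a Puppet custom fact or a scheduled job.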
I have always used cron-apt for unattended automated updates. It is a bit clunky to configure, but once set up it works well. If you pair it with sSMTP you can get automated updates and/or notification via email.
In your situation you could use Puppet to control the cron-apt, sSMTP and crontab configuration files.
Here's my standard setup... tweak as appropriate.
Puppet uses a declarative language in which you specify how things ought to be according to your desired configuration, and you leave the method used to achieve that up to puppet to sort out. As such, it's not incredibly well-suited for running arbitrary commands from time to time.
It's easy enough to ask puppet to ensure that a package is installed, but for regular updates, I'd recommend you have puppet add a line to root's cron to do $ apt-get update && apt-get upgrade periodically. If you want to have fine-grained control over which packages get applied, then you could look into running your own apt repository.