Patch Management with InfraGuard
By Kislay Chandra
Arguably, AWS is the most documented name in cloud computing. The main reason being that they were the first, and they do everything right. But do they? If you use InfraGuard to maintain patches for your servers, you know that we are able to provide what can be considered an operations guy's dream.
Limitations of using SSM in patch management:
Things were not the same when we started. Like every other company that wants to play safe, we went for the market-accepted norms, i.e. do it how AWS does it. We made ourselves familiar with "AWS Systems Manager Patch Manager". There were red flags right from the beginning:
- “AWS does not test patches for Windows or Linux before making them available in Patch Manager.” What this means is that AWS does not take any responsibility if patches do not install.
- AWS Systems Manager Patch Manager automates the process of patching managed instances with "security-related updates" only for Windows. The truth is we were not getting even all the security updates.
- AWS Patch Manager uses the concept of "Patch Baselines". It looks like a good idea when you first get it, but eventually we realized it is useful just for AWS instances. We can’t manage hybrid instances with a baseline. We had our trust in AWS, so we thought we couldn't go wrong, and boy, were we wrong. The first moment of realization was when we found out AWS Systems Manager does not support all operating systems.
How we solved it:
We knew about all these problems because we had access to the servers' console. We were executing commands to find out about new and pending patches, the list of installed patches, etc. The data was accurate and easy to get. Gradually it struck us that there is no better way to get information about an operating system than from the operating system itself.
The great realization:
We had SSM installed and we were running commands all the time. The great realization was: why not use the same commands to actually get the data for our application?
So the process was broken into two parts:
- Recognize the operating system
- Execute the get update command
For Red Hat OS it looks something like this:
# Red Hat family: the distro marker file is /etc/redhat-release and the native package manager is yum
if [ -f /etc/redhat-release ]; then yum check-update; fi
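The same two-step process, generalized to Debian/Ubuntu and Red Hat family hosts, as an added example that is not InfraGuard's own code. It assumes the host ships /etc/os-release; the os-release contents and package-manager output it works on are constructed inline, so it runs offline without installing anything.

```shell
#!/bin/sh
# Added example, not InfraGuard's code: step 1 recognises the OS family from
# its own release metadata, step 2 picks that OS's native "pending updates"
# command. Sample os-release contents and package-manager output are
# constructed inline so the script runs offline; nothing is installed.

# Step 1: print the OS family (debian, rhel or unknown) for an os-release file.
detect_os_family() {
    osrel="${1:-/etc/os-release}"
    [ -r "$osrel" ] || { echo unknown; return 1; }
    # ID and ID_LIKE are the fields os-release(5) defines for this purpose.
    ids=$(sed -n -e 's/^ID=//p' -e 's/^ID_LIKE=//p' "$osrel" | tr -d '"' | tr '\n' ' ')
    case " $ids " in
        *" debian "*|*" ubuntu "*)            echo debian ;;
        *" rhel "*|*" fedora "*|*" centos "*) echo rhel ;;
        *)                                    echo unknown; return 1 ;;
    esac
}

# Step 2: print the native command that lists pending updates for a family
# (needs root on a real host; yum exits 100 when updates are pending).
pending_cmd() {
    case "$1" in
        debian) echo "apt-get update -qq && apt list --upgradable 2>/dev/null" ;;
        rhel)   echo "yum -q check-update" ;;
        *)      return 1 ;;
    esac
}

# Count pending packages in the output of that command (read from stdin).
count_pending() {
    case "$1" in
        # apt prints one "pkg/suite version arch [...]" line per update
        debian) grep -c '/' ;;
        # yum prints "pkg.arch version repo"; skip headers and blank lines
        rhel)   awk 'NF == 3 && $2 ~ /[0-9]/ { n++ } END { print n + 0 }' ;;
        *)      return 1 ;;
    esac
}

# Demo on a constructed os-release. On a real host, call detect_os_family
# with no argument, then: eval "$(pending_cmd "$fam")" | count_pending "$fam"
sample=$(mktemp)
printf 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\n' > "$sample"
fam=$(detect_os_family "$sample")
rm -f "$sample"
echo "family=$fam pending-patch command: $(pending_cmd "$fam")"
```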
How is it better?
- We are using native commands. That means this is how the OS wants to be updated.
- There are no missing patches, i.e. if the OS released it, we see it. There is no midway bridge between OS-released patches and what we see.
- It is so much simpler than "AWS Systems Manager Patch Manager". No more patch baseline creation, limited OSes and limited types of patches.
- We can run it whenever we want – with cron or with actions.
The result was phenomenal. Customers who expressed concerns about InfraGuard just because of patch management started loving it for its patch management feature. The simplicity it offers is unlike anything available right now. It literally takes two clicks to scan or install patches on your servers.
- Go to your Project or Server page to see the number of Pending patches
- Click on the Pending Patches button to see the list of pending patches with version, category and severity.
- You can even filter patches based on category.
- Then select the patches to be installed, or select them all, and hit the Install Selected Patches button; then sit back and let InfraGuard do the heavy lifting.
- You will be notified by email when the patches are installed. Alternatively, you can click on Installed Patches to access the installed patch history with date and status filters.