Giters

SeaPhor / suma-channel-mgr_5

SUSE Manager LifeCycle Patch Channel Management

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

suse-managerspacewalklifecycle-management

suma5

In 2017 I was asked to give a presentation and speech at SUSECon-2017 based on the process and execution for automating Patch LifeCycle Management through this scripted portable, scaleable, and automate-able set of commands and API calls on SUSE-Manager. I was not able to attend due to an employer conflict, but, it was an honor just to be asked.

Lifecycle-Management

  • According to "SUSE Manager Best Practices" and "Advanced Patch Lifecycle Management with SUSE Manager" [By Jeff Price, SUSE] ... "SUSE provided channels should NEVER be assigned to managed systems. One reason is that you do not have control over when the content is updated and made available." [Chapter 5-1 of the Administration guide for SUSE Manager and is also in the 2 titles mentioned above.]

    • EXAMPLE => Patch Non-Production one week/month to test the patches prior to implementing to Production, and then patch the Production the following week/month => packages will be different and test in Non-Production will be invalid.

  • There are 2 ways to accomplish this,

    • 1 => Manually in WebUI with some manual CLI as well <= NOT Discussed in this writing
    • 2 => Use my script, or create your own, to automate this entire process.
    • My Automation Script
      • Requirements-
        • Package => "spacewalk-utils" (in the repository for SUSE Manager)
          • This will give you the "spacewalk-manage-channel-lifecycle" command used in my script.
          • Upon the first run of the script it will check for this package and offer to install it for you if it not installed.
        • Source File for Local credentials and custom additions.
          • Upon the first run of the script it will check for this file and offer to create it for you if it does not exist.
      • Script Actions
        • First Run (Every run will check and verify)
          • Check for a "credentials" file to be sourced, and offer to create it if not present.
          • Source the "credentials" file
          • Check for the "spacewalk-utils" package and offer to install it for you if it not installed.
          • Check for the "~/.mgr-sync" file and create and populate it if not present
          • Refresh and sync all SUSE Channel Trees using the "mgr-sync -s refresh" and the "spacewalk-repo-sync" commands.
          • Check for the "dev-..." channel tree to determine first-run or not
            • Run the "spacewalk-manage-channel-lifecycle" command with the "--init" option in the first-run only, it uses the "--promote" thereafter.
              • This will clone the SUSE Channel Tree/s into "dev-..." trees as in "sles12-sp3-pool-x86_64" => "dev-sles12-sp3-pool-x86_64" and all child channels accordingly.
            • If not present it will create an "Activation Key" for each "dev-..." pool.
            • If not present it will create a "Bootstrap Script" with it's activation key for each "dev-..." pool.
          • Check for the "test-..." channel tree to determine first-run or not
            • Run the "spacewalk-manage-channel-lifecycle" command with the "--promote" option.
              • This will Promote (clone) the "dev-..." Channel Trees into "test-..." as in "dev-sles12-sp3-pool-x86_64" => "test-sles12-sp3-pool-x86_64" and all child channels accordingly.
            • If not present it will create an "Activation Key" for each "test-..." pool.
            • If not present it will create a "Bootstrap Script" with it's activation key for each "test-..." pool.
              • This will Promote (clone) the "test-..." Channel Trees into "prod-..." as in "test-sles12-sp3-pool-x86_64" => "prod-sles12-sp3-pool-x86_64" and all child channels accordingly.
            • If not present it will create an "Activation Key" for each "prod-..." pool.
            • If not present it will create a "Bootstrap Script" with it's activation key for each "prod-..." pool.
          • Run any Custom functions added to the "credentials" file- NOTE => this function call needs to be manually created and called either in the "credentials" file or in the script itself.
          • Email the named recipient with the results.
        • All logging is done in '~/reposync.log'
        • The script and the "credentials" file are located in '~/bin/'
        • The first-run will not run them out of sequence- they must be run i order- -b, -d, then -p
        • All runs after the first run will require no user interaction and can be put into cron-job/s.

APPENDIX A Lifecycle-Management Here's how I manage mine-

  • First Monday of every Month at 1am, 3am, 5am =>
  • [-b], [-d], [-p]
  • Every Monday at 1am =>
    • [-b] <= This channel is exclusively used for our PCI and other Compliance clients that MUST be kept patched at least Every Month with the Latest available packages.
  • We patch Non-Production PCI and other Compliance clients on a Monday, and then their Production counterparts on the following Thursday, allowing 3 days for OS and Application/s testing.
  • NON-Compliance clients are patched Quarterly, by groups, 1 group per month with the Non-Prod done in the first week of the month and the Production done in the third or fourth week of the month.

About

SUSE Manager LifeCycle Patch Channel Management

suse-managerspacewalklifecycle-management

License:GNU Lesser General Public License v2.1

Languages

Language:Shell 100.0%