Inspiration for long term package management

asked 2013-11-28 16:37:14 -0600

geppetto

I'm exploring Puppet and over the past weeks have created a nice manifest that installs and configures all applications that I need over the two OS that we use. I can now spin up boxes real fast and keep configuration in sync, and that already solves a major problem!

However, with creating boxes out of the way, maintaining them is still an unknown for me. I'm not yet sure on a good Puppet strategy for managing package updates over a longer time.

Currently, I don't specify package versions, I just 'ensure' what I need to 'installed'. So ...


Does help answering your question? I'd say this is a duplicate.

Stefan (2013-11-28 18:50:31 -0600)


Kai Burghardt (2015-04-04 11:01:48 -0600)

One additional thing that you can do... you can always have 'update' to latest, BUT point at your own apt mirror which only has the additional packages you pass to it. That means you can manage version once (bringing in new versions to your apt mirror), but still control/block unwanted upgrades

DarylW (2017-06-27 07:35:55 -0600)

1 Answer


answered 2017-06-27 03:17:36 -0600

Tozz

We do not specify versions in our Puppet manifests. We just use 'ensure => 'installed'' (not latest, or anything else).

We manage updates in two ways:

- We use unattended-upgrade (Debian/Ubuntu) and we publish the unattended-upgrade configuration file using Puppet. We also install the unattended-upgrade package using Puppet.
- We monitor the available updates using Nagios. Unattended-Upgrades will not always work. Sometimes updates simply require user intervention. Our Nagios instance lets us know if that is the case.

The majority of updates are installed without any intervention from us.

You could also use 'ensure => latest'. This however has the disadvantage that it will only update packages that you have defined in Puppet, and not any of the other packages that might or might not be very important for overall system security (such as libc). So to me that is not a foolproof solution.

Another disadvantage of this method is that it will run 'apt-get update' every Puppet run (usually every 30 minutes). That is a bit overkill, since updates are not released that frequently.

So I suggest you take a look at 'unattended-upgrade', install that package, manage its configuration file using puppet, and monitor available updates using a monitoring solution such as Nagios.

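The setup Tozz describes (packages at 'ensure => installed', the unattended-upgrades package and its configuration file managed by Puppet, and a Nagios check for updates that still need a human), written out as a Puppet class. This is an added example, not code from the answer or from any Puppet module; the class name `profile::patching`, the sample package list, and the NRPE command path are assumptions, while the apt file paths and the `check_apt` plugin from monitoring-plugins are the stock ones on Debian/Ubuntu.

```puppet
# Added example, not from the original answer. Assumes Debian/Ubuntu.
# Class name, package list and NRPE path are illustrative assumptions.
class profile::patching (
  # Constructed sample list; real profiles would source this from Hiera.
  Array[String] $packages = ['nginx', 'openssh-server'],
) {
  # Application packages: no version pinning, just make sure they exist.
  # Keeping them at 'installed' avoids an 'apt-get update' on every run.
  package { $packages:
    ensure => installed,
  }

  # The tool that actually applies updates between Puppet runs.
  package { 'unattended-upgrades':
    ensure => installed,
  }

  # Restrict automatic installs to the security pocket so that feature
  # upgrades still wait for a person. Non-interpolating heredoc (@(CONF))
  # keeps ${distro_codename} literal for apt to expand, not Puppet.
  file { '/etc/apt/apt.conf.d/50unattended-upgrades':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(CONF),
      Unattended-Upgrade::Origins-Pattern {
          "origin=Debian,codename=${distro_codename},label=Debian-Security";
          "origin=Ubuntu,archive=${distro_codename}-security";
      };
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Automatic-Reboot "false";
      | CONF
    require => Package['unattended-upgrades'],
  }

  # Turn the daily apt timer on; without this the config above is inert.
  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => @(CONF),
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
      | CONF
    require => Package['unattended-upgrades'],
  }

  # Monitoring side: expose check_apt over NRPE so Nagios raises an alert
  # when updates remain pending (those unattended-upgrades could not apply).
  # /etc/nagios/nrpe.d is assumed to be an include directory of your NRPE.
  package { ['nagios-nrpe-server', 'monitoring-plugins-basic']:
    ensure => installed,
  }

  file { '/etc/nagios/nrpe.d/check_apt.cfg':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "command[check_apt]=/usr/lib/nagios/plugins/check_apt\n",
    require => Package['nagios-nrpe-server'],
    notify  => Service['nagios-nrpe-server'],
  }

  service { 'nagios-nrpe-server':
    ensure => running,
    enable => true,
  }
}
```

With this in place, Puppet converges the packages and the patching policy, the apt timer installs security updates on its own, and the Nagios side reports the cases where something still needs a human, which is exactly the division of labour the answer recommends.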




Seen: 263 times

Last updated: Jun 27 '17