Confessions of a Patchaholic

Exception Management

For reasons stated earlier, some systems won’t allow themselves to be patched with an automated tool because of security, legacy tools, service exceptions, or unknown reasons. Short of re-imaging these troubled systems, you’ll have to patch them manually for the entirety of their life cycles. You’ll probably spend as much time performing manual patches as you do automated ones. Plan for it.

To say that managing patches in a complex, multilocation, multiplatform, diverse-operating-system, security-enhanced network is difficult is an understatement of the magnitude of the task facing system administrators. And, it isn’t just security patches you have to worry about. Firmware, BIOS, and drivers are part of the mix, adding a special level of complexity to your job because you’ll need physical access or Integrated Lights-Out connectivity to apply them.

In the Toolbox

It’s time to look into the patch management system possibilities. Not every available software program is listed here, but these three are worth further exploration. I personally have experience with all three of these systems and have used them over the past 12 years in large, complex environments.

VMware Update Manager

For VMware virtual data centers and VMware shops, you might never find a better tool for patch management than VMware’s own Update Manager (VUM). With it, you can patch and update your ESX hosts and your Windows and Linux virtual machines (VMs). It uses a simple three-step patch management process:

  1. Baseline creation
  2. Compliance scan
  3. Remediation

Using profiles, you can establish compliance baselines that VI Center uses to update data centers, hosts, clusters, VMs, or groups. Once you’ve created a baseline for your systems, you scan them to compare that baseline to the compliance database for patches and updates that need to be installed. The remediation phase prepares the systems, applies the patches, and reboots the systems if necessary.

Scanning and remediating systems can take a very long time, so it is best to separate systems into logical groups for patching. Remember that part of the host remediation process requires migration (VMotion) of VMs from the target host to other hosts. Adherence to narrow maintenance windows is often a sketchy process and may require a phased or multi-night schedule to complete.
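The three steps above, driven from VMware PowerCLI rather than the VI Center GUI, as an added example that is not from the article. It attaches a predefined host-patch baseline to a cluster, then scans and remediates the hosts a few at a time so each pass fits a maintenance window and the cluster keeps enough capacity for VMotion evacuation. The cmdlet names are those of the PowerCLI Update Manager module (confirm them against your PowerCLI version); the vCenter name, cluster name, and group size are assumed placeholders.

```powershell
# Added example (not from the article): walks the VUM steps described above --
# baseline, compliance scan, remediation -- with PowerCLI's Update Manager
# cmdlets, one host group at a time. Cmdlet names are from the
# VMware.VumAutomation module; check them against your PowerCLI version.
# The vCenter name, cluster name, and group size below are assumed values.

param(
    [string]$VCenter   = 'vcenter.example.internal',  # assumed vCenter name
    [string]$Cluster   = 'Prod-Cluster-01',           # assumed cluster name
    [int]   $GroupSize = 2                            # hosts remediated per pass
)

Connect-VIServer -Server $VCenter | Out-Null

# Step 1: baseline creation. The predefined critical-patch baseline is reused
# here; New-PatchBaseline would build a custom one from selected patches.
$baseline = Get-Baseline -Name 'Critical Host Patches (Predefined)' -TargetType Host
$hosts    = Get-Cluster -Name $Cluster | Get-VMHost | Sort-Object Name
Attach-Baseline -Entity $hosts -Baseline $baseline -Confirm:$false

# Split the hosts into small logical groups so a pass that overruns its
# maintenance window only affects a few hosts, and the rest of the cluster
# can absorb the VMs migrated off the hosts being remediated.
for ($i = 0; $i -lt $hosts.Count; $i += $GroupSize) {
    $end   = [Math]::Min($i + $GroupSize - 1, $hosts.Count - 1)
    $group = $hosts[$i..$end]

    # Step 2: compliance scan of the group against the attached baseline.
    Scan-Inventory -Entity $group -UpdateType HostPatch | Out-Null
    $nonCompliant = Get-Compliance -Entity $group -Baseline $baseline |
        Where-Object { $_.Status -ne 'Compliant' } |
        ForEach-Object { $_.Entity }

    if (-not $nonCompliant) {
        Write-Host "Group $([int]($i / $GroupSize) + 1): all hosts compliant, skipping"
        continue
    }

    # Step 3: remediation. VUM puts each host into maintenance mode (migrating
    # its VMs away), installs the patches, and reboots if required. Retrying
    # covers a transient maintenance-mode failure instead of aborting the pass.
    Remediate-Inventory -Entity $nonCompliant -Baseline $baseline `
        -HostFailureAction Retry -HostNumberOfRetries 2 `
        -HostDisableMediaDevices $true -Confirm:$false | Out-Null

    # Re-scan so the compliance record reflects the post-remediation state.
    Scan-Inventory -Entity $nonCompliant -UpdateType HostPatch | Out-Null
    Get-Compliance -Entity $nonCompliant -Baseline $baseline |
        Select-Object @{n = 'Host'; e = { $_.Entity.Name }}, Status |
        Format-Table -AutoSize
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a PowerCLI session with an account that holds Update Manager privileges on the target cluster; the post-remediation compliance table is what you keep as evidence that the maintenance window actually delivered the patches.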

But, what if your data center contains systems of both the virtual and physical types? IT managers who want to use a single tool for all systems won’t be able to use VUM. Whatever tool or tools you decide to use for your virtual or mixed data center, you should allow ESX updates to occur via VUM.

The primary upside to VUM is that it’s a VMware product, and VMware knows its own products better than anyone else. The significant downside to VUM is that it requires the VUM server to have Internet access.

HP Server Automation

HP’s Server Automation (HPSA) software (f.k.a. Opsware) takes care of patch and update management for any system for which there is a client or agent, physical or virtual. Because it is agent-based, HPSA requires that firewall access for its TCP communications ports be open between the HPSA server and the agents. HPSA integrates with Microsoft Patch Network and Red Hat Network.

However, HPSA is much more than a patch management solution: It is a software suite that can manage everything from operating system provisioning to database automation to integration with network automation, storage, and applications.

HPSA’s upsides as an enterprise system management suite are its customizability and extensibility. A potential downside for large networks is the requirement for satellite HPSA servers to improve performance for systems remotely located from the primary HPSA servers.

IBM Tivoli Endpoint Manager

Like HPSA, Tivoli Endpoint Manager (TEM) is more than a patch management solution. It is agent-based and supports a variety of operating systems and platforms. TEM is far less complex than its predecessor, IBM Tivoli Framework, which required a large number of physical and human resources to operate and maintain. TEM requires very little of either.

TEM supports both physical and virtual systems as endpoints. An endpoint is any system onto which the TEM agent is installed. The agent requires two-way network communications with the TEM server.

The upside to TEM is its ability to manage and monitor thousands of endpoints. TEM’s downside is its expense (~US$ 40 per device). And, for greater efficiency, you might need satellite or relay TEM servers.
