No one likes OS patching, but it is undeniably necessary. Whether your organization runs Windows, Red Hat or Ubuntu...
servers, there are tools and techniques that make these updates a joy -- or at least less of a chore.
In a relatively large server farm, OS patching is a combination of technical planning, personnel and process management.
Technical plans should cover compliance, accuracy and routines -- especially for when things go wrong. Compliance falls squarely on the shoulders of the OS admin in highly regulated environments, so manage patches carefully within compliance rules. One of the biggest dangers is that a patch bundle ends up on the wrong destination server. The last thing the administrator wants is servers with different updates or revisions of updates, so use standardized patch sets. Have a documented routine for OS patching that starts with the lowest importance servers through to the most important. Without a doubt, some servers will break down when patched. When something goes wrong, have a plan to remediate the issue.
Management is equally important to the OS patching process. Keep everyone informed. Use change management. Plan the upgrade, and get approval from the key people. If things do go wrong, this initial due diligence will pay off in postmortem meetings. Don't blindly apply patches because the patches came out. What does each patch do? Does your server need it? How dangerous are the side effects, such as changes to unknown dependencies?
OS administrators for server and cloud deployments rarely work with just one OS. Even majority-Windows shops run a few Linux servers. In majority Linux shops, some workloads use Red Hat Enterprise Linux (RHEL); however, others might do fine without professional support on the free CentOS distributions. And still others sit atop Ubuntu in a private cloud.
Patch Windows Server with tool support
Windows patch management has been changing. Microsoft Systems Center Configuration Manager (SCCM) tools deploy patches automatically, manage machines and enable patch self-service, if the administrator desires.
Patching Windows servers and desktops manually is not practical; any administrator wanting to upgrade Windows needs to get on the case with SCCM or similar tools. There are also third-party Windows patch management tools, such as IBM BigFix Patch for large environments.
Administrators with established OS patching habits find themselves in a bind now that Microsoft changed to a constantly evolving model of Windows OSes. Large-scale, big-change updates have to be flawless. For administrators patching device OSes, there's an added layer of difficulty: A lot of Windows devices are employee-owned, so patching cannot have any negative effect on the user's machine.
Try Satellite on RHEL servers
RHEL patch management at scale is based on Red Hat's commercial Satellite tool. OS patching with Satellite involves a web interface rather than the command line that Linux admins are used to.
Satellite has complete lifecycle management, which goes beyond just patch support. Satellite can deploy, maintain and retire machines.
It also supports multi-tenancy, so the administrator can split out infrastructure into separate entities that only certain users can see, where the patch bundle has to be X or Y. Production can be separate and use only patch bundle A or B. Satellite Capsule Server is a way to scale up the tool's use across multiple locations.
Satellite comes with a set of best practices, which is Red Hat's push for Linux admins to do things in a certain prescribed way. Administrators skilled in Satellite patching and lifecycle management will come up to speed quickly on a new deployment or at a new organization. As long as the employer follows RHEL's best practices, the only difference is the patch configuration and machines.
With Satellite, a RHEL admin can perform quality assurance on patches. As the patch or patch set is successfully applied to a growing number of servers, Satellite views the patch as increasingly mature, giving it a higher level of trust.
Patch Ubuntu via creative tool features
Ubuntu patch management takes two forms: classic and commercial.
Ubuntu server administrators can use the apt-get package management command-line utility with appropriate internal update repositories. This approach works with most Linux servers.
The Ubuntu Landscape tool is a more useful OS patching approach. Users can group servers by function, deploy and roll back patches if needed, visually manage and deploy the updates and build patch profiles per machine or per groups of machines.
To experiment with Landscape, organizations can access the free version, which is limited to 10 machines.
Like Satellite for Red Hat, Landscape goes beyond a patch management system to offer complete lifecycle management of Ubuntu machines. It can deploy and also decommission servers as needed.
Third-party vendors provide patch management options for Linux and Windows. They might fit your organization's needs. However, these tools tend to add a layer of complexity to server management and erase some fine-grained control that the vendor-native OS patch management products supply.
OS patching is never fun, but there are definitely right and wrong ways to go about it. If your company doesn't have an approved methodology, develop one. It will make it easier to plan, execute and manage patches using an appropriate process.
Change management sounds easy -- it isn't
Windows cancelled February's Patch Tuesday
Java patching is a futile effort for security's sake