Install Windows updates using Chef

Hi,

Does anyone have or know of any code that allows the installing of windows
updates using Chef?

Kind regards

Sean.

We use https://supermarket.chef.io/cookbooks/wsus-client


Chef is great for configuring Windows update settings (with the below mentioned cookbook). I wouldn’t look to use Chef to manage all the updates being applied to a box. That’s the point of Windows Server Update Services (WSUS), which provides better reporting and dealing with rollups, superseded and expired updates.

Steve

Steven Murawski
Community Software Development Engineer @ Chef
Microsoft MVP - PowerShell
http://stevenmurawski.com

On June 16, 2015 at 12:34:24 AM, Maxime Brugidou (maxime.brugidou@gmail.com) wrote:

We use https://supermarket.chef.io/cookbooks/wsus-client

Agreed, we set up our WSUS servers with Chef too using the sibling
wsus-server cookbook.
On Jun 16, 2015 7:52 PM, "Steven Murawski" steven.murawski@gmail.com
wrote:

Chef is great for configuring Windows update settings (with the below
mentioned cookbook). I wouldn't look to use Chef to manage all the updates
being applied to a box. That's the point of Windows Server Update Services
(WSUS), which provides better reporting and dealing with rollups,
superseded and expired updates.

@Steven_Murawski We’re trying to roll out a new toolchain based heavily on Chef, and the Windows update process is a hot topic of current debate. We’re trying to think through which tool will be responsible for which job. Our current workflow is highly manual and leverages SCCM and System Center for rolling out patches. The team that manages this also manages the update of VM templates in our VMWare infrastructure. Once a month a bunch of stuff happens on our live pets and VM templates, and it’s largely a conceptual black box to the rest of the company.

In the new world we’re envisioning, template build-out will be handled as a scheduled job automated by Packer (using boxstarter, getting these templates into a fully updated state is fairly easy). Chef cookbook development would be distributed to the teams, and development would be done on local hypervisors with Test Kitchen being the driving force. Once committed into our CI pipeline, integration testing would occur with environments provisioned on vSphere using the templates built by Packer.

The issue we’ve witnessed is that Windows Features, Windows Updates and things like .NET version are all intermingled. In other words, after installing additional Windows Features, more updates are needed. A .NET version installed tomorrow via Chef might conflict with Updates and vice versa. The typical rolling cycle is that the latest .NET version is an out-of-band install, but the next OS version will have it available as a native Feature.

We’re trying to get out of a manual process and move towards a true CD pipeline managed by version-controlled artifacts. I’m struggling to see how to decouple Windows Updates from Windows Features and .NET versions, and where the right place is for Chef to take ownership. I see the potential pain for Chef owning all of this, but the incestuous nature of these things feels like Chef can’t own any of it. That seems to create a snowball effect that makes using Packer and having production-like boxes to use in Test Kitchen harder and harder. Or do we try to jam SCCM processing and patching into our Packer build process?

Any guidance would be appreciated.

@kbrowns there are two workflows you’ve described:

  • Building a golden image with Packer
  • Maintaining running systems

For building an image, Chef can totally handle forcing Windows Update runs, and that makes sense.

Managing individual patches on running infrastructure is another thing altogether. In that case, you want to manage the Windows Update client and use WSUS for reporting and whitelisting patches to groups of servers. Otherwise, you would need to build into Chef recipes a way to store each patch applied, identify superseded patches, etc… That’s not what Chef is intended to do and would add way more processing to each Chef run than you want.
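As an added illustration of the split Steve describes (Chef owns the Windows Update client configuration, WSUS owns which patches go to which group), here is a Ruby audit script. It is not from this thread and not part of the wsus-client cookbook. It parses `reg query <key> /s` output for the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its AU subkey (the values the Windows Update client reads and that Group Policy or a cookbook writes) and flags settings that undermine the intended workflow: a WSUS URL over plain HTTP (update metadata can be tampered with in transit, so use HTTPS), automatic updates switched off, an AUOptions value that still depends on a human, or a target group enabled but left empty. The two registry dumps are constructed samples and the server names are placeholders; the rule set is my own, not anything the cookbook enforces.

```ruby
# Added example, not from the thread or the wsus-client cookbook: audit the
# Windows Update policy values that Chef or Group Policy writes on a node,
# as captured by `reg query <key> /s`. Runs offline on the samples below.
require 'uri'

POLICY_KEY = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
AU_KEY     = "#{POLICY_KEY}\\AU"

# Documented AUOptions values for the AU policy key.
AU_OPTIONS = {
  2 => 'notify before download',
  3 => 'auto download, notify before install',
  4 => 'auto download and schedule install',
  5 => 'local admin chooses the setting',
}.freeze

# Constructed sample: a node pointed at WSUS over plain HTTP, with a target
# group switched on but never named, and installs left to a human.
SAMPLE_REG_OUTPUT = <<~REG
  #{POLICY_KEY}
      WUServer    REG_SZ    http://wsus.example.internal:8530
      WUStatusServer    REG_SZ    http://wsus.example.internal:8530
      TargetGroupEnabled    REG_DWORD    0x1

  #{AU_KEY}
      UseWUServer    REG_DWORD    0x1
      NoAutoUpdate    REG_DWORD    0x0
      AUOptions    REG_DWORD    0x3
      ScheduledInstallDay    REG_DWORD    0x0
      ScheduledInstallTime    REG_DWORD    0x3
REG

# Constructed sample: the same node after the policy is corrected.
HARDENED_REG_OUTPUT = <<~REG
  #{POLICY_KEY}
      WUServer    REG_SZ    https://wsus.example.internal:8531
      WUStatusServer    REG_SZ    https://wsus.example.internal:8531
      TargetGroupEnabled    REG_DWORD    0x1
      TargetGroup    REG_SZ    web-servers

  #{AU_KEY}
      UseWUServer    REG_DWORD    0x1
      NoAutoUpdate    REG_DWORD    0x0
      AUOptions    REG_DWORD    0x4
      ScheduledInstallDay    REG_DWORD    0x0
      ScheduledInstallTime    REG_DWORD    0x3
REG

# Parse reg query output into { key_path => { value_name => value } }.
# REG_DWORD data ("0x1") becomes an Integer; everything else stays a String.
def parse_reg_query(text)
  keys = {}
  current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line.start_with?('HKEY_')
      current = line
      keys[current] = {}
    elsif current && (m = line.match(/\A\s+(\S+)\s+(REG_\w+)\s*(.*)\z/))
      name, type, data = m.captures
      keys[current][name] = type == 'REG_DWORD' ? Integer(data) : data
    end
  end
  keys
end

# Return a list of human-readable findings; an empty list means the policy
# matches the intended "client configured, WSUS decides" model.
def audit_wsus_policy(text)
  keys = parse_reg_query(text)
  wu = keys.fetch(POLICY_KEY, {})
  au = keys.fetch(AU_KEY, {})
  findings = []

  if au['UseWUServer'] == 1
    if wu['WUServer'].to_s.empty?
      findings << 'UseWUServer=1 but WUServer is not set; the client has no server to contact'
    else
      %w[WUServer WUStatusServer].each do |name|
        url = wu[name].to_s
        next if url.empty?
        scheme = URI.parse(url).scheme
        findings << "#{name} uses #{scheme}, not https" unless scheme == 'https'
      end
    end
  else
    findings << 'UseWUServer is not 1; the client will use Microsoft Update, not WSUS'
  end

  findings << 'NoAutoUpdate=1 disables automatic updates' if au['NoAutoUpdate'] == 1

  opt = au['AUOptions']
  if !AU_OPTIONS.key?(opt)
    findings << "AUOptions=#{opt.inspect} is not a valid value (2-5)"
  elsif opt != 4
    findings << "AUOptions=#{opt} (#{AU_OPTIONS[opt]}) is not a scheduled install"
  end

  if wu['TargetGroupEnabled'] == 1 && wu['TargetGroup'].to_s.empty?
    findings << 'TargetGroupEnabled=1 but TargetGroup is empty; WSUS cannot scope approvals'
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  puts audit_wsus_policy(SAMPLE_REG_OUTPUT)
end
```

On a real node the input would be the output of `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s`; the same checks could be expressed as Test Kitchen verifier tests so a cookbook change that drifts these values fails before it reaches a live box.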