
automatic security updates

Open ltalirz opened this issue 1 year ago • 1 comments

In what area(s)?

/area administration /area ansible /area autoscaling /area configuration /area cyclecloud /area documentation /area image /area job-scheduling /area monitoring /area ood /area remote-visualization /area user-management

Describe the feature

Many playbooks currently contain a task

  - name: update packages for security
    become: true
    yum:
      name: '*'
      state: latest
      exclude: cyclecloud*

Not only does this task slow down the playbooks, it also does not keep the systems up to date when you are not running playbooks.

There are Ansible roles for this, such as https://github.com/geerlingguy/ansible-role-security, that will install cron jobs (yum-cron for RHEL-based, unattended-upgrades for Debian-based systems) that periodically install security patches (and only security patches) to keep the VMs up to date at all times. I believe we should use them.

ltalirz avatar Jun 07 '23 23:06 ltalirz

I think it would probably be easier to do our own cron instead of relying on another repo. In the end it's just a cron running yum with security updates. Best would be to rely on the Azure platform for managing security updates globally, see #1413. The issue with Azure update is that it only supports a specific list of marketplace images and not custom images.

xpillons avatar Jun 08 '23 10:06 xpillons
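
The "own cron running yum with security updates" option discussed in this thread, sketched as an added example (not code from az-hop or from either commenter). It assumes RHEL-family hosts with yum and cronie; the play name, variable names, cron file name and log path are hypothetical.

```yaml
# Added example: replaces the per-playbook "update packages for security"
# task with a nightly, security-only update job installed once per host.
- name: Schedule unattended security updates
  hosts: all
  become: true
  vars:
    # Hypothetical variables, introduced for this example only.
    security_update_exclude: "cyclecloud*"   # same exclusion as the existing task
    security_update_log: /var/log/yum-security-cron.log
  tasks:
    - name: Ensure cron is installed
      ansible.builtin.yum:
        name: cronie
        state: present

    - name: Ensure crond is enabled and running
      ansible.builtin.service:
        name: crond
        state: started
        enabled: true

    - name: Install nightly security-only update job in /etc/cron.d
      ansible.builtin.cron:
        name: "yum security updates"
        cron_file: yum-security-updates
        user: root
        # Seeded random minute: stable per host, spreads load across the cluster.
        minute: "{{ 60 | random(seed=inventory_hostname) }}"
        hour: "3"
        job: >-
          /usr/bin/yum -y -q update --security
          --exclude='{{ security_update_exclude }}'
          >> {{ security_update_log }} 2>&1

    # --security only selects packages when the enabled repositories publish
    # updateinfo (errata) metadata. Without it the job runs but applies nothing,
    # so list what yum currently classifies as security advisories.
    - name: List pending security advisories
      ansible.builtin.command: yum -q updateinfo list security
      register: security_advisories
      changed_when: false

    - name: Show pending security advisories
      ansible.builtin.debug:
        var: security_advisories.stdout_lines
```

If the advisory list stays empty on a host that is known to be behind on patches, check whether the repositories of that image ship errata metadata before relying on this job.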