Taming WSUS with Ansible, and not only
So, it is time to introduce Windows updates to the world of open source. In this article we brighten up the administrator's life by integrating Ansible with every possible source of updates for Windows machines. Although the system's capabilities go far beyond simply rolling out updates to servers and workstations, one has to start somewhere.
Along the way we get rid of some of the annoying inconveniences of WSUS, if you prefer the "old school" approach.
What we don't like about WSUS
I will not describe setting up Windows Server Update Services, since it is trivial. Let us focus on the drawbacks instead.
The WSUS interface has remained almost unchanged throughout history.
No installation on demand. For routine work WSUS fits well: updates are quietly downloaded and installed over the local network when computers are switched on or off. But if you need to install security patches urgently, you have to resort to scripts and to some way of running those scripts. Our article "1000++ ways to run commands on a remote computer" can help here.
No built-in way to install updates for third-party software. If there is an update server, it seems reasonable to use it not only for Microsoft software but for other products too. For example, vulnerabilities in the recently mentioned Adobe Flash Player appear with enviable regularity, and I would also like to please users with new Firefox features. To deliver such updates via WSUS you have to use third-party solutions like WSUS Package Publisher. See the sample settings in the article "Installing any software using WSUS - 2".
Use of the built-in Windows database. With a standard installation, WSUS uses WID, the Windows Internal Database. In essence this is a small embedded SQL Server with a database. In case of problems or conflicts, for example when the Remote Desktop Connection Broker and WSUS share one server, you have to repair this database, set up access rights and generally have all kinds of fun. Backups would not hurt either. Fortunately, WSUS can use a full SQL Server. To migrate the WSUS database you can follow Microsoft's instructions "Migrating the WSUS Database from WID to SQL".
Need for maintenance and non-obvious troubleshooting of failed clients. As happens with Microsoft products, sooner or later WSUS starts to slow down: clients cannot check in for a long time and cannot download updates. A collection of tips and optimizations is in the article "Accelerating the work of WSUS" and in the comments to it.
Of course, you can live with these drawbacks, but you can make your life easier with other tools, used either together with WSUS or without it.
Install updates using Ansible
Virtually any configuration management system can simplify working with updates. Let us look at an Ansible-based example of installing updates on demand.
I have not the slightest desire to start a holy war over which of the free systems is better: Ansible, Chef, Puppet or even Salt. Ansible was chosen because it needs no agents and is easy to set up. And, of course, because of Python: this language is much easier for a beginner automator to learn than Ruby.
It should be noted that, besides solving the task at hand, this is a good opportunity to get acquainted with how such systems work. Unless, of course, you have already had your fun installing Streisand, especially when something went wrong along the way. And if you already use Ansible or other fashionable solutions, installing updates will be easy. For the basics of Ansible I recommend the article "Manual on Ansible"; below are step-by-step instructions for working with updates.
To begin, let us prepare the Ansible server. Practically any GNU/Linux distribution will do, but I will give example commands for Ubuntu Server (for historical reasons).
First, install the package manager for Python applications:
apt-get install python-pip
pip install --upgrade pip
pip install --upgrade virtualenv
Then we need to install the pywinrm package, which is used to connect to Windows systems, and Ansible itself:
sudo pip install pywinrm
sudo pip install ansible
You can check the installation with the command ansible --version .
Check installation.
Instead of pywinrm, you can use any other tool for controlling Windows from a Linux machine. Some of them are covered in the article "Cross-pollination: manage Linux from under Windows, and vice versa".
Now you need to allow connections to Windows via WinRM. There is a ready-made ConfigureRemotingForAnsible.ps1 script for this on GitHub, and you already know how to run scripts on remote machines. Keep in mind that by default the script enables Basic authentication and generates a self-signed HTTPS certificate, so on production hosts it is worth disabling Basic auth (the script has a switch for that) and relying on domain authentication instead.
You can check the connection to Windows with the command:
ansible windows -m win_ping
Connection check successful.
Now we can start creating a playbook. Life is made easier by the fact that the Ansible developers have already thought of this and made the win_updates module for exactly such tasks.
A playbook is an "instruction" that tells the configuration management system what to do, step by step of course.
Any playbook is a file in yml format and is a set of directives; each module has its own. The win_updates module accepts the following directives (default values are marked):
Title | Value | Description |
category_names | Application, Connectors, CriticalUpdates (default), DefinitionUpdates, DeveloperKits, FeaturePacks, Guidance, SecurityUpdates (default), ServicePacks, Tools, UpdateRollups (default), Updates | The categories of updates to consider. |
whitelist | Update number or name pattern | The number of an update to install, of the form KB01234, or a name pattern in the form of a PowerShell regular expression. |
blacklist | Update number or name pattern | The number of an update that must not be installed, of the form KB01234, or a name pattern in the form of a PowerShell regular expression. |
reboot | yes, no (default) | Whether to reboot after the update if required. |
reboot_timeout | seconds, 1200 (default) | How long to wait for the machine to come back after a reboot. |
state | installed (default), searched | Whether to install the updates or only search for them. |
log_path | path to a file | Installation log; the folder must already exist. |
Thus, the following playbook will do for installing specific updates:
- name: Install specific updates based on the KBs for those updates
  win_updates:
    category_names:
      - SecurityUpdates
    whitelist:
      - KB4073819
      - KB4074228
And if you only need to count how many updates are missing, the playbook will look like this:
- name: Check for missing updates
  win_updates: state=searched
  register: update_count
To install all available updates with a subsequent reboot, the playbook is similar:
- name: Install all critical and security updates
  win_updates:
    category_names:
      - CriticalUpdates
      - SecurityUpdates
      - UpdateRollups
    state: installed
  register: update_result
- name: Reboot host if required
  win_reboot:
  when: update_result.reboot_required
I recall that to work with a list of servers you will need an inventory file. For example:
[DCs]
dc1.mydomain.local
dc2.mydomain.local
[AppServers]
app1.mydomain.local
app2.mydomain.local
[DBServers]
db1.mydomain.local
db2.mydomain.local
And now, to install updates only on the domain controllers, you can use this playbook:
- hosts: DCs
  tasks:
    - name: Choose which Windows updates to install
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
          - UpdateRollups
The command that performs all these operations is:
ansible-playbook -i inventory.yml -s windowsupdates.yml
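A fuller playbook that ties the directives from the table together, added here as an example and not taken from the article: it first audits the AppServers group from the inventory above (that group name is assumed), reports how many updates each host lacks, then installs them one host at a time while excluding a placeholder KB, writes a log and reboots only when the installer asks for it.

```yaml
# Added example, not the article's own playbook. Assumes the AppServers group
# from the inventory above and that C:\ exists for the log file on the targets.
- hosts: AppServers
  serial: 1                         # patch one application server at a time
  tasks:
    - name: Search for missing security and critical updates (no install)
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        state: searched
      register: missing

    - name: Report what is missing on each host
      debug:
        msg: "{{ inventory_hostname }}: {{ missing.found_update_count }} update(s) missing"

    - name: Install the missing updates, skipping a known-problematic KB
      win_updates:
        category_names:
          - SecurityUpdates
          - CriticalUpdates
        blacklist:
          - KB0000000                 # placeholder KB to exclude; replace with a real one
        log_path: C:\ansible_updates.log   # the folder must exist on the target
      register: result
      when: missing.found_update_count > 0

    - name: Reboot only if the installer asked for it, wait up to 20 minutes
      win_reboot:
        reboot_timeout: 1200
      when: result.reboot_required | default(false)
```

The `default(false)` filter matters because when the install task is skipped the registered `result` has no `reboot_required` key and the reboot task would otherwise fail.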
The attentive reader may ask where the updates are downloaded from. The source will be whichever one is configured on the computer, be it Windows Update on the Internet or a local WSUS. Even if you have not got around to setting up WSUS, you can still issue a command to install the urgent updates you need, especially if the "Lego Circuits" have already started falling out.
It remains to add that Ansible is not the only option. For example, for the Chef configuration management system you can use the Wsus Client Cookbook or the more advanced boxstarter. Similar modules exist for Puppet. In general, almost any configuration management system can do something similar, including MS SCCM.
Finally, I will mention a few more tools that caught my interest.
Other systems and solutions
WSUS Offline. A program that lets you download the necessary updates as a single package which, if needed, can be packed into an ISO. You can also place the package in a network share and install the updates with scripts, without deploying a full WSUS.
Comodo Patch Management. A system for installing updates for Windows and other software. Unlike the other solutions here, it is free.
Interface Comodo Patch Management.
OPSI. A free and interesting system that supports installing not only updates but also operating systems, along with inventory.
BatchPatch. The only paid system in this list. It lets you install software, update it as well as Windows, and much more. It stands out for its old-school design and for its pricing: not by the number of managed hosts but by the number of program users, that is, administrators. It is perhaps one of the few solutions that positions itself as an analogue of WSUS. Prices start at $400.
BatchPatch interface.
Share your favorite tools for working with updates, and more, in the comments.