ADEO Tech Blog

Discover tech life at ADEO throughout our expert’s stories and our products. This is how we act to make home a positive place to live.

Patch Management: The essentials for secure and efficient servers.


Patch management is an essential process in server administration to ensure security and stability. It involves the management and application of updates, also known as “patches”, which correct security flaws, fix bugs or improve system performance.

Following the opening up of the service offering for server deployment in the cloud, we decided, for some years, to use the managed services of cloud providers to carry out our operations.
However, cloud providers’ solutions may not always meet our needs, and bring with them a number of technical limitations (installation parameters / package exclusion, repo exclusion, supervision, server timezones, etc.).

We also encounter the problem of not being able to support all OSs (e.g. on Azure, which doesn’t support OSs that don’t have publisher support, such as Debian and Rocky Linux).

To address these limitations, we decided to upgrade our patch management solution, “Linux Maintenance Plan”, bringing a few new features to our users.

Linux Maintenance Plan:

Linux Maintenance Plan is an in-house-developed patch management solution based on:

  • PHP, JavaScript, AJAX for the frontend
  • Bash, Python for the backend
  • Flaskit framework (Flask + Adeo overlay) for the API
  • Golang for the agent deployed on servers

To date, here is the number of servers managed by LMP for patch management:

  • 5300 on-premises servers for the France and South Africa datacenters
  • 2300 servers on GCP
  • 80 servers on GCVE (Google Cloud VMware Engine)

Today, the Linux Maintenance Plan supports these OS versions:

  • CentOS 6 / 7
  • Red Hat 5 / 6 / 7 / 8 / 9
  • Rocky Linux 8 / 9
  • Ubuntu 24.04 (POC in progress)

Here are the latest developments:

About system packages on repositories:

  • We’re moving to a centralized repo solution (JFrog Artifactory) that will be accessible from any datacenter / Cloud Provider in order to control package versions and installations, instead of a vendor solution (Red Hat Satellite).

About the backend of Linux Maintenance Plan:

  • We offer pre/post patch management email notifications.
  • We provide users with the ability to patch in the server timezone.
  • We have adapted our API to meet the needs of our users.

About the frontend:

  • Improved user interface ergonomics.
  • More relevant and direct information (IP, server owners, server timezone).

About the agent deployed on servers:

  • We have developed an agent to be installed on servers that will trigger patch management on any type of OS by consuming the corresponding APIs.
  • The agent can override the patch management schedule so that patching can be triggered quickly.
  • The agent retrieves the configuration and overwrites it if it has been changed on the server (as Puppet does).

Solution architecture:

  • Switch from monolithic architecture to microservices to make the solution Cloud Native.

Here’s a small diagram showing the architecture:

These developments will make it easier for us to follow our Cloud Agnostic and Open Source first approach!

Conclusion:

In short, patch management is an essential pillar in guaranteeing the security and stability of your servers, particularly in a world where threats are constantly evolving and the cloud is making infrastructure management more complex. Whether by automating updates, adapting your processes to the cloud, or adopting a proactive approach, effective patch management will enable you to remain calm in the face of vulnerabilities.
It’s crucial to implement a rigorous, well-planned patch management strategy that respects test and production environments.

So remember: Patch & Chill: Secure, Update, Sleep easy!

With good patch management, you can keep your systems up to date and focus on what really matters, without stress.


Published in ADEO Tech Blog


Franck Reant