Monitoring Linux servers and desktops?

I'm trying to work out an easier way to keep a bunch of Linux boxes up to date. Roughly 10-15. Mostly Debian, but a couple of others too. Currently, most are done with ClusterSSH, and the remaining ones are done individually.

I think what I want is something that can list which machines need updating, and let me push a button to say to do it... Is there something (free & open) like that?

I did start trying to get my head around puppet, but it seemed like overkill for this task. Am I wrong in thinking that?

 

Puppet is the correct answer.

 

There I fixed that for you.

Salt Stack
Chef
Ansible
<add any number of other automation scripting/deployment systems>

What about monitoring?
Nagios
Munin
Ganglia
Zenoss
<heaps of others>

 

I wouldn't call this "monitoring". You're after patch management.

RedHat/CentOS/ScientificLinux/Fedora has "Spacewalk", which is the open source project that backs their commercial "RedHat Satellite":
http://spacewalk.redhat.com/
https://www.redhat.com/en/technologies/management/satellite

Ubuntu has their commercial-only "Landscape":
https://landscape.canonical.com/

These are all more akin to how patch management is done in Windows, with manual approvals and whatnot.

Alternatively, as others have mentioned, you can set up any number of management tools (Puppet/CFEngine/Chef/Ansible), and just tell them to keep packages up to date. If you stick to any sort of LTS distro, they won't upgrade to a new distro, but stay patched within an existing one.

We run Kubuntu LTS desktops, and a mix of Ubuntu LTS and CentOS servers. We use Puppet to keep them all under control, and tell it to keep packages up to date. I know some people still live in this legacy world of wanting to delay packages, but we don't. We subscribe to the same philosophy as places like the US Navy and DoD: better to have an outage from a bad patch, than to have an outage from a compromised system. The impact of the former is to roll back. The impact of the latter can be catastrophic if you can't tell what else on your network the compromise has given people access to.

 

Awesome... I'd come across almost every name you guys have listed, but at least now I know I'm coming across all the right things

I guess I just need to sit down and start trying stuff out. Hopefully I don't go too crazy

 

Dumb question. Could you go old-school with Cron-jo that pulls data locally approved apt-get mirror?

Windows. You have SCCM and other tools like PDQ inventory/deploy

 

You could, but you'd be reinventing the wheel. What happens when you add some Redhat boxes? How are you notified when updates fail? Configuration management has already solved these problems, as well as other problems we've not even considered.

 

the answer is Puppet and Spacewalk/Satellite

add Nagios/Zabbix for monitoring and reporting and walk away

 

APT and YUM both have config available for them to do this for you on a per-machine basis. No cron job required (but you can, if you want to).

Doing it via Puppet (or any other configuration management tool) means you're centralising the management, and not having to drop scripts on a dozen machines all the time (and every time you rebuild something). This is the smarter way, even for 10 machines.

The thing about Puppet is you start small and incremental. You put package/patch management in there. Then you decide you need to drop a few handy scripts on machines, update some auth settings, tell them all to point to a different time server or monitoring box, etc, etc, and before you know it you've got a few hundred lines of configuration that are all managed in one place, and make your deployment and/or management time a fraction of what it would be without.

And they all cost a fortune in licensing. The benefit to open source solutions is you pay for support, not for the product. So you can evaluate, test and roll these things out for free if you want to, and you can pay for support if you want to.

I've used both RHEL+Satellite in large commercial finance companies, and CentOS+Spacewalk in small start ups. Both work equally as well purely from a product/technical point of view, but you have the option for the expensive commercial support if you want it. And when you pay for support (rather than a product), you tend to get much better support, as that's their whole income generation focus, which means the vendor works hard for it.

I run two sites right now purely off $0 Ubuntu and Puppet. If we were to change that to Windows and SCCM over night, completely ignoring the upfront migration costs, the per-year licensing costs would be an order of magnitude more expensive to the business (even if you sacked all the Linux admins and replaced them with cheap Windows monkeys).

 

You don't use the enterprise support for Puppet?

Have you looked at the other solutions around (e.g. Chef, Saltstack) or was it just as much a case of familiarity with Puppet and didn't look any further?

I've been really impressed with some of the quality of the open source documentation for stuff recently, and with a recent investigation into possible document management systems, I've been leaning towards such options where possible.

 

Nope.

When I inherited the site in 2012, I was given 2 weeks to convert it from an unmanaged, mostly ad-hoc Windows network to a VFX-ready Linux network with no assistance. It was a hard deadline of a new job starting, and no slippage time. That included a lot more than just the OS - essentially the entire platform and application suite (which itself is a non-trivial and very long list of stuff).

I didn't have the luxury to investigate new tools at the time. Puppet was what I knew well from other jobs (CFEngine too, but I didn't like it), so it got put in with incredible haste.

I got the site built, the configuration in, and everything working as required. A week after deadline I had to fly to our Sydney office and do the same there in 3 working days.