feat: add group and batch patching

Author: rwaffen

lib/facter/os_patching.rb

@@ -302,5 +302,21 @@
       data['blocked_reasons'] = blocked_reasons
       data
     end
+
+    chunk(:group) do
+      data = {}
+      groupfile = os_patching_dir + '/group'
+      if File.file?(groupfile)
+        group = File.open(groupfile, 'r').to_a
+        line = group.last.chomp
+        matchdata = line.match(/^(.*)$/)
+        if matchdata[0]
+          data['group'] = matchdata[0]
+        end
+      else
+        data['group'] = 'default'
+      end
+      data
+    end
   end
 end

manifests/init.pp

@@ -96,6 +96,9 @@
 # @param ensure
 #   `present` to install scripts, cronjobs, files, etc, `absent` to cleanup a system that previously hosted us
 #
+# @param group
+#   The group to assign the node for patching purposes.
+#
 # @example assign node to 'Week3' patching window, force a reboot and create a blackout window for the end of the year
 #   class { 'os_patching':
 #     patch_window     => 'Week3',
@@ -106,6 +109,7 @@
 #         'end'   => '2019-01-15T23:59:59+10:00',
 #       },
 #     },
+#.    group            => 'patching01',
 #   }
 #
 # @example An example profile to setup patching, sourcing blackout windows from hiera
@@ -125,6 +129,7 @@
 #       patch_window     => $patch_window,
 #       reboot_override  => $reboot_override,
 #       blackout_windows => $full_blackout_windows,
+#       group            => 'patching01',
 #     }
 #   }
 #
@@ -165,6 +170,7 @@
   Integer[0,59] $patch_cron_min = fqdn_rand(59),
   Optional[String] $patch_window = undef,
   Optional[Hash] $blackout_windows = undef,
+  Optional[String[1]] $group = undef,
 ) {
   # None tunable
   $cache_dir = lookup('os_patching::cache_dir',Stdlib::Absolutepath,first,undef)
@@ -211,6 +217,10 @@
     fail('The patch window can only contain alphanumerics, space, underscore and dash')
   }
 
+  if ($group and $group !~ /^[A-Za-z0-9\-_ ]+$/ ) {
+    fail('The group can only contain alphanumerics, space, underscore and dash')
+  }
+
   file { $cache_dir:
     ensure => $ensure_dir,
     force  => true,
@@ -243,6 +253,11 @@
     default => 'absent'
   }
 
+  $group_ensure = ($ensure == 'present' and $group) ? {
+    true    => 'file',
+    default => 'absent',
+  }
+
   file { "${cache_dir}/patch_window":
     ensure  => $patch_window_ensure,
     content => $patch_window,
@@ -258,6 +273,11 @@
     notify => Exec[$fact_exec],
   }
 
+  file { "${cache_dir}/group":
+    ensure  => $group_ensure,
+    content => $group,
+  }
+
   $reboot_override_ensure = ($ensure == 'present' and $reboot_override) ? {
     true    => 'file',
     default => 'absent',
@@ -314,6 +334,7 @@
         "${cache_dir}/patch_window",
         "${cache_dir}/reboot_override",
         "${cache_dir}/blackout_windows",
+        "${cache_dir}/group",
       ],
     }
   }

plans/patch_after_healthcheck.pp

@@ -9,13 +9,12 @@
 ) {
   # Run an initial health check to make sure the target nodes are ready
 
-  $health_checks = run_task('puppet_health_check::agent_health',
-    $nodes,
+  $health_checks = run_task('puppet_health_check::agent_health', $nodes,
     target_noop_state      => $noop_state,
     target_service_enabled => true,
     target_service_running => true,
     target_runinterval     => $runinterval,
-    '_catch_errors'        => true,
+    _catch_errors          => true,
   )
 
   $nodes_to_patch = $health_checks.filter | $items | { $items.value['state'] == 'clean' }

plans/patch_batch.pp

@@ -0,0 +1,60 @@
+# @summary Patch nodes in a batch
+#
+plan os_patching::patch_batch (
+  Array $batch              = [],
+  Boolean $catch_errors     = true,
+  Boolean $noop_state       = false,
+  Boolean $run_health_check = false,
+  Boolean $service_enabled  = true,
+  Boolean $service_running  = true,
+  Integer $runinterval      = 1800,
+) {
+  out::message("patch_batch.pp: Patching batch of nodes: ${batch}")
+
+  $targets   = get_targets($batch)
+
+  if $run_health_check {
+    out::message('patch_batch.pp: Running health check before patching')
+    run_task('os_patching::health_check', $targets,
+      _catch_errors          => $catch_errors,
+      target_noop_state      => $noop_state,
+      target_runinterval     => $runinterval,
+      target_service_enabled => $service_enabled,
+      target_service_running => $service_running,
+    )
+
+    $nodes_to_patch = $health_checks.filter | $items | { $items.value['state'] == 'clean' }
+    $nodes_skipped  = $health_checks.filter | $items | { $items.value['state'] != 'clean' }
+
+    $skipped_nodes = $nodes_skipped.map | $value | { $value['certname'] }
+    $patchable_nodes = $nodes_to_patch.map | $value | { $value['certname'] }
+
+    $task_result = run_task('os_patching::patch_server', $patchable_nodes,
+      _catch_errors => $catch_errors,
+    )
+
+    $successful_patched_nodes = $task_result.ok_set.names
+    $failed_patched_nodes     = $task_result.error_set.names
+  } else {
+    out::message('patch_batch.pp: Health check is disabled.')
+    $task_result = run_task('os_patching::patch_server', $targets,
+      _catch_errors => $catch_errors,
+    )
+
+    log::debug("patch_batch.pp: Patching task result for ${targets}: ${task_result}")
+
+    $successful_patched_nodes = $task_result.ok_set.names
+    $failed_patched_nodes     = $task_result.error_set.names
+    $skipped_nodes            = [] # No skipped nodes if health check is not run
+  }
+
+  return(
+    {
+      targets      => $targets,
+      patched      => $successful_patched_nodes,
+      failed       => $failed_patched_nodes,
+      skipped      => $skipped_nodes,
+      health_check => $run_health_check,
+    }
+  )
+}

plans/patch_group.pp

@@ -0,0 +1,42 @@
+# @summary Patch nodes collected by a fact group
+#
+plan os_patching::patch_group (
+  String[1] $group,
+  Boolean $patch_in_batches = true,
+  Integer $batch_size       = 15,
+) {
+  $pql_query = puppetdb_query("inventory[certname] { facts.os_patching.group = '${group}'}")
+  $certnames = $pql_query.map |$item| { $item['certname'] }
+  $targets   = get_targets($certnames)
+
+  out::message("patch_group.pp: Patching group: ${group}")
+  out::message("patch_group.pp: Targets in group: ${targets}")
+
+  if $patch_in_batches {
+    out::message('patch_group.pp: Patching in batches is enabled')
+    out::message("patch_group.pp: Patching in batches of size: ${batch_size}")
+
+    $batches = slice($targets, $batch_size)
+    out::message("patch_group.pp: Patching batches created: ${batches}")
+
+    $batch_results = $batches.map |$batch| {
+      # out::message("patch_group.pp: Patching with nodes: ${batch}")
+      run_plan('os_patching::patch_batch', { batch => $batch })
+    }
+
+    # Merge all batch results into a single hash by combining arrays
+    $result = {
+      'targets'      => $batch_results.map |$r| { $r['targets'] }.flatten,
+      'patched'      => $batch_results.map |$r| { $r['patched'] }.flatten,
+      'failed'       => $batch_results.map |$r| { $r['failed'] }.flatten,
+      'skipped'      => $batch_results.map |$r| { $r['skipped'] }.flatten,
+      'health_check' => $batch_results[0]['health_check'],
+    }
+  } else {
+    out::message('patch_group.pp: Patching in batches is disabled')
+    out::message("patch_group.pp: Patching all targets at once: ${targets}")
+    $result = run_plan('os_patching::patch_batch', { batch => $targets })
+  }
+
+  return $result
+}

plans/patch_pql.pp

@@ -0,0 +1,21 @@
+# @summary Patch nodes collected by a PQL query
+#
+plan os_patching::patch_pql (
+  String[1] $pql_query      = 'inventory[certname] { facts.os.family = "redhat" }',
+  Boolean $patch_in_batches = true,
+  Integer $batch_size       = 15,
+) {
+  $pql_query = puppetdb_query($pql_query)
+  $certnames = $pql_query.map |$item| { $item['certname'] }
+  $targets   = get_targets($certnames)
+
+  if $patch_in_batches {
+    $batches = slice($targets, $batch_size)
+
+    $batches.each |$batch| {
+      $result = run_plan('os_patching::patch_batch', { batch => $batch })
+    }
+  } else {
+    $result = run_plan('os_patching::patch_batch', { batch => $targets })
+  }
+}