WSUS: Bloody Hell

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Dec 14, 2009.

  1. Reading this description of how you manage Microsoft updates
    <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    and I thought: what about the software from all the other vendors you have
    to deal with? Do you have to go through some version of this rigmarole for
    EVERY SINGLE ONE of them?

    No wonder Windows support costs are so high...
    Lawrence D'Oliveiro, Dec 14, 2009
    #1

  2. Lawrence D'Oliveiro

    Enkidu Guest

    Lawrence D'Oliveiro wrote:
    > Reading this description of how you manage Microsoft updates
    > <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    > and I thought: what about the software from all the other vendors you have
    > to deal with? Do you have to go through some version of this rigmarole for
    > EVERY SINGLE ONE of them?
    >

    That's a far more complicated setup than most organisations would ever
    need. I suppose that you could do similar with a RedHat Satellite Server
    and a couple of Proxy Servers, but you'd probably need to do a bit of
    hand coding to make it work.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
    Enkidu, Dec 14, 2009
    #2

  3. Lawrence D'Oliveiro

    Carnations Guest

    On Mon, 14 Dec 2009 21:05:51 +1300, Enkidu wrote:

    > Lawrence D'Oliveiro wrote:
    >> Reading this description of how you manage Microsoft updates
    >> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >> and I thought: what about the software from all the other vendors you
    >> have to deal with? Do you have to go through some version of this
    >> rigmarole for EVERY SINGLE ONE of them?
    >>

    > That's a far more complicated setup than most organisations would ever
    > need. I suppose that you could do similar with a RedHat Satellite Server
    > and a couple of Proxy Servers, but you'd probably need to do a bit of
    > hand coding to make it work.


    Or perhaps you could set up a local repository on your network, point all the servers at that repository
    and stagger the times at which they pull their updates from the repository. That way you would be able
    to manage any software installed on those servers by packaging it with the RPM. :o)

    You would be able to check the success of the updates by checking the logs. A visual inspection of the
    relevant parts of the relevant log on the following morning should confirm that the updates were
    successful, or you could automate the checking process.

    I suppose it depends on how much money you want to pay, and how complicated you want the process
    to be, and how much effort you want to put in, and how many servers you need to look after. :o)

    I would have thought that using a local repository would mean you'll know exactly what you're installing
    onto those servers, and using a shell script to report the results of the update would be a fairly good
    way of knowing what is happening on those machines.


    --
    "Filtering the Internet is like trying to boil the ocean"
    Carnations, Dec 14, 2009
    #3
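
The automated check suggested in the post above, as an added example that is not part of the original thread: it compares a server's package inventory with the versions the local repository was meant to deliver, rather than parsing log text. The sample data, report format and function names are assumptions.

```shell
#!/bin/sh
# Added example: verify an update run against the approved package list.
# Sample data, report format and function names are assumptions.

# Constructed sample: versions the local repository was meant to deliver.
EXPECTED='openssl 1.0-2
kernel 2.6-5
httpd 2.2-7'

# Constructed sample: one server's inventory, in the shape printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
INSTALLED='openssl 1.0-2
kernel 2.6-4
bash 3.2-24'

# update_report EXPECTED INSTALLED
# Prints one line per approved package: OK, STALE (present, but not at the
# approved version) or MISSING. A package that can be installed at several
# versions side by side (kernels) is OK if any installed copy matches.
update_report() {
    printf '%s\n' "$1" | while read -r pkg want; do
        [ -n "$pkg" ] || continue
        if printf '%s\n' "$2" | grep -qxF -- "$pkg $want"; then
            echo "OK $pkg $want"
            continue
        fi
        have=$(printf '%s\n' "$2" |
            awk -v p="$pkg" '$1 == p { printf "%s%s", sep, $2; sep = "," }')
        if [ -n "$have" ]; then
            echo "STALE $pkg want=$want have=$have"
        else
            echo "MISSING $pkg want=$want"
        fi
    done
}

# check_status REPORT
# Returns 0 when every approved package is at its approved version and 2
# otherwise, so cron or a monitoring system can alert on the exit code.
check_status() {
    if printf '%s\n' "$1" | grep -Eq '^(STALE|MISSING) '; then
        return 2
    fi
    return 0
}

report=$(update_report "$EXPECTED" "$INSTALLED")
printf '%s\n' "$report"
```

The comparison is exact-match only; it does not order versions, so a server that is ahead of the approved list is reported as STALE too.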
  4. Lawrence D'Oliveiro

    Craig Sutton Guest

    Re: Bloody Hell

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:hg4q5m$nqp$...
    > Reading this description of how you manage Microsoft updates
    > <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    > and I thought: what about the software from all the other vendors you have
    > to deal with? Do you have to go through some version of this rigmarole for
    > EVERY SINGLE ONE of them?
    >


    Nope, many programs have a check for update option in their menus
    Craig Sutton, Dec 14, 2009
    #4
  5. Re: Bloody Hell

    In message <hg50u2$rs0$>, Craig Sutton wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in message
    > news:hg4q5m$nqp$...
    >
    >> Reading this description of how you manage Microsoft updates
    >> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >> and I thought: what about the software from all the other vendors you
    >> have to deal with? Do you have to go through some version of this
    >> rigmarole for EVERY SINGLE ONE of them?

    >
    > Nope, many programs have a check for update option in their menus


    That’s what I mean—do you have to go through some version of this rigmarole
    for EVERY SINGLE third-party package or vendor?
    Lawrence D'Oliveiro, Dec 14, 2009
    #5
  6. In message <>, Carnations wrote:

    > Or perhaps you could set up a local repository on your network, point all
    > the servers at that repository and stagger the times at which they pull
    > their updates from the repository. That way you would be able to manage
    > any software installed on those servers by packaging it with the RPM. :o)


    One of the reader comments to the article explained how easy it was to do
    this. Every single Linux distro I’m aware of includes the tools for building
    packages and managing repositories in the distribution as standard. So not
    only can you maintain your own mirrors of the standard repositories, it’s
    easy enough to add custom repositories containing your own site-specific
    stuff, so that can be managed on the same basis. You can set policies like
    auto-approving security updates, while holding other, less-critical stuff
    back for manual vetting.

    > You would be able to check the success of the updates by checking the
    > logs.


    And do it remotely. And automatically.

    Another thing is how people seem to think Windows’s Group Policy system is
    such a wonderful thing: it’s not. It only works with software that’s
    designed to work with it. Which makes it useless as a security mechanism.
    Lawrence D'Oliveiro, Dec 14, 2009
    #6
  7. Lawrence D'Oliveiro

    Craig Sutton Guest

    Re: Bloody Hell

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:hg553q$u6g$...
    > In message <hg50u2$rs0$>, Craig Sutton wrote:
    >
    >> "Lawrence D'Oliveiro" <_zealand> wrote in message
    >> news:hg4q5m$nqp$...
    >>
    >>> Reading this description of how you manage Microsoft updates
    >>> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>> and I thought: what about the software from all the other vendors you
    >>> have to deal with? Do you have to go through some version of this
    >>> rigmarole for EVERY SINGLE ONE of them?

    >>
    >> Nope, many programs have a check for update option in their menus

    >
    > That’s what I mean—do you have to go through some version of this
    > rigmarole
    > for EVERY SINGLE third-party package or vendor?


    What rigmarole? The app checks on its own if there is a newer version
    available and asks if you wish to download it. Or you can manually check for
    it in its own menu.

    Is that an issue for you?
    Craig Sutton, Dec 14, 2009
    #7
  8. Lawrence D'Oliveiro

    Richard Guest

    Re: Bloody Hell

    Craig Sutton wrote:
    >
    > What rigmarole? The app checks on its own if there is a newer version
    > available and asks if you wish to download it. Or you can manually check
    > for it in its own menu.
    >
    > Is that an issue for you?


    Except that the users should have no ability to install the update as
    they are users, not administrators.
    Richard, Dec 14, 2009
    #8
  9. Lawrence D'Oliveiro

    Richard Guest

    Lawrence D'Oliveiro wrote:
    > Reading this description of how you manage Microsoft updates
    > <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    > and I thought: what about the software from all the other vendors you have
    > to deal with? Do you have to go through some version of this rigmarole for
    > EVERY SINGLE ONE of them?
    >
    > No wonder Windows support costs are so high...


    How would you handle sending updates out to 4 groups of Linux machines
    so that they are updated staggered with new packages from your source of
    choice? How do you approve the updates to go out to them?

    I'm not being a dick, I actually would like to know as I am starting to
    get a few machines here, and while doing apt-get update and apt-get
    upgrade has not caused me too many issues so far I know it's far from
    recommended.
    Richard, Dec 14, 2009
    #9
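
One way to get the staged, approved rollout asked about above from a plain package repository, using the policy suggested earlier in the thread (security updates go out automatically, the rest wait for manual vetting). This is an added example, not code from any poster; the data layout, the four group delays and the function names are assumptions.

```shell
#!/bin/sh
# Added example: approval gate plus staggered rollout for a local repository.
# Data layout, group delays and function names are assumptions.

# Constructed sample: updates waiting in the mirror.
# Fields: package  version  class  day first seen (days since 1970-01-01)
PENDING='openssl 1.0-2 security 14592
kernel 2.6-5 security 14590
httpd 2.2-7 bugfix 14590
samba 3.0-9 enhancement 14585'

# Constructed sample: non-security updates an administrator has vetted.
MANUAL_OK='httpd 2.2-7'

# Days each group waits after an update is first seen. Group 0 is the test
# group; groups 1-3 are production, released in waves.
GROUP_DELAYS='0 2 4 7'

# group_of HOST: stable group number 0..3 derived from the host name, so a
# machine stays in the same wave without a central assignment table.
group_of() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((sum % 4))
}

# releasable GROUP TODAY: print the "package version" pairs GROUP may install
# on day TODAY. Security updates are approved automatically, everything else
# needs an entry in MANUAL_OK, and both wait out the group's delay.
releasable() {
    group=$1 today=$2
    set -- $GROUP_DELAYS
    shift "$group"
    delay=$1
    printf '%s\n' "$PENDING" | while read -r pkg ver class seen; do
        [ -n "$pkg" ] || continue
        if [ "$class" != security ] &&
           ! printf '%s\n' "$MANUAL_OK" | grep -qxF -- "$pkg $ver"; then
            continue            # held back until someone vets it
        fi
        if [ $((today - seen)) -ge "$delay" ]; then
            echo "$pkg $ver"
        fi
    done
}

# Demo for day 14592 (2009-12-14). In production TODAY would come from
# $(( $(date +%s) / 86400 )) and the output would drive whatever copies
# packages into each group's repository directory.
for g in 0 1 2 3; do
    echo "group $g: $(releasable "$g" 14592 | tr '\n' ';')"
done
```

Each group's machines then point only at their own repository directory, so nothing reaches production until it has sat in group 0 for the configured delay.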
  10. Lawrence D'Oliveiro

    Malcolm Guest

    On Tue, 15 Dec 2009 04:27:34 +1300
    Richard <> wrote:

    > Lawrence D'Oliveiro wrote:
    > > Reading this description of how you manage Microsoft updates
    > > <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    > > and I thought: what about the software from all the other vendors
    > > you have to deal with? Do you have to go through some version of
    > > this rigmarole for EVERY SINGLE ONE of them?
    > >
    > > No wonder Windows support costs are so high...

    >
    > How would you handle sending updates out to 4 groups of Linux
    > machines so that they are updated staggered with new packages from
    > your source of choice? How do you approve the updates to go out to
    > them?
    >
    > I'm not being a dick, I actually would like to know as I am starting
    > to get a few machines here, and while doing apt-get update and
    > apt-get upgrade has not caused me too many issues so far I know it's
    > far from recommended.

    Hi
    In openSUSE you can create a local repository of plain RPMs and then
    use smb or other transport methods via zypper running as a cron job to
    pull in updates.

    On SLES/SLED I'm just about to start using the SMT tool for this on my
    home network (currently use Nagios to run a zypper check on the
    machines).

    I run VMs and check any updates that I'm not sure of the impact.

    --
    Cheers Malcolm °¿° (Linux Counter #276890)
    SUSE Linux Enterprise Desktop 11 (x86_64) Kernel 2.6.27.39-0.3-default
    up 10:59, 2 users, load average: 0.03, 0.08, 0.08
    GPU GeForce 8600 GTS Silent - CUDA Driver Version: 190.18
    Malcolm, Dec 14, 2009
    #10
  11. Lawrence D'Oliveiro

    AD. Guest

    On Dec 15, 4:27 am, Richard <> wrote:
    > I'm not being a dick, I actually would like to know as I am starting to
    > get a few machines here, and while doing apt-get update and apt-get
    > upgrade has not caused me too many issues so far I know it's far from
    > recommended.


    I'm curious: why is using apt-get "far from recommended"?


    --
    Cheers
    Anton
    AD., Dec 14, 2009
    #11
  12. Lawrence D'Oliveiro

    Enkidu Guest

    Carnations wrote:
    > On Mon, 14 Dec 2009 21:05:51 +1300, Enkidu wrote:
    >
    >> Lawrence D'Oliveiro wrote:
    >>> Reading this description of how you manage Microsoft updates
    >>> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>> and I thought: what about the software from all the other vendors
    >>> you have to deal with? Do you have to go through some version of
    >>> this rigmarole for EVERY SINGLE ONE of them?
    >>>

    >> That's a far more complicated setup than most organisations would
    >> ever need. I suppose that you could do similar with a RedHat
    >> Satellite Server and a couple of Proxy Servers, but you'd probably
    >> need to do a bit of hand coding to make it work.

    >
    > Or perhaps you could set up a local repository on your network, point
    > all the servers at that repository and stagger the times at which
    > they pull their updates from the repository. That way you would be
    > able to manage any software installed on those servers by packaging
    > it with the RPM. :o)
    >

    In other words, you'd have to do some coding. Also your scheme does not
    allow for a testing phase. That's the reason for separating out some
    servers as 'DEV'. The Satellite and Proxy server provide the ability to
    have a local copy of the RedHat repositories on one of your systems and
    to schedule the pull down and/or distribution of packages, which your
    scheme is missing. A true 'local repository' would only contain your
    locally developed packages and would be additional to the standard
    software channels.
    >
    > You would be able to check the success of the updates by checking the
    > logs. A visual inspection of the relevant parts of the relevant log
    > on the following morning should confirm that the updates were
    > successful, or you could automate the checking process.
    >

    Installation is only part of the problem. Testing is crucial before you
    allow an update to go out and break one of your applications.
    >
    > I suppose it depends on how much money you want to pay, and how
    > complicated you want the process to be, and how much effort you want
    > to put in, and how many servers you need to look after. :o)
    >

    The solution described in the MS article would have been at least
    several hundred I'd guess. Up to a couple of hundred you'd likely need
    only one WSUS setup.
    >
    > I would have thought that using a local repository would mean you'll
    > know exactly what you're installing onto those servers, and using a
    > shell script to report the results of the update would be a fairly
    > good way of knowing what is happening on those machines.
    >

    You don't mean a 'local repository'. You're talking about something
    closer to a 'local mirror' of the distro repository. You have no control
    over how and when the updates would occur and you don't allow for
    testing for update. Satellite and Proxy allow for these extra facilities
    in a RedHat environment.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
    Enkidu, Dec 14, 2009
    #12
  13. Lawrence D'Oliveiro

    Enkidu Guest

    Lawrence D'Oliveiro wrote:
    >
    > Another thing is how people seem to think Windows’s Group Policy system is
    > such a wonderful thing: it’s not. It only works with software that’s
    > designed to work with it. Which makes it useless as a security mechanism.
    >

    Hehehehehehehehe! Group Policy may be a pig, but it isn't a 'security
    mechanism'. It's a control mechanism. Sure it can prevent you from doing
    things, based on security settings, but *it* doesn't provide the
    security. It also allows you to tailor the view of the system that the
    user gets to see, so that if you feel the need you could insist on the
    same desktop background for all users and prevent them changing it, to
    take a seriously trivial example.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
    Enkidu, Dec 14, 2009
    #13
  14. Lawrence D'Oliveiro

    Enkidu Guest

    Richard wrote:
    > Lawrence D'Oliveiro wrote:
    >> Reading this description of how you manage Microsoft updates
    >> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>
    >> and I thought: what about the software from all the other vendors you
    >> have
    >> to deal with? Do you have to go through some version of this rigmarole
    >> for
    >> EVERY SINGLE ONE of them?
    >>
    >> No wonder Windows support costs are so high...

    >
    > How would you handle sending updates out to 4 groups of Linux machines
    > so that they are updated staggered with new packages from your source of
    > choice? How do you approve the updates to go out to them?
    >
    > I'm not being a dick, I actually would like to know as I am starting to
    > get a few machines here, and while doing apt-get update and apt-get
    > upgrade has not caused me too many issues so far I know it's far from
    > recommended.
    >

    I don't know of any system on Debian-type distros that provides the sort
    of control you can get with Satellite and Proxy servers on RedHat-type
    distros.

    Cheers,

    Cliff

    --

    The Internet is interesting in that although the nicknames may change,
    the same old personalities show through.
    Enkidu, Dec 14, 2009
    #14
  15. Lawrence D'Oliveiro

    AD. Guest

    On Dec 15, 9:42 am, Enkidu <> wrote:
    > I don't know of any system on Debian-type distros that provides the sort
    > of control you can get with Satellite and Proxy servers on RedHat-type
    > distros.


    There are pieces of the puzzle, but nothing as complete/integrated as
    the Red Hat network stuff.

    Incidentally, Spacewalk is the open source upstream of that code and
    there has been some preliminary work done on getting Spacewalk to
    handle debs and support Debian machines.

    I haven't tried it yet, but this looks interesting:
    http://www.ibh.de/apt-dater/

    And if you don't mind paying money, there is also Canonical's Landscape
    service for Ubuntu machines.

    --
    Cheers
    Anton
    AD., Dec 14, 2009
    #15
  16. Lawrence D'Oliveiro

    AD. Guest

    AD., Dec 14, 2009
    #16
  17. In message <hg5gv7$60l$>, Craig Sutton wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in message
    > news:hg553q$u6g$...
    >>
    >> In message <hg50u2$rs0$>, Craig Sutton wrote:
    >>
    >>> "Lawrence D'Oliveiro" <_zealand> wrote in
    >>> message news:hg4q5m$nqp$...
    >>>
    >>>> Reading this description of how you manage Microsoft updates
    >>>> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>>> and I thought: what about the software from all the other vendors you
    >>>> have to deal with? Do you have to go through some version of this
    >>>> rigmarole for EVERY SINGLE ONE of them?
    >>>
    >>> Nope, many programs have a check for update option in their menus

    >>
    >> That’s what I mean—do you have to go through some version of this
    >> rigmarole for EVERY SINGLE third-party package or vendor?

    >
    > What rigmarole? The app checks on its own if there is a newer version
    > available and asks if you wish to download it. Or you can manually check
    > for it in its own menu.
    >
    > Is that an issue for you?


    You expect the staff to keep going round periodically to EVERY SINGLE
    machine to do that?
    Lawrence D'Oliveiro, Dec 14, 2009
    #17
  18. Lawrence D'Oliveiro

    Craig Sutton Guest

    "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:hg6g9t$nq8$...
    > In message <hg5gv7$60l$>, Craig Sutton wrote:
    >
    >> "Lawrence D'Oliveiro" <_zealand> wrote in message
    >> news:hg553q$u6g$...
    >>>
    >>> In message <hg50u2$rs0$>, Craig Sutton wrote:
    >>>
    >>>> "Lawrence D'Oliveiro" <_zealand> wrote in
    >>>> message news:hg4q5m$nqp$...
    >>>>
    >>>>> Reading this description of how you manage Microsoft updates
    >>>>> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>>>> and I thought: what about the software from all the other vendors you
    >>>>> have to deal with? Do you have to go through some version of this
    >>>>> rigmarole for EVERY SINGLE ONE of them?
    >>>>
    >>>> Nope, many programs have a check for update option in their menus
    >>>
    >>> That’s what I mean—do you have to go through some version of this
    >>> rigmarole for EVERY SINGLE third-party package or vendor?

    >>
    >> What rigmarole? The app checks on its own if there is a newer version
    >> available and asks if you wish to download it. Or you can manually check
    >> for it in its own menu.
    >>
    >> Is that an issue for you?

    >
    > You expect the staff to keep going round periodically to EVERY SINGLE
    > machine to do that?



    STAFF?

    Who mentioned staff? What are you talking about?
    Craig Sutton, Dec 15, 2009
    #18
  19. Lawrence D'Oliveiro

    AD. Guest

    On Dec 15, 4:57 pm, "Craig Sutton" <> wrote:
    > STAFF?
    >
    > Who mentioned staff? What are you talking about?


    All those people who run tiered WSUS setups to keep their home PC up
    to date?

    --
    Cheers
    Anton
    AD., Dec 15, 2009
    #19
  20. In message <hg71fh$213$>, Craig Sutton wrote:

    > "Lawrence D'Oliveiro" <_zealand> wrote in message
    > news:hg6g9t$nq8$...
    >
    >> In message <hg5gv7$60l$>, Craig Sutton wrote:
    >>
    >>> "Lawrence D'Oliveiro" <_zealand> wrote in
    >>> message news:hg553q$u6g$...
    >>>>
    >>>> In message <hg50u2$rs0$>, Craig Sutton wrote:
    >>>>
    >>>>> "Lawrence D'Oliveiro" <_zealand> wrote in
    >>>>> message news:hg4q5m$nqp$...
    >>>>>
    >>>>>> Reading this description of how you manage Microsoft updates
    >>>>>> <http://arstechnica.com/business/news/2009/12/how-to-implement-and-maintain-a-tiered-wsus-infrastructure.ars/1>
    >>>>>> and I thought: what about the software from all the other vendors you
    >>>>>> have to deal with? Do you have to go through some version of this
    >>>>>> rigmarole for EVERY SINGLE ONE of them?
    >>>>>
    >>>>> Nope, many programs have a check for update option in their menus
    >>>>
    >>>> That’s what I mean—do you have to go through some version of this
    >>>> rigmarole for EVERY SINGLE third-party package or vendor?
    >>>
    >>> What rigmarole? The app checks on its own if there is a newer version
    >>> available and asks if you wish to download it. Or you can manually check
    >>> for it in its own menu.
    >>>
    >>> Is that an issue for you?

    >>
    >> You expect the staff to keep going round periodically to EVERY SINGLE
    >> machine to do that?

    >
    > STAFF?
    >
    > Who mentioned staff? What are you talking about?


    RTFA.
    Lawrence D'Oliveiro, Dec 15, 2009
    #20