[chef] Re: Re: Re: Re: Re: Shellshock patching with Chef


  • From: David Giesberg < >
  • To:
  • Subject: [chef] Re: Re: Re: Re: Re: Shellshock patching with Chef
  • Date: Tue, 30 Sep 2014 10:05:04 -0500

Morgan,

I can't speak to RH distros, but we (Union Metrics) are an Ubuntu shop. I put together some logic that *only* updates the bash package if the package version for that OS release is lower than the version detailed in the USN. This gist shows the whole rundown - hopefully it's useful to you and anyone else trying to figure out how to deal with updating these packages gracefully: https://gist.github.com/davidgiesberg/aa7116611737edee31e0

-David Giesberg
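David's gist is only linked, not quoted, so here is an added example of the check it describes: upgrade the package only when the installed version is below the fixed version for that release, and never pin. This is my own code, not David's gist or the Union Metrics cookbook. It reimplements the `dpkg --compare-versions` ordering in plain Ruby so it runs outside Chef; the `BASH_MINIMUM` table is an assumed placeholder, and the real floor for each release has to come from the USN text.

```ruby
# Added example (not from the gist): gate a security upgrade on a per-release
# version floor, compared the way dpkg compares Debian version strings.

# Minimum fixed bash version per Ubuntu release codename. ASSUMED values for
# illustration only; take the authoritative ones from the USN.
BASH_MINIMUM = {
  'trusty'  => '4.3-7ubuntu1.2',
  'precise' => '4.2-2ubuntu2.3',
}.freeze

def digit?(c)
  !c.nil? && c >= '0' && c <= '9'
end

# dpkg ordering for characters in a non-digit run: '~' sorts before
# everything (even end of string), end of string before letters, letters
# before any other character.
def char_order(c)
  return 0  if c.nil? || digit?(c)
  return -1 if c == '~'
  return c.ord if c =~ /[A-Za-z]/
  c.ord + 256
end

# Compare an upstream-version or revision string the way dpkg does:
# alternate non-digit runs (lexical via char_order) and digit runs
# (numeric, leading zeros ignored). Returns <0, 0 or >0.
def verrevcmp(a, b)
  i = j = 0
  while i < a.length || j < b.length
    first_diff = 0
    while (i < a.length && !digit?(a[i])) || (j < b.length && !digit?(b[j]))
      ac = char_order(a[i])
      bc = char_order(b[j])
      return ac - bc if ac != bc
      i += 1
      j += 1
    end
    i += 1 while i < a.length && a[i] == '0'
    j += 1 while j < b.length && b[j] == '0'
    while digit?(a[i]) && digit?(b[j])
      first_diff = a[i].ord - b[j].ord if first_diff.zero?
      i += 1
      j += 1
    end
    return 1  if digit?(a[i])   # a has more digits, so it is the larger number
    return -1 if digit?(b[j])
    return first_diff unless first_diff.zero?
  end
  0
end

# Split "[epoch:]upstream[-revision]" into its three parts.
def split_version(v)
  epoch = 0
  if v.include?(':')
    e, v = v.split(':', 2)
    epoch = e.to_i
  end
  if v.include?('-')
    cut = v.rindex('-')
    [epoch, v[0...cut], v[cut + 1..-1]]
  else
    [epoch, v, '']
  end
end

# Full Debian version comparison: epoch, then upstream, then revision.
# Returns -1, 0 or 1.
def deb_version_cmp(a, b)
  ea, ua, ra = split_version(a)
  eb, ub, rb = split_version(b)
  return ea <=> eb if ea != eb
  c = verrevcmp(ua, ub)
  return c <=> 0 unless c.zero?
  verrevcmp(ra, rb) <=> 0
end

# True only when the installed version is below the floor for this release;
# a box already at or above the floor is left alone and nothing is pinned.
def upgrade_needed?(installed, codename)
  minimum = BASH_MINIMUM.fetch(codename) do
    raise ArgumentError, "no minimum bash version known for #{codename}"
  end
  deb_version_cmp(installed, minimum) < 0
end

# How it would gate the resource in a recipe (Chef only, not run here);
# installed_bash_version would come from `dpkg-query -W -f='${Version}' bash`:
#   package 'bash' do
#     action :upgrade
#     only_if { upgrade_needed?(installed_bash_version, node['lsb']['codename']) }
#   end

if __FILE__ == $PROGRAM_NAME
  puts deb_version_cmp('4.3-7ubuntu1', '4.3-7ubuntu1.2')  # -1
  puts upgrade_needed?('4.3-7ubuntu1', 'trusty')           # true
end
```

On a box that has dpkg, the same gate is one shell line, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' bash)" lt 4.3-7ubuntu1.2`, which is exactly what the Ruby above reproduces. With `action :upgrade` and no `version` attribute apt installs whatever is current in the repo, so the resource cannot downgrade; the `only_if` just keeps Chef from touching the package on every run once the floor is met.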

On Mon, Sep 29, 2014 at 5:48 PM, Morgan Blackthorne < > wrote:
I'd rather have a bit more control, and that doesn't help for our RH family boxen.

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS

On Mon, Sep 29, 2014 at 3:39 PM, Brian Pitts < > wrote:
Depending on your tolerance for automatic security upgrades, on ubuntu
and debian you could use
https://supermarket.getchef.com/cookbooks/unattended-upgrades

On Mon, Sep 29, 2014 at 5:32 PM, Morgan Blackthorne
< > wrote:
> We have our own mirror for ubuntu, but we don't force the latest version. I
> don't think we have RHEL or OL or Debian mirrors at the moment, though.
>
> Forcing the latest version might just be the simplest way to resolve it.
>
> --
> ~*~ StormeRider ~*~
>
> "Every world needs its heroes [...] They inspire us to be better than we
> are. And they protect from the darkness that's just around the corner."
>
> (from Smallville Season 6x1: "Zod")
>
> On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
>
> On Mon, Sep 29, 2014 at 3:26 PM, AJ Christensen
> < > wrote:
>>
>> yo,
>>
>> On Tue, Sep 30, 2014 at 11:23 AM, Morgan Blackthorne
>> < > wrote:
>> > I'm looking to see if there's a good way to help manage patching of
>> > vulnerabilities with Chef. This Shellshock one seems to be a great
>> > example
>> > of why Chef would be a helpful tool for the job, since it's just a
>> > package
>> > in need of upgrading (bash).
>> >
>> > My question is, what's the best way in Chef to say "for this
>> > distribution
>> > and release, ensure that this package is at least at version X" without
>> > potentially downgrading the package down the road? I want to set a
>> > minimum
>> > bar, but I don't want to permanently pin the version.
>>
>> I like pushing sec packages into a signed internal repository. Always
>> roll to latest. Makes the chef code simple(r), especially for managing
>> multiple edges.
>>
>> Some providers support pessimistic version specifications (~>). They
>> may be of use.
>>
>> --aj
>>
>> >
>> > Thoughts? Thanks!
>> >
>> > --
>> > ~*~ StormeRider ~*~
>> >
>> > "Every world needs its heroes [...] They inspire us to be better than we
>> > are. And they protect from the darkness that's just around the corner."
>> >
>> > (from Smallville Season 6x1: "Zod")
>> >
>> > On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
>
>



--
Brian Pitts
Web Operations Engineer




