如何使用不同的时间表管理多个AWS账户的补丁
[英]How to manage patching on multiple AWS accounts with different schedules
问题描述
I'm looking for the best way to manage patching Linux systems across AWS accounts with the following things to consider: 
我正在寻找考虑以下事项来管理跨AWS账户打补丁Linux系统的最佳方法:
- Separate schedules to roll patches through Dev, QA, Staging and Prod sequentially 单独的时间表按顺序通过Dev,QA,Staging和Prod滚动补丁
- Production patches to be released on approval, not automatic 生产补丁将在批准后发布,而不是自动发布
- No newer patches can be deployed to Production than what was already deployed to lower environments (as new patches come out periodically throughout the month) 与已经部署到较低环境的补丁程序相比,没有任何新的补丁程序可以部署到生产环境中(因为每个月都会定期发布新补丁程序)
We have started by caching all patches in all environments on the first Sunday of every month. 我们从每个月的第一个星期日在所有环境中缓存所有补丁开始。 The goal there was to then install patches from cache. 那里的目标是然后从缓存安装补丁。 This helps prevent un-vetted patches being installed in prod. 这有助于防止未经审核的补丁安装在产品中。
Most, not all, instances are managed by OpsWorks, but there are numerous OpsWorks stacks. 大多数(不是全部)实例由OpsWorks管理,但是有许多OpsWorks堆栈。 We have some other instances managed by Chef Server. 我们还有其他一些由Chef Server管理的实例。 Still others are not managed, but are just simple EC2 instances created from the EC2 console. 还有其他一些不受管理,只是从EC2控制台创建的简单EC2实例。 This means, using recipes means we have to kick off approved patches on a stack-by-stack basis or instance-by-instance basis. 这意味着,使用配方意味着我们必须逐个堆栈或逐个实例地启动已批准的补丁程序。 Not optimal. 不是最佳的。
More recently, we have looked at the new features of SSM using a central AWS account to manage instances. 最近,我们使用中央AWS账户管理实例,研究了SSM的新功能。 However, this causes problems with some applications because the AssumeRole for SSM adds credentials to the .aws/config file that interferes with other tasks we need to run. 但是,这会导致某些应用程序出现问题,因为SSM的AssumeRole将凭据添加到.aws / config文件中,这会干扰我们需要运行的其他任务。
We have considered other tools, such as Ansible, but we would like to explore staying within the toolset we currently have which is largely OpsWorks and Chef Server. 我们考虑了其他工具,例如Ansible,但我们希望探索保留在我们目前拥有的工具集中(主要是OpsWorks和Chef Server)的工具。 I'm looking for ideas that are more on a higher level, an architecture of how one would approach this scenario. 我正在寻找更高级的想法,即如何处理这种情况的体系结构。
Thanks for any thoughts or ideas. 感谢您的任何想法或想法。
1 个解决方案
解决方案1
-1 2018-04-06 16:02:07
This sounds like one of the exact scenarios RunCommand was designed for. 这听起来像是RunCommand设计的确切方案之一。
You can create multiple groups of servers with different schedules based on tags. 您可以基于标签创建具有不同计划的多组服务器。 More importantly, you don't need to rely on secret/keys being deployed anywhere. 更重要的是,您无需依赖部署在任何地方的秘密/密钥。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.