You should always patch your servers and keep them up to date. I’ve been tinkering with Azure’s built-in (albeit Preview feature at time of this writing) Update Management Center, and it’s a really great tool. On a test server I’ve had running, you can see the history of patching here:
These configurations will assess patches periodically and, on a schedule, download / install any updates needed. The above test server is Linux-based, and the updates can be to any package installed on the machine. A sample operation from above looks like this:
Tons of detail here. Thankfully everything so far has been green / successful, but I’m looking forward to seeing how it behaves with some sort of failed install.
To set this up yourself, you need to define an Azure “Maintenance Configuration“.
A sample of this is as follows.
The options under Maintenance Scope are:
- Host (dedicated / isolated infrastructure)
- OS Image (VMSS)
- Guest (Azure VM, Arc-enabled VMs/servers)
For a standard server you’ll choose the third option (Guest). On the ‘Update’ tab you can select which types of updates get installed:
Depending on the type of server (Windows or Linux), you may want to modify the types of patches get installed. By default, these are the type of patches that get installed in each OS:
In my testing I have an Ubuntu server, so I removed all Windows patches and added all the Linux machines. Azure uses an extension, installed on the server, to manage the communication and installation.
Back on the Update Management Center, you can get a pretty decent overview of the servers that are registered, the status of patches.
I have this now running against one of my production servers and will be watching to see how this evolves. I love not worrying about patch management, especially for Linux environments. The first time I get a failed patch installation though, I’ll document what it looks like.
One thought on “Automagical Server Patching”