- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with package_updates
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
This module provides a Puppet Face to query available package updates from all package providers available on the system. The Face is able to query from over 12 package managers out of the box and more can be added by downloading modules from the Forge that include additional package providers, such as the chocolatey/chocolatey module for Windows.
In addition to the Puppet Face, the module provides a class that manages a cron job to scan for available package updates on a regular schedule. The cron job takes the output and generates a custom Facter fact so the package update status is always up to date in PuppetDB. Keeping the data in PuppetDB provides an easy interface to query for available updates and generate custom reports.
- A cron job in the root user's crontab
- A custom Facter fact with package update information
- Add the package_updates class to all node groups you want to monitor updates on
To have nodes scan for updates on a regular cadence and report the result as a custom fact, declare the package_updates class on any node or node group you'd like to monitor for updates.
After the module is installed on the Puppet master, each Puppet agent pluginsyncs the module's libraries (the Face and the fact) to its local filesystem on its next run. Once the sync has happened, the following command lists every package on the node that has an update available:
$ puppet package updates
You can also request the output as serialized JSON, which is the form the scheduled scan caches for Facter and the easiest form to feed into other tooling:
$ puppet package updates --render-as json
The available package updates on the system can be retrieved as a structured custom fact. Because scanning every package provider can take several seconds, the fact does not scan on demand: the scan runs on a schedule and the cached result is what Facter reads. Keep in mind that the fact is therefore only as fresh as the last successful scan.
The package_updates class sets the schedule on which the system scans for package updates and caches the results for Facter.
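As an added illustration of the cache-then-read pattern described above (this is example code, not the module's own fact implementation), the following Facter custom fact reads a JSON cache written by a scheduled scan and refuses to serve it once it is older than a staleness limit. The cache path, its JSON layout and the two-day limit are assumptions for the example; the sample cache content is constructed.

```ruby
require 'json'
require 'time'

# Assumed location of the cache the cron job writes from
# `puppet package updates --render-as json` (not the module's real path).
CACHE_PATH = '/var/cache/package_updates.json'
# A cache older than this many seconds is treated as stale (2 days, assumed).
MAX_AGE = 2 * 24 * 60 * 60

# Constructed sample of the assumed cache layout, for demonstration only.
SAMPLE_CACHE_JSON = <<~JSON
  {
    "scanned_at": "2024-05-01T03:15:00Z",
    "updates": [
      {"name": "openssl", "provider": "apt", "installed": "3.0.2-0ubuntu1.14", "available": "3.0.2-0ubuntu1.15"},
      {"name": "curl", "provider": "apt", "installed": "7.81.0-1ubuntu1.15", "available": "7.81.0-1ubuntu1.16"},
      {"name": "git", "provider": "chocolatey", "installed": "2.44.0", "available": "2.45.1"}
    ]
  }
JSON

# Turns the cached JSON into the fact value. Returns nil when the cache is
# malformed, missing required keys, or older than max_age, so Facter leaves the
# fact unset instead of reporting an outdated (and possibly falsely clean)
# patch state. `now` is injectable so the staleness rule can be tested.
def parse_package_updates(json, now: Time.now, max_age: MAX_AGE)
  data = JSON.parse(json)
  scanned_at = Time.parse(data.fetch('scanned_at'))
  return nil if now - scanned_at > max_age

  updates = data.fetch('updates').map do |u|
    {
      'name'      => u.fetch('name'),
      'provider'  => u.fetch('provider'),
      'installed' => u['installed'],
      'available' => u.fetch('available'),
    }
  end
  {
    'scanned_at'  => scanned_at.utc.iso8601,
    'count'       => updates.size,
    'updates'     => updates,
    'by_provider' => updates.group_by { |u| u['provider'] }.transform_values(&:size),
  }
rescue JSON::ParserError, KeyError, ArgumentError, TypeError, NoMethodError
  nil
end

# Reads the cache file from disk; a missing file simply yields no fact.
def load_package_updates(path = CACHE_PATH, **opts)
  return nil unless File.file?(path)

  parse_package_updates(File.read(path), **opts)
end

# Register the fact only when running under Facter, so the functions above can
# also be exercised stand-alone (e.g. in a unit test).
if defined?(Facter)
  Facter.add(:package_updates) do
    setcode { load_package_updates }
  end
end
```

Serving nil for a stale or unreadable cache is deliberate: an absent fact shows up in PuppetDB as "no data", whereas a stale cache would silently report an old update list as current.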
You can use PuppetDB's API to query the patch state for different parts of the infrastructure. For example, to query for all production systems that have updates available, the following query can be used against the /pdb/query/v4/facts endpoint:
["and",
  ["=", "name", "package_updates"],
  ["=", "environment", "production"]
]
The following query retrieves updates only for packages whose version is not managed by Puppet, that is, package resources whose ensure is neither latest nor a specific version number:
["and",
  ["=", "environment", "production"],
  ["in", "name",
    ["extract", "name",
      ["select-resources",
        ["and",
          ["=", "type", "package"],
          ["not",
            ["or",
              ["=", "ensure", "latest"],
              ["~", "ensure", "^(?:(\\d+)\\.)?(?:(\\d+)\\.)?(\\*|\\d+)$"]
            ]
          ]
        ]
      ]
    ]
  ]
]
Two things to check before running this against your own PuppetDB: the query is JSON, so the backslashes in the version regex must be doubled (a bare \d is not valid JSON), and on the v4 resources endpoint a resource parameter is addressed as ["parameter", "ensure"] rather than a bare "ensure", so adapt the subquery to the PuppetDB version you run. The regex also only treats dotted numeric versions (1, 1.2, 1.2.3, 1.2.*) as pinned; distribution versions with release suffixes such as 3.0.2-0ubuntu1.14 will not match and are counted as unmanaged.
You can use subqueries to construct more targeted queries.
Since the PuppetDB query returns standard JSON, existing tools can be used to generate spreadsheet reports, or custom interfaces can be built that render the serialized data.
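As an added example covering both the facts query above and the reporting step (this is illustrative code, not part of the module), the following Ruby builds the PuppetDB query as a data structure so JSON.generate takes care of escaping, and flattens a facts-endpoint response into one CSV row per node and package. The response body is constructed, and the layout of the fact value (count plus an updates array) is an assumption made for the example.

```ruby
require 'json'
require 'csv'

# The facts-endpoint query for every node in `environment` that carries the
# package_updates fact, kept as a Ruby structure; JSON.generate serialises it.
def facts_query(environment)
  ['and',
   ['=', 'name', 'package_updates'],
   ['=', 'environment', environment]]
end

# The README's "pinned version" pattern (1, 1.2, 1.2.3, 1.2.*). Kept in a
# single-quoted Ruby string so the backslashes survive; JSON.generate doubles
# them as JSON requires, which is the easy thing to get wrong by hand.
PINNED_VERSION_RE = '^(?:(\d+)\.)?(?:(\d+)\.)?(\*|\d+)$'

# True when an ensure value pins a dotted numeric version.
def version_pinned?(ensure_value)
  !Regexp.new(PINNED_VERSION_RE).match(ensure_value).nil?
end

# Constructed sample of what /pdb/query/v4/facts returns for facts_query;
# the fact value layout is assumed for this example.
SAMPLE_FACTS_RESPONSE = <<~JSON
  [
    {"certname": "web01.example.com", "environment": "production", "name": "package_updates",
     "value": {"count": 2, "updates": [
       {"name": "openssl", "provider": "apt", "installed": "3.0.2-0ubuntu1.14", "available": "3.0.2-0ubuntu1.15"},
       {"name": "curl", "provider": "apt", "installed": "7.81.0-1ubuntu1.15", "available": "7.81.0-1ubuntu1.16"}]}},
    {"certname": "db01.example.com", "environment": "production", "name": "package_updates",
     "value": {"count": 0, "updates": []}},
    {"certname": "win01.example.com", "environment": "production", "name": "package_updates",
     "value": {"count": 1, "updates": [
       {"name": "git", "provider": "chocolatey", "installed": "2.44.0", "available": "2.45.1"}]}}
  ]
JSON

REPORT_HEADER = %w[certname environment provider package installed available].freeze

# One row per (node, package). Nodes with no pending updates produce no rows,
# so count them separately if "fully patched" is something you report on.
def report_rows(response_json)
  JSON.parse(response_json).flat_map do |fact|
    fact.fetch('value').fetch('updates', []).map do |u|
      [fact['certname'], fact['environment'], u['provider'], u['name'], u['installed'], u['available']]
    end
  end
end

# CSV text ready for a spreadsheet or ticketing import.
def report_csv(response_json)
  CSV.generate do |csv|
    csv << REPORT_HEADER
    report_rows(response_json).each { |row| csv << row }
  end
end

# Fleet-wide totals per provider, handy for a one-line summary.
def updates_by_provider(response_json)
  report_rows(response_json).group_by { |r| r[2] }.transform_values(&:size)
end

if $PROGRAM_NAME == __FILE__
  puts JSON.generate(facts_query('production'))
  puts report_csv(SAMPLE_FACTS_RESPONSE)
end
```

The generated query string is what you pass as the query parameter to /pdb/query/v4/facts; the same approach applies to the subquery above, where hand-writing the regex inside a JSON string is where the escaping mistakes happen.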
Suggested tools:
This tool currently works only on non-Windows systems, because the scheduled scan is managed as a cron resource. Once the interface can handle both cron and scheduled_task resources, Windows support for package management systems like Chocolatey can easily be added.