4 Replies Latest reply on Nov 24, 2012 4:54 PM by Bill Robinson

    Patch Exceptions - how in BladeLogic - if possible ?

      Hi

       

      BL novice here so please take it easy on me, it's my first post.

       

      Looking at BL I see that you can do hardening exceptions for servers (wintel in this case). Is there a way to do this for software patches?

       

      The reason being is that I don't want to install certain patches onto certain servers, but the BL scans always bring up the same patches.

       

      If I can't do this, e.g. exclude certain patches to set servers, can anyone tell me how BL logic scans a wintel server for patches? If it looks through the registry, for example, could I place false registry keys on the server so BL thinks it has the patch installed and then ignores it? Could this work?

       

      Any advice would be gratefully received.

       

      Note we use BladeLogic 8.0

       

      Many thanks

       

      Tony

        • 1. Re: Patch Exceptions - how in BladeLogic - if possible ?

          Hi Tony,

           

          Have you looked into using include and exclude lists to blacklist certain patches?

           

          Say you have a patch catalog for Windows 2003 and you don't want 10 patches installed from the latest patch update.

           

          You can create a blacklist smart group in the catalog which could have the names of the blacklisted patches in it (add each patch to the smart group).

           

          Then you would create a patching job and, at the stage where you can specify what level of patching you want to do, you can use include/exclude lists - add the smart group for hotfixes for the catalog (BSA created one) and then exclude the blacklist smart group and also include the obsolete and irrelevant ones here.

           

          Then run as a Patch Analysis job.

           

          Hope this helps,

           

          Steve

          • 2. Re: Patch Exceptions - how in BladeLogic - if possible ?

            Hi Steve, thanks for the quick reply.

             

            What I am after is to download all the MS patches (as we do now). Say we have 500 servers; I don't want to install one patch onto, say, 10 servers. I would really like to tell BL not to include these 10 servers, not to scan/install against those 10 servers. Hope that makes sense.

             

            Being new to BL I shall try to read up on your suggestion - hope that works, or that what I have asked for may be done another way.

             

            Many thanks

             

            Tony

            • 3. Re: Patch Exceptions - how in BladeLogic - if possible ?

              Hi Tony,

               

              So you have 500 servers and don't want to patch 10 of them?

               

              Create a server property in the property dictionary called _Windows_Patch which has Boolean values - if true you will patch it - if false you won't.

               

              Create a server smart group for all Windows servers where the server property of _Windows_Patch is True.

               

              Run a patching job against this smart group as the targets.

               

              If you have several groups of servers to patch then use a _Patch_group property and split them how you want:

               

              _Patch_Group = Monday Night, Sunday Night etc....

               

              Then set up and run patching against these groups.

               

              Hope this helps,

               

              Kind regards,

               

              Steve

              • 4. Re: Patch Exceptions - how in BladeLogic - if possible ?
                Bill Robinson

                There's not currently an elegant way to do this in the tool - what Tony wants is a per-server blacklist.  What you could do right now is create a patching job that runs against the 490 servers w/ all patches, then another job against the 10 servers and add the patch you want to the 'exclude' list.  I would also open a ticket w/ support and have them open an RFE for the per-server blacklist.