- 1 Manual Patching Is Dead. Here’s What We Do Instead.
- 2 Why We Switched (and Why You’ll Probably Have To)
- 3 The Tools We Actually Use
- 4 Our 4-Step Rollout Plan
- 5 Security Extras We Layer On
- 6 What We Watch Like a Hawk
- 7 Common Screw-Ups (and How We Dodge Them)
- 8 Quick Checklist (Print and Tape to Your Monitor)
- 9 Questions We Still Get
Manual Patching Is Dead. Here’s What We Do Instead.
Last month I woke up at 3 a.m. to a Slack ping that made my chest tight. One forgotten AlmaLinux box had a nasty OpenSSL bug. We patched it by hand. Took four hours, three coffees, and two teammates. The next morning my boss still asked, “Could this happen again?”
Short answer: yes—unless we stop patching like it’s 2005.
Below is the exact playbook my small team now uses to keep 300+ servers safe without ever SSH-ing in for routine fixes.
Why We Switched (and Why You’ll Probably Have To)
Think of your servers like a row of houses. Leaving the front door unlocked on even one house turns the whole street into a target.
- 60 % of breaches start with a known patch that no one installed yet.
- AI bots can scan every public IP for that missing patch in minutes.
- Regulations like GDPR want proof you updated on time, not a Post-it note saying “maybe next week.”
So we automated. Not because it’s trendy—because the math is brutal.
The Tools We Actually Use
We run a mix of RHEL, Ubuntu, and a few stubborn CentOS boxes. One size doesn’t fit all, so we picked three tools and glued them together.
- Ansible Automation Platform for the heavy lifting. It pushes patches, restarts services, and sends a Slack summary. Here’s the deep dive we followed.
- Livepatch on every Ubuntu host that can’t reboot (think customer-facing web nodes). Canonical’s docs got us going in 10 minutes.
- AWS Systems Manager for anything living in EC2. One dashboard shows patch status across regions.
Total monthly cost: less than one late-night page-out.
Our 4-Step Rollout Plan
1. Make a List (Not Fancy, Just Honest)
We dumped every box into a spreadsheet. Then tagged each row:
- “customer data”
- “dev playground”
- “can’t reboot without calling the CEO”
That last tag alone saved us from a 2 p.m. outage.
2. Build a Test Kitchen
Before touching prod we spin up disposable containers that look like prod. If the patch breaks anything, the container dies quietly. No humans harmed.
We stole the idea from baking shows: taste the batter before you bake the cake.
3. Roll in Waves
We update 5 % of hosts first. Then we watch. If Grafana stays green for 30 minutes, the next wave starts. One systemd timer handles the schedule:
[Timer] OnCalendar=*-*-* 03:00:00 Persistent=true
Three lines. Zero missed nights.
4. Keep a Big Red “Undo” Button
We snapshot every root volume with Btrfs. Bad patch? One command rolls back 30 seconds.
I’ve used it twice. Each time I sent a “never mind, we’re good” message before anyone noticed.
Security Extras We Layer On
- Every package must have a GPG signature. No signature, no install.
- OpenSCAP scans run nightly and email us a PDF report. Auditors love PDFs.
- We block any patch flagged “critical” from auto-installing until a human clicks “approve.” Humans still matter.
What We Watch Like a Hawk
Automation is not autopilot. We pipe logs into Loki and set two alerts:
- Patch failed.
- Patch succeeded but service health dropped.
Both hit Slack. If it’s 2 p.m. on a Tuesday, we mute the second alert. If it’s 2 a.m. on a Sunday, we wake up.
Common Screw-Ups (and How We Dodge Them)
- Ignoring firmware. We run
fwupdonce a week. A NIC with old microcode once cost us 10 Gbps of throughput. Never again. - Blind automation. Kernel bumps still get a 15-minute review. A junior engineer once typo’d “install” into “uninstall.” That manual gate caught it.
- Forgetting dev laptops. Developers hate reboots. We gave them Livepatch and scheduled reboots at lunch. They stopped complaining.
Quick Checklist (Print and Tape to Your Monitor)
- Inventory every box
- Test in containers
- Sign and verify updates
- Keep one-click rollback
- Log everything
- Update firmware too
That’s it. No magic, no buzzwords—just a quieter inbox and servers that patch themselves while we sleep.
Questions We Still Get
Q: Will automation break stuff?
Only if you skip testing. Think of testing as your seatbelt—not optional.
Q: What about edge devices on 3G?
We run a tiny agent called MicroMDM that queues patches until the link is idle. Works on Raspberry Pi 3s sitting on wind turbines.
Q: How do I prove compliance?
Export the OpenSCAP PDF and the Ansible run log. Done. Regulators smile, you move on.
If you’re still SSH-ing into boxes at midnight, grab this post, pick one tool, and patch five hosts tonight. Tomorrow morning you’ll already be ahead of the bots.
