Avoiding multiple restarts
I saw someone make reference to that if you detect AND stage that when it comes time to deploy the device will keep restarting until complete. Is this correct?
Im mostly patching servers which restart immediately with no notifications when deploying. Once again, this month, Im faced with having to deploy multiple times to complete. Im hopeful if I run a detect and stage in these that the servers will complete without multiple deploy schedules.
Just want to add what I have experienced and what I have been told through KACE training and at UserKon:
- Detect and Deploy: As @barchetta discovered is basically the sledge hammer of schedules. It is "brutal" but very handy. It runs a Detect for missing patches. The system then Deploys all non-rebooting patches first. If a patch is detected missing that requires a reboot, it will install it last, initiate the schedules reboot action, then run another Detect after reboot completes. If not, it will initiate another Detect without the reboot. In either case (reboot or not), the follow-up detect will check for further required patches and then deploy again. This will continue until:
- No patches are detected missing (system is up to date). Caveat would be patches that have repeatedly failed to install until the failure threshold has been met.
- Either Detect or Deploy action timeout is reached
- If configured, the End After timeout is reached
- Detect and Detect and Stage: Both schedule types Detect missing patches. The difference is that the detect and stage will then download those missing patches. One vitally important reason to detect frequently: If you configure KACE to only download patches detected as missing (best practice), KACE will not download patches it hasn't first detected as missing. Seems obvious but often overlooked. You separately configure a download schedule for patches. That download schedule downloads patches that have been detected as missing. Detecting frequently then accomplishes two things:
- As @Hobbsy stated, it gives you more accurate reporting/visibility of what is required by your systems.
- More importantly, your KACE system now knows patches are missing from devices that it needs to download in order to deploy.
- Deploy: First off, a deploy cannot run without first a detect. As stated above, the system will prioritize non-rebooting patches over those requiring reboot. It will install all patches it possibly can until the first reboot is required. Once a reboot is hit, it initiates the schedules reboot action and... done. Same thing if non-rebooting dependency patches were installed. The patches that required them will not install because a formal detect of the system has not executed. So, even if the system requires more patches, the deployment is complete. It also cannot, with full confidence, deploy multiple rebooting patches without a detect to verify the system. Now this schedule does, kinda, detect, but only that the patches it deployed were indeed installed.
Hope that helps and hopefully still correct. Happy patching!
I agree with all of this.. Sounds like KACE understands their own product now, at least when it comes to patching.. A step in the right direction. I should point out, be sure and have your end after timeout set, as you could wind up with servers restarting in the middle of the day without it . I cant talk about specifics of this right now, but trust me on this. Just set it for 3 hrs. Lastly, did anyone bring up the lunacy of the run now button with no verification dialog? Anyone who patches servers... you better mind yourself when editing schedules during the day.. the run now button is right next to it.. one wrong click and you may very well lose your job. - barchetta 9 months ago
Absolutely agree that the End After should always be configured. And I cannot tell you how often I've seen the phases maxed out at 6 hours. Please don't do that. If it takes 6 hours to detect or deploy in a single phase, there's a problem.
And yes, Run Now, right there, easy to hit by accident. Not a fan. If you hit it, it's a mad dash to the Agent queue to delete the patch tasks before they get to Deploy phase lol. - Techman D 9 months ago
Im not sure why you are seeing 6 hrs.. Im not going to debate because every environment is different. I use missing = true and status = active amungst others. But Im only doing MS server patching. My label for deploy and detect currently has 3 missing patches for 92 servers. So we are talking worst case 3 restarts.. In your case, Id recommend staging so your patch isnt taking 6 hrs.. Im noticing on servers around 2 hrs max right now. When I kicked this off, servers were missing a ton of them and then it maybe took 3-5 hrs.. But now my baseline is good and Im only applying last months patches essentially.. now on a new server, I just manually install when I build it so it doesnt take so long.
I cannot tell you how angry I am about the run now button, especially since I clicked it once about 2 months ago in the middle of the day. I got lucky, and I didnt have 33 servers restart in the middle of the day.. only because the catalog had not downloaded yet. And I see you know how to deal with it.. but you have to move very quickly.. if you staged, you wont beat it to the queue. Your restarts will begin immediately. - barchetta 9 months ago
Time was when all this was clear, but maybe a Quest guy can clarify? My understanding is that if you “Detect and Deploy” if multiple reboots are required, then they will happen one after the other. If you are “Deploy”ing only then the reboots are grouped together as a single reboot.
So from what you say if you “Detect and Stage” and the “Deploy only” the chances are you will reduce the number of reboots that have to happen.
My one word of warning is that “Detect and deploy” is really detect-deploy-detect so you get better information uploaded after the schedule, whereas “Deploy only” tends to need a follow up “Detect” to upload more accurate results.
That is why when configuring customer patching we tend to run regular “Detects” regardless of when we deploy as it gives us more accurate reporting.
I did my own testing and what I found was, if you want to get all patches installed in one swoop it is quite simple. A stage is not necessary #1. #2. simply do a detect and deploy. It is that simple. I checked my event logs and sure enough.. a dependent patch is installed, server reboots and the patches that needed that patch are applied and the server reboots.. EXACTLY what I wanted but KACE: I could be wrong, but the documentation does not indicate this.. Im not talking about some hidden KB, Im talking about Admin guide. What else do I not know about. The admin guide is terrible. I think we all know which kace team wrote it. Furthermore, when I opened a ticket I was told this wasnt impossble. Probably because kace tech is looking at same manual.
This is going to save me a lot of weekend screwing around.
I should note: the ONLY reason I wasnt doing a detect and deploy is because kace told me it was not best practice.
And another note: to avoid long deploys I am using a detect label of all MISSING updates.. Detect runs in about 5 seconds as a result.
Im not gonna do a stage because I run detect during business hours and I dont want all that traffic at that time. - barchetta 1 year ago