What are your experiences with patch detection (and deployment)?
So I've prepared patching on the K1000aaS; subscriptions, labels, tested it within IT to get a feel for the process, implemented it on servers. That part is fine.
When I first turned on detect for all computers, ~1150, the K1000 was getting crushed. The load average under Settings > Provisioning > Communication Settings was unbelievably high. 80 was the high score. On a scale of 10. I understand that the first detect generated a lot more data, and all of it hitting at once was probably not good, so I changed the schedule from a specific time, to be once every 24 hours, and now it's only reporting new missing patches, and the computers are naturally staggered throughout the day.
I was always told that detects are a very minor task, and doesn't require many resources, which is why I turned it on with a set schedule. (Users have never noticed anything.) Even though things have calmed down, I still see the load average above 10 or even 20, while the Security > Schedules page shows maybe 50 detects executing, give or take.
When I turn on patching, I plan on having it run at night, so it doesn't impact things during the workday.
The only other things I have running are Inventory and one service desk queue. No scripts, no installations, no provision schedules, no network discovery, no monitoring.
I have a ticket open with support, but they've only said they don't see anything wrong, and I don't feel like I'm getting much help from them.
Environment: K1000 as a service, version 6.3, replication shares in each remote office.
So my questions for anyone are:
Have you seen similar load while doing detects? Does this seem normal?
How are your detects/deploys staggered?
1 Comment
[ + ] Show comment
-
Hello KACE_Mary here from KACE Support. Can you please email me your Open ticket so I can provide further guidance? Mary_scherich@dell.com. - KACE_Mary 8 years ago
Answers (4)
Please log in to answer
Posted by:
rockhead44
8 years ago
I have no more than 500 computers at a time actively engaged in detect/deploy processes and have no issues. I manage this via patch schedules.
Comments:
-
Do you mean 500 computers targeted at once, or 500 computers executing at once? While 1000 computers might be targeted for a detect, the Executing column in the Patch Schedule view shows an average of 30-80 running at any given time. - ondrar 8 years ago
-
500 targeted at once - rockhead44 8 years ago
Posted by:
ondrar
8 years ago
In the end, I broke the Detect schedule up into staggered groups, which alleviated all the pressure on the K1.
Patching runs fine overnight, when users leave their computers on, at least, but that's another story.
Comments:
-
I did the same breaking down detection for patch groups such by patch vendor. We do not use the OS patching on KACE so it is just for 3rd party software and plug-ins. - bwilkerson 8 years ago
-
When you do your detect, do you have it filtered (the definitions) by label, or are you doing a detect all?
Ah users, if only the K1000 could manage them... - cmccracken 8 years ago-
We decided to defer patches by 7 days, so my patching label is for all patches where the release date is not within the last 7 days, and is not part of a label I created to mark patches that have given us problems. It's almost all of them.
As for targets, I broke our offices into 5 groups, and have a Detect run on one group each day of the week. - ondrar 8 years ago
Posted by:
BHC-Austin
8 years ago
We have roughly 4500 nodes, and our Patching generally works fine. We don't seem to notice any lag or massive increases in Load Average. A couple of things that contribute to this:
Our Inventory interval is 6 hours, with most everything else at 1 day.
We don't use patching for the OS, just Applications.
We detect and deploy for each product on a different schedule. (i.e. MS Office on the 1st, Adobe Reader on the 5th, Silverlight on the 3rd of the month, etc).
Comments:
-
That's certainly an option. I was hoping not to have to break it up, but I'll consider it if things get worse. - ondrar 8 years ago
Posted by:
Nico_K
8 years ago
this is far too high.
The first I would check: Settings > Provisioning > Communication settings
By default the settings are fine for a test box but not for a box with 1k clients.
Set it to much lower settings (Agent Inventory to 6hr (or 12hr) and Metering to 1day)
With this you may be able to run more smoothly.
At first I also would test the settings with a small group so you can be sure the patching works as you want it.
(ask 5 people and you will get 10 advises how to patch)
The first I would check: Settings > Provisioning > Communication settings
By default the settings are fine for a test box but not for a box with 1k clients.
Set it to much lower settings (Agent Inventory to 6hr (or 12hr) and Metering to 1day)
With this you may be able to run more smoothly.
At first I also would test the settings with a small group so you can be sure the patching works as you want it.
(ask 5 people and you will get 10 advises how to patch)
Comments:
-
The Agent Inventory was at 2 hours, but I had already throttled everything else back to 1 day. I'll try setting the inventory to a longer interval.
Patch deployment worked fine with servers, and with the entire IT department.
I know there are KACE customers with many more than 1000 clients, right? How does a company with 10,000 computers detect and patch?
The problem isn't crippling; it just makes the K1000 run a little slower from time to time.
Thanks for the response. - ondrar 8 years ago