WSUS patching and rebooting?

    Question

  • I've configured WSUS and the patching/rebooting for my cluster-nodes through the regular GPO channels.

    However, there isn't an option that works well for my requirements on the cluster:
      2 - Notify for download and notify for install
      3 - Auto download and notify for install
      4 - Auto download and schedule the install
      5 - Allow local admin to choose setting

    #2 won't work, since nobody uses the compute node's console.  #3 is better, but still won't work since we don't have a user on the console.  #4 won't work because this option reboots Windows computers in the middle of the night -- this is annoying for an office worker, but a showstopper that makes scientific users very angry (think about a computer being automatically rebooted on day 13 of a 14-day simulation).  #5 won't work, since there's no local admin to speak of.

    I chose #3 for my nodes, but I have dozens of nodes that don't have all of the patches that they should.

    When rebooting manually, the GUI only gives me the option to "install patches and shutdown".  Shutdown /? doesn't say anything about installing patches.

    My questions are:
    1. Am I missing any implicit behaviors of Win2k8 or the HPC Pack?
    2. Is there a way to cause the patches to be updated when I reboot a node remotely for some other reason?
    3. Is there a better solution to the patches that require a reboot in this environment?

    Thanks,
    -Luke
    Wednesday, August 12, 2009 6:50 PM

Answers

  • Hi Luke
    I use the following process here:

    Group Policy sets the update behaviour of nodes as 3. Auto download and notify for install
    A node template 'Apply Updates' maintenance task (configured to install All updates rather than just critical) actions installation of all WSUS approved updates to nodes associated with the template. This is a pretty good way to operate as setting a node to Maintain requires that it is first set to Offline, which will drain jobs before any maintenance is carried out. As you say the last thing we want is a forced reboot interrupting cluster jobs.
    Of course this process is not fully automated - the admin needs to offline / maintain nodes - but it works well enough. It could probably be put into a PowerShell script with a little thought.
    There's a whole bunch of detail about updating nodes in the docs: http://technet.microsoft.com/en-us/library/cc718992(WS.10).aspx

    Cheers
    Dan
    Thursday, August 13, 2009 8:57 AM
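
One way to see which nodes still have WSUS-approved updates waiting, or a reboot pending, before they are set Offline for maintenance (an added example, not part of the original thread). It assumes PowerShell remoting is enabled on the nodes; the node names are constructed placeholders.

```powershell
# Added example: report pending updates and reboot state per compute node.
# Node names are constructed placeholders; replace with your own.
$Nodes = @('NODE001', 'NODE002')

$audit = {
    # Windows Update Agent COM API. With the WSUS policy applied, the default
    # search is answered by the configured WSUS server, so the result lists
    # updates that server offers to this node.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $sysInfo  = New-Object -ComObject Microsoft.Update.SystemInfo
    $updates  = @($result.Updates | ForEach-Object { $_ })

    New-Object PSObject -Property @{
        Node           = $env:COMPUTERNAME
        Pending        = $updates.Count
        Downloaded     = @($updates | Where-Object { $_.IsDownloaded }).Count
        RebootRequired = $sysInfo.RebootRequired
        Error          = $null
    }
}

$report = foreach ($node in $Nodes) {
    try {
        Invoke-Command -ComputerName $node -ScriptBlock $audit -ErrorAction Stop
    } catch {
        # Unreachable or failing nodes stay in the report instead of vanishing.
        New-Object PSObject -Property @{
            Node           = $node
            Pending        = $null
            Downloaded     = $null
            RebootRequired = $null
            Error          = $_.Exception.Message
        }
    }
}

# Nodes that need attention: missing updates, a pending reboot, or no answer.
$report |
    Where-Object { $_.Pending -gt 0 -or $_.RebootRequired -or $_.Error } |
    Sort-Object Node |
    Format-Table Node, Pending, Downloaded, RebootRequired, Error -AutoSize
```

The script only searches; it does not download, install or reboot, so it is safe to run against nodes that are still Online and running jobs.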

All replies

  • I think you're misunderstanding the way those settings interact with WSUS because our admins here misunderstood it originally as well.

    Option 3 is what you want. You do not need a user logged into the console to approve the install because WSUS is approving the install. So if you set auto download and notify for install the servers will auto download and in the event log you'll see a note that "Patches ready for install and will be installed at <whatever you set the deadline as in WSUS>". Once that time hits, the patches will auto install and reboot, no need for any interaction. The wording of the policy is deceiving though, I grant you that.

    Sunday, February 20, 2011 7:35 PM