Cockpit, ansible, or a little ssh script.
For weekly patching, I use a little ssh script. The simplicity is why.
Ansible and Cockpit need ssh configured anyway, so a little loop over all the DNS names or IPs in a list works fine. Regardless, you'll probably want to setup a "deployXYZ123" account on each system that allows ssh via ssh-keys and sudo without a password for apt-get update and apt-get full-upgrade, just to make life easy.
Code:
#!/bin/sh
CMD1="apt-get update"
CMD2="apt-get dist-upgrade"
ssh server1 "sudo $CMD1; sudo $CMD2;"
ssh server2 "sudo $CMD1; sudo $CMD2;"
....
ssh server99 "sudo $CMD1; sudo $CMD2;"
May want to setup a ~/.ssh/config file to fill in what "server32" means - userid, IP/hostname, non-standard port?
If you need special other things in the command on a box, add those too. I like to remove all excess snap package versions, for example, but only 3 of my systems have snaps loaded.
I like to force a youtube-dl update on 3 systems as well - not the same. The youtube-dl install isn't in the "deployXYZ123" account, it is in my personal account on those systems ... so I don't use the same "serverX" name, I use the real hostname, but the ssh romulus "youtube-dl -U" command does the right thing.
"KISS" - https://en.wikipedia.org/wiki/KISS_principle . Only make things as complex as necessary.
Sure, we can use all sorts of tools - F/LOSS, freeware, or paid for these things. But none are as easy as the simple ssh-script above, IMHO.
Bookmarks