Introduction
Managing patches across multiple operating systems in air-gapped environments is a complex and often overlooked challenge. In this project, we designed and implemented a cost-effective, fully automated patch management solutionfor a large infrastructure running RHEL, Ubuntu, Debian, and AIX, without internet access.
The Challenge
- Inconsistent patching across different systems and OS types
- Lack of central visibility into update status
- No access to public mirrors (air-gapped environment)
- Requirement to test patches first in non-production infrastructure
- Minimal budget – commercial patching platforms were not an option
The Solution
š§Architecture Design
- Centralized management via Ansible Automation Platform (AAP)
- Built-in support for:
- RHEL 7/8/9
- Ubuntu 20.04, 22.04
- Debian 10/11/12
- AIX 7.x
š ļøCustom Ansible Roles
- Created reusable roles with the following capabilities:
- OS detection and conditional patch logic
- Use of proxy if available
- Ability to patch only selected packages
- Generate human-readable reports after each run (HTML, CSV, JSON)
š§ŖStaged Testing Workflow
- Scheduled jobs in AAP to patch test infrastructure first
- Manual/automated approval for promotion to production
šPrivate Mirror Solution
- Developed a custom mirror system using Docker containers:
- RHEL: reposync via satellite
- Ubuntu/Debian: apt-mirror inside Docker
- AIX: NIM repository over NFS, containerized mirror with rsync
- MDATP and Microsoft repos mirrored locally
- Synchronization tasks via Ansible scheduler
šMonitoring & Reporting
- AAP job templates with tag-based execution
- Ansible facts + custom role for:
- Last patch date
- Kernel version changes
- Security update coverage
- Aggregated reports stored and exported via central logging
Results
| Feature | Before | After |
|---|---|---|
| Patch consistency | Manual, ad-hoc | Automated & policy-driven |
| OS support | Partial | RHEL, Ubuntu, Debian, AIX |
| Mirror strategy | None | Fully private & containerized |
| Internet dependency | High | Zero external access |
| Reporting | Non-existent | Detailed HTML/CSV reports |
| Testing flow | Missing | Staged patching process with test infrastructure |
Conclusion
This implementation delivered a complete patch management solution with:
- Zero reliance on internet
- Full automation across OSes
- Central control and real-time visibility
By combining Ansible Automation Platform with containerized mirror infrastructure, we enabled scalable patching at minimal cost ā tailored to both modern and legacy environments.
