    linux-patcher

    Automated Linux server patching and Docker container updates.

    By @jgm2025
    SKILL.md
    ---
    name: linux-patcher
    description: Automated Linux server patching and Docker container updates. Use when the user asks to update, patch, or upgrade Linux servers, apply security updates, update Docker containers, check for system updates, or manage server maintenance across multiple hosts. Supports Ubuntu, Debian, RHEL, AlmaLinux, Rocky Linux, CentOS, Amazon Linux, and SUSE. Includes PatchMon integration for automatic host detection and intelligent Docker handling.
    ---
    
    # Linux Patcher
    
    Automate Linux server patching and Docker container updates across multiple hosts via SSH.
    
    ## āš ļø Important Disclaimers
    
    ### Distribution Support Status
    
    **Fully Tested:**
    - ✅ **Ubuntu** - Tested end-to-end with real infrastructure
    
    **Supported but Untested:**
    - ⚠️ **Debian GNU/Linux** - Commands based on official documentation
    - ⚠️ **Amazon Linux** - Supports both AL2 (yum) and AL2023 (dnf)
    - ⚠️ **RHEL (Red Hat Enterprise Linux)** - Supports RHEL 7 (yum) and 8+ (dnf)
    - ⚠️ **AlmaLinux** - RHEL-compatible, uses dnf
    - ⚠️ **Rocky Linux** - RHEL-compatible, uses dnf
    - ⚠️ **CentOS** - Supports CentOS 7 (yum) and 8+ (dnf)
    - ⚠️ **SUSE/OpenSUSE** - Uses zypper package manager
    
    **Testing Recommendation:**
    Always test untested distributions in a non-production environment first. The script will warn you when running on untested distributions.
    
    ### Security Notice
    
    This skill requires:
    - **Passwordless sudo access** - `NOPASSWD` rules limited to the package manager and `docker`. These commands are root-equivalent (`apt` runs arbitrary `APT::Update::Pre-Invoke` hooks, `docker` can run a container with `/` bind-mounted), so the rules protect against mistakes by the automation, not against whoever holds the SSH key. Treat that key as a root credential for every target host.
    - **SSH key authentication** - No passwords stored or transmitted
    - **PatchMon credentials** - Stored in plaintext in a mode-600 file in the user's home directory; anyone who can read that file can query PatchMon as you
    
    **Read `SETUP.md` for complete security configuration guide.**
    
    ## Quick Start
    
    ### Automated (Recommended)
    
    **Patch all hosts from PatchMon** (automatic detection):
    ```bash
    scripts/patch-auto.sh
    ```
    
    **Skip Docker updates** (packages only):
    ```bash
    scripts/patch-auto.sh --skip-docker
    ```
    
    **Preview changes** (dry-run):
    ```bash
    scripts/patch-auto.sh --dry-run
    ```
    
    ### Manual (Alternative)
    
    **Single host - packages only**:
    ```bash
    scripts/patch-host-only.sh user@hostname
    ```
    
    **Single host - full update**:
    ```bash
    scripts/patch-host-full.sh user@hostname /path/to/docker/compose
    ```
    
    **Multiple hosts from config**:
    ```bash
    scripts/patch-multiple.sh config-file.conf
    ```
    
    ## Features
    
    - **PatchMon integration** - Automatically detects hosts needing updates
    - **Smart Docker detection** - Auto-detects Docker and Compose paths
    - **Selective updates** - Skip Docker updates with `--skip-docker` flag
    - **Scoped sudo rules** - Only the package manager and `docker` need `NOPASSWD`; configure them with `visudo` or an `/etc/sudoers.d/` drop-in
    - **SSH key authentication** - No password prompts
    - **Parallel execution** - Update multiple hosts simultaneously
    - **Dry-run mode** - Preview changes without applying
    - **Manual override** - Run updates on specific hosts without PatchMon
    
    ## Configuration
    
    ### Option 1: Automatic via PatchMon (Recommended)
    
    Configure PatchMon credentials for automatic host detection. The file holds the PatchMon password in plaintext, so keep it readable by your user only (mode 600):
    
    ```bash
    cp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf
    nano ~/.patchmon-credentials.conf
    ```
    
    Set your credentials:
    ```bash
    PATCHMON_URL=https://patchmon.example.com
    PATCHMON_USERNAME=your-username
    PATCHMON_PASSWORD=your-password
    ```
    
    Then simply run:
    ```bash
    scripts/patch-auto.sh
    ```
    
    The script will:
    1. Query PatchMon for hosts needing updates
    2. Auto-detect Docker on each host
    3. Apply appropriate updates (host-only or full)
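As an added example (not code from the linux-patcher project), the following loader reads `~/.patchmon-credentials.conf` the way a cautious `patch-auto.sh` would: it refuses a file owned by someone else or readable by other users, parses only the three keys shown above instead of `source`-ing the file (a sourced config is executable code), and rejects a plain `http://` URL. The function name and the exact set of checks are my choices; the file format is the one shown above.

```bash
#!/usr/bin/env bash
# Added example, not linux-patcher's own code: load ~/.patchmon-credentials.conf
# without executing it, and refuse a file that other users could read.
set -u

# load_patchmon_credentials FILE
# Exports PATCHMON_URL, PATCHMON_USERNAME and PATCHMON_PASSWORD from FILE.
# Returns 1 if the file is missing, not owned by us, readable by group/others,
# contains a key other than those three, lacks one of them, or uses plain http.
load_patchmon_credentials() {
    local file="$1" mode owner key value

    [ -f "$file" ] || { echo "credentials file not found: $file" >&2; return 1; }
    # GNU stat and BSD/macOS stat spell the format flags differently; try both.
    owner=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    [ "$owner" = "$(id -u)" ] || { echo "refusing $file: not owned by uid $(id -u)" >&2; return 1; }
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 (run: chmod 600 $file)" >&2; return 1 ;;
    esac

    # Parse KEY=VALUE lines ourselves: `source` would run anything written
    # into the file, and the file is exactly the thing we do not fully trust.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        key=${key//[[:space:]]/}
        case "$key" in
            ''|'#'*) continue ;;                     # blank line or comment
            PATCHMON_URL|PATCHMON_USERNAME|PATCHMON_PASSWORD)
                value=${value%\"}; value=${value#\"}  # tolerate "quoted" values
                printf -v "$key" '%s' "$value"
                export "$key" ;;
            *) echo "refusing $file: unexpected key '$key'" >&2; return 1 ;;
        esac
    done < "$file"

    for key in PATCHMON_URL PATCHMON_USERNAME PATCHMON_PASSWORD; do
        [ -n "${!key:-}" ] || { echo "refusing $file: $key is not set" >&2; return 1; }
    done
    # The password is sent to the server at login, so never accept a plaintext URL.
    case "$PATCHMON_URL" in
        https://*) return 0 ;;
        *) echo "refusing $file: PATCHMON_URL must start with https://" >&2; return 1 ;;
    esac
}
```

Call it as `load_patchmon_credentials ~/.patchmon-credentials.conf || exit 1` before the first `curl` to PatchMon; a group- or world-readable file fails closed with a message telling the user to `chmod 600` it, and a stray line such as `PATH=...` in the file is rejected rather than silently applied.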
    
    ### Option 2: Single Host (Quick Manual)
    
    Run scripts directly with command-line arguments (no config file needed).
    
    ### Option 3: Multiple Hosts (Manual Config)
    
    Create a config file based on `scripts/patch-hosts-config.example.sh`:
    
    ```bash
    cp scripts/patch-hosts-config.example.sh my-servers.conf
    nano my-servers.conf
    ```
    
    Example config:
    ```bash
    # Host definitions: hostname,ssh_user,docker_path
    HOSTS=(
      "webserver.example.com,ubuntu,/opt/docker"
      "database.example.com,root,/home/admin/compose"
      "monitor.example.com,docker,/srv/monitoring"
    )
    
    # Update mode: "host-only" or "full"
    UPDATE_MODE="full"
    
    # Dry run mode (set to "false" to apply changes)
    DRY_RUN="true"
    ```
    
    Then run:
    ```bash
    scripts/patch-multiple.sh my-servers.conf
    ```
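The `HOSTS` array is bash syntax, so a config file in this format is normally `source`d, which makes the config file itself code that runs on the control machine. This added example (not the project's `patch-multiple.sh`) scans the file for the quoted `hostname,ssh_user,docker_path` entries instead and validates each field before it could appear on an `ssh` command line or in a remote `cd`. Function names and the exact character sets are my choices; the entry format is the one shown above.

```bash
#!/usr/bin/env bash
# Added example, not linux-patcher's own code: read the HOSTS=( ... ) array
# from a hosts config without sourcing it, and validate every field before it
# can reach an ssh command line or a remote `cd`.
set -u

HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
USERNAME_RE='^[a-z_][a-z0-9_-]{0,31}$'
DOCKER_PATH_RE='^/[A-Za-z0-9._/-]+$'
ENTRY_RE='^"([^"]*)"'

# validate_host_entry "hostname,ssh_user,docker_path"
# Prints hostname<TAB>user<TAB>path on success; returns 1 on any violation.
validate_host_entry() {
    local entry="$1" host user path
    IFS=',' read -r host user path <<< "$entry"

    # RFC 1123 host labels only. The case that matters: a "host" beginning
    # with '-' is parsed by ssh as an option (e.g. -oProxyCommand=...).
    [[ "$host" =~ $HOSTNAME_RE ]] \
        || { echo "rejected hostname '$host' in entry: $entry" >&2; return 1; }
    # Plain Unix account names; nothing that is also a shell metacharacter.
    [[ "$user" =~ $USERNAME_RE ]] \
        || { echo "rejected ssh_user '$user' in entry: $entry" >&2; return 1; }
    # Absolute path from a conservative character set, no '..' components, so
    # it can be interpolated into the remote command without quoting surprises.
    [[ "$path" =~ $DOCKER_PATH_RE && "$path" != *..* ]] \
        || { echo "rejected docker_path '$path' in entry: $entry" >&2; return 1; }

    printf '%s\t%s\t%s\n' "$host" "$user" "$path"
}

# read_host_entries FILE
# Prints the quoted elements of HOSTS=( ... ), one per line, using a line
# scanner instead of `source`, so a tampered config cannot execute here.
read_host_entries() {
    local file="$1" line in_array=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
        if [ "$in_array" -eq 0 ]; then
            [[ "$line" == HOSTS=\(* ]] && in_array=1
            continue
        fi
        [[ "$line" == \)* ]] && break
        [[ "$line" =~ $ENTRY_RE ]] && printf '%s\n' "${BASH_REMATCH[1]}"
    done < "$file"
}

# load_hosts FILE
# Prints one validated host<TAB>user<TAB>path line per good entry; the return
# value is the number of rejected entries, so callers can refuse partial runs.
load_hosts() {
    local entry rejected=0
    while IFS= read -r entry; do
        validate_host_entry "$entry" || rejected=$((rejected + 1))
    done < <(read_host_entries "$1")
    return "$rejected"
}
```

`load_hosts my-servers.conf` prints one tab-separated line per accepted entry and returns the number of rejected ones, so a caller can run `load_hosts my-servers.conf > hosts.tsv || { echo 'bad config'; exit 1; }` and refuse to start a run with any bad entry. `UPDATE_MODE` and `DRY_RUN` can be read with the same line scanner.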
    
    ## Prerequisites
    
    ### Required on Control Machine (where OpenClaw runs)
    
    - [ ] **OpenClaw** installed and running
    - [ ] **SSH client** installed (`ssh` command available)
    - [ ] **Bash** 4.0 or higher
    - [ ] **curl** installed (for PatchMon API)
    - [ ] **jq** installed (for JSON parsing)
    - [ ] **PatchMon** server reachable over HTTPS (required for automatic mode only; manual mode works without it)
      - Does NOT need to be on the OpenClaw host
      - Can be installed on any server accessible via HTTPS
      - Download: https://github.com/PatchMon/PatchMon
    
    **Install missing tools:**
    ```bash
    # Ubuntu/Debian
    sudo apt install curl jq
    
    # RHEL/CentOS/Rocky/Alma
    sudo dnf install curl jq
    
    # macOS
    brew install curl jq
    ```
    
    ### Required on Target Hosts
    
    - [ ] **SSH server** running and accessible
    - [ ] **SSH key authentication** configured (passwordless login)
    - [ ] **Passwordless sudo** configured for patching commands (see SETUP.md)
    - [ ] **Docker** installed (optional, only for full updates)
    - [ ] **Docker Compose** installed (optional, only for full updates)
    - [ ] **PatchMon agent** installed and reporting (optional but recommended)
    
    ### PatchMon Setup (Required for Automatic Mode)
    
    **PatchMon is required to automatically detect which hosts need patching.**
    
    **Important:** PatchMon does NOT need to be installed on the same server as OpenClaw. Install PatchMon on a separate server (can be any server on your network), and OpenClaw will query it via API.
    
    **Download PatchMon:**
    - **GitHub:** https://github.com/PatchMon/PatchMon
    - **Documentation:** https://docs.patchmon.net
    
    **What you need:**
    - [ ] PatchMon server installed on ANY accessible server (not necessarily the OpenClaw host)
    - [ ] PatchMon agents installed on all target hosts you want to patch
    - [ ] PatchMon API credentials (username/password)
    - [ ] Network connectivity from OpenClaw host to PatchMon server (HTTPS)
    
    **Architecture:**
    ```
    ┌─────────────────┐      HTTPS API      ┌─────────────────┐
    │ OpenClaw Host   │ ──────────────────> │ PatchMon Server │
    │ (this machine)  │    Query updates    │ (separate host) │
    └─────────────────┘                     └─────────────────┘
                                                      │
                                                      │ Reports
                                                      ▼
                                             ┌─────────────────┐
                                             │ Target Hosts    │
                                             │ (with agents)   │
                                             └─────────────────┘
    ```
    
    **Quick Start:**
    1. Install PatchMon server on a separate server (see GitHub repo)
    2. Install PatchMon agents on all hosts you want to patch
    3. Configure OpenClaw to access PatchMon API:
    
    ```bash
    cp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf
    nano ~/.patchmon-credentials.conf  # Set PatchMon server URL
    chmod 600 ~/.patchmon-credentials.conf
    ```
    
    **Detailed setup:**
    See `references/patchmon-setup.md` for complete installation guide.
    
    **Can I use this skill without PatchMon?**
    Yes! You can use manual mode to target specific hosts without PatchMon. However, automatic detection of hosts needing updates requires PatchMon.
    
    ### On Target Hosts
    
    **Required:**
    - SSH server running
    - Passwordless sudo for the SSH user (for the package manager and, for full updates, `docker`)
    - PatchMon agent installed and reporting (for automatic mode)
    
    **For full updates:**
    - Docker and Docker Compose installed
    - Docker Compose files exist at specified paths
    
    ### Configure Passwordless Sudo
    
    On each target host, create `/etc/sudoers.d/patches` with `visudo -f /etc/sudoers.d/patches`, which syntax-checks the file and saves it with the 0440 mode sudo expects (a syntax error in a drop-in can break `sudo` for every user on the host):
    
    ```bash
    # For Ubuntu/Debian systems
    username ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/docker
    
    # For RHEL/CentOS systems
    username ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/bin/docker, /usr/bin/dnf
    ```
    
    Replace `username` with your SSH user; on SUSE hosts list `/usr/bin/zypper` in place of the apt or yum/dnf binaries. Verify with `sudo -l` as that user. Keep in mind that `apt`, `yum`/`dnf` and `docker` can each be used to obtain a root shell (for example via `apt`'s `APT::Update::Pre-Invoke` option, or by running a container with `/` bind-mounted), so the rule limits what the automation does by accident, not what an attacker holding the SSH key can do.
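To create the drop-in with the checks sudo itself relies on, here is an added example (not part of the linux-patcher scripts) that renders the rule for a given user and distro family, syntax-checks it with `visudo -cf`, and installs it as `root:root` mode 0440. The function names, the `(root)` target instead of `(ALL)`, and listing `apt-get` and `zypper` alongside the binaries above are my choices, not the project's.

```bash
#!/usr/bin/env bash
# Added example, not part of the linux-patcher scripts: render the sudoers
# drop-in for the patching user, syntax-check it with visudo, then install it
# with the mode sudo requires.
set -u

SUDO_USER_RE='^[a-z_][a-z0-9_-]{0,31}$'

# render_sudoers_rule USER FAMILY
# FAMILY is debian (apt), rhel (yum/dnf) or suse (zypper). Prints one rule.
render_sudoers_rule() {
    local user="$1" family="$2" cmds
    # A username with spaces, ':' or '=' would change the meaning of the rule
    # or make the file unparsable, so refuse anything but a plain account name.
    [[ "$user" =~ $SUDO_USER_RE ]] \
        || { echo "invalid username: '$user'" >&2; return 1; }
    case "$family" in
        debian) cmds='/usr/bin/apt, /usr/bin/apt-get, /usr/bin/docker' ;;
        rhel)   cmds='/usr/bin/yum, /usr/bin/dnf, /usr/bin/docker' ;;
        suse)   cmds='/usr/bin/zypper, /usr/bin/docker' ;;
        *) echo "unknown distro family: '$family'" >&2; return 1 ;;
    esac
    # (root) rather than (ALL): the patcher never needs to become another user.
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmds"
}

# install_sudoers_rule USER FAMILY [TARGET]
# Writes the rule to a temp file, runs `visudo -cf` on it and only then
# installs it as root:root 0440. Nothing touches /etc until the check passes.
install_sudoers_rule() {
    local user="$1" family="$2" target="${3:-/etc/sudoers.d/patches}" tmp
    tmp=$(mktemp) || return 1
    if ! render_sudoers_rule "$user" "$family" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! visudo -cf "$tmp"; then
        echo "visudo rejected the rule; leaving $target untouched" >&2
        rm -f "$tmp"; return 1
    fi
    if install -o root -g root -m 0440 "$tmp" "$target"; then
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 1
}
```

Run `install_sudoers_rule deploy debian` as root on the target; afterwards `sudo -l -U deploy` should list exactly the three binaries and nothing else.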
    
    ## Update Modes
    
    ### Host-Only Updates
    
    Updates system packages only:
    - Run `apt update && apt upgrade` (`dnf upgrade` or `yum update` on the RHEL family, `zypper update` on SUSE)
    - Remove packages that are no longer needed (`apt autoremove`)
    - **Does NOT** touch Docker containers
    
    **When to use:**
    - Hosts without Docker
    - Security patches only
    - Minimal downtime required
    
    ### Full Updates
    
    Complete update cycle:
    - Update system packages
    - Clean up Docker (`docker system prune -af`)
    - Pull the latest images for the Compose project
    - Recreate the containers whose image or configuration changed
    - **Causes a brief service interruption** for every recreated container
    
    Two caveats on the cleanup step: `docker system prune -a` removes every image not used by a running container, including the images of stopped containers and the previous version you would roll back to, and `-f` skips the confirmation prompt. Named volumes are left alone unless `--volumes` is added, so data is not at risk, but rolling back after a bad image means pulling the old tag again.
    
    **When to use:**
    - Docker-based infrastructure
    - Regular maintenance windows
    - Application updates available
    
    ## Workflow
    
    ### Automatic Workflow (patch-auto.sh)
    
    1. **Query PatchMon** - Fetch hosts needing updates via API
    2. **For each host:**
       - SSH into host
       - Check if Docker is installed
       - Auto-detect Docker Compose path (if not specified)
       - Apply host-only OR full update based on Docker detection
    3. **Report results** - Summary of successful/failed updates
    
    ### Host-Only Update Process
    
    1. SSH into target host
    2. Run `sudo apt update`
    3. Run `sudo apt -y upgrade`
    4. Run `sudo apt -y autoremove`
    5. Report results
    
    On RHEL-family hosts the equivalent of steps 2-4 is `sudo dnf -y upgrade && sudo dnf -y autoremove` (or `yum` on RHEL 7, CentOS 7 and AL2); on SUSE it is `sudo zypper --non-interactive refresh && sudo zypper --non-interactive update`.
    
    ### Full Update Process
    
    1. SSH into target host
    2. Run `sudo apt update && sudo apt -y upgrade && sudo apt -y autoremove`
    3. Change to the Docker Compose directory
    4. Run `sudo docker system prune -af` (cleanup)
    5. Run `sudo docker compose pull` to fetch every image referenced by the Compose file
    6. Run `sudo docker compose up -d` (recreate the containers that changed)
    7. Report results
    
    ### Docker Detection Logic
    
    When using automatic mode:
    - **Docker installed + compose file found** → Full update
    - **Docker installed + no compose file** → Host-only update
    - **Docker not installed** → Host-only update
    - **--skip-docker flag set** → Host-only update (ignores Docker)
    
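To make the host-only and full processes above, and the Docker decision that precedes them, concrete, here is an added example (not the project's `patch-host-*.sh` code) that selects the package manager from a host's `/etc/os-release`, builds the remote command for either mode with a dry-run variant, and streams it to the host over `ssh`. Function names are mine, and the Docker sequence deliberately departs from the page's: it pulls, recreates, and only then prunes dangling images (no `-a`), so a failed pull or `up` leaves the previous image in place. The distro mapping follows the support matrix at the top of the page; the `ID_LIKE` fallback for derivatives is my addition.

```bash
#!/usr/bin/env bash
# Added example, not the project's patch-host-*.sh code: choose the package
# manager from /etc/os-release, build the remote command for a host-only or
# full update (with a dry-run form), and stream it to the host over ssh.
set -u

# detect_pkg_manager OS_RELEASE_TEXT
# Prints apt-get, dnf, yum or zypper following the support matrix above;
# returns 1 for anything else. Derivatives are resolved through ID_LIKE.
detect_pkg_manager() {
    local text="$1" id='' id_like='' version_id='' key value major
    while IFS='=' read -r key value; do
        value=${value%\"}; value=${value#\"}        # strip optional quotes
        case "$key" in
            ID)         id=$value ;;
            ID_LIKE)    id_like=$value ;;
            VERSION_ID) version_id=$value ;;
        esac
    done <<< "$text"
    major=${version_id%%.*}

    case "$id" in
        ubuntu|debian)   echo apt-get ;;
        amzn)            if [ "$major" = 2 ]; then echo yum; else echo dnf; fi ;;   # AL2 vs AL2023
        rhel|centos)     if [ -n "$major" ] && [ "$major" -lt 8 ] 2>/dev/null; then echo yum; else echo dnf; fi ;;
        almalinux|rocky) echo dnf ;;
        sles|opensuse*)  echo zypper ;;
        *)
            case " $id_like " in
                *" debian "*|*" ubuntu "*) echo apt-get ;;
                *" rhel "*|*" fedora "*)   echo dnf ;;
                *" suse "*)                echo zypper ;;
                *) echo "unsupported distribution: ${id:-unknown}" >&2; return 1 ;;
            esac ;;
    esac
}

# build_remote_script PKG_MANAGER MODE COMPOSE_DIR DRY_RUN
# MODE is host-only or full. DRY_RUN=true only lists pending packages and the
# images the Compose project references; it changes nothing on the host.
build_remote_script() {
    local pm="$1" mode="$2" compose_dir="$3" dry_run="$4" script quoted
    case "$pm:$dry_run" in
        # --force-confdef/--force-confold stop dpkg prompting about changed
        # conffiles when there is no terminal on the remote side.
        apt-get:false) script='sudo apt-get -q update && sudo apt-get -y -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold upgrade && sudo apt-get -y autoremove' ;;
        apt-get:true)  script='sudo apt-get -q update && apt-get -s upgrade' ;;
        dnf:false|yum:false) script="sudo $pm -y upgrade && sudo $pm -y autoremove" ;;
        # check-update exits 100 when updates are pending and 1 on error.
        dnf:true|yum:true)   script="$pm -q check-update || [ \$? -eq 100 ]" ;;
        zypper:false) script='sudo zypper --non-interactive refresh && sudo zypper --non-interactive update' ;;
        zypper:true)  script='sudo zypper --non-interactive refresh && zypper --non-interactive list-updates' ;;
        *) echo "unsupported package manager/dry-run combination: $pm/$dry_run" >&2; return 1 ;;
    esac

    if [ "$mode" = full ]; then
        printf -v quoted '%q' "$compose_dir"        # shell-quote the path for the remote side
        if [ "$dry_run" = true ]; then
            script="$script && cd $quoted && sudo docker compose config --images"
        else
            # Pull, recreate, and only then drop images nothing references any
            # more (no -a): a failed pull or up leaves the old image in place.
            script="$script && cd $quoted && sudo docker compose pull && sudo docker compose up -d && sudo docker image prune -f"
        fi
    elif [ "$mode" != host-only ]; then
        echo "unknown mode: $mode" >&2; return 1
    fi
    printf '%s\n' "$script"
}

# patch_host USER HOST MODE COMPOSE_DIR DRY_RUN
# BatchMode makes ssh fail instead of prompting for a password or passphrase;
# "--" ends option parsing so nothing after it is ever read as an ssh option.
patch_host() {
    local user="$1" host="$2" mode="$3" compose_dir="$4" dry_run="$5" os_release pm script
    os_release=$(ssh -o BatchMode=yes -- "$user@$host" cat /etc/os-release) || return 1
    pm=$(detect_pkg_manager "$os_release") || return 1
    script=$(build_remote_script "$pm" "$mode" "$compose_dir" "$dry_run") || return 1
    printf '%s\n' "$script" | ssh -o BatchMode=yes -- "$user@$host" bash -s
}
```

`patch_host ubuntu webserver.example.com full /opt/docker true` prints the pending package list and the image names the Compose file references without touching the host; the same call with `false` performs the update. Because the script is sent on stdin to `bash -s` rather than as an ssh argument, the remote shell never re-parses it, which is also why `compose_dir` is quoted with `%q` before it is embedded.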
    ## Docker Path Auto-Detection
    
    When Docker path is not specified, the script checks these locations:
    
    1. `/home/$USER/Docker/docker-compose.yml`
    2. `/opt/docker/docker-compose.yml`
    3. `/srv/docker/docker-compos
    
    ... (truncated)