Linux patch management
OpsFabric scans your entire Linux fleet for missing patches (security, kernel, and userland) and lets you apply them in controlled rollouts.
One dashboard. Every distro. No guesswork.
SSH into boxes one by one. Run apt list --upgradable. Paste into a spreadsheet. Forget which server you already did. Repeat next month.
Half your fleet is Ubuntu, a quarter is Rocky, and someone spun up a SUSE box three years ago. Every distro has different commands, different repos, different CVE feeds.
Auditor asks for patch status across all production hosts. You spend two days generating reports that are outdated by the time you hand them over.
What it does
Scan every host with one click. Full update detection or security-only. Per-host, per-group, or the entire fleet. Results stream in as each host completes. Automatically detects pending patches, security updates, kernel vs userland, and reboot requirements across apt, yum, dnf, and zypper.
Run preflight checks (disk space, package locks, reboot status) before patching. Preview changes with dry-run. Roll back with apt --allow-downgrades or dnf history undo if something goes wrong.
Every pending patch is mapped to its CVEs with CVSS severity (critical, high, medium, low). Browse affected hosts per CVE, see fix-available status, and filter by severity.
Create one-time or recurring patch jobs with cron expressions. Scan, apply, dry-run, or rollback on a schedule. Target specific hosts, groups, or the whole fleet. Track job status and rerun failed jobs.
Daily compliance snapshots with trend charts over 7, 30, or 90 days. Per-host compliance status (compliant, warning, critical). Export reports for auditors. Full audit log of every action with user, timestamp, and details.
Pin package versions to prevent unwanted updates. Pinned packages are excluded from apply operations automatically. Centralized repository definitions with on-premise caching proxy through the gateway.
Organize hosts with regex-based auto-assignment rules. Match on hostname, OS, version, or tags. Run scan, preflight, dry-run, and apply operations on entire groups at once.
Each tenant gets isolated gateways, users, and host pools. Role-based access control with super admin, tenant admin, and user roles. No data leaks between tenants.
Live WebSocket push for gateway status, host online/offline events, scan completion, and apply progress. Results stream as each host finishes. Persistent notifications across page navigation.
Why it's fast
Most patch tools poll. OpsFabric pushes. Commands fan out to every host simultaneously and results stream back in real time.
One scan fires across all your gateways in parallel. Each gateway fans out to its hosts simultaneously via the event bus. Two gateways, ten gateways - they all fire at the same time.
Results push through the event bus as each host completes. The UI updates instantly via WebSocket. No refresh buttons, no stale data, no wasted cycles.
Bulk scans and applies fire asynchronously. You get an instant acknowledgment, then progressive per-host results as they complete. No waiting for the slowest host to see anything.
The gateway makes a single call per operation. All package logic runs directly on the managed host. The gateway has zero OS awareness - it just relays.
Policy engine
Define when, what, and how patches get applied. OpsFabric enforces your policies server-side so nothing slips through.
Define maintenance windows per group with day-of-week and time slots. Jobs targeting a group outside its window are blocked with a 409 and told when the next window opens. No surprises during business hours.
web-servers: Sat 02:00 – 06:00 UTC
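The window check described above, as an added example (not OpsFabric's own code). It parses the window notation shown on this page and answers a job request with either an acceptance or a 409 carrying the next opening time; the function names, the response fields, and the 202 status for accepted jobs are assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# Matches the notation used on the page, e.g. "Sat 02:00 – 06:00 UTC".
SPEC = re.compile(r"^(\w{3}) (\d{2}):(\d{2}) [–-] (\d{2}):(\d{2}) UTC$")

def parse_window(spec):
    """Return (weekday, start_minute, end_minute) for a same-day UTC window."""
    m = SPEC.match(spec.strip())
    if not m or m.group(1) not in DAYS:
        raise ValueError(f"unrecognised window: {spec!r}")
    start = int(m.group(2)) * 60 + int(m.group(3))
    end = int(m.group(4)) * 60 + int(m.group(5))
    if not 0 <= start < end <= 24 * 60:
        raise ValueError("window must start before it ends on the same day")
    return DAYS.index(m.group(1)), start, end

def next_open(window, now_utc):
    """First start of the window after now_utc (caller is outside the window)."""
    weekday, start, _ = window
    midnight = now_utc.replace(hour=0, minute=0, second=0, microsecond=0)
    days_ahead = (weekday - now_utc.weekday()) % 7
    candidate = midnight + timedelta(days=days_ahead, minutes=start)
    if candidate < now_utc:          # today's window has already passed
        candidate += timedelta(days=7)
    return candidate

def gate_job(spec, now):
    """Server-side decision for one job; naive timestamps are rejected."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    window = parse_window(spec)
    weekday, start, end = window
    now = now.astimezone(timezone.utc)   # compare in UTC whatever the caller sent
    minute = now.hour * 60 + now.minute
    if now.weekday() == weekday and start <= minute < end:
        return {"status": 202}           # assumed status for an accepted job
    return {"status": 409, "next_window": next_open(window, now).isoformat()}

if __name__ == "__main__":
    # Constructed request time: a Monday afternoon, outside the window.
    monday = datetime(2024, 6, 3, 14, 0, tzinfo=timezone.utc)
    print(gate_job("Sat 02:00 – 06:00 UTC", monday))
```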
Automatically patch when qualifying updates exist. Configure severity filter, delay period, and reboot policy per group. Security-only at high severity with 24h delay? Done. Fully hands-off or as controlled as you need.
security only · max severity: high · 24h delay · reboot: if required
Set SLA targets per severity: critical patches within 48 hours, high within 7 days. OpsFabric tracks violations per host, generates daily compliance snapshots, and gives you trend data over 7, 30, or 90 days for auditors.
critical: 48h · high: 7d · medium: 30d · low: 90d
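One way to evaluate these SLA targets per host, as an added example (not OpsFabric's own code). The record fields, the choice to start the SLA clock when a patch is first seen pending, and the 75% warning threshold are assumptions; the status names are the ones this page lists.

```python
from datetime import datetime, timedelta, timezone

# SLA targets as listed on the page.
SLA = {"critical": timedelta(hours=48), "high": timedelta(days=7),
       "medium": timedelta(days=30), "low": timedelta(days=90)}
RANK = {"compliant": 0, "warning": 1, "critical": 2}

def violations(pending, now):
    """Pending patches whose age exceeds the target for their severity."""
    out = []
    for p in pending:
        target = SLA[p["severity"]]      # unknown severity raises KeyError
        age = now - p["first_seen"]
        if age > target:
            out.append({**p, "overdue_by": age - target})
    return out

def host_status(pending, now, warn_fraction=0.75):
    """Worst status per host: critical once any patch has breached its SLA."""
    status = {}
    for p in pending:
        used = (now - p["first_seen"]) / SLA[p["severity"]]   # share of SLA spent
        if used > 1:
            level = "critical"
        elif used >= warn_fraction:      # assumed early-warning threshold
            level = "warning"
        else:
            level = "compliant"
        current = status.setdefault(p["host"], "compliant")
        if RANK[level] > RANK[current]:
            status[p["host"]] = level
    return status

def utc(day):
    return datetime(2024, 6, day, tzinfo=timezone.utc)

# Constructed sample data: pending patches as a scan might report them.
NOW = utc(10)
PENDING = [
    {"host": "web-01", "package": "openssl", "severity": "critical", "first_seen": utc(7)},
    {"host": "web-01", "package": "linux-image", "severity": "high", "first_seen": utc(9)},
    {"host": "web-02", "package": "curl", "severity": "high", "first_seen": utc(4)},
    {"host": "db-01", "package": "tzdata", "severity": "low", "first_seen": utc(1)},
]

if __name__ == "__main__":
    print(host_status(PENDING, NOW))
    for v in violations(PENDING, NOW):
        print(v["host"], v["package"], "overdue by", v["overdue_by"])
```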
How it works
Download OpsFabric Gateway for your site. Unzip, run ./run.sh. The gateway connects to OpsFabric cloud over WebSocket. No inbound ports needed.
unzip opsfabric-gateway-acme.zip && cd opsfabric-gateway && ./run.sh
Start the gateway and it generates a one-liner install script for your tenant. Run it on any Linux host to install the agent. Accept keys from the dashboard. Hosts appear in seconds.
curl -sL https://<gateway-endpoint>/install | sh
Hit scan. See what's pending. Apply security patches to your whole fleet or pick specific packages on specific hosts. Track everything in the audit log.
Dashboard → Patches → Scan All → Apply Security Patches
Architecture
Each tenant runs an isolated gateway on-premise. The cloud handles the UI, API, and coordination. No inbound ports required on your network.
The dashboard
Everything you need on one screen: patch status, host compliance, job history. No 14-click workflows.
Under the hood
apt: Debian / Ubuntu
dnf: RHEL / Rocky / CentOS 9
yum: RHEL / CentOS 7-8
zypper: SUSE
OpsFabric is launching soon. We're onboarding teams managing 50+ Linux hosts who are tired of spreadsheets and cron jobs.