{
  "schemaVersion": "1.0",
  "item": {
    "slug": "linux-patcher",
    "name": "Linux Patcher",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/JGM2025/linux-patcher",
    "canonicalUrl": "https://clawhub.ai/JGM2025/linux-patcher",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/linux-patcher",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=linux-patcher",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CONTRIBUTING.md",
      "README.md",
      "SETUP.md",
      "SKILL.md",
      "WORKFLOWS.md",
      "references/patchmon-setup.md"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access, and review SKILL.md yourself first, because the agent will act on the instructions it contains.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/linux-patcher"
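    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the downloaded archive is the linux-patcher package and that the extracted package contains the expected setup assets; the recorded source health probe checked slug=network (network-1.0.0.zip), not slug=linux-patcher."
      ],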
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/linux-patcher",
    "agentPageUrl": "https://openagent3.xyz/skills/linux-patcher/agent",
    "manifestUrl": "https://openagent3.xyz/skills/linux-patcher/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/linux-patcher/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access, and review SKILL.md yourself first, because the agent will act on the instructions it contains.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Linux Patcher",
        "body": "Automate Linux server patching and Docker container updates across multiple hosts via SSH."
      },
      {
        "title": "Distribution Support Status",
        "body": "Fully Tested:\n\n✅ Ubuntu - Tested end-to-end with real infrastructure\n\nSupported but Untested:\n\n⚠️ Debian GNU/Linux - Commands based on official documentation\n⚠️ Amazon Linux - Supports both AL2 (yum) and AL2023 (dnf)\n⚠️ RHEL (Red Hat Enterprise Linux) - Supports RHEL 7 (yum) and 8+ (dnf)\n⚠️ AlmaLinux - RHEL-compatible, uses dnf\n⚠️ Rocky Linux - RHEL-compatible, uses dnf\n⚠️ CentOS - Supports CentOS 7 (yum) and 8+ (dnf)\n⚠️ SUSE/OpenSUSE - Uses zypper package manager\n\nTesting Recommendation:\nAlways test untested distributions in a non-production environment first. The script will warn you when running on untested distributions."
      },
      {
        "title": "Security Notice",
        "body": "This skill requires:\n\nPasswordless sudo access - Configured with restricted permissions\nSSH key authentication - No SSH passwords stored or transmitted\nPatchMon credentials - Username and password stored in ~/.patchmon-credentials.conf in the user's home directory (restrict it with chmod 600)\n\nRead SETUP.md for the complete security configuration guide."
      },
      {
        "title": "Automated (Recommended)",
        "body": "Patch all hosts from PatchMon (automatic detection):\n\nscripts/patch-auto.sh\n\nSkip Docker updates (packages only):\n\nscripts/patch-auto.sh --skip-docker\n\nPreview changes (dry-run):\n\nscripts/patch-auto.sh --dry-run"
      },
      {
        "title": "Manual (Alternative)",
        "body": "Single host - packages only:\n\nscripts/patch-host-only.sh user@hostname\n\nSingle host - full update:\n\nscripts/patch-host-full.sh user@hostname /path/to/docker/compose\n\nMultiple hosts from config:\n\nscripts/patch-multiple.sh config-file.conf"
      },
      {
        "title": "Features",
        "body": "PatchMon integration - Automatically detects hosts needing updates\nSmart Docker detection - Auto-detects Docker and Compose paths\nSelective updates - Skip Docker updates with --skip-docker flag\nPasswordless sudo required - Configure with visudo or /etc/sudoers.d/ files\nSSH key authentication - No password prompts\nParallel execution - Update multiple hosts simultaneously\nDry-run mode - Preview changes without applying\nManual override - Run updates on specific hosts without PatchMon"
      },
      {
        "title": "Option 1: Automatic via PatchMon (Recommended)",
        "body": "Configure PatchMon credentials for automatic host detection:\n\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf\n\nSet your credentials:\n\nPATCHMON_URL=https://patchmon.example.com\nPATCHMON_USERNAME=your-username\nPATCHMON_PASSWORD=your-password\n\nThe file holds the password in plain text, so restrict it to your user:\n\nchmod 600 ~/.patchmon-credentials.conf\n\nThen simply run:\n\nscripts/patch-auto.sh\n\nThe script will:\n\nQuery PatchMon for hosts needing updates\nAuto-detect Docker on each host\nApply appropriate updates (host-only or full)"
      },
      {
        "title": "Option 2: Single Host (Quick Manual)",
        "body": "Run scripts directly with command-line arguments (no config file needed)."
      },
      {
        "title": "Option 3: Multiple Hosts (Manual Config)",
        "body": "Create a config file based on scripts/patch-hosts-config.example.sh:\n\ncp scripts/patch-hosts-config.example.sh my-servers.conf\nnano my-servers.conf\n\nExample config:\n\n# Host definitions: hostname,ssh_user,docker_path\nHOSTS=(\n  \"webserver.example.com,ubuntu,/opt/docker\"\n  \"database.example.com,root,/home/admin/compose\"\n  \"monitor.example.com,docker,/srv/monitoring\"\n)\n\n# Update mode: \"host-only\" or \"full\"\nUPDATE_MODE=\"full\"\n\n# Dry run mode (set to \"false\" to apply changes)\nDRY_RUN=\"true\"\n\nThen run:\n\nscripts/patch-multiple.sh my-servers.conf"
      },
      {
        "title": "Required on Control Machine (where OpenClaw runs)",
        "body": "OpenClaw installed and running\n SSH client installed (ssh command available)\n Bash 4.0 or higher\n curl installed (for PatchMon API)\n jq installed (for JSON parsing)\n PatchMon installed (required to check which hosts need updating)\n\nDoes NOT need to be on the OpenClaw host\nCan be installed on any server accessible via HTTPS\nDownload: https://github.com/PatchMon/PatchMon\n\nInstall missing tools:\n\n# Ubuntu/Debian\nsudo apt install curl jq\n\n# RHEL/CentOS/Rocky/Alma\nsudo dnf install curl jq\n\n# macOS\nbrew install curl jq"
      },
      {
        "title": "Required on Target Hosts",
        "body": "SSH server running and accessible\n SSH key authentication configured (passwordless login)\n Passwordless sudo configured for patching commands (see SETUP.md)\n Docker installed (optional, only for full updates)\n Docker Compose installed (optional, only for full updates)\n PatchMon agent installed and reporting (optional but recommended)"
      },
      {
        "title": "PatchMon Setup (Required for Automatic Mode)",
        "body": "PatchMon is required to automatically detect which hosts need patching.\n\nImportant: PatchMon does NOT need to be installed on the same server as OpenClaw. Install PatchMon on a separate server (can be any server on your network), and OpenClaw will query it via API.\n\nDownload PatchMon:\n\nGitHub: https://github.com/PatchMon/PatchMon\nDocumentation: https://docs.patchmon.net\n\nWhat you need:\n\nPatchMon server installed on ANY accessible server (not necessarily the OpenClaw host)\n PatchMon agents installed on all target hosts you want to patch\n PatchMon API credentials (username/password)\n Network connectivity from OpenClaw host to PatchMon server (HTTPS)\n\nArchitecture:\n\n┌─────────────────┐      HTTPS API      ┌─────────────────┐\n│ OpenClaw Host   │ ──────────────────> │ PatchMon Server │\n│ (this machine)  │    Query updates    │ (separate host) │\n└─────────────────┘                     └─────────────────┘\n                                                  │\n                                                  │ Reports\n                                                  ▼\n                                         ┌─────────────────┐\n                                         │ Target Hosts    │\n                                         │ (with agents)   │\n                                         └─────────────────┘\n\nQuick Start:\n\nInstall PatchMon server on a separate server (see GitHub repo)\nInstall PatchMon agents on all hosts you want to patch\nConfigure OpenClaw to access PatchMon API:\n\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf  # Set PatchMon server URL\nchmod 600 ~/.patchmon-credentials.conf\n\nDetailed setup:\nSee references/patchmon-setup.md for complete installation guide.\n\nCan I use this skill without PatchMon?\nYes! You can use manual mode to target specific hosts without PatchMon. However, automatic detection of hosts needing updates requires PatchMon."
      },
      {
        "title": "On Target Hosts",
        "body": "Required:\n\nSSH server running\nPasswordless sudo for the SSH user (for apt and docker commands)\nPatchMon agent installed and reporting (for automatic mode)\n\nFor full updates:\n\nDocker and Docker Compose installed\nDocker Compose files exist at specified paths"
      },
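      {
        "title": "Configure Passwordless Sudo",
        "body": "On each target host, create /etc/sudoers.d/patches (edit it with visudo -f /etc/sudoers.d/patches so a syntax error is caught before it is saved):\n\n# For Ubuntu/Debian systems\nusername ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/docker\n\n# For RHEL/CentOS systems\nusername ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/bin/docker, /usr/bin/dnf\n\nReplace username with your SSH user. Test with sudo -l to verify.\n\nNote: passwordless sudo for docker or a package manager is effectively root access on the host, so use a dedicated patching account and protect its SSH key as you would a root credential."
      },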
      {
        "title": "Host-Only Updates",
        "body": "Updates system packages only:\n\nRun apt update && apt upgrade (or yum update on RHEL)\nRemove unused packages (apt autoremove)\nDoes NOT touch Docker containers\n\nWhen to use:\n\nHosts without Docker\nSecurity patches only\nMinimal downtime required"
      },
      {
        "title": "Full Updates",
        "body": "Complete update cycle:\n\nUpdate system packages\nClean Docker cache (docker system prune)\nPull latest Docker images\nRecreate containers with new images\nCauses brief service interruption\n\nWhen to use:\n\nDocker-based infrastructure\nRegular maintenance windows\nApplication updates available"
      },
      {
        "title": "Automatic Workflow (patch-auto.sh)",
        "body": "Query PatchMon - Fetch hosts needing updates via API\nFor each host:\n\nSSH into host\nCheck if Docker is installed\nAuto-detect Docker Compose path (if not specified)\nApply host-only OR full update based on Docker detection\n\n\nReport results - Summary of successful/failed updates"
      },
      {
        "title": "Host-Only Update Process",
        "body": "SSH into target host\nRun sudo apt update\nRun sudo apt -y upgrade\nRun sudo apt -y autoremove\nReport results"
      },
      {
        "title": "Full Update Process",
        "body": "SSH into target host\nRun sudo apt update && upgrade && autoremove\nNavigate to Docker Compose directory\nRun sudo docker system prune -af (cleanup)\nPull all Docker images listed in compose file\nRun sudo docker compose pull\nRun sudo docker compose up -d (recreate containers)\nReport results"
      },
      {
        "title": "Docker Detection Logic",
        "body": "When using automatic mode:\n\nDocker installed + compose file found → Full update\nDocker installed + no compose file → Host-only update\nDocker not installed → Host-only update\n--skip-docker flag set → Host-only update (ignores Docker)"
      },
      {
        "title": "Docker Path Auto-Detection",
        "body": "When Docker path is not specified, the script checks these locations:\n\n/home/$USER/Docker/docker-compose.yml\n/opt/docker/docker-compose.yml\n/srv/docker/docker-compose.yml\n$HOME/Docker/docker-compose.yml\nCurrent directory\n\nOverride auto-detection:\n\nscripts/patch-host-full.sh user@host /custom/path"
      },
      {
        "title": "Example 1: Automatic update via PatchMon (recommended)",
        "body": "# First time: configure credentials\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf\n\n# Run automatic updates\nscripts/patch-auto.sh"
      },
      {
        "title": "Example 2: Automatic with dry-run",
        "body": "# Preview what would be updated\nscripts/patch-auto.sh --dry-run\n\n# Review output, then apply\nscripts/patch-auto.sh"
      },
      {
        "title": "Example 3: Skip Docker updates",
        "body": "# Update packages only, even if Docker is detected\nscripts/patch-auto.sh --skip-docker"
      },
      {
        "title": "Example 4: Manual single host, packages only",
        "body": "scripts/patch-host-only.sh admin@webserver.example.com"
      },
      {
        "title": "Example 5: Manual single host, full update with custom Docker path",
        "body": "scripts/patch-host-full.sh docker@app.example.com /home/docker/production"
      },
      {
        "title": "Example 6: Manual multiple hosts from config",
        "body": "scripts/patch-multiple.sh production-servers.conf"
      },
      {
        "title": "Example 7: Via OpenClaw chat",
        "body": "Simply ask OpenClaw:\n\n\"Update my servers\"\n\"Patch all hosts that need updates\"\n\"Update packages only, skip Docker\"\n\nOpenClaw will use the automatic mode and report results."
      },
      {
        "title": "PatchMon Integration Issues",
        "body": "\"PatchMon credentials not found\"\n\nCreate credentials file: cp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nEdit with your PatchMon URL and credentials\nOr set the PATCHMON_CONFIG environment variable to a custom location\n\n\"Failed to authenticate with PatchMon\"\n\nVerify PatchMon URL is correct (without trailing slash)\nCheck username and password\nEnsure PatchMon server is accessible: curl -k https://patchmon.example.com/api/health (-k disables TLS certificate verification; use it only for this reachability check, and fix the certificate rather than relying on -k)\nCheck firewall rules\n\n\"No hosts need updates\" but PatchMon shows updates available\n\nVerify PatchMon agents are running on target hosts: systemctl status patchmon-agent\nCheck agent reporting intervals: /etc/patchmon/config.yml\nForce agent update: patchmon-agent report"
      },
      {
        "title": "System Update Issues",
        "body": "\"Permission denied\" on apt/docker commands\n\nConfigure passwordless sudo (see Prerequisites section)\nTest with: ssh user@host sudo apt update\n\n\"Connection refused\"\n\nVerify SSH access: ssh user@host echo OK\nCheck SSH keys are configured\nVerify hostname resolution\n\nDocker Compose not found\n\nSpecify full path: scripts/patch-host-full.sh user@host /full/path\nOr install Docker Compose on target host\nAuto-detection searches: /home/user/Docker, /opt/docker, /srv/docker\n\nContainers fail to start after update\n\nCheck logs: ssh user@host \"docker logs container-name\"\nManually inspect: ssh user@host \"cd /docker/path && docker compose logs\"\nRollback if needed: ssh user@host \"cd /docker/path && docker compose down && docker compose up -d\" (this restarts the stack with the images the compose file currently resolves to; it does not restore the previous image versions)"
      },
      {
        "title": "PatchMon Integration (Optional)",
        "body": "For dashboard monitoring and scheduled patching, see references/patchmon-setup.md.\n\nPatchMon provides:\n\nWeb dashboard for update status\nPer-host package tracking\nSecurity update highlighting\nUpdate history"
      },
      {
        "title": "Security Considerations",
        "body": "Passwordless sudo is required for automation\n\nLimit to specific commands (apt, docker only); note that either command can still make root-level changes on the host\nUse /etc/sudoers.d/ files (easier to manage)\n\n\nSSH keys should be protected\n\nUse passphrase-protected keys when possible\nRestrict key permissions: chmod 600 ~/.ssh/id_rsa\n\n\nReview updates before applying in production\n\nUse dry-run mode first\nTest on staging environment\n\n\nSchedule updates during maintenance windows\n\nUse OpenClaw cron jobs for automation\nCoordinate with team for Docker updates (brief downtime)"
      },
      {
        "title": "Best Practices",
        "body": "Test first - Run dry-run mode before applying changes\nStagger updates - Don't update all hosts simultaneously (avoid full outage)\nMonitor logs - Check output for errors after updates\nBackup configs - Keep Docker Compose files in version control\nSchedule wisely - Update during low-traffic windows\nDocument paths - Maintain config files for infrastructure\nReboot when needed - Kernel updates require reboots (not automated)"
      },
      {
        "title": "Reboot Management",
        "body": "The scripts do NOT automatically reboot hosts. After updates:\n\nCheck if reboot required: ssh user@host \"[ -f /var/run/reboot-required ] && echo YES || echo NO\"\nSchedule manual reboots during maintenance windows\nUse PatchMon dashboard to track reboot requirements"
      },
      {
        "title": "Run Updates on Schedule",
        "body": "Create a cron job for automatic nightly patching:\n\ncron add --name \"Nightly Server Patching\" \\\n  --schedule \"0 2 * * *\" \\\n  --task \"cd ~/.openclaw/workspace/skills/linux-patcher && scripts/patch-auto.sh\"\n\nOr packages-only mode:\n\ncron add --name \"Nightly Package Updates\" \\\n  --schedule \"0 2 * * *\" \\\n  --task \"cd ~/.openclaw/workspace/skills/linux-patcher && scripts/patch-auto.sh --skip-docker\""
      },
      {
        "title": "Run Updates via Chat",
        "body": "Simply give OpenClaw natural-language commands:\n\nFull updates (packages + Docker containers):\n\n\"Update my servers\" ← Includes Docker by default\n\"Patch all hosts that need updates\"\n\"Update all my infrastructure\"\n\nPackages only (exclude Docker):\n\n\"Update my servers, excluding docker\"\n\"Update packages only, skip Docker\"\n\"Patch hosts without touching containers\"\n\nQuery status:\n\n\"What servers need patching?\"\n\"Show me hosts that need updates\"\n\nWhat happens automatically:\n\nWhen you say \"Update my servers\":\n\n✅ Queries PatchMon for hosts needing updates\n✅ Detects Docker on each host\n✅ Updates system packages\n✅ Pulls Docker images and recreates containers (if Docker detected)\n✅ Reports results with success/failure count\n\nWhen you say \"Update my servers, excluding docker\":\n\n✅ Queries PatchMon for hosts needing updates\n✅ Updates system packages only\n❌ Skips all Docker operations (containers keep running)\n✅ Reports results\n\nImportant: Docker updates are included by default for maximum automation. Use \"excluding docker\" to skip container updates."
      },
      {
        "title": "Manual Override (Specific Hosts)",
        "body": "Target individual hosts without querying PatchMon:\n\n\"Update webserver.example.com\"\n\"Patch database.example.com packages only\"\n\"Update app.example.com with Docker\"\n\nOpenClaw will use the manual scripts for targeted updates."
      },
      {
        "title": "Documentation Files",
        "body": "This skill includes comprehensive documentation:\n\nSKILL.md (this file) - Overview and usage guide\nSETUP.md - Complete setup instructions with security best practices\nWORKFLOWS.md - Visual workflow diagrams for all modes\nreferences/patchmon-setup.md - PatchMon installation and integration\n\nFirst time setup? Read SETUP.md first - it provides step-by-step instructions for secure configuration.\n\nWant to understand the flow? Check WORKFLOWS.md for visual diagrams of how the skill operates."
      },
      {
        "title": "Supported Linux Distributions",
        "body": "Distribution | Package Manager | Tested | Status\nUbuntu | apt | ✅ Yes | Fully supported\nDebian | apt | ⚠️ No | Supported (untested)\nAmazon Linux 2 | yum | ⚠️ No | Supported (untested)\nAmazon Linux 2023 | dnf | ⚠️ No | Supported (untested)\nRHEL 7 | yum | ⚠️ No | Supported (untested)\nRHEL 8+ | dnf | ⚠️ No | Supported (untested)\nAlmaLinux | dnf | ⚠️ No | Supported (untested)\nRocky Linux | dnf | ⚠️ No | Supported (untested)\nCentOS 7 | yum | ⚠️ No | Supported (untested)\nCentOS 8+ | dnf | ⚠️ No | Supported (untested)\nSUSE/OpenSUSE | zypper | ⚠️ No | Supported (untested)\n\nThe skill automatically detects the distribution and selects the appropriate package manager."
      }
    ],
    "body": "Linux Patcher\n\nAutomate Linux server patching and Docker container updates across multiple hosts via SSH.\n\n⚠️ Important Disclaimers\nDistribution Support Status\n\nFully Tested:\n\n✅ Ubuntu - Tested end-to-end with real infrastructure\n\nSupported but Untested:\n\n⚠️ Debian GNU/Linux - Commands based on official documentation\n⚠️ Amazon Linux - Supports both AL2 (yum) and AL2023 (dnf)\n⚠️ RHEL (Red Hat Enterprise Linux) - Supports RHEL 7 (yum) and 8+ (dnf)\n⚠️ AlmaLinux - RHEL-compatible, uses dnf\n⚠️ Rocky Linux - RHEL-compatible, uses dnf\n⚠️ CentOS - Supports CentOS 7 (yum) and 8+ (dnf)\n⚠️ SUSE/OpenSUSE - Uses zypper package manager\n\nTesting Recommendation: Always test untested distributions in a non-production environment first. The script will warn you when running on untested distributions.\n\nSecurity Notice\n\nThis skill requires:\n\nPasswordless sudo access - Configured with restricted permissions\nSSH key authentication - No passwords stored or transmitted\nPatchMon credentials - Stored securely in user's home directory\n\nRead SETUP.md for complete security configuration guide.\n\nQuick Start\nAutomated (Recommended)\n\nPatch all hosts from PatchMon (automatic detection):\n\nscripts/patch-auto.sh\n\n\nSkip Docker updates (packages only):\n\nscripts/patch-auto.sh --skip-docker\n\n\nPreview changes (dry-run):\n\nscripts/patch-auto.sh --dry-run\n\nManual (Alternative)\n\nSingle host - packages only:\n\nscripts/patch-host-only.sh user@hostname\n\n\nSingle host - full update:\n\nscripts/patch-host-full.sh user@hostname /path/to/docker/compose\n\n\nMultiple hosts from config:\n\nscripts/patch-multiple.sh config-file.conf\n\nFeatures\nPatchMon integration - Automatically detects hosts needing updates\nSmart Docker detection - Auto-detects Docker and Compose paths\nSelective updates - Skip Docker updates with --skip-docker flag\nPasswordless sudo required - Configure with visudo or /etc/sudoers.d/ files\nSSH key authentication - No password 
prompts\nParallel execution - Update multiple hosts simultaneously\nDry-run mode - Preview changes without applying\nManual override - Run updates on specific hosts without PatchMon\nConfiguration\nOption 1: Automatic via PatchMon (Recommended)\n\nConfigure PatchMon credentials for automatic host detection:\n\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf\n\n\nSet your credentials:\n\nPATCHMON_URL=https://patchmon.example.com\nPATCHMON_USERNAME=your-username\nPATCHMON_PASSWORD=your-password\n\n\nThen simply run:\n\nscripts/patch-auto.sh\n\n\nThe script will:\n\nQuery PatchMon for hosts needing updates\nAuto-detect Docker on each host\nApply appropriate updates (host-only or full)\nOption 2: Single Host (Quick Manual)\n\nRun scripts directly with command-line arguments (no config file needed).\n\nOption 3: Multiple Hosts (Manual Config)\n\nCreate a config file based on scripts/patch-hosts-config.example.sh:\n\ncp scripts/patch-hosts-config.example.sh my-servers.conf\nnano my-servers.conf\n\n\nExample config:\n\n# Host definitions: hostname,ssh_user,docker_path\nHOSTS=(\n  \"webserver.example.com,ubuntu,/opt/docker\"\n  \"database.example.com,root,/home/admin/compose\"\n  \"monitor.example.com,docker,/srv/monitoring\"\n)\n\n# Update mode: \"host-only\" or \"full\"\nUPDATE_MODE=\"full\"\n\n# Dry run mode (set to \"false\" to apply changes)\nDRY_RUN=\"true\"\n\n\nThen run:\n\nscripts/patch-multiple.sh my-servers.conf\n\nPrerequisites\nRequired on Control Machine (where OpenClaw runs)\n OpenClaw installed and running\n SSH client installed (ssh command available)\n Bash 4.0 or higher\n curl installed (for PatchMon API)\n jq installed (for JSON parsing)\n PatchMon installed (required to check which hosts need updating)\nDoes NOT need to be on the OpenClaw host\nCan be installed on any server accessible via HTTPS\nDownload: https://github.com/PatchMon/PatchMon\n\nInstall missing tools:\n\n# Ubuntu/Debian\nsudo 
apt install curl jq\n\n# RHEL/CentOS/Rocky/Alma\nsudo dnf install curl jq\n\n# macOS\nbrew install curl jq\n\nRequired on Target Hosts\n SSH server running and accessible\n SSH key authentication configured (passwordless login)\n Passwordless sudo configured for patching commands (see SETUP.md)\n Docker installed (optional, only for full updates)\n Docker Compose installed (optional, only for full updates)\n PatchMon agent installed and reporting (optional but recommended)\nPatchMon Setup (Required for Automatic Mode)\n\nPatchMon is required to automatically detect which hosts need patching.\n\nImportant: PatchMon does NOT need to be installed on the same server as OpenClaw. Install PatchMon on a separate server (can be any server on your network), and OpenClaw will query it via API.\n\nDownload PatchMon:\n\nGitHub: https://github.com/PatchMon/PatchMon\nDocumentation: https://docs.patchmon.net\n\nWhat you need:\n\n PatchMon server installed on ANY accessible server (not necessarily the OpenClaw host)\n PatchMon agents installed on all target hosts you want to patch\n PatchMon API credentials (username/password)\n Network connectivity from OpenClaw host to PatchMon server (HTTPS)\n\nArchitecture:\n\n┌─────────────────┐      HTTPS API      ┌─────────────────┐\n│ OpenClaw Host   │ ──────────────────> │ PatchMon Server │\n│ (this machine)  │    Query updates    │ (separate host) │\n└─────────────────┘                     └─────────────────┘\n                                                  │\n                                                  │ Reports\n                                                  ▼\n                                         ┌─────────────────┐\n                                         │ Target Hosts    │\n                                         │ (with agents)   │\n                                         └─────────────────┘\n\n\nQuick Start:\n\nInstall PatchMon server on a separate server (see GitHub repo)\nInstall PatchMon agents on all hosts 
you want to patch\nConfigure OpenClaw to access PatchMon API:\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf  # Set PatchMon server URL\nchmod 600 ~/.patchmon-credentials.conf\n\n\nDetailed setup: See references/patchmon-setup.md for complete installation guide.\n\nCan I use this skill without PatchMon? Yes! You can use manual mode to target specific hosts without PatchMon. However, automatic detection of hosts needing updates requires PatchMon.\n\nOn Target Hosts\n\nRequired:\n\nSSH server running\nPasswordless sudo for the SSH user (for apt and docker commands)\nPatchMon agent installed and reporting (for automatic mode)\n\nFor full updates:\n\nDocker and Docker Compose installed\nDocker Compose files exist at specified paths\nConfigure Passwordless Sudo\n\nOn each target host, create /etc/sudoers.d/patches:\n\n# For Ubuntu/Debian systems\nusername ALL=(ALL) NOPASSWD: /usr/bin/apt, /usr/bin/docker\n\n# For RHEL/CentOS systems\nusername ALL=(ALL) NOPASSWD: /usr/bin/yum, /usr/bin/docker, /usr/bin/dnf\n\n\nReplace username with your SSH user. 
Test with sudo -l to verify.\n\nUpdate Modes\nHost-Only Updates\n\nUpdates system packages only:\n\nRun apt update && apt upgrade (or yum update on RHEL)\nRemove unused packages (apt autoremove)\nDoes NOT touch Docker containers\n\nWhen to use:\n\nHosts without Docker\nSecurity patches only\nMinimal downtime required\nFull Updates\n\nComplete update cycle:\n\nUpdate system packages\nClean Docker cache (docker system prune)\nPull latest Docker images\nRecreate containers with new images\nCauses brief service interruption\n\nWhen to use:\n\nDocker-based infrastructure\nRegular maintenance windows\nApplication updates available\nWorkflow\nAutomatic Workflow (patch-auto.sh)\nQuery PatchMon - Fetch hosts needing updates via API\nFor each host:\nSSH into host\nCheck if Docker is installed\nAuto-detect Docker Compose path (if not specified)\nApply host-only OR full update based on Docker detection\nReport results - Summary of successful/failed updates\nHost-Only Update Process\nSSH into target host\nRun sudo apt update\nRun sudo apt -y upgrade\nRun sudo apt -y autoremove\nReport results\nFull Update Process\nSSH into target host\nRun sudo apt update && upgrade && autoremove\nNavigate to Docker Compose directory\nRun sudo docker system prune -af (cleanup)\nPull all Docker images listed in compose file\nRun sudo docker compose pull\nRun sudo docker compose up -d (recreate containers)\nReport results\nDocker Detection Logic\n\nWhen using automatic mode:\n\nDocker installed + compose file found → Full update\nDocker installed + no compose file → Host-only update\nDocker not installed → Host-only update\n--skip-docker flag set → Host-only update (ignores Docker)\nDocker Path Auto-Detection\n\nWhen Docker path is not specified, the script checks these locations:\n\n/home/$USER/Docker/docker-compose.yml\n/opt/docker/docker-compose.yml\n/srv/docker/docker-compose.yml\n$HOME/Docker/docker-compose.yml\nCurrent directory\n\nOverride auto-detection:\n\nscripts/patch-host-full.sh 
user@host /custom/path\n\nExamples\nExample 1: Automatic update via PatchMon (recommended)\n# First time: configure credentials\ncp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nnano ~/.patchmon-credentials.conf\n\n# Run automatic updates\nscripts/patch-auto.sh\n\nExample 2: Automatic with dry-run\n# Preview what would be updated\nscripts/patch-auto.sh --dry-run\n\n# Review output, then apply\nscripts/patch-auto.sh\n\nExample 3: Skip Docker updates\n# Update packages only, even if Docker is detected\nscripts/patch-auto.sh --skip-docker\n\nExample 4: Manual single host, packages only\nscripts/patch-host-only.sh admin@webserver.example.com\n\nExample 5: Manual single host, full update with custom Docker path\nscripts/patch-host-full.sh docker@app.example.com /home/docker/production\n\nExample 6: Manual multiple hosts from config\nscripts/patch-multiple.sh production-servers.conf\n\nExample 7: Via OpenClaw chat\n\nSimply ask OpenClaw:\n\n\"Update my servers\"\n\"Patch all hosts that need updates\"\n\"Update packages only, skip Docker\"\n\nOpenClaw will use the automatic mode and report results.\n\nTroubleshooting\nPatchMon Integration Issues\n\"PatchMon credentials not found\"\nCreate credentials file: cp scripts/patchmon-credentials.example.conf ~/.patchmon-credentials.conf\nEdit with your PatchMon URL and credentials\nOr set PATCHMON_CONFIG environment variable to custom location\n\"Failed to authenticate with PatchMon\"\nVerify PatchMon URL is correct (without trailing slash)\nCheck username and password\nEnsure PatchMon server is accessible: curl -k https://patchmon.example.com/api/health (-k disables TLS certificate verification, so use it only for this reachability test, not for requests that carry credentials)\nCheck firewall rules\n\"No hosts need updates\" but PatchMon shows updates available\nVerify PatchMon agents are running on target hosts: systemctl status patchmon-agent\nCheck agent reporting intervals: /etc/patchmon/config.yml\nForce agent update: patchmon-agent report\nSystem Update Issues\n\"Permission denied\" on apt/docker commands\nConfigure 
passwordless sudo (see Prerequisites section)\nTest with: ssh user@host sudo apt update\n\"Connection refused\"\nVerify SSH access: ssh user@host echo OK\nCheck SSH keys are configured\nVerify hostname resolution\nDocker Compose not found\nSpecify full path: scripts/patch-host-full.sh user@host /full/path\nOr install Docker Compose on target host\nAuto-detection searches: /home/user/Docker, /opt/docker, /srv/docker\nContainers fail to start after update\nCheck logs: ssh user@host \"docker logs container-name\"\nManually inspect: ssh user@host \"cd /docker/path && docker compose logs\"\nRollback if needed: ssh user@host \"cd /docker/path && docker compose down && docker compose up -d\" (this recreates the containers from the newly pulled images; to return to an earlier version, pin the previous image tag in the compose file first)\nPatchMon Integration (Optional)\n\nFor dashboard monitoring and scheduled patching, see references/patchmon-setup.md.\n\nPatchMon provides:\n\nWeb dashboard for update status\nPer-host package tracking\nSecurity update highlighting\nUpdate history\nSecurity Considerations\nPasswordless sudo is required for automation\nLimit to specific commands (apt, docker only); sudo access to apt or docker is still root-equivalent on the host, so protect the SSH account and its key as you would root\nUse /etc/sudoers.d/ files (easier to manage)\nSSH keys should be protected\nUse passphrase-protected keys when possible\nRestrict key permissions: chmod 600 ~/.ssh/id_rsa\nReview updates before applying in production\nUse dry-run mode first\nTest on staging environment\nSchedule updates during maintenance windows\nUse OpenClaw cron jobs for automation\nCoordinate with team for Docker updates (brief downtime)\nBest Practices\nTest first - Run dry-run mode before applying changes\nStagger updates - Don't update all hosts simultaneously (avoid full outage)\nMonitor logs - Check output for errors after updates\nBackup configs - Keep Docker Compose files in version control\nSchedule wisely - Update during low-traffic windows\nDocument paths - Maintain config files for infrastructure\nReboot when needed - Kernel updates require reboots (not automated)\nReboot Management\n\nThe scripts do NOT automatically reboot hosts. 
After updates:\n\nCheck if reboot required: ssh user@host \"[ -f /var/run/reboot-required ] && echo YES || echo NO\"\nSchedule manual reboots during maintenance windows\nUse PatchMon dashboard to track reboot requirements\nIntegration with OpenClaw\nRun Updates on Schedule\n\nCreate a cron job for automatic nightly patching:\n\ncron add --name \"Nightly Server Patching\" \\\n  --schedule \"0 2 * * *\" \\\n  --task \"cd ~/.openclaw/workspace/skills/linux-patcher && scripts/patch-auto.sh\"\n\n\nOr packages-only mode:\n\ncron add --name \"Nightly Package Updates\" \\\n  --schedule \"0 2 * * *\" \\\n  --task \"cd ~/.openclaw/workspace/skills/linux-patcher && scripts/patch-auto.sh --skip-docker\"\n\nRun Updates via Chat\n\nSimply ask OpenClaw natural language commands:\n\nFull updates (packages + Docker containers):\n\n\"Update my servers\" ← Includes Docker by default\n\"Patch all hosts that need updates\"\n\"Update all my infrastructure\"\n\nPackages only (exclude Docker):\n\n\"Update my servers, excluding docker\"\n\"Update packages only, skip Docker\"\n\"Patch hosts without touching containers\"\n\nQuery status:\n\n\"What servers need patching?\"\n\"Show me hosts that need updates\"\n\nWhat happens automatically:\n\nWhen you say \"Update my servers\":\n\n✅ Queries PatchMon for hosts needing updates\n✅ Detects Docker on each host\n✅ Updates system packages\n✅ Pulls Docker images and recreates containers (if Docker detected)\n✅ Reports results with success/failure count\n\nWhen you say \"Update my servers, excluding docker\":\n\n✅ Queries PatchMon for hosts needing updates\n✅ Updates system packages only\n❌ Skips all Docker operations (containers keep running)\n✅ Reports results\n\nImportant: Docker updates are included by default for maximum automation. 
Use \"excluding docker\" to skip container updates.\n\nManual Override (Specific Hosts)\n\nTarget individual hosts without querying PatchMon:\n\n\"Update webserver.example.com\"\n\"Patch database.example.com packages only\"\n\"Update app.example.com with Docker\"\n\nOpenClaw will use the manual scripts for targeted updates.\n\nDocumentation Files\n\nThis skill includes comprehensive documentation:\n\nSKILL.md (this file) - Overview and usage guide\nSETUP.md - Complete setup instructions with security best practices\nWORKFLOWS.md - Visual workflow diagrams for all modes\nreferences/patchmon-setup.md - PatchMon installation and integration\n\nFirst time setup? Read SETUP.md first - it provides step-by-step instructions for secure configuration.\n\nWant to understand the flow? Check WORKFLOWS.md for visual diagrams of how the skill operates.\n\nSupported Linux Distributions\nDistribution\tPackage Manager\tTested\tStatus\nUbuntu\tapt\t✅ Yes\tFully supported\nDebian\tapt\t⚠️ No\tSupported (untested)\nAmazon Linux 2\tyum\t⚠️ No\tSupported (untested)\nAmazon Linux 2023\tdnf\t⚠️ No\tSupported (untested)\nRHEL 7\tyum\t⚠️ No\tSupported (untested)\nRHEL 8+\tdnf\t⚠️ No\tSupported (untested)\nAlmaLinux\tdnf\t⚠️ No\tSupported (untested)\nRocky Linux\tdnf\t⚠️ No\tSupported (untested)\nCentOS 7\tyum\t⚠️ No\tSupported (untested)\nCentOS 8+\tdnf\t⚠️ No\tSupported (untested)\nSUSE/OpenSUSE\tzypper\t⚠️ No\tSupported (untested)\n\nThe skill automatically detects the distribution and selects the appropriate package manager."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/JGM2025/linux-patcher",
    "publisherUrl": "https://clawhub.ai/JGM2025/linux-patcher",
    "owner": "JGM2025",
    "version": "3.0.2",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/linux-patcher",
    "downloadUrl": "https://openagent3.xyz/downloads/linux-patcher",
    "agentUrl": "https://openagent3.xyz/skills/linux-patcher/agent",
    "manifestUrl": "https://openagent3.xyz/skills/linux-patcher/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/linux-patcher/agent.md"
  }
}