Are Red hat Download Plugins required on every single IEM Relay?

In our environment, we have 2 IEM 9.1 servers (with DSA-replication configured) with multi-tiered relay setup (total of 8 IEM relays). we have installed the Redhat download Plugin to the 2 IEM servers, and configured it to be working.

In our testing, we found out that the redhat clients connected directly to the IEM server are able to download Redhat patches without issue.

However, the clients connected to one of the 8 relays are NOT able to download any redhat patches.
We are trying to use fixlets from the “Patches for RHEL 6 - Native tools” / “Patches for RHEL 5 - Native tools” sites.

Does anyone know …

  • Does there need to be a Redhat Download plugin configured at all 8 of our IEM relays ?
  • If yes, then does this also mean that we need to provide internet access to all our 8 IEM relays too ?

As long as you have it on the core server (and all relays call to it to have their patches downloaded from the internet), having it on the core should be sufficient. The hiearchy always looks to its parent for its files unless otherwise specified in your custom settings.

Let me preface this response with the following … I am NOT a Linux Admin. I don’t even play one on TV, I just work with several of them.

I don’t believe the Redhat “Native Tools” content uses IEM download methods. It uses YUM to perform the download and install functions.

Your servers will either need Internet access themselves, or you will need to have a Satellite Server where the servers can download their patches from.

If you want the downloads to come through the normal IEM download channels, you need to use the non-“Native” content sites.

From what I’ve done in my own environment, the clients should follow their normal chain of command when it comes to acquiring content. Unfortunately I can’t give you a difinitive yes or no because to make sure we didn’t run into issues, we just put the plug-in on all our relays but I’m pretty sure the clients should call to the core for their patches and the plug-in on the core will acquire them.

Does anyone know …

  • Does there need to be a Redhat Download plugin configured at all 8 of our IEM relays ?
    A: NO only on the root server
  • If yes, then does this also mean that we need to provide internet access to all our 8 IEM relays too ?

If you’re using native tools approach the agent will use yum and the configured repos.
If you not using native tools then the plugin will download the patch through to the root server.

Make sure that you can download content of other types via this one relay to your target endpoints.

Thanks for all the response.
I’m getting conflicting answers from IBM support, so hope to get someone here who’s done it before.

@ jmaple, i believe what you’re saying is true for Windows patches. But for the “patches for RHEL X - native tools” fixlets, it seems to behave differently, or I’m doing something wrong.

@ TimRice & Gearoid - Yes i noticed that YUM commands were embedded inside the prefetch block of the actionscript for fixlets within the “Patches for RHEL X - Native tools” site.
We don’t have a RHEL statellite server/repo in my environment

Is there any IBM docs explaining the difference between the 3 sites:

  • Patches for RHEL 5
  • Patches for RHEL 5 - Native tools
  • Patches for RHEL 5 - Dependency resolution ?

I also notice for RHEL 6, there are only 2 sites instead of 3.

  • Patches for RHEL 6 - Native tools
  • Patches for RHEL 6 - Dependency resolution

I found some IBM pages explaining more about the dependency resolution site and the outdated sites.

https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Patch%20Management%20for%20Red%20Hat

Also found the announcement page about the Redhat native tools site.
https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910/entry/patches_for_rhel_5_and_rhel_6_gets_new_content_and_dependency_resolution_method?lang=en

However, it doesn’t explain that the native tools site only work if you have a local repo/Statellite ?

I haven’t tried this - but I think native tools can just use whatever repos your endpoint is registered with. If it’s registered with a satellite that’ll get used, if its registered directly with Red Hat that that’s what’ll be used. Reason I say this is because the native tools is just calling yum and yum is determining the repos.

So you’re saying Native tools can use etiher a repo, satellite, or the redhat download plugin ?
Has anyone here confirmed this ?
I’m gonna go run a few experiments of my own as well…

Native tools will use whatever repo has been configured on the endpoint - this can be a satellite or Red Hat’s own repos.

Native tools does not use the IEM download plug-in.

There’s tasks, IDs 13 and 14, in the Patching Support Site used toggle yum to use the configured repos.
Here’s a snippet from the task description:

Use this task to disallow YUM to perform the necessary downloads from the configured repositories on the endpoint. When custom repository support is disabled, the Fixlets start downloading the metadata and packages through the IBM Endpoint Manager infrastructure and stop YUM from downloading the necessary files.
1 Like

Hi All,
I am doing POC of IEM 9.2.3.68.For RHEL,I don’t have RHEL subscription id how to configure Redhat Download plugin configured ? subscription id is mandatory for this ?

Can you subscribe to the sites?

I am using yum to update the patches in system but i don’t have any RedHat account user to the RedHat Support site.

It must have a valid support identifier to download patches?

Yes. You need rhel support to access the patches and you need to provide your rhel support credentials to IEM for it to download the patches.

If i use a cloud provider like SL (SoftLayer), they don’t provide redhat access, but only yum repo access. Is it possible to make IEM work with yum repo in that case ?

Yes - use the native tools options. With this option yum on the computer downloads the packages from the repo.
Softlayer will configure your RHEL system to use its satellite. When I’ve used softlayer I have raised a support ticket to get this done, if it’s not done by default or already in the softlayer images.

You don’t have to configure any RHEL subscription in IEM.