BigFix 9.5 Patch 9 is now available

The BigFix team is pleased to announce the release of version 9.5 Patch 9 (9.5.9.62) of the BigFix Platform.

The main features included in this release are:

  • Added signature to the Red Hat installation packages
    Starting from BigFix Version 9.5.9, the Red Hat RPM packages for Server, Agent and Relay are signed with a PGP key. Also the CentOS BigFix Agent and Relay use the same Red Hat binaries. The same applies to Oracle Linux BigFix Agent

  • Ability for endpoints to constrain the download action if the client is not connected to the designated (preferred) relay
    BigFix 9.5.9 introduces the capability to prevent starting actions requiring downloads when the BigFix Agent is not connected to a preferred Relay. In such a scenario, the user can prevent actions from being executed if the total size of the downloads associated with the action exceeds a configurable value

  • Ability for Web Reports to restrict access to some properties
    BigFix Version 9.5.9 introduces a new client setting that allows you to configure a list of properties that will be blacklisted for Web Reports. This will help to prevent reporting on large or privacy-sensitive data as well as to limit memory usage

  • Improved Relay scalability by supporting 5000 endpoints per Relay
    BigFix leaf relays for the Windows and Linux platforms can be configured now to manage up to 5000 endpoints. This 500% scalability improvement means reduced cost to deploy and manage IT assets, while maintaining the superior visibility and security that BigFix is known for

  • Other Enhancements
    – Added support for IBM BigFix Agent and Relay on AIX 7.2 on Power 9
    – APAR and defect fixes
    – Security enhancements

See further details in the 9.5.9 Release Notes at: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/IBM%20BigFix%209.5.9%20Release%20Notes

See the full technical changelist at: https://support.bigfix.com/bes/changes/fullchangelist-95.txt

Pre-Upgrade Considerations:

  • All BigFix Platform components are being released in this patch.
  • Ensure to STOP the WebUI and any other active application connecting to the BigFix database BEFORE starting the upgrade
  • A manual Server upgrade is required if you upgrade from a version earlier than 9.5.5. Refer to the 9.5.5 release notes for more information: https://www.ibm.com/developerworks/community/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/IBM%20BigFix%209.5.5%20Release%20Notes
  • A Pre-Upgrade check Fixlet is available. The Fixlet performs a set of checks to verify if the IBM BigFix Server can be successfully upgraded to 9.5.9. A log file is created in the IBM BigFix Server directory containing details about the executed steps.

Useful links:

IBM BigFix downloads and release information: http://support.bigfix.com/bes/release/9.5/patch9

Upgrade documentation in IBM Knowledge Center:

8 Likes
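For the signed Red Hat packages mentioned in the announcement, an added example (not part of the original post and not IBM's code) of checking a package before installation. `rpm -K` also ends in "OK" for an unsigned package whose digests match, so the check must look for a verified signature token. The function names and sample output lines are constructed here, and the location of the BigFix public key is not given on this page.

```shell
#!/bin/sh
# Added example: refuse RPMs that are unsigned or fail signature checks.
# Import the vendor public key first (path is a placeholder):
#   rpm --import /path/to/VENDOR-PUBLIC-KEY

# Classify one line of `rpm -K` output (constructed samples in the tests).
# Prints: signed-ok | unsigned | bad
classify_checksig() {
    result=${1#*: }                 # drop the "<file>: " prefix
    case $result in
        *"NOT OK"*) echo bad; return 1 ;;   # bad digest, bad sig or missing key
    esac
    case $result in
        # Lowercase tokens mean the signature was actually verified.
        *signatures*OK|*pgp*OK|*gpg*OK|*rsa*OK|*dsa*OK)
            echo signed-ok; return 0 ;;
        # Digests match but no signature was present in the package.
        *OK) echo unsigned; return 1 ;;
        *)   echo bad; return 1 ;;
    esac
}

# Run rpm -K on a package file and classify the result.
verify_rpm() {
    out=$(rpm -K "$1") || { echo bad; return 1; }
    classify_checksig "$out"
}

# Stand-alone use: sh verify.sh package1.rpm package2.rpm
for pkg in "$@"; do
    printf '%s: %s\n' "$pkg" "$(verify_rpm "$pkg")"
done
```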

It has been a long time waiting for this scalability improvement!

3 Likes

Be sure to follow the links to the Capacity Planning Guide, as there are OS configurations around TCP tuning needed to accomplish the higher capacity.

I'm curious to see how this is implemented. Does installing the relay automatically adjust the OS configurations (TCP tuning on Windows, nofiles limits on Linux)? Or is there content available in BigFix that does this post-install?

Yeah I love this Future

Hmm. If the content were there it should be part of the BES Support site, and we'd see it regardless of version.

I'm pretty sure I posted some Windows TCP tuning to bigfix.me some years back. If Bigfix.me were responding I'd look for it. :frowning:

We were hoping APAR IJ03325 would have been included in this one.

Right. Was there an update in the BES Relay v9.5.9 application that now scales for 5000 endpoints or was it just a confirmation that any BES Relay version running with hardware of 4 core/8GB RAM is capable of supporting 5000 clients?

1 Like

Really need to read the Optimization & Performance Guide on this one. I think it's more that the Relay can support 5000 endpoints given the cores/RAM, AND you've applied the OS tuning for the relay (shortening the TCP TIME_WAIT delay, increasing the range of Ephemeral ports, etc.)

FWIW, I already have relays running up to 2000 clients each, having applied most of the OS tuning several years ago. It's not a recommended configuration, but it's always been "possible", though your mileage may vary of course.

I think there's also stuff in the guide about tuning reporting frequency on the clients, batch counts on the relays, etc.

2 Likes

Can't IBM provide a BES Support site fixlet that does that tuning?

1 Like

What does this mean for relay-to-relay numbers? For our 3k relays, we have top level relays hosting between 92-144 site relays. I would love to remove some of my 27 top level data center relays.

I think the answer is it should be smaller.

There is a blog post which explains the approach to use:
BigFix Blog: Scaling Relays Up, and Bringing Costs Down

If I'm reading it right, the diagram shows an implementation of 125,000 end points using 25 leaf nodes reporting to 5 top level relays, which are reporting to a false root.

I think the Capacity Planning guide was updated for the new Relay to endpoint ratios, and it shows each top level relay managing a maximum of 40,000 total endpoints or 120 relays, whichever comes first. The diagram in the blog post represents an architecture where each top level relay is managing 25,000 endpoints through 5 relays.

1 Like

Nice summary Boyd!

A big part of our relay scalability improvement has been driving sufficient workloads and failure modes that we can have confidence this will "stand up" in the field and deploy at scale. There are definitely content and health improvements we would like to make to further reduce management cost, but wanted this improvement out asap as the benefits are significant. There is more we want to do. :slight_smile:

In terms of OS configuration, it is very workload dependent and much more typical on Linux. We also want to do a deeper dive on Tiny Core Linux in this scenario, and expect to publish on our results/recommendations.

1 Like

I like the TCL relays, I have a handful in my environment and in my DMZ. Though the process in creating a template via the download from TCL, from BigFix, and the instructions, it would be nicer to just have a single virtual appliance that one could download from BigFix already to go. Just import into your VI and answer a few questions at startup.

WOW!! This is terrific!!

–Mark

I'm pretty sure that already exists:
https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_tiny_core_introduction.html

Nope. If you see the instructions, you need to download the relay ISO from IBM, then the TCL ISO from wherever, then build a template. As I said, it's not difficult and the directions are good, but I'd rather just download a single virtual appliance from IBM all ready to go...

My Pre-upgrade check fails on move "{parameter "installDir" & "\preupgrade.out"}" "{parameter "installDir" & "\preupgrade-9.5.9.out"}"

the log reads

Command failed (Move of 'D:\preupgrade.out' to 'D:\preupgrade-9.5.9.out' failed (2 - File error "class FileNotFoundError" on "D:\preupgrade.out" : "Windows Error 0x2%: The system cannot find the file specified.")) move "D:\preupgrade.out" "D:\preupgrade-9.5.9.out" (action:26660)

but the

parameter "installDir" = "{parent folder of folder (value of setting "_BESRelay_HTTPServer_ServerRootPath" of client)}"

should be correct since if I look at the client setting it reads D:\wwwrootbes\

I'm having a hard time finding documentation on what has actually changed. The release notes indicate that something on the relays improved – did something actually change in the relay software or is IBM just now willing to support customers creating larger relays (2-4 core, 4-8gb RAM)?