Bigfix on Ubuntu not recognizing package has been deleted

For reasons I don’t want to go into, we need to uninstall our Splunk forwarders and then reinstall them. We are also in the process of moving from Puppet to Bigfix. So we set up Puppet to uninstall splunk and then plan to use Bigfix to install the new version and environment. However, Bigfix on our Ubuntu systems doesn’t seem to recognize that splunk has been uninstalled.

apt purge splunkforwarder

Reading package lists… Done
Building dependency tree
Reading state information… Done
Package ‘splunkforwarder’ is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded.

/opt/BESClient/bin/qna

Default masthead location, using /etc/opt/BESClient/actionsite.afxm
Q: (version of it) of packages whose (name of it contains "splunkforwarder") of debianpackages
A: 7.3.3
T: 600559

As you can see, debianpackages is still reporting that the splunkforwarder is installed, when it has been deleted from the system. Anyone seen this behavior?

Have you tried restarting the BESClient on these Ubuntu systems and then retrying your relevance query? I’m wondering if debianpackages has a cache that may be leading to this specific scenario.

I rebooted the system yesterday and got the same results. This morning, running the local QNA showed the package was no longer reported by debianpackages, but the Fixlet relevance to install the new version did not show the system as applicable. I just tried restarting the BESClient but so far no go.

Given your results, you’ll want to open a support case with L2 to dig into this further. Perhaps with some besclientdebug logging or other troubleshooting steps, they’ll be able to identify why the debianpackages query appears to have cached this data.

This has been interesting. For reference, see also Where does 'exists base package "X" of debianpackage' look?

But basically Debian/Ubuntu records all packages the system has ever seen, even if they have been uninstalled. So if the package was never installed, the relevance will return False. Once it is installed, it will return True, and after it’s uninstalled it may still return True. So vendors may have their packages totally erase themselves from the apt database, but you can’t depend on that. So the relevance I really wanted is:

Q: exists packages "splunkforwarder" whose(currently installed of it) of debianpackages
A: False
T: 390128

and not

Q: exists packages "splunkforwarder" of debianpackages
A: True
T: 438164

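Added example, not part of the original thread and not BigFix code: a small parser for dpkg's status-file format that shows why "has a record" and "is currently installed" give different answers for a removed package. The sample stanzas are constructed, and mapping the two helper functions to the two relevance queries above is an assumption about how the inspector behaves, not something documented here.

```python
import re

# Constructed sample in dpkg status-file format (versions are illustrative).
SAMPLE_STATUS = """\
Package: splunkforwarder
Status: deinstall ok config-files
Version: 7.3.3

Package: openssh-server
Status: install ok installed
Version: 1:8.2p1-4

Package: oldtool
Status: purge ok not-installed
"""

def parse_status(text):
    """Parse dpkg status-format text into {package name: {field: value}}."""
    packages = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:  # continuation of previous field
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, _, value = line.partition(":")
                fields[last] = value.strip()
        if "Package" in fields:
            packages[fields["Package"]] = fields
    return packages

def is_known(packages, name):
    """True if the database holds any record (assumed analogue of a bare 'exists packages')."""
    return name in packages

def is_currently_installed(packages, name):
    """True only when the third Status word is 'installed'."""
    parts = packages.get(name, {}).get("Status", "").split()
    return len(parts) == 3 and parts[2] == "installed"

if __name__ == "__main__":
    pkgs = parse_status(SAMPLE_STATUS)
    for name in pkgs:
        print(name, is_known(pkgs, name), is_currently_installed(pkgs, name))
```

On a live host the same Status field can be read with `dpkg-query -W -f='${Status} ${Version}\n' splunkforwarder`.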

I have a related answer here:
