Oracle Linux 8 - ELEA*, ELBA* and ELSA* weirdness

Hello,

Can someone tell me what the status is on BigFix and Oracle Linux 8?
I’m having issues getting BigFix Oracle 8 clients to process the ELEA* ELBA* and ELSA* security patches. The BigFix server lists them as relevant, but the client doesn’t install them properly as reflected in the logs. They then remain relevant.

Your help is greatly appreciated!

Here’s the log of one of the Oracle Linux 8 clients when I push out an update. This issue is consistent across all our Oracle Linux 8 clients.

At 12:16:14 -0400 -
GatherHashMV command received.
At 12:16:14 -0400 - mailboxsite (http://mybigfixserver:52311/cgi-bin/bfgather.exe/mailboxsite1085291712)
Downloaded ‘http://mybigfixserver:52311/mailbox/files/2f/9c/2f9c1a2b17c882de06d104693ec8a85b492929da’ as 'Action 1458.fxf’
Gather::SyncSiteByFile adding files - count: 1
At 12:16:14 -0400 -
Successful Synchronization with site ‘mailboxsite’ (version 24) - 'http://mybigfixserver:52311/cgi-bin/bfgather.exe/mailboxsite1085291712
Processing action site.
At 12:16:14 -0400 - mailboxsite (http://mybigfixserver:52311/cgi-bin/bfgather.exe/mailboxsite1085291712)
Relevant - ELBA-2022-1816 - Oracle Linux new module: container-tools:4.0 - Oracle Linux 8 x86_64 (fixlet:1458)
At 12:16:15 -0400 -
ActionLogMessage: (action:1458) Action signature verified for Execution
ActionLogMessage: (action:1458) starting action
At 12:16:15 -0400 - actionsite (http://mybigfixserver:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded parameter “sitefolder” = “/var/opt/BESClient/__BESData/Patches for Oracle Linux 8” (action:1458)
Command succeeded parameter “EDR_DeployDataDir” = “/var/opt/BESClient/EDRDeployData/” (action:1458)
Command succeeded parameter “cwd” = “/var/opt/BESClient/EDRDeployData/” (action:1458)
Command succeeded parameter “fixletid” = “22181601” (action:1458)
Command succeeded parameter “t0” = “” (action:1458)
Command succeeded parameter “t1” = “” (action:1458)
Command succeeded parameter “t2” = “” (action:1458)
Command succeeded parameter “t3” = “” (action:1458)
Command succeeded parameter “t4” = “” (action:1458)
Command succeeded parameter “t5” = “” (action:1458)
Command succeeded parameter “t6” = “” (action:1458)
Command succeeded parameter “t7” = “containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64” (action:1458)
Command succeeded parameter “t8” = “” (action:1458)
Command succeeded parameter “t9” = “” (action:1458)
Command succeeded parameter “t10” = “” (action:1458)
Command succeeded parameter “t11” = “” (action:1458)
Command succeeded parameter “t12” = “” (action:1458)
Command succeeded parameter “t13” = “” (action:1458)
Command succeeded parameter “t14” = “” (action:1458)
Command succeeded parameter “t15” = “” (action:1458)
Command succeeded parameter “t16” = “” (action:1458)
Command succeeded parameter “t17” = “” (action:1458)
Command succeeded parameter “t18” = “” (action:1458)
Command succeeded parameter “t19” = “” (action:1458)
Command succeeded parameter “t20” = “” (action:1458)
Command succeeded parameter “t21” = “” (action:1458)
Command succeeded parameter “t22” = “” (action:1458)
Command succeeded parameter “t23” = “” (action:1458)
Command succeeded parameter “t24” = “” (action:1458)
Command succeeded parameter “t25” = “” (action:1458)
Command succeeded parameter “t26” = “” (action:1458)
Command succeeded parameter “t27” = “” (action:1458)
Command succeeded parameter “t28” = “” (action:1458)
Command succeeded parameter “t29” = “” (action:1458)
Command succeeded parameter “t30” = “” (action:1458)
Command succeeded parameter “t31” = “” (action:1458)
Command succeeded parameter “packages” = " containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64 " (action:1458)
Command started - wait /bin/bash “/var/opt/BESClient/__BESData/Patches for Oracle Linux 8/InstallPackages.sh” -f “22181601” -l “/var/opt/BESClient/EDRDeployData/” containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64 (action:1458)
At 12:16:15 -0400 -
Report posted successfully
At 12:16:17 -0400 - actionsite (http://mybigfixserver:52311/cgi-bin/bfgather.exe/actionsaite)
Command succeeded (Exit Code=1) wait /bin/bash “/var/opt/BESClient/__BESData/Patches for Oracle Linux 8/InstallPackages.sh” -f “22181601” -l “/var/opt/BESClient/EDRDeployData/” containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64 (action:1458)
At 12:16:17 -0400 -
ActionLogMessage: (action:1458) ending action
At 12:16:17 -0400 - mailboxsite (http://mybigfixserver:52311/cgi-bin/bfgather.exe/mailboxsite1085291712)
Not Relevant - ELBA-2022-1816 - Oracle Linux new module: container-tools:4.0 - Oracle Linux 8 x86_64 (fixlet:1458)

Here’s the EDRlog:

[Fri Jul 29 12:16:15 EDT 2022] Install containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64 :
[Fri Jul 29 12:16:17 EDT 2022] 22181601 Install Failure: dnf -y install containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64 - Error:
[Fri Jul 29 12:16:17 EDT 2022] 22181601 ____ Last metadata expiration check: 3:47:54 ago on Fri 29 Jul 2022 08:28:22 AM EDT.
All matches were filtered out by modular filtering for argument: containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64
Error: Unable to find a match: containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64
[Fri Jul 29 12:16:17 EDT 2022] 22181601 ____ Failed to test install the following packages:
[Fri Jul 29 12:16:17 EDT 2022] 22181601 ____ containers-common-1-28.0.1.module+el8.6.0+20653+f0833761.x86_64

I think you should open a support ticket on this. It looks like the package is installed as part of a module stream and may need to be patched differently (I’m afraid I’m not terribly familiar with module streams and how they need to be updated)

This link is for Fedora, but OEL should be very similar https://docs.fedoraproject.org/en-US/modularity/using-modules/#:~:text=Modular%20filtering%20will%20automatically%20filter,enable%20the%20correct%20module%20stream.

Here’s what ended up being the solution.

Modifying the /etc/yum.repos.d/oracle-linux-ol8.repo file as follows:

  1. Enable hotfixes
    vi /etc/yum.repos.d/oracle-linux-ol8.repo
    add module_hotfixes=true to the last line of each enabled repo (in our case, ol8_baseos_latest, ol8_appstream and ol8_addons) in the repo file.

Example:

Before edit:

[ol8_baseos_latest]
name=Oracle Linux 8 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

After edit:

[ol8_baseos_latest]
name=Oracle Linux 8 BaseOS Latest ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
module_hotfixes=true

  2. Enable ol8_addons repo
    vi /etc/yum.repos.d/oracle-linux-ol8.repo
    change “enabled=0” to “enabled=1” within the ol8_addons section of the repo file.

Before edit:

[ol8_addons]
name=Oracle Linux 8 Addons ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/addons/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0

After Edit:

[ol8_addons]
name=Oracle Linux 8 Addons ($basearch)
baseurl=https://yum$ociregion.$ocidomain/repo/OracleLinux/OL8/addons/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
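
The two repo-file edits described above, scripted so they can be applied the same way on every client instead of by hand in vi. This is an added example, not part of the original post and not BigFix or Oracle code; it assumes POSIX sh and awk, and the function names patch_repo and patch_repo_inplace are hypothetical. Note that module_hotfixes=true turns off dnf's modular filtering for each repo that carries it, so only enabled sections receive it and gpgcheck lines are left as they are.

```shell
#!/bin/sh
# Added example: apply the two repo-file edits from the post without vi.
# patch_repo FILE [SECTION] prints FILE with module_hotfixes=true appended to
# every enabled section; SECTION (e.g. ol8_addons) is switched to enabled=1.
patch_repo() {
    awk -v enable="${2:-}" '
    function flush(   i, last) {
        last = n
        # keep trailing blank lines after the appended key
        while (last > 0 && buf[last] ~ /^[ \t]*$/) last--
        for (i = 1; i <= last; i++) print buf[i]
        if (insec && enabled && !hotfix) print "module_hotfixes=true"
        for (i = last + 1; i <= n; i++) print buf[i]
        n = 0; enabled = 0; hotfix = 0
    }
    /^\[.*\]/ { flush(); insec = 1; name = $0; gsub(/^\[|\].*$/, "", name) }
    {
        line = $0
        if (insec && name == enable && line ~ /^enabled[ \t]*=[ \t]*0[ \t]*$/)
            line = "enabled=1"
        if (line ~ /^enabled[ \t]*=[ \t]*1[ \t]*$/) enabled = 1
        # an existing module_hotfixes line (any value) is left untouched
        if (line ~ /^module_hotfixes[ \t]*=/) hotfix = 1
        buf[++n] = line
    }
    END { flush() }' "$1"
}

# patch_repo_inplace FILE [SECTION]: same edit, keeping FILE.bak as a backup.
patch_repo_inplace() {
    cp -p "$1" "$1.bak" || return 1
    patch_repo "$1.bak" "${2:-}" > "$1.new" || return 1
    cat "$1.new" > "$1" && rm -f "$1.new"   # cat keeps owner and mode of FILE
}

# Constructed sample (not the real repo file): one enabled and one disabled repo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ol8_baseos_latest]
gpgcheck=1
enabled=1

[ol8_addons]
gpgcheck=1
enabled=0
EOF
patch_repo "$sample" ol8_addons
rm -f "$sample"
```

On a client this would be run as patch_repo_inplace /etc/yum.repos.d/oracle-linux-ol8.repo ol8_addons; running it a second time changes nothing.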