Patches for Ubuntu 2204 - Issues

Has anyone experienced issues with Site - Patching for Ubuntu 2204? Or another question would be, is anyone successfully using patches from that site in a baseline? There are over 100 packages applicable to our VMs from that site, but we can’t seem to get them patched using BigFix. I can successfully patch our VMs manually.

While compiling the patches in a baseline and pushing them to a VM, they’ll never complete. The baseline action status will be stuck on pending downloads for days. Or even while deploying some single Fixlet actions we experience issues with them showing error or failed. Some patches will complete while others show completed in the action info, but their status shows failed. There’s no consistency with these patches.

I believe our VM templates for Ubuntu are in order, but maybe not. We’ve never had this type of issue with Windows or CentOS. Our BigFix server has the sites below added to the whitelist.txt. What are we missing for these patches to go through?

http://archive.ubuntu.com/ubuntu/.*
http://security.ubuntu.com/ubuntu/.*

I’ve had a case open with support for over 6 weeks, but we haven’t been able to get to the bottom of it.

Thanks in advance!

Just to make sure - Site subscription

Before you can deploy Ubuntu Fixlets, the BigFix server must be subscribed to the Patching Support site. After gathering the site, select the below task based on your deployment and run the task.

Task ID: 65 Setup Download Whitelist for Ubuntu (Windows Server)
This task is applicable to Windows servers.
Task ID: 66 Setup Download Whitelist for Ubuntu (Linux Server)
This task is applicable to Linux servers.

You must run the task; otherwise, you might encounter the following error: “The requested URL does not pass this deployment’s download whitelist.”

Ubuntu uses dynamic download while fetching the packages. As a security measure, the server blocks every dynamic download request except the ones with URLs that match the patterns in the white list file. Aside from the endpoints, ensure that the BigFix relay server is subscribed.

Please remember that the Patches will be downloaded from the BigFix Server itself.

If you want to retain the Log files - go through this document - How to retain the EDR_ResolverError.log file in Ubuntu client patching - Customer Support

And if you can please share Logs from -

  • BigFix Client Log (Blacklist all of private information)
  • EDRDeployment Logs
1 Like
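The whitelist check described in the reply above, as an added example that is not part of the thread or of BigFix: it tests download URLs against the two patterns quoted in the first post. It assumes a URL passes only when one pattern matches it in full, uses `grep -E` as a stand-in for the server's regex engine, and the function names and sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: which download URLs pass a whitelist of regex patterns?
# Assumption: a URL passes only if one pattern matches the whole URL;
# grep -E stands in for the server's own regex engine.

# Return 0 if URL $1 is fully matched by any pattern line in file $2.
url_allowed() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        pat=$(printf '%s' "$pat" | tr -d '\r')   # tolerate CRLF from a Windows server
        [ -z "$pat" ] && continue
        if printf '%s\n' "$1" | grep -Eqx -e "$pat"; then return 0; fi
    done < "$2"
    return 1
}

# Read URLs on stdin; print the ones the whitelist in file $1 would block.
blocked_urls() {
    while IFS= read -r url; do
        url_allowed "$url" "$1" || printf '%s\n' "$url"
    done
}

# Constructed sample: the two patterns from the thread and three made-up URLs.
demo() {
    wl=$(mktemp)
    printf '%s\r\n' 'http://archive.ubuntu.com/ubuntu/.*' \
                    'http://security.ubuntu.com/ubuntu/.*' > "$wl"
    blocked_urls "$wl" <<'EOF'
http://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/example_1.0_amd64.deb
https://archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/example_1.0_amd64.deb
http://us.archive.ubuntu.com/ubuntu/pool/main/l/linux-meta/example_1.0_amd64.deb
EOF
    rm -f "$wl"
}

demo
```

Under these assumptions the `https://` URL and the mirror hostname are both rejected, so the URLs being requested are worth comparing with the whitelist when an action sits on pending downloads.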

Hi Orbiton, thanks for responding.

We are subscribed to the Patches for Ubuntu 2204 site. See attached screenshot.

Also, we do have both URLs in our whitelist.txt file. See attached screenshot of the completed action to “Setup Download Whitelist for Ubuntu (Windows Server)”. I’ve verified both URLs are in our whitelist.

Our BigFix server and Relays are Windows so I’m not sure subscribing our relays to the site would work since the site is looking for Linux Ubuntu 22.04.

I’m going to revert these test VMs to their original state to start from scratch. I’ll push a small baseline of only 13 updates\components in it. It’ll take a while, so I’ll gather the logs once there are some status changes and post them here.

Thanks again,

The relays should be subscribed to the Patching Support external site, not the Ubuntu Patching external site.

Start with One patch because the retain log procedure is only a change in the ActionScript of a specific Fixlet.

Yes, “All Computers” are subscribed to the “Patching support” External site which includes all of our relays. We’re not having issues across the board, only with patches from site “Patches for Ubuntu 2204”.

So there were a few things going on with those patches. I’ll just post some notes here.

| Patch | Issue | Resolution |
| --- | --- | --- |
| Unspecified - Libwbclient0 - Ubuntu 22.04 (amd64) | Crashed our VM sending them into an SSSD boot loop. | The October 11th release of this patch must have fixed any issues as it’s working fine now. |
| Unspecified - Linux-Generic - Ubuntu 22.04 (amd64) | Failed status - The package (linux-generic_5.15.0.87.84) it’s looking for is not available from Index of /ubuntu/pool/main/l/linux-meta | Exclude it and wait for the new package (linux-generic_5.15.0.88.85) to be available in BigFix |
| Unspecified - Linux-Headers-Generic - Ubuntu 22.04 (amd64) | Failed status - The package (linux-libc-dev_5.15.0-87.97) it’s looking for is not available from Index of /ubuntu/pool/main/l/linux-meta | Exclude it and wait for the new package (linux-generic_5.15.0.88.85) to be available in BigFix |
| Unspecified - Linux-Libc-Dev - Ubuntu 22.04 (amd64) | Failed status - The package (open-vm-tools=2:12.1.5-3~ubuntu0.22.04.3) it’s looking for is not available from Index of /ubuntu/pool/main/l/linux-meta | Exclude it and wait for the new package (linux-libc-dev_5.15.0-88.98) to be available in BigFix |
| USN-6365-1 - Open Vm Tools Vulnerability - Ubuntu 22.04 (amd64) | Failed status - The package (linux-generic_5.15.0.87.84) it’s looking for is not available from Index of /ubuntu/pool/main/l/linux-meta | Exclude it and wait for the updated package to be available in BigFix. |
| Unspecified - Libpam-Cap - Ubuntu 22.04 (amd64) | This package was hanging our systems causing them to go into a bad state. There’s an interactive question (screenshot below) when installing manually which I believe was causing this. The common command plus -Y or -N in it would not work for this. After attempting this patch via BigFix, the VMs would not be patchable, not even manually using the “apt-get install” commands. | First you have to get rid of the “cache lock” (Waiting for cache lock: Could not get lock /var/lib/dpkg/lock-frontend. It is held by process 38695 (apt-get)) either by killing the process, removing the files or rebooting. Then you’d have to reinstall the Libpam-Cap package and run “sudo dpkg --configure -a” in order to get the VM back to a healthy state and patchable. We’re going to leave the Libpam-Cap package out of the baselines for now. But I did find a “DEBIAN_FRONTEND” command that I believe will work in a Custom Action to install this update. I’ll do some further testing to ensure our “/etc/pam.d/common-auth” files aren’t overwritten. |
| USN-6365-1 - Open Vm Tools Vulnerability - Ubuntu 22.04 (amd64) | Failed status - This package (vm-tools_2:12.1.5-3~ubuntu0.22.04.3) it’s looking for is not available from Index of /ubuntu/pool/main/l/linux-meta | Exclude it and wait for the updated package to be available in BigFix. |

1 Like
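An added example, not from the thread or from BigFix, of installing a package without prompts while checking that the PAM files mentioned in the last post are left untouched. The function names are hypothetical, `fuser` (psmisc) is assumed to be installed, and the script is meant to run as root on the Ubuntu endpoint.

```shell
#!/bin/sh
# Added example: prompt-free package install with a PAM integrity check.
# Assumptions: run as root on the endpoint; fuser (psmisc) is installed.
# Usage (hypothetical): install_quietly libpam-cap

LOCK=/var/lib/dpkg/lock-frontend

# Print a checksum manifest of the common-* PAM files in directory $1.
pam_manifest() {
    ( cd "${1:-/etc/pam.d}" && sha256sum common-* 2>/dev/null )
}

# Wait up to $1 seconds for whoever has the dpkg frontend lock open to
# finish. Returns 1 on timeout; it never kills the holder or removes the lock.
wait_for_lock() {
    left=${1:-300}
    while fuser "$LOCK" >/dev/null 2>&1; do
        [ "$left" -gt 0 ] || return 1
        sleep 5
        left=$((left - 5))
    done
}

# Install package $1 with no interactive questions. Non-zero exit codes tell
# the calling action which step failed; 6 means the PAM files changed.
install_quietly() {
    before=$(pam_manifest) || return 2
    wait_for_lock 300 || { echo "dpkg lock still held" >&2; return 3; }
    # Finish any half-configured packages left by an interrupted run.
    dpkg --configure -a || return 4
    # Debconf answers questions with defaults; stdin is closed so nothing
    # can block waiting for a keypress.
    DEBIAN_FRONTEND=noninteractive apt-get install -y "$1" </dev/null || return 5
    after=$(pam_manifest)
    [ "$before" = "$after" ] || { echo "PAM files changed, review them" >&2; return 6; }
}
```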