Red Hat patching via BigFix

This topic has been discussed a number of times. I apologize if I am asking the same silly question.

We have 10K RHEL (5/6/7) servers which are getting patched via Red Hat Satellite using yum. A Puppet fact on every host kicks off the “patching script”, and it patches the server according to the maintenance schedule via yum.

If we use BigFix for patching, can the same process be replicated? Where the server kicks off the “patching script” and patches itself using yum, and the server connects to BigFix to download the patches… Registering 10K servers with Red Hat is not doable.

I have a similar setup: a large collection of Red Hat servers registered with a Satellite server.
We kick off patching using BigFix to run the yum command.

One of our Linux admins wrote a script that actually kicks off the yum command, then saves/rotates the yum log so we can use an Analysis to look for servers that had errors installing any patches.

The admins get an email from the Web Reports server telling them which servers need some manual attention.

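The wrapper described in the reply above (run yum, keep the output, rotate old logs, and leave something an Analysis can read) can be sketched as follows. This is an added example, not the admin's actual script and not anything shipped with BigFix or Satellite; the directory /var/log/patching, the log and status file names, the one-word status format and the list of error patterns are all assumptions made for this example. Constructed sample yum output is embedded so the classifier can be exercised without a yum, Satellite or BigFix in reach.

```shell
#!/bin/sh
# Added example (not the poster's script, not BigFix code): run "yum -y update",
# keep a per-run log, rotate old logs, and write a one-line status file that an
# inventory tool or BigFix Analysis can read to find hosts needing attention.
# All paths and names below are assumptions for the example.

LOG_DIR="${LOG_DIR:-/var/log/patching}"   # assumed location for run logs
KEEP_RUNS="${KEEP_RUNS:-12}"              # assumed: keep the last 12 run logs

# Count lines in a captured yum run that indicate a failed or incomplete
# transaction. The patterns are typical yum messages; extend for your site.
count_yum_errors() {
  grep -c -E '^(Error|Transaction check error|Transaction Test Failed|Public key for .* is not installed)' "$1" || true
}

# Reduce a yum exit code plus its captured output to one status word, so the
# reporting side (e.g. an Analysis property) does not parse the whole log.
classify_run() {
  rc="$1"; log="$2"
  errs=$(count_yum_errors "$log")
  if [ "$rc" -ne 0 ] || [ "$errs" -gt 0 ]; then
    echo "ERROR rc=$rc errors=$errs"
  elif grep -q '^No packages marked for update' "$log"; then
    echo "NOTHING"
  elif grep -q '^Complete!' "$log"; then
    echo "OK"
  else
    echo "UNKNOWN rc=$rc"
  fi
}

# Keep only the newest $KEEP_RUNS logs named yum-*.log in $1 (names are
# generated by run_patch, so they contain no whitespace).
rotate_logs() {
  ls -1t "$1"/yum-*.log 2>/dev/null | tail -n +$((KEEP_RUNS + 1)) | xargs -r rm -f --
}

# Run the update and record the outcome. Not executed by the self-test; call
# this from the maintenance-window cron job.
run_patch() {
  ts=$(date +%Y%m%d-%H%M%S)
  log="$LOG_DIR/yum-$ts.log"
  mkdir -p "$LOG_DIR"
  yum -y update >"$log" 2>&1
  rc=$?
  printf '%s %s\n' "$ts" "$(classify_run "$rc" "$log")" > "$LOG_DIR/last-run.status"
  rotate_logs "$LOG_DIR"
  return "$rc"
}

# Constructed sample yum outputs (not real captures) so classify_run can be
# tried offline. Writes ok.log, nothing.log and error.log into directory $1.
write_sample_logs() {
  mkdir -p "$1"
  cat > "$1/ok.log" <<'EOF'
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
Updated:
  bash.x86_64 0:4.2.46-34.el7

Complete!
EOF
  cat > "$1/nothing.log" <<'EOF'
Loaded plugins: fastestmirror
No packages marked for update
EOF
  cat > "$1/error.log" <<'EOF'
Loaded plugins: fastestmirror
Resolving Dependencies
Error: Package: foo-1.0-1.el7.x86_64 (internal)
           Requires: libbar.so.1()(64bit)
 You could try using --skip-broken to work around the problem
EOF
}

# "patch.sh run" performs the real update; with no argument it only defines
# the functions above.
if [ "${1:-}" = "run" ]; then
  run_patch
fi
```

The status file is deliberately one line, so the reporting side only needs a property that reads the first line of /var/log/patching/last-run.status (in BigFix that would be an Analysis property built on the file-line inspectors; check the inspector reference for your client version) and a Web Reports filter on lines starting with ERROR. Because the script records yum's exit code as well as grepping the output, a run that fails before yum prints any package summary still shows up as ERROR rather than being missed.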

I want to eliminate Satellite completely from the picture. There is no point in having BigFix and Satellite do the same work. And let yum talk to BigFix to patch the server.

In the current case BigFix doesn’t patch or host any repos… yum talks to Satellite and patches the server.

If you have internal patch repositories, you can configure the BigFix endpoints to use them with the “Manage custom repositories” dashboard.

Otherwise, in the default configuration you would use the RHSM Download Plugin to have your BigFix root server automatically download packages from Red Hat Subscription Manager when the clients request them.

Only the root server needs access to RHSM, and downloads are cached and distributed through the normal relay hierarchy.

Tens of thousands of clients shouldn’t be a problem, we can definitely handle that kind of scale. There are some manual configuration steps you need to take to register your RHSM entitlement certificates for the plugin on the root server. Let us know if you can’t find the documentation and we can help with links.

I am thinking about what the flow of execution of the patching will be if BigFix has the RHSM plugin configured.

We have a cron job, which depends on the maintenance windows, that in the end runs “yum update” if any patches are available.
# Puppet Name: Monthly maintenance: patch & restart instance
# (% is escaped with a backslash because cron otherwise treats it as a newline)
3 23 8-14 * * [ "$(date +\%A)" = 'Wednesday' ] && /usr/local/scripts/monthlyMaint.sh

We do have an internal repo (/etc/yum.repos.d/xyz.repo).
We can’t change that flow of execution from the server. Where does BigFix fit in this picture?

Historically, you’d select the Fixlets from one of the “Patches for RHEL” sites, create baselines from them, and in that way specify which patches to install.

The easier way now would be to use Patch Policies (in the WebUI) to automatically send actions (based on your criteria for severity, category, etc., executed on the schedule you specify, on the machine groups you target, etc.).

The way to most directly do what you’re doing now would be to action the “Run yum command with RHSM Plugin” or “Run yum command” (to use your internal repo) task and give it the parameters “-y update” to update everything available.

I don’t think it is doable with BigFix. We can’t change anything regarding the patching process the way it’s laid out right now.

The only thing I am trying to do is eliminate Satellite from the picture and replace it with BigFix/RHSM.

The cron script needs to stay there. We can’t move away from that process. We can’t take action on BigFix Fixlets etc. to patch the server either.

Patching has to be initiated from the client via cron using “monthlyMaint.sh”.

Well that’s a pretty limited solution space then.

What you may need is BIFF. Check out https://dilbert.com/strip/1995-05-28