RedHat Patching

Hi Guys,

I'm trying to get my head around RedHat Patching. My understanding is most of the patch content is reliant on YUM so if a server isn’t registered it can’t get content. Additionally unless I create a custom repository on every subnet my relay infrastructure for Patching is useless. Am I missing something? Either way this has next to zero documentation that I can find. Any advice or help would be greatly appreciated.

I’m getting this error in the bigfix console

Invalid action content: the action script contains a syntax error.
This action has been applied 1 time and will not be applied again.

and

[Thu Jul 30 10:26:37 EDT 2015] 15148301 Yum Dependency Resolution Failure:
[Thu Jul 30 10:26:37 EDT 2015] 15148301 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package libuser-0.60-7.el7_1.x86_64 available.
Error: Nothing to do

on the client EDR log.

Thanks,

Peter

Hi Peter,

Which RHEL site are you using and which Fixlet did you run? Have you registered a download plug-in?
It might be that the custom repo was configured but the patch isn’t there or the YUM repo wasn’t configured correctly.
If you can pass the logs from the client, that’d be great so we can figure out what happened.

The Patches for RHEL guide is found here:
http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tem.patch.doc_9.2/Patch_Man/Patch_Man_RH/c_introduction.html

The YUM section is found here:
http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tem.patch.doc_9.2/Patch_Man/Patch_Man_RH/c_managing_yum_transactions.html

Kind regards.

Do you know what the site name and the Fixlet ID are?

Hi Chuxin,

One fixlet id is ID 15159801 but it is anything in Current Version 31 http://sync.bigfix.com/cgi-bin/bfgather/patchesforrhel7 named Site Patches for RHEL 7.

FYI CentOS and RedHat 6 Patches are fine.

Thanks,

Peter

I’m running into this same problem. Patching Red Hat with BigFix is new to us. I’ve not seen anything that I missed thus far in the guides. Were you able to get this resolved?

The Red Hat plugin is registered correctly.

EDR_DeploymentResults.txt is below.

cat /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt
[Thu Oct 1 16:55:30 EDT 2015] 15184001 Yum Dependency Resolution Failure:
[Thu Oct 1 16:55:30 EDT 2015] 15184001 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package openldap-2.4.39-7.el7_1.x86_64 available.
Error: Nothing to do
[Thu Oct 1 17:26:08 EDT 2015] 15184001 Yum Dependency Resolution Failure:
[Thu Oct 1 17:26:08 EDT 2015] 15184001 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package openldap-2.4.39-7.el7_1.x86_64 available.
Error: Nothing to do
[Thu Oct 1 21:13:56 EDT 2015] 15184001 Yum Dependency Resolution Failure:
[Thu Oct 1 21:13:56 EDT 2015] 15184001 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package openldap-2.4.39-7.el7_1.x86_64 available.
Error: Nothing to do

My BES Client Log shows an exit code=1 when the install tries to execute.

[root@localhost ~]# tail -f /var/opt/BESClient/__BESData/__Global/Logs/20151001.log
Command succeeded parameter “t2” = “” (action:265504)
Command succeeded parameter “t3” = “” (action:265504)
Command succeeded parameter “t4” = “” (action:265504)
Command succeeded parameter “t5” = “” (action:265504)
Command succeeded parameter “t6” = “” (action:265504)
Command succeeded parameter “packages” = " openldap-2.4.39-7.el7_1.x86_64 " (action:265504)
Command succeeded parameter “EDR_PackageList” = " openldap-2.4.39-7.el7_1.x86_64 " (action:265504)
Command started - wait /bin/bash “/var/opt/BESClient/__BESData/Patches for RHEL 7/InstallPackages.sh” -f “15184001” -m “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_PackageMapping_15184001” -r “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumResolveOutput_15184001” -g “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumConfig_15184001” -e “/var/opt/BESClient/__BESData/Patches for RHEL 7” -l “/var/opt/BESClient/__BESData/Patches for RHEL 7/…/…/EDRDeployData/” openldap-2.4.39-7.el7_1.x86_64 (action:265504)
At 21:53:12 -0400 -
Encryption: optional encryption with no certificate; reports in cleartext
Report posted successfully
At 21:53:12 -0400 - actionsite (http://172.16.0.32:52311/cgi-bin/bfgather.exe/actionsite)
Command succeeded (Exit Code=1) wait /bin/bash “/var/opt/BESClient/__BESData/Patches for RHEL 7/InstallPackages.sh” -f “15184001” -m “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_PackageMapping_15184001” -r “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumResolveOutput_15184001” -g “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumConfig_15184001” -e “/var/opt/BESClient/__BESData/Patches for RHEL 7” -l “/var/opt/BESClient/__BESData/Patches for RHEL 7/…/…/EDRDeployData/” openldap-2.4.39-7.el7_1.x86_64 (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumConfig_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumRepos_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_RepodataSpec_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_PackageSpec_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_PackageMapping_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumResolveOutput_15184001” (action:265504)
Command succeeded delete “/var/opt/BESClient/__BESData/Patches for RHEL 7/EDR_YumFilelists_15184001” (action:265504)
At 21:53:12 -0400 -
ActionLogMessage: (action:265504) ending action
At 21:53:12 -0400 - mailboxsite (http://172.16.0.32:52311/cgi-bin/bfgather.exe/mailboxsite8334962)
Not Relevant - RHSA-2015:1840 - Openldap Security Update - Red Hat Enterprise Linux 7 (x86_64) (fixlet:265504)
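An added example (not part of the original post, and not BigFix code): a small Python parser that collapses repeated entries in EDR_DeploymentResults.txt into one summary per ID with the packages yum could not find. It assumes the entry layout quoted in this thread, where the number after the timestamp is the value passed to InstallPackages.sh with `-f`; the sample text is constructed from the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, using the entry format quoted in the thread.
SAMPLE = """\
[Thu Oct 1 16:55:30 EDT 2015] 15184001 Yum Dependency Resolution Failure:
[Thu Oct 1 16:55:30 EDT 2015] 15184001 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package openldap-2.4.39-7.el7_1.x86_64 available.
Error: Nothing to do
[Thu Oct 1 17:26:08 EDT 2015] 15184001 Yum Dependency Resolution Failure:
[Thu Oct 1 17:26:08 EDT 2015] 15184001 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package openldap-2.4.39-7.el7_1.x86_64 available.
Error: Nothing to do
[Thu Jul 30 10:26:37 EDT 2015] 15148301 Yum Dependency Resolution Failure:
[Thu Jul 30 10:26:37 EDT 2015] 15148301 ____ Yum Output:
Loaded plugins: yum-iemplugin
No package libuser-0.60-7.el7_1.x86_64 available.
Error: Nothing to do
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<id>\d+)\s+(?P<msg>.*)$")
MISSING = re.compile(r"^No package (?P<pkg>\S+) available\.$")

def summarize(text):
    """Return {id: {"attempts": n, "missing": set_of_packages, "last": timestamp}}."""
    out = defaultdict(lambda: {"attempts": 0, "missing": set(), "last": None})
    current = None  # ID of the entry whose yum output is being read
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            current = h["id"]
            if "Dependency Resolution Failure" in h["msg"]:
                out[current]["attempts"] += 1
                out[current]["last"] = h["ts"]  # last one in file order
            continue
        m = MISSING.match(line)
        if m and current is not None:
            out[current]["missing"].add(m["pkg"])
    return dict(out)

if __name__ == "__main__":
    for run_id, info in sorted(summarize(SAMPLE).items()):
        print(f"{run_id}: {info['attempts']} failed attempt(s), "
              f"last {info['last']}, missing {sorted(info['missing'])}")
```

To run it against a real endpoint, pass the contents of /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt to `summarize()` instead of `SAMPLE`.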

On the action page within the console, did it say it cached all the necessary patches for this?

My example is for a Splunk upgrade I’m doing but it tells me all necessary files for the action were cached on the core server.

I see the Downloads status from the first time I deployed the action. Subsequent attempts at deployment do not show the Downloads section in the action.

I noticed that my Red Hat box did not have bzip2 so I installed that (though it’s not mentioned in the documentation as a requirement). No difference.

It clearly seems as though it can’t find the file but I’m not sure how this Red Hat Plugin works. Is the main BES server or Relay actually downloading the file? Or is it the client that is initiating the download? Based on what I see in the client log it seems as though the download plugin is executing on the client. That makes sense as each client needs to be registered with the Red Hat Network.

Did you check the log for the plug-in and see if there are any errors?

Hmm. So the plugin is installed on the Main Bigfix Server. The plugin log is supposed to be in \BES Server\DownloadPlugins\RedHatProtocol\logs. The logs folder (BES Server\DownloadPlugins\RedHatProtocol\logs) exists, but there is no log file in the folder.

Maybe something is wrong with my Plugin. I’ve tried unregistering and re-registering the plugin but that didn’t seem to make a difference.

Edit:
So we found this line in the action script:

if {not exists setting "_BESClient_RHEL_AllowYumDownloads" whose (value of it = "1") of client}
    execute prefetch plug-in "/bin/bash" "{parameter "sitefolder"}/SelectRepoFiles.sh" -m "{parameter "EDR_RepodataManifest"}" -s "{parameter "EDR_RepodataSpec"}" -r "{parameter "EDR_YumRepos"}"

_BESClient_RHEL_AllowYumDownloads was not set on the client. We set it, then re-deployed the fixlet and it worked this time.

I haven’t seen any other reference to _BESClient_RHEL_AllowYumDownloads. We’ll have to look into that setting. It seems to be something related to using custom repositories, which we’re not doing.

Thanks for your help.

Red Hat patching can be used two ways.

1st uses the plug-in. With this you need a subscription with Red Hat with access to their patches. The plugin on the BigFix server downloads the patch from Red Hat. When an endpoint goes to patch it gets the patch files from the BigFix server.

2nd is called Native tools. With this there’s no need for the plugin. When an endpoint goes to patch it just calls yum. Yum uses whatever repos it’s registered with and gets the patches from those. It’s not going through the BigFix server.

Thank you for the reply. I understand the two methods that are available.

I’ve registered the plugin expecting that I would be making use of the first method but it did not seem to work for us as expected. The client always reported that downloads were not available.

We found that the task “Enable Custom Repository - Red Hat Enterprise Linux” sets the client setting “_BESClient_RHEL_AllowYumDownloads” so we deployed that setting to all of our Linux hosts that we’ll be patching. When this setting is enabled Yum is using its configured repos as you mentioned in the 2nd option for Native Tools – this works for us but it doesn’t sound like we’re making use of the BigFix relay infrastructure.

The system we’re testing with is registered with the Red Hat Network directly. This is a RHEL 7 box.

Red Hat 7 does not appear to have a “Native Tools” site like RHEL 5 and 6 do:

Correct, with this config you’re not using BigFix server or relay to cache or distribute patches.
On another thread a similar error to your one about no package available was due to the credentials used in the RedHat plugin not being one that had the correct subscriptions to Red Hat’s content.
– Update –
I should have added if you do want to use the BigFix server and relays you need to disable the custom repository.