Tiny Core Relay

I was originally under the impression that there was going to be a BigFix Relay Virtual Appliance available in 9.5.3. That would have been great. Looking into the Tiny Core, it looks like you have to install the OS first, reference a “Setup Tiny Core Linux Template” PDF which I’ve yet to locate, install the Relay from the ISO, then create a template. That sure isn’t a virtual appliance… Maybe I’m missing something?

I personally set up my Linux relays with a kickstart file, and in that, it downloads a shell script via wget, then runs the script to install the BES agent. After that, you either have some automatic policy settings that install the relay agent and set other affiliation advertisement list settings.

That would be a fun paper to write up. If you have any general questions on how to get that going, let me know.

All of the stuff I have seen is that IBM is providing instructions on creating a virtual appliance with TCL – I haven’t actually seen a virtual appliance yet.

This does a lot of that for the client: https://github.com/jgstew/tools/blob/master/bash/install_bigfix.sh

It doesn’t take much more to make it a relay from there, especially if your relays follow a naming convention, then a policy action could do it for you.

I’m really talking about making relays easier, not using a Tiny Core Relay specifically.

I run the BigFix Client in a docker container for testing using the script above. It should be possible to run a BigFix relay in a docker container as well, though I haven’t tried it.

Now that I have read over the TCL relay instructions, automating a relay on docker seems easier.

Here is the documentation on BigFix Relay on TCL: http://www.ibm.com/support/knowledgecenter/SS6MER_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_tiny_core_introduction.html

I added it to the release post as well: BigFix 9.5 Patch 3 is now available

It seems like these instructions are how to do this from scratch, but there is also an ISO available for download here: http://support.bigfix.com/bes/release/9.5/patch3/

Specifically here: http://software.bigfix.com/download/bes/95/BesInstaller-9.5.3.211-tc.i686.iso

Well now that I read further, it seems the ISO is just the installers for use within TCL.

You can play with TCL on Windows using QEMU very easily: http://willhaley.com/blog/simple-portable-linux-qemu-vm-usb/

Thanks everyone (and thanks for the doc link!). Yes, that same ISO you reference is what I was referencing yesterday. I was expecting an OVF template that would install a fully functional relay. The import template would ask the user for host name, IP address, size of drive to store relay cache, and masthead file. I understand that deploying a Linux based relay isn’t all that difficult, but a “true” virtual appliance as I described just seems like a no-brainer to offer. You would basically be promoting BigFix Admins, that may not be too familiar with Linux, to use a more efficient relay.

@jgstew I never knew they made such a write-up. I have to admit, I have a real problem with this: there are no patch sites for this distro. Yes, by having a “minimal” install, you reduce the footprint of vulnerabilities, but without a good way to patch, vulnerabilities will still exist. Just installing Linux and calling it “good” without accepting that you WILL need to patch them isn’t acceptable in my mind.

@AlexaVonTess As someone who administers 3000+ Linux relays, do NOT use Tiny Core Linux. If you’re looking for free, go CentOS. It would be nice if there was an appliance, but I wouldn’t touch it with a 10-foot pole if it wasn’t supported in BigFix patch.


@AlexaVonTess, @masonje thank you very much for the feedback about the relay on TinyCore.

The development of a true virtual appliance was one option we considered while designing this feature. But we heard some contrasting requirements from customers.
Some customers wanted a very streamlined operating system, with the only services listening on a TCP/IP port being the BigFix agent and relay. Others were interested in installing at least the ssh server. Still others wanted the ability to customize the OS including additional packages, like monitoring components, in order to be able to monitor the health of the relay.

For this reason we decided to deliver a more open solution that allows you to create a relay VM template in just a few steps, but also allows more experienced users to add additional packages and retain control of the content of the VM - usually appliances are quite closed systems.

From the patching point of view, the TinyCore OS includes a very minimal set of packages, and the default installation has no services besides the BigFix ones. This should, on one side, reduce the number of security exposures affecting it, while on the other side it should allow a very simple patching process. While we are still discussing possible future improvements, we currently plan to release a sample script that will allow you to generate an upgrade fixlet for the TinyCore OS components.

Again, thanks for the feedback, which will help us drive future decisions.


Thank you for that response! I did go through the process of building the template and it was straightforward (good documentation as well). I haven’t actually deployed it yet, but will soon.


It isn’t possible to patch TCL as it runs entirely in RAM from an image. You don’t patch it, you instead swap out the image that loads TCL, then it loads extensions (BigFix, others) from storage. It is a very different model of operation that is much closer to how Docker can be used, but on a self-hosted image.
