Frequently asked questions
To better understand Patch Management for SUSE Linux™ Enterprise, read the following questions and answers.
- The Manage Download Plug-ins dashboard is not reflecting any data. What do I do?
- Here are some steps you can do to troubleshoot the issue:
- Gather the latest Patching Support site.
- Activate the Download Plug-in Versions analysis, available from the Patching Support site.
- Clear the BigFix console cache.
- What are superseded patches?
- Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet® is superseded, then a newer Fixlet® exists with newer versions of the packages. The newer Fixlet® ID can be found in the description of the superseded Fixlet®.
- How do I deal with missing patches?
- HCL only provides Fixlet content for patches that are available in Novell Patch Finder and in the supported repositories. For details, see Supported Novell repositories.
- Is there a certain level of Zypper that is needed to use SLE 11 or SLE 12 with the Native tool site?
- No - any version of the installed Zypper works.
- Is there a minimum version of Zypper to install security patches using the CVE number?
- Yes, you must at least use Zypper version 1.5.3-3.2.
- What packages do I need to install on the clients before patching?
- The prerequisite packages that must be installed on the endpoints are zlib and zypper.
- If I have registered the latest plug-ins, why do downloads still fail?
- For product versions 8.0.627, upgrade to the latest version of BigFix to resolve the issue on dynamic downloads whitelist.
- What do I do when action reports back with an 'EDR Plugin failure, Invalid set of initially installed packages?'
- There is at least one conflict between the packages that exist on the system. The resolver will not work until the conflicting packages are removed.
- Why is there XML in the deployment results?
- The XML is from the error output of the resolver when the resolver fails to produce a solution. You can look at the description in the 'errorType tag to gain a better understanding of why the failure occurred.
- What do I do when the deployment results display a 'Dependency Resolver Failure, noSolution?'
- If the resolver finds that there is no solution, the system cannot install all targets and dependencies because of a conflict between these files and the endpoint files.
- What should I consider when using the Endpoint dependency resolution (EDR)?
- The EDR method uses a dependency resolution tool that requires the system to be compliant before it can do calculations. It requires dependencies of all of the installed packages on the system to be satisfied. Some dependency requirements cannot be determined by Fixlet relevance. In some cases, multiple levels of dependencies or conflicting third-party packages can prevent the installation of a Fixlet content. Hence, it is recommended to minimize the number of third-party packages installed on the system.
- If the resolver finds that there is no solution, the system cannot install all targets and dependencies because of a conflict between these files and the endpoint files.
- Dependency graphs are generated every Monday, Wednesday, and Friday.
- Why does the resolver function select a lower priority package over a higher priority one?
- The resolver does not select a preferred package if by selecting that package creates a conflict with another package. Therefore, it is possible for a lower priority package to be selected.
- What do I do when an action reports back with an installation failure?
- Check to see if the conflict is caused by a vendor-acquired package. These must be removed for the installation to occur.
- I am locked out from my Novell account. What do I do?
- One possible reason for an account lock out is due to invalid credentials. Ensure that you use the mirror server configuration from Novell when you register or configure the download plug-in. Account lockouts are common but temporary. Contact Novell Support if you get locked out of your account.
- Why is my action reporting back as a failed download?
- Make sure you update the download plug-in to the latest version and register it with the correct credentials.
- The client logs contains a prefetch plug-in error that prevents the Fixlet from completing successfully. What is causing the error? What should I do?
- The ActionScript that was running on the endpoint might have been blacklisted, causing the prefetch plug-in issue.
- I am not able to patch an Fixlets on endpoints with the /var directory
mounted as
noexec
. What do I do? - For the workaround, see Error when /var is mounted as noexec.
- How do I verify if the SCC download plug-in was registered correctly?
- Run a Fixlet® with an action task to verify if the download plug-in is registered correctly. Verify that the patch download is successful. Otherwise, you might need to unregister the download plug-in and register it again.
- How do I register a download plug-in? Do I use the register download plug-in task or the Manage Download Plug-in dashboard?
- To register a download plug-in, you must use the Manage Download Plug-in dashboard in the
Patching Support site. Existing register download plug-in tasks are being deprecated. To learn more
about plug-in registration, see Registering the SUSE download plug-in or Registering the SCC download plug-in. Note: You must also use the Manage Download Plug-in dashboard to unregister and configure download plug-ins. For more information about the dashboard, see the topic on Manage Download Plug-ins dashboard in the BigFix content in HCL Knowledge Base.
- I was expecting the password to be obfuscated, but it's still in clear text. Why is that?
- Check if your download plug-in version is earlier than 2.0. If so, you are still using an old version of the download plug-in that stores credentials in clear text. To encrypt credentials, upgrade your download plug-in to version 2.0 or later from the Manage Download plug-ins dashboard in the Patching Support site.
- Which file could tell me why the mirror server is not working?
- To check whether the issue is due to an incorrect URL or mirror server credentials, check the
plugin.ini
file at <BES Server directory>/DownloadPlugins/SCCProtocol. - Can I configure the SCC Download Plug-in to only use the extended repository list?
- Yes, you can by setting the
onlyUseExtendedRepoListFile
flag in theplugin.ini
to yes. - I am not able to install any packages since I upgraded to the SCC Plug-in. All tasks result in the following line: Failed add prefetch item {concatenation " ; " of lines of file (parameter "EDR_PkgRequest")}. What is wrong?
- The BigFix Enhanced Security option -requireSHA256Downloads or Require SHA-256 Downloads option in the BigFix Administration tool might be enabled. This option configures all download verification to use only the SHA-256 algorithm. The SCC download plug-in might fail due to certain SUSE repository metadata, which do not contain SHA-256 values for the packages in the repository, that are used by the plug-in.
- Where should I save the extended repository list file?
- The file can be stored in any location the download plug-in has access to. You must ensure that the BigFix Server has permissions to access the location.
- I have a subscription for extension products, such as the SUSE Linux Enterprise Software Developer Kit 12, can I configure the SCC Download Plug-in to access their assigned repositories?
- Yes, you can. For more information, see Extending the SCC download plug-in.
- What happens if I edit the
DLSuSERepoList.json
file with more repositories? - The changes that you make will be deleted when BigFix refreshes the Patching Support site as the file will be overwritten.
- Can I reconfigure the SCC download plug-in proxy after registration?
- Yes, you can update the proxy settings and mirror credentials by configuring the download plug-in from the Manage Download Plug-ins dashboard.
- Will the SCC download plug-in configuration file (
plugin.ini
) be overwritten when there is a newer version of the download plug-in? - No, the configuration file will not be overwritten. The only time the configuration file is overwritten is when the download plug-in is reconfigured.
- Where can I find the log for the SCC Download Plug-in? What are the possible log levels
- Logging is controlled by the
plugin.ini
file. It is located with the download plug-in executable. By default, it is located in %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol on Windows systems. On Linux system, it is in /var/opt/BESServer/DownloadPlugins/SCCProtocol. The log file is rotated on a daily basis, which means that a new log file is created and the old log file is renamed with the date that it is created from. - Can I set the log level for the SCC Download Plug-in?
- You can set the download plug-in to generate log messages depending on level of information that
you need.
The logging level determines the amount of detail that the SCC download plug-in writes to the log files. Set the logging level in the %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol\plugin.ini file.
Note: Logging level values are case-sensitive.The following logging levels are listed in order of increasing amount of information logged:
- ERROR
- Contains errors related to the execution of the download plug-in, which might indicate an impending fatal error.
- WARNING
- Contains information about failed downloads, and reasons for failure.
- INFO
- Contains general information outlining the progress and successful downloads, with minimal tracing information.
- DEBUG
- Contains fine-grained information used for troubleshooting issues. This is the most verbose
level available.Note: Setting the logging level to DEBUG increases the amount of information to log, which might have an impact on performance. You must only increase the logging level to DEBUG when investigating an issue.
- When troubleshooting, what do the exit codes mean?
- Exit codes 251 and 252 require you to contact HCL BigFix Support as the nature of the issue is unexpected and might be unique to your environment. Ensure that you provide the appropriate download plug-in log from %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol and the deployment log from /var/opt/BESClient/EDRDeployData.
- Is there a way to keep the EDR logs from being deleted?
- Edit the actionscript of the Fixlet and set
debug_level
in the action to 10 to keep the logs.
- An action failed and the EDR logs do not give any information about the failing action. How do I troubleshoot?
- In the Fixlet action, set the
debug_level
to 10 to retrieve more information for debugging, and rerun the Fixlet.
- An action failed and the logs contain Zypper-specific errors. How do I troubleshoot?
- For more information about Zypper and errors that are related to it, see the Zypper documentation at http://www.suse.com and the Zypper-related articles in the Novell Customer Center.
- How can I improve the download speed when I download packages with the download plug-in?
- You can improve the package download speed in the following ways:
- Your local mirror must follow this URL
structure: <localmirror_server>/repo/$RCE/<name_of_the_repo>
For more information about how to create mirrors, see https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring.html
- Use the Novell mirror server, which is at the nu.novell.com directory. Credentials for this mirror server can be obtained from Novell Customer Center. For more information, see https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring_getcredentials.html
- Your local mirror must follow this URL
structure: <localmirror_server>/repo/$RCE/<name_of_the_repo>
- What must I do if I see an error similar to the following error message?
-
Hard failure exit code 'execute prefetch plug-in' "/bin/bash" "{parameter "sitefolder"}/ResolveDependencies.sh"...." (action 159317) Exited with exit code of 2
- What are the configuration settings that Zypper use?
- The SUSE Fixlet sites use all the Zypper settings in /etc/zypp/zypp.conf.
- Which versions of BigFix support custom repositories for SUSE?
- BigFix V8.2 and later support custom repositories for SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server versions 11 and 12.
- What is a custom repository?
- The term custom repository refers to any software repository that is not natively supported by the Novell Customer Center. Custom repositories give you the benefit of being able to control exactly what is in the repository. In the SLE Custom Repository Management dashboard, the term custom repository can refer to a repository or the Subscription Management Tool (SMT).
- What is the purpose of a repository?
- A repository is a storage location that contains a collection of packages and metadata for the available packages. These repositories can be on online servers, CDs, DVDs, or on other media.
- What is SMT?
- SMT stands for Subscription Management Tool. It provides a repository and registration target that is synchronized with Novell Customer Center. With the SMT, enterprise customers are able to optimize the management of SUSE Linux Enterprise software updates and subscription entitlements. For more information about SMT, see https://www.suse.com/documentation/smt11/.
- What are the logs that I can use to troubleshoot the SLE Custom Repository Management dashboard?
- You can refer to the following log files to troubleshoot the dashboard:
- /var/opt/BESClient/EDRDeployData/register-repo.log
- /var/opt/BESClient/EDRDeployData/register-SMT.log
- /var/opt/BESClient/EDRDeployData/unregister-repo.log
- /var/opt/BESClient/EDRDeployData/unregister-SMT.log
- What version of Zypper is required to use the SLE Custom Repository Management dashboard?
- No minimum requirement. All Zypper versions that are used in SUSE Linux Enterprise version 11 works.
- How do I create a repository?
- To learn about creating repositories, see the SUSE documentation:
- SUSE Linux Enterprise Desktop 11 Deployment Guide at https://www.suse.com/documentation/sled11/book_sle_deployment/data/sec_y2_sw_instsource.html
- SUSE Linux Enterprise Server 11 Deployment Guide at https://www.suse.com/documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html
- SUSE Linux Enterprise Desktop 12 Deployment Guideat https://www.suse.com/documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html
- SUSE Linux Enterprise Server 12 Deployment Guide at https://www.suse.com/documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html
- Can I deploy patches using the native tools method and the custom repository at the same time? Can the two methods co-exist?
- The two methods can exist together. However, when you deploy patches for single clients, you must choose between using the native tools or through the custom repository method. The two methods cannot co-exist on a single client.
- Can I reconfigure a repository that I previously configured?
- Yes, you can reconfigure a previously configured repository by using the
clientSetup4SMT.sh
script. It is provided with SMT to configure endpoints to use the SMT server or to reconfigure it to use a different SMT server.
- From the logs, can I tell if I am using the normal Zypper process to the SMT or repository in the log?
- Yes, the log indicates if the normal Zypper process is used for either a standard repository or SMT.
- What is the difference between registering a repository and importing a repository?
- Use the import feature if you have existing repositories that are not included in the Repositories list in the dashboard. Use the register feature if you already have a repository in the Repository list, but you still need to link the repository with the endpoint.
- What happens when the repository does not contain the package?
- When a package is not found, the Fixlet fails. You can troubleshoot from /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt, which is where the Zypper output is logged.
- What happens if there are issues with the custom repository solution?
- You can revert to the standard BigFix server solution by running the Disable custom repository support - SUSE Linux Enterprise task.
- How are dependencies resolved?
- Dependencies are resolved by Zypper.
- Are the repositories that are listed in the second table of the Endpoints tab in the SLE Custom Repository Management dashboard used in sequence?
- There is no sequence in the repositories that are listed in the Endpoints tab, even if you specified the priority as an extra note when you registered the repository. When Zypper queries the repositories, the repository that first gets the fetch query replies, including the package and its dependencies.
- Through the SLE Custom Repository Management dashboard, I deployed a patch by using a custom repository that is not a mirror of the vendor site. The deployment action failed and the logs indicate that the files cannot be opened. What must I do?
- When you use a custom repository that is not a mirror of the vendor site, it is possible that the default gpgcheck is being done as part of the installation. The GPG signature files might not be included in the repository. The files are not checked for authenticity and might cause the installation to fail. To resolve this issue, ensure that when you register the endpoints in the SLE Custom Repository Management dashboard, you add gpgcheck=0 to Additional Fields.
- Can I install several custom packages using the installation tasks?
- Yes, you can install several custom packages with the available tasks. Use a space to separate the package names.
- Is bandwidth throttling available in a custom repository architecture?
- Bandwidth throttling is not supported in a custom repository architecture because it is outside the BigFix infrastructure.
- I tried deploying Fixlets from a custom site, but it failed. Why is that? What should I do?
- The Fixlet site name is hardcoded in the relevance of the Fixlets because the relevance can only accept one value. Therefore, if you want to deploy custom Fixlets, ensure that your endpoints are subscribed to the original Fixlet site so that they can grab all the relevant site files.
- How can I install custom packages that are on the custom repository?
- You can use the Install packages by using Zypper task that is in the Patching Support site.
- If I update Zypper to 1.5.3-3.2 or later on SUSE Linux Enterprise 11.0, can I install patches using the CVE number?
- Yes, if you are using zypper-1.5.3-3.2 then you can install patches using the CVE number.
- What versions of SUSE Linux Enterprise are supported in the SLE Custom Repository Management dashboard?
- The SLE Custom Repository Management dashboard supports SUSE Linux Enterprise Desktop and Linux Enterprise Server versions 11 and 12.
- For SUSE Linux Enterprise 12, why do I need to unregister the repository or SMT before registering an endpoint to a new SMT?
- The new registration information does not overwrite the old registration information for SUSE Linux Enterprise 12, hence you must unregister the endpoint by using the SLE Custom Repository Management dashboard before registration.
- For SUSE Linux Enterprise 12, do I need to delete any files before registering an endpoint to a new SMT?
- You must delete the following files if you do not use the SLE Custom Repository Management
dashboard when unregistering the endpoints:
- /etc/SUSEConnect
- /etc/zypp/credentials.d/*
- Can I perform a rollback on systems with mixed file systems such as ext3 and btrfs?
- The SLE Btrfs Snapshot Management dashboard supports Btrfs file systems
only. Mixed files systems such as
.ext3
and btrfs cannot be rolled back.
- Where can I find information about the Exclude /var/opt/BESClient/* Directory From Snapshots task?
- The log file is located in the directory /etc/snapper/filters/logfiles.txt.
- Which log can I use to troubleshoot the snapshot rollback feature?
- Use the
snapper_rollback.log
file located in the directory var/opt/BESClient/EDRDeployData.
- Which directories need to be excluded from the snapshots to enable rollback?
- To enable the rollback feature from the SLE Btrfs Snapshot Management dashboard, the /var/opt/BESClient/* directories must not be included when taking snapshots.
- Where can I find more information about snaphots?
- See the SUSE Documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html.
- SUSE Linux Enterprise 12 endpoints are not displayed in the SLE Btrfs Snapshot Management dashboard. Why is that?
- The agents for SUSE Linux Enterprise Server or Desktop version 12 are currently available only in BigFix V9.2. Ensure that you are using the specified version.
- The baseline that I ran with the multiple-package installation task completed successfully, but why does it still show as relevant.
- It might be due to the Fixlet components that failed to install the packages with broken dependencies. The Multiple-Package Baseline Installation task, by default, ignores broken dependencies to allow packages without dependency issues to successfully be applied on the target endpoint.
- I ran a baseline with the Multiple-Package Baseline Installation task. How can I view the list of Fixlets that failed in that baseline?
-
You can monitor of the overall progression of the deployment of the baseline and view the status of each sub-action in detail by using the View Action Info dialog.
To access this dialog:
- Click the Action icon in the navigation tree.
- Select an action in the Actions List Panel.
- Select the Computers tab in the Work Area.
- Right-click any computer in the list.
- Either select Show Action Info from the context menu or select Show Action Info from the Edit menu.
- When deploying multiple Fixlets in a baseline, is it possible to skip the broken dependencies and continue with the installation for the rest of the packages?
- The Multiple-Package Baseline Installation task skips packages with
broken dependencies whenever possible. Packages with dependency issues with a SUSE product, such as
SLED-12-0.x86_64, cannot be skipped. Another scenario where packages are not skipped is when
dependency errors occur during installation, as indicated by the following error message:
File conflicts happen when two packages attempt to install files with the same name but different contents
. In such cases, the installation is canceled and no patches will be installed on the endpoints.
- What are the possible causes of failure using the multiple-package baseline installation method?
- The Fixlets might have failed to install due to the following reasons:
- A custom site contained multiple baselines with the multiple-package baseline installation task running at the same time.
- Two or more Fixlets required an update to multiple versions of the same package.
- Two or more Fixlets required an update to the same package dependencies.
- A Fixlet was immediately deployed after a baseline ran the multiple-package installation method. Not enough time was allowed to complete all zypper transactions and refresh the status on the endpoints for the multiple-package installation.
- The zypper tool have not been patched, but a SUSE release package is included in the baseline.
- The Enable the Multiple-Package Baseline Installation feature task must be in the same baseline as the rest of the content. It should be added before the patch Fixlets and multiple-package installation tasks.
- The Multiple-Package Baseline Installation feature only works when both the enable and installation tasks exist in the same baseline. For more information, see Installing multiple packages in a baseline.
- The Enable the Multiple-Package Baseline Installation feature task must be added after any of these cleanup tasks: Delete SUSE 11 Package List File for Multiple-Package Baseline Installation or TROUBLESHOOTING: SUSE 11 Patching Deployment Logs - Cleanup.
- The installation task with the correct SUSE distribution, operating system version, service pack level, and architecture must be added at the end of the baseline.
- My endpoints are on air-gapped environment, how should I configure BigFix to patch these endpoints?
- For air-gapped environments, ensure to mirror the supported SUSE repositories that host the
packages needed to patch the endpoints. To do this, use the SCC download cacher to build the local
repository on a location which the BigFix server has access to. This location is known as the local
cache.Note: The local cache must contain all the required repositories to avoid dependency resolution issues.
Configure the download plug-in configuration file,
plugin.ini
, to use the local cache when downloading files during deployment. Follow these steps:- Set the local cache configuration,
localCache
, to the location of the files that were downloaded using the download cacher tool.Note: This location must be accessible to the BigFix server. - Set the
localCacheOnly
flag toyes
. to download files from the download cache only and not from the vendor site.
- Set the local cache configuration,
- What to do when Fixlets fail to install with the following message in the EDR log? "Warning: Nothing to install. Please check if you are using the latest kernel."
- This message appears only in case of Fixlets that deploy kernel packages. A kernel Fixlet
becomes relevant if the endpoint does not have the target kernel package installed or if the
endpoint's active kernel is at a lower version than the target kernel package. An endpoint is
still considered subject to kernel vulnerabilities even if it has the latest kernel installed
but not using it
actively.
To remediate the issue, restart the endpoint and ensure it is using the latest kernel available.