Frequently asked questions

To better understand Patch Management for SUSE Linux Enterprise, read the following questions and answers.

The Manage Download Plug-ins dashboard is not reflecting any data. What do I do?
Try the following steps to troubleshoot the issue:
  • Gather the latest Patching Support site.
  • Activate the Download Plug-in Versions analysis, available from the Patching Support site.
  • Clear the BigFix console cache.
What are superseded patches?
Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet® is superseded, then a newer Fixlet® exists with newer versions of the packages. The newer Fixlet® ID can be found in the description of the superseded Fixlet®.
How do I deal with missing patches?
HCL only provides Fixlet content for patches that are available in Novell Patch Finder and in the supported repositories. For details, see Supported Novell repositories.
Is there a certain level of Zypper that is needed to use SLE 11 or SLE 12 with the Native tool site?
No - any version of the installed Zypper works.
Is there a minimum version of Zypper to install security patches using the CVE number?
Yes, you must at least use Zypper version 1.5.3-3.2.
What packages do I need to install on the clients before patching?
The prerequisite packages that must be installed on the endpoints are zlib and zypper.
If I have registered the latest plug-ins, why do downloads still fail?
For product versions 8.0.627, upgrade to the latest version of BigFix to resolve the dynamic downloads whitelist issue.
For product versions later than 8.0.627, verify your existing download plug-in configuration. Verify that the Novell credentials, proxy settings, and mirror server settings are valid.
What do I do when an action reports back with 'EDR Plugin failure, Invalid set of initially installed packages'?
There is at least one conflict between the packages that exist on the system. The resolver will not work until the conflicting packages are removed.
Why is there XML in the deployment results?
The XML is from the error output of the resolver when the resolver fails to produce a solution. You can look at the description in the errorType tag to gain a better understanding of why the failure occurred.
What do I do when the deployment results display 'Dependency Resolver Failure, noSolution'?
If the resolver finds that there is no solution, the system cannot install all targets and dependencies because of a conflict between these files and the endpoint files.
What should I consider when using the Endpoint dependency resolution (EDR)?
The EDR method uses a dependency resolution tool that requires the system to be compliant before it can do calculations. It requires dependencies of all of the installed packages on the system to be satisfied. Some dependency requirements cannot be determined by Fixlet relevance. In some cases, multiple levels of dependencies or conflicting third-party packages can prevent the installation of a Fixlet content. Hence, it is recommended to minimize the number of third-party packages installed on the system.
If the resolver finds that there is no solution, the system cannot install all targets and dependencies because of a conflict between these files and the endpoint files.
Dependency graphs are generated every Monday, Wednesday, and Friday.
Why does the resolver function select a lower priority package over a higher priority one?
The resolver does not select a preferred package if selecting that package creates a conflict with another package. Therefore, it is possible for a lower priority package to be selected.
What do I do when an action reports back with an installation failure?
Check to see if the conflict is caused by a vendor-acquired package. These must be removed for the installation to occur.
I am locked out from my Novell account. What do I do?
One possible reason for an account lockout is invalid credentials. Ensure that you use the mirror server configuration from Novell when you register or configure the download plug-in. Account lockouts are common but temporary. Contact Novell Support if you get locked out of your account.
Why is my action reporting back as a failed download?
Make sure you update the download plug-in to the latest version and register it with the correct credentials.
The client log contains a prefetch plug-in error that prevents the Fixlet from completing successfully. What is causing the error? What should I do?
The ActionScript that was running on the endpoint might have been blacklisted, causing the prefetch plug-in issue.
To resolve this issue, restart the BigFix client to clear the blacklist. To prevent the script from being blacklisted, set the _BESClient_ActionManager_PrefetchPlugInTimeoutSeconds client configuration setting with sufficient time to process the patch. For more information, see Prefetch plug-in error.
I am not able to apply Fixlets on endpoints with the /var directory mounted as noexec. What do I do?
For the workaround, see Error when /var is mounted as noexec.
How do I verify if the SCC download plug-in was registered correctly?
Run a Fixlet® with an action task to verify if the download plug-in is registered correctly. Verify that the patch download is successful. Otherwise, you might need to unregister the download plug-in and register it again.
How do I register a download plug-in? Do I use the register download plug-in task or the Manage Download Plug-in dashboard?
To register a download plug-in, you must use the Manage Download Plug-in dashboard in the Patching Support site. Existing register download plug-in tasks are being deprecated. To learn more about plug-in registration, see Registering the SUSE download plug-in or Registering the SCC download plug-in.
Note: You must also use the Manage Download Plug-in dashboard to unregister and configure download plug-ins. For more information about the dashboard, see the topic on Manage Download Plug-ins dashboard in the BigFix content in HCL Knowledge Base.
I was expecting the password to be obfuscated, but it's still in clear text. Why is that?
Check if your download plug-in version is earlier than 2.0. If so, you are still using an old version of the download plug-in that stores credentials in clear text. To encrypt credentials, upgrade your download plug-in to version 2.0 or later from the Manage Download plug-ins dashboard in the Patching Support site.
Which file could tell me why the mirror server is not working?
To check whether the issue is due to an incorrect URL or mirror server credentials, check the plugin.ini file at <BES Server directory>/DownloadPlugins/SCCProtocol.
Can I configure the SCC Download Plug-in to only use the extended repository list?
Yes. Set the onlyUseExtendedRepoListFile flag in the plugin.ini file to yes.
I am not able to install any packages since I upgraded to the SCC Plug-in. All tasks result in the following line: Failed add prefetch item {concatenation " ; " of lines of file (parameter "EDR_PkgRequest")}. What is wrong?
The BigFix Enhanced Security option -requireSHA256Downloads, or the Require SHA-256 Downloads option in the BigFix Administration tool, might be enabled. This option configures all download verification to use only the SHA-256 algorithm. The SCC download plug-in might fail because some of the SUSE repository metadata that it uses does not contain SHA-256 values for the packages in the repository.
Consider disabling the Require SHA-256 Downloads option to successfully deploy a patch. Security and package integrity are not compromised because another layer of checking and verification is done using the GPG signature of the package. For more information about the download option, refer to the BigFix Platform Installation Guide.
Where should I save the extended repository list file?
The file can be stored in any location the download plug-in has access to. You must ensure that the BigFix Server has permissions to access the location.
I have a subscription for extension products, such as the SUSE Linux Enterprise Software Developer Kit 12, can I configure the SCC Download Plug-in to access their assigned repositories?
Yes, you can. For more information, see Extending the SCC download plug-in.
What happens if I edit the DLSuSERepoList.json file with more repositories?
The changes that you make will be deleted when BigFix refreshes the Patching Support site as the file will be overwritten.
Can I reconfigure the SCC download plug-in proxy after registration?
Yes, you can update the proxy settings and mirror credentials by configuring the download plug-in from the Manage Download Plug-ins dashboard.
Will the SCC download plug-in configuration file (plugin.ini) be overwritten when there is a newer version of the download plug-in?
No, the configuration file will not be overwritten. The only time the configuration file is overwritten is when the download plug-in is reconfigured.
Where can I find the log for the SCC Download Plug-in? What are the possible log levels?
Logging is controlled by the plugin.ini file. It is located with the download plug-in executable. By default, it is located in %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol on Windows systems. On Linux systems, it is in /var/opt/BESServer/DownloadPlugins/SCCProtocol. The log file is rotated on a daily basis, which means that a new log file is created and the old log file is renamed with the date on which it was created.
Can I set the log level for the SCC Download Plug-in?
You can set the download plug-in to generate log messages depending on the level of information that you need.

The logging level determines the amount of detail that the SCC download plug-in writes to the log files. Set the logging level in the %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol\plugin.ini file.

Note: Logging level values are case-sensitive.

The following logging levels are listed in order of increasing amount of information logged:

ERROR
Contains errors related to the execution of the download plug-in, which might indicate an impending fatal error.
WARNING
Contains information about failed downloads, and reasons for failure.
INFO
Contains general information outlining the progress and successful downloads, with minimal tracing information.
DEBUG
Contains fine-grained information used for troubleshooting issues. This is the most verbose level available.
Note: Setting the logging level to DEBUG increases the amount of information to log, which might have an impact on performance. You must only increase the logging level to DEBUG when investigating an issue.
When troubleshooting, what do the exit codes mean?
Exit codes 251 and 252 require you to contact HCL BigFix Support as the nature of the issue is unexpected and might be unique to your environment. Ensure that you provide the appropriate download plug-in log from %PROGRAM FILES%\BigFix Enterprise\BES Server\DownloadPlugins\SCCProtocol and the deployment log from /var/opt/BESClient/EDRDeployData.
The other exit codes are based on the official Zypper exit codes. To view the definition, run zypper man from the command prompt.
Is there a way to keep the EDR logs from being deleted?
Edit the actionscript of the Fixlet and set debug_level in the action to 10 to keep the logs.
An action failed and the EDR logs do not give any information about the failing action. How do I troubleshoot?
In the Fixlet action, set the debug_level to 10 to retrieve more information for debugging, and rerun the Fixlet.
The last six lines of the deployment and test actions are intended to delete the temporary files that were created during the action execution. If the deployment logs do not give information about the reason for the failure, delete the following two lines to troubleshoot:
  • To see the Zypp configuration that is used during the action, delete {parameter "EDR_ZyppConfig"}
  • To see the Zypper output that is generated during the dependency resolution, delete {parameter "EDR_ZypperResolveOutput"}
When these two lines are deleted, the following files are placed in the site folder:
  • EDR_ZyppConfig_<Fixlet_id>
  • EDR_ZypperResolveOutput_<Fixlet_id>
An action failed and the logs contain Zypper-specific errors. How do I troubleshoot?
For more information about Zypper and errors that are related to it, see the Zypper documentation at http://www.suse.com and the Zypper-related articles in the Novell Customer Center.
How can I improve the download speed when I download packages with the download plug-in?
You can improve the package download speed in the following ways:
What must I do if I see an error similar to the following error message?
Hard failure exit code 'execute prefetch plug-in' "/bin/bash" 
"{parameter "sitefolder"}/ResolveDependencies.sh"...." 
(action 159317) Exited with exit code of 2
You must complete the following steps:
  1. Open the mentioned bash script and add the following after line 2 of the script:
    set -x                   # trace each command as it runs
    logpath=/path/of/your/choice
    exec >"$logpath" 2>&1    # send stdout and stderr, including the trace, to the log file
  2. Deploy the action immediately after you update the script.
    Note: The client might override the file, so do not wait too long between updating the script and deploying the action.
This procedure creates the file that is mentioned in the log path, with a line-by-line detailed output for the script.
What are the configuration settings that Zypper uses?
The SUSE Fixlet sites use all the Zypper settings in /etc/zypp/zypp.conf.
The following Zypper configuration settings are set to values that come from another file, which is dynamically created during Fixlet execution:
  • cachedir
  • configdir
  • metadatadir
  • packagesdir
  • reposdir
  • repo.add.probe
  • repo.refresh.delay
  • solvfilesdir
Which versions of BigFix support custom repositories for SUSE?
BigFix V8.2 and later support custom repositories for SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server versions 11 and 12.
What is a custom repository?
The term custom repository refers to any software repository that is not natively supported by the Novell Customer Center. Custom repositories give you the benefit of being able to control exactly what is in the repository. In the SLE Custom Repository Management dashboard, the term custom repository can refer to a repository or the Subscription Management Tool (SMT).
What is the purpose of a repository?
A repository is a storage location that contains a collection of packages and metadata for the available packages. These repositories can be on online servers, CDs, DVDs, or on other media.
What is SMT?
SMT stands for Subscription Management Tool. It provides a repository and registration target that is synchronized with Novell Customer Center. With the SMT, enterprise customers are able to optimize the management of SUSE Linux Enterprise software updates and subscription entitlements. For more information about SMT, see https://www.suse.com/documentation/smt11/.
What are the logs that I can use to troubleshoot the SLE Custom Repository Management dashboard?
You can refer to the following log files to troubleshoot the dashboard:
  • /var/opt/BESClient/EDRDeployData/register-repo.log
  • /var/opt/BESClient/EDRDeployData/register-SMT.log
  • /var/opt/BESClient/EDRDeployData/unregister-repo.log
  • /var/opt/BESClient/EDRDeployData/unregister-SMT.log
What version of Zypper is required to use the SLE Custom Repository Management dashboard?
No minimum requirement. All Zypper versions that are used in SUSE Linux Enterprise version 11 work.
How do I create a repository?
To learn about creating repositories, see the SUSE documentation:
Can I deploy patches using the native tools method and the custom repository at the same time? Can the two methods co-exist?
The two methods can exist together. However, when you deploy patches for single clients, you must choose between using the native tools or through the custom repository method. The two methods cannot co-exist on a single client.
Can I reconfigure a repository that I previously configured?
Yes, you can reconfigure a previously configured repository by using the clientSetup4SMT.sh script. It is provided with SMT to configure endpoints to use the SMT server or to reconfigure it to use a different SMT server.
Can I tell from the logs whether I am using the normal Zypper process with the SMT or with a repository?
Yes, the log indicates if the normal Zypper process is used for either a standard repository or SMT.
What is the difference between registering a repository and importing a repository?
Use the import feature if you have existing repositories that are not included in the Repositories list in the dashboard. Use the register feature if you already have a repository in the Repository list, but you still need to link the repository with the endpoint.
What happens when the repository does not contain the package?
When a package is not found, the Fixlet fails. You can troubleshoot from /var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt, which is where the Zypper output is logged.
What happens if there are issues with the custom repository solution?
You can revert to the standard BigFix server solution by running the Disable custom repository support - SUSE Linux Enterprise task.
How are dependencies resolved?
Dependencies are resolved by Zypper.
Are the repositories that are listed in the second table of the Endpoints tab in the SLE Custom Repository Management dashboard used in sequence?
There is no sequence in the repositories that are listed in the Endpoints tab, even if you specified the priority as an extra note when you registered the repository. When Zypper queries the repositories, the repository that first gets the fetch query replies, including the package and its dependencies.
Through the SLE Custom Repository Management dashboard, I deployed a patch by using a custom repository that is not a mirror of the vendor site. The deployment action failed and the logs indicate that the files cannot be opened. What must I do?
When you use a custom repository that is not a mirror of the vendor site, it is possible that the default gpgcheck is being done as part of the installation. The GPG signature files might not be included in the repository. Without them, the files cannot be checked for authenticity, which might cause the installation to fail. To resolve this issue, ensure that when you register the endpoints in the SLE Custom Repository Management dashboard, you add gpgcheck=0 to Additional Fields.
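The gpgcheck=0 setting turns off GPG signature checking for that repository, and the GPG signature is also the integrity check this page relies on when Require SHA-256 Downloads is disabled. The following shell function is an added example, not part of the HCL documentation or product: it lists the zypper repository definitions on an endpoint that explicitly disable the check, so that they can be tracked and kept to a minimum. It assumes that the dashboard's Additional Fields end up in the .repo files under /etc/zypp/repos.d; the repository names and URLs in it are constructed samples.

```shell
#!/bin/sh
# Added example (not HCL or SUSE code): report zypper repository definitions
# that explicitly turn off GPG signature checking with gpgcheck=0.

# audit_gpgcheck [DIR]   (DIR defaults to the standard zypper repo directory)
# Prints "<file> <alias> enabled=<0|1|unset>" for each flagged repository.
# Returns 1 if any repository is flagged, 0 otherwise. A repository that
# does not set gpgcheck at all is not reported.
audit_gpgcheck() {
    dir=${1:-/etc/zypp/repos.d}
    flagged=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        hits=$(awk '
            function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
            function is_false(v) {
                v = tolower(v)
                return (v == "0" || v == "no" || v == "false" || v == "off")
            }
            function report() {
                if (alias != "" && gpg_off)
                    printf "%s %s enabled=%s\n", FILENAME, alias, enabled
            }
            /^[ \t]*[#;]/ { next }                    # comment line
            /^[ \t]*\[.*\][ \t\r]*$/ {                # [alias] starts a repo
                report()
                alias = trim($0)
                alias = substr(alias, 2, length(alias) - 2)
                gpg_off = 0; enabled = "unset"
                next
            }
            index($0, "=") > 0 {
                key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
                val = trim(substr($0, index($0, "=") + 1))
                if (key == "gpgcheck") gpg_off = is_false(val)
                if (key == "enabled")  enabled = is_false(val) ? "0" : "1"
            }
            END { report() }
        ' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            flagged=1
        fi
    done
    return "$flagged"
}

# make_sample_repos DIR: write constructed sample .repo files for the demo.
make_sample_repos() {
    cat > "$1/custom.repo" <<'EOF'
# constructed sample, not from a real system
[inhouse-tools]
enabled=1
baseurl=http://repo.example.internal/inhouse/
gpgcheck=0

[inhouse-old]
enabled=0
baseurl=http://repo.example.internal/inhouse-old/
gpgcheck = No
EOF
    cat > "$1/vendor-mirror.repo" <<'EOF'
[SLES12-Updates]
enabled=1
baseurl=http://repo.example.internal/SLES12-Updates/
gpgcheck=1
EOF
}

# Stand-alone run: audit the constructed sample, which flags two repositories.
sample=$(mktemp -d)
make_sample_repos "$sample"
audit_gpgcheck "$sample" || echo "The repositories above install packages without signature verification."
rm -rf "$sample"
```

To audit a real endpoint, call audit_gpgcheck with no argument; the non-zero return status makes it usable as a compliance check.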
Can I install several custom packages using the installation tasks?
Yes, you can install several custom packages with the available tasks. Use a space to separate the package names.
Is bandwidth throttling available in a custom repository architecture?
Bandwidth throttling is not supported in a custom repository architecture because it is outside the BigFix infrastructure.
I tried deploying Fixlets from a custom site, but it failed. Why is that? What should I do?
The Fixlet site name is hardcoded in the relevance of the Fixlets because the relevance can only accept one value. Therefore, if you want to deploy custom Fixlets, ensure that your endpoints are subscribed to the original Fixlet site so that they can grab all the relevant site files.
If you do not want to stay subscribed to the original Fixlet site but be able to deploy custom Fixlets successfully, complete the following steps:
  1. Make a custom copy of the necessary site files.
  2. Host the site files either in your own custom site or online.
  3. Modify the custom Fixlet appropriately.
How can I install custom packages that are on the custom repository?
You can use the Install packages by using Zypper task that is in the Patching Support site.
For more information, see Installing packages from a custom repository.
If I update Zypper to 1.5.3-3.2 or later on SUSE Linux Enterprise 11.0, can I install patches using the CVE number?
Yes, if you are using zypper-1.5.3-3.2 then you can install patches using the CVE number.
What versions of SUSE Linux Enterprise are supported in the SLE Custom Repository Management dashboard?
The SLE Custom Repository Management dashboard supports SUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server versions 11 and 12.
For SUSE Linux Enterprise 12, why do I need to unregister the repository or SMT before registering an endpoint to a new SMT?
The new registration information does not overwrite the old registration information for SUSE Linux Enterprise 12, hence you must unregister the endpoint by using the SLE Custom Repository Management dashboard before registration.
For SUSE Linux Enterprise 12, do I need to delete any files before registering an endpoint to a new SMT?
You must delete the following files if you do not use the SLE Custom Repository Management dashboard when unregistering the endpoints:
  • /etc/SUSEConnect
  • /etc/zypp/credentials.d/*
Can I perform a rollback on systems with mixed file systems such as ext3 and btrfs?
The SLE Btrfs Snapshot Management dashboard supports Btrfs file systems only. Mixed file systems such as ext3 and btrfs cannot be rolled back.
Where can I find information about the Exclude /var/opt/BESClient/* Directory From Snapshots task?
The log file is located at /etc/snapper/filters/logfiles.txt.
Which log can I use to troubleshoot the snapshot rollback feature?
Use the snapper_rollback.log file located in the directory /var/opt/BESClient/EDRDeployData.
Which directories need to be excluded from the snapshots to enable rollback?
To enable the rollback feature from the SLE Btrfs Snapshot Management dashboard, the /var/opt/BESClient/* directories must not be included when taking snapshots.
Where can I find more information about snapshots?
See the SUSE Documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html.
SUSE Linux Enterprise 12 endpoints are not displayed in the SLE Btrfs Snapshot Management dashboard. Why is that?
The agents for SUSE Linux Enterprise Server or Desktop version 12 are currently available only in BigFix V9.2. Ensure that you are using the specified version.
The baseline that I ran with the multiple-package installation task completed successfully, but why does it still show as relevant?
It might be due to the Fixlet components that failed to install the packages with broken dependencies. The Multiple-Package Baseline Installation task, by default, ignores broken dependencies to allow packages without dependency issues to successfully be applied on the target endpoint.
I ran a baseline with the Multiple-Package Baseline Installation task. How can I view the list of Fixlets that failed in that baseline?

You can monitor the overall progress of the baseline deployment and view the status of each sub-action in detail by using the View Action Info dialog.

To access this dialog:

  1. Click the Action icon in the navigation tree.
  2. Select an action in the Actions List Panel.
  3. Select the Computers tab in the Work Area.
  4. Right-click any computer in the list.
  5. Either select Show Action Info from the context menu or select Show Action Info from the Edit menu.
For more details about the failed Fixlets, check the client log on the target endpoints at /var/opt/BESClient/__BESData/__Global/Logs.
When deploying multiple Fixlets in a baseline, is it possible to skip the broken dependencies and continue with the installation for the rest of the packages?
The Multiple-Package Baseline Installation task skips packages with broken dependencies whenever possible. Packages with dependency issues with a SUSE product, such as SLED-12-0.x86_64, cannot be skipped. Another scenario where packages are not skipped is when dependency errors occur during installation, as indicated by the following error message: File conflicts happen when two packages attempt to install files with the same name but different contents. In such cases, the installation is canceled and no patches will be installed on the endpoints.
What are the possible causes of failure using the multiple-package baseline installation method?
The Fixlets might have failed to install due to the following reasons:
  • A custom site contained multiple baselines with the multiple-package baseline installation task running at the same time.
  • Two or more Fixlets required an update to multiple versions of the same package.
  • Two or more Fixlets required an update to the same package dependencies.
  • A Fixlet was immediately deployed after a baseline ran the multiple-package installation method. Not enough time was allowed to complete all zypper transactions and refresh the status on the endpoints for the multiple-package installation.
  • The zypper tool has not been patched, but a SUSE release package is included in the baseline.
  • The Enable the Multiple-Package Baseline Installation feature task must be in the same baseline as the rest of the content. It should be added before the patch Fixlets and multiple-package installation tasks.
  • The Multiple-Package Baseline Installation feature only works when both the enable and installation tasks exist in the same baseline. For more information, see Installing multiple packages in a baseline.
  • The Enable the Multiple-Package Baseline Installation feature task must be added after any of these cleanup tasks: Delete SUSE 11 Package List File for Multiple-Package Baseline Installation or TROUBLESHOOTING: SUSE 11 Patching Deployment Logs - Cleanup.
  • The installation task with the correct SUSE distribution, operating system version, service pack level, and architecture must be added at the end of the baseline.
My endpoints are in an air-gapped environment. How should I configure BigFix to patch these endpoints?
For air-gapped environments, ensure that you mirror the supported SUSE repositories that host the packages needed to patch the endpoints. To do this, use the SCC download cacher to build the local repository in a location that the BigFix server has access to. This location is known as the local cache.
Note: The local cache must contain all the required repositories to avoid dependency resolution issues.

Configure the download plug-in configuration file, plugin.ini, to use the local cache when downloading files during deployment. Follow these steps:

  1. Set the local cache configuration, localCache, to the location of the files that were downloaded using the download cacher tool.
    Note: This location must be accessible to the BigFix server.
  2. Set the localCacheOnly flag to yes to download files from the download cache only and not from the vendor site.
What do I do when Fixlets fail to install with the following message in the EDR log? "Warning: Nothing to install. Please check if you are using the latest kernel."
This message appears only for Fixlets that deploy kernel packages. A kernel Fixlet becomes relevant if the endpoint does not have the target kernel package installed or if the endpoint's active kernel is at a lower version than the target kernel package. An endpoint is still considered subject to kernel vulnerabilities even if it has the latest kernel installed but is not actively using it.

To remediate the issue, restart the endpoint and ensure it is using the latest kernel available.