Configuring the advanced CentOS Download Plug-in R2 settings
For advanced configurations, manually edit the CentOS Download Plug-in R2 configuration file called plugin.ini.
The plugin.ini file is automatically created when the download plug-in is registered from the Manage Download Plug-in dashboard. It contains the settings for logging and caching, as well as custom configurations for extending the repository list file.
On Linux systems, the file is in the root directory tree occupied by the download plug-in. For example, /var/opt/BESServer/DownloadPlugins/CentOSR2Protocol.
[Logger]
file = logs/CentOSPluginR2.log
level = INFO
[UA]
proxy =
proxyUser =
proxyPass =
primaryRepoListFile = C:\Program Files (x86)\BigFix Enterprise\BES Server\GatherDBData\gather\Patching Support\CurrentSiteData\DLCentOSRepoList.json
extendedRepoListFile =
onlyUseExtendedRepoListFile = no
localCache =
localCacheOnly = no
plugin.ini is divided into sections, which are denoted by square brackets. Ensure that the options are under the correct sections. Moving the options to a different section might result in errors.
Either an absolute path or relative path can be used in the options that require a path: file, primaryRepoListFile, extendedRepoListFile, and localCache. Relative paths are relative to the download plug-in executable directory. By default, the executable file is in the DownloadPlugins\CentOSR2Protocol folder.
Setting the logging level
The logging level determines the amount of detail that is written to the CentOSPluginR2.log file.
- ERROR: Contains errors related to the execution of the download plug-in, which might indicate an impending fatal error.
- WARNING: Contains information about failed downloads, and reasons for failure.
- INFO: Contains general information outlining the progress and successful downloads, with minimal tracing information.
- DEBUG: Contains fine-grained information used for troubleshooting issues. This is the most verbose level available.
[Logger] section of the plugin.ini file.
[Logger]
file = logs/CentOSPluginR2.log
level = INFO
For example, if the logging is set to INFO, the logger outputs any logs for that level and any level above it. In this case, it outputs the INFO, WARNING, and ERROR logs.
Adding an extended repository list file
The CentOS Download Plug-in R2 can be configured to work with repositories that are not officially supported by BigFix, if required.
For more information about configuring the download plug-in to support such repositories, see Extending the CentOS Download Plug-in R2.
Setting the download cache
You can use the download cacher tool to download the packages and repository metadata to a location that you specify.
- Sha1 download capability on air-gapped environments: The download cacher tool is mainly designed to be used for air-gapped environments, which require secure networks and therefore do not have access to the internet to download the files directly from the vendor site.
- Sha1 download capability on an internet-enabled BigFix server: This method is considered best practice for caching packages on environments with a BigFix server that is internet-enabled. The sha1 download capability improves performance by caching the packages directly on the BigFix server's sha1 folder.
- Without the sha1 download capability on an internet-enabled BigFix server: If for some reason you choose not to use the sha1 download capability to cache packages on the BigFix server's sha1 folder, you can use the local cache. For information, see Caching packages on the local cache folder.
Additional validation for download URLs in CentOS download plug-in due to security constraints
- Default allowlist file generation: The CentOS download plug-in generates an allowlist.ini file with the following default content.
  [DomainNames]
  [FileTypes]
  rpm = yes
  xml = yes
- Default file extensions allowed: By default, the CentOS download plug-in permits the download of files with .rpm and .xml extensions. All other file extensions are blocked unless explicitly added to the allowlist.ini file. For example, to allow downloading .txt files, the following entry must be added to the allowlist.ini file:
  [DomainNames]
  [FileTypes]
  rpm = yes
  xml = yes
  txt = yes
- Domain validation: The CentOS download plug-in allows downloads if the URLs are available in either the primaryRepoListFile (such as DLCentOSRepoList.json) or the extendedRepoListFile. For example, if the downloaded URL includes the domain name as localhost, then the following entry should be added to the allowlist.ini file to allow the download:
  [DomainNames]
  localhost = yes
  [FileTypes]
  rpm = yes
  xml = yes
  txt = yes
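The allowlist.ini rules described above can be reviewed before a change is deployed. The following Python sketch is an added example, not BigFix code: it reports what an allowlist.ini enables beyond the rpm and xml defaults and tests a URL against it. The function names, the exact-match comparison of host names and extensions, and the repo_hosts set (host names you have taken from the repository list files, whose format this page does not describe) are assumptions.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlsplit

DEFAULT_FILE_TYPES = {"rpm", "xml"}  # defaults stated on this page

# Constructed sample: the last allowlist.ini shown on this page.
SAMPLE = """\
[DomainNames]
localhost = yes
[FileTypes]
rpm = yes
xml = yes
txt = yes
"""

def load_allowlist(text):
    """Return (domains, file_types) that are set to 'yes' in allowlist.ini text."""
    # Only '=' is a delimiter, so a key containing ':' is not split in two.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    def enabled(section):
        if not cp.has_section(section):
            return set()
        return {k for k, v in cp.items(section) if v.strip().lower() == "yes"}
    return enabled("DomainNames"), enabled("FileTypes")

def audit(text):
    """Summarise what the allowlist opens up beyond the documented defaults."""
    domains, types = load_allowlist(text)
    return {"domains": sorted(domains),
            "extra_file_types": sorted(types - DEFAULT_FILE_TYPES)}

def check_url(url, text, repo_hosts=frozenset()):
    """Return the reasons a URL falls outside the allowlist (empty list = allowed).

    Assumption: a host passes if it is in repo_hosts or in [DomainNames].
    """
    domains, types = load_allowlist(text)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    ext = PurePosixPath(parts.path).suffix.lstrip(".").lower()
    reasons = []
    if host not in domains and host not in repo_hosts:
        reasons.append(f"domain '{host}' is not allowed")
    if ext not in types:
        reasons.append(f"file type '{ext or '(none)'}' is not allowed")
    return reasons
```

Running audit() on each server's allowlist.ini gives a quick list of every domain and extra file type that has been opened up, which is the part worth reviewing when the file changes.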