Patch Management Solution

 Linux Patch Management

-- posted Aug 30, 2021 08:08 AM
Hi Experts,

How are dependency packages handled with the Linux patch deployment?

As I understand it, the dependency packages are downloaded and made available at run time. Is there a way to track this, or has this been changed in newer releases?

i.e. a policy containing CESA-2021:3158 may require a dependency of apache

Kind Regards,
Rufus
Broadcom Employee Arthur Prosso
Hello Sterling!

On SLES we use zypper, on RHEL and CentOS we use yum and dnf (for RHEL >=8) to resolve the dependencies on CLIENT SIDE.
Those rpms that are initially missing on the server are downloaded dynamically and propagated to package servers and the agent which requires them, and finally the agent downloads all the required stuff.
In theory for N client machines one may have N different sets of rpms that will be installed in the scope of the same policy, thus it makes the tracking part very challenging. Even without dependencies in a policy there might be M updates and only K of them will be installed, and K may be different on each client.

On each client you may somehow see what was downloaded and installed from the agent logs (probably more verbosity needs to be added), but this is not a user friendly approach...

We do not have reports showing "what was installed due to policy X rollout on agent Y" in the latest release as well.
You may see the list of installed rpms on agent X in the "Software" section of a Computer view (Manage->Computers).

Please clarify what you mean by tracking and how you envision displaying this tracking info.

Regards,
Artur

Hi Arthur,

Thank you for the response.

We are looking to track if the deployment failed due to missing dependencies. We have a use case where we want to patch ±8000 Linux (Red Hat) servers with Symantec patch management for Linux and have tested this; in a controlled environment it works fine, but I need guidance for the full environment, as when we deploy to production most will fail to install. Now, if I can track that this is due to a timeout in getting the dependencies or any other dependency-related failure, it will help me greatly.

Is there a possibility that if yum has access to the internet the dependencies will be downloaded via the internet instead of waiting for NS?

Kind Regards,
Rufus
Broadcom Employee Arthur Prosso
Hi Sterling!

> I need guidance for the full environment, as when we deploy to production most will fail to install. Now, if I can track that this is due to a timeout in getting the dependencies or any other dependency-related failure, it will help me greatly.

Installation failures:
* First find that "policy X failed on client Y" via the "Linux Software Update Delivery Summary" report.
* SSH to client Y and look for ERROR level messages in the Agent logs:
  "Failed to process Yum transaction ... <detailed YUM/DNF error will be here>"

> Is there a possibility that if yum has access to the internet the dependencies will be downloaded via the internet instead of waiting for NS?
It is impossible in the Patch Solution - it does not require internet connectivity from agents in general. However, NS downloads the package files only once. Then all the 8000 agents will not have to download it from Red Hat.

Regards
Artur
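One way to turn the "SSH to the client and read the agent log" step into something trackable across thousands of hosts, as an added example that is not part of this thread or of the product: a script that scans collected agent log lines for the ERROR entry quoted above and separates dependency-resolution failures from download timeouts. The log line layout, host names and yum error texts are constructed assumptions; only the "Failed to process Yum transaction" message comes from the answer.

```python
import re
from collections import defaultdict

# Constructed sample agent log lines, keyed by host. The timestamp/level layout
# and the yum error texts are assumptions, not the real agent log format.
SAMPLE_LOGS = {
    "srv-web01": [
        "2021-08-30 02:10:11 INFO  Policy 'RHEL-Aug' started",
        "2021-08-30 02:13:40 ERROR Failed to process Yum transaction: Error: "
        "Package: httpd-2.4.6-97.el7.x86_64 Requires: httpd-tools = 2.4.6-97.el7",
    ],
    "srv-db01": [
        "2021-08-30 02:10:12 ERROR Failed to process Yum transaction: Timeout "
        "waiting for package httpd-tools-2.4.6-97.el7.x86_64.rpm from package server",
    ],
    "srv-app01": ["2021-08-30 02:10:13 INFO  Policy 'RHEL-Aug' completed"],
    "srv-app02": [
        "2021-08-30 02:10:14 ERROR Failed to process Yum transaction: Transaction "
        "check error: file /etc/httpd/conf/httpd.conf conflicts between packages",
    ],
}

# Only ERROR-level lines carrying the message named in the thread are failures.
YUM_FAIL = re.compile(r"\bERROR\b.*Failed to process Yum transaction:?\s*(?P<detail>.*)$")

# Ordered: a timeout fetching a dependency is reported separately from a
# resolution failure, which is the distinction the question asks for.
CATEGORIES = [
    ("dependency-download-timeout", re.compile(r"time ?out|timed out", re.I)),
    ("dependency", re.compile(r"Requires|nothing provides|depsolv|dependenc", re.I)),
]

def classify(detail):
    """Map the yum/dnf error text to a coarse failure category."""
    for name, pattern in CATEGORIES:
        if pattern.search(detail):
            return name
    return "other"

def parse_failures(logs):
    """Return {host: [(category, detail), ...]} for hosts whose transaction failed."""
    failures = defaultdict(list)
    for host, lines in logs.items():
        for line in lines:
            match = YUM_FAIL.search(line)
            if match:
                detail = match.group("detail").strip()
                failures[host].append((classify(detail), detail))
    return dict(failures)

def summarize(failures):
    """Count failures per category so a rollout report can show the dependency share."""
    counts = defaultdict(int)
    for entries in failures.values():
        for category, _ in entries:
            counts[category] += 1
    return dict(counts)
```

Feeding it the log lines pulled from each failed client listed in the delivery summary report gives the per-category breakdown the question asks for, without reading every log by hand.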
Hi Arthur,

Thanks for the info.

Do you know, if we use multiple patch policies targeted to different devices, how the dependencies are handled then? i.e. 5 policies (some with the same bulletins, some not) targeted to 5 different servers, running at the same time. The Linux team wants their own admins to schedule their own policies for their own servers.

And what is the default timeout for this? i.e. a 2 hour timeout, then failing the update and moving on to the next one.

Kind Regards,
Rufus
Broadcom Employee Arthur Prosso
Hi Sterling!

> if we use multiple patch policies targeted to different devices, how are the dependencies handled then?
I will try to answer, however I do not completely understand what aspect of "dependencies handling" is asked here.
There are 2 phases of policies "activities" when they arrive
a) RPMs applicability and Download phase - occurs immediately upon policy arrival
b) Execution phase - occurs according to patch cycle schedule or individual policy execution schedule

At phase (a) each device runs its own assessment (based on yum/dnf commands) of what rpm files need to be run in a transaction to install the APPLICABLE updates from the patch policy.
The "rpm download request" handling is transparent from the agent perspective - it does not know whether the RPM is available on NS/package servers or it must YET be downloaded from RedHat to NS/package servers. In either case the download timeout (time after which an agent refuses to wait for the package to be ready) is 2 weeks.
If 2 agents have requested the same rpm which is currently missing on NS, then NS will NOT process the 2nd request until the status of the 1st download request becomes clear. Once the package is ready from the NS standpoint for the 1st agent, it will be also ready for the 2nd one (let's omit the complexity of package servers topology for now).

At the moment I cannot tell exactly "what will happen at phase (b) if not all the required rpms have downloaded yet" - as I have no corresponding environment at my disposal at the moment - was it your major question?

Typically admins enable the policies during the working hours, and the policy will arrive to clients within the following hour. The patch cycle (unless custom) is scheduled to run (execute the installation command line) at night. So there should be several hours available for downloading the missing dependencies from RedHat to NS and propagating them to PSes.


Regards,
Artur

Hi Artur,

Apologies for spelling your name incorrectly after it is visible on the post :-|

> At the moment I cannot tell exactly "what will happen at phase (b) if not all the required rpms have downloaded yet" - as I have no corresponding environment at my disposal at the moment - was it your major question?
YES, this is the major question.

The steps are clear as you explained. There are some use cases where the admins need to patch the server as soon as possible; now this is where some problems creep in, and it would help if we could track, or just baseline, an expected value for the time needed for the dependencies to download (I know that internet speed will also impact this).

I'll test some scenarios to try and see if I can come up with a baseline.

This is something that task-based patching, like we have with Windows, might assist with if it was available.

Thanks for all your input. If you have any visibility on the backline and coming features for Linux patch management, please let me know, or let me know where I could possibly get some.

Cheers,
Rufus