ibm endpoint manager: patch management for suse linux enterprise … · 2015-07-28 · 4 ibm...

IBM Endpoint ManagerVersion 9.2

Patch Management for SUSE LinuxEnterpriseUser's Guide

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 61.

This edition applies to version 9, release 2, modification level 0 of IBM Endpoint Manager (product number5725-C45) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2003, 2015.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

Chapter 1. Overview . . . . . . . . . 1What's new in this update release . . . . . . . 1Supported platforms and updates . . . . . . . 2Supported packages . . . . . . . . . . . . 3Site subscription . . . . . . . . . . . . . 4Download plug-ins . . . . . . . . . . . . 4SUSE Download cacher . . . . . . . . . . . 4Patching methods. . . . . . . . . . . . . 5

Chapter 2. Manage Download Plug-insdashboard overview . . . . . . . . . 9Registering the SUSE download plug-in . . . . . 10Unregistering the SUSE download plug-in . . . . 13Configuring the SUSE download plug-in . . . . 14Migrating the SUSE download plug-in . . . . . 16Upgrading the SUSE download plug-in . . . . . 18

Chapter 3. Custom repositoriesmanagement . . . . . . . . . . . . 21SLE Custom Repository Management dashboard . . 22Adding a repository or SMT. . . . . . . . . 23Registering endpoints to a repository or SMT . . . 25Unregistering endpoints from a repository or SMT 26Deleting repositories or SMTs . . . . . . . . 27Importing repositories or SMTs . . . . . . . . 27Installing packages from a custom repository . . . 28

Chapter 4. Using Patch Managementfor SUSE Linux Enterprise . . . . . . 31Patching using Fixlets . . . . . . . . . . . 31Viewing deployment results . . . . . . . . . 35Manage Preference Lists . . . . . . . . . . 37Using the Preference Lists Dashboard . . . . . 37Retrieving installed RPM package information. . . 43

Chapter 5. SLE Btrfs snapshotmanagement . . . . . . . . . . . . 45SLE Btrfs Snapshot Management dashboardoverview . . . . . . . . . . . . . . . 45Rolling back a snapshot . . . . . . . . . . 47

Appendix A. Support. . . . . . . . . 49

Appendix B. Troubleshooting . . . . . 51

Appendix C. Frequently askedquestions . . . . . . . . . . . . . 55

Notices . . . . . . . . . . . . . . 61Trademarks . . . . . . . . . . . . . . 63Terms and conditions for product documentation. . 64

© Copyright IBM Corp. 2003, 2015 iii

iv IBM Endpoint Manager: Patch Management for SUSE Linux Enterprise User's Guide

Chapter 1. Overview

The IBM Endpoint Manager for Patch Management solution, which includesdeploying a multi-purpose, lightweight agent to all endpoint devices, supports awide variety of device types ranging from workstations and servers to mobile andpoint-of-sale (POS) devices.

What's new in this update releaseThis release of IBM Endpoint Manager for Patch Management contains several newfeatures and enhancements.

Table 1. What's new

Enhancement or Feature Description Resources

Package installation task Custom repositories can give you the flexibility to controlwhat you can deploy on the endpoints in yourenvironment. For example, you can deploy customsoftware that you are hosting in your custom repositories.

Use the Install packages by using zypper task to installsoftware that is in your custom repositories. This task isenhanced to allow you to update all the packages on theendpoint and to install packages based on CVE number.

The Install packages by using zypper task is available onthe Patching Support site.

Chapter 3, “Customrepositories management,”on page 21

“Installing packages froma custom repository” onpage 28

SLE Btrfs SnapshotManagement

Manage Btrfs filesystem snapshots for endpoints that areusing SUSE Linux Enterprise versions 11 SP2 and later.

IBM Endpoint Manager provides the SLE Btrfs SnapshotManagement dashboard to allow you to manage rootsnapshots with the rollback feature to restore to a previoussystem state.

The SLE Btrfs Snapshot Management dashboard isavailable on the Patching Support site.

Chapter 5, “SLE Btrfssnapshot management,”on page 45

“SLE Btrfs SnapshotManagement dashboardoverview” on page 45

“Rolling back a snapshot”on page 47

SLE Custom RepositoryManagement dashboardenhancements

The repository registration feature in the SLE CustomRepository Management dashboard now allows you toenable autorefresh and URI checks.

“Registering endpoints toa repository or SMT” onpage 25


© Copyright IBM Corp. 2003, 2015 1

Previous updates

Table 2. Previous updates

Enhancement or Feature Description Resources

Custom repository support IBM Endpoint Manager now supports custom repositoriesand the Subscription Management Tool (SMT) forpatching SUSE Linux Enterprise Desktop and SUSE LinuxEnterprise Server version 11 endpoints.

Support for custom repositories for patch managementuses existing local repository mirrors and extendedsupport channels to download patches. This solution canalso be used to deliver custom software through IBMEndpoint Manager. For more information, see Chapter 3,“Custom repositories management,” on page 21.


Package manager nativecommand-line interfacesupport

Zypper, which is the default package manager for SLE,replaces the Endpoint Dependency Resolver (EDR)utilities that Patch Management for SLE previously used.

Zypper gives you more flexibility in terms of patchdeployment and provides results that are in parallel withSLE solutions. Use the Patches for SLE 11 Native Toolssite to patch SLE 11 systems because Zypper reducesdependency issues, improves performance, and is morereliable in terms of installing security patches. For moreinformation, see “Patching methods” on page 5.

“Patching methods” onpage 5

Supported platforms and updatesIBM® Endpoint Manager for Patch Management supports a wide range of SUSELinux Enterprise platforms and updates.

Endpoint Manager provides Fixlet content for Novell updates that are undergeneral support. If you acquired the Long Term Service Pack Support (LTSS) andrequire such content, contact IBM Professional Services.

Table 3. Supported platforms and patches for the Patch Management for SUSE

Fixlet Site Name Supported Platform Type of Update

Patches for SLE10 SUSE Linux Enterprise Desktop10 SP3 and SP4 (x86, x86_64)

v Mandatory

v Recommended

v OptionalSUSE Linux Enterprise Server 10SP3 and SP4 (x86, x86_64)

Patches for SLE11 SUSE Linux Enterprise Desktop11 SP1, SP2, and SP3 (x86,x86_64)

SUSE Linux Enterprise Server 11SP1, SP2, and SP3 (x86, x86_64)

Patches for SLE10System Z

SUSE Linux Enterprise Server 10SP3 and SP4 (s390x)

Patches for SLE11System Z

SUSE Linux Enterprise Server 11SP1, SP2, and SP3 (s390x)

2 IBM Endpoint Manager: Patch Management for SUSE Linux Enterprise User's Guide

Table 3. Supported platforms and patches for the Patch Management for SUSE (continued)

Fixlet Site Name Supported Platform Type of Update

Patches for SLE 11Native Tools

SUSE Linux Enterprise Desktop11 SP1, SP2, and SP3 (x86,x86_64)

See “Supported packages” toview the list of Novellrepositories that contain thesupported packages.SUSE Linux Enterprise Server 11

SP1, SP2, and SP3 (x86, x86_64)

Linux RPM Patching Previously listed supportedplatform versions.

Previously listed updates.

Note: Endpoint Manager no longer releases new content Fixlets for SUSE LinuxEnterprise Desktop (SLED) 10 and SUSE Linux Enterprise Server (SLES) 10 sinceNovell ended their general support on July 31, 2013. However, Endpoint Managerstill supports the content Fixlets that were released before this date. If you acquiredextended support with Novell and require Fixlets for the SLES and SLED 10updates, contact IBM Professional Services.

To install x86 or x86_64 SUSE patches, subscribe to the Patches for SLE10, Patchesfor SLE11, and Linux RPM Patching sites. To install SUSE patches for System Z(s390x) endpoints, subscribe to the Patches for SLE10 System Z, Patches for SLE11System Z and Linux RPM Patching sites.

Important: A download plug-in for SUSE must be registered before deployingpatches from the Endpoint Manager console. For more information aboutregistering the download plug-in, see “Registering the SUSE download plug-in” onpage 10.

Supported packagesPatch Management for SUSE Linux Enterprise supports the packages in severalNovell repositories.

The following table lists the repositories that contain the supported packages forthe Patches for SLE 11 Native Tools site.

Table 4. Supported Novell repositories and packages

Operating System and Service Pack Level Repository Name

SUSE Linux Enterprise Server 11 SP3 SLES11-SP3-PoolSLES11-SP3-Updates

SUSE Linux Enterprise Server 11 SP2 SLES11-SP1-PoolSLES11-SP1-UpdatesSLES11-SP2-CoreSLES11-SP2-Updates

SUSE Linux Enterprise Server 11 SP2 SLES11-SP1-PoolSLES11-SP1-Updates

SUSE Linux Enterprise Server 11 SLES11-PoolSLES11-UpdatesSLES11-Extras

SUSE Linux Enterprise Desktop 11 SP3 SLED11-SP3-PoolSLED11-SP3-Updates

Chapter 1. Overview 3

Table 4. Supported Novell repositories and packages (continued)

Operating System and Service Pack Level Repository Name

SUSE Linux Enterprise Desktop 11 SP2 SLED11-SP1-PoolSLED11-SP1-UpdatesSLED11-SP2-CoreSLED11-SP2-Updates

SUSE Linux Enterprise Desktop 11 SP1 SLED11-SP1-PoolSLED11-SP1-Updates

SUSE Linux Enterprise Desktop 11 SLED11-PoolSLED11-UpdatesSLED11-Extras

Site subscriptionSites are collections of Fixlet® messages that are created internally by you, by IBM,or by vendors.

Subscribe to a site to access the Fixlet messages to patch systems in yourdeployment.

You can add a site subscription by acquiring a masthead file from a vendor orfrom IBM or by using the License Overview Dashboard. For more informationabout subscribing to Fixlet sites, see the IBM Endpoint Manager Installation Guide.

For more information about sites, see the IBM Endpoint Manager Console Operator'sGuide.

Download plug-insDownload plug-ins are executable programs that download a specified patch fromthe website of the patch vendor. To ease the process of caching, Fixlets have anincorporated protocol that uses download plug-ins.

For the Fixlet to recognize the protocol, the related download plug-in must beregistered. You must use the Manage Download Plug-ins dashboard to register thedownload plug-in. After you register the plug-in, you can run the Fixlets todownload, cache, and deploy patches from the IBM Endpoint Manager console.

If you already registered the plug-in, you can use the Manage Download Plug-insdashboard to run the update. You must use the dashboard also to unregister andconfigure the download plug-in. For more information about the dashboard, seethe topic on Manage Download Plug-ins dashboard overview.

Note: If you install the download plug-in on relays, it is recommended that youalso install it on the server.

SUSE Download cacherThe SUSE Download Cacher is command-line tool that is designed toautomatically download and cache SUSE patches on the IBM Endpoint Managerserver to facilitate the deployment of SUSE Fixlets.

Important: Use the download cacher tool only if you are using an air-gappedenvironment or if the total number of packages is too large. You can also use the


tool if you want to cache all the downloads for faster execution of actions.Otherwise, use the download plug-in. The preferred method of SUSE patchcaching is to register the SUSE Download Plug-in from the Manage DownloadPlug-ins dashboard. For more information about registration, see “Registering theSUSE download plug-in” on page 10.

The tool uses FTP to download large .zip files and by default, stores them in thesha1 cache folder. You can also choose to store the files in a different existingdirectory. Your environment must be configured to accept FTP use.

You can access the tool by downloading and running it manually. For moreinformation, see the technote in http://www-01.ibm.com/support/docview.wss?uid=swg21506059.

Patching methodsIBM Endpoint Manager offers more flexibility to the patch management solutionby providing patching options that cater to your needs.

IBM Endpoint Manager provides several different methods to manage patches forSUSE Linux Enterprise.

Patching by using the Endpoint Dependency Resolution (EDR)method

Endpoint dependency resolution (EDR) is an approach to UNIX patching wheredependencies for bulletins are calculated dynamically during an action run time.Packages are patched regardless of which packages are already installed on theendpoints.

The following sites use the EDR method:v Patches for SLE10

v Patches for SLE11

v Patches for SLE10 System Z

v Patches for SLE11 System Z

The EDR method uses a dependency resolution tool that requires dependencies ofall of the installed packages on the system to be satisfied. To view the EDR results,see the EDR_DeploymentResults.txt file that is located in the directory <clientfolder>\EDRDeployData\.

With this approach, you can deploy preference lists to endpoints from thePreference Lists Dashboard in the Linux RPM Patching site. For more informationabout preference lists, see “Manage Preference Lists” on page 37.

When dependencies are resolved on the endpoints, there might be multiple validsets of dependencies that satisfy the requirements of the targets. Preference listshelp to decide which requirements to satisfy in these situations. For moreinformation about the dashboard, see “Using the Preference Lists Dashboard” onpage 37.

Patching by using the native tools (Zypper) method

Note: This method applies to patch management for SUSE Linux Enterprise Server11 and SUSE Linux Enterprise Desktop 11 environments only.


http://www-01.ibm.com/support/docview.wss?uid=swg21506059


Zypper is the default package manager for SUSE Linux Enterprise. It gives youmore flexibility in terms of patch deployment and in providing results that aresuitable for SUSE Linux Enterprise solutions. It uses a command-line interface andsimplifies the process of installing, uninstalling, updating, and querying softwarepackages. It is based on ZYpp, also known as libzypp. For more information aboutZypper, see the documentation at http://www.suse.com or see the Novell Supportwebsite at https://www.novell.com/support/.

Zypper reduces dependency issues, improves performance, and is more reliable interms of installing security patches. This method also enables you to use customrepositories for patching. For more information on custom repository support, seeChapter 3, “Custom repositories management,” on page 21.

The Zypper approach is introduced to replace the EDR utilities that PatchManagement for SUSE Linux Enterprise previously used. Subscribe to the Patchesfor SLE 11 Native Tools site to use the Zypper method.

The Zypper native tools implementation has an external dependency on the expectutility. Endpoint Manager provides a task to install the expect utility on systemsthat are configured with Zypper repositories. Task ID 101: Install expect isavailable from the Patches for SLE 11 Native Tools site.

Zypper utility configuration settings

The Patches for SLE 11 Native Tools site uses all the settings in/etc/zypp/zypp.conf.

The following Zypper configuration settings are set to values that comefrom another file, which is dynamically created during Fixlet execution:v cachedir

v configdir

v metadatadir

v packagesdir

v reposdir

v repo.add.probe

v repo.refresh.delay

v solvfilesdir

Identifying file relevance with Native tools content

The native tools captures file relevance in the same way as EDR. Bothmethods check for the relevance clause exist lower version of apackage, but not exist higher version of it. If both tools are applied tothe same deployment, the relevance results are the same.

Patching method matrix

The following table lists the applicable sites and features for each of the patchingmethods that are available for managing your SUSE Linux Enterprise endpoints.

Patching method Applicable sites Applicable features

Endpoint DependencyResolution (EDR)

v Linux RPM Patching

v Patches for SLE10

v Patches for SLE11

v Download Plug-ins

v RPM Deployment

v Preference List


http://www.suse.com

https://www.novell.com/support/

Patching method Applicable sites Applicable features

Native tools (Zypper) v Patching Support

v Patches for SLE 11 NativeTools

v Download Plug-ins

v Custom RepositorySupport


Chapter 2. Manage Download Plug-ins dashboard overview

Use the Manage Download Plug-ins dashboard to oversee and manage downloadplug-ins in your deployment.

You can use the Manage Download Plug-ins dashboard to register, unregister,configure, and upgrade the download plug-ins for different patch vendors. Formore information about these features, see the following topics.

Note: For Windows 2008 and Windows 2012 R2, you must install the latest versionof Shockwave Flash Object to ensure that the dashboard displays properly.

You must subscribe to the Patching Support site to gain access to this dashboard.To view the Manage Download Plug-ins dashboard, go to Patch Managementdomain > All Patch Management > Dashboards > Manage Download Plug-ins.

The dashboard displays all the servers and windows-only relays in yourdeployment. Select a server or relay to view all the plug-ins for that computer. Thedashboard shows you also the version and status for each plug-in in oneconsolidated view.

Figure 1. Patch Management navigation tree


A plug-in can be in one of the following states:v Not Installedv New Version Availablev Up-To-Datev Not Supported

Note: CentOS and SUSE Linux download plug-ins are not supported in relays.

The dashboard has a live keyword search capability. You can search based on thenaming convention of the servers, relays, and plug-ins.

Registering the SUSE download plug-inUse the Manage Download Plug-ins dashboard to register the download plug-infor SUSE Linux.

Before you begin

Note: SUSE Linux download plug-ins are not supported in relays.

You must complete the following tasks:

Figure 2. Manage Download Plug-ins dashboard


v Subscribe to the Patching Support site to gain access to the Manage DownloadPlug-ins dashboard.

v Enable the Encryption for Clients Fixlet on servers and relays for which youwant to register the download plug-in.

v Activate the Encryption Analysis for Clients analysis and Download Plug-inVersions analysis.

When you register the download plug-in on a computer without the plug-in, theplug-in is automatically installed and the configuration file is created.

If a download plug-in is already installed on the computer, the configuration file isoverwritten.

Procedure1. From the Patch Management domain, click All Patch Management >

Dashboards > Manage Download Plug-ins dashboard.2. From the Servers and Relays table, select the server or relay on which the

download plug-in is to be registered.3. From the Plug-ins table, select SUSE Plug-in.4. Click Register. The Register SUSE Plug-in wizard displays.

Chapter 2. Manage Download Plug-ins dashboard overview 11

5. Enter the Novell credentials that you use to log on to the Novell CustomerCenter.

Novell UsernameYour Novell account user name to the Novell Customer Center. Itmust have a valid support identifier to download patches.

Novell PasswordYour Novell account password to the Novell Customer Center.

Confirm Novell PasswordYour Novell account password for confirmation.

Large amounts of downloads through this channel might lock you out of yourNovell account. Use the mirror server to prevent a temporary lock out fromhappening.

6. Optional: Enter the mirror parameters if you want the plug-in to downloadfrom a mirror server.

Figure 3. Register SUSE download plug-in wizard


Mirror URLThe URL of your mirror server. It must be a well-formed URL, whichcontains a protocol and a host name. Leave the field blank to use theNovell mirror server: https://nu.novell.com.

Note: Ensure that you enter your Novell mirror server credentials. If youleave the following fields blank, the download plug-in uses the credentials forthe Novell Customer Center instead.

Mirror UsernameYour proxy user name if your mirror server requires authentication. Itis usually in the form of domain\username.

Mirror PasswordYour proxy password if your mirror server requires authentication.

Confirm Mirror PasswordYour mirror password for confirmation.

7. Optional: Enter the proxy parameters if the downloads must go through aproxy server.

Proxy URLThe URL of your proxy server. It must be a well-formed URL, whichcontains a protocol and a host name. The URL is usually the IPaddress or DNS name of your proxy server and its port, which isseparated by a colon. For example: http://192.168.100.10:8080.

Proxy UsernameYour proxy user name if your proxy server requires authentication. Itis usually in the form of domain\username.

Proxy PasswordYour proxy password if your proxy server requires authentication.

Confirm Proxy PasswordYour proxy password for confirmation.

8. Click OK. The Take Action dialog displays.9. Select the target computer.

10. Click OK.

Results

You successfully registered the SUSE download plug-in.

Unregistering the SUSE download plug-inUse the Manage Download Plug-ins dashboard to unregister the download plug-infor SUSE Linux.



download plug-in is to be unregistered.3. From the Plug-ins table, select SUSE Plug-in.4. Click Unregister.


The Take Action dialog displays.5. Select the target computer.6. Click OK.

Results

You successfully unregistered the SUSE download plug-in.

Configuring the SUSE download plug-inUse the Manage Download Plug-ins dashboard to configure the download plug-infor SUSE.

About this task

You might want to take note of your existing configuration for the downloadplug-in. Existing configurations are overwritten when you configure the downloadplug-in.



download plug-in is to be configured.3. From the Plug-ins table, select SUSE Plug-in.4. Click Configure. The Configure SUSE Plug-in wizard displays.

Figure 4. Unregister the SUSE download plug-in


5. Enter the Novell credentials that you use to log on to the Novell CustomerCenter.

Novell UsernameYour Novell account user name to the Novell Customer Center. Itmust have a valid support identifier to download patches.

Novell PasswordYour Novell account password to the Novell Customer Center.


Large amounts of downloads through this channel might lock you out of yourNovell account. Use the mirror server to prevent a temporary lock out fromhappening.


Figure 5. Configure SUSE download plug-in wizard


Mirror URLThe URL of your mirror server. It must be a well-formed URL, whichcontains a protocol and a host name. Leave the field blank to use theNovell mirror server: https://nu.novell.com.

Note: Ensure that you enter your Novell mirror server credentials. If youleave the following fields blank, the download plug-in uses the credentials forthe Novell Customer Center instead.









8. Click OK. The Take Action dialog displays.9. Select the target computer.

10. Click OK.

Results

You successfully configured the SUSE download plug-in.

Migrating the SUSE download plug-inYou must migrate the SUSE Linux download plug-in if the plug-in version isearlier than 2.0.0.0. You only need to do this once. The download plug-in isupgraded to the latest version after migration.

About this task

You might want to take note of your existing configuration for the downloadplug-in. Existing configurations are overwritten when you migrate the downloadplug-in.




download plug-in is to be migrated.3. From the Plug-ins table, select SUSE Plug-in.4. Click Migrate. The Migrate SUSE Plug-in wizard displays.

5. Enter the Novell credentials that you use to log on to the Novell Support site.

Novell UsernameYour Novell account user name to the Novell Support site. It musthave a valid support identifier to download patches.

Figure 6. Migrate SUSE download plug-in wizard


Novell PasswordYour Novell account password to the Novell Support site.



Mirror URLThe URL of your mirror server. It must be a well-formed URL, whichcontains a protocol and a host name. Leave the field blank to use theNovell mirror servers.









8. Click OK. The Take Action dialog displays.9. Select the target computer on which the download plug-in is to be upgraded.

10. Click OK.

Results

You successfully migrated and upgraded the SUSE download plug-in.

Upgrading the SUSE download plug-inUse the Manage Download Plug-ins dashboard to upgrade the download plug-infor SUSE Linux.



download plug-in is to be upgraded.


3. From the Plug-ins table, select SUSE Plug-in.4. Click Upgrade. The Take Action dialog displays.5. Select the target computer.6. Click OK.

Results

You now have the latest version of the SUSE download plug-in installed.


Chapter 3. Custom repositories management

You can set up your custom repositories and Subscription Management Tool (SMT)to manage patches for SUSE Linux Enterprise version 11 and later. This solutionallows for multiple repositories and SMTs on the entire deployment.

With the custom repository support, the Fixlets in the Patches for SLE 11 NativeTools site can use Zypper to directly download packages from custom repositoriesinstead of going through the Novell Customer Center. Bandwidth throttling is notsupported in a custom repository architecture.

Using custom repositories can give you the flexibility to control what can bedeployed to the endpoints in your deployment. For example, you can deploycustom software that you are hosting in your custom repositories. Use the Installpackages by using Zypper task from the Patching Support site to install softwarethat are in your custom repositories. For more information, see “Installingpackages from a custom repository” on page 28.

Integrating your custom repository or SMT solutions is made easy with the use ofthe SLE Custom Repository Management dashboard.

Differentiating between repository types

The custom support covers both repository and SMT. You can register endpoints toa repository or to an SMT server.

Note: The SLE Custom Repository Management dashboard refers to SMT as oneof the repository types for identification purposes only. The dashboard does notaffect how SMT works.

Ensure that both types of repository are updated. Actions might fail if the packagesare not available.

RepositoryThis type refers to standard software repositories, which are storagelocations that contain a collection of packages and metadata. Theserepositories can be on online servers, CDs, DVDs, or on other media.

The SLE Custom Repository Management dashboard does not add physicalrepositories; you must do this action separately.

SMT With the SMT, enterprise customers can optimize the management of SUSELinux Enterprise software updates and subscription entitlements. SMTprovides a repository and registration target that is synchronized with theNovell Customer Center.

For more information about SMT, see the SUSE documentation athttps://www.suse.com/documentation/smt11/.


https://www.suse.com/documentation/smt11/

SLE Custom Repository Management dashboardUse the SLE Custom Repository Management dashboard to easily integrate yourexisting custom repository or Subscription Management Tool (SMT) solutions withthe IBM Endpoint Manager patch management solution. Only endpoints on SUSELinux Enterprise Desktop and Linux Enterprise Server versions 11 and 12 aresupported in this dashboard.

The SLE Custom Repository Management dashboard allows the Fixlets in thePatches for SLE 11 Native Tools site to use Zypper for downloads instead of usingthe standard IBM Endpoint Manager downloading infrastructure. The dashboardalso allows you to register your custom repositories to use the Zypper commandswhen installing packages on the endpoints.

To access the dashboard, subscribe to the Patching Support site. From the PatchManagement domain, click All Patch Management > Dashboards > SLE CustomRepository Management. Activate the Repository Configuration - SUSE LinuxEnterprise analysis to view the content in the dashboard.

Important: Your custom repositories must be pre-configured with the requiredmetadata and headers before you use the dashboard.

Use the SLE Custom Repository Management dashboard to perform the followingactions for patch management:v Register and unregister endpoints to a repository (custom repositories or SMT

servers)v Add, delete, and import custom repositories and SMT servers to the repository

dashboard list


Note: The SLE Custom Repository Management dashboard does not support thecreation of a physical repository server or SMT. You must create the repositoryseparately. For more information about creating repositories, see the followingresources:v SUSE Linux Enterprise Desktop 11 SP3 Deployment Guide at https://

www.suse.com/documentation/sled11/book_sle_deployment/data/sec_y2_sw_instsource.html

v SUSE Linux Enterprise Server 11 SP3 Deployment Guide at https://www.suse.com/documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html

v SUSE Linux Enterprise Desktop 12 Deployment Guideat https://www.suse.com/documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html

v SUSE Linux Enterprise Server 12 Deployment Guide at https://www.suse.com/documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html

Adding a repository or SMTAdd a custom repository or a Subscription Management Tool (SMT) server into thedashboard repository list so that you can register and connect it to endpoints.

Before you beginv Activate the Repository Configuration - SUSE Linux Enterprise analysis.v Run the Enable custom repository support - SUSE Linux Enterprise task.

Procedure1. From the SLE Custom Repository Management dashboard, click the

Repositories tab.

Figure 7. SLE Custom Repository Management dashboard

Chapter 3. Custom repositories management 23

https://www.suse.com/documentation/sled11/book_sle_deployment/data/sec_y2_sw_instsource.html



https://www.suse.com/documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html


https://www.suse.com/documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html

https://www.suse.com/documentation/sled-12/book_sle_deployment/data/book_sle_deployment.html

https://www.suse.com/documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html

https://www.suse.com/documentation/sles-12/book_sle_deployment/data/book_sle_deployment.html

2. Click Add.3. From the Add a New Repository dialog, select the repository type that you

want to add.

Note: Ensure that the repository settings match the repository serverconfiguration.v If you are adding a standard repository, enter values for the following fields:

– Repository Name

– Repository URL

v If you are adding an SMT server, enter values for the following fields:– SMT Server Name

– SMT Server URL

– clientSetup4SMT script URL

Note: When you enter the SMT Server URL, the clientSetup4SMT script URL isgenerated automatically. This script is provided with SMT to configureendpoints to use the SMT server or to reconfigure it to use a different SMTserver.

Figure 8. Adding a repository

Figure 9. Adding an SMT


4. Click Save.

What to do next

To connect the added repository to an endpoint, see “Registering endpoints to arepository or SMT.”

If you want to add all the known existing repositories of an endpoint, both SMTsand standard repositories, to the dashboard list, use the Import feature. For moreinformation, see “Importing repositories or SMTs” on page 27.

Registering endpoints to a repository or SMTUse the SLE Custom Repository Management dashboard to connect yourrepositories and SMTs to endpoints.

Before you beginv Ensure that the repository settings match the repository server configuration.v Activate the Repository Configuration - SUSE Linux Enterprise analysis.v Run the Enable custom repository support - SUSE Linux Enterprise task.


Endpoints tab.2. Select the endpoints that you want to register to a repository or SMT from the

first table. The repositories or SMTs of the selected endpoints are listed in thesecond table.

Note: When a repository is named as unspecified, it means that it is not listedin the Repository list of the dashboard.

3. Click Register a new repository.4. From the Register a New Repository dialog, select a repository or an SMT and

click Next.

Note: An endpoint can be registered to only one SMT at a time. If an endpointis already registered to an SMT, registering a different SMT overrides theregistration with the existing SMT.v If you selected a repository, you can add more configuration information

from the available options.

Probe given URIChecks the given repository upon registration.

Figure 10. Registering an endpoint to a repository


Enable autorefresh of the repositoryAutomatically refreshes the repository before reading the metadatafrom the database.

Additional FieldsUse the field to add more configuration information for therepository. For example, if you use a repository that is not a mirrorof the vendor site, enter gpgcheck=0 to prevent a patch from failingbecause the files cannot be opened.

v If you selected an SMT, enter the location of the clientSetup4SMT Script.5. Click Save. This information is saved in the Zypper configuration files.6. From the Take Action dialog, select the computers and click OK to deploy the

action.

Unregistering endpoints from a repository or SMTUse the SLE Custom Repository Management dashboard to unregister endpointsfrom repositories or SMTs that are no longer relevant.

Before you beginv Activate the Repository Configuration - SUSE Linux Enterprise analysis.v Run the Enable custom repository support - SUSE Linux Enterprise task.

About this task

When you unregister a repository, the Zypper services and repositories from theendpoint that you selected are removed.

The Zypper configuration file is not deleted, but disabled when an endpoint isunregistered from a standard or SMT repository.

If you unregister an endpoint from an SMT repository, you must log in to the SMTserver and delete the selected computer manually.

Figure 11. Additional configuration fields when registering endpoints to a repository



Endpoints tab.2. Select the endpoints that you want to unregister a repository from.3. Click Unregister a new repository.4. From the Unregister a New Repository dialog, select a repository and click

Save.5. From the Take Action dialog, select the computers and click OK to deploy the

action.

Deleting repositories or SMTsTo manage the dashboard repository list more easily, delete the repositories orSMTs that no longer exist in your deployment.

About this task


Repositories tab.2. Select the repositories that you want to delete and click Delete. A delete

confirmation dialog displays.3. Click Yes to confirm and proceed with the deletion of the selected repositories.

Results

The selected repositories are removed from the list.

Importing repositories or SMTsUse the Import feature of the SLE Custom Repository Management dashboard toadd all the known existing repositories of an endpoint to the list of repositories inthe dashboard.

Before you begin

Activate the Repository Configuration - SUSE Linux Enterprise analysis.


Repositories tab.2. Click Import.3. From the Import Existing Repositories dialog, select the repositories or SMTs

that you want to add in the dashboard repository list.4. Enter a name for the repository.5. Click Save.

Results

The repositories or SMTs are now imported and added to the list in the dashboard.


Installing packages from a custom repositoryIBM Endpoint Manager provides a task to easily install and update packages onSUSE Linux Enterprise version 11 and later endpoints that are registered to customrepositories.

Before you beginv Subscribe to the Patching Support site to access the installation task named as

Install packages by using zypper.v Configure a custom repository from the SLE Custom Repository Management

dashboard. For more information, see Chapter 3, “Custom repositoriesmanagement,” on page 21.

v Ensure that the configured repository is up-to-date and contains the requiredpackages and metadata.

About this task

Use the Install packages by using zypper task to install or update the packages onendpoints.

You can use the package name or Common Vulnerabilities and Exposures (CVE)ID number to specify the selected packages for installation.

You can also update all the installed packages on the endpoint with later availableversions that are in your custom repository.

The Zypper commands for each of the available actions are as follows:

zypper install <package_name1> <package_name2>Updates or installs a package with a specific name. Multiple package update orinstallation is acceptable. Use a space to separate the package names.

zypper updateUpdates all the installed packages on the endpoint.

zypper patch --cve=<cve_number>Updates a package with a specific CVE ID number. The task fails if no CVE IDnumber is specified and it only accepts a single CVE reference.

This action requires Zypper version 1.5.3-3.2.

Command options are supported as extra flags for the zypper install and zypperupdate commands only. For detailed usage information, see the zypper man page.

This task also provides actions to test the packages for installation, withoutinstalling the packages on the endpoints.

Procedure1. From the Patch Management domain, click All Patch Management > Fixlets

and Tasks.2. Select the Install packages by using zypper task to install custom packages on

endpoints.3. In the Task pane, review the description and follow the instructions in the

Actions box to deploy an action.4. Depending on the action that you selected, provide the necessary information

and click OK.


Note: To update all installed packages on the endpoint, select the action toinstall packages, but do not specify any package name.

5. In the Take Action pane, select the endpoints on which the packages are to beinstalled or updated.

6. Click OK.


Chapter 4. Using Patch Management for SUSE LinuxEnterprise

Use the Fixlets on the Linux RPM Patching and the various Patches for SUSELinux Enterprise Fixlet sites to apply patches to your deployment.

For information about the available Fixlet sites for SUSE Linux Enterprise, see“Supported platforms and updates” on page 2.

Patch content caching must be done through the download plug-in unless you areusing an air-gapped environment or a custom repository. For more information, seethe following topics:v Download plug-in registrationv Download cacher

IBM Endpoint Manager provides several different methods to manage patches forSUSE Linux Enterprise. For more information, see “Patching methods” on page 5.

Patching using FixletsYou can apply SUSE Linux patches to your deployment by using the Fixlets on theLinux RPM Patching and Patches for SLE sites.

Before you beginv Register the SUSE download plug-in. For more information about download

plug-ins, see Download plug-ins.v Subscribe to the appropriate sites.v Activate the necessary analysis from the subscribed sites.v If you are not using the Patches for SLE 11 Native Tools site to patch your

systems, activate the Endpoint Dependency Resolution - Deployment Resultsanalysis to view the patch deployment results. For more information, see“Viewing deployment results” on page 35.

v If you are using the Patches for SLE 11 Native Tools site to patch your systems,run the Install expect task (ID #101) to install the expect utility on systems thatare configured with the Zypper utility.

Note: This only applies to the endpoints that do not have the expect utilityinstalled.

About this task

The possible actions that you can make on a Fixlet depend on the patch type. Forexample, patch Fixlets provide an option to deploy a test run prior to applying thepatch. Kernel updates provide the option to upgrade or install all kernel packages.The default behavior for kernel updates is to install packages side by side.Additionally, each kernel update Fixlet provides the ability to test each of theseoptions.

Note: The upgrade option in Kernel updates replaces existing kernel packageswith later versions. The install option installs the later kernel packages next to theprevious versions.


http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tem.patch.doc_9.2/shared/c_manage_download_plug-ins_suse.html

Procedure1. From the Patch Management domain, click OS Vendors > SUSE Linux

Enterprise, and navigate to the patch content using the domain nodes.

2. In the content that is displayed in the list panel, select the Fixlet that you wantto deploy. The Fixlet opens in the work area.

3. Click the tabs at the top of the window to review details about the Fixlet.4. Click Take Action to deploy the Fixlet.

v You can start the deployment process.

Figure 12. Patch Management navigation tree


v You can deploy a test run prior to applying the patch. View the DeploymentResults analysis to determine if the dependencies have been successfullyresolved and if an installation is successful.

Figure 13. Take action to start the deployment process

Chapter 4. Using Patch Management for SUSE Linux Enterprise 33

v You can view the Novell bulletin for a particular Fixlet, select the Click hereto view the patch page action to view the patch page.

Figure 14. Take action to deploy a test


You can also click the appropriate link in the Actions box5. You can set more parameters in the Take Action dialog.

For detailed information about setting parameters with the Take Action dialog,see the IBM Endpoint Manager Console Operator's Guide.

6. Click OK.7. Enter your Private Key Password when necessary.

Viewing deployment resultsThe results of a successful action for Fixlet content with endpoint dependencyresolution are written in a log file on the endpoint. You must activate an analysisto view the results.

Procedure1. From the Patch Management domain, click OS Vendors > SUSE Linux

Enterprise.2. Navigate to the analysis by clicking the Analyses node and select Endpoint

Dependency Resolution - Deployment Results.

Figure 15. Take action to view patch page


3. Click Activate.

4. Click the Results tab in the Analysis window that is displayed after youactivate the analysis.

Figure 16. Analyses in the navigation tree

Figure 17. List of analyses


5. Optional: You can limit the length of the output by running the EndpointDependency Resolution – Set deployment results analysis report length task.To access this task, click OS Vendors > SUSE Linux Enterprise >Configuration.

Note: The default analysis report length is 100 entries.

What to do next

When you review the properties of an endpoint, you can view the currentdeployment information on that system. To view this data, navigate on the AllContent domain and select the Computers node. Select the computer that youwant to inspect in the work area. Scroll down to the Deployment Results.

Manage Preference ListsPreference lists are lists of packages that affect the dependencies that are installedfor systems patched by content with endpoint dependency resolution.

Preference lists have the following characteristics:v Packages included in forbidden preference lists are forbidden when dependencies

are resolved.v Packages included in preferred preference lists are preferred over packages not in

the list when dependencies are resolved.v Packages included higher in the preference lists are preferred over packages

lower in the lists. You can manage these preference lists by using the PreferenceLists Dashboard.

Using the Preference Lists DashboardUse the Preference List Dashboard to create preference lists.

Figure 18. Results tab

Figure 19. Endpoint Dependency Resolution - Deployment Results


You can navigate to the dashboard by expanding the Linux RPM Patching nodeand selecting the Endpoint Dependency Resolution - Preference Lists dashboard.

To create new Forbidden package lists, click New Forbidden Package List.

In the next dialog, you select a site for the preference lists. Endpoints subscribed tothis site are relevant to this preference list. Choose a site and click next.

Figure 20. Endpoint Dependency Resolution - Preference Lists dashboard in the navigationtree

Figure 21. New Forbidden Package List


After entering a name for the list, you can begin populating your preference listwith packages. Type the name in the Package to Add field and click Add. As youtype, autocomplete suggestions are shown. These suggestions are populated usingtarget packages from the selected site. After completing your list, click Save, clickOK, and enter your Private Key Password. A task that deploys this preference listis displayed in the navigation tree.

To edit a preference list, click edit for that particular list.

Figure 22. Create new Forbidden Package List

Figure 23. Add package


This opens the same dialog as before and allows you to edit the name andpackages in the list. Click Save. To edit the task, click Edit. To redeploy the latestversion of this list to all systems that already have the list, click Edit and Redeploy.Then click OK and enter your Private Key Password.

To create a copy of a preference list, click copy for that particular list.

A dialog is created with a nearly identical set of data populated throughout thefields. The Name field has the word copy at the end. Click Save to create the newtask. To delete a preference list, click delete for that particular list.

Figure 24. Edit button

Figure 25. Edit dialog

Figure 26. Copy button


To delete the task, click Delete. To delete the task and issue an action to remove thepreference list from all endpoints that have the list, click Delete and Update.

Preferred package lists can be created and managed in the same way as forbiddenpackages lists. The controls are listed under the Preferred Package Lists tab of thePreference Lists Dashboard.

Packages are ordered from top to bottom in preference lists. Drag and droppackages to specify priority.

Figure 27. Delete button

Figure 28. Delete dialog

Figure 29. Preferred Package Lists tab


You can view deployed preference lists and their associated metadata by activatingan analysis. Navigate to the analysis by clicking the Analyses node and selectingEndpoint Dependency Resolution - Preference Lists. Click the analysis and selectActivate from the right-click menu.

Click the Results tab in the Analysis window that is displayed after you activatethe analysis.

Figure 30. Sort priority

Figure 31. List of analyses


When you review an endpoint's properties, you can view the current preferencelist information on that system.

To remove a preference list from an endpoint, run either the Remove EndpointDependency Resolution – Remove preferred list or the Remove Endpoint DependencyResolution – Remove forbidden list tasks.

Retrieving installed RPM package informationThe list of installed RPM packages on SUSE Linux Enterprise endpoints can beretrieved by activating analysis on the IBM Endpoint Manager console.

About this task

The Installed RPM Package List - SuSE Linux Enterprise analysis provides thenumber of packages that are installed and the actual names of the packages. It isavailable on the Linux RPM Patching site.

Viewing the installed RPM packages from the console helps to reduce the need fora system administrator to log on to the actual endpoints.

Procedure1. From the Patch Management domain, All Patch Management > Analyses.2. Click the Installed RPM Package List - SuSE Linux Enterprise analysis.3. Click Activate.4. View the package information from the Results tab.

Figure 32. Results tab

Figure 33. Available Fixlets to remove a preference list


Chapter 5. SLE Btrfs snapshot management

View and manage SLE Btrfs snapshots from the IBM Endpoint Manager console.Snapshot management uses Snapper's ability to roll back Btrfs file systemsnapshots. This feature works with SUSE Linux Enterprise version 11 SP2 and later.

Btrfs is a new copy-on-write file system that supports file system snapshots ofsubvolumes. Subvolumes can be in the form of one or more separately-mountablefile systems within each physical partition. A snapshot is a copy of the state of asubvolume at a certain time. It is essentially a clone of the subvolume. For moreinformation about Snapper, see the SUSE product documentation athttps://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html.

Note: For SUSE Linux Enterprise version 11 SP2 systems, snapshots can be takenonly if the partitions are subvolumes and contain the snapper configuration.

SLE Btrfs Snapshot Management dashboard overviewUse the SLE Btrfs Snapshot Management dashboard to manage Btrfs file systemsnapshots for SLE endpoints in your deployment.

Note: You must use IBM Endpoint Manager client version 9.2.1 or later to be ableto use this dashboard.

Endpoint Manager provides the SLE Btrfs Snapshot Management dashboard toview the list of Btfrs file system snapshots of an endpoint from the console. Therollback feature allows you to reset the system to the state at which a snapshot wastaken.

Consider the following scenario to better understand what the rollback featuredoes. Patching the application server on the endpoint that hosts your webapplication is a good practice. After a typical day of patching, you started noticingsome issues with the system. These issues occurred only after a particular patchwas deployed. Using the dashboard, you can easily roll back the system to anearlier state that does not have such issues.

To access the dashboard, subscribe to the Patching Support site. From the PatchManagement domain, click All Patch Management > Dashboards > SLE BtrfsSnapshot Management.

Activate the SLE Btrfs Snapshots analysis to retrieve the endpoints and the Btrfsfile system snapshot information and display them on the dashboard. This analysisis also used to generate a log, which records the results of the rollbacks that aretaken in the SLE Btrfs Snapshot Management dashboard. The log is located in thedirectory /var/opt/BESClient/EDRDeployData.

The dashboard lists endpoints and their corresponding snapshot history. Eachsnapshot displays the following metadata:

Snapshot IDUnique ID number of the snapshot.


https://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html


Snapshot Date and TimeStart date and time of the snapshot in coordinated universal time (UTC).

Type The type of snapshot. There are three different types of snapshots: pre,post, and single.

Pre Snapshot NumberThis metadata is applicable only to post snapshot type. It specifies thenumber of the corresponding pre snapshot.

CleanupAlgorithm to clean up old snapshots. There are three different cleanupalgorithms: number, time line, and empty-pre-post.

DescriptionA description of the snapshot.

Note: Ensure that you provide a meaningful description during thesnapshot creation. This helps to identify the purpose of the snapshot.

For information about the snapshot metadata, see the topic about ManuallyCreating and Managing Snapshots in the SUSE product documentation.

The dashboard also offers filtering options to ease searching by using the computername.

Figure 34. SLE Btrfs Snapshot Management dashboard


https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_snapper_manage.html

https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_snapper_manage.html

To enable the rollback feature, ensure that /var/opt/BESClient/* directories areexcluded from the snapshots by running the Exclude Client Directories FromSnapshots task.

Rolling back a snapshotUse the rollback option in the SLE Btrfs Snapshot Management dashboard torestore endpoints to a previous system state. The rollback feature allows you toreset system files of an endpoint that were not configured correctly by rolling backto a different snapshot.

Before you begin

Ensure that you meet the following requirements:v Use Endpoint Manager server and console version 9.0 or later.v Use Endpoint Manager client version 9.2.1 or later.v Use SUSE Linux Enterprise Desktop and Server 11 SP2 or later.v Subscribe to the Patching Support site.v Exclude /var/opt/BESClient/* directories from the snapshots. To exclude data

directories when taking snapshots, run the Exclude Client Directories FromSnapshots task. This task creates the necessary directories and files to excludethe /var/opt/BESClient/* directories when taking snapshots.

About this task

Consider the following limitations of the rollback feature:v Configuration changes in the directory on the bootloader cannot be rolled back.v Kernel installations require manual deletion of the boot entry for a Kernel.

Hence, complete rollback is not possible for Kernel installations.v Excluded mount points and ext3 file systems cannot be rolled back.


Dashboards > SLE Btrfs Snapshot Management.2. Select the endpoint whose snapshot history you want to view.3. Select the snapshot that you want to roll back and click Rollback.

Note: Completely reverting to the pre-snapshot affects the changes made byprocesses other than YaST or Zypper. Therefore, review the changes betweenthe current system state and a snapshot before starting the rollback.The Rollback Up To Snapshot window opens.

4. Optional: You can specify file names as additional parameters for the rollback.Click Apply.

Note: If you do not specify any file names, all changed files are restored.5. From the Take Action window, select the computer and click OK to run the

action.

What to do next

To verify the rollback, check the snapper_rollback.log file located at/var/opt/BESClient/EDRDeployData.

Chapter 5. SLE Btrfs snapshot management 47

Appendix A. Support

For more information about this product, see the following resources:v IBM Knowledge Centerv IBM Endpoint Manager Support sitev IBM Endpoint Manager wikiv Knowledge Basev Forums and Communities


http://www-01.ibm.com/support/knowledgecenter/SS63NW_9.2.0/com.ibm.tivoli.tem.doc_9.2/welcome/IEM92_landing.html

http://www.ibm.com/support/entry/portal/Overview/Software/Tivoli/Tivoli_Endpoint_Manager

https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Home


http://www.ibm.com/developerworks/forums/category.jspa?categoryID=506

Appendix B. Troubleshooting

When problems occur, you can determine what went wrong by viewing messagesin the appropriate log files that provide information about how to correct errors.

Log files

The following log files can be found in the client folder in the directory/var/opt/BESClient/EDRDeployData.

EDR_DeploymentResults.txtLists the results of the EDR deployment and the Zypper output. The log fileindicates if the normal Zypper process is used for either a standard repositoryor SMT.

register-repo.logLists the results of the repository registration action of the SLE CustomRepository Management dashboard.

register-SMT.logLists the results of the SMT registration action of the SLE Custom RepositoryManagement dashboard.

unregister-repo.logLists the results of the unregister repository action of the SLE CustomRepository Management dashboard.

unregister-SMT.logLists the results of the unregister SMT action of the SLE Custom RepositoryManagement dashboard.

snapper_rollback.logLists Btrfs snapshot rollback feature that is available from the SLE BtrfsSnapshot Management dashboard.

pkg_upgrade_output.txtLists the results of the Check Available Package updates - Solaris 11 task.

Understanding dependency failures

Some dependency requirements cannot be determined by Fixlet relevance. In somecases, multiple levels of dependencies or conflicting third-party packages canprevent the installation of a Fixlet content.

You can manually review these details by using the EDR_DeploymentResults.txtfile, which is written locally on an endpoint in the client folder by the EDRPlug-in. You can also review the analysis Endpoint Dependency Resolution -Deployment Results (ID# 14) in the Linux RPM Patching site.

The EDR_DeploymentResults.txt file is a text file that contains several lines for eachFixlet that runs on the system. Each line contains a date or time stamp and theassociated Fixlet ID number. The log shows the type and status of the installation,whether or not it was a test run and if it was successful or failed.

If the deployment was successful, the log lists out the packages that weresuccessfully installed or upgraded during the action.


If the deployment failed, the log shows the error output from the EDR Plug-in.

Common <type> tag errors found in theEDR_DeploymentResults.txt file

The most common <type> tag errors that are found in theEDR_DeploymentResults.txt file are as follows:

No solution (noSolution)This error means that the requested target packages cannot be installed on thesystem, because there are conflicts between the target packages and theexisting packages on the system.

Incomplete baseline (incompleteBaseline)This error might appear if third-party packages are fulfilling dependencies andare not recognized by the resolver.

If the <type>incompleteBaseline</type> tag is found in theEDR_DeploymentResults.txt file and <name>name of RPM</name> tag is NOT inthe /var/opt/BESClient/EDR_UnsupportedPackages.txt file, then you mustinstall the RPM separately.

However, if the RPM is in the EDR_DeploymentResults.txt file, you mustdowngrade to a version that is supported. You can use the <sanityCheckError>tag from the EDR_DeploymentResults.txt file to identify what version of RPMis supported. You can only proceed with patching the system when thesupported RPM version is installed.

Forbidden package list error (packageInForbiddenList)This error is caused by a package on the target, which is listed in the forbiddenpackage list. You must remove the package from the forbidden package list tosuccessfully run the Fixlet.

Empty solution (EmptySolution)This error means that the resolver cannot find a solution with the given set ofinformation. For example, the packages that are installed on the system or thepackages that it is trying to install. To resolve this error, it is often better tohave the system as standard as possible. Installing additional third-partysoftware and removing packages from the base operating system can make thismore difficult for the resolver to resolve all dependencies. It is suggested tomove toward using the Native Tools site instead.

Bash script error

If you get an error similar to the following error message:Hard failure exit code ’execute prefetch plug-in’ "/bin/bash""{parameter "sitefolder"}/ResolveDependencies.sh" ......."(action 159317) Exited with exit code of 2

You must complete the following steps:1. Open the mentioned bash script and add the following after line 2 of the script:

set -xlogpath=</path/of/your/choice>exec >$logpath 2>&1

2. Deploy the action immediately after you update the script.

Note: The client might override the file, so do not to wait too long betweenupdating the script and deploying the action.


This procedure creates the file that is mentioned in the log path, with a line-by-linedetailed output for the script.

Issues when the custom repository is not a mirror of the vendor

When you use a custom repository that is not a mirror of the vendor site, it ispossible that the default gpgcheck is being done as part of the installation. TheGPG signature files might not be included in the repository. The files are notchecked for authenticity and might cause the installation to fail.

To resolve this issue, ensure that when you register the endpoints in the SLECustom Repository Management dashboard, you add gpgcheck=0 to AdditionalFields.

Mirror server is not working

To check whether the issue is due to an incorrect URL or mirror server credentials,check the plugin.ini file in the directory<BES Server directory>/DownloadPlugins/SuseProtocol.

Novell account lockout

One possible reason for an account lock out is due to invalid credentials.

Ensure that you use the mirror server configuration from Novell when you registeror configure the download plug-in. Account lockouts are common but temporary.Contact Novell Support if you get locked out of your account.

Error deploying Fixlets from custom sites

The Fixlet site name is hardcoded in the relevance of the Fixlets because therelevance can only accept one value. When you deploy Fixlets from a custom site,the Fixlets would fail because they are still referencing to the original Fixlet site. Toresolve this issue, ensure that your endpoints are subscribed to the original Fixletsite so that they can grab all the relevant site files.

If you do not want to stay subscribed to the original Fixlet site, but be able todeploy custom Fixlets successfully, do the following steps:1. Make a custom copy of the necessary site files.2. Host the site files either in your own custom site or online.3. Modify the custom Fixlet appropriately.

Appendix B. Troubleshooting 53

Appendix C. Frequently asked questions

To better understand Patch Management for SUSE Linux Enterprise, read thefollowing questions and answers.

What are superseded patches?Superseded Fixlets are Fixlets that contain outdated packages. If a Fixlet issuperseded, then a newer Fixlet exists with newer versions of thepackages. The newer Fixlet ID can be found in the description of thesuperseded Fixlet.

How do I deal with missing patches?IBM only provides patches for bulletins that are listed on the Novellwebsite for supported configurations. These bulletins can be found inNovell Patch Finder: Patch Finder

Why is my action reporting back as a failed download?Make sure you update the download plug-in to the latest version andregister it with the correct credentials.

If I have registered the latest plug-ins, why do downloads still fail?For product versions 8.0.627, upgrade to the latest version of IBM EndpointManager to resolve the issue on dynamic downloads whitelist.

For product versions later than 8.0.627, verify your existing downloadplug-in configuration. Verify that the Novell credentials, proxy settings,and mirror server settings are valid.

What do I do when action reports back with an “EDR Plugin failure, Invalid setof initially installed packages? ”

There is at least one conflict between the packages that exist on the system.The resolver will not work until the conflicting packages are removed.

Why is there XML in the deployment results?The XML is from the error output of the resolver when the resolver fails toproduce a solution. You can look at the description in the “errorType” tagto gain a better understanding of why the failure occurred.

What do I do when the deployment results display a “Dependency ResolverFailure, noSolution? ”

If the resolver finds that there is no solution, the system cannot install alltargets and dependencies because of a conflict between these files and theendpoint files.

If the resolver finds that there is no solution, the system cannot install all targetsand dependencies because of a conflict between these files and the endpointfiles. Dependency graphs are generated every Monday, Wednesday, and Friday.

What do I do when an action reports back with an installation failure?Check to see if the conflict is caused by a vendor-acquired package. Thesemust be removed for the installation to occur.

Why does the resolver function select a lower priority package over a higherpriority one?

The resolver does not select a preferred package if by selecting thatpackage creates a conflict with another package. Therefore, it is possible fora lower priority package to be selected.


http://download.novell.com/patch/finder/

How do I verify if the download plug-in was registered correctly?Run a Fixlet with an action task to verify if the download plug-in isregistered correctly. Verify that the patch download is successful.Otherwise, you might need to unregister the download plug-in andregister it again.

How do I register a download plug-in? Do I use the register download plug-intask or the Manage Download Plug-in dashboard?

To register a download plug-in, you must use the Manage DownloadPlug-in dashboard in the Patching Support site. Existing register downloadplug-in tasks are being deprecated. To learn more about plug-inregistration, see “Registering the SUSE download plug-in” on page 10.

Note: You must also use the Manage Download Plug-in dashboard tounregister, configure, and upgrade download plug-ins. The existingunregister and edit download plug-in tasks are being deprecated. For moreinformation about the dashboard, see the topic on Manage DownloadPlug-ins dashboard in the IBM Endpoint Manager Knowledge Center.

I was expecting the password to be obfuscated, but it's still in clear text. Why isthat? Check if your download plug-in version is earlier than 2.0. If so, you are

still using an old version of the download plug-in that stores credentials inclear text. To encrypt credentials, upgrade your download plug-in toversion 2.0 or later from the Manage Download plug-ins dashboard in thePatching Support site.

Is there a certain level of Zypper that is needed to use SLE 11 with the Nativetool site?

No - any version of the installed Zypper works.

An action failed and the EDR logs do not give any information about the failingaction. How do I troubleshoot?

The last six lines of the deployment and test actions are intended to deletethe temporary files that were created during the action execution. If thedeployment logs do not give information about the reason for the failure,delete the following two lines to troubleshoot:v To see the Zypp configuration that is used during the action, delete

{parameter "EDR_ZyppConfig"}

v To see the Zypper output that is generated during the dependencyresolution, delete {parameter "EDR_ZypperResolveOutput"}

When these two lines are deleted, the following files are placed in the sitefolder for the Patches for SLE 11 Native Tools site:v EDR_ZyppConfig_<Fixlet_id>

v EDR_ZypperResolveOutput_<Fixlet_id>

An action failed and the logs contain Zypper-specific errors. How do Itroubleshoot?

For more information about Zypper and errors that are related to it, see theZypper documentation at http://www.suse.com and the Zypper-relatedarticles in the Novell Customer Center.

How can I improve the download speed when I download packages with thedownload plug-in?

You can improve the package download speed in the following ways:v Your local mirror must follow this URL

structure: <localmirror_server>/repo/$RCE/<name_of_the_repo>


http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tem.patch.doc_9.2/welcome/iem_patch92_welcome.html

http://www.suse.com

For more information about how to create mirrors, seehttps://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring.html

v Use the Novell mirror server, which is at the nu.novell.com directory.Credentials for this mirror server can be obtained from Novell CustomerCenter. For more information, see https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring_getcredentials.html

What are the configuration settings that Zypper use?The Patches for SLE 11 Native Tools site uses all the Zypper settings in/etc/zypp/zypp.conf.

The following Zypper configuration settings are set to values that comefrom another file, which is dynamically created during Fixlet execution:v cachedir

v configdir

v metadatadir

v packagesdir

v reposdir

v repo.add.probe

v repo.refresh.delay

v solvfilesdir

Which versions of IBM Endpoint Manager support custom repositories forSUSE?

IBM Endpoint Manager V8.2 and later support custom repositories forSUSE Linux Enterprise Desktop and SUSE Linux Enterprise Server version11.

What is a custom repository?The term custom repository refers to any software repository that is notnatively supported by the Novell Customer Center. Custom repositoriesgive you the benefit of being able to control exactly what is in therepository. In the SLE Custom Repository Management dashboard, theterm custom repository can refer to a repository or the SubscriptionManagement Tool (SMT).

What is the purpose of a repository?A repository is a storage location that contains a collection of packages andmetadata for the available packages. These repositories can be on onlineservers, CDs, DVDs, or on other media.

What is SMT?SMT stands for Subscription Management Tool. It provides a repositoryand registration target that is synchronized with Novell Customer Center.With the SMT, enterprise customers are able to optimize the managementof SUSE Linux Enterprise software updates and subscription entitlements.For more information about SMT, see https://www.suse.com/documentation/smt11/.

What version of Zypper is required to use the SLE Custom RepositoryManagement dashboard?

No minimum requirement. All Zypper versions that are used in SUSELinux Enterprise version 11 works.

How do I create a repository?To learn about creating repositories, see the SUSE documentation:

Appendix C. Frequently asked questions 57

https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring.html

https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring.html

https://www.suse.com/documentation/smt11/book_yep/data/smt_mirroring_getcredentials.html





v SUSE Linux Enterprise Desktop 11 SP3 Deployment Guide athttps://www.suse.com/documentation/sled11/book_sle_deployment/data/sec_y2_sw_instsource.html

v SUSE Linux Enterprise Server 11 SP3 Deployment Guide athttps://www.suse.com/documentation/sles11/book_sle_deployment/data/sec_y2_sw_instsource.html

Can I deploy patches using the existing method and the custom repository at thesame time? Can the two methods co-exist?

The two methods can exist together. However, when you deploy patchesfor single clients, you must choose between using the native tools orthrough the custom repository method. The two methods cannot co-existon a single client.

Can I reconfigure a repository that I previously configured?Yes, you can reconfigure a previously configured repository by using theclientSetup4SMT.sh script. It is provided with SMT to configure endpointsto use the SMT server or to reconfigure it to use a different SMT server.

From the logs, can I tell if I am using the normal Zypper process to the SMT orrepository in the log?

Yes, the log indicates if the normal Zypper process is used for either astandard repository or SMT.

What is the difference between registering a repository and importing arepository?

Use the import feature if you have existing repositories that are notincluded in the Repositories list in the dashboard. Use the register featureif you already have a repository in the Repository list, but you still need tolink the repository with the endpoint.

What happens when the repository does not contain the package?When a package is not found, the Fixlet fails. You can troubleshoot from/var/opt/BESClient/EDRDeployData/EDR_DeploymentResults.txt, which iswhere the Zypper output is logged.

What happens if there are issues with the custom repository solution?You can revert to the standard IBM Endpoint Manager server solution byrunning the Disable custom repository support – SUSE Linux Enterprisetask.

How are dependencies resolved?Dependencies are resolved by Zypper.

Are the repositories that are listed in the second table of the Endpoints tab inthe SLE Custom Repository Management dashboard used in sequence?

There is no sequence in the repositories that are listed in the Endpoints tab,even if you specified the priority as an extra note when you registered therepository. When Zypper queries the repositories, the repository that firstgets the fetch query replies, including the package and its dependencies.

Through the SLE Custom Repository Management dashboard, I deployed apatch by using a custom repository that is not a mirror of the vendor site. Thedeployment action failed and the logs indicate that the files cannot be opened.What must I do?

When you use a custom repository that is not a mirror of the vendor site,it is possible that the default gpgcheck is being done as part of theinstallation. The GPG signature files might not be included in therepository. The files are not checked for authenticity and might cause the






installation to fail. To resolve this issue, ensure that when you register theendpoints in the SLE Custom Repository Management dashboard, you addgpgcheck=0 to Additional Fields.

Which file could tell me why the mirror server is not working?To check whether the issue is due to an incorrect URL or mirror servercredentials, check the plugin.ini file at <BES Server directory>/DownloadPlugins/SuseProtocol.

I am locked out from my Novell account. What do I do?One possible reason for an account lock out is due to invalid credentials.Ensure that you use the mirror server configuration from Novell when youregister or configure the download plug-in. Account lockouts are commonbut temporary. Contact Novell Support if you get locked out of youraccount.

Can I install several custom packages using the installation tasks?Yes, you can install several custom packages with the available tasks. Use aspace to separate the package names.

Is bandwidth throttling available in a custom repository architecture?Unfortunately, bandwidth throttling is not supported in a customrepository architecture since it is outside of the IBM Endpoint Managerinfrastructure.

I tried deploying Fixlets from a custom site, but it failed. Why is that? Whatshould I do?

The Fixlet site name is hardcoded in the relevance of the Fixlets becausethe relevance can only accept one value. Therefore, if you want to deploycustom Fixlets, ensure that your endpoints are subscribed to the originalFixlet site so that they can grab all the relevant site files.

If you do not want to stay subscribed to the original Fixlet site but be ableto deploy custom Fixlets successfully, do the following steps:1. Make a custom copy of the necessary site files.2. Host the site files either in your own custom site or online.3. Modify the custom Fixlet appropriately.

How can I install custom packages that are on the custom repository?You can use the Install packages by using Zypper task that is in thePatching Support site.

For more information, see “Installing packages from a custom repository”on page 28.

What versions of SUSE Linux Enterprise are supported in the SLE CustomRepository Management dashboard?

The SLE Custom Repository Management dashboard supports SUSE LinuxEnterprise Desktop and Linux Enterprise Server versions 11 and 12.

Can I perform a rollback on systems with mixed file systems such as ext3 andbtrfs? The SLE Btrfs Snapshot Management dashboard supports Btrfs file

systems only. Mixed files systems such as .ext3 and btrfs cannot be rolledback.

Where can I find information about the Exclude /var/opt/BESClient/* DirectoryFrom Snapshots task?

The log file is located in the directory /etc/snapper/filters/logfiles.txt.

Appendix C. Frequently asked questions 59

Which log can I use to troubleshoot the snapshot rollback feature?Use the snapper_rollback.log file located in the directoryvar/opt/BESClient/EDRDeployData.

Which directories need to be excluded from the snapshots to enable rollback?To enable the rollback feature from the SLE Btrfs Snapshot Managementdashboard, the /var/opt/BESClient/* directories must not be includedwhen taking snapshots.

Where can I find more information about snaphots?See the SUSE Documentation at https://www.suse.com/documentation/sles11/book_sle_admin/data/cha_snapper.html.

SUSE Linux Enterprise 12 endpoints are not displayed in the SLE Btrfs SnapshotManagement dashboard. Why is that?

The agents for SUSE Linux Enterprise Server or Desktop version 12 arecurrently available only in IBM Endpoint Manager v9.2. Ensure that youare using the specified version.

Is there a minimum version of Zypper to install security patches using the CVEnumber?

Yes, you must at least use Zypper version 1.5.3-3.2.

If I update Zypper to 1.5.3-3.2 or later on SUSE Linux Enterprise 11.0, can Iinstall patches using the CVE number?

Yes, if you are using zypper-1.5.3-3.2 then you can install patches using theCVE number.




Notices

This information was developed for products and services that are offered in theUSA.

IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not grant youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle Drive, MD-NC119Armonk, NY 10504-1785United States of America

For license inquiries regarding double-byte character set (DBCS) information,contact the IBM Intellectual Property Department in your country or sendinquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan Ltd.19-21, Nihonbashi-Hakozakicho, Chuo-kuTokyo 103-8510, Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law:INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express orimplied warranties in certain transactions, therefore, this statement may not applyto you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM websites are provided forconvenience only and do not in any manner serve as an endorsement of those


websites. The materials at those websites are not part of the materials for this IBMproduct and use of those websites is at your own risk.

IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurements may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:


This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment toIBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. The sampleprograms are provided "AS IS", without warranty of any kind. IBM shall not beliable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work, mustinclude a copyright notice as follows:

Portions of this code are derived from IBM Corp. Sample Programs.

© Copyright IBM Corp. _enter the year or years_. All rights reserved.

TrademarksIBM, the IBM logo, and ibm.com are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the web at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of TheMinister for the Cabinet Office, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java™ and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 63

http://www.ibm.com/legal/us/en/copytrade.shtml

http://www.ibm.com/legal/us/en/copytrade.shtml

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Terms and conditions for product documentationPermissions for the use of these publications are granted subject to the followingterms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBMwebsite.

Personal use

You may reproduce these publications for your personal, noncommercial useprovided that all proprietary notices are preserved. You may not distribute, displayor make derivative work of these publications, or any portion thereof, without theexpress consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within yourenterprise provided that all proprietary notices are preserved. You may not makederivative works of these publications, or reproduce, distribute or display thesepublications or any portion thereof outside your enterprise, without the expressconsent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses orrights are granted, either express or implied, to the publications or anyinformation, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in itsdiscretion, the use of the publications is detrimental to its interest or, asdetermined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in fullcompliance with all applicable laws and regulations, including all United Statesexport laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESEPUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUTWARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDINGBUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY,NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.


��

Product Number: 5725-C45

Printed in USA

ibm endpoint manager: patch management for suse linux enterprise … · 2015-07-28 · 4 ibm...

Documents