Altiris™ Patch Management Solution for Linux 7.0 SP2 from Symantec Release Notes

Article:DOC1987  |  Created: 2009-11-26  |  Updated: 2010-03-24  |  Article URL http://www.symantec.com/docs/DOC1987
Article Type
Documentation

Description



Build number 7.0.4059

Introduction

Altiris™ Patch Management Solution for Linux lets you scan Red Hat and Novell Linux computers for security vulnerabilities, report on the findings, and automate the downloading and distribution of needed errata or software updates. This solution downloads the required patches and provides wizards to help you deploy them. During configuration, you can set up an automatic patch update schedule to ensure that managed computers are up to date and protected on an ongoing basis. Only SUSE updates are supported for Novell.

This product is part of the following suites:

  • Altiris™ Client Management Suite from Symantec
    For release notes, see knowledgebase article 49644.
  • Altiris™ Server Management Suite from Symantec
    For release notes, see knowledgebase article 50400.
  • Altiris™ IT Management Suite from Symantec
    For release notes, see knowledgebase article 51492.


New features

The new features of this release are as follows:

Support for Symantec Management Platform 7.0 SP4

This product can be installed on Symantec Management Platform 7.0 SP4.

Performance and reliability improvements

The performance of the Software Update Plug-in, reports, and patch management import task has been improved.


Installation and upgrade

Prerequisites

  • Symantec Management Platform 7.0 SP4. See knowledgebase article 49811.
  • Patch Core Services 7.0 SP2
  • Altiris Agent for UNIX, Linux and Mac 7.0 SP4

Required components are installed automatically when you use Symantec Installation Manager to install this product.

Supported platforms

Patch Management Solution for Linux supports the following platforms:

  • SUSE Linux Enterprise Server 9 (with SP4 only) x86, x86_64
  • SUSE Linux Enterprise Server 10 x86, x86_64
  • SUSE Linux Enterprise Desktop 10 x86, x86_64
  • Red Hat Enterprise Linux AS/WS/ES 3, 4 x86, x86_64
  • Red Hat Enterprise Linux Server 5 x86, x86_64
  • Red Hat Enterprise Linux Desktop 5 x86, x86_64
  • Red Hat Enterprise Linux 5.1, 5.2 and 5.3

Note: SLES 9 computers can only be registered successfully by Patch Management Solution for Linux if the suse_register tool (from the suseRegister rpm package) is installed. The tool is available in SLES 9 SP4 but is not installed by default. After registering SUSE Linux managed computers, you should assign the proper activation code for the registered computers in the NCC ASAP and rerun the Update Agent Discovery Task.

New installation

You can install this product by using the Symantec Installation Manager. You can download the installation files directly to your server or you can create offline installation packages.
For more information, see the Symantec Management Platform Installation Guide (see knowledgebase article 45732).

Upgrade

You can upgrade this product by using the Symantec Installation Manager. You can download the installation files directly to your server or you can create offline installation packages.
For more information, see the Symantec Management Platform Installation Guide (see knowledgebase article 45732).

After you upgrade the product, you must upgrade the Altiris Agent for UNIX, Linux, and Mac and the Software Update Plug-in that are installed on the target computers.

Data migration from 7.0

All the data in Patch Management Solution for Linux 7.0 is supported in 7.0 SP2 without the need for data migration.

Installation and Upgrade issues

The following are known issues related to installing and upgrading this product. If additional information about an issue is available, click the Article ID link.

Issue Article ID
Core Service page settings not migrated after upgrade from 7.x

The Software Update Package Location and Download from staging location settings on the Core Services pages are not migrated and are set to their default values. You can customize the settings after the upgrade.

 
Software Update Plug-in policies settings are not migrated

The settings in the Software Update Plug-in Uninstall and Upgrade policies are not migrated during upgrade from 7.x to this version of Patch Management Solution for Linux.

 
Update Agent Discovery Task settings are not migrated

After the upgrade, configure the Update Agent Discovery Task settings.

 
Automation policies settings are not migrated after upgrade from 7.x

The query parameters in the automation policies (Item Status Changed After PM Import, Maintain Retired Machine Historical data, Software Update Advertisement Disabled, Software Update Policy Failed) are not migrated during an upgrade from 7.x to this version of Patch Management Solution.

 
Default Novell/Red Hat Inventory Policy targets are not migrated after upgrade from 7.x

The targets in the Applied to section are reset to default after an upgrade.

 
Software Update policy targets are not migrated after upgrade from 7.x

The targets in the Applied to section are reset after an upgrade. The targets are reset to the target value that is indicated in the Default Software Update Plug-in Settings policy.

 
Custom severity with non-Latin characters is not migrated after upgrade from 7.x

Sometimes custom severity with non-Latin characters is not migrated.

 


Fixed Issues in this Release

The following are previous issues that were fixed in this release. If additional information about an issue is available, click the Article ID link.

Issue Article ID
The default Package Distribution settings on the Novell and Red Hat pages do not work.

On the Policy and Package Settings tab on the Novell and Red Hat pages, the default Package Distribution settings are as follows:

  • Allow Package Server Distribution is checked.
  • Assign Package To is set to Package Servers Individually.

The packages are not distributed to the package servers as expected.

Workaround: Change the settings on both pages in either of the following ways:

  • Check Allow Package Server Distribution and in Assign Package To, select All Package Servers.
  • Uncheck Allow Package Server Distribution.
 


Things to know

The following are things to know about this release. If additional information about an issue is available, click the Article ID link.

Things to know Article ID
About hierarchy and data replication

Patch Management Solution for Linux supports the hierarchy and replication features of the Symantec Management Platform. These features let you create settings, schedules, and other data at the top-level Notification Server computer and replicate them to child-level Notification Server computers.

The following items are replicated by the default Notification Server replication schedule with no custom replication rules:

| Item | Replication direction |
|---|---|
| All the Server Tasks settings and schedules (Red Hat Import task, Novell Import task) | Down |
| Red Hat and Novell vulnerability analysis policy settings | Down |
| Red Hat and Novell Vendor settings. Note: RHN and NCC access credentials are not overwritten on the child computer. The child can work with different RHN and Novell accounts than the parent. | Down |
| Default Software Update Plug-in settings | Down |
| Software Update Plug-in installation job settings and schedule | Down |
| Software Update Plug-in upgrade and uninstall policy settings | Down |
| Software Update Policies execution details | Up |

The following items are replicated with custom replication rules:

| Item | Replication direction | Description |
|---|---|---|
| Software Channels credentials information | Up | This information is replicated when the "Channel Resource Replication Rule" is enabled. This replication lets the parent Notification Server computer download patch data for the child Notification Server computers whose clients are subscribed to software channels that are not subscribed to by the parent's clients. |
| Software Channels Subscription info | Up | The parent Notification Server computer uses this information to decide how to replicate patch data and software update policies down to the child computer. The child Notification Server computer gets only the patch data that it needs to manage its clients (see below). |
| Software Update Policies | Down | This information is replicated when the "Patch Management Software Distribution Replication for Red Hat/Novell" rule is enabled. If a child Notification Server computer provided the list of subscribed software channels of the client computers before, then the software update policies on the child only include the updates that are related to the supported software channels. |
| Patch Management Data Import | Down | This information is replicated when the "Patch Management Import Data Replication for Red Hat/Novell" rule is enabled. Only the updates and bulletins that are associated with the child computer's supported software channels are replicated. |
 
Understanding Patch Remediation Center right-click actions

On the Patch Remediation Center page, you can right-click a bulletin and select a report. The following right-click actions are available:

| Action | Description |
|---|---|
| View Targeted Computers | Displays the computers that the Software Update Policy, in which this bulletin is included, is targeting. You must create a Software Update Policy to view targeted computers. |
| View Applicable Computers | Displays the computers to which the selected bulletin applies. |
| View Installed Computers | Displays the computers on which the selected bulletin is installed. |
| View Vulnerable Computers | Displays the computers that do not have the selected bulletin installed. |
 
About Patch Management security roles

You can assign the following security roles to Symantec Management Console users:

  • Patch Management Administrators
  • Patch Management Rollout

Users with the Patch Management Administrators role have full access to Patch Management Solution functionality, but no access to the rest of the Symantec Management Console.

Users with the Patch Management Rollout role have limited access to the following Patch Management Solution functionality:

  • Software Update policies
  • Reports
  • Patch Remediation Center page

These users can perform the following actions:

  • Enable/disable/change settings in the software update policies
  • View reports
 


Known Issues in this Release

The following are known issues for this release. If additional information about an issue is available, click the Article ID link.

Issue Article ID
The download of child channel software updates might fail

On the Red Hat Errata Import Task page, under Select software channels for import, you can select the operating system channels to download updates for. Base channels that have no subscribed clients are not available for import. When you select a base channel for import, all its child channels are also imported regardless of whether they have any subscribed clients. After the import, the errata of the child channels appear in the reports and the remediation center. However, when you stage an erratum that belongs to a child channel that has no subscribed clients, the staging fails.

 
The Terminate after setting on the Novell and Red Hat pages does not work

On the Programs tab on the Novell and Red Hat pages, when you set a value in Terminate after, the setting does not work. The default value of 60 minutes is always used.

 
Staging Red Hat and Novell patches from an alternate location is not possible

When you specify an alternate download location for Red Hat and Novell patches, the download fails. This setting is under Settings > Software > Patch Management, on the Core Services page, on the Languages and Locations tab.

 
The Patch Administrator cannot edit the default targets in the Patch Management configuration policies

A user who belongs to the Patch Management Administrators role cannot edit default targets in the following policies:

  • Patch Management for Novell Configuration Policy
    You access this policy from Settings > Software > Patch Management > Novell Settings > Novell.
  • Patch Management for Red Hat Configuration Policy
    You access this policy from Settings > Software > Patch Management > Red Hat Settings > Red Hat.

Workaround: On the configuration policy's page, delete the default targets, and then add the appropriate custom targets.

 
Novell registration may fail

Sometimes SUSE registration tools may register client computers in the Novell Customer Center, but they will not configure the computers properly. In order for SUSE computers to work with Patch Management Solution for Linux, users must manually subscribe the computer to software catalogs using the “run sub” command.

 
Problems with SUSE computer registration may occur

The following problems may occur when attempting SUSE registration:

  1. After “suse_register” is called, the registration confirmation arrives late or may not arrive at all. The update service hangs in a “pending” state for extended periods and, in some cases, will hang indefinitely.
  2. “Run catalog” output lists may update the catalog without indicating that the client computer is “subscribed”. “Yes” is not printed in the first column of the output table.

To work around the problems, repeat the client registration by either running the Software Update Rollout Job or manually registering from the client computer.

 
Task details do not show the cause of the Red Hat Errata Import Task or the Novell Updates Import Task failing due to lack of free space on the Notification Server computer

When there is no free space on the Notification Server computer, the Red Hat Errata Import Task and Novell Updates Import Task fail. When you open the task details in the Task Status table, no mention is made of the lack of free space causing the task to fail.

 
Uncheck "incremental import" to import SUSE service packs updates

For SUSE operating systems, different software update channels are used for service packs. When "incremental import" is checked on the Novell Updates Import Task page, the new service pack update channels are not imported. Because of that, no updates are available for the newly discovered computers that have a SUSE operating system with a service pack.

To import Novell updates for a service pack, uncheck the "incremental import" option, and then run the import task.

 
About Red Hat Errata Import task performance

After the Red Hat Errata Import task completes, it takes some time for Notification Server to update inventory rules that are used to detect applicable updates on clients. Depending on the Notification Server performance, it can take up to 1 hour until inventory rules are downloaded to clients and the evaluation process starts.

 
Software updates import task status is incorrect

When a Novell Updates Import Task or Red Hat Errata Import Task is running, the "Pending" status is displayed in the Task Status section of the task page. This status is not correct. In order to view the correct status of the task, click the task instance and open the task instance details.

 
Software update details page does not work

In Resource Manager, the Summaries > Software Bulletin Details or Summaries > Software Update Details pages do not work.

 
Computers with software update plug-in drill-down shows incorrect results

On the Novell/Red Hat Software Update Compliance Portal page, the Computers with software update plug-in report shows the number of all computers that have the Software Update Plug-in installed. The drill-down report shows the number of plug-ins that were installed in the last 30 days.

 
The Software Update Tasks Delivery Summary web part shows executed tasks as incomplete

In the Red Hat/Novell Software Update Tasks Delivery Summary web part, the tasks that were executed more than 30 days ago are shown as Incomplete.

 
Reports can show incorrect data

The Novell/Red Hat Compliance by Update report can show an incorrect number of computers on which updates have been installed. For example, this happens when the same update belongs to two different channels. Such an update is displayed as if it were installed on two computers. To work around this issue, use the report's parameters section to filter the results by operating system or software channel.

 
Hierarchy and replication issues  
Software channels from multiple child servers are excluded from replication.

Because software channel resources from different child servers do not merge, only one child Notification Server computer per one parent Notification Server computer is supported for Patch Linux hierarchy.

 
Red Hat bulletins that contain updates for different operating system versions cannot be distributed from child Notification Server computers to client computers that have only one operating system installed.

The Patch Management Import Data Replication For Red Hat rule replicates only the updates that are required by the child Notification Server clients. The updates that are not applicable to the child Notification Server clients are not replicated, but associations to these updates are still created for the bulletins. For example, some Red Hat bulletins contain updates for different Red Hat versions (RHEL 3 x86, RHEL 3 x86_64) and you might want to replicate such bulletins to a child Notification Server computer that has clients with only one Red Hat version installed.

In this situation, the following errors can occur:

  • The bulletin staging on the child Notification Server computer fails and shows that not all the updates were downloaded.
  • It is not possible to create a software update policy for such bulletins on the child Notification Server computer.
  • The Advanced tab in the software update policy that is replicated from the parent Notification Server computer displays the following error:
    "All associated bulletins are disabled, please enable at least one bulletin before proceeding to the 'Advanced' Tab"

Workaround: To avoid this problem, make sure that all the child Notification Server computers that belong to the hierarchy have clients with the same collection of Red Hat operating system versions installed.

 
Using the "Complete" replication mode in certain replication rules can result in non-functional update rollout policies.

Do not set the Replication Mode to Complete in the following replication rules:

  • Patch Management Software Distribution Replication For Red Hat
  • Patch Management Software Distribution Replication For Novell

If the Complete replication mode is used, it can result in non-functional update rollout policies on the child Notification Server computers. Be sure to use the Differential mode instead.

To edit the replication rules

  1. In the Symantec Management Console, on the Settings menu, click All Settings.
  2. In the left pane, click Settings > Hierarchy > Hierarchy Management.
  3. On the Hierarchy Management page, click the Replication tab, and then expand the Resources section.
  4. Under Resources, click the rule, and then click the Edit symbol (pencil).

The Replication Mode setting is in the edit dialog box.

 
Packages are not replicated to child immediately

When you manually replicate data to a child Notification Server on the Settings > Notification Server > Hierarchy page using the right-click Replicate To command, the software update policies are replicated, but the update packages are not created on the child.

In order to recreate packages on the child, run the Patch Management Import Data Replication For Novell/Red Hat rule in Complete mode. To do this, either turn on this rule and run a full complete replication, or choose the Complete replication mode in the rule settings and specify a custom schedule.

 
Right-click Replicate Now option does not work

The Replicate Now feature is not supported for Software Update policies. In order to replicate Patch Management Solution Software Update policies to child-level Notification Servers, use the Patch Management Import Data Replication For Novell/Red Hat replication rules.

 
Replicating data between different versions of Patch Management is not supported

Although some items may replicate between different versions of Patch Management Solution that are installed on parent and child Notification Servers, we do not recommend doing this. If you want to use hierarchy and replication, Patch Management Solution versions must be the same on the parent and child.

 


Where to get more information

The product installation includes the following documentation:

Document Description Location

User Guide

Information about how to use this product, including detailed technical information and instructions for performing common tasks.

This information is available in PDF format.

Help

Information about how to use this product. This information is the same as in the User's Guide.

Help is available at the solution level and at the suite level.

This information is available in HTML help format.

The Documentation Library, which is available in the Symantec Management Console on the Help menu.

Context-sensitive help is available for most screens in the Symantec Management Console.

You can open context-sensitive help in the following ways:

  • The F1 key.
  • The Context command, which is available in the Symantec Management Console on the Help menu.

For more information, you can use the following resources:

Resource Description Location

Implementation Guide

Information about how to install, configure, and implement this product.

This information is available in PDF format.

Symantec Management Platform Release Notes

Information about new features and important issues in the Symantec Management Platform.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45141&p=1

You can also search for the product name under Release Notes.

Installing the Symantec Management Platform products

Information about using Symantec Installation Manager to install the Symantec Management Platform products.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45732&p=1

Altiris 7 Planning and Implementation Guide

Information about capacity recommendations, design models, scenarios, test results, and optimization best practices to consider when planning or customizing an Altiris 7 Infrastructure for your organization.

This information is available as an article in the knowledgebase.

https://kb.altiris.com/article.asp?article=45803&p=1

Knowledge Base

Articles, incidents, and issues about this product.

http://kb.altiris.com/

Symantec Connect (formerly the Altiris Juice)

An online magazine that contains best practices, tips, tricks, and articles for users of this product.

http://www.symantec.com/connect/endpoint-management-virtualization

Online Forums

Forums for users of this product.

http://forums.altiris.com/




Legacy ID: 50351

