Deployment of Modular Fixlet on RHEL8

This topic describes how to deploy a modular Fixlet on RHEL8.

  1. Overview on RHEL AppStream

    In RHEL-8, the AppStream repository provides content packages in two ways:

    • Individual RPM Packages: Traditional RPM packages available for immediate installation.
    • Modules:
      1. A module is a set of RPM packages that represent a component and are usually installed together. A typical module contains packages with an application, packages with the application-specific dependency libraries, packages with documentation for the application, and packages with helper utilities. These packages are built, tested, and released together.
      2. The YUM package management tool is now based on the DNF technology, and it adds support for the new modular features. Usage of YUM has not been changed when handling individual RPM packages. For handling the modular content, the yum module command has been added.
      3. Yum module commands are required to select the appropriate combination of modules and streams to enable installation of logical sets of packages for convenient usage.
      1. Module Streams:
        1. Module streams are filters that can be imagined as virtual repositories in the AppStream physical repository. Module streams represent versions of the AppStream components. Each of the streams receives updates independently.
        2. Module streams can be active or inactive. Active streams give the system access to the RPM packages within the particular module stream, allowing installation of the respective component version.
        3. Streams are active either if marked as default or if they are explicitly enabled by a user action.
        4. Only one stream of a particular module can be active at a given point in time. Thus only one version of a component can be installed on a system. Different versions can be used in separate containers.
        5. Each module can have a default stream. Default streams make it easy to consume RHEL packages the usual way without the need to learn about modules. The default stream is active, unless the whole module has been disabled or another stream of that module enabled.
  2. Problem statement

    Deployment of Module Stream Fixlets fails on RHEL 8 endpoints because they appear as false positives. Currently, the existing Modular Fixlets do not check which specific module stream is enabled on the client. If the fixlet is targeting a stream that is not enabled on the device, the deployment fails even if the fixlet is relevant for that device.

  3. Existing functionality
    • Module stream Fixlets are generated as usual and they appear as applicable even for the different stream versions. This is because our relevance depends on the installed version of the package on the endpoint, not on the modular stream version on the endpoint.
    • Existing Modular Fixlets do not have relevance to check whether a version of the modular stream is enabled or not. All the modular Fixlets become applicable on the endpoint and then fail during deployment. To avoid this false positive, the temporary solution is as follows:
      • FALSE relevance is added to all modular Fixlets to avoid false positives. By default, none of the modular Fixlets are applicable on the endpoint. The end user must remove the FALSE relevance to make a Fixlet applicable.
      • The Fixlet “dnf module commands with RHSM download plugin - RHEL 8 - x86_64.bes” was developed to enable or disable the modular stream version on the endpoint.
      • The user must remove the FALSE relevance and enable the module stream version before deploying a Modular Fixlet on the endpoint.
  4. Proposed solution:
    1. Assumption
      • Modular streams must be enabled on client before deploying the Modular Fixlet.
      • A modular stream can be enabled on the endpoint using the fixlet “dnf module commands with RHSM download plugin - RHEL 8 - x86_64.bes” or by manually running dnf module commands (reset, enable) on the endpoint (these commands run successfully only when the client is registered with subscription manager).
    2. Solution design

      The solution consists of two parts. The first part adds the module stream check to the relevance of the fixlet; the second part updates all the existing fixlets to include the updated relevance.

      1. Include Module Stream Check in fixlet relevance
        • A new Prerequisite Fixlet, “List enabled modules to file using RHSM Download Plugin - RHEL 8 (Prerequisite).bes”, executes the “dnf module list” command on the endpoint. The output of this command (which is stored in a text file) lists all combinations of modules and streams and indicates which are enabled (or default) on the endpoint. This Fixlet should be deployed first, before deploying modular Fixlets on the client. As a good practice, deploy it before the modular fixlets in order to have a fresh picture of the modules and streams enabled on each endpoint (this reduces the risk of false positives).
        • Once the above Prerequisite Fixlet is deployed, the same fixlet is re-deployed automatically once a day to read information about modular streams. To stop the re-deployment, the user has to click STOP Action in the BigFix Console.
        • If the modular stream version has been changed by the user on the endpoint, and the above prerequisite fixlet has been deployed before, the user has to STOP the Action and then deploy the prerequisite fixlet again.
        • The modular Fixlets have a relevance check that reads the enabled modular stream version from the text file to determine whether the modular stream version is enabled or not. If it is enabled, the modular Fixlet is applicable on the endpoint; otherwise the modular Fixlet is not applicable on the endpoint.
        • So, if the modular fixlets are applicable, they can be deployed on the endpoint. If they are not applicable, enable the modular stream version on the endpoint and rerun the Prerequisite fixlet.
      2. Update existing modular fixlets
        • All the existing modular fixlets for RHEL-8 will be updated and re-published.
        • The new version of the fixlets will include the new module stream check in the relevance section.
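
The stream check described in the solution design can be reproduced by hand when a modular fixlet unexpectedly shows as not applicable. The following is an added example, not the relevance used by the published fixlets: it parses “dnf module list” output saved to a text file and applies the rule from the overview (an enabled stream wins over the default, and a disabled module has no active stream). The function names, the sample output and the temporary file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `dnf module list` output (not captured from a real host).
sample_module_list() {
cat <<'EOF'
Name             Stream      Profiles     Summary
container-tools  rhel8 [d]   common [d]   Rolling versions of container tools
container-tools  1.0         common [d]   Stable 1.0 versions of container tools
container-tools  2.0 [e]     common [d]   Stable 2.0 versions of container tools
nodejs           10 [d]      common [d]   Javascript runtime
nodejs           12          common [d]   Javascript runtime
perl             5.26 [d][x] common [d]   Practical Extraction and Report Language

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
EOF
}

# stream_active FILE MODULE STREAM (hypothetical helper)
# Prints "active" and returns 0 when MODULE:STREAM is the active stream,
# otherwise prints "inactive" and returns 1.
stream_active() {
    awk -v mod="$2" -v want="$3" '
        $1 != mod { next }                       # only rows of the requested module
        {
            flags = ($3 ~ /^\[/) ? $3 : ""       # stream flags, if the row has any
            if (flags ~ /\[x\]/) disabled = 1    # whole module disabled
            if (flags ~ /\[e\]/) enabled = $2    # explicitly enabled stream
            if (flags ~ /\[d\]/) dflt = $2       # default stream
        }
        END {
            if (disabled)           active = ""
            else if (enabled != "") active = enabled   # enabled overrides default
            else                    active = dflt
            # Append "" to force string comparison ("1.10" must not equal "1.1").
            if (active != "" && (active "") == (want "")) { print "active"; exit 0 }
            print "inactive"; exit 1
        }' "$1"
}

# Stand-alone run over the constructed sample.
list=$(mktemp)
sample_module_list > "$list"
for pair in container-tools:2.0 container-tools:rhel8 nodejs:10 perl:5.26; do
    printf '%s %s\n' "$pair" "$(stream_active "$list" "${pair%%:*}" "${pair#*:}")"
done
rm -f "$list"
```

In the sample, container-tools:rhel8 is reported inactive even though it is the default, because stream 2.0 has been explicitly enabled; a fixlet targeting rhel8 would fail on that endpoint.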
  5. Example

    Below are the steps to be followed to deploy the modular fixlet “RHBA-2021:1911 Containers-Tools2.0 Bug Fix and Enhancement Update.bes”.

    1. Initial configuration
      The fixlet “RHBA-2021:1911 Containers-Tools2.0 Bug Fix and Enhancement Update.bes” is not applicable because version 2.0 of containers-tools is not enabled on the endpoint, as shown in the following figures:
      Figure 1. Fixlet is not relevant


      Figure 2. Container-tools 2.0 (disabled)


      To enable version 2.0 of the containers-tools modular stream, deploy the fixlet “dnf module commands with RHSM download plugin - RHEL 8 - x86_64.bes” as shown in the following screenshots:
      Figure 3. Reset command on container-tools module


      Figure 4. Enable container-tools module with stream 2.0


    2. List module and stream on the device:
      The Fixlet “List enabled modules to file using RHSM Download Plugin - RHEL 8 (Prerequisite).bes” should be deployed before deploying the modular fixlet. Once it is deployed, the modular fixlet becomes relevant on the client where container-tools 2.0 has been enabled, as shown in the following screenshot:
      Figure 5. Relevant Fixlet


    3. Now, modular Fixlet “RHBA-2021:1911 Containers-Tools2.0 Bug Fix and Enhancement Update.bes” is applicable and can be deployed on the client.
      Note: Modular fixlets for Perl and Nodejs will continue to have FALSE relevance because errors were seen while deploying them. Once the deployment issue is resolved, the FALSE relevance will be removed and the required relevance will be added.