Best practices for upgrading the Symantec Management Agent and the software update plug-in to 8.1 and applying scheduled software update policies during a single Maintenance window


Article ID: 184978


Products

Patch Management Solution for Linux
Management Platform (Formerly known as Notification Server)

Issue/Introduction

NB! Symantec does not recommend upgrading the Symantec Management Agent and the software update plug-in to 8.1 and applying scheduled software update policies during a single maintenance window. While this combination of upgrade and update installation in one maintenance window is possible, the main risk is as follows:

  • After dependency resolving is complete, Notification Server needs time to download additional packages from vendors and distribute them to a package server. If you have multiple software update policies, some policies may not be processed and some packages may not be upgraded by the end of the maintenance window.

Best practice is to upgrade the Symantec Management Agent and the software update plug-in, and then in a maintenance window, apply scheduled software update policies.

However, if you still need to perform all these activities during one maintenance window because the maintenance window opens rarely (for example, once a month) and lasts for a short period of time (for example, 8 hours), follow the steps described in this article.

Environment

  • Symantec Management Platform 8.0.
  • Patch Management Solution 8.0 installed as part of IT Management Suite, Client Management Suite, or Server Management Suite.
  • Package Server (Windows or Linux).
  • Linux client computers with the Symantec Management Agent 8.0 and the software update plug-in 8.0.
  • The Symantec Management Agent and solution plug-ins are upgraded during maintenance windows only.
  • Linux client computers are patched during maintenance windows only.

Resolution

Phase 1. Prepare Notification Server and client computers for patching

  1. Complete the Red Hat and SUSE software channels import for relevant Linux client computer channels.
    For more information, see the help topic Downloading the software updates catalog.
  2. Ensure that the system assessment scan for the Linux client computers is completed, and view the list of updates and their applicability for the client computers in compliance reports.
    For more information, see the help topic Configuring the system assessment scan interval.
  3. Configure the maintenance window policy and apply it to the Linux client computers.
    For example, the scheduled time for a maintenance window is 8 hours (from 10 P.M. to 6 A.M.) and the target includes only selected computers.
    For more information, see the help topic Configuring maintenance window policies.
  4. Configure software updates installation settings on the Default Software Update Plug-in Settings page as follows:
    • On the Installation Schedules tab, do not check the option Override the maintenance window settings when installing updates.
    • Set the start time for the software update policy execution approximately 1.5 hours later than the start time of the defined maintenance window.
      For example, if your maintenance window is active from 10 P.M. to 6 A.M., the software update policy execution should start at 11:30 P.M.
      This way the software update policy execution starts when the upgrade of the Symantec Management Agent and the software update plug-in to version 8.1 is finished and the dependency resolving is completed.
    • On the Notification tab, use the default setting 1 minute for the message to be displayed before a task is run.
      For more information, see the help topic Configuring software updates installation settings.
  5. Configure the distribution settings for Linux software updates to schedule the Patch Filter Update Interval in the middle of the maintenance window. This configuration leaves more time between the upgrade of the Symantec Management Agent and the software update plug-in and dependency resolving / additional package download.
    For more information, see the help topic Configuring Linux remediation settings.
  6. Ensure that defined maintenance window settings and software updates installation settings reach relevant 8.0 client computers.
  7. Create a software update policy.
  8. Make the software update policy reach relevant 8.0 client computers faster by manually executing the scheduled task NS.Red Hat Patch Remediation Settings.{<GUID>} or NS.SUSE Patch Remediation Settings.{<GUID>}.
    When the policy has reached the client computer, it is present in Pending state inside the defined maintenance window, waiting for the scheduled start.

Phase 2. Upgrade the 8.0 Notification Server to 8.1

Phase 3. Perform post-upgrade steps

  1. Run the Red Hat and SUSE software channels incremental import for relevant Linux client computer channels.
    For more information, see the help topic Downloading the software updates catalog.
  2. (Optional) Manually execute the scheduled task NS.Package.Refresh and the subsequent package refresh requested from your Package Server.
    NB! You do not need to upgrade the Symantec Management Agent and the software update plug-in on the Package Server immediately.
  3. Configure the Symantec Management Agent Upgrade policy.
    When you specify the policy schedule, on the policy page, under Schedule, in the Run drop-down list, select Once at next maintenance window.
    For more information, see the help topic Configuring the Symantec Management Agent Upgrade and Uninstall policies.
  4. Configure the Software Update Plug-in Upgrade policy.
    When you specify the policy schedule, on the policy page, under Schedule, in the Run drop-down list, select Once ASAP.
    For more information, see the help topic Upgrading the software update plug-in.
  5. Speed up the upgrade of the Symantec Management Agent and the software update plug-in as follows:
    • Customize Targeted Agent Settings to make the Symantec Management Agent request new policies more often.
      For example, on the Targeted Agent Settings page, on the General tab, under Download new configuration, set the interval to 15 minutes instead of the default 1 hour.
      For more information, see the help topic Configuring the targeted agent settings.
    • Run the Update Client Configuration task to force the Symantec Management Agent on client computers to update its current configuration and request new policy information from Notification Server.
      For more information, see the help topic Sample tasks, jobs, and scripts provided by Task Management.
      NB! As soon as the maintenance window opens, the client computers should be able to upgrade the Symantec Management Agent and the software update plug-in within 15 minutes, so that dependency resolving starts as soon as possible.
  6. Speed up Package Server synchronization, which is initiated by the request for policy refresh from the package server. Do this the same way as for the upgrade of the Symantec Management Agent and the software update plug-in. The package server should request new policy information from Notification Server every 5-10 minutes to obtain additionally downloaded packages in time.

Phase 4. View the processes scheduled in the maintenance window

As soon as the maintenance window opens, the following processes occur in order:

  1. Upgrade of the Symantec Management Agent to 8.1.
  2. Upgrade of the software update plug-in to 8.1.
  3. Dependency resolving and download of additional packages.
    When the software update plug-in upgrade finishes, the system assessment scan runs and subsequent dependency resolving for the Linux client computers is performed. The software update policy stays in the Waiting for repositories state until the system assessment scan starts. The policy changes its state to Pending when dependency resolving is in progress.
    NB! After dependency resolving is complete, Notification Server needs time to download additional packages from vendors and distribute them to the Package Server.
  4. Software update policy execution.
    The software update policy triggers the native tools YUM for Red Hat and Zypper for SUSE to install all the required updates.

To create a software update policy

  1. In the Symantec Management Console, on the Actions menu, click Software > Patch Remediation Center.
  2. In the right pane, in the Show drop-down box, click SUSE Compliance by Computer or Red Hat Compliance by Computer, set the Release Date interval to the last 1 month, and then click the Refresh symbol.
  3. Drill down into the computer that you want to patch, and then select all the patches that you want to distribute by holding down the Shift or Ctrl key.
  4. Right-click the selected bulletins, and then click Distribute Packages.
  5. On the first Distribute Software Updates wizard page, ensure that the option Run (other than agent default) is unchecked, and then click Next.
  6. Enable the software update policy. Click the colored circle and then click On.
  7. Click Distribute software updates.

To manually run Task Scheduler tasks

  1. On the Notification Server computer, in the taskbar, click Start > Administrative Tools > Task Scheduler.
  2. On the Task Scheduler page, in the left pane, click Task Scheduler Library.
  3. In the central pane, right-click the task that you want to run, and then click Run.
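
The same manual run can be scripted on the Notification Server computer. The following PowerShell is an added example, not part of the original article or of Symantec's tooling; it uses the standard Windows ScheduledTasks cmdlets to find the tasks named in this article, and the wildcard suffixes and the 15-minute timeout are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run the Notification Server scheduled tasks named in this
# article and report how each run ended.
# The {<GUID>} suffix differs per installation, so it is matched with a wildcard.
$patterns = @(
    'NS.Red Hat Patch Remediation Settings.*',
    'NS.SUSE Patch Remediation Settings.*',
    'NS.Package.Refresh*'      # trailing * tolerates a suffix, if one exists
)
$timeoutSeconds = 900          # assumption: stop waiting after 15 minutes

foreach ($pattern in $patterns) {
    $tasks = @(Get-ScheduledTask -TaskName $pattern -ErrorAction SilentlyContinue)
    if ($tasks.Count -eq 0) {
        Write-Warning "No scheduled task matches '$pattern'; skipping."
        continue
    }
    foreach ($task in $tasks) {
        if ($task.State -eq 'Disabled') {
            Write-Warning "'$($task.TaskName)' is disabled; not started."
            continue
        }
        # Do not start a second instance if the schedule already triggered it.
        if ($task.State -ne 'Running') {
            $task | Start-ScheduledTask
        }
        # Poll until the task leaves the Running state or the timeout expires.
        $deadline = (Get-Date).AddSeconds($timeoutSeconds)
        do {
            Start-Sleep -Seconds 5
            $state = (Get-ScheduledTask -TaskName $task.TaskName `
                                        -TaskPath $task.TaskPath).State
        } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task           = $task.TaskName
            State          = $state
            LastRunTime    = $info.LastRunTime
            LastTaskResult = '0x{0:X}' -f $info.LastTaskResult  # 0x0 = success
        }
    }
}
```

A task that is still in the Running state when the timeout expires is reported as such; check it again in Task Scheduler before the maintenance window opens.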
