Solved

Linux OS patches for FREL


Userlevel 3
Badge +6

Hi,

What are the plans for adding OS patches to the Commvault software repository? Same as hyperscale?

I know there has been a CMR for it for a while. We want to avoid having to redeploy the FRELs each time or perform manual actions on the FRELs on a regular basis.

 

Thanks

Best answer by Gopinath 10 May 2021, 21:31

24 replies

Userlevel 1
Badge

Hello M,

This feature is beyond the CMR stage and is being worked on. You can expect it within a future feature release.

 

-Evan

Userlevel 5
Badge +8

Hi, yes, that is planned for a future feature release. Until then, please use the ‘automatic OS updates’ option, part of FREL deployment, which has an internet connection to get OS updates.

https://documentation.commvault.com/11.23/expert/32011_deploying_vmware_file_recovery_enabler_for_linux.html

Regards

Gopinath

Userlevel 3
Badge +6

Hi @Evan@Commvault  @Gopinath:

What is the FR number plan for this? Will this be 25?

 

In our environment that won’t work because these FRELs are in a secure zone without any internet access. That is the reason we want to have this embedded within the Commvault software repository.

 

Userlevel 5
Badge +8

Hi @M Scheepers,

The team is actively working on this feature to get it into future FRs, but it is not committed to FR25 or so. At this point, as CentOS is EOL by the end of 2021, the team is checking other OS flavor options like Oracle (OEL) or others for FREL. When the feature is fully available in any FR, we will update you, and in the release notes as well.

Please wait for further update from team on this.

 

Regards

Gopinath

Hi Team, @Gopinath @Evan@Commvault, @Mike Struening

 

Do you have any recent update on this topic? We are facing the same issue, where our FRELs are not connected to the internet and we are being pushed to remediate the PKEXE vulnerability. Can you suggest how we patch the FRELs in CentOS? Does only a redeploy work?

 

Appreciate your response.

Thank you!

Userlevel 7
Badge +23

I’ll defer to @Gopinath and reach out internally!

Userlevel 5
Badge +8

Hi Ashok,

For the PKEXE vulnerability, you can update polkit by downloading it separately and copying it to the FRELs, or by mounting your local repo on the FREL and using it to update the polkit package.

Regards

Gopinath
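
Added example, not part of the original reply or of Commvault's tooling: one way to carry out the two options described in the reply above on an offline CentOS FREL while keeping RPM signature checks on. The repo id `frel-local`, the paths and the function names are assumptions, and the mounted directory is assumed to already contain yum repodata.

```bash
#!/usr/bin/env bash
# Added example: patch polkit on an air-gapped FREL without contacting internet repos.
# Assumed names (not from the thread): repo id "frel-local", mount point, key path.

# Write a yum repo definition pointing at a locally mounted mirror.
# enabled=0 keeps it out of normal runs; gpgcheck=1 keeps signature
# verification on for packages carried into the secure zone.
write_local_repo() {
    local repo_dir="$1" repo_file="$2" gpg_key="$3"
    cat > "$repo_file" <<EOF
[frel-local]
name=FREL local mirror
baseurl=file://${repo_dir}
enabled=0
gpgcheck=1
gpgkey=file://${gpg_key}
EOF
}

# Option 1: update only polkit, using only the local repo.
update_polkit_from_local_repo() {
    yum --disablerepo='*' --enablerepo=frel-local -y update polkit
}

# Option 2: the polkit RPM was copied to the FREL on its own.
# rpm -K checks digests and signature before anything is installed.
install_copied_rpm() {
    local rpm_file="$1"
    rpm -K "$rpm_file" || { echo "signature check failed: $rpm_file" >&2; return 1; }
    yum -y localinstall "$rpm_file"
}

# Record the installed package version afterwards, e.g. for the scan ticket.
report_polkit() {
    rpm -q polkit
}

# Typical use as root (paths are placeholders):
#   write_local_repo /mnt/localrepo /etc/yum.repos.d/frel-local.repo /path/to/RPM-GPG-KEY
#   update_polkit_from_local_repo && report_polkit
```
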

Badge +3

We have updated FREL from 11.20.85 to 11.24.29. We have many OS vulnerabilities, so we are planning to re-deploy FREL with the new OVA (11.24) provided by Commvault, so that it will have an updated OS (CentOS 8.4 I guess, with security patches). This will clear up all our vulnerabilities.

 

I have manually updated the Commvault version on FREL from 11.20.85 to 11.24.29, but OS patches still need to be applied. If Commvault can make all FREL-related patches available in the Commvault software repository, that will help us to manually download and install them on our FREL. This would be a great help and a great improvement.

 

 

 

 

Userlevel 5
Badge +8

@Arvind Satyanarayan Bingi FR 11.20 FREL is CentOS 7.x based and FR 11.24 FREL is OEL 8.4 based; yes, it will cover most vulnerabilities. This needs a re-deployment as you planned, which also has the XFS 5 file system support that is required for live file browse of RHEL/CentOS/OEL 8.x VMs.

Yes, OS updates with the CV software cache are on the roadmap for future FRs, which will be a good enhancement.

 

Regards

Gopinath

 

Badge +3

Thanks Gopinath for the update and clarification. 
We all are waiting for this new improvement. Great going.

Badge +3

CV Team,

 

We have raised a FREL re-deployment ticket to get the new OVA for 11.24 deployed. That provides OEL 8.4. Before 11.24 it was CentOS, I guess.

 

 

Is there any plan to change the OS again in any of the feature releases?

Is there any chance to get OS patches included in the 11.24 software repository?

This is for us to fix any future OS vulnerabilities. So, keeping OS vulnerabilities in mind, is Commvault taking any preventive measures?

 

 

Userlevel 5
Badge +8

Hi,

From FR24 onwards it will be OEL based only; the OS will not be changed in future FRs. Adding OS updates with the CV software cache is on the roadmap for future FRs; it is not possible with old FRs.

 

Regards

Gopinath

Badge +3

OK. Please keep us posted as soon as you have any further updates on it.

Badge +3

@Gopinath 

Can we get our FREL OS regularly patched?

This will require BigFix agent installation and its connectivity to BigFix.

So can we install the BigFix agent on our FREL too, to get it reported to the BigFix console so that it can be regularly patched?

 

Userlevel 3
Badge +6

@Gopinath@Mike Struening 

Are there any updates on this?

I just tried the new deploy feature for the FREL in a customer environment. But now, with the offline method configured, I see that it still tries to download the FREL OVA from the internet. It would be interesting if a new “re-deploy” feature were added to lifecycle a FREL in case of big changes in the OS that can’t be done easily with Linux updates.

Userlevel 5
Badge +8

Hi,

 

Adding OS updates with CV software cache is on road map for future FR.

 

Regards

Gopinath

Badge +1

Hello,

Any chance to get at least some timeframe?

 

yours

josef

Userlevel 5
Badge +8

Hi,

We cannot commit to a specific FR, but mostly around the Dec 2022 release timeframe, if all dev/test efforts and others are complete by that time.

 

Regards

Gopinath

Badge +1

Any progress on this?

 

regards

josef

Userlevel 7
Badge +19

@cheese see the release notes of FR2023 → https://documentation.commvault.com/2023/essential/148771_newsletter_for_new_features_in_commvault_platform_release_2023.html#updating-os-for-linux-access-node-file-recovery-enabler-for-linux-or-frel

Badge +1

Any progress with “Adding OS updates with CV software cache is on road map for future FR”?

 

Userlevel 7
Badge +19

I thought it was added to FR30, and the documentation/release notes also mention it, but only as of FR32 is there real documentation, see: https://documentation.commvault.com/2023e/essential/156304_updating_os_for_linux_frel_clients.html

I just created a topic on the community, as I opted back in the past to, instead of introducing an OS update function, introduce an automated FREL appliance refresh option that basically redeploys a FREL with a newer version while preserving the current configuration using a one-button approach. This makes the appliances remain a standardized and secured appliance. See also: 

 

Badge +1

Thanks for your quick answer. We already installed FREL with version 32 and noticed that it tried to connect to an external site to get OS updates, which is, in our case, not allowed, as we don't want systems to connect to external sites, neither directly without a proxy nor indirectly with a standard HTTP proxy. We would have preferred the last option, that the CommCell has the OS updates, too. Our CommCell can connect to those external sites, but this was some kind of a hassle to get allowed.

Userlevel 7
Badge +19

I would prefer monthly or bi-monthly refreshes of the OVA template to be released on a repository from which it can be pulled automatically or manually. This way Commvault can fully grant and preserve the security and stability of the FREL OVA appliance. I think in the end, if customers embraced this, it would really benefit the overall user experience for each and every customer.