Does the role need to create and update catalogs as well as deploy patches?
No, creating and updating catalogs will be done by BLAdmin.
The role needs to
1. Create Patch Analysis jobs
2. Run patch analysis jobs
3. Download, package patches
4. Create Patch deploy jobs
5. Run Patch Deploy jobs
I opened a ticket about this. right now it looks like you need:
Now, the one I'm confirming is Software.Modify.
I think that's about it.
As the patch manager user, when I run a patch remediation job and click on the show results and click on job run (which failed), i get the following
message: Job run with id 0 not found.
I tried to run a patch download instead of trying the whole patch remediation and the job runs through. I see the following messages in the log:
Executing work item Patch Download Job WorkItem (batch 1) on application server: acsdallin102.acs-inc.com Payload sucessfully downloaded for: Windows6.1-2008-R2-KB971468-x64.msu-MS10-012-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-GOLD Failed to update Windows Hotfix: Windows6.1-2008-R2-KB971468-x64.msu-MS10-012-en-WINDOWS SERVER 2008 R2 STANDARD (X64)-GOLD Patches downloaded: 1 Patches failed to be downloaded: 0 The job 'Download Test' has succeeded
Is there a way to redownload a patch i.e. force the download of a patch if it is already downloaded?
Delete the file off the patch repo
Oh, I think that the user will need read and maybe browse to the patch helper server.
OK...as you mentioned in one of your previous post, it seems the user and the catalog need windowssoftware.modify.
Audit trail on the patch in catalog shows windowssoftware.modify failed for that user but passed for BLAdmin.
Testing it now.
Oh, if you need to run the download job then you'll need more acls. I have the patches already downloaded by my catalogs so I don't need to do that.
I gave the user and the catalog everything except
I also gave everything in
except .*, .delete
PatchSubscription is from 7.3 I think, I don't think we need it anymore, but who knows
I don't think they need the patchrepositorydepotgroup.
I am able to download the patch now and create the remediation job. The remediation job runs successfully and creates the deploy job.
The deploy job fails in the simulate job with the following message:
[27 Jul 2010 12:48:09,040] [WorkItem-Thread-44] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] Executing work item Deploy Dry Run Job:Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500; Server:pitdsethp01; on application server: acsdallin102.acs-inc.com
[27 Jul 2010 12:48:12,574] [WorkItem-Thread-44] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] executing command bltargetjobmanager -start -cmd "bldeploy fd7bb5e2221535c6b4709fe52abe3cf7 -N="/tmp/stage/fd7bb5e2221535c6b4709fe52abe3cf7" -P=pitdsethp01 -Q=params.txt -DryRun -Xr -V1 -Xp -js0 -jr1 -jc0 " -me "fd7bb5e2221535c6b4709fe52abe3cf7" -mp -sp -ps -h60 on server pitdsethp01
[27 Jul 2010 12:48:28,865] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] DRYRUN failed for server pitdsethp01. Exit code = -5005
[27 Jul 2010 12:48:28,895] [WorkItem-Thread-44] [ERROR] [support4:GLO-DCP-Windows-20:] [Deploy] Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500->Deploy Job Test - KB974431-pitdsethp01-22092771 @ 2010-07-27 12-42-15-099-0500 failed on server pitdsethp01 exit code = -5005
[27 Jul 2010 12:48:28,952] [Job-Execution-3] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] Phase: Dry-run completed with errors for target: pitdsethp01
[27 Jul 2010 12:48:29,169] [Job-Execution-3] [INFO] [support4:GLO-DCP-Windows-20:] [Deploy] The job 'simulate' has failed
The agent we were deploying to had 220.127.116.111 agent on it and it was a 64 bit server. Not compatible with 8.0 SP4 Application server. Resolved now.
I ended up giving plenty of authorizations to the patch management user