IBM / ansible-power-aix

Developer contributions for Ansible Automation on Power
https://ibm.github.io/ansible-power-aix/
GNU General Public License v3.0

Fixes/updates for Java are not applied using the Ansible module ibm.power_aix.flrtvc #198

Closed edrendar closed 2 years ago

edrendar commented 2 years ago

Symptom

Currently my team and I are active users of your Ansible Galaxy Collection "ibm.power_aix" project; specifically, we are using the module "ibm.power_aix.flrtvc". I'm trying to apply patches for Java, but the "ibm.power_aix.flrtvc" Ansible module performs all of the job right (looks for the fix, downloads the fix), yet in the installation part it is not performing anything.

Snip from the ansible controller

-bash-4.2$ ansible-playbook -i inventory demo_flrtvc.yml -vvv --user root -k --ask-vault-pass
ansible-playbook [core 2.11.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/emontes/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  ansible collection location = /home/emontes/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.8 (default, Aug 13 2020, 07:46:32) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
  jinja version = 3.0.1
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
SSH password:
Vault password:
host_list declined parsing /home/emontes/AIX_Tools/inventory as it did not pass its verify_file() method
script declined parsing /home/emontes/AIX_Tools/inventory as it did not pass its verify_file() method
auto declined parsing /home/emontes/AIX_Tools/inventory as it did not pass its verify_file() method
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Parsed /home/emontes/AIX_Tools/inventory inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: demo_flrtvc.yml **********************************************************************************************************************************
1 plays in demo_flrtvc.yml

PLAY [AIX Playbook for Patching Security vulnerabilities] **************************************************************************************************
META: ran handlers

TASK [Downloading and Installing] **************************************************************************************************************************
task path: /home/emontes/AIX_Tools/demo_flrtvc.yml:12
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc 9.11.91.57 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<9.11.91.57> (0, b'/\n', b'')
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc 9.11.91.57 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /.ansible/tmp `"&& mkdir "` echo /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744 `" && echo ansible-tmp-1651080539.9315712-16680-229831951876744="` echo /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744 `" ) && sleep 0'"'"''
<9.11.91.57> (0, b'ansible-tmp-1651080539.9315712-16680-229831951876744=/.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744\n', b'')
<9.11.91.57> Attempting python interpreter discovery
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc 9.11.91.57 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.9'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.8'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<9.11.91.57> (0, b'PLATFORM\nAIX\nFOUND\n/usr/bin/python\n/usr/bin/python2.7\n/usr/bin/python3\n/usr/bin/python\nENDFOUND\n', b'')
<9.11.91.57> Python interpreter discovery fallback (unsupported platform for extended discovery: aix)
Using module file /home/emontes/.ansible/collections/ansible_collections/ibm/power_aix/plugins/modules/flrtvc.py
<9.11.91.57> PUT /home/emontes/.ansible/tmp/ansible-local-16661fzr3__ln/tmpj5k2d1ja TO /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/AnsiballZ_flrtvc.py
<9.11.91.57> SSH: EXEC sshpass -d9 sftp -o BatchMode=no -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc '[9.11.91.57]'
[WARNING]: sftp transfer mechanism failed on [9.11.91.57]. Use ANSIBLE_DEBUG=1 to see detailed information
<9.11.91.57> SSH: EXEC sshpass -d9 scp -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc /home/emontes/.ansible/tmp/ansible-local-16661fzr3__ln/tmpj5k2d1ja '[9.11.91.57]:/.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/AnsiballZ_flrtvc.py'
<9.11.91.57> (0, b'', b'')
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc 9.11.91.57 '/bin/sh -c '"'"'chmod u+x /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/ /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/AnsiballZ_flrtvc.py && sleep 0'"'"''
<9.11.91.57> (0, b'', b'')
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc -tt 9.11.91.57 '/bin/sh -c '"'"'/usr/bin/python /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/AnsiballZ_flrtvc.py && sleep 0'"'"''
<9.11.91.57> (0, b'\r\n{"msg": "exit on download only", "invocation": {"module_args": {"extend_fs": true, "protocol": null, "filesets": "Java8", "check_only": false, "download_only": true, "save_report": true, "clean": false, "path": "/tmp", "force": false, "csv": null, "apar": "sec", "verbose": true}}, "meta": {"0.report": ["Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In", "java8_64.jre|8.0.0.636|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<8.0.0.700|CVE-2021-35560 / CVE-2021-35586 / CVE-2021-35578 / CVE-2021-35564 / CVE-2021-35559 / CVE-2021-35556 / CVE-2021-35565 / CVE-2021-41035 / CVE-2021-2341|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_advisory.asc|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar|CVE-2021-35560:7.5 CVE-2021-35586:5.3 CVE-2021-35578:5.3 CVE-2021-35564:5.3 CVE-2021-35559:5.3 CVE-2021-35556:5.3 CVE-2021-35565:5.3 CVE-2021-41035:7.7 CVE-2021-2341:3.1|NO|02/23/2022|See advisory", "java8_64.sdk|8.0.0.636|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<8.0.0.700|CVE-2021-35560 / CVE-2021-35586 / CVE-2021-35578 / CVE-2021-35564 / CVE-2021-35559 / CVE-2021-35556 / CVE-2021-35565 / CVE-2021-41035 / CVE-2021-2341|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_advisory.asc|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar|CVE-2021-35560:7.5 CVE-2021-35586:5.3 CVE-2021-35578:5.3 CVE-2021-35564:5.3 CVE-2021-35559:5.3 CVE-2021-35556:5.3 CVE-2021-35565:5.3 CVE-2021-41035:7.7 CVE-2021-2341:3.1|NO|02/23/2022|See advisory"], "1.parse": ["https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar"], "messages": [], "4.1.reject": [], "2.discover": [], "3.download": [], "4.2.check": []}, "changed": false}\r\n', b'Shared connection to 9.11.91.57 closed.\r\n')
<9.11.91.57> ESTABLISH SSH CONNECTION FOR USER: root
<9.11.91.57> SSH: EXEC sshpass -d9 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/home/emontes/.ansible/cp/bcdeabfbbc 9.11.91.57 '/bin/sh -c '"'"'rm -f -r /.ansible/tmp/ansible-tmp-1651080539.9315712-16680-229831951876744/ > /dev/null 2>&1 && sleep 0'"'"''
<9.11.91.57> (0, b'', b'')
[WARNING]: Platform aix on host 9.11.91.57 is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python
interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.11/reference_appendices/interpreter_discovery.html for more
information.
ok: [9.11.91.57] => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "invocation": {
        "module_args": {
            "apar": "sec",
            "check_only": false,
            "clean": false,
            "csv": null,
            "download_only": true,
            "extend_fs": true,
            "filesets": "Java8",
            "force": false,
            "path": "/tmp",
            "protocol": null,
            "save_report": true,
            "verbose": true
        }
    },
    "meta": {
        "0.report": [
            "Fileset|Current Version|Type|EFix Installed|Abstract|Unsafe Versions|APARs|Bulletin URL|Download URL|CVSS Base Score|Reboot Required|Last Update|Fixed In",
            "java8_64.jre|8.0.0.636|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<8.0.0.700|CVE-2021-35560 / CVE-2021-35586 / CVE-2021-35578 / CVE-2021-35564 / CVE-2021-35559 / CVE-2021-35556 / CVE-2021-35565 / CVE-2021-41035 / CVE-2021-2341|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_advisory.asc|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar|CVE-2021-35560:7.5 CVE-2021-35586:5.3 CVE-2021-35578:5.3 CVE-2021-35564:5.3 CVE-2021-35559:5.3 CVE-2021-35556:5.3 CVE-2021-35565:5.3 CVE-2021-41035:7.7 CVE-2021-2341:3.1|NO|02/23/2022|See advisory",
            "java8_64.sdk|8.0.0.636|sec||NOT FIXED - Multiple vulnerabilities in IBM Java SDK affect AIX|<8.0.0.700|CVE-2021-35560 / CVE-2021-35586 / CVE-2021-35578 / CVE-2021-35564 / CVE-2021-35559 / CVE-2021-35556 / CVE-2021-35565 / CVE-2021-41035 / CVE-2021-2341|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_advisory.asc|https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar|CVE-2021-35560:7.5 CVE-2021-35586:5.3 CVE-2021-35578:5.3 CVE-2021-35564:5.3 CVE-2021-35559:5.3 CVE-2021-35556:5.3 CVE-2021-35565:5.3 CVE-2021-41035:7.7 CVE-2021-2341:3.1|NO|02/23/2022|See advisory"
        ],
        "1.parse": [
            "https://aix.software.ibm.com/aix/efixes/security/java_feb2022_fix.tar"
        ],
        "2.discover": [],
        "3.download": [],
        "4.1.reject": [],
        "4.2.check": [],
        "messages": []
    },
    "msg": "exit on download only"
}
META: ran handlers
META: ran handlers

PLAY RECAP *************************************************************************************************************************************************
9.11.91.57                 : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Snip from AIX client

(0) root @ teff9: /tmp/work
# ls -ltr
total 2047760
-rw-------    1 root     system   1048320000 Feb 23 08:03 java_feb2022_fix.tar
-rw-------    1 root     system        15513 Apr 27 10:29 FLRTVC-latest.zip
-rw-------    1 root     system       109864 Apr 27 10:29 lslpp.txt
-rw-------    1 root     system            0 Apr 27 10:29 emgr.txt
drwx------    2 root     system          256 Apr 27 11:42 tardir

(0) root @ teff9: /tmp/work
# ls -ltr tardir
total 0

Environment

jdejoya17 commented 2 years ago

Hi @edrendar,

Could you double check that the ibm.power_aix.flrtvc playbook does not have the parameter download_only set to true?

Based on the snippet, it says download_only: true, which might be the reason why it only downloads and does not install:

    "changed": false,
    "invocation": {
        "module_args": {
            "apar": "sec",
            "check_only": false,
            "clean": false,
            "csv": null,
            "download_only": true,
            "extend_fs": true,
            "filesets": "Java8",
            "force": false,
            "path": "/tmp",
            "protocol": null,
            "save_report": true,
            "verbose": true
        }
    },

pvtorres commented 2 years ago

This was recreated in our test systems. Investigating.

pvtorres commented 2 years ago

Further debugging into the problem shows that the module did not find any efixes (ifixes) to install in the compressed file. The flrtvc module uses the flrtvc command to download High Impact pervasive threats (apar: hiper), Security Vulnerabilities (apar: sec) or all (apar: all), which is both. This last option is the default.

The ifixes are specific temporary fixes which lock the files they are fixing and do not allow another ifix to be installed on top. The idea is that once the official fix is delivered, the user can remove the ifixes and update the O.S. with the formal fix. These ifixes are installed using the emgr command, which means that it is expecting the fixes to be packed in the epkg.Z format.

In this case, the flrtvc module downloads the security fixes for Java. These fixes are in a compressed file /usr/sys/inst.images/work/java_feb2022_fix.tar (this was my chosen folder for the fixes). The module then checks the contents of the compressed file and realizes there are no epkg.Z fixes in there. This is the content of the compressed file:

Advisory.asc
Advisory.asc.sig
java7_32_installp_7.0.0.700.tar.gz
java7_32_installp_7.0.0.700.tar.gz.sig
java7_64_installp_7.0.0.700.tar
java7_64_installp_7.0.0.700.tar.gz.sig
java7r1_32_installp_7.1.0.500.tar.gz
java7r1_32_installp_7.1.0.500.tar.gz.sig
java7r1_64_installp_7.1.0.500.tar.gz
java7r1_64_installp_7.1.0.500.tar.gz.sig
java8_32_installp_8.0.0.700.tar.gz
java8_32_installp_8.0.0.700.tar.gz.sig
java8_64_installp_8.0.0.700.tar.gz
java8_64_installp_8.0.0.700.tar.gz.sig

Even the compressed individual files will not have any packages in the epkg.Z format. Now, the module should have given a message to the user that there are no efixes to be installed for this release.

Now, the user can go to the folder and manually install the updated version for Java, in this case:

gunzip java8_64_installp_8.0.0.700.tar.gz ; tar -xvf java8_64_installp_8.0.0.700.tar ; inutoc . ; installp -aXYqgd . all

I understand it is not the ideal way to do it, but the flrtvc module only takes care of ifixes, while the suma module takes care of updates.
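The check pvtorres describes, written as an added illustration (not code from the ibm.power_aix collection): inspect the downloaded fix archive, separate emgr-installable ifixes (epkg.Z) from installp bundles, and report plainly when there is nothing for emgr to install. The member names are constructed from the listing above; the efix filename in the test is a placeholder.

```python
import io
import tarfile

# Constructed sample mirroring part of the java_feb2022_fix.tar listing above.
# The member contents are dummy bytes; only the names matter for this check.
SAMPLE_MEMBERS = [
    "Advisory.asc",
    "Advisory.asc.sig",
    "java8_64_installp_8.0.0.700.tar.gz",
    "java8_64_installp_8.0.0.700.tar.gz.sig",
]


def build_sample_tar(names):
    """Build an in-memory tar with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify_fix_archive(tar_bytes):
    """Sort regular members into ifixes (epkg.Z, for emgr), installp bundles
    (need inutoc/installp) and everything else (advisory text, signatures)."""
    found = {"efix": [], "installp": [], "other": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.endswith(".epkg.Z"):
                found["efix"].append(name)
            elif "_installp_" in name and not name.endswith(".sig"):
                found["installp"].append(name)
            else:
                found["other"].append(name)
    return found


def install_plan(tar_bytes):
    """Return (kind, message): what the module could install and why, instead of
    silently returning an empty '2.discover' list as in the run above."""
    found = classify_fix_archive(tar_bytes)
    if found["efix"]:
        return "efix", "%d ifix package(s) found; emgr can install them" % len(found["efix"])
    if found["installp"]:
        return "installp", ("no ifixes (epkg.Z) in archive; it carries installp updates, "
                            "install them with inutoc/installp: " + ", ".join(found["installp"]))
    return "none", "no installable fix packages found in archive"
```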