Troubleshooting
Problem
High Availability (HA) pair fails to apply a software update with the following message in patches.log:
The issue described in this technical note is officially reported in APAR IJ12252.
[ERROR] Copied patch file to standby host, but MD5 sums do not match.The issue described in this technical note is officially reported in APAR IJ12252.
Symptom
Look for similar messages in /var/log/setup-<QRadar_version>/patches.log:
Copying file /storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs to host /storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs
cp: cannot create regular file 'root@/storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs': No such file or directory
[ERROR] Couldn't copy patch file FILE to host /storetmp.
[ERROR] Copied patch file to standby host, but MD5 sums do not match.
[ERROR](a-i-has-testmode) HOSTNAME-secondary : patch test failed.
[ERROR](a-i-has-testmode) Patching can not continue
Patch Report for IP-ADDRESS, appliance type: 1828
HOSTNAME-primary : patch test succeeded.
Copied patch file to standby host, but MD5 sums do not match.Cause
This error message is generated when an SFS or ISO file is deleted from disk before the administrator unmounts the file from /media/updates/. Deleting the software without typing the unmount command leaves the mount point active on the appliance and can cause future software update errors.
Diagnosing The Problem
- Using SSH, log in to the QRadar high-availability appliance that failed to update as the root user.
- To determine whether duplicate mount point exists for /media/updates, type:
mount | grep media - Review the output to determine whether multiple mount points are commented as "(deleted)
on /media/updates".
For example, administrators might see multiple mounts to /media/updates:
[root@qradar-example.lab]# mount | grep media
/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs (deleted) on /media/updates type squashfs (ro,relatime)
/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs (deleted) on /media/updates type squashfs (ro,relatime)
Resolving The Problem
To resolve the issue, the administrator must to use the unmount command to remove deleted mount points in QRadar.
- To remove the deleted mounts, type:
umount /media/updates
CAUTION: Do NOT attempt to use all_servers.sh to unmount files from servers if software updates are in progress in the QRadar deployment. - Optional. To unmount a file from all QRadar appliances and secondaries from the QRadar Console, type:
/opt/qradar/support/all_servers.sh -C -k "umount /media/updates" - To verify that deleted volumes are removed, type:
mount | grep media - If mount multiple points continue to display (deleted), repeat step 1.
Results
After all deleted mounts are removed from the primary and secondary appliance, the administrator can mount the SFS or ISO and type /installer to continue the software update. For a list of QRadar software versions and release notes, see: https://ibm.biz/qradarsoftware.
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"High Availability","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
07 January 2021
UID
ibm11072998