Updating FIM to Run with Xenial Stemcells


Pivotal Platform products and tiles that are released after July 2018 require Ubuntu Xenial stemcells instead of Ubuntu Trusty stemcells. You might have to modify your Pivotal File Integrity Monitoring (FIM) deployment if you use Pivotal Platform products running on Xenial.

This topic describes how to determine if your existing deployment of FIM can monitor VMs that run on Xenial.

This topic also explains how to update your FIM deployment if it does not support Xenial.

Follow the instructions on this page if you use FIM with any Pivotal Platform products or tiles that use Xenial stemcells. For more information, see Product Tiles that Use Xenial Stemcells below.

Do I Need to Modify FIM?

FIM v1.2.22 and later can run correctly on Xenial-based VMs if the FIM runtime config includes the ubuntu-xenial property.

Review the following table and make any required changes before you upgrade to Xenial stemcells.

If you use this version of FIM…    do the following…

1.2.23+
    Verify that your runtime config file, fim.yml, includes:

      - name: fim-trusty
        include:
          stemcell:
          - os: ubuntu-trusty

      - name: fim-xenial
        include:
          stemcell:
          - os: ubuntu-xenial

    If the fim.yml file does not include the above, then follow the steps in Add the Xenial Stemcell Property to FIM below.

v1.2.22
    Follow the steps in Add the Xenial Stemcell Property to FIM below.

v1.2.17 or earlier
    Install FIM v1.2.23 or later. For instructions, see Installing File Integrity Monitoring.

If you use FIM without adding the ubuntu-xenial property to the runtime config, the VMs running on Xenial are not monitored for file integrity.

If you add the ubuntu-xenial property but do not upgrade FIM to v1.2.22 or later, then the FIM processes use excessive CPU.

Product Tiles that Use Xenial Stemcells

Ensure that you have added the ubuntu-xenial property to the FIM runtime config before you install any product tiles that use Xenial stemcells.

For a list of Pivotal Platform tile releases that now use Xenial, see Tiles Using Xenial Stemcells in Pivotal Platform.

Add the Xenial Stemcell Property to FIM

If you use FIM v1.2.22 or v1.2.23 without the stemcell property in the fim.yml, then you must add the stemcell properties to your existing fim.yml and redeploy:

  1. SSH in to the Pivotal Operations Manager VM. For how to do this, see SSH into Ops Manager.

  2. To retrieve and save the FIM runtime config, run:

    bosh -e BOSH-ENVIRONMENT runtime-config --name fim > /tmp/fim.yml

    Where BOSH-ENVIRONMENT is the alias you set for the BOSH Director.

    For example:

    bosh -e my-env runtime-config --name fim > /tmp/fim.yml

  3. Edit the /tmp/fim.yml file so that it contains both the fim-trusty and fim-xenial addons:

    addons:
    - name: fim-trusty
      jobs:
      - name: fim
        release: fim
        properties: {}
      include:
        stemcell:
        - os: ubuntu-trusty
    - name: fim-xenial
      jobs:
      - name: fim
        release: fim
        properties:
          fim:
            dirs:
              # System binaries and configuration
              - /bin
              - /etc
              - /lib
              - /lib32
              - /lib64
              - /opt
              - /sbin
              - /srv
              - /usr
              - /var/lib
    
              # BOSH agent
              - /var/vcap/bosh
              - /var/vcap/monit/job
    
              # BOSH releases
              - /var/vcap/data/packages
              - /var/vcap/data/jobs
      include:
        stemcell:
        - os: ubuntu-xenial
    

    Note: If you customized the configuration for your Trusty VMs, you must manually add the /lib32 directory to your fim.yml file.

  4. To update the runtime config, run the following command:

    bosh -e BOSH-ENVIRONMENT update-runtime-config --name=fim /tmp/fim.yml

    For example:

    bosh -e my-env update-runtime-config --name=fim /tmp/fim.yml

  5. Navigate to the Installation Dashboard in Ops Manager.

  6. Click Review Pending Changes. For more information about this Ops Manager page, see Reviewing Pending Product Changes.

  7. Click Apply Changes.