14 Replies Latest reply on Jul 6, 2016 3:23 PM by Bill Robinson

    NSH Automate Windows Patching with Scheduled remediation

    Steve Abercrombie

      BLAdmins,

       

      I've been searching for a way to schedule an NSH script to run on a monthly basis that sets the commit date of an already run PatchingJob that has staged the patches already.  I already have a WindowsPatchingJob that runs with the remediation options that I need, I just need to be able to grab the Deploy Jobs that get created from it and change the commit date to the Third Tuesday of every month.  It would be nice if there was an option inside of the remediation options that would allow for the phasing and scheduling to choose recurring options on each of the phases (simulate, stage, and commit) just like you can with Batch Jobs to pick every third Tuesday of every month.  Ideas on what the best way to accomplish this would be using blcli?

       

      Steve

        • 1. Re: NSH Automate Windows Patching with Scheduled remediation
          Bill Robinson

          The attached will do some of that.  it updates a dummy bldeploy job w/ the deploy times and then applies that 'template' to the remediation options and then schedules the patching job to run.

          1 of 1 people found this helpful
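          The third-Tuesday commit date asked about in this thread can be computed inside the script itself. The following is an added example, not code from the thread or from the product: the function names are hypothetical, and the `YYYY-MM-DD` output is an assumption, since the page does not show the date format blcli expects.

```shell
#!/bin/sh
# Added example: compute the third Tuesday of a month using only shell
# arithmetic, so it does not depend on GNU-specific `date -d`.

# day_of_week YEAR MONTH DAY -> 0 (Sunday) .. 6 (Saturday)
# Sakamoto's algorithm for the Gregorian calendar.
day_of_week() {
    y=$1
    m=${2#0}          # strip a leading zero so "08" is not read as octal
    d=${3#0}
    # Jan and Feb are counted as part of the previous year
    if [ "$m" -lt 3 ]; then
        y=$((y - 1))
    fi
    # per-month offsets, January first
    set -- 0 3 2 5 0 3 5 1 4 6 2 4
    shift $((m - 1))
    t=$1
    echo $(( (y + y / 4 - y / 100 + y / 400 + t + d) % 7 ))
}

# nth_weekday YEAR MONTH WEEKDAY N -> YYYY-MM-DD of the Nth WEEKDAY
# WEEKDAY uses the same numbering as day_of_week (Tuesday = 2).
nth_weekday() {
    first=$(day_of_week "$1" "$2" 1)
    # days from the 1st to the first matching weekday, then whole weeks
    day=$(( 1 + (($3 - first + 7) % 7) + ($4 - 1) * 7 ))
    printf '%04d-%02d-%02d\n' "$1" "${2#0}" "$day"
}

# third_tuesday YEAR MONTH -> YYYY-MM-DD (always falls on the 15th..21st)
third_tuesday() {
    nth_weekday "$1" "$2" 2 3
}

# Constructed sample call
third_tuesday 2016 7
```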
          • 2. Re: NSH Automate Windows Patching with Scheduled remediation
            Steve Abercrombie

            Bill,

             

            I found out another way to do this but it was kind of ugly, it'll work but what you have provided will be a better option.  Thanks for the solution!  I have another question and if you want I can create a new thread.  I'm wondering how you'd approach with a script running a patch remediation job that'll go through all of the steps.  Then when it completes, it loops through and runs a patch analysis and checks to see if there are more patches.  If there are more patches, then it runs another patch remediation job to patch again.  The script would then continue this process until there are no more patches showing in the patch analysis job.

             

            Steve

            • 3. Re: NSH Automate Windows Patching with Scheduled remediation
              Bill Robinson

              can you run the deploy jobs immediately after analysis or do you need to schedule them in the future?  you should be able to do something like run the patching job + auto-remediation, call it again - and check the results until there are no missing patches.  there's a couple Unreleased blcli commands and documentation that will let you get the count of servers w/ missing patches and also one in the utility namespace to dump out the results that you could text-process for the count.

               

              i'll see if i can work up an example.

              • 4. Re: NSH Automate Windows Patching with Scheduled remediation
                Steve Abercrombie

                Yes, I can run the deploy jobs immediately after analysis.  Were you able to get an example put together?

                 

                Thanks,

                 

                Steve

                • 5. Re: NSH Automate Windows Patching with Scheduled remediation
                  Bill Robinson

                  sorry about the delay - something like the below should work.  the patching job should already be setup for auto-remediation and the 'execute now' set in the deploy options in the patching job.

                   

                  so it will run the job, generate remediation artifacts and deploy them, then check if there were servers missing patches.  if there were, it re-runs the job.  if no patches are missing then no remediation artifacts are generated, otherwise it keeps doing that.  i put a limit on how many times that loop happens.

                   

                  # connect to the application server with the default profile and the BLAdmins role
                  blcli_setjvmoption -Dcom.bladelogic.cli.execute.quietmode.enabled=true
                  blcli_setoption serviceProfileName defaultProfile
                  blcli_setoption roleName BLAdmins
                  blcli_connect

                  patchingJob="/Workspace/Patching Jobs/WindowsPatchingJob"
                  #dummyDeployJob="/Workspace/DummyDeploy"

                  # run the patching job (analysis + auto-remediation) and wait for it to finish
                  runAnalysis()
                  {
                  # split the job path into its group ("${patchingJob%/*}") and name ("${patchingJob##*/}")
                  blcli_execute PatchingJob getDBKeyByGroupAndName "${patchingJob%/*}" "${patchingJob##*/}"
                  blcli_storeenv jobKey
                  blcli_execute Job executeJobAndWait ${jobKey}
                  blcli_storeenv jobRunKey
                  }

                  # count the servers still missing patches after the last run; result is left in missingCount
                  getResults()
                  {
                          missingServers=""
                          missingCount=0
                          blcli_execute JobRun jobRunKeyToJobRunId ${jobRunKey}
                          blcli_storeenv patchingJobRunId
                          # list the run ids of the child jobs of this patching job run
                          blcli_execute JobRun findPatchingJobChildrenJobsByRunKey ${patchingJobRunId}
                          blcli_execute JobRun getJobRunId
                          blcli_execute Utility setTargetObject
                          blcli_execute Utility listPrint
                          blcli_storeenv patchAnalysisJobRunIds
                          for jobRunId in ${patchAnalysisJobRunIds}
                                  do
                                  blcli_execute JobRun findById ${jobRunId}
                                  blcli_execute JobRun getType
                                  blcli_storeenv jobRunType
                                  # only look up analysis results for child runs whose type is not 7033
                                  if [[ ${jobRunType} != 7033 ]]
                                          then
                                          blcli_execute PatchAnalysisResult findJobResultByAnalysisJobRunId ${jobRunId}
                                          blcli_execute JobResult getResultId
                                          blcli_storeenv patchAnalysisJobResultId
                                          blcli_execute PatchAnalysisResult findServersWithMissingPatches ${patchAnalysisJobResultId}
                                          blcli_execute SDeviceHeader getName
                                          blcli_execute Utility setTargetObject
                                          blcli_execute Utility listPrint
                                          blcli_storeenv missingServers
                                          # turn the printed server names into an array and add its length to the count
                                          missingServers=(${missingServers})
                                          missingCount=$((${missingCount}+${#missingServers[@]}))
                                  fi
                          done
                  }

                  # re-run the job until no servers are missing patches, at most 5 times
                  missingCount=1
                  i=0
                  while [[ ${missingCount} -gt 0 ]] && [[ ${i} -lt 5 ]]
                          do
                          let i+=1
                          runAnalysis
                          getResults
                          echo "missingPatchCount: ${missingCount}"
                          echo "i=${i}"
                  done


                  1 of 1 people found this helpful
                  • 6. Re: NSH Automate Windows Patching with Scheduled remediation
                    Steve Abercrombie

                    This will do the trick, thanks again!

                    • 7. Re: NSH Automate Windows Patching with Scheduled remediation
                      Steve Abercrombie

                      Bill,

                       

                      One more thing, I'm running into the problem where my PreCmd and PostCmd commands are failing due to my Antivirus software blocking them.  How do I change the Deployment Path properties when I create the dummy job?

                       

                      Thanks,

                       

                       

                      Steve

                      • 8. Re: NSH Automate Windows Patching with Scheduled remediation
                        Bill Robinson

                        If the dummy job doesn’t override the options for the pre- and post- script location you can just set it directly in the deploy options in the patching job

                        • 10. Re: NSH Automate Windows Patching with Scheduled remediation
                          Bill Robinson

                          I don’t believe you can set those options in the blcli.  once they are set in the gui they should stay set.  i thought all you were doing is running the analysis/auto-remediation, re-running analysis and looking for when there are no missing patches ?

                          • 11. Re: NSH Automate Windows Patching with Scheduled remediation
                            Steve Abercrombie

                            I'm wanting to remove the interactive aspect to the process so I can rely on the job that I've created to create it properly with all of the parameters that I need set.  It would be nice to be able to set that Deployment path so I don't have to add another component to the job to handle the Pre and Post scripts.

                            • 12. Re: NSH Automate Windows Patching with Scheduled remediation
                              Bill Robinson

                              yeah - the issue is that not all of the options are inherited from the dummy and you can't edit all the options in the template deploy job inside the patching job.

                               

                              so what settings do you need to have set in the generated deploy?  just 'execute now' and the pre- post- path ?  any others ?

                              • 14. Re: NSH Automate Windows Patching with Scheduled remediation
                                Bill Robinson

                                changing the pre/post install command will increment the dbkey of the template deploy.  there's no way to update the remediation job and patching job w/ the new association.  similar thing w/ the execute now.