41 Replies Latest reply on Oct 2, 2009 12:25 PM by Alex Y

    Windows Auto Patching Scripts

    Anthony Bove

      In OM version 7.4.5 and lower it is not possible to "auto-remediate" Windows servers needing MS hotfixes via the patch analysis job. It requires that the analysis be performed, then a "deploy all missing patches" action be submitted against the analysis results after they complete. The attached nsh scripts have been created using blcli commands to perform the patch analysis and remediation in one step. This has been extremely useful for users that would like to include patching within a post-provisioning batch job stream, as well as simplifying the process for end-users who need to patch groups of servers.

       

      Message was edited by:

      tony bove

        • 1. Re: Windows Auto Patching Scripts

          Having some issues getting this working in our environment. Can I validate my settings with you? I'm not sure I'm using the correct context.

           

          These are the parameters for the AutoPatch NSH Job:

           

          target_group = /Servers/Windows/Patching/AutoPatchServers

          job_group = /Servers/Windows/Patching/AutoPatchJobs

          depot_group = /Servers/Windows/Patching/AutoPatchPkgs

          whitelist = /appserver/Depot/Windows/Patches/Scripts/whitelist

          blacklist = /appserver/Depot/Windows/Patches/Scripts/blacklist

          job_timeout = 240

          job_part_timeout = 60

          deploy_options_instance = Class://SystemObject/DeployOptions/WIN_AUTOPATCH_DEFAULTS

          appserver = %h

           

           

          Here is the error I'm getting, I'm sure it's just something with my context:

          Command execution failed. com.bladelogic.mfw.util.NotFoundException: Could not find server group with name : /Servers/Windows/Patching/AutoPatchServers and type : 5003

           

          I attached a snapshot of our server folder, so you can see the server group I'm using.

           

          Any help would greatly be appreciated and we really appreciate the work you put into this script, I'm hoping this helps with our use of BL as a strong patch management tool. We are trying to move off of Shavlik.

           

          Thanks.

          • 2. Re: Windows Auto Patching Scripts
            Bill Robinson

            You are pointing the script at a 'Smart Group' and the blcli commands in the nsh script are expecting a 'StaticGroup' (type 5003)

            • 3. Re: Windows Auto Patching Scripts

              In my snapshot, I thought you can see I am using a static group, not a dynamic group. Look at AutoPatchServers, that should be a static group, with the following servers below it:

              BLDLOGICTST1

              BLDLOGICTST4

              BLDLOGICTST5

              BLDLOGICTST6

               

              Am I thinking something wrong about the type of groups?

               

              Alex

              • 4. Re: Windows Auto Patching Scripts
                Bill Robinson

                I didn't even look at the png, sorry.

                 

                Take the '/Servers' out of your path.

                 

                Also check the other paths - I think they should be like:

                 

                target_group = /Windows/Patching/AutoPatchServers

                job_group = /Windows/Patching/AutoPatchJobs

                depot_group = /Windows/Patching/AutoPatchPkgs

                 

                 

                For these:

                whitelist = /appserver/Depot/Windows/Patches/Scripts/whitelist

                blacklist = /appserver/Depot/Windows/Patches/Scripts/blacklist

                 

                This is the filesystem path to the files?

                • 5. Re: Windows Auto Patching Scripts

                  I made your suggested changes and it is getting MUCH farther, it's creating the analyze jobs, but the next step it dies, when it's trying to create the Patch packages from the analyze jobs. Here is the error message:

                  Command execution failed. com.bladelogic.mfw.util.NotFoundException: Could not find group with name : /Windows/Patching/AutoPatchPkgs and type : 5001

                   

                  Any ideas? If you refer to that PNG (but take out the /Servers from the items and I fixed the NSH path for the white/blacklists) you can tell how I have everything configured.

                   

                  I can send you more information if you think it will help.

                   

                  Attached is another snapshot but of the Jobs tree, so you can see I have the folders created and ready to be used (AutoPatchJobs folder is populated with the autoanalyze jobs).

                   

                  Thanks again for all the help!

                  • 6. Re: Windows Auto Patching Scripts
                    Bill Robinson

                    Can you send a pic of the depot tree?

                    • 7. Re: Windows Auto Patching Scripts

                      Attached is a quick snap of our Depot tree, let me know if you need all branches expanded or if this is enough?

                       

                      Thanks again for all the assistance.

                      • 8. Re: Windows Auto Patching Scripts
                        Bill Robinson

                        I think this path is not there:

                         

                        /Windows/Patching/AutoPatchPkgs

                        • 9. Re: Windows Auto Patching Scripts

                          You were correct, after creating the proper folder, the process worked. The last part that doesn't seem to be working properly is the pre-defined template instance. I followed the configuration as defined in the document, but it doesn't seem to use these settings within the jobs created in the batch that includes all the individual servers to be patched. I ran through this a few times and every time it just uses the default DeployOptions, not the instance I defined. I'll attach the setting I used and a snapshot of the instance I configured.

                           

                          Thanks again for your time and help.

                           

                          Class://SystemObject/DeployOptions/WIN_AUTOPATCH_DEFAULTS

                           

                          P.S. you can refer to the early picture of the settings I used for the parameters for the NSH job.
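
Both failures in replies 1 through 9 (the `/Servers` prefix and the missing depot group) only surfaced after the NSH job had started, so a pre-flight check of the three group parameters can catch them first. This is an added example, not part of the attached AutoPatch scripts or of any poster's reply; the function names are hypothetical, and the `groupNameToId` commands in `blcli_lookup` are assumed to be available in your blcli release.

```shell
# Added example (not from the AutoPatch scripts). Written for sh/bash/NSH.
# Avoids the variable names "path" and "status", which are special in
# zsh-based shells such as NSH.

# Default resolver: ASSUMES these blcli namespaces/commands exist in your
# release and return non-zero when the group is not found.
blcli_lookup() {
    # $1 = server|job|depot, $2 = group path
    case "$1" in
        server) blcli StaticServerGroup groupNameToId "$2" ;;
        job)    blcli JobGroup groupNameToId "$2" ;;
        depot)  blcli DepotGroup groupNameToId "$2" ;;
        *)      return 2 ;;
    esac
}
# Name of the resolver function; can be overridden for dry runs.
GROUP_LOOKUP=${GROUP_LOOKUP:-blcli_lookup}

# Prints OK, BAD_PREFIX, NOT_ABSOLUTE or NOT_FOUND for one group path.
check_group() {
    kind=$1; grp=$2
    case "$grp" in
        # Workspace labels are not part of the group path (reply 4).
        # Treating /Jobs and /Depot the same way is a generalization.
        /Servers/*|/Jobs/*|/Depot/*) echo "BAD_PREFIX"; return 1 ;;
        /*) ;;
        *)  echo "NOT_ABSOLUTE"; return 1 ;;
    esac
    if "$GROUP_LOOKUP" "$kind" "$grp" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "NOT_FOUND"; return 1
    fi
}

# $1 = target_group, $2 = job_group, $3 = depot_group
# Prints one line per parameter; returns non-zero if any check failed.
preflight() {
    rc=0
    for pair in "server:$1" "job:$2" "depot:$3"; do
        kind=${pair%%:*}; grp=${pair#*:}
        res=$(check_group "$kind" "$grp") || rc=1
        echo "$kind $grp $res"
    done
    return $rc
}
```

Call `preflight "$target_group" "$job_group" "$depot_group"` at the top of the NSH job and exit on a non-zero return, before any analysis jobs are created.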

                          • 10. Re: Windows Auto Patching Scripts
                            Anthony Bove

                            Hi Alex - the deploy options template is only applied to the patch analysis job that is created. It will not be set on the patch deploy job that is generated from the "deploy missing patches" step of the script, if that is the job you were referring to.

                             

                            Regards, Tony

                            • 11. Re: Windows Auto Patching Scripts
                              Bill Robinson

                            But you could set default 'deployoptions' in the PropertyDictionary, though that would affect all DeployJobs.

                              • 12. Re: Windows Auto Patching Scripts

                                OK, so after digging into the script some more I see what you are referring to, which is a shame since it's key for our admins to not only patch, but also reboot those servers and there are a few other options that would be nice to set on the deployment options.

                                 

                                I understand we can change them for all deploy jobs, but that would be dangerous, especially if we set the reboot option so it always reboots at the end of a job. (Ignore item defined reboot settings and reboot at end of job)

                                 

                                Do you or anyone else know of a way we can add the "Deploy Options" to the patch jobs via the BLI?

                                 

                                Here is the last part of the script, which I hope we can squeeze in a method to add that deploy instance.

                                 

                                # deploy missing patches

                                blcli_execute PatchDeploy deployAllMissingPatchesOnAllTargets $DEPLOY_NAME $GROUP_ID_DEPLOY_JOB $GROUP_ID_REMEDIATION_PKG true true true $RUN_ID $DEPOT_PKG

                                # retrieve deploy job key
                                # blcli_execute DeployJob getDBKeyByGroupAndName $JOB_GROUP $DEPLOY_NAME
                                # blcli_storeenv DEPLOY_KEY
                                # echo "Deploy Job ID is: "$DEPLOY_KEY

                                # retrieve patch pkg key
                                # blcli_execute DepotObject getDBKeyByTypeStringGroupAndName BLPACKAGE $DEPOT_GROUP $DEPOT_PKG
                                # blcli_storeenv PKG_KEY
                                # echo "Patch Package ID is: "$PKG_KEY

                                # set deploy job and remediation package "auto generated" property values to "true"
                                # blcli Job setPropertyValue NAMED_OBJECT=$DEPLOY_KEY AUTO_GENERATED True
                                # blcli DepotObject setPropertyValue NAMED_OBJECT=$PKG_KEY AUTO_GENERATED True

                                 

                                *********************************

                                 

                                From the above I would imagine you could uncomment the extraction of the package/job IDs and then set the job property, like it does for the analyze job (lines 66-70).

                                 

                                blcli Job setPropertyValue NAMED_OBJECT=$DEPLOY_KEY DEPLOY_OPTIONS_INSTANCE_FOR_REMEDIATION $OPTIONS

                                 

                                Am I on the right track? Or is what I'm asking for not doable?

                                • 13. Re: Windows Auto Patching Scripts
                                  Bill Robinson

                                  Look in the unreleased blcli and I think you can add the options on the deploy jobs after they get created - there's a bunch of commands like:

                                   

                                  setAllowReboot

                                  setBlPatchKeys

                                  setCheckTargetStagingDiskSpace

                                  setCommitAfterStaging

                                  setCommitEnabled

                                  setCommitScheduleId

                                  setConnectionTimeout

                                  setCopyLockedFiles

                                  setDeleted

                                  setDeployJobPostCmd

                                  setDeployJobPostCmdMustPass

                                  setDeployJobPreCmd

                                  setDeployJobPreCmdMustPass

                                  setDeployJobScheduleForAdvancePhaseExecution

                                  setDeployJobUndoPostCmd

                                  setDeployJobUndoPostCmdMustPass

                                  setDeployJobUndoPreCmd

                                  setDeployJobUndoPreCmdMustPass

                                  setDeployType

                                  setDepotObjectKey

                                  setDepotSoftwarePartList

                                  setDescription

                                  setDescription

                                  setExecuteByPhase

                                  setFollowSymlinks

                                  setGroupId

                                  setIgnoreCopyOnBoot

                                  setItemReconfigureRebootModeSetting

                                  setLogLevel

                                  setMaxWaitTime

                                  setName

                                  setNotificationList

                                  setOptionValue

                                  setOptionValue

                                  setOptionValue

                                  setOptionValue

                                  setOverriddenParameterValue

                                  setOverwriteReadOnlyFiles

                                  setPackageStagingCheck

                                  setPackageStagingCheckPhase

                                  setPackageStagingCheckPhaseByString

                                  setParallelProcs

                                  setPostCmd

                                  setPostCmdMustPass

                                  setPreCmd

                                  setPreCmdMustPass

                                  setPreserveDeployStagingDirOnFailure

                                  setRebootSetting

                                  setRebootSetting

                                  setReconfigureRebootJobSetting

                                  setRegComComponents

                                  setResetOnFailure

                                  setRollbackAllowed

                                  setRollbackOnFailure

                                   

                                  in the DeployJob namespace.

                                  • 14. Re: Windows Auto Patching Scripts
                                    Anthony Bove

                                    The problem with the deploy missing patches command is that it creates the job & does the patch deploy in the same step, so you don't have the opportunity to change the default settings before the deploy happens.
