1 2 Previous Next 16 Replies Latest reply on Mar 2, 2013 10:17 AM by Bill Robinson

    Running an nsh script as remediation for component template compliance

    Chris Haars

      I spent days creating a nice "clean up c drive" nsh script for Windows, since nsh uses many unix-like commands that make file management easy, like "find" and "ls -dt" and "tail".

       

      I then spent days creating a component template that weeded out the Windows servers that had less than 10% C drive space free.

       

      Imagine my surprise when I went to the remediation tab of my compliance rule, and could only use a BLPackage for remediation! Is there anything I can do to get this nsh script run for servers that don't comply? I've read community posts about installing NSH on each server, using BLCLI and creds. I don't want to rewrite this script in DOS and have to deploy and run it. NSH worked so well.

       

      -chris

        • 1. Re: Running an nsh script as remediation for component template compliance
          Ashitosh Wagh

          Hi Chris,

           

          You can add external commands in BLPackage. Which will get executed in deploying BLPackage.

           

          Thanks

          Ashitosh

          • 2. Re: Running an nsh script as remediation for component template compliance
            Chris Haars

            I understand that I can run external commands in a BLPackage, but I want to run an nsh script that has to be run from the app server. I know that I can copy the nsh script to each server and run it, but I don't have nsh installed on each agent (and I don't know if I want to). Ideally, I'd like to use an NSH script from the app server, or run a NSH script job to remediate the compliance issue.

             

            -chris

            • 3. Re: Running an nsh script as remediation for component template compliance
              Bill Robinson

              right now it's not possible to call a nsh script as a remediation.

              • 4. Re: Running an nsh script as remediation for component template compliance
                Joe Piotrowski

                Chris, what was your remediation solution if your hard drive had less than 10% disk space left? Perhaps we can help you accomplish the same thing with different Compliance Rules and a BLPackage remediation based on your criteria.

                • 5. Re: Running an nsh script as remediation for component template compliance
                  Chris Haars

                  If a hard drive were to have 10% free C disk space or less, I would run a NSH script that I have written. As Bill mentions, it is not possible to remediate compliance with a NSH script at this time. I know I could write a DOS batch file, then deploy it and run it with a BLPackage, but DOS batch files don't give me the power of the UNIX-like commands in NSH. My compliance rules work fine. I'm all ears with respect to a different way to do it. Right now, it looks like I just run it against all my servers periodically.

                   

                  -chris

                  • 6. Re: Running an nsh script as remediation for component template compliance
                    Bill Robinson

                    What does your nsh script do specifically ?

                    • 7. Re: Running an nsh script as remediation for component template compliance
                      Chris Haars

                      Here's the script. I know I could install nsh on each server. I know I could install UNIX tools on every server. But dammit, I don't want to!

                       

                      <<

                      #

                      # clean_c.nsh

                      # Author: Chris Haars

                      # Date: 2013-Jan-18

                      # cleans up unneeded files on c drive

                      #

                       

                       

                      OSVERSION=$1

                      WINDIR=$2

                       

                       

                      # delete tivoli storage manager install leftovers

                      echo "Removing leftover tsm_images install folders..."

                      rm -fr /c/tsm_images

                      rm -fr /c/temp/tsm_images

                       

                       

                      # delete broadcom software and driver install leftovers

                      echo "Removing leftover Broadcom driver install folders..."

                      rm -fr /c/[Bb][Cc][Oo][Mm]

                       

                       

                      # delete shadow copies

                      # WARNING: currently hangs the script

                      #echo "Removing shadow copies using wmic..."

                      #nexec -e cmd /c "wmic shadowcopy delete"

                       

                       

                      # delete c:\adsm.sys\vss_staging\%COMPUTERNAME%

                      # per https://www-304.ibm.com/support/docview.wss?uid=swg1IC55612

                      echo "Removing leftover TSM files in the vss_staging folder..."

                      nexec -e cmd /c "rd /s /q c:\adsm.sys\vss_staging\%COMPUTERNAME%"

                       

                       

                      # delete two-day old SystemExcludeCache* files in c:\adsm.sys

                      # Fractional 24-hour periods are truncated, so "find -mtime +1"

                      # says to match files modified two or more days ago. "-maxdepth 0"

                      # indicates that only the top level should be processed.

                      echo "Removing two day-old SystemExcludeCache* files in C:\\\adsm.sys..."

                      find /c/adsm.sys/SystemExcludeCache* -maxdepth 0 -mtime +1 | while read ADSMSTUFF

                      do

                                rm -fr "$ADSMSTUFF"

                      done

                       

                       

                      # delete week-old dsmcrash.dmp files from baclient folder

                      # Fractional 24-hour periods are truncated, so "find -mtime +6"

                      # says to match files modified seven or more days ago. "-maxdepth 0"

                      # indicates that only the top level should be processed.

                      echo "Removing week-old dsmcrash.dmp files from baclient folder..."

                      find "/c/program files/tivoli/tsm/baclient/dsmcrash.dmp" -mtime +6 | while read CRASHSTUFF

                      do

                                echo "$CRASHSTUFF"

                                rm -fr "$CRASHSTUFF"

                      done

                       

                       

                      # remove any backup files created during the installation of a service pack

                      # on Windows 2008 only.

                      if [[ $OSVERSION == *2008* ]]

                      then

                                echo "Removing backup files created during the installation of a service pack on Windows 2008..."

                                nexec -e dism /Online /Cleanup-Image /spsuperseded

                      fi

                       

                       

                      # remove files and dirs from /c/windows/temp

                      echo "Removing files from c:\\\windows\\\temp..."

                      rm -fr /c/windows/temp/*

                       

                       

                      # remove files and dirs from /c/temp, except /c/temp/stage

                      # WARNING: this does not delete directories or files with spaces in them,

                      # see next section

                      #TEMPCONTENTS=$(ls /c/temp | grep -Evi 'stage')

                      #for TEMPSTUFF in $TEMPCONTENTS

                      #do

                      #          rm -fr "/c/temp/$TEMPSTUFF"

                      #done

                       

                       

                      # remove files and dirs from /c/temp, except /c/temp/stage

                      # you can add more exceptions by adding a pipe and additional filters in the grep,

                      # like this: 'grep -Evi "stage|dontdelete" '

                      echo "Removing files from c:\\\temp, except the BladeLogic stage directory..."

                      ls /c/temp | grep -Evi "stage" | while read TEMPSTUFF

                      do

                                rm -fr "/c/temp/$TEMPSTUFF"

                      done

                       

                       

                      # remove week-old memory.dmp from the Windows directory, using the BladeLogic WINDIR parameter.

                      find $WINDIR/memory.dmp -mtime +6 | while read MEMORYDMP

                      do

                                rm -fr "$MEMORYDMP"

                      done

                       

                       

                      # remove contents from /c/RECYCLER or /c/$RECYCLE.BIN that are seven or more days old.

                      # Uses the OSVERSION variable provided by BladeLogic.

                      # Fractional 24-hour periods are truncated, so "find -mtime +6"

                      # says to match files modified seven or more days ago. "-maxdepth 0"

                      # indicates that only the top level should be processed.

                      if [[ $OSVERSION == *2003* ]]

                      then

                                echo "Removing week-old contents of C:\\\RECYCLER..."

                                find /c/RECYCLER/* -maxdepth 0 -mtime +6 | while read RECYCLERSTUFF

                                do

                                          rm -fr "$RECYCLERSTUFF"

                                done

                      elif [[ $OSVERSION == *2008* ]]

                      then

                                echo "Removing week-old contents of C:\\\$RECYCLE.BIN..."

                                find /c/\$RECYCLE.BIN/* -maxdepth 0 -mtime +6 | while read RECYCLERSTUFF

                                do

                                          rm -fr "$RECYCLERSTUFF"

                                done

                      fi

                       

                       

                       

                      exit 0

                      >>

                      • 8. Re: Running an nsh script as remediation for component template compliance
                        Bill Robinson

                        Why don’t you just run the nsh script as a scheduled job on a periodic basis?  Why bother basing it on a compliance check ?

                        • 9. Re: Running an nsh script as remediation for component template compliance
                          Chris Haars

                          Agreed. I even said it one of my replies..."Right now, it looks like I just run it against all my servers periodically".

                           

                          Truth is that the script scares me a little (deleting shadow copies, backup service pack files, cached virusdefs), and I'd only like to run it on servers that are really low on space.

                           

                          -chris

                          • 10. Re: Running an nsh script as remediation for component template compliance
                            Bill Robinson

                            Well, take out the scary stuff ☺

                             

                            You might also want to look at using powershell if you have mostly 2008 servers or 2003 w/ it installed.

                             

                            you can also create a ticket w/ support and ask for a rfe to use a nsh script as remediation.

                            • 11. Re: Running an nsh script as remediation for component template compliance
                              Ashitosh Wagh

                              Hi Chris,

                               

                              I am suggesting one way migt not be proper but your problem will solved.

                               

                              After execution of compliance Job, and export result. Result file will give you non compliant servers.

                               

                              Run your NSH script with NSH job againest only those servers.

                               

                              Thanks

                              Ashitosh

                              1 of 1 people found this helpful
                              • 12. Re: Running an nsh script as remediation for component template compliance

                                In continuation to what Ashitosh has written above:

                                You could create a smartgroup of the servers on the basis of the component template.

                                Check out the "TEMPLATES*" property in the server smartgroup creation UI.

                                You could then probably create a batch job that first runs the compliance job and then runs the NSH script job against the smartgroup.

                                 

                                Bill: You think this should be ok?

                                1 of 1 people found this helpful
                                • 13. Re: Running an nsh script as remediation for component template compliance
                                  Bill Robinson

                                  yeah - that should be ok.  there's probably some blcli you could run to look through each server and find only the non-compliant ones.

                                  • 14. Re: Running an nsh script as remediation for component template compliance
                                    Chris Haars

                                    I'm looking for an AUTOMATED way to run the compliance job, then run a NSH

                                    script against the non-compliant servers.

                                     

                                    I can't find any TEMPLATE references when using the smart group creation

                                    UI. Can you elaborate? Can I AUTOMATICALLY create a smart group based on

                                    the results of the compliance job? I want the smart group to contain the

                                    non-compliant servers.

                                     

                                    -chris

                                    1 2 Previous Next