16 Replies. Latest reply on Oct 12, 2016 2:22 AM by Bogdan Dumitrescu

    Best Practice for cleaning up expired Components?

    richard mcleod

      Pretty simple question here I hope...

       

      Had components that were discovered on ~50 something servers, the file that once determined the component is no longer.

       

      if file 'a' then server gets component...

       

      so file 'a' has been removed from the hosts, discovery was run again, but component is maintained which causes the related compliance job to check against servers we know do not have the file any longer inducing a failure and to show bad data on the bdssa report.

       

      What's my best way forward to clean this up? Create a smart component group for the component and delete each then re-discover?

        • 1. Re: Best Practice for cleaning up expired Components?
          Bill Robinson

          if the target fails discovery then the component should be marked as IS_VALID = false.  then you can create a smart group and delete from there.

          • 2. Re: Best Practice for cleaning up expired Components?
            richard mcleod

            So the preferred method is manual deletion based on a component property + smart group? Just confirming...

            • 3. Re: Best Practice for cleaning up expired Components?
              Bill Robinson

              well, you can script that w/ some blcli to list all the members in the group and delete, or iterate over all the components associated w/ a template and delete the ones that are not valid.  there are reasons for having the invalid components - for deploy and some other cases and it's possible the server could move back to a valid state after some time or change.

               

              if you want to exclude the invalid components from jobs then target the job to a smart component group that only includes IS_VALID = true components for that template.

              • 4. Re: Best Practice for cleaning up expired Components?
                richard mcleod

                Thanks Bill - The use case in this situation should never lend itself to have to deploy to the invalid hosts and to eliminate any confusion during reporting of the components via BDSSA I will look into scripting their removal. Especially since we can always re-instantiate the component with a discovery if needed. Definitely can see the use of keeping the components in-place though for other use cases. Appreciate the info.

                • 5. Re: Best Practice for cleaning up expired Components?
                  richard mcleod

                  As a follow up, here is a basic script to delete the invalid components

                   

                  #DeleteInvalidComponents.nsh
                  #richard.mcleod@gmail.com
                  #Inputs:
                  #Path to Component Template in BSA (example: /PROD - Component Templates/Windows/Something)
                  #Template Name (example: This is my template name)
                  #
                  pathToTemplate="$1"
                  templateName="$2"

                  #Get the Template DB Key
                  blcli_execute Template getDBKeyByGroupAndName "$pathToTemplate" "$templateName"
                  blcli_storeenv templateDBKey

                  #Get the list of component keys
                  blcli_execute Component getAllComponentKeysByTemplateKey "$templateDBKey"
                  blcli_storeenv componentKeys

                  for component in $componentKeys
                  do
                      #Get component Target (fetched before the validity check so both branches report the right host)
                      blcli_execute Component getFullyResolvedPropertyValue "$component" "TARGET"
                      blcli_storeenv componentTarget

                      #Get hostname from class object string
                      componentTarget=$(echo "$componentTarget" | awk -F/ '{print $5}')

                      #Check validity
                      blcli_execute Component getFullyResolvedPropertyValue "$component" "IS_VALID*"
                      blcli_storeenv componentValid

                      #Quoted so an empty value does not break the test
                      if [ "$componentValid" = "false" ]; then
                          #Delete component
                          blcli_execute Component deleteComponentByDBKey "$component"
                          blcli_storeenv delStatus

                          if [ "$delStatus" = "void" ]; then
                              echo "Deleted $templateName from server: $componentTarget"
                          else
                              echo "Something went wrong when trying to delete $templateName from $componentTarget!"
                          fi
                      else
                          echo "Component $templateName is valid on $componentTarget, skipping!"
                      fi
                  done

                  • 6. Re: Re: Best Practice for cleaning up expired Components?
                    Bill Robinson

                    this should work for all invalid components, regardless of template.

                     

                    #!/bin/nsh
                    # Connect with the default profile as BLAdmins
                    blcli_setoption serviceProfileName defaultProfile
                    blcli_setoption roleName BLAdmins
                    blcli_connect

                    propertyName='IS_VALID*'
                    propertyValue=false

                    # Create a temporary smart component group matching IS_VALID* equals false
                    blcli_execute SmartComponentGroup createGroup / "$$.tmp" "test group" "${propertyName}" "equals" "${propertyValue}"
                    blcli_storeenv groupKey
                    blcli_execute SmartComponentGroup groupNameToId "/$$.tmp"
                    blcli_storeenv groupId

                    # List the DB keys of all components in that group
                    blcli_execute Component findAllByComponentGroup "${groupId}" true
                    blcli_execute Component getDBKey
                    blcli_execute Utility setTargetObject
                    blcli_execute Utility listPrint
                    blcli_storeenv componentKeys

                    # Remove the temporary group, then delete each invalid component and its dependent objects
                    blcli_execute SmartComponentGroup deleteGroupByQualifiedName "/$$.tmp"
                    for componentKey in ${componentKeys}
                    do
                        blcli_execute Delete deleteModelObjectAndDependentObjects 251 "${componentKey}"
                    done

                    • 7. Re: Best Practice for cleaning up expired Components?
                      Steffen Kreis

                      Hi,

                       

                      we ran into a similar issue today.

                      One thing about this confuses me a lot.

                       

                      Why does a Compliance Job run against a Component that is marked as IS_VALID=false ?

                       

                      I was expecting that a Compliance Job would fail with a Warning like "No valid component found for target ...." but instead it moves along and runs all the rules against it ?!?!

                       

                      Steffen

                      • 8. Re: Best Practice for cleaning up expired Components?
                        Bill Robinson

                        it's by design.  we had a customer w/ a specific use case for this iirc.  imo compliance should automatically not run against any invalid components...

                         

                        the only scenario i could see using invalid would be for the deploy.

                        • 9. Re: Best Practice for cleaning up expired Components?
                          Steffen Kreis

                          Correct, it should not run !

                          It even allows to auto-remediate, which it did in our case !

                           

                          This means, all Discovery signatures need to be checked again in every single rule, just to make sure we don't do any damage.

                           

                          If even you agree this is wrong, what can we do against it ?

                          (An "idea" is not what i have in mind)

                          • 10. Re: Best Practice for cleaning up expired Components?
                            Bill Robinson

                            a component should only be flagged as invalid if the discovery job runs and the discovery conditions change.  there might be one other condition but i forget

                             

                            so you would need to run the discovery job regularly to get the component property IS_VALID=false first.  and you can always target a smart component group where the conditions are TEMPLATE* = 'the template' and IS_VALID=true.

                            • 11. Re: Best Practice for cleaning up expired Components?
                              Steffen Kreis

                              Yeah true,

                               

                              the problem in our special case here is that the affected Compliance/Remediation job runs against the server object, not the component and therefore also works against invalid components.

                               

                              The reason why we are doing it this way is that this is our mechanism for Windows Server 2003 extended Patching, where the compliance job is part of a Batch-Job sequence that is executed against the target.

                               

                              Steffen

                              • 12. Re: Best Practice for cleaning up expired Components?
                                Bogdan Dumitrescu

                                Hi Bill,

                                 

                                Because i did run into the same problem regarding the compliance, isn't there a better option to add a checkbox in the Compliance Job where to tick if you want the job to run against Invalid components?

                                I need to run the jobs against server objects too.

                                 

                                I don't think that changing the whole standard is the best option. Big issues can come from this behavior.

                                 

                                The Discovery Signature is the main safety trigger, imo.

                                 

                                In  my case, i am running a batch job against a Static Server Group. My solution for this is to add the NSH script job for component cleanup between the Discovery and Compliance jobs.

                                This workaround fixes the problem partially, because we need to keep exceptions too, and if the component is removed, the exceptions are lost too.

                                • 13. Re: Best Practice for cleaning up expired Components?
                                  Bill Robinson

                                  Because i did run into the same problem regarding the compliance, isn't there a better option to add a checkbox in the Compliance Job where to tick if you want the job to run against Invalid components?

                                  -> in 8.9 there's a 'ignoreinvalidcomponents' setting in blasadmin which should do this globally.

                                   

                                  I need to run the jobs against server objects too.

                                  -> ok?  but compliance always runs against components.  why do you need to run against servers ?

                                   

                                  The Discovery Signature is the main safety trigger, imo.

                                  -> the discovery conditions in the template are what determine if the component is valid or not, when discovery runs.  i think there were a couple other ways to invalidate a component w/o running discovery (and having it fail on the target)

                                   

                                  In  my case, i am running a batch job against a Static Server Group. My solution for this is to add the NSH script job for component cleanup between the Discovery and Compliance jobs.

                                  -> and what is in the batch job ?

                                  • 14. Re: Best Practice for cleaning up expired Components?
                                    Bogdan Dumitrescu

                                    Hi,

                                     

                                    > I use static server groups for the moment, because the list of the servers changes from time to time and it is easier to track like this, for the moment, i cannot use smart group for this since i don't have the complete selection criteria in Bladelogic yet.

                                     

                                    > In some compliance rules, i am checking if the system is physical or it is vmware, but, from time to time, i get systems where the  Machine Summary cannot be retrieved, so the evaluation goes into a wrong direction.

                                    i.e.

                                     

                                    if

                                       "Hardware Information.Machine Summary:/System".Model contains "vmware"

                                    then

                                         "Command:/sbin/initctl status vmware-tools".Out_Put starts with "vmware-tools start/running" 

                                    end

                                     

                                    The compliance Job runs, the result is wrong.

                                     

                                    In order to avoid this type of situation, i have added a signature discovery rule:

                                    "Hardware Information.Machine Summary:/".Model != null

                                    The scope is to block the component creation, in order to block the compliance check.

                                     

                                    > the batch job consists of a

                                    1. NSH script Job,
                                    2. Component Discovery Job
                                    3. > Added the component cleanup NSH script Job
                                    4. Compliance job.

                                     

                                    They are run sequentially, and the batch job is run against the static server group.
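
Since removing a component also removes its exceptions (post 12) and the cleanup step sits between discovery and compliance (post 14), a report-only mode and a ceiling on deletions per run are useful guards for that step. The sketch below is an added example, not code from any poster in this thread; it uses only the blcli calls already shown above. `MAX_PCT`, `DRY_RUN` and both function names are hypothetical, and it assumes `blcli_execute`/`blcli_storeenv` behave as in the scripts in posts 5 and 6.

```shell
#!/bin/sh
# Added example, not from the thread. MAX_PCT and DRY_RUN are hypothetical knobs.
MAX_PCT=${MAX_PCT:-20}   # refuse to delete when more than this % is invalid
DRY_RUN=${DRY_RUN:-1}    # 1 = report only, 0 = really delete

# Pure decision from counts: prints noop, delete or abort.
# Args: total components, invalid components, ceiling in percent.
cleanup_decision() {
    if [ "$2" -eq 0 ]; then echo noop; return 0; fi
    # invalid/total > pct/100, in integer math
    if [ $(($2 * 100)) -gt $(($3 * $1)) ]; then echo abort; else echo delete; fi
}

# Args: template group path, template name. Uses only blcli calls from the posts above.
cleanup_invalid_components() {
    blcli_execute Template getDBKeyByGroupAndName "$1" "$2"
    blcli_storeenv templateDBKey
    blcli_execute Component getAllComponentKeysByTemplateKey "$templateDBKey"
    blcli_storeenv componentKeys
    total=0; invalid=0; invalidKeys=""
    for key in $componentKeys; do
        total=$((total + 1))
        blcli_execute Component getFullyResolvedPropertyValue "$key" "IS_VALID*"
        blcli_storeenv isValid
        if [ "$isValid" = "false" ]; then
            invalid=$((invalid + 1)); invalidKeys="$invalidKeys $key"
        fi
    done
    decision=$(cleanup_decision "$total" "$invalid" "$MAX_PCT")
    echo "$2: $invalid of $total components invalid, decision: $decision"
    case "$decision" in
        noop)  return 0 ;;
        abort) echo "More than ${MAX_PCT}% invalid; review discovery first" >&2
               return 1 ;;
    esac
    for key in $invalidKeys; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would delete $key"
        else
            blcli_execute Component deleteComponentByDBKey "$key"
        fi
    done
}

# Run only when called with both arguments, as in the script in post 5.
if [ $# -ge 2 ]; then cleanup_invalid_components "$1" "$2"; fi
```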
