Remediating servers

Remediation is the process of downloading the payload for patches determined to be missing on one or more target servers and then applying that payload to the identified target servers to bring each one up to the required level.

This topic contains the following sections:

To automatically remediate servers

If you select the Create remediation artifacts check box during patching job definition, the process of packaging and deploying the payload is handled automatically according to the schedule you defined for the job.

Notes

  • On agents running versions earlier than 8.2 SP1, if you select the Create remediation artifacts check box to run the Patching Job, then you require write access to the helper server of the catalog.
  • As part of the Remediation Job, Deploy and Batch Jobs are created but those jobs are not executed immediately. You can run Deploy Jobs according to a separate schedule and set them to run during maintenance windows.

However, when analysis results indicate that patches are missing, you can also choose to remediate the target server manually, as described in the next section.

To manually remediate a server

  1. At the end of analysis, right-click the patching job and select Show Results.
  2. Expand the analysis results from the root node and under Server View, right-click Successful targets and select Remediate All Server(s).
  3. Provide information for the remediation job as described in the following table:

    PanelDescription

    Patch Remediation Job - General

    Enter some basic information about the patching job.

    Name

    Enter the name of the Patch Remediation Job.

    Description

    Enter some information about the Patch Remediation Job.

    Save In

    If not already displayed, enter or browse to the location where the Patch Remediation Job is stored.

    Set Execution Override

    Select if the Patching Job always executes as the user, BLAdmin, and the role, BLAdmins.

    Clear Execution Override

    Select if the Patching Job always executes using the user and role that scheduled the job.

    Patch Remediation Job - Remediation Options

    Enter the following Packaging Options information:

    Batch Job/Deploy Job/Package Name Prefix

    Text that is added to the names of all BLPackages and Deploy Jobs created during remediation. By default, the Remediation Job name is entered automatically in this box.

    Save package(s) in

    Enter a depot location where the BLPackages created during remediation are stored. By default, the location where the Remediation Job is stored in the depot is supplied.

    Enter the following Deploy Job Options information:

    Save batch/deploy job(s) in

    Enter a job folder where the Batch and Deploy Jobs created by the Remediation Job are stored.

    ACL Policy for Package(s)/Deploy Job(s)

    Browse to and select the ACL Policy which assigns predefined permissions to each BLPackage, Deploy Job, and Batch Job created by the Remediation Job.

    Deploy Job Options

    Select a set of predefined, parameter definitions that are applied to each Deploy Job created by the Remediation Job.
    Click this button to access the Deploy Job Options dialog box. The various options that you can configure are divided across several tabs, which correspond to the following Deploy Job wizard panels:

    Deploy Job PropertiesEnables you to define local values for any of the editable properties associated with the Deploy Jobs, through the Deploy Job Properties dialog box.
    Patch Remediation Job - Default Notifications

    The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications.

    Default notifications can take the form of emails or SNMP traps. When a job completes, an SNMP trap is sent to a specified server, where it can be read using software that receives and interprets SNMP traps. Default notifications are sent when you run a job immediately (that is, you do not schedule the job) or a scheduled job completes but you have not set up email or SNMP notifications for that scheduled occurrence.

    Job Run Notifications

    FieldDescription

    Send email to

    Lists email addresses of the accounts to notify when a job completes with the status that you specify. Separate multiple email addresses with semicolons, such as sysadmin@bmc.com;sysmgr@bmc.com. After entering email address information, check the statuses that cause an email to be generated. The statuses can be Success, Failed, or Aborted.

    Send SNMP trap to

    Provides name or IP address of the server to notify when the job completes. After entering server information, select the statuses that should cause an SNMP trap to be generated. The statuses can be Success, Failed, or Aborted.

    BMC Server Automation provides a management information base (MIB) that describes its SNMP trap structure. You can use this MIB to create scripts that integrate traps into your trap collection system. The MIB is located on the Application Server host computer at installDirectory/Share/BladeLogic.mib.

    List failed servers in email notification

    Indicates that email notifications should list all servers on which a job has failed.

    Patch Remediation Job - Schedules

    The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.When scheduling a job, you can perform any of the following tasks:

    • Scheduling a job that executes immediately — To schedule a job that executes immediately, select Execute job now. If your system has been configured to require approval information for this job type, select Execute on Approval and then click Browse to display the Approval Information dialog box.
    • Scheduling a job — The Schedule tab lets you schedule a job so it can run one time, recur daily, weekly, or monthly, or recur at some arbitrary interval.
      While scheduling, you can set the time zone for the job. You can also set an execution priority level for the job.

      Note

      For a recurring schedule, BMC Server Automation automatically accounts for differences in time zones and changes in daylight savings time. For example, if you schedule a job that should run weekly at 06:00 Eastern Standard Time, the job always runs at 06:00 Eastern Time, no matter whether standard or daylight savings time is in effect.

      Ensure that all component machines in your BMC Server Automation system have their clocks synchronized. 

    • Defining scheduled job notifications — The Scheduled Job Notifications tab lets you set up notifications that are generated when a scheduled job runs.
    • Providing approval information — The Approval information tab lets you provide required approval information. This tab only appears when your system has been configured to require approval information for this job type. For details about BMC Remedy ITSM approval, see Executing a job with BMC Remedy ITSM approval.

    Patch Remediation Job - Properties

    The Properties panel provides a list of properties automatically assigned to a Snapshot Job. In this list, you can modify the value of any properties that are defined as editable.

    For any property that has a check in the Editable column, select the property and click in the Value column.

    • To set a property value back to its default value, click Reset to Default Value .
      The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited.
    • Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date.
      To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??) or click Select Property .
    Patch Remediation Job - Permissions
    The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as jobs, servers, or depot objects. ACLs control access to all objects, including the sharing of objects between roles.

    Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. For more information, see the following table:

    TaskDescription

    Adding an authorization

    An authorization grants permission to a role to perform a certain type of action on this object.

    To add an authorization to this object, click Add Entry  in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add.

    Adding an ACL template

    An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object.

    To add an ACL template to the object, click Use ACL Template  in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object.

    To set the contents of the selected ACL templates so they replace all entries in the access control list, check Replace ACL with selected templates. If you do not check this option, the contents of the selected ACL templates are appended to existing entries in the access control list.

    Adding an ACL policy

    An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location.

    To add an ACL policy to this object, click Use ACL Policy  in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object.

    To set the contents of the selected ACL policies so they replace all entries in the access control list, check Replace ACL with selected policies. If you do not check this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

For information about viewing the results of the remediation, see Viewing Patching Job results.

To set deploy options

Remediation generates one or more deployment jobs, which are used to apply a specific set of missing patches to a list of target servers. For each of those jobs, BMC Server Automation lets you control deployment behavior by defining deploy options.

Note

On all Microsoft Windows platforms, the Microsoft update service must be running for patching to work.

You can set deploy options:

  • Individually — Select the deploy options that should be used when generating a specific Deploy Job during remediation. For more information about the options you can select, refer to the following table describing Deploy Job behavior:

    PanelDescription

    Deploy Job - Job Options

    The Job Options panel lets you customize the behavior of a Deploy Job.

    There are many interactions to consider when specifying job options. For a description of the procedure necessary to define job options, see Specifying job options.

    If you are defining an advanced BLPackage Deploy Job, you can use this panel to control the flow of the job. You can specify whether a job should proceed as far as it can for each server or complete the same phase for all servers before proceeding to the next phase. You can also specify whether failed jobs are automatically reset so they can be immediately re-executed.

    If you are defining any type of Deploy Job, you can use the Job Options panel to:

    • Specify whether the job can execute in parallel on a target with other Deploy Jobs. In some situations you may want a job to execute in single-job mode, meaning no other Deploy Jobs can be processed while this job is executing.
      Note that when a job starts, it may be placed in a queue of jobs waiting to execute. The job leaves the queue when execution begins. Jobs defined to run in parallel can execute while other parallel jobs are also executing. A job defined to run in single-job mode must wait until the jobs ahead of it complete. Any jobs further back in the queue wait until the job running in single-job mode completes.
    • Specify how long the job can wait in an agent's queue of jobs to be processed before the job itself is processed.
    • Specify how long the job can lose its connection to a target before the job fails. Typically a Deploy Job loses a connection to a target because the network has a experienced a failure, a target server is in the process of rebooting or shutting down, or the server has rebooted into single-user mode.
    • Specify that the job uses single-user mode while processing the entire job or while processing individual items. Single-user mode is a minimal UNIX environment typically used when installing or removing software. When a server is in single-user mode, BMC Server Automation cannot communicate with the agent on that server. Single-user mode is available for all UNIX based systems. Windows systems ignore all single-mode instructions.
    • Specify that a server reboot after an object in the package is deployed if the definition for that object calls for a reboot. If necessary, you can specify that a server reboot at the end of the job or that the server not reboot. You can also specify that the job consolidate all reboots until the end of the job.
    • Specify for Solaris servers that a reconfiguration reboot occurs at the end of the job. You can also specify whether a Solaris server should perform a reconfiguration reboot after an object in the package is deployed if the definition for that object calls for a reconfiguration reboot.
    Deploy Job - Phase Options

    For all types of Deploy Jobs, you can use the Phase Options panel to make choices that control how the Simulate, Stage, and Commit phases of a job behave. You can also modify job behavior when undoing a deployment.

    The Phase Options panel also lets you assign pre- and post-commands for the Deploy Job and the undoing of the Deploy Job.

    To complete the Phase Options panel, you may have to perform the following procedures:

    Choosing simulate and stage options

    Choosing commit and undo options

    Defining precommands and postcommands

    Deploy Job - Phases and SchedulesThe Phases and Schedules panel lets you choose the deployment phases that should occur during deployment of a software package or BLPackage. It also lets you schedule the execution of a job.

    The Phases and Schedules panel prompts you for the following categories of information:

  • By Group — Specify an existing Deploy Job in the remediation options tab (in Deploy Options dialog) in the Remediation Editor. Its options are used as a template that is applied to all Deploy Jobs created during remediation.

Deploy Jobs are chained to the parent Patching Job, and the parent Patching Job is marked as complete only after the Deploy Job finishes execution. The BMC Server Automation Console displays the execution status of the Deploy Jobs and a consolidated status summary of all the Deploy Jobs.

Warning

Although an undo option is available for deployed patches, BMC neither supports nor recommends this action. The undo option, which depends on platform-specific operating system commands, can compromise the target server.

To stage the patches before applying them

When you are preparing to patch servers, you can save time in the deployment process by staging the patches on the target(s) prior to performing the actual patching. 

To do so, complete the following steps:

  1. When you run the Patch Remediation Job (the one that creates the Deploy Job or Jobs), in the Deploy Job Options of Patch Remediation Job, set the schedule for the Simulate phase to start relatively soon, or whenever you want the staging to occur (for example, during the weekdays).
  2. Ensure that the job executes the Stage start right after the Simulate phase. Do not schedule the job to Commit, as that is the phase that actually performs the patching.
    All the Deploy Jobs will run at the scheduled time that you specified (Simulate and Stage).  During the Stage phase, the patches will be copied to the targets.
  3. At a later point in time (for example during a change window on the weekend), you can kick off the Batch Job (which was also created during Patch Remediation run).

The Batch Job will simply resume every Deploy Job in the Commit phase. The Commit phase is the only one that performs the actual patch installation.

Where to go from here

Patch Remediation Job - General

Was this page helpful? Yes No Submitting... Thank you

Comments