Remediating servers


Remediation is the process of downloading the payload for patches determined to be missing on one or more target servers and then applying that payload to the identified target servers to bring each one up to the required level.


To control the number of Deploy Jobs created during remediation

By default, a single Deploy Job is created during remediation to deploy multiple BLPackages to multiple target servers. However, you can choose to have multiple Deploy Jobs created, one for each target server, as was the standard behavior in earlier versions of TrueSight Server Automation.

Note

If you are performing patch remediation on Solaris servers, where some of the target servers are Guest LDOMs and other target servers are Primary LDOMs, two Deploy Jobs are created instead of a single Deploy Job. One Deploy Job is created for all Guest LDOM target servers and another Deploy Job is created for Primary LDOM target servers.

A Deploy Job for patch remediation that deploys multiple BLPackages on multiple target servers has the following limitations:

For additional limitations in the configuration of such Deploy Jobs, see To set deploy options.

  1. From the Configuration menu, select Patch Global Configuration.
  2. In the Patch Global Configuration dialog box, select a value for the Use Single Deploy Job setting:
    • Yes — only one Deploy Job for all target servers that require remediation. This is the default setting.
    • No — multiple Deploy Jobs, a separate Deploy Job for each target that requires remediation.
  3. Click OK.


To automatically remediate servers

If you select the Create remediation artifacts check box during patching job definition, the process of packaging and deploying the payload is handled automatically according to the schedule you defined for the job.

Notes

  • On agents running versions earlier than 8.2 SP1, if you select the Create remediation artifacts check box to run the Patching Job, then you require write access to the helper server of the catalog.
  • As part of the Remediation Job, Deploy and Batch Jobs are created but those jobs are not executed immediately. You can run Deploy Jobs according to a separate schedule and set them to run during maintenance windows.

However, when analysis results indicate that patches are missing, you can also choose to remediate the target server manually, as described in the next section.

To manually remediate a server

  1. At the end of analysis, right-click the patching job and select Show Results.
  2. Expand the analysis results from the root node and under Server View, right-click Successful targets and select Remediate All Server(s).
  3. Provide information for the remediation job as described in the following table:

    Panel

    Description


    The Default Notifications panel provides options for defining default notifications that are generated when a job completes. If you have set up notifications for a particular scheduled job, those notifications are generated instead of default notifications.


    The Schedules panel lets you schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.

    The Properties panel provides a list of properties automatically assigned to the job being created. In this list, you can modify the value of any properties that are defined as editable.

    For any property that has a check in the Editable column, select the property and click in the Value column.

    • To set a property value back to its default value, click Reset to Default Value.
      The value of the property is reset to the value it inherits from a built-in property class. The Value Source column shows the property class from which the value is inherited.
    • Depending on the type of property you are editing, you can take different actions to set a new value, such as entering an alphanumeric string, choosing from an enumerated list, or selecting a date.
      To insert a parameter into the value, enter the value, bracketed with double question mark delimiters (for example, ??MYPARAMETER??) or click Select Property.

    Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as depot objects. ACLs control access to all objects, including the sharing of objects between roles. For more information, see the following table:

    Task

    Description

    Adding an authorization

    An authorization grants permission to a role to perform a certain type of action on this object.

    To add authorization to this object, click Add Entry in the Access Control List area. Then use the Add New Entry dialog box to specify the role and authorization you want to add.

    Adding an ACL template

    An ACL template is a group of predefined authorizations granted to roles. Using an ACL template, you can add a group of authorizations to the object.

    To add an ACL template to the object, click Use ACL Template in the Access Control List area. Then use the Select ACL Template dialog box to specify an ACL template that you want to add to this object.

    To set the contents of the selected ACL templates so that they replace all entries in the access control list, select Replace ACL with selected templates. If you do not select this option, the contents of the selected ACL templates are appended to existing entries in the access control list.

    Adding an ACL policy

    An ACL policy is a group of authorizations that can be applied to this object but can be managed from one location.

    To add an ACL policy to this object, click Use ACL Policy in the ACL Policies area. Then use the Select ACL Policy dialog box to specify an ACL policy that you want to add to the object.

    To set the contents of the selected ACL policies so they replace all entries in the access control list, select Replace ACL with selected policies. If you do not select this option, the contents of the selected ACL policies are appended to existing entries in the access control list.

For information about viewing the results of the remediation, see Viewing Patching Job results.

To set deploy options

Remediation generates one or more deployment jobs, which are used to apply a specific set of missing patches to a list of target servers. For each of those jobs, TrueSight Server Automation lets you control deployment behavior by defining deploy options.

Note

On all Microsoft Windows platforms, the Startup type for Windows Update service must be set to Manual.
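
A pre-remediation check for the Windows Update startup type requirement in the note above. This is an added example, not part of the BMC documentation or tooling; the target names are placeholders, and it assumes CIM (WinRM) access from the machine running the script to each Windows target.

```powershell
# Added example: audit (and optionally correct) the Windows Update service
# startup type on Windows patch targets before running remediation.
# Assumptions: target names are placeholders; CIM/WinRM access to each target.
param(
    [string[]]$Targets = @('winsrv01.example.test', 'winsrv02.example.test'),
    [switch]$Fix
)

$results = foreach ($target in $Targets) {
    try {
        # Win32_Service.StartMode reports Auto, Manual or Disabled.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" `
                               -ComputerName $target -ErrorAction Stop
        if (-not $svc) { throw "Service wuauserv not found" }

        $mode = $svc.StartMode
        if ($Fix -and $mode -ne 'Manual') {
            # ChangeStartMode is a Win32_Service method; ReturnValue 0 means success.
            $r = Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                                  -Arguments @{ StartMode = 'Manual' } -ErrorAction Stop
            if ($r.ReturnValue -eq 0) { $mode = 'Manual (changed)' }
        }
        [pscustomobject]@{ Server = $target; StartMode = $mode; Error = $null }
    }
    catch {
        # Unreachable or failing targets are reported, not silently skipped.
        [pscustomobject]@{ Server = $target; StartMode = 'Unknown'; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero when any target does not meet the Manual requirement,
# so the check can gate a scheduled remediation run.
$nonCompliant = $results | Where-Object { $_.StartMode -notlike 'Manual*' }
if ($nonCompliant) { exit 1 }
```

Run it without `-Fix` first to get a report only; targets listed as `Unknown` need to be checked by hand before the Deploy Job is scheduled.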

You can set deploy options:

  • Individually — Select the deploy options that should be used when generating a specific Deploy Job during remediation. For more information about the options you can select, refer to the following table describing Deploy Job behavior:

    Panel

    Description


    For all types of Deploy Jobs, you can use the Phase Options panel to make choices that control how the Simulate, Stage, and Commit phases of a job behave. You can also modify job behavior when undoing a deployment.

    The Phase Options panel also lets you assign pre- and post-commands for the Deploy Job and the undoing of the Deploy Job.

    To complete the Phase Options panel, you may have to perform the following procedures:

    • Choosing simulate and stage options
    • Choosing commit and undo options
    • Defining precommands and postcommands

    The Phases and Schedules panel lets you choose the deployment phases that should occur during deployment of a software package or BLPackage. It also lets you schedule the execution of a job. The Phases and Schedules panel prompts you for the following categories of information:

  • By Group — Specify an existing Deploy Job on the remediation options tab (in the Deploy Options dialog box) in the Remediation Editor. Its options are used as a template that is applied to all Deploy Jobs created during remediation.

Deploy Jobs are chained to the parent Patching Job, and the parent Patching Job is marked as complete only after the Deploy Job finishes execution. The TrueSight Server Automation Console displays the execution status of the Deploy Jobs and a consolidated status summary of all the Deploy Jobs.

Note

When configuring a Deploy Job that deploys multiple BLPackages to multiple targets, note the following configuration limitations:


Warning

Although an undo option is available for deployed patches, BMC neither supports nor recommends this action. The undo option, which depends on platform-specific operating system commands, can compromise the target server.

To stage the patches before applying them

When you are preparing to patch servers, you can save time in the deployment process by staging the patches on the target(s) prior to performing the actual patching. 

To do so, complete the following steps:

  1. When you run the Patch Remediation Job (the one that creates the Deploy Job or Jobs), in the Deploy Job Options of the Patch Remediation Job, set the schedule for the Simulate phase to start relatively soon, or whenever you want the staging to occur (for example, during the weekdays).
  2. Ensure that the job starts the Stage phase right after the Simulate phase. Do not schedule the job to Commit, as that is the phase that actually performs the patching.
    All the Deploy Jobs run at the scheduled time that you specified (Simulate and Stage). During the Stage phase, the patches are copied to the targets.
  3. At a later point in time (for example, during a change window on the weekend), you can start the Batch Job (which was also created during the Patch Remediation run).

The Batch Job resumes every Deploy Job in the Commit phase. The Commit phase is the only one that performs the actual patch installation.

To enable sequential execution of auto-remediation batch jobs


Where to go from here

Patch Remediation Job - General
