Pass Sequence Token

Description

When placed at the end of a baseline created with a special relevance clause, this task will assist in sequencing the execution of that baseline across a list of servers.

The high-level functions performed by this task are:

  1. Copy a token file from the endpoint on which the task is currently being run to another endpoint determined by a pre-existing list
  2. Delete the original token file from the current endpoint before completing

Server names, user IDs, wait times and passwords can be changed from the values defined in this task.

 


Property Details

ID: 6325
Status: Beta - Preliminary testing ready for more
Title: Pass Sequence Token
Domain: BESC
Category: Task Sequencing
Source: Mike Consuegra - Lighthouse Computer Services
Source Release Date: 12/26/2015 12:00:00 AM
Keywords: Pass Sequencing Token
Is Task: True
Added by on 12/27/2015 11:59:23 PM
Last Modified by on 12/27/2015 11:59:23 PM
Counters: 3319 Views / 18 Downloads

Relevance

Used in 81 fixlets and 86 analyses   * Results in a true/false
true

Actions

Action 1 (default)

Script Type: BigFix Action Script
// The server has just been patched by the baseline and rebooted
// Wait until it is back up and a specific service is running before the token is passed
pause while {not exists running service "SERVICE-NAME"}

// Download the Server List file from the Root Server
// This list must be populated ahead of time and can be updated regularly
download as ServerList.txt http://BES-ROOT-SERVER-NAME:52311/Uploads/SequencingTasks/ServerList.txt
pause while {not exists file "__Download\ServerList.txt"}





// Check for the existence of the 'Sequencing' folder in the Client Folder on the target
// If the folder does not exist, create it first; in both cases copy 'ServerList.txt' and 'token.txt' into it
if {not exists folder (parent folder of regapp "BESClient.exe" as string & "\Sequencing")}
    dos mkdir "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing"}"

    pause while {not exists folder ((parent folder of regapp "BESClient.exe" as string) & "\Sequencing")}

    dos copy /Y "{((client folder of current site) as string) & "\__Download\ServerList.txt"}" "{parent folder of regapp "BESClient.exe" as string & "\Sequencing\ServerList.txt"}"
    dos copy /Y "C:\temp\token.txt" "{parent folder of regapp "BESClient.exe" as string & "\Sequencing\token.txt"}"
else
    dos copy /Y "{((client folder of current site) as string) & "\__Download\ServerList.txt"}" "{parent folder of regapp "BESClient.exe" as string & "\Sequencing\ServerList.txt"}"
    // The token is deleted from 'Sequencing' at the end of every run, so it must be copied here as well
    dos copy /Y "C:\temp\token.txt" "{parent folder of regapp "BESClient.exe" as string & "\Sequencing\token.txt"}"
endif

// This section performs the actual passing of the token from the current server to the next one
// The process is wrapped in a conditional statement that works as follows:
// IF the text after the current server's entry in the 'ServerList.txt' file is exactly 'end', there are no more servers to process and the ELSE clause is executed
// However, if that text IS NOT 'end', the lines following the IF are processed
if {not active of action OR (following text of first ((hostname as string as lowercase) & "=") of (concatenation "=" of (lines of file ((parent folder of regapp "BESClient.exe") as string & "\Sequencing\ServerList.txt")) as lowercase ) does not equal "end")}

// Map a drive from the current server to the next server in the 'ServerList.txt' file
// In this format it will use the USERID and PASSWORD provided at the end of this line (both are placeholders and are stored in clear text in the action)
dos net use w: \\{preceding text of first "=" of (following text of first ((hostname as string as lowercase) & "=") of (concatenation "=" of (lines of file ((parent folder of regapp "BESClient.exe") as string & "\Sequencing\ServerList.txt")) as lowercase ))}\c$ /user:localhost\user-id passw0rd

// WAIT for 15 seconds to make sure the map command completes
parameter "start" = "{now}"
pause while {now < ( (( parameter "start" of action ) as time ) + 15* second)}

// Copy the 'token.txt' from the 'Sequencing' folder to the 'C:\TEMP' directory on the server mapped above and WAIT 15 seconds for the copy to complete
dos copy /Y "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing\token.txt"}" "W:\TEMP\token.txt"
parameter "start1" = "{now}"
pause while {now < ( (( parameter "start1" of action ) as time ) + 15* second)}

// DELETE the 'token.txt' file from the current server to make sure it is no longer relevant to the Baseline containing this task and WAIT 15 seconds before proceeding
dos del /F /Q "c:\temp\token.txt"
parameter "start2" = "{now}"
pause while {now < ( (( parameter "start2" of action ) as time ) + 15* second)}

// DELETE the 'token.txt' and 'ServerList.txt' from the 'Sequencing' folder on the current server and WAIT 5 seconds after each command before proceeding
dos del /F /Q "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing\token.txt"}"
parameter "start3" = "{now}"
pause while {now < ( (( parameter "start3" of action ) as time ) + 5* second)}

dos del /F /Q "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing\ServerList.txt"}"
parameter "start4" = "{now}"
pause while {now < ( (( parameter "start4" of action ) as time ) + 5* second)}


// DISCONNECT the mapped drive to the next server
dos net use w: /d

else

// No More Servers to Process -- Delete Token and ServerList files and wait 5 seconds after each operation before proceeding
dos del /F /Q "c:\temp\token.txt"
parameter "start5" = "{now}"
pause while {now < ( (( parameter "start5" of action ) as time ) + 5* second)}

dos del /F /Q "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing\token.txt"}"
parameter "start6" = "{now}"
pause while {now < ( (( parameter "start6" of action ) as time ) + 5* second)}

dos del /F /Q "{(parent folder of regapp "BESClient.exe" as string) & "\Sequencing\ServerList.txt"}"
parameter "start7" = "{now}"
pause while {now < ( (( parameter "start7" of action ) as time ) + 5* second)}

endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
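
The next-server lookup used by the action's IF condition and its 'dos net use' line can be modelled outside BigFix to see how it behaves on awkward server lists. The Python below is an added example, not part of the original task; the host names are constructed, and next_anchored is a hypothetical variant that requires the name to match a whole entry.

```python
def next_as_written(lines, hostname):
    """Model of the task's lookup: join the lines with '=', lowercase, then
    take the text between the first '<hostname>=' and the next '='."""
    joined = "=".join(lines).lower()
    marker = hostname.lower() + "="
    pos = joined.find(marker)                 # leftmost substring match
    if pos < 0:
        return None                           # host not listed: the relevance errors
    rest = joined[pos + len(marker):]
    if rest == "end":
        return "end"                          # ELSE branch: nothing left to process
    return rest.split("=", 1)[0] if "=" in rest else None


def next_anchored(lines, hostname):
    """Same idea, but the name must be a whole entry: search for
    '=<hostname>=' in a string that also starts with '='."""
    joined = "=" + "=".join(ln.strip() for ln in lines if ln.strip()).lower()
    marker = "=" + hostname.lower() + "="
    pos = joined.find(marker)
    if pos < 0:
        return None
    rest = joined[pos + len(marker):]
    if rest == "end":
        return "end"
    return rest.split("=", 1)[0] if "=" in rest else None


# Constructed ServerList.txt contents (hypothetical host names).
SERVER_LIST = ["devweb1", "web1", "web2", "end"]

if __name__ == "__main__":
    for host in ("devweb1", "web1", "web2", "db9"):
        print(host, next_as_written(SERVER_LIST, host), next_anchored(SERVER_LIST, host))
```

With this list, the lookup as written resolves web1 to itself because 'web1=' first matches inside 'devweb1='; anchoring the search with a leading '=' avoids that.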



Comments

jgstew -
I agree, I definitely don't recommend locking the client. It is far too limiting and you can achieve something similar just through good practices.
mxc0bbn -
Addendum to my previous comment: So part of the reason that time windows might not work in this particular use case is that they wanted to make ABSOLUTELY SURE that the patched server was up and available (i.e. the IIS server is up) before going onto the next one....Time Windows would certainly make sure they patch one at a time, but on rigid windows. If the server takes longer than expected to boot then you might get overlap...which was not desired.
mxc0bbn -
Actually...now that you mention it...I did that too for a different customer. In that particular instance they had endpoints that could only be patched during a specific week/day/time of the month so they wanted to send an action to every endpoint and leave it open for the month, but have the action execute only on an endpoint based on when that specific endpoint was supposed to be patched. I will probably post that one too, but it was several parts as well so it might not translate well here. In that case I know I could have recommended Maintenance Windows, but that would have required locking the endpoints which makes them totally untouchable outside of those particular windows...and what they really wanted to avoid was just patching except during those windows. BigFix is such a powerful tool it's just all fun figuring stuff out. :-)
jgstew -
You're welcome. Apparently you were already aware of the potential issues, but it is useful to spell them out for the sake of others. I figured that the use case had to do with something related to load balancing, otherwise it seemed unnecessarily difficult. An alternative that would have less assurances would be to create time windows randomly for the endpoints to update so that they would be unlikely to all update at the same time. Again, not as assured, but much easier to accomplish with just pure relevance.
mxc0bbn -
jgstew: Thanks for the feedback. I'll take each one separately:

  1. The specific folders are there as placeholders really. Anyone is free to make whatever changes fit best in their environment. For example, in some companies they might use D, or E as the system drives so even that would have to be written as something like: (windows folder as string & "\TEMP"). Another reason I thought about using the TEMP off the root drive is because some networks require special permission to write to the Windows folder, but I digress. In essence, yes, Windows\Temp is a good option there too.
  2. If I'm writing something to the BES Client folder I usually like to create a specific directory so it's easy to identify what is or goes there. It's just a subjective preference which can be tailored to the tastes of the operator.
  3. It is very kind of you to call it "complicated"...I, myself called it "Ugly" :-) It's a less efficient way to do something that already exists within one of the product's modules. I was asked to write it for a specific use case (patching an IIS cluster that's being load-balanced upstream). In the version I gave to the client they opted to run the BESClient as a Domain-Level service ID with access to the desired servers so a user/pw was not necessary for the drive mapping. I posted it with the userid/pw because it's the simplest form of the Fixlet...And yes, it does present a vulnerability in having the userid/pw in clear text in the Fixlet. I tried to find a way to make it a parameter and obscure the input, but I couldn't make it work quickly enough and since this was for a very special use case it didn't merit spending more time on it...

All excellent points...Thank you!
jgstew -
This pass the sequence token concept is a bit complicated and prone to breakage at many different points. I'm guessing this is being used for some specialized server use case. Having a password hardcoded into the actionscript isn't ideal. It is definitely interesting in some very specific use cases. I am curious what the use case is for this.
jgstew -
I typically use the following BigFix client folder for storing small items and installer logs: __BESData\__Global\Logs
jgstew -
In general, I'd recommend using C:\Windows\Temp instead of C:\Temp
mxc0bbn -
You must make some changes that will make this task applicable to your own environment:

  1. SERVICE NAME in line 3
  2. BES ROOT SERVER NAME in line 7
  3. USERID / PASSWORD on the line that begins 'dos net use'
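
The clear-text USERID / PASSWORD on the 'dos net use' line, discussed in the comments above, is something that can be checked for across exported action scripts before they are deployed. The Python below is an added example, not part of the original task or its comments; the sample lines and the "next" parameter name are constructed.

```python
import re

SUBST = re.compile(r"\{[^{}]*\}")            # inline relevance substitution {...}
DRIVE = re.compile(r"^(?:[a-z]:|\*)$", re.I)  # device name such as w: or *


def find_cleartext_net_use(script_text):
    """Return (line_number, account) for each 'net use' line that carries a
    literal password token. The password itself is never returned."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("//"):
            continue                              # ActionScript comment
        tokens = SUBST.sub("<REL>", line).split()
        lowered = [t.lower() for t in tokens]
        if "net" not in lowered:
            continue
        i = lowered.index("net")
        if lowered[i + 1:i + 2] != ["use"]:
            continue
        account, literal = None, False
        for tok in tokens[i + 2:]:
            if tok.lower().startswith("/user:"):
                account = tok[6:]
            elif tok.startswith("/") or tok.startswith("\\\\") or DRIVE.match(tok):
                continue                          # switch, UNC share, or device
            elif tok not in ("*", "<REL>"):
                literal = True                    # bare token: password typed on the line
        if literal:
            findings.append((lineno, account))
    return findings


# Constructed sample in the shape used by the task; line 5 is the variant with
# no credentials, as when the client runs under an account that already has access.
SAMPLE = r'''// map the next server
dos net use w: \\{parameter "next"}\c$ /user:localhost\user-id passw0rd
dos net use w: /d
// dos net use w: \\old\c$ /user:x y
dos net use w: \\{parameter "next"}\c$
'''

if __name__ == "__main__":
    for lineno, account in find_cleartext_net_use(SAMPLE):
        print(f"line {lineno}: literal password for account {account}")
```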