-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
P40118820
authored and
P40118820
committed
Dec 13, 2021
1 parent
c65048a
commit fe54918
Showing
35 changed files
with
902 additions
and
222 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,71 +1,51 @@ | ||
| # Managing License Metric Tool disconnected scan with Ansible | ||
| # Managing License Metric Tool disconnected scans with Ansible | ||
|
|
||
| --- | ||
| <div style="text-align: center;"><h4 style="background-color: #fef6c8;">Important</h4></div> | ||
| Disconnected scans allow for discovering software and hardware inventory by running scripts that are provided in the disconnected scanner package. The scripts initiate software and capacity scans, and create a package with scan results that you later need to upload to the License Metric Tool server. You can automate management of disconnected scans by using [Ansible](https://docs.ansible.com/ansible/latest/index.html#about-ansible). | ||
|
|
||
| The minimal supported version of License Metric Tool disconnected scanner to use with Ansible automation is **9.2.22**.<br> | ||
| The minimal supported version of Ansible is **2.10.2**. However, it is recommended to use the latest version of Ansible that is available. | ||
| The current version of License Metric Tool playbooks is **9.2.26** | ||
|
|
||
| --- | ||
| <div style="text-align: center;"><h4 style="background-color: #fef6c8;">Version of License Metric Tool playbooks</h4></div> | ||
|
|
||
| The current version of License Metric Tool playbooks is **9.2.25**. | ||
| ## Prerequisites | ||
|
|
||
| --- | ||
| <div style="text-align: center;"><h4 style="background-color: #fef6c8;">Supported operating systems</h4></div> | ||
| - **Supported version of Ansible** | ||
|
|
||
| Playbooks that are delivered with License Metric Tool are supported on AIX, Linux, Solaris and Windows. They are not supported on HP-UX and IBM i. For information about exact versions, see the [list of operating systems that are supported by the disconnected scanner](https://www.ibm.com/support/pages/node/561443). | ||
| Ensure that you have Ansible in version **2.10.2** or higher. If you have an earlier version of Ansible, upgrade your environment, preferably to the latest available version. Otherwise, License Metric Tool playbooks will not work. | ||
|
|
||
| --- | ||
| - **Supported version of the disconnected scanner** | ||
|
|
||
| ## Disconnected scan | ||
| The minimal supported version of License Metric Tool disconnected scanner to use with Ansible automation is **9.2.22**. | ||
|
|
||
| Disconnected scans allow for discovering software and hardware inventory on computers that do not have connection to the BigFix server. Scripts that are provided in the disconnected scanner package initiate software and capacity scans, and create a package with scan results that you later upload to License Metric Tool. | ||
| You can use Ansible to automate the process of uploading scan results from the managed nodes to the License Metric Tool server. | ||
| - **Supported operating systems** | ||
|
|
||
| >**Note:** For more information, see: [Disconnected scan configuration](http://ibm.biz/disconnected_scan_config) in the License Metric Tool documentation. | ||
| Playbooks that are delivered with License Metric Tool are supported on AIX, Linux, Solaris and Windows. They are not supported on HP-UX and IBM i. For information about exact versions, see the [list of operating systems that are supported by the disconnected scanner](https://www.ibm.com/support/pages/node/561443). | ||
|
|
||
| ## Automating collection of disconnected scan results with Ansible | ||
|
|
||
| [Ansible](https://docs.ansible.com/ansible/latest/index.html#about-ansible) is an open source automation tool that is used to automate applications and IT tasks. To automate the management of disconnected scans with Ansible, perform the following steps. | ||
| <br> | ||
|
|
||
| ## Overview | ||
|
|
||
| 1. Define the disconnected data source. | ||
| After you install License Metric Tool, set up Ansible to manage disconnected scans by using playbooks. If Ansible is not yet implemented in your organization, refer to Ansible documentation for information how to install and configure it. If you already have Ansible implemented, ensure that it meets all requirements of License Metric Tool and configure it to manage the selected computers. | ||
|
|
||
| 2. Configure Ansible to manage the selected computers. | ||
| After you configure Ansible, run the `lmt_install_or_upgrade_scanner` playbook to install the disconnected scanner on the managed nodes. The playbook also performs initial configuration of the scanner. By default, it schedules weekly software scans and daily generation of packages with scan results. Next, run the `lmt_collect_results` playbook to schedule daily collection of scan results from the managed nodes. | ||
|
|
||
| 3. Install the disconnected scanner and schedule scans. | ||
| <br> | ||
|
|
||
| 4. Schedule daily collection of scan results from the managed nodes. | ||
| ## Table of contents | ||
|
|
||
| 5. Maintain the environment. Maintenance includes actions such as configuration changes, scanner upgrades, troubleshooting of potential issue. | ||
|
|
||
| For detailed instructions, see: [Automating collection of disconnected scan results with Ansible](docs/doc_automating_with_ansible.md). | ||
| - [Managing disconnected scans with Ansible](docs/doc_automating_with_ansible.md) | ||
| 1. [Configure Ansible to manage the selected computers](docs/doc_configure_ansible.md) | ||
| 2. [Install the disconnected scanner and schedule scans](docs/doc_install_scanner.md) | ||
| 3. [Schedule daily collection of scan results](docs/doc_schedule_collection.md) | ||
| 4. [Maintain the environment](docs/doc_maintain_environment.md) | ||
|
|
||
| ## Inventory of supported Ansible playbooks for disconnected scan management | ||
|
|
||
| This repository contains the following set of Ansible playbooks that can help you with performing basic configuration and management of the disconnected scanners. | ||
| - `lmt_collect_results.yml` - collects scan results from managed nodes and uploads them to the disconnected data source directory on the License Metric Tool server. | ||
| - `lmt_install_or_upgrade_scanner.yml` - installs or upgrades the disconnected scanner to the same version as the License Metric Tool server. | ||
| - `lmt_collect_status.yml` - collects basic information such as the version of the installed scanner and its status. | ||
| - `lmt_collect_troubleshooting_data.yml` - collects troubleshooting data such as logs and raw scan results from scanners. The data can be useful for investigating potential issues. | ||
| - `lmt_reconfigure_scanner.yml` - updates the scanner configuration, for example, changes frequency of software scans. | ||
| - `lmt_uninstall_scanner.yml` - uninstalls the disconnected scanner from the targeted computers. | ||
|
|
||
| For more information about playbooks, see the following links: | ||
| - [Managing disconnected scans with AWX or Tower](docs/doc_automating_with_awx_tower.md) | ||
| - [License Metric Tool playbooks](docs/doc_playbooks_list.md) | ||
| - [License Metric Tool parameters](docs/doc_lmt_parameters.md) | ||
| - [Updating License Metric Tool playbooks](docs/doc_updating_lmt_playbooks.md) | ||
|
|
||
| An inventory template that you can use with License Metric Tool playbooks is in the `lmt_inventory_template.yml` file. | ||
|
|
||
| ## Managing the disconnected scanner with AWX or Tower | ||
|
|
||
| AWX is an open source, easy-to-use user interface, dashboard and REST API for Ansible. Ansible Tower is a commercial version of AWX supported by Red Hat. | ||
| You can use either of these tools to manage the disconnected scanner. For detailed instructions, see: [Managing the disconnected scanner with AWX or Tower](docs/doc_automating_with_awx_tower.md). | ||
|
|
||
| ## Defect fixes | ||
|
|
||
| For information about defects that were solved in Ansible playbooks that are delivered with License Metric Tool, see: [Release notes](docs/release_notes.md). | ||
| - [Parameters used in playbooks](docs/doc_lmt_parameters.md) | ||
| - [Updating playbooks](docs/doc_updating_lmt_playbooks.md) | ||
| - [Release notes](docs/release_notes.md) | ||
|
|
||
| <br> | ||
|
|
||
| ## Other resources | ||
| - [Installing License Metric Tool with Ansible](https://www.ibm.com/docs/en/license-metric-tool?topic=installing-disconnected-scanners-ansible-lite) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,137 +1,9 @@ | ||
| # Automating collection of disconnected scan results with Ansible | ||
| [Ansible](https://docs.ansible.com/ansible/latest/index.html#about-ansible) is an open source automation tool that is used to automate applications and IT tasks. To automate the management of the disconnected scanners with Ansible, perform the following steps. | ||
| # Managing disconnected scans with Ansible | ||
| [Ansible](https://docs.ansible.com/ansible/latest/index.html#about-ansible) is an open source automation tool that is used to automate applications and IT tasks. To automate management of disconnected scanners with Ansible, perform the following steps. | ||
|
|
||
| ### 1. Define a disconnected data source | ||
| 1. [Configure Ansible to manage the selected computers](doc_configure_ansible.md). | ||
| 2. [Install the disconnected scanner and schedule scans](doc_install_scanner.md). | ||
| 3. [Schedule daily collection of scan results](doc_schedule_collection.md). | ||
| 4. [Maintain the environment](doc_maintain_environment.md). | ||
|
|
||
| For detailed instructions, see: [Adding a data source](https://ibm.biz/LMT_adding_data_source) in the License Metric Tool documentation. | ||
|
|
||
| ### 2. Configure Ansible to manage the selected computers | ||
|
|
||
| To use Ansible for automation, you need a control node where you can run the Ansible playbook. The control node communicates with the managed nodes (scanned computers) and collects results of the disconnected scans. The control node can be on the same computer as the License Metric Tool server or on a different one. | ||
|
|
||
| **Requirements** | ||
|
|
||
| <details> | ||
| <summary>Ansible version</summary> | ||
|
|
||
| The solution is tested on Ansible 2.10.2. However, it is recommended to use the latest version of Ansible that is available. | ||
|
|
||
| </details> | ||
|
|
||
| <details> | ||
| <summary>Control node requirements</summary> | ||
|
|
||
| - Python 2.7, or Python 3.5 or a higher 3.x version. | ||
| - [`pywinrm`](https://docs.ansible.com/ansible/latest/user_guide/windows_winrm.html#what-is-winrm) package installed to communicate with Windows servers over WinRM. | ||
| - For a full list of control nodes requirements and the most up-to-date information, see: [Control node requirements](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#control-node-requirements) in the Ansible documentation. | ||
| >**Note:** Control node is not officially supported on Windows. | ||
| </details> | ||
|
|
||
| <details> | ||
| <summary>Managed node requirements</summary> | ||
|
|
||
| **\[UNIX/Linux\]** | ||
| - A way to communicate which usually is SSH. By default, this uses SFTP. If that is not available, you can switch to SCP in the `ansible.cfg`. | ||
| - Python 2.6 or a higher 2.x version, or Python 3.5 or a higher 3.x version. | ||
| - The `lmt_install_or_upgrade_scanner` and `lmt_collect_troubleshooting_data` playbooks requires the `gzip` and `tar` commands to be present in the <code>$PATH</code> of the configured Ansible user. | ||
| - For a full list of managed nodes requirements and the most up-to-date information, see: [Managed node requirements](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#managed-node-requirements) in the Ansible documentation. | ||
|
|
||
| >**Note:** If you have SELinux enabled on the License Metric Tool server (the `lmt_server` host) and the server is on a managed node, install `libselinux-python` to be able to copy the disconnected scan results. For more information, see: [Managed node requirements](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#managed-node-requirements) in the Ansible documentation. | ||
| **\[Windows\]** | ||
| - Ansible can generally manage Windows versions that are under current and extended support from Microsoft. Ansible can manage desktop operating systems including Windows 7, 8.1, and 10, and server operating systems including Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, and 2019. | ||
| - PowerShell 3.0 or higher and at least .NET 4.0 must be installed on the Windows host. | ||
| - A WinRM listener must be created and activated. | ||
| - The user must be a member of the local Administrators group or must be explicitly granted access. | ||
| - For a full list of managed nodes requirements and the most up-to-date information, see: [Managed node requirements on Windows](https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#windows-setup) in the Ansible documentation. | ||
| </details> | ||
|
|
||
| <details> | ||
| <summary>License Metric Tool requirements for managed nodes</summary> | ||
|
|
||
| - For the list of disconnected scanner requirements, see: [IBM License Metric Tool - Supported Operating Systems](https://ibm.biz/LMT_supported_OS). On the page that opens, click Disconnected scanner. | ||
| </details> | ||
|
|
||
| **Procedure** | ||
|
|
||
| - If you are setting up a new Ansible environment, see: [Setting up a new Ansible environment](doc_automating_with_ansible_new.md). | ||
| - If you already have Ansible set up, see: [Setting up an existing Ansible environment](doc_automating_with_ansible_existing.md). | ||
|
|
||
| ### 3. Install the disconnected scanner and schedule scans | ||
|
|
||
| #### **Installation by using a playbook** | ||
|
|
||
| The recommended approach for installing and upgrading the disconnected scanners on your managed nodes is by using the `lmt_install_or_upgrade_scanner.yml` playbook. | ||
|
|
||
| **Requirements** | ||
|
|
||
| - Before you run this playbook, review the default configuration parameters and adjust them as needed. For more information, see: [License Metric Tool parameters](doc_lmt_parameters.md). | ||
| - This playbook requires full root or administrator rights. Ensure that you configure valid privilege escalation in the Ansible inventory or use root or administrator accounts directly. | ||
|
|
||
| **Procedure** | ||
| - By default, the playbook runs on all managed nodes as it targets the `all` Ansible group. To run the installation playbook, issue the following command: | ||
|
|
||
| `ansible-playbook lmt_install_or_upgrade_scanner.yml -i lmt_inventory.yml` | ||
|
|
||
| Where `lmt_inventory.yml` is your inventory file. You can create the file by using the `lmt_inventory_template.yml` template. | ||
|
|
||
|
|
||
|
|
||
| - To run the playbook on specific hosts or groups only, use the `-l` switch in the command followed by `lmt_server,localhost` and the list of your hosts or host groups. For example, to target the playbook on the `unix1` host and the `windows` group of hosts, run the following command: | ||
|
|
||
| `ansible-playbook lmt_install_or_upgrade_scanner.yml -i lmt_inventory.yml -l lmt_server,localhost,unix1,windows` | ||
|
|
||
| After the scanner is installed, the playbook performs initial configuration of the scanner and by default schedules weekly software scans and daily generation of results packages. | ||
| For more information about this and other playbooks, see: [License Metric Tool playbooks](doc_playbooks_list.md). | ||
|
|
||
| #### **Manual installation** | ||
|
|
||
| Another possible approach to installing disconnected scanners is the manual installation. Such method might be preferable when allowing Ansible to escalate privileges to the root or administrator level is not possible due to security reasons. | ||
| When the Ansible inventory is configured without root or administrator rights, only the `lmt_collect_results.yml` playbook is supported. | ||
|
|
||
| For detailed instructions for manual installation, see the following topics in the License Metric Tool documentation. | ||
| 1. [Downloading the disconnected scanner package](https://ibm.biz/LMT_download_disc_package). | ||
| 2. [Installing the scanner and gathering the initial data](https://ibm.biz/LMT_install_disc_scanner). | ||
| 3. [Running software scans and gathering scan results](https://ibm.biz/LMT_run_disc_sw_scan). | ||
| > **Tip**: Schedule regular software scans. In case of weekly software scans, schedule daily creation of scan results packages. | ||
| ### 4. Schedule daily collection of scan results | ||
|
|
||
| 1. For a non-root or non-Administrator user of Ansible and in case when the installation was performed manually (not by using the installation playbook), assign the user with correct privileges to the directory with disconnected scan results. | ||
| - **\[UNIX/Linux\]** Ensure that the user has the **rwx** privileges in the home directory of the disconnected scanner and in the directory with scan results packages (the `lmt_scanner_output_path_unix` directory). | ||
|
|
||
| - **\[Windows\]** Ensure that the following requirements are met. | ||
| - The user has the `List folder contents`, `Read` and `Write` privileges in the directory with scan results packages (the `lmt_scanner_output_path_windows` directory). To verify that the user has the right privileges, select the user, open the `Advanced Security Settings` tab and click `View`. | ||
| - The directory with scan result packages (the `lmt_scanner_output_path_windows` directory) has inheritance enabled. To enable inheritance, open the `Advanced Security Settings` tab, and click `Enable inheritance`. The inheritance should apply to `This folder, subfolder and files`. | ||
|
|
||
| 2. To run the playbook that collects scan results daily, issue the following command: | ||
|
|
||
| `ansible-playbook lmt_collect_results.yml -i lmt_inventory.yml` | ||
|
|
||
| The playbook is configured to run on all managed nodes as it targets the `all` Ansible group. To run the playbook on specific hosts or groups only, use the `-l` switch in the command followed by `lmt_server,localhost` and the list of your hosts or host groups. For example, to target the playbook on the `unix1` host and the `windows` group of hosts, run the following command: | ||
|
|
||
| `ansible-playbook lmt_collect_results.yml -i lmt_inventory.yml -l lmt_server,localhost,unix1,windows` | ||
|
|
||
| **Example** | ||
|
|
||
| To schedule the command to run every day at 2:30 AM by using crontab, open the crontab. | ||
|
|
||
| `crontab -e` | ||
|
|
||
| Then, add the following line to crontab configuration. | ||
|
|
||
| `30 2 * * * "ansible-playbook <LMT_upload_playbook_files_directory>/lmt_collect_results.yml -i <LMT_upload_playbook_files_directory>/lmt_inventory.yml"` | ||
|
|
||
| where `<LMT_upload_playbook_files_directory>` is the directory where the playbook files are stored. | ||
|
|
||
|
|
||
| ### 5. Maintain the environment | ||
|
|
||
| After you successfully configure your environment, monitor it on an ongoing basis and fix potential configuration problems if necessary (for example, expired keys or passwords). | ||
| - You can monitor the environment on the License Metric Tool dashboard. For more information, see: [Dashboard](https://ibm.biz/LMT_dashboard) in the License Metric Tool documentation. Pay special attention to the `Delayed Data Upload` status on the [Deployment Health](https://ibm.biz/LMT_deployment_health) widget and the Outdated Scan status on the [Capacity Scan Health](https://ibm.biz/LMT_capacity_scan_health) widget. | ||
| - In case of problems with the disconnected scanner, you can use the <code>lmt_collect_troubleshooting_data</code> playbook to collect | ||
| data such as logs or raw scan data for troubleshooting purposes. | ||
| - Keep your environment up to date and upgrade the scanner to the latest version by using the `lmt_install_or_upgrade_scanner` playbook after you upgrade the License Metric Tool server. | ||
|
|
||
| For detailed list of all playbooks with description and information which parameters are relevant for them, see: [License Metric Tool playbooks](doc_playbooks_list.md).<br> | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,19 @@ | ||
| # Setting up an existing Ansible environment | ||
| If Ansible is implemented in your organization, clone or download this Github repository. Then, update your existing inventory. | ||
|
|
||
| <br> | ||
|
|
||
| ## Procedure | ||
|
|
||
| 1. Clone or download the Github repository. | ||
|
|
||
| 2. Update your existing inventory. | ||
| - Mark the managed node on which the License Metric Tool server is installed with the `lmt_server` tag. | ||
| - Define setting of License Metric Tool (parameters that start with `lmt_`) to match your environment. For the list of parameters, see: [License Metric Tool parameters](doc_lmt_parameters.md). | ||
| >**Note:** You do not need to define the settings if you use the default values. | ||
| <br> | ||
| ## What to do next | ||
|
|
||
| Run the `lmt_install_or_upgrade_scanner.yml` playbook to install the disconnected scanner and perform its initial configuration. For more information, see: [Install the disconnected scanner and schedule scans](doc_install_scanner.md). |
Oops, something went wrong.