Introduction

Software packages included with the installation of JS7 components can be enabled and disabled by use of the Package Management Script.

  • Disabling software packages can be an immediate means for mitigation of vulnerabilities in 3rd-party components used by JS7.
  • The JS7 products ship with a JS7 - Software Bill of Materials that can be used to identify vulnerable components and package dependencies.
  • For environments with a larger number of JS7 products installed the management of software packages can be automated in a number of ways:
    • Users can apply the Software Package Management Script that is described in this article.
    • Users can apply the Software Package Management Script with their preferred tools such as Ansible®, Puppet®, Chef®.

Security

Secure rollout of JS7 products is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.

  • Rollout of JS7 products is considered critical as the software allows jobs to be executed on a larger number of servers.
    • Vulnerabilities in 3rd-party libraries of JS7 products deserve attention.
  • The solution provided for software package management is based on shell scripting by design:
    • to provide readability and to rely on OS commands only,
    • to deny the use of 3rd-party components and additional dependencies that require code to be executed.
  • The Software Package Management Script can be integrated in a number of ways:
    • by running one's own SSH scripts,
    • by use with tools such as Ansible®, Puppet® that make use of an SSH Client,
    • by use of JS7 workflow automation.

Software Package Management Script

The Software Package Management Script is provided for download and can be used with JS7 Agents, Controller and JOC Cockpit.

  • The script is available for Linux, MacOS®, AIX® and Solaris® using bash, dash, ksh and zsh POSIX-compatible shells.
  • The script can be used to
    • disable software packages, i.e. to remove related files, such as *.jar files from the JS7 product.
    • enable software packages, i.e. to restore related files from a backup directory.
    • identify package dependencies if software packages are disabled.
  • The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with other exit codes for non-recoverable errors.
  • The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
  • Users should be aware that installation, update and upgrade of JS7 products revert disabled software packages.

Download

Find the Software Package Management Script for download from JS7 - Download.

Usage

Invoking the Software Package Management Script without arguments displays the usage clause:


Software Package Management Script: js7_features.sh
Usage: js7_features.sh [Options] [Switches]

  Options:
    --home=<directory>                 | required: directory to which the product is installed
    --features=<path>                  | optional: path to features.json file, default: <home>/features.json
    --sbom=<path>                      | optional: path to sbom.json file, default: <home>/sbom.json
    --enable=<package[,package]>       | optional: enables one or more packages
    --disable=<package[,package]>      | optional: disables one or more packages
    --backup-dir=<directory>           | optional: backup directory for disabled packages
    --log-dir=<directory>              | optional: log directory for log output of this script

  Switches:
    -h | --help                        | displays usage
    --list                             | returns the list of disabled/enabled packages
    --show-logs                        | shows log output of the script
    --make-dirs                        | creates the backup and logs directories if they do not exist
    --force                            | forces disabling packages without later enabling from a backup directory
    --confirm                          | confirm enabling or disabling of packages


Options

  • --home
    • Specifies the directory in which the JS7 product is installed.
  • --features
    • Specifies the path to a file in .json format that stores information about enabled and disabled software packages.
    • By default the <home>/features.json file is used.
  • --sbom
    • Specifies the path to a file that holds the JS7 - Software Bill of Materials.
    • For Controller and Agents the <home>/sbom.json file is used. For JOC Cockpit the JETTY_BASE/webapps/joc/sbom.json file is used.
  • --enable
    • Specifies software packages that should be enabled. When software packages are disabled, this information is stored in the features.json file and is used to enable a software package later on.
    • As a prerequisite, a backup directory has to be specified when disabling software packages, see --backup-dir option. The backup directory is used as the source to enable software packages.
    • If a software package is not available from a backup then to enable the software package the JS7 product has to be re-installed or updated.
  • --disable
    • Specifies software packages that should be disabled. Technically the files related to a software package such as *.jar files are removed from the JS7 product.
    • To allow later enabling a backup directory is specified with the --backup-dir option. Users who do not want to use a backup directory can apply the --force switch.
  • --backup-dir
    • If a backup directory is specified when disabling software packages then the related files such as *.jar files are moved to this directory.
    • The backup directory holds a lib sub-folder that holds related sub-folders of the JS7 products lib directory such as lib/sos, lib/3rd-party etc.
  • --log-dir
    • If a log directory is specified then the Software Package Management Script will write information about processing steps to a log file in this directory.
    • File names are created according to the pattern: js7_features.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
    • For example: js7_features.centostest_primary.2022-03-19T20-50-45.log

Switches

  • -h | --help
    • Displays usage.
  • --list
    • Returns the list of software packages that have been disabled or enabled. This information is read from the features.json file, see --features option.
  • --show-logs
    • Displays the log output created by the script if the --log-dir option is used.
  • --make-dirs
    • If directories are missing that are indicated with the --backup-dir or --log-dir options then they will be created.
  • --force
    • Specifies that a software package is disabled, i.e. its files are removed from the JS7 product, without using a backup directory.
  • --confirm
    • Specifies that the operation to enable or disable a software package is confirmed. If this switch is omitted then a dry-run is performed that displays which software packages are affected by enabling or disabling.

Exit Codes

  • 1: argument errors
  • 2: non-recoverable errors

Examples

The following examples illustrate typical use cases.

Disable Software Packages (dry-run)

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --disable=simple-xml,snakeyaml \
    --make-dirs

# displays candidate files for removal if the simple-xml and snakeyaml software packages are disabled in an Agent installation
# performs a dry-run without effective removal of files as the --confirm switch is not specified


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_features.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs --confirm
-- begin of output -----------
.. disabling package: simple-xml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/simple-xml-2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. disabling package: snakeyaml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/snakeyaml-2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
-- end of log ---------------- 


Explanation:

  • The output indicates package dependencies. Note that the examples depend strictly on the specific JS7 release in use.
  • The simple-xml package is used by the KeePassJava2-simple and KeePassJava2 packages.
    • Further in the hierarchy users find the sos-commons-credentialstore package. The package implements the feature of the JS7 - Credential Store.
    • This translates to the fact that with removal of the simple-xml package a credential store can no longer be used in JS7.
  • The snakeyaml package is used by the sos-js7-loganonymizer package.
    • The latter package implements the JS7 - Log Anonymization feature.
    • With snakeyaml being removed the log anonymization feature can no longer be used in JS7.
  • If users find vulnerabilities in 3rd-party components for which no immediate fixes are available then they can take a decision to disable related software packages and not to use certain JS7 features.
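
The dependency reading done by hand in the explanation above can be scripted before a disable operation is confirmed. The following is an added example and is not part of js7_features.sh or the JS7 distribution; the function names affected_features and breaks_required and the list of required components are assumptions for illustration. It relies on awk and grep only.

```sh
#!/bin/sh
# Added example (not part of js7_features.sh): summarise a dry-run by package.

# Reads dry-run output on stdin and prints "<package> <component>" once for
# every com.sos-berlin component that the disabled package is reachable from.
# The com.sos-berlin.setups/*-sbom root entry is skipped: it is the product
# itself and appears under every branch.
affected_features() {
    awk '
        /^\.\. disabling package: / { pkg = $NF; next }
        /recursing affected component reference: pkg:maven\/com\.sos-berlin\// {
            ref = $NF
            sub(/^pkg:maven\/com\.sos-berlin\//, "", ref)  # drop purl type and namespace
            sub(/@.*$/, "", ref)                          # drop version and qualifiers
            key = pkg " " ref
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    '
}

# Succeeds (exit 0) and prints the conflicts if the dry-run on stdin affects
# any component named in $1, a space-separated list of components that must
# keep working at this site (hypothetical site policy).
breaks_required() {
    required=$1
    affected_features | while read -r pkg comp; do
        for r in $required; do
            if [ "$comp" = "$r" ]; then echo "$pkg breaks $comp"; fi
        done
    done | grep .
}

# Sample input: lines abbreviated from the dry-run output shown above.
sample_dry_run() {
    cat <<'EOF'
.. disabling package: simple-xml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/simple-xml-2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.. disabling package: snakeyaml
.... candidate component files for removal in directory: /home/sos/agent
./lib/3rd-party/snakeyaml-2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
EOF
}
```

In automation, the real dry-run output is piped into breaks_required in place of sample_dry_run, and the --confirm run is started only if that check fails to find a conflict.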

Disable Software Packages (permanently)

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --disable=simple-xml,snakeyaml \
    --make-dirs \
    --confirm

# removes the simple-xml and snakeyaml software packages from an Agent installation
# copies files of disabled packages to the backup directory
# creates the backup directory if it does not exist
# confirms removal of disabled packages


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_features.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --disable=simple-xml,snakeyaml --make-dirs --confirm
-- begin of output -----------
.. disabling package: simple-xml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files: /home/sos/agent/lib/*/simple-xml*2.7.1.jar
..... recursing affected component reference: pkg:maven/org.simpleframework/simple-xml@2.7.1?type=jar
...... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2-simple@2.1.4?type=jar
....... recursing affected component reference: pkg:maven/org.linguafranca.pwdb/KeePassJava2@2.1.4?type=jar
........ recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-credentialstore@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-cli@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-hibernate@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-mail@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-commons-vfs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
........... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
......... recursing affected component reference: pkg:maven/com.sos-berlin/sos-jitl-jobs@2.5.4-SNAPSHOT?type=jar
.......... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: simple-xml
.. disabling package: snakeyaml
.... creating copies of component files in backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files: /home/sos/agent/lib/*/snakeyaml*2.0.jar
..... recursing affected component reference: pkg:maven/org.yaml/snakeyaml@2.0?type=jar
...... recursing affected component reference: pkg:maven/com.sos-berlin/sos-js7-loganonymizer@2.5.4-SNAPSHOT?type=jar
....... recursing affected component reference: pkg:maven/com.sos-berlin.setups/agent-sos-sbom@2.5.4-SNAPSHOT?type=jar
.. package disabled: snakeyaml 

Enable Software Packages

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --enable=simple-xml,snakeyaml \
    --confirm

# restores the simple-xml and snakeyaml software packages in an Agent installation
# copies files of disabled packages from the backup directory


Output of the above example can look like this:

Example for output of Software Package Management Script
-- begin of log --------------
./js7_features.sh --home=/home/sos/agent --backup-dir=/home/sos/backup --enable=simple-xml,snakeyaml --confirm
-- begin of output -----------
.. enabling package: simple-xml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/simple-xml-2.7.1.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/simple-xml*2.7.1.jar
.. package enabled: simple-xml
.. enabling package: snakeyaml
.... restoring component files from backup directory: /home/sos/backup
./lib/3rd-party/snakeyaml-2.0.jar
.... removing component files from backup directory: /home/sos/backup/lib/*/snakeyaml*2.0.jar
.. package enabled: snakeyaml
-- end of log ----------------

List Software Packages

Example for use of Software Package Management Script
./js7_features.sh \
    --home=/home/sos/agent \
    --list \
    --make-dirs

# lists the software packages that have been disabled or enabled in an Agent installation
# reads this information from the features.json file, by default <home>/features.json


Output of the above example is available if packages previously have been disabled and can look like this:

Example for output of Software Package Management Script
{
  "name": "simple-xml",
  "enabled": false
}
{
  "name": "snakeyaml",
  "enabled": false
}