Introduction
Software packages included with the installation of JS7 components can be enabled and disabled by use of the Package Management Script.
- Disabling software packages can be an immediate means for mitigation of vulnerabilities in 3rd-party components used by JS7.
- The JS7 products ship with a JS7 - Software Bill of Materials that can be used to identify vulnerable components and package dependencies.
- For environments with a larger number of JS7 products installed the management of software packages can be automated in a number of ways:
  - Users can apply the Software Package Management Script that is described in this article.
  - Users can apply the Software Package Management Script with their preferred tools such as Ansible®, Puppet®, Chef®.
Security
Secure rollout of JS7 products is critical. It is therefore recommended that the solution described here is adjusted to suit specific security needs.
- Rollout of JS7 products is considered critical as the software allows jobs to be executed on a larger number of servers.
- Vulnerabilities in 3rd-party libraries of JS7 products deserve attention.
- The solution provided for software package management is based on shell scripting by design:
  - to provide readability and to rely on OS commands only,
  - to deny the use of 3rd-party components and additional dependencies that require code to be executed.
- The Software Package Management Script can be integrated in a number of ways:
  - by running one's own SSH scripts,
  - by use with tools such as Ansible®, Puppet® that make use of an SSH Client,
  - by use of JS7 workflow automation.
Software Package Management Script
The Software Package Management Script is provided for download and can be used with JS7 Agents, Controller and JOC Cockpit.
- The script is available for Linux, MacOS®, AIX® and Solaris® using bash, dash, ksh and zsh POSIX-compatible shells.
- The script can be used to
  - disable software packages, i.e. to remove related files, such as *.jar files from the JS7 product.
  - enable software packages, i.e. to restore related files from a backup directory.
  - identify package dependencies if software packages are disabled.
- The script terminates with exit code 0 to signal success, with exit code 1 for command line argument errors and with other exit codes for non-recoverable errors.
- The script is intended as a baseline example for customization by JS7 users and by SOS within the scope of professional services.
- Users should be aware that installation, update and upgrade of JS7 products revert disabled software packages.
Download
Find the Software Package Management Script for download from JS7 - Download.
Usage
Invoking the Software Package Management Script without arguments displays the usage clause:
Usage: js7_features.sh [Options] [Switches]

  Options:
    --home=<directory>             | required: directory to which the product is installed
    --features=<path>              | optional: path to features.json file, default: <home>/features.json
    --sbom=<path>                  | optional: path to sbom.json file, default: <home>/sbom.json
    --enable=<package[,package]>   | optional: enables one or more packages
    --disable=<package[,package]>  | optional: disables one or more packages
    --backup-dir=<directory>       | optional: backup directory for disabled packages
    --log-dir=<directory>          | optional: log directory for log output of this script

  Switches:
    -h | --help                    | displays usage
    --list                         | returns the list of disabled/enabled packages
    --show-logs                    | shows log output of the script
    --make-dirs                    | creates the backup and logs directories if they do not exist
    --force                        | forces disabling packages without later enabling from a backup directory
    --confirm                      | confirm enabling or disabling of packages
Options
--home
- Specifies the directory in which the JS7 product is installed.
--features
- Specifies the path to a file in .json format that stores information about enabled and disabled software packages.
- By default the <home>/features.json file is used.
--sbom
- Specifies the path to a file that holds the JS7 - Software Bill of Materials.
- For Controller and Agents the <home>/sbom.json file is used. For JOC Cockpit the JETTY_BASE/webapps/joc/sbom.json file is used.
--enable
- Specifies software packages that should be enabled. When disabling software packages then the information is stored in the features.json file and is used to enable a software package later on.
  - As a prerequisite when disabling software packages a backup directory has to be specified, see --backup-dir option, that is used as the source to enable software packages.
  - If a software package is not available from a backup then to enable the software package the JS7 product has to be re-installed or updated.
--disable
- Specifies software packages that should be disabled. Technically the files related to a software package such as *.jar files are removed from the JS7 product.
- To allow later enabling a backup directory is specified with the --backup-dir option. Users who do not want to use a backup directory can apply the --force switch.
--backup-dir
- If a backup directory is specified when disabling software packages then the related files such as *.jar files are moved to this directory.
- The backup directory holds a lib sub-folder that holds related sub-folders of the JS7 product's lib directory such as lib/sos, lib/3rd-party etc.
--log-dir
- If a log directory is specified then the Software Package Management Script will write information about processing steps to a log file in this directory.
- File names are created according to the pattern:
js7_features.<hostname>.<yyyy>-<MM>-<dd>T<hh>-<mm>-<ss>.log
- For example:
js7_features.centostest_primary.2022-03-19T20-50-45.log
Switches
-h | --help
- Displays usage.
--list
- Specifies the list of software packages that have been disabled or enabled. This information is used from the features.json file, see --features option.
--show-logs
- Displays the log output created by the script if the --log-dir option is used.
--make-dirs
- If directories are missing that are indicated with the --backup-dir or --log-dir options then they will be created.
--force
- Specifies that a software package is disabled, i.e. its files are removed from the JS7 product, without using a backup directory.
--confirm
- Specifies that the operation to enable or disable a software package is confirmed. If this switch is omitted then a dry-run is performed that displays which software packages are affected by enabling or disabling.
Exit Codes
- 1: argument errors
- 2: non-recoverable errors
Examples
The following examples illustrate typical use cases.
Disable Software Packages
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --disable=simple-xml,snakeyaml \
    --make-dirs \
    --confirm

# removes the simple-xml and snakeyaml software package from an Agent installation
# moves files of disabled packages to the backup directory
# creates the backup directory if it does not exist
# confirms removal of disabled packages
Enable Software Packages
./js7_features.sh \
    --home=/home/sos/agent \
    --backup-dir=/home/sos/backups \
    --enable=simple-xml,snakeyaml

# restores the simple-xml and snakeyaml software package in an Agent installation
# copies files of disabled packages from the backup directory
# performs a dry-run only as the --confirm switch is omitted
List Software Packages
./js7_features.sh \
    --home=/home/sos/agent \
    --list \
    --make-dirs

# lists the software packages that have been disabled or enabled in an Agent installation
Output of the above example is available if packages previously have been disabled and can look like this:
{ "name": "simple-xml", "enabled": false }
{ "name": "snakeyaml", "enabled": false }
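For automated rollouts the dry run, the exit codes and the --list output described above can be combined into one guarded step. The wrapper below is an added example and not part of the JS7 distribution: the function names, the JS7_FEATURES variable and exit code 90 are this example's own, and it assumes that a dry run exits with 0 and that --list prints objects in the layout shown above.

```shell
#!/bin/sh
# Added example, not shipped with JS7. JS7_FEATURES is a hypothetical
# variable pointing to the downloaded Software Package Management Script.
JS7_FEATURES=${JS7_FEATURES:-./js7_features.sh}

# Reads --list output on stdin, prints "<name> <true|false>" per package.
# Assumes the object layout shown on this page ("name" before "enabled").
parse_features() {
    tr -d ' \t\r\n' | tr '}' '\n' |
        sed -n 's/.*"name":"\([^"]*\)".*"enabled":\([a-z]*\).*/\1 \2/p'
}

# not_disabled PKG[,PKG]: reads --list output on stdin and prints every
# requested package that is not reported with "enabled": false.
not_disabled() {
    states=$(parse_features)
    for pkg in $(printf '%s' "$1" | tr ',' ' '); do
        state=$(printf '%s\n' "$states" | awk -v p="$pkg" '$1 == p { print $2 }')
        [ "$state" = "false" ] || printf '%s\n' "$pkg"
    done
}

# disable_packages HOME BACKUP_DIR PKG[,PKG]
# Dry run first (no --confirm); apply only if the dry run exits with 0,
# then check the result against the --list output.
disable_packages() {
    "$JS7_FEATURES" --home="$1" --backup-dir="$2" --disable="$3" --make-dirs
    rc=$?
    if [ "$rc" -ne 0 ]; then
        [ "$rc" -eq 1 ] && echo "argument error, nothing changed" >&2
        return "$rc"
    fi
    "$JS7_FEATURES" --home="$1" --backup-dir="$2" --disable="$3" \
        --make-dirs --confirm || return $?
    left=$("$JS7_FEATURES" --home="$1" --list | not_disabled "$3")
    if [ -n "$left" ]; then
        echo "still enabled or not listed: $left" >&2
        return 90   # wrapper's own code for a failed verification
    fi
}
```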