This chapter explains how to create, edit, copy, and delete policies. A policy enables you to predefine how a job is performed. It allows you to determine which solutions are unacceptable, and it allows you to set the automation level of the job.
This chapter covers the following topics:
This chapter uses the following terms.
Any logical unit that is, or can be, part of a machine; not only software and files, but also any logical construct of the component hierarchy.
Deployment solution that has the least requirements for number of dependency issues, time, and resources, to fulfill a job.
Set of confirmation rules for the implementation of the dependency resolver and level of automation of jobs.
Set of patented algorithms to describe a solution for a job. Initiated by agent application when a job is received.
(1) List of components installed on a managed host. (2) List of components on the universal server.
Sub-system of the Sun Update Connection – Enterprise system dependency server, acts as a proxy server for the universal server, holding and updating deployment rules and certified components.
When you send a job to managed hosts, each selected agent runs the dependency resolver (DR) to find the most cost-effective solution for its own host to complete the job.
Creating a policy enables you to add your own rules to how the DR should determine what is the best solution.
You can predefine some actions as unacceptable. The DR rejects any solution that contains these actions. Thus, you can determine trends for the DR, without giving up on the automation.
You can predefine some actions as automatic, to be carried out without asking for user-intervention.
Sun Update Connection – Enterprise policies focus on the component level. You select a component from the knowledge base inventory, select a possible deployment action, and then apply a deployment policy setting to the pair. If the selected component is a category or a package-group, the setting applies to all packages contained in the category or package-group.
You want to install the latest version of a security software on a hundred hosts. You create a policy that protects your kernel from any changes.
Running Kernel Install - No Running Kernel Uninstall - No Running Kernel Upgrade From - No Running Kernel Downgrade From - No |
When you run the job on the group of hosts, the policy forces those hosts with old kernels either to find a way to install the new software in the present environment, or to fail the job.
In this procedure, you will create a policy to be used later in jobs. Users of all levels can perform this procedure in the console. Other users see your policies as read-only. They can use or copy your policies; they cannot delete or edit them. This restriction applies to users of all levels.
Do one of the following:
Do one of the following:
Type a name for the policy.
From the drop-down list on the tool bar, select a distribution-architecture.
The Components list shows the components of the selected distribution.
In the Components list, select a component, and for each action, set a policy for the selected component; do one of the following:
Select Ask Me, Yes, or No from the drop-down list of the action
Click the Ask Me, Yes, or No button for all actions.
To make the policy applicable to hosts of different distributions:
To select specific components from different distributions, select from the drop-down list of distributions. Find components and add settings to the Actions list.
To let Sun Update Connection – Enterprise find components from other distributions that are comparable to the ones you have in the Actions list, click the Multi Distro button (see To Align Component Settings for Multiple Distributions).
Click OK.
The Policy Editor window closes. The policy is created and appears in the Policies window.
The CLI command to create a policy allows for only one component-action and its setting. See Add Policy Attribute (-aca) Command.
#! /bin/bash echo -n “Enter your user name:” read user echo -n “Enter your password:” read password echo -n “Enter a string to search for exact component name:” read comp2find uce_cli -fc -T $comp2find -u $user -p $password echo -n “Copy the exact component name that you want to add to a policy:” read comp2use echo -n “Enter the name of a policy or create a new one:” read policyName echo “What action is relevant for this component?” echo “(install|downgrade|fix|remove|upgrade|ignore)” echo -n “Type the exact action, case-sensitive:” read action echo -n “Enter the setting (yes|no|ask_me) (case-sensitive):” read setting uce_cli -aca -C “$policyName” -T “$comp2use” -$action $setting -u “$user” -p “$password” |
In this procedure, you will edit a policy and save the changes. Users of all levels can perform this procedure in the console.
You cannot edit a policy in the following circumstances:
The policy was created by another user.
The policy is currently in an active job.
The policy is the Predefined Always ask me policy.
If you edit a policy that is scheduled for later deployment, the users who deploy that policy decide whether to use the original policy or the edited one.
Do one of the following:
Select a policy from the list.
Do one of the following:
From the drop-down list on the tool bar of the Policy Editor, select a distribution- architecture.
The Components list changes to display components of the selected distribution.
Change as many component settings as you want.
See Table 10–1.
To add a component setting, select the component and set a policy for each deployment action. Do one of the following:
Select Ask Me, Yes, or No from the drop-down list of the action
Click the Ask Me, Yes, or No button for all actions.
To delete a component setting, select an action in the Actions list and click the Delete Selected button.
To change a component setting, delete the action from the Actions list and then add a new action for the component setting you want.
Add as many component settings as you want.
To make the policy applicable to hosts of different distributions:
To select specific components from different distributions, change the selection of the drop-down list of distributions. Find the relevant components and add the settings to the Actions list.
To let Sun Update Connection – Enterprise find components from other distributions that are comparable to the ones you have in the Actions list, click the Multi Distro button (see To Align Component Settings for Multiple Distributions).
Click OK.
The Policy Editor window closes. The policy is edited.
You can edit a policy that you created, even if you deleted it from the policies list, so that future runs of a job will have different confirmation policies. Use this procedure to change the policy of scheduled jobs.
You can edit scheduled policies only when the following are all true:
The job that deploys/simulates the policy is scheduled for future runs.
The options of the job are set to automatically accept changes.
You are the owner of the policy.
The policy is not in a currently active job.
The policy is not the Always ask me policy.
Make sure the Jobs panel is open in the main window. From the View menu, choose Jobs.
Select a job name in the Jobs list and then select one of the tasks that appears in the Tasks list.
Do one of the following:
Edit the policy as needed.
Click OK.
The Policy Editor window closes. The policy is edited.
The CLI command to edit a policy is the same as to create a policy. See Example 10–2.
In this procedure you will copy an existing policy. Use this procedure when another user has created a policy that is useful to your own deployment and management jobs, but you want to be able to edit it. You could also use this procedure on your own policies, to create a new policy based on a prior one. You cannot copy the Predefined Always ask me policy. Users of all levels can perform this procedure in the console.
Do one of the following:
Select a profile from the list.
Do one of the following:
Edit the policy as needed, or simply change the name.
Click OK.
The Policy Editor window closes. The policy is edited.
The copy policy command in the CLI allows you only to save a policy under a new name, without making changes to the settings. See Copy Policy (-cc) Command.
#! /bin/bash echo -n “Enter your user name:” read user echo -n “Enter your password:” read password echo “The list of existing policies is:” uce_cli -lc -u $user -p $password echo -n “Type the exact name of the policy you want to copy:” read sourceP echo -n “Type a name for the new policy:” read targetP uce_cli -cc -sC “$sourceP” -tC “$targetP” -u “$user” -p “$password” |
You can copy any policy (except the default Always ask me policy), even if the owner deleted it from the policies list or it is in a currently active job. Use this procedure to create new policies from those used in jobs.
Make sure the Jobs panel is open in the main window by choosing Jobs from the View menu.
Select a job name in the Jobs list and then select one of the tasks that appears in the Tasks list.
Do one of the following:
Edit the policy as needed, or simply change the name.
Click OK.
The Policy Editor window closes. The policy is edited.
In this procedure you will delete a policy that you created. Users of all levels can perform this procedure in the console.
You cannot delete policies in the following circumstances:
The policy was created by another user.
The policy is currently being deployed in an active job.
The policy is scheduled to be used in a job, and the owner of the job selected that it not be updated with policy changes.
If a scheduled job is set to accept changes, you may delete the policy. On the next scheduled run, the job will use the default Always ask me policy.