Released in the latest update, AAG is now capable of working with Ansible to take action on problems found within your IBM i environment. I wanted to jump on here and quickly outline a use case to show a basic example of the opportunities this will open up.
Today AAG provides all kinds of checks for the IBM i. One of which will return the number of days until an IBM LPP key expires, check_Shield_KEYEXP. When the number of days is returned, AAG then checks this number against two ranges (Critical and Warning) and Nagios will handle notifying your admins if the key is coming up for renewal. But that used to be the end of AAG’s assistance… Your admins would either have to manually install keys that had been sent from Shield, or the system would have to wait for the IBM i LICMAINT JOBSCDE to run. Using Ansible we can instead take action and pull down the latest keys from the Shield site, while still sending out the timely notifications AAG is already known for.
Ansible uses YAML files called playbooks to accomplish the tasks you setup. IBM provides several commands to do certain tasks on the IBM i, however, I prefer to simply use the “ibm.power_ibmi.ibmi_cl_command” to call a CL Program on the IBM i. This allows for control the over library list and other things.
Here is the playbook I have created to call a CLP on which ever IBM i host reports an expiring key. Some items to take note of are the “hosts:” line, and the “PARM()” portion of the command string. These two are parameters that are passed into the YAML file so that it can be run on any of our LPARs and can select the product library which is the location of the LICMAINT tool we will use to pull the keys. It is important the Ansible host name is the same as the Nagios host name as you can see for the Nagios host SAS1002:
We use the Nagios variable $HOSTNAME$ to fill in the “lpar” variable, that is why this must match the host created in /etc/ansible/hosts …
This is the CLP that we will call, it will simply handle the LIBLE for the product library, call LICMAINT and monitor for error messages.
Once we have these items in place, we need to tell Nagios to run the ansible playbook when the keys are expiring. We will do this by creating a contact called “RunPlaybook” which will use the “runPlaybook” misc-command to …. “notify” … this contact. In short, this will call a program provided by AAG, which will handle executing the requested Ansible playbook. Setting up the connection in this way is convenient because we can change the notification alert settings for the contact so the playbook will only be run if a CRITICAL alert is found, not when the service is in a WARNING state and vice versa.
In the service we will need to tell AAG which playbook to execute, and which parameters to pass. This service will call the playbook “CheckKeys”, which is located in /usr/local/nagios/share/sas/playbooks, and the product library EM4I11 will be used as the “product” variable.
Now when this check finds an expiry date outside of one of these two ranges, a “notification” will be sent to the user RunPlaybook which will in turn execute the CheckKeys playbook.
That’s it!
AAG can now pull new keys from the Shield website.
Looking in the EM4i license menu you can see the current key expires tomorrow! (as of writing this over dramatic reenactment…)
When we check the check_Shield_KEYEXP service on SAS1002, AAG it is reporting that only one day remains on the current key…. Not good!!
However, if I look at the notification log for this service, we can see that RunPlaybook was notified. This should have called our playbook, which called our CLP, which called LICMAINT, which pulled new keys down…
Looking back in the EM4i license key Information you can see our keys have been extended by a year!! Problem avoided!! And other than taking screenshots, I had to take no action at all. AAG did everything for me!
Finally, you can set up Ansible in a way to log all the actions it takes. This was extra useful when originally figuring out the Ansible connection, but I still use this log to keep a history of the actions AAG has taken in the background.
Keep your eyes on this space as this is just the beginning for AAG, we will always continue to improve and add features. If you have an idea or a request, please don’t hesitate to reach out! We are very proud that our products are customer request driven.
Cheers!
Charlie.