How to restart a Linux Service Daemon with System Center 2012 Orchestrator

System Center 2012 Orchestrator provides strong support for the heterogeneous enterprise, as evidenced by one of the more common questions I have received lately: "Can I manage Linux/UNIX systems with Orchestrator?"

The answer is definitely yes. The Run SSH Command activity in the System category supports automating a wide variety of administrative tasks on Linux and UNIX systems, and makes parsing command output a very simple task: the output is stored in a published data property called Execution Result.

In this example, we will look at a sample runbook that will check the status of a Linux/UNIX service (daemon) and start the service if it is not already running.

Sample Runbook

The sample runbook we will walk through is pictured here. This could very easily be adapted to function as a recovery task for System Center 2012 Operations Manager by creating a monitoring runbook using the Monitor Alert activity that then calls this runbook.

Accepting Input

First, create two variables to hold the Username and Password provided by your Linux/UNIX administrator. Notice I selected the option to encrypt the password. This allows our Linux/UNIX administrator to supply an audited account with the necessary permissions, so we do not even need to know what it is. Never created a variable? Find step-by-step help HERE.

The Initialize Data activity accepts three input parameters:
- Service: the name of the Linux/UNIX service, aka daemon. We are using the HTTP daemon in this example, which is httpd.
- ComputerName: the name or IP address of the target Linux system.
- SSHPort: the listening port of the SSH daemon on the target system.

Checking Service Status

To check the status of the service, the Check Service Status activity is a renamed Run SSH Command activity from the System category in the Runbook Designer. The command to check the status of a service in CentOS is service <servicename> status. For example, to check the status of the httpd service, the command would be service httpd status.

The parameters of this activity are as follows. On the Details tab are the inputs to accept the desired computer, SSH listening port and service for which we want to check status (httpd in our example):
- Computer: Published data ComputerName from Initialize Data
- Port: Published data SSHPort from Initialize Data
- Run Command: service {Service from Initialize Data} status

On the Advanced tab are the variables created containing the username and password for the target Linux/UNIX system:
- Username: Variable LinuxUser
- Password: Variable LinuxPassword

Branching Logic (Parsing Command Output)

The Run SSH Command activity includes a piece of published data named Execution Result, which contains the output of the command executed. In the case of the httpd service, a check of service status will return something like "httpd service is running" or "httpd service is stopped", depending on the current status of the service. In this runbook, there are two branches which determine the next step based on the results of the service status check:
- The "Service not running" branch is triggered if the httpd service is not running.
- The "Service already running" branch is triggered if the httpd service is running.

Starting the Service

To start the service, the Start Service activity is a renamed Run SSH Command activity from the System category in the Runbook Designer. The command to start a service in CentOS is service <servicename> start. For example, to start the httpd service, the command would be service httpd start.

The parameters of this activity are as follows. On the Details tab:
- Computer: Published data ComputerName from Initialize Data
- Port: Published data SSHPort from Initialize Data
- Run Command: service {Service from Initialize Data} start

On the Advanced tab:
- Username: Variable LinuxUser
- Password: Variable LinuxPassword

You may notice the only difference between this and the Check Service Status activity above is the command we are running.

Event Logging

Log False Alarm is a renamed Send Event Log Message activity.

Additional Reading

A more robust version of this runbook is available in our upcoming book, System Center 2012 Orchestrator Unleashed, due out in May from Sams Publishing. Order your advance copy at [link garbled in source].

System Center 2012 Service Accounts and Permissions

Following on from my first post, which set the scene for what I was trying to achieve with my new test environment (dubbed the Customer Experience Center within Trustmarque), I promised a post capturing some of the information you might find yourself needing when setting up an environment. In this post I thought I would provide some information around the requirements for some of the System Center 2012 accounts. I think that all this information is already out there, but this post helps to pull it all into one central location and hopefully make it easier to digest.

All this information is of course assuming that you:
1. Have already drawn up a design for your System Center 2012 infrastructure with consideration to components, layout, performance sizing etc.
2. Already have all your base VMs and SQL installs done.
3. Have all pre-reqs installed.
4. Know how to install the System Center 2012 components.

If you need more information on points 3 and 4, a further post is coming listing lots of install guides and PowerShell scripts to install the pre-requisites.

A couple of tips first though:

Tip 1: Ensure the account used during install has rights to create databases on the SQL instances/servers you specify during installation and can add security rights etc. The easiest option is to give the account SQL SysAdmin privileges and then look to revoke them later.

Tip 2: While using the Local System or Network Service option for the accounts is the easiest, I would personally only recommend this for lab/test environments.

Tip 3: Again, using the same account over and over is easiest, but from a security and also a risk mitigation perspective, separate accounts are what I recommend. For example, using one account for all services, possibly across multiple products, would mean more than one system would fail if this account became locked out.

Tip 4: If using (and it's recommended) domain accounts for the SQL services, don't forget to ensure the SPNs are registered for them.

Tip 5: Staying on SPNs, ensure the data access service accounts get their SPNs registered.

Tip 6: Rule of least privilege. It's always tempting just to drop the accounts into either the local admins group, sysadmin or (heaven forbid) the domain admins group. Hopefully this information will help with assigning the accounts only the least amount of privileges they require, which will always be best practice.

Below are a series of tables with example account names, their purpose and the permissions they require. I've used the domain of TrustLab in this example, so all accounts are in the format <DomainName>\<AccountName>. Like I say, these are examples only; use your own naming conventions for service accounts.

Virtual Machine Manager Accounts (TechNet link truncated in source)

| Account Example | Purpose | Permissions |
| --- | --- | --- |
| TrustLab\SCVMMSA | SCVMM Service Account | Local Admin rights on VMM Server. |
| TrustLab\SCVMMHVHost | Adding Hyper-V hosts to VMM | Local Admin rights on target Hyper-V server. |
| TrustLab\SCVMMOMCon | SCVMM to SCOM connector account | SCOM Administrator Role. SCVMM Administrator Role. |
| TrustLab\DomJoin | Domain Joining Account used in templates for VM deployment | Do not grant the account interactive logon rights. Use Delegate Control in AD on Computer Objects: Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions; This object and all descendant objects: Create/Delete Computer Objects. |

Configuration Manager Accounts (TechNet link truncated in source)

| Account Example | Purpose | Permissions |
| --- | --- | --- |
| TrustLab\SCCMNA | SCCM Network Access Account | Requires the "Access this computer from the network" right on the Distribution Points. Minimum rights to access content on the Distribution Points. |
| TrustLab\DomJoin | Domain Joining Account used within task sequences to join the OS to the domain | Do not grant the account interactive logon rights. Use Delegate Control in AD on Computer Objects: Reset Password; Validated write to DNS host name; Validated write to service principal name; Read/Write Account Restrictions; This object and all descendant objects: Create/Delete Computer Objects. |
| TrustLab\SCCMCP | SCCM Client Push Account | Do not grant the account interactive logon rights. Must be local admin on the target devices you push clients to. |
| TrustLab\SCCMRA | SCCM Reporting Service Point Account | Account is granted rights if chosen as a new account during Reporting Point creation from the console. |

N.B. There are FAR too many accounts to realistically list for ConfigMgr; please refer to the link above for a full breakdown. Listed are the most common ones needed for the base install.

Operations Manager Service Accounts (TechNet link truncated in source)

| Account Example | Purpose | Permissions |
| --- | --- | --- |
| TrustLab\SCOMAA | SCOM Action Account | Local Admin (NOT Domain Admin). |
| TrustLab\SCOMDA | SCOM Data Access Account | Local Admin. |
| TrustLab\SCOMDR | SCOM Data Warehouse Read Account | Setup assigns Read to the DW DB. Best practice is to ensure the account has SQL logon rights before installation. |
| TrustLab\SCOMDW | SCOM Data Warehouse Write Account | Setup assigns Read to the Operational DB and Write to the DW DB. Best practice is to ensure the account has SQL logon rights before installation. |

N.B. Always use the same Action Account and Data Access Account for each Management Server you deploy.

N.B. This list does not cover RunAs accounts for management packs such as the SQL or AD MPs. Please refer to the applicable guide for the management pack for details/requirements.

Service Manager Service Accounts (TechNet link truncated in source)

| Account Example | Purpose | Permissions |
| --- | --- | --- |
| TrustLab\SCSM Admins | This is a group, not an account: Management group administrators | The account used to run setup must be able to add users to this group, as it will try to auto-add the user to it. |
| TrustLab\SCSMSA | SCSM Service Account | Local Admin on SCSM Servers. Must be the same account for DW and MS Servers. |
| TrustLab\SCSMRA | SCSM Reporting Account | Nothing specific; will be granted rights in SQL during install. |
| TrustLab\SCSMAS | SCSM Analysis Services Account | Nothing specific; will be granted rights in SQL during install. |
| TrustLab\SCSMWF | SCSM Workflow Account | Normal user permissions, but must have a mailbox and send permissions for notifications. Manually add the account to Service Manager Administrators after install if not present. |

N.B. I haven't listed the accounts here that are used for setting up SharePoint, which will be needed when installing SharePoint dedicated for the Self Service Portal, as I am not a SharePoint expert and would recommend seeking dedicated SharePoint best practice advice for that.

Service Manager Connector Accounts

| Account Example | Purpose | Permissions |
| --- | --- | --- |
| TrustLab\SCSMADCON | Active Directory Connector Account | AD Read. Advanced Operator in Service Manager. |
| TrustLab\SCSMOMCICON | SCOM CI Connector Account | Operations Manager Operator privileges. Service Manager Advanced Operator. |
| TrustLab\SCSMOMALCON | SCOM Alert Connector Account | Operations Manager Administrator. Service Manager Advanced Operator. |
| TrustLab\SCSMCMCON | SCCM Connector Account | SCCM SQL DB: smsdbrole_extract and db_datareader roles. Service Manager Advanced Operator. |
| TrustLab\SCSMSCOCON | SCORCH Connector Account | Read Properties, List Contents and Publish permissions on the root Runbook folder and all child objects. Grant via the Runbook Designer. |
| TrustLab\SCSMVMMCON | SCVMM Connector Account | SCVMM Administrator. Local Admin on VMM Server. Service Manager Advanced Operator. |

Orchestrator Service Accounts (TechNet link truncated in source)

| Account Example | Purpose | Permission |
| --- | --- | --- |
| TrustLab\SCORCHSA | Orchestrator Management Service | Recommended to be a domain account. No special permissions required other than those that the installer assigns during installation. |
| TrustLab\SCORCHSA | Orchestrator Runbook Service | Recommended to be a domain account so that, if runbooks require access to remote resources, rights can be granted to this account. |
| TrustLab\SCORCHSA | Orchestrator Runbook Server Monitor service | Same account as used for the Orchestrator Management Service, and the same rights required. |

N.B. As is common with most deployments of Orchestrator, if you install the Management Server and Runbook Server components at the same time on the same server, they will both use the same service account.

N.B. To deploy an IP to the Runbook Designer, ensure the account running the Deployment Manager has local admin rights on the target; otherwise you will get Access Denied.
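The check-then-start branching from the runbook walkthrough at the top of this page (Check Service Status, parse Execution Result, take the "Service not running" or "Service already running" branch, Start Service, Log False Alarm), expressed as a POSIX shell script. This is an added example and not code from either original post. It assumes a CentOS target with SysV init scripts whose status text contains "is running" or "is stopped", as the post describes; the names classify_status, ensure_running, SERVICE_CMD, fake_service and STUB_STATE_FILE are all invented here, and fake_service is a constructed stand-in for the real service binary so the logic can be exercised without a daemon.

```shell
#!/bin/sh
# Added example, not from the original posts. Mirrors the runbook: run
# "service <name> status", inspect the Execution Result text, and call
# "service <name> start" only on the "Service not running" branch.
# Assumption: CentOS SysV init scripts, whose status output contains
# "is running" or "is stopped" as the post describes.

# Map the status text to a branch name the way the runbook's two link
# conditions do: anything without "is running" takes the not-running branch,
# so an unexpected message (daemon missing, SSH error) also triggers a start
# attempt rather than being silently treated as healthy.
classify_status() {
    case "$1" in
        *"is running"*) echo running ;;
        *)              echo not-running ;;
    esac
}

# Check a daemon and start it only if needed. Prints which branch fired so
# the caller can log it (the runbook uses Send Event Log Message for that).
# SERVICE_CMD (hypothetical) defaults to the real "service" binary. In the
# runbook this command is executed by Run SSH Command on the target host.
ensure_running() {
    svc="$1"
    cmd="${SERVICE_CMD:-service}"
    # "service X status" exits non-zero when stopped; the runbook keys off
    # the text, not the exit code, so the status is deliberately ignored.
    result=$($cmd "$svc" status 2>&1) || true
    branch=$(classify_status "$result")
    if [ "$branch" = running ]; then
        echo "Log False Alarm: $svc is already running"
        return 0
    fi
    echo "Service not running: starting $svc"
    $cmd "$svc" start
}

# Constructed stub standing in for CentOS's "service" so the script can be
# run on any machine: reports stopped until it has been started once.
STUB_STATE_FILE="${TMPDIR:-/tmp}/fake_service_state.$$"
fake_service() {
    case "$2" in
        status)
            if [ -f "$STUB_STATE_FILE" ]; then
                echo "$1 (pid 1234) is running..."
            else
                echo "$1 is stopped"
                return 3
            fi ;;
        start)
            : > "$STUB_STATE_FILE"
            echo "Starting $1: [  OK  ]" ;;
    esac
}

# Demo: the first call takes the start branch, the second the false-alarm one.
if [ "${1:-}" = "--demo" ]; then
    SERVICE_CMD=fake_service
    ensure_running httpd
    ensure_running httpd
    rm -f "$STUB_STATE_FILE"
fi
```

Run it as `sh restart-daemon.sh --demo` to see both branches fire in turn; leave SERVICE_CMD unset on a CentOS host to drive the real init script with the same logic. Because ensure_running only ever issues `status` and `start`, the account used for the SSH session needs no more than the rights to run those two init-script actions, which matches the post's point about letting the Linux administrator supply a scoped, audited account.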