Call a script from a Control Policy

Posted by Christian Jung on Tue, Jan 17, 2017

Control and Compliance Policies

Red Hat CloudForms and ManageIQ allow users to create control and compliance policies to enforce compliance checks on the Cloud, IaaS and PaaS environment. There is Documentation available on how to create and manage Policies, so this post will skip going into further details on that.

With such a policy very powerful rules can be created and enabled. Sometimes a very simple example is all you need though. I’ve been asked several times how we could call a simple shell script or execute any command triggered by a control or compliance policy and this post should help to shed some light on it.

Automate Method to run a system command

First we need a method which we can call from a Control Policy. You can import my Automate Datastore from Github. You can find a method which calls a System Command in cjung-git/Control/Methods/run_script.

The interesting part is just this one line:

system("/bin/rpm -q cfme &> /tmp/cfme-release.txt")

This example queries the system for the installed version of the CFME package and writes the result into a file in /tmp called cfme-release.txt. You could replace the system command with anything you want. Keep in mind, though, that you cannot use interactive commands which ask for user input.
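If you replace the command with something that takes values from the object that triggered the policy, it is safer to skip the shell entirely. The following is an added example, not code from the cjung-git datastore: run_command and save_output are hypothetical helper names, and it assumes plain Ruby with only the standard library. It runs the command from an argument array, returns the exit status, and refuses to write through an existing file or symlink.

```ruby
require "open3"

# Hypothetical helper (not part of the cjung-git datastore): run a command
# without a shell and return its combined stdout/stderr and exit status.
def run_command(argv)
  unless argv.is_a?(Array) && !argv.empty? && argv.all? { |a| a.is_a?(String) }
    raise ArgumentError, "argv must be a non-empty array of strings"
  end
  # [path, argv0] form: Ruby never hands the command to /bin/sh, even when
  # argv has a single element, so ';', '|', '$()' and '&>' stay literal.
  cmd = [[argv[0], argv[0]], *argv[1..]]
  # capture2e closes the child's stdin after writing stdin_data, so a command
  # that prompts for input reads EOF on stdin instead of waiting forever.
  output, status = Open3.capture2e(*cmd, stdin_data: "")
  { ok: status.success?, exitstatus: status.exitstatus, output: output }
rescue SystemCallError => e
  # Missing binary, permission denied and similar spawn failures.
  { ok: false, exitstatus: nil, output: "#{e.class}: #{e.message}" }
end

# Hypothetical helper: create the result file with O_EXCL and mode 0600, so an
# already existing file or symlink at that path is refused, not followed.
def save_output(path, text)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(text) }
  true
rescue Errno::EEXIST
  false
end

if __FILE__ == $PROGRAM_NAME
  # Same query as the one-liner above, without the shell redirection.
  result = run_command(["/bin/rpm", "-q", "cfme"])
  # Inside an Automate method you would pass this to $evm.log instead of puts.
  puts "ok=#{result[:ok]} exit=#{result[:exitstatus].inspect}"
  puts result[:output]
end
```
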

Creating a Control Policy

CloudForms has two types of Policies. Control Policies consist of an Event which triggers the policy, a Condition which has to be met and an Action which will be performed.

Compliance Policies are slightly different. They are not triggered by an event and the result (compliant or not compliant) will be shown in the details of the affected object, for example a virtual machine. Control Policies can trigger a compliance check and the results of a compliance check can trigger a control policy.

For this example, we create a simple Compliance Policy.

Create a new Action

To be able to call our system command, we need to create a new action. Navigate to Control, Explorer, Actions and click Configuration, Add a new action. We want to run our own piece of code which is executed from Automate, so we have to select “Invoke a Custom Automation”. As usual, give your action a reasonable name.

In the Custom Automation fields which just appeared, we need to tell the system which action to perform. The Automate Datastore which you just imported has a Request defined which is called “run_script”. This has to go into the Request field. The message is in most cases “create”.

If you want to learn more about Automate, check out the book “Master CloudForms Automation” - which also applies to ManageIQ.

Add new Action

Create new Policy

Navigate to Control, Explorer, Policies and select “VM Compliant Policies”. In the Configuration menu, click add a new policy. Choose a reasonable name.

Add Compliance Policy