sap_swpm: Add option to enable observer mode in sap_swpm role

[rob0d]

Hi, I would like to suggest to add an option to enable observer mode in SWPM. Observer mode allows user to watch the installation progress without the ability to change anything. User can, however, access all the log files via browser. The reasons why to allow this:

• Watch the installation progress for long running steps (e.g. PAS or DB load)
• Allow easier troubleshooting if the unattended installation fails with a non-obvious error
• The SAP Technical consultant may not have access to Ansible or to root user and may not be able to see the logs directly

I would suggest to create a new variable: sap_swpm_swpm_observer_mode which will default to false. If set to true the swpm command line parameter SAPINST_START_GUISERVER=false needs to be removed. This is currently set in "SAP SWPM Pre Install - Set sapinst command" on lines 17-25 in file pre_install.yml.

I haven't tested this when running via Ansible playbook, but I see no reason why it shouldn't work. For this to be more flexible an additional parameter may be introduced (e.g. sap_swpm_swpm_remote_access_user) which will set another command line parameter SAPINST_REMOTE_ACCESS_USER={{ sap_swpm_swpm_remote_access_user }} which will allow a non-root user login to the web interface.

SAP documentation reference: https://help.sap.com/docs/SLTOOLSET/7f0f5f0bdc954c1f80af6159f5e9fc41/3e7738abf8674ed7a6448d8c04fa5de7.html

[marcelmamula]

@berndfinger This suggestion looks feasible albeit being very much edge case, intended only for testing and engineering purpose.

[rob0d]

Yes. Primary reason would be troubleshooting rather than having to re-run the SWPM manually to find out why it's not happy. Secondary reason is segregation of duties as not all customers are able/willing to provide SAP Technical people appropriate access due to policy or regulatory reasons.

[sean-freeman]

@rob0d As the primary origin author, I am unsure if we can implement this with consistent success.

In previous iterations of this Ansible Role, sapinst would be called and once the process exited with return code 0 - the Ansible Task would proceed. See this placeholder left in the code > /roles/sap_swpm/tasks/swpm.yml#L53-L59. After a specific SWPM release (I forget what SP/PL), this approach broke.

The Ansible Role at the moment has to use background job / nohup, and a process watch using community.general.pids (not wanted but required due to parent-child process problems, where a second Ansible Task that runs ps aux on loop would fail to see when the sapinst process exited successfully). See in the code > /roles/sap_swpm/tasks/swpm.yml#L61-L100

In either case, to allow Observer Mode would break because the sapinst process would be left running indefinitely and therefore the Ansible Task would run indefinitely.

The only option would be to change the process watch, to a file watch.

When sapinst exits it will dump a installationSuccesfullyFinished.dat file into the installation directory, obtained via cat $(cat /tmp/sapinst_instdir/.lastInstallationLocation)/installationSuccesfullyFinished.dat and can be seen used later in the code to display the success to the end-user /roles/sap_swpm/tasks/swpm.yml#L113-L117

HOWEVER - I would not confidently state that this file's existance is proof of return code 0 exit.

.... more thinking is needed about this before we alter. It's a nice feature to allow, but not at the expensive of a trusted execution.

[Wabri]

The @rob0d request is possible to do with this changes in the line 24 of pre_install:

    sap_swpm_swpm_command_extra_args: >
      SAPINST_SKIP_DIALOGS=true 
      {% if sap_swpm_swpm_remote_access_user != true %}
      SAPINST_START_GUISERVER=false 
      {% else %}
      SAPINST_REMOTE_ACCESS_USER=true
      {% endif %}
      {{ sap_swpm_swpm_command_virtual_hostname }} 
      {{ sap_swpm_swpm_command_mp_stack }}

Plus sap_swpm_swpm_remote_access_user: false on defaults/main.yml

I didn't try it, but if this causes an execution that needs an interaction then ansible will run indefinitely like @sean-freeman pointed out.

[berndfinger]

@rob0d If I understand correctly, your request is about adding the ability to watch the installation process with a GUI. Did you already have a look at https://github.com/sap-linuxlab/community.sap_install/blob/42af6baab0310ec9c47994147d877f3d11ca4108/roles/sap_swpm/tasks/pre_install.yml#L79, which suggests running the following command for displaying the installation log in real time:

tail -f $(cat /tmp/sapinst_instdir/.lastInstallationLocation)/sapinst.log

The file is owned by root:sapinst with permission 640, so if the monitoring user is part of group sapinst, it can access the file. Mabye this is sufficient already for some of the use cases you mentioned?

[berndfinger]

@sean-freeman @rob0d I just tested running sap_swpm for product ID NW_ABAP_OneHost:S4HANA2022.FNDN.HDB.ABAP without specifying SAPINST_START_GUISERVER=false in sap_swpm_swpm_command_extra_args:

• I was able to monitor the progress in the browser, using the URL which was mentioned around line 100 of the file sapinst.log. As the credentials, I used those of the root user for this first test.
• The role reported SAP SWPM deployment successfully completed in the task SAP SWPM Deployment - Finished and the playbook finished.
• The last brower window showed 100% in the progress bar, and the major step was "Execute Service" with the detailed text copying /hana/software/sap_s4hana_foundation_2022/sap_swpm_extracted/COMMON/REPORTING/UndeploymentResults.xsl and the progress indicator still moving.
• No sapinst process was running at that time.

I was using the code which replaces community.general.pids by ps -ef and awk (see https://github.com/berndfinger/community.sap_install/blob/ef02f9f0c189e09eb8eaa316c1d78a8c8e533257/roles/sap_swpm/tasks/swpm.yml#L58) for this test.

[sean-freeman]

@berndfinger @rob0d @Wabri

Keep in mind that historically, when using SAP SWPM Unattended Mode if you do not specify SAPINST_START_GUISERVER it can lead to unstable results - I have not re-visited that operator since 2016-17 because it would crash the automated execution almost 100% of the time way back then (before SWPM Unattended Mode was properly documented). I would insist on at minimum 10 different Product IDs tested for both SWPM1 and SWPM2 to prove it's stable.

In summary....

I am NOT ok with the following:

• Remove community.general.pids and use process watcher for rc=0 via ps instead; this resulted in many failures when testing previously.

I am OK with the following:

• Remove community.general.pids and replace process watcher for rc=0, with file exists watch for installationSuccesfullyFinished.dat to avoid infinite Ansible wait when an SWPM failure occurs while using Observer Mode.
• Adding logic to handle SAPINST_START_GUISERVER, SAPINST_REMOTE_ACCESS_USER
  • Adding logic that checks the given remote access user, has a set username/password (remember on Cloud, users like root and ec2-admin are SSH Keys only - no passwords).

And I insist we test properly to ensure reliability:

• SWPM1, 5x installations (inc. NWAS JAVA)
• SWPM2, 5x installations (inc. S/4HANA Distributed HA with AAS)

With the last comment being:

• I am not willing to do this re-code and re-test

[rob0d]

Gents, @sean-freeman @Wabri @berndfinger

Thanks for looking at this. I did further tests and can confirm the following:

• sapinst exits at the end of installation regardless whether observer mode is on or off. I tested this with both swpm1_40 and swpm2_17.1
• When I enabled observer mode the existing process watcher has not been impacted (no need for ps-ef) and it correctly recognised that sapinst has exited. This was for both successful and unsuccessful installations.
• The only required addition to this is to specify SAPINST_REMOTE_ACCESS_USER_IS_TRUSTED=true when using SAPINST_REMOTE_ACCESS_USER otherwise sapinst will hang asking for confirmation.
• I have tested this 6+ time with SWPM1 when installing Diag Agents (@sean-freeman if it's ok I will reply to the chat you had with somebody a few months ago with a working example of SMD agent installation using an advanced template)
• I haven't tested this with SWPM2, but over the next 2-3 weeks we will be doing more installations of PAS, AAS, WebDisp, SMD agents so I can test that the observer mode doesn't cause issues.

[rob0d]

Hi @sean-freeman @Wabri @berndfinger.

I have tested this at least 20 times with swpm 1 and 2 (v17.1, 17.4 and 18.0) on PAS, AAS, WebDisp and SMD agents installations. All worked as expected. SWPM simply exits when it comes to the end of the installation. No change in role handling of the SWPM PID or installation success required, everything works as before. Pull request #749 created.

[berndfinger]

Fixed in #749.