Ansible with BigFix

Hello,
We are planning to use Ansible as a config manager tool to build VMs etc. Please share if we can trigger patching with Ansible and use BigFix. Ansible has a windows-update module, but it will use Windows updates.

I’m not certain what you want to accomplish.

I think you can install BigFix with Ansible, and BigFix could be set to auto patch them.

As far as how Ansible would trigger something specifically, that is a bit more complicated. Ansible could potentially use the BigFix REST API to “trigger” or send things to endpoints, or you could have something “deployed” in BigFix already that is looking for something on the endpoint that Ansible would set, which would cause BigFix to go to work.

I am thinking of Ansible playbooks to do the below:

  1. Build server
  2. Install post-build agents and actions
  3. Perform patching of all missing baselines.

Any reference for the BigFix REST API?

You could just have Ansible install the BigFix agent, and you could have BigFix baselines containing patches already deployed to all computers, or to all computers that Ansible builds. Then BigFix would take over automatically from there, and installing the agent is the only part Ansible would need to do.

The more advanced option would be for Ansible to install the BigFix agent, wait until the BigFix agent has finished its initial work, then Ansible could deploy a custom baseline to only that system that contains all of the patches that the single system needs. This would be much more difficult to do easily and would take some work with the REST API.

The biggest issue with this approach is that Ansible can’t just install the BigFix agent and then immediately deploy a patching baseline to the machine with only the patches that machine needs, because the BigFix agent will take a little while to determine which patches it needs, which depends on the settings used to deploy the BigFix agent. You can deploy the BigFix agent with settings to speed up the initial provisioning process, but it would still take at least 10 minutes to as much as an hour or so depending on settings and network.

I should note that if you deploy a baseline to a system or all systems and it contains patches the system does not need, they will not be installed.

There is an API reference here: https://developer.bigfix.com/get-started/api.html

I would recommend using the REST API in most cases. It is what I use the most.
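To make the “advanced option” above concrete, here is an added example (not code from the thread) that polls the REST API until a freshly built host has reported which patch fixlets are relevant, then builds per-fixlet actions targeted at only that host. The `/api/query` and `/api/actions` endpoints, the `BESAPI` answer format and the `SourcedFixletAction` XML follow the public API reference linked above; the server name, site name, computer name and fixlet IDs are placeholders, and the HTTP transport is passed in as a function so the logic can run offline.

```python
"""Added example: wait for a new BigFix client to report, then target only it.
Assumed: API shapes from the public REST API docs; server/site/host names are
placeholders; `fetch(url) -> xml_text` is supplied by the caller (e.g. requests)."""
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote

BES_API = "https://bigfix.example.invalid:52311/api"  # placeholder root server

def relevant_fixlets_query(computer_name: str, site: str) -> str:
    """Session relevance: ids of fixlets from one site that are relevant on one host."""
    return ('ids of relevant fixlets whose (name of site of it = "%s") of bes computers '
            'whose (name of it as lowercase = "%s")' % (site, computer_name.lower()))

def query_url(relevance: str) -> str:
    """GET /api/query?relevance=<url-encoded session relevance>."""
    return "%s/query?relevance=%s" % (BES_API, quote(relevance, safe=""))

def parse_query_answers(xml_text: str) -> list:
    """Extract the integer <Answer> values from a BESAPI query result document."""
    root = ET.fromstring(xml_text)
    return [int(a.text) for a in root.iter("Answer")]

def wait_for_report(fetch, computer_name, site, attempts=60, interval_s=60, sleep=time.sleep):
    """Poll until the host reports relevant fixlets or the attempt budget runs out.
    An empty answer set right after agent install means 'not evaluated yet', not
    'fully patched', so keep polling (default budget is about one hour)."""
    url = query_url(relevant_fixlets_query(computer_name, site))
    for attempt in range(attempts):
        ids = parse_query_answers(fetch(url))
        if ids:
            return sorted(set(ids))
        if attempt < attempts - 1:
            sleep(interval_s)
    return []  # caller decides: extend the wait, alert, or fall back to a site-wide baseline

def build_action_xml(site: str, fixlet_id: int, computer_name: str) -> str:
    """One SourcedFixletAction (body for POST /api/actions) scoped to a single computer."""
    bes = ET.Element("BES")
    act = ET.SubElement(bes, "SourcedFixletAction")
    src = ET.SubElement(act, "SourceFixlet")
    ET.SubElement(src, "Sitename").text = site
    ET.SubElement(src, "FixletID").text = str(fixlet_id)
    ET.SubElement(src, "Action").text = "Action1"
    tgt = ET.SubElement(act, "Target")
    ET.SubElement(tgt, "ComputerName").text = computer_name
    return ET.tostring(bes, encoding="unicode")
```

Targeting by `ComputerName` only works once the client has registered under the name Ansible expects, so the polling step doubles as the readiness check for the action step.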