Refactor command execution logic in CommandCollector and update DB2 configuration checks in YAML files for improved clarity and functionality

Author: devanshjainms

src/module_utils/collector.py

@@ -123,16 +123,13 @@ def collect(self, check, context) -> str:
                 )
                 return f"ERROR: Command sanitization failed after substitution: {e}"
 
-            check.command = command
             if user and user != "root":
-                if not re.match(r"^[a-zA-Z0-9_-]+$", user):
-                    self.parent.log(logging.ERROR, f"Invalid user parameter: {user}")
-                    return f"ERROR: Invalid user parameter: {user}"
-
                 if user == "db2sid":
                     user = f"db2{context.get('database_sid', '').lower()}"
+                command = f"su - {user} -c {shlex.quote(command)}"
+                self.parent.log(logging.INFO, f"Executing command as user {user} {command}")
 
-                command = f"sudo -u {shlex.quote(user)} {command}"
+            check.command = command
 
             return self.parent.execute_command_subprocess(
                 command, shell_command=check.collector_args.get("shell", True)

src/modules/configuration_check_module.py

@@ -281,7 +281,7 @@ def is_check_applicable(self, check: Check) -> bool:
         """
         self.log(
             logging.DEBUG,
-            f"Checking applicability for check {check.applicability} with context: {self.context}",
+            f"Checking applicability for check {check.applicability}",
         )
         for rule in check.applicability:
             context_value = self.context.get(rule.property)

src/roles/configuration_checks/tasks/files/db2.yml

@@ -142,24 +142,26 @@ checks:
     severity:                           *high
     workload:                           *sap
     applicability:
-      os_type:                          [*suse, *redhat]
+      os_type:                          [*redhat]
       os_version:                       *all_versions
       hardware_type:                    *vm
       storage_type:                     *all_storage
       role:                             *all_role
       database_type:                    [*db2]
     collector_type:                     *command
     collector_args:
-      command:                          "grep '^SELINUX=' /etc/selinux/config | awk -F= '{print $2}'"
+      command:                          "[ -f /etc/selinux/config ] && grep '^SELINUX=' /etc/selinux/config | awk -F= '{print $2}' || echo 'disabled'"
       user:                             *root
-    validator_type:                     *string
+    validator_type:                     *list
     validator_args:
-      expected_output:                  "enforcing"
+      valid_list:                       ["permissive", "disabled"]
     report:                             *check
+    references:
+      sap:                              "2936683"
 
   - id:                                 "DB-Db2-0004"
-    name:                               "vm.max_map_count setting"
-    description:                        "vm.max_map_count setting"
+    name:                               "vm.max_map_count should be MemTotal/4096"
+    description:                        "vm.max_map_count setting should be set to MemTotal/4096"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
@@ -371,15 +373,15 @@ checks:
 
   - id:                                 "DB-Db2-0013"
     name:                               "HADR TIMEOUT"
-    description:                        "HADR TIMEOUT"
+    description:                        "HADR TIMEOUT should be 45 seconds for RHEL"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*redhat]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
     collector_type:                     *command
@@ -395,21 +397,21 @@ checks:
 
   - id:                                 "DB-Db2-0014"
     name:                               "HADR TIMEOUT"
-    description:                        "HADR TIMEOUT"
+    description:                        "HADR TIMEOUT should be 60 seconds for SUSE"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*suse]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
     collector_type:                     *command
     collector_args:
-      command:                          "db2pd -alldbs -hadr | grep -i 'HADR_TIMEOUT' | awk '{print $NF}'"
-      user:                             *root
+      command:                          ". ~/sqllib/db2profile && db2pd -alldbs -hadr | grep -i 'HADR_TIMEOUT' | awk '{print $NF}'"
+      user:                             *db2sid
     validator_type:                     *string
     validator_args:
       expected_output:                  "60"
@@ -419,15 +421,15 @@ checks:
 
   - id:                                 "DB-Db2-0015"
     name:                               "PEER WINDOW (seconds)"
-    description:                        "PEER WINDOW (seconds) RedHat"
+    description:                        "PEER WINDOW should be 240 seconds for RHEL"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*redhat]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
     collector_type:                     *command
@@ -443,15 +445,15 @@ checks:
 
   - id:                                 "DB-Db2-0016"
     name:                               "PEER WINDOW (seconds)"
-    description:                        "PEER WINDOW (seconds) SUSE SBD"
+    description:                        "PEER WINDOW should be 300 seconds for SUSE with SBD"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*suse]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
       high_availability_agent:          *sbd
@@ -468,15 +470,15 @@ checks:
 
   - id:                                 "DB-Db2-0017"
     name:                               "PEER WINDOW (seconds)"
-    description:                        "PEER WINDOW (seconds) SUSE Fencing Agent"
+    description:                        "PEER WINDOW should be 900 seconds for SUSE with Fencing Agent"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*suse]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
       high_availability_agent:          *fencing_agent
@@ -493,7 +495,7 @@ checks:
 
   - id:                                 "DB-Db2-0018"
     name:                               "Maximum shared memory segments"
-    description:                        "Maximum shared memory segments"
+    description:                        "Maximum shared memory segments should be at least 256 times the total physical memory in GB"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
@@ -506,7 +508,7 @@ checks:
       database_type:                    [*db2]
     collector_type:                     *command
     collector_args:
-      command:                          "[ $((256 * $(free -g | grep Mem: | awk '{print $2}'))) -ge $(/sbin/sysctl kernel.shmmni -n) ] && echo OK || echo $(/sbin/sysctl kernel.shmmni -n)"
+      command:                          "shmmni=$(/sbin/sysctl kernel.shmmni -n); mem_gb=$(free -g | grep Mem: | awk '{print $2}'); min_required=$((256 * mem_gb)); [ $shmmni -ge $min_required ] && echo OK || echo \"kernel.shmmni=$shmmni (required: >= $min_required, memory: ${mem_gb}GB)\""
       user:                             *root
     validator_type:                     *string
     validator_args:
@@ -518,20 +520,20 @@ checks:
 
   - id:                                 "DB-Db2-0019"
     name:                               "Instance Memory size"
-    description:                        "Instance Memory size"
+    description:                        "Instance Memory size should be at least 64 GB"
     category:                           *sap_check
     severity:                           *high
     workload:                           *sap
     applicability:
       os_type:                          [*suse, *redhat]
       os_version:                       *all_versions
       hardware_type:                    *vm
-      storage_type:                     [*premium_storage]
+      storage_type:                     *premium_storage
       role:                             [*db_role]
       database_type:                    [*db2]
     collector_type:                     *command
     collector_args:
-      command:                          ". ~/sqllib/db2profile && output=$(db2pd -dbmcfg | grep INSTANCE_MEMORY | awk '{print $NF}'); [[ $output -le 100 ]] && echo $output || echo $(awk -v output=$output 'BEGIN {print output * 4096 / 1024 / 1024 / 1024}')"
+      command:                          ". ~/sqllib/db2profile && db2pd -dbmcfg | grep INSTANCE_MEMORY | awk \"{if(\\$NF<=100) print \\$NF; else print \\$NF*4096/1024/1024/1024}\""
       user:                             *db2sid
     validator_type:                     *range
     validator_args:

src/templates/azure-pipeline.yml

@@ -7,7 +7,7 @@
 # |                                                                            |
 # +------------------------------------4--------------------------------------*/
 
-name:                                  SAP Quality Assurance $(sap_system_configuration_name)
+name:                                  SAP Quality Assurance
 
 parameters:
   - name:                              sap_system_configuration_name
@@ -25,18 +25,17 @@ parameters:
     type:                              string
     default:                           ''
 
-  - name:                              sap_on_azure_quality_checks
-    displayName:                       SAP on Azure Quality Checks
+  - name:                              sap_configuration_checks
+    displayName:                       SAP Configuration Checks (v2 of SAP on Azure Quality Checks)
     type:                              boolean
     default:                           true
 
-
   - name:                              sap_functional_tests
     displayName:                       SAP Functional Tests
     type:                              boolean
     default:                           true
 
-  - name:                              sap_functional_test_type
+  - name:                              SAP_FUNCTIONAL_TEST_TYPE
     displayName:                       SAP Functional Tests Type
     type:                              string
     default:                           "DatabaseHighAvailability"
@@ -70,14 +69,14 @@ extends:
   template:                                ./resources.yml
   parameters:
     stages:
-      - template:                          deploy\pipelines\13-sap-quality-assurance.yaml@sap-automation
+      - template:                          deploy\pipelines\13-sap-automation-qa.yaml@sap-automation
         parameters:
           sap_system_configuration_name:   ${{ parameters.sap_system_configuration_name }}
           environment:                     ${{ parameters.environment }}
-          sap_on_azure_quality_checks:     ${{ parameters.sap_on_azure_quality_checks }}
           sap_automation_repo_path:        $(Build.SourcesDirectory)/sap-automation
           config_repo_path:                $(Build.SourcesDirectory)/config
           extra_params:                    ${{ parameters.extra_params }}
           sap_functional_tests:            ${{ parameters.sap_functional_tests }}
-          sap_functional_test_type:        ${{ parameters.sap_functional_test_type }}
+          SAP_FUNCTIONAL_TEST_TYPE:        ${{ parameters.SAP_FUNCTIONAL_TEST_TYPE }}
           telemetry_data_destination:      ${{ parameters.telemetry_data_destination }}
+          sap_configuration_checks:        ${{ parameters.sap_configuration_checks }}