Solved

Pre-written script to change CentOS IP addresses

Posted on 2009-05-20
Last Modified: 2013-12-16
Are there any prewritten scripts out there to change the IP address info of a given machine?

Here is the scenario, I have a distributor who puts together my box, burns my image to the box, then ships it to different data centers in the country.

I want to give the distributor a script that he can use to install the IP addresses.

It can be a Windows Script or a Bash script.
Question by:lvnv
13 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24439136
In Red Hat Linux there's no need to write a script. If he edits the file in:

/etc/sysconfig/networking/profiles/default/ifcfg-eth0

and the contents will be something like this:

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
TYPE=Ethernet
DEVICE=eth0
HWADDR=xx:xx:xx:xx:xx:xx
BOOTPROTO=none
NETMASK=<net_mask>
IPADDR=<ip.addr>
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=no

Then when the system boots it will have the fixed IP specified in IPADDR and NETMASK with the interface MAC specified in HWADDR.

This is it.
0
 
LVL 10

Expert Comment

by:elf_bin
ID: 24439706
Just to expand on what KeremE said.
In /etc/sysconfig/network-scripts/ there are ifcfg-ethx (where x is the interface number, 0, 1, 2 etc in multi-homed hosts).  
Generally, they start with a comment about to which interface they apply (so mine has # Intel Corporation 82566DM-2 Gigabit Network Connection).  
Then the device number (i.e.: eth0, eth1 etc), prepended with DEVICE=
Then the boot protocol (BOOTPROTO=) which'll be none for static IP address, dhcp for dhcp and so on.
Next is the MAC address (HWADDR=).
NETMASK= & IPADDR= are the lines where IP address & subnet mask are configured (static only).
DHCP_HOSTNAME= would be the dhcp supplied hostname (if sent).
TYPE=Ethernet is the media type used.
USERCTL=yes|no.  Can the user manipulate the network interface (such as shut it down, bring it up etc.)?
IPV6INIT=yes|no.  Do we want IPv6 support?
PEERDNS=yes|no.  "Peer to peer" DNS queries.
What I'm assuming here is that you're not using the Network Manager tool to manage your interfaces.

So you could use the sed command to change known values into new values.  For example, if the manufacturer ships IPADDR=1.1.1.1 NETMASK=1.1.1.1 you could use this:
sed s/"IPADDR=1.1.1.1"/"IPADDR=192.168.2.1"/ /etc/sysconfig/network-scripts/ifcfg-eth0 | sed s/"NETMASK=1.1.1.1"/"NETMASK=1.1.1.1"/ - > /etc/sysconfig/network-scripts/ifcfg-eth0.new

You could use the ip command to add | remove or manage interfaces and addresses.
You could use system-config-network-cmd to add | remove or manage interfaces and addresses.

But the obvious choice is why don't you just use DHCP?  That's what it's there for!

Hope this helps.
0
 

Author Comment

by:lvnv
ID: 24443548
Thanks, I know how to do both of your answers and that's how I've been doing it until now.

HOWEVER, both require root access to the system.  Therein lies the problem.  I don't want to give anyone root access or any shell access at all for that matter.
Remember, they are burning an image of disk, then changing the IP of that image.

If there was a C script that only logged in and changed the info it would be perfect.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24444474
So will you clarify the steps of the process a bit? At what step do they burn the CD? Do they change after changing? What does the image file contain? Who uses the CD?
0
 

Author Comment

by:lvnv
ID: 24444825
1) I have given the image of a disk to the "manufacturer"
2) they use G4L to copy the image to every new server that I order
3) they ship the new server to a remote location
some of the remote locations allow me to login and change the IP (because they / it uses DHCP)..
Others require me to give them root access so they can change the config files.

I don't like either option.

I'd like a script to give my manufacturer which will update the IP information on each new system without him logging in as root.

I am probably going to end up writing a C script that will do it.  I was hoping that someone on here had seen one already... I can't imagine this is a new problem..
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24444908
The problem with a script is this: you'd allow a SUID script on the image, which is very, very, very dangerous in that people could later change the script and use it as a vulnerability to exploit. The same goes for the C script, since it would need to run with root privileges.
0
 

Author Comment

by:lvnv
ID: 24445541
Well, as it stands now, they're getting root access so that's worse in my opinion...

but I figured there must be some way to encrypt the username and password in the C script then compile it as a binary...

with root:
they can do whatever they want...

with script:
They'd have to work at decompiling the binary or watching what it does...

0
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 168 total points
ID: 24445687
Yeah but can't you just connect to the host and change the root password once they have finished configuring the IP?  You can start with a default password to start.

Or better, you create a user with sudo ALL privilege. Once he logs in to the system for the first time he sets up the networking, then you'd connect and revoke the privilege from him, so that he won't know the root password.
0
 
LVL 10

Expert Comment

by:elf_bin
ID: 24448233
The thing is you'll never know how many times the CD has been used, so you'll never know which IP addresses have been assigned.
What I'd do is put something in /etc/rc.local that creates a file somewhere on disk (say /usr/local/var) when it runs.  The idea being run the script if that file is there & don't run it if it isn't there.  That way the script will only run at first boot.  You can put in something that checks and updates an external server to indicate if an IP address has been used or not and setup the networking that way.  I reckon you could even change the root password with it.
Is that the kind of thing you're after?
0
 
LVL 3

Assisted Solution

by:tkuther
tkuther earned 166 total points
ID: 24457104
Why not use SSH with command restriction?

Just write a script that takes two parameters, reads out the MAC, and changes the ifcfg-eth0 script accordingly

in root's ~/.ssh/authorized_keys put something like this:

command="/path/to/ip-changer.sh $SSH_ORIGINAL_COMMAND" ssh-rsa ....


0
 
LVL 3

Expert Comment

by:tkuther
ID: 24457112
..and hand the private key to the customer. All he will be able to do, is execute this script with the parameters, and if the script has the needed sanity checks, this is a quite safe way

(sorry, I failed to find the edit button)
0
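
An added example, not code from the thread: one way to write the ip-changer.sh that the forced command above points at, with the sanity checks the follow-up comment asks for. It assumes the request is "IP NETMASK", reads it from SSH_ORIGINAL_COMMAND instead of argv, and leaves out the MAC/HWADDR step; the function names and the IFCFG override are hypothetical.

```shell
#!/bin/sh
# ip-changer.sh: forced-command target for one key in root's authorized_keys, e.g.
#   command="/path/to/ip-changer.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa ....
# IFCFG is overridable only so the logic can be exercised on a scratch copy (assumption).
IFCFG="${IFCFG:-/etc/sysconfig/network-scripts/ifcfg-eth0}"

# valid_ipv4 ADDR: four decimal octets 0-255, no leading zeros, nothing else.
valid_ipv4() {
    local IFS=. o n=0
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    for o in $1; do
        n=$((n + 1))
        case "$o" in 0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# valid_netmask MASK: a valid dotted quad whose bits are ones followed by zeros.
valid_netmask() {
    valid_ipv4 "$1" || return 1
    local IFS=. m inv
    set -- $1
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    inv=$(( ~m & 0xFFFFFFFF ))
    [ "$m" -ne 0 ] && [ "$(( inv & (inv + 1) ))" -eq 0 ]
}

# apply_request "IP NETMASK": accept exactly two validated words, then rewrite
# only the IPADDR= and NETMASK= lines via a temp file in the same directory.
apply_request() {
    local tmp
    set -f; set -- $1; set +f          # word-split the request without globbing
    [ $# -eq 2 ] || { echo "usage: <ip> <netmask>" >&2; return 2; }
    valid_ipv4 "$1" && valid_netmask "$2" || { echo "rejected" >&2; return 3; }
    tmp=$(mktemp "$IFCFG.XXXXXX") || return 4
    if sed -e "s/^IPADDR=.*/IPADDR=$1/" -e "s/^NETMASK=.*/NETMASK=$2/" "$IFCFG" > "$tmp"
    then chmod 644 "$tmp" && mv "$tmp" "$IFCFG"
    else rm -f "$tmp"; return 4
    fi
}

# Run only under sshd's forced command; the client's text arrives in the
# environment, so it is never parsed as shell syntax or placed on a command line.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    apply_request "$SSH_ORIGINAL_COMMAND"
fi
```

The holder of the private key then runs `ssh root@host '192.168.2.1 255.255.255.0'`; anything other than two valid dotted quads is refused before the config file is touched.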
 
LVL 4

Assisted Solution

by:colinvann
colinvann earned 166 total points
ID: 24458148
Hi there,

How about on first boot, you make it ask the person in front of the system to set up networking using system-config-network. After execution it can update the ifcfg-eth0 or whichever interface you wish to configure and then set itself not to run again, rebooting the system to ensure that a clean start occurs...

Place the attached code snippet at the bottom of the /etc/rc.local ( -> /etc/rc.d/rc.local)...

The sleep commands are just there to give the system enough time to realize that the last command has exited properly; on fast systems I've seen this be a problem.

This is a clean solution that doesn't risk security at all.

Let me know if you have problems with it,
Colin


# Setup networking and reboot the system without asking for it again
system-config-network
sleep 1
service network restart
sleep 1
# Restore the original rc.local
touch /tmp/rc.local
grep -v "Setup networking and" /etc/rc.d/rc.local | grep -v system-config-network | grep -v sleep | grep -v "service network restart" | grep -v "Restore the original" | grep -v reboot | grep -v "touch /tmp/rc.local" > /tmp/rc.local
sleep 1
reboot & mv /tmp/rc.local /etc/rc.d/rc.local


0
