jiiins2
asked on
Script to Automatically Configure Users, OpenSSH and Squid
I need to replicate a server configuration across multiple VPS (ubuntu and debian) and I'm wondering if it's possible to automate it almost entirely with a script. The script would need to accomplish the following:
- set hostname
- create a few users and permissions
- configure OpenSSH (copy existing config file I guess) and install a set of public keys
- configure Squid (copy config file)
- set up a few cron jobs
I know nothing about *nix scripts, so please be as precise as possible.
Thanks a lot
Jay
ASKER
I was thinking of having the same public key on all servers for those particular users. I realise it's not a sound practice, but connections are allowed only from a few IP's anyway, and there isn't anything too precious to defend, so the chances of someone doing harm is quite contained. It is something I'm willing to trade for more automation, but if there is a better solution I'm all ears!
Regarding the openssh configuration, it's pretty standard, except for the port and a couple of minor things. Wouldn't it be possible to just copy the config file?
I have several VPS and I'm the one doing the setup.
As for the user, my thought was to script the useradd/passwd commands. Would they not work?
Each server should have its own key.
Let's say each user has their own identity, id_dsa, id_rsa. You can copy the authorized_keys/authorized_keys2 if that is what you mean from one server to the other. IMHO since you are setting up the same users across the systems, you need only copy /etc/sudoers to make sure each user has the necessary rights on each system.
You can setup a script on each server to process a specific file/files that will handle the different changes.
I.e. you from a central location scp/rsync fileofreference.
The local script on each system will check whether the file matches a criteria, signed by you, and completely transferred and then will perform the tasks you setup there.
Could you explain, "I have several VPS and I'm the one doing the setup."
Why not use a starting/base VPS image, and copy it after making the necessary adjustments?
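One way to implement the "check that the file is signed by you and completely transferred before acting on it" step described above, as an added example that is not code from the thread: it verifies a SHA-256 digest you ship separately (a detached signature would be checked at the same point) and only then installs the staged squid.conf. The paths, function names and the digest-file convention are assumptions of this example.

```shell
#!/bin/bash
# Added example (not part of the thread): accept a pushed control file only after
# checking it arrived complete and unmodified, before it touches /etc. The thread
# suggests a file "signed by you"; this version checks a SHA-256 digest you
# distribute through a trusted channel. All paths and names are assumed.
set -u

# sha256 FILE -> hex digest (coreutils sha256sum, or shasum on BSD/macOS)
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# verify_file FILE DIGEST_FILE -> 0 only if FILE's digest equals the expected one
verify_file() {
  local expected actual
  expected=$(awk 'NR==1 {print $1}' "$2")
  actual=$(sha256 "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# apply_config STAGED DIGEST_FILE DEST -> install STAGED at DEST only if verified
apply_config() {
  local staged="$1" digest="$2" dest="$3"
  if ! verify_file "$staged" "$digest"; then
    echo "refusing $dest: digest mismatch or incomplete transfer" >&2
    return 1
  fi
  # if squid is present, also reject a config it cannot parse
  if command -v squid >/dev/null 2>&1; then
    squid -f "$staged" -k parse || return 1
  fi
  if [ -f "$dest" ]; then cp -p "$dest" "$dest.bak"; fi   # keep the previous version
  install -m 0644 "$staged" "$dest"
}

# Constructed demo data: a staged squid.conf, its digest, and a truncated copy
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'http_port 3128\nhttp_access deny all\n' > "$work/squid.conf.staged"
sha256 "$work/squid.conf.staged" > "$work/squid.conf.sha256"
head -c 10 "$work/squid.conf.staged" > "$work/squid.conf.partial"

apply_config "$work/squid.conf.staged" "$work/squid.conf.sha256" "$work/squid.conf" \
  && echo "installed $work/squid.conf"
apply_config "$work/squid.conf.partial" "$work/squid.conf.sha256" "$work/squid.conf" \
  || echo "partial copy rejected as expected"
```

On a real host the digest file would travel with the config (or be read over the same authenticated channel) and DEST would be /etc/squid/squid.conf.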
ASKER
Of course the image idea would be ideal, but is it possible to manage it across several VPS providers? For example, I have a VPS in the US and one in Germany and they run on completely different platforms. Would it work?
Thanks
You can script anything and everything with the script taking into account the platform it is on.
rsync can be used to copy "control" files from one to the other.
i.e. the first part of the script is to determine the platform it is on, i.e. look for /etc/redhat-release for Redhat/Centos
Or have multiple checks for the files.
one has the configuration file in /etc/httpd/conf/httpd.conf, another has /etc/apache2/conf/httpd.conf etc.
Depending on the type of changes and the complexity you have to decide which shell scripting you would use.
webmin might be something that could simplify your administrative tasks.
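The platform check suggested above, as an added example rather than anything posted in the thread: a bash function that reads /etc/os-release, falls back to the release files named here, and maps the distro family to the package-install and boot-enable commands. The ROOT parameter, the function names and the yum/update-rc.d choices are assumptions of this example.

```shell
#!/bin/bash
# Added example (not part of the thread): decide the package manager and the
# "enable at boot" command from the distro family instead of assuming apt-get
# or chkconfig. ROOT is an assumed parameter so the function can be pointed at
# a constructed directory for testing; on a real host pass /etc.

# detect_family ROOT -> prints debian | rhel | unknown
detect_family() {
  local root="$1" id like
  if [ -r "$root/os-release" ]; then
    # os-release is shell syntax (ID=ubuntu, ID_LIKE="debian"); read it in a subshell
    id=$(. "$root/os-release"; printf '%s' "${ID:-}")
    like=$(. "$root/os-release"; printf '%s' "${ID_LIKE:-}")
    case " $id $like " in
      *" debian "*|*" ubuntu "*)            echo debian; return ;;
      *" rhel "*|*" centos "*|*" fedora "*) echo rhel;   return ;;
    esac
  fi
  # older systems: the release files the thread mentions
  if   [ -r "$root/redhat-release" ]; then echo rhel
  elif [ -r "$root/debian_version" ]; then echo debian
  else echo unknown
  fi
}

# install_cmd FAMILY -> prints the install command prefix, fails for unknown
install_cmd() {
  case "$1" in
    debian) echo "apt-get install -y" ;;
    rhel)   echo "yum install -y" ;;
    *)      echo "no package manager known for family '$1'" >&2; return 1 ;;
  esac
}

# enable_cmd FAMILY SERVICE -> prints the SysV-style boot-enable command
enable_cmd() {
  case "$1" in
    debian) echo "update-rc.d $2 defaults" ;;
    rhel)   echo "chkconfig $2 on" ;;
    *)      return 1 ;;
  esac
}

# On a real host (run as root):
#   fam=$(detect_family /etc) || exit 1
#   $(install_cmd "$fam") squid rsync && $(enable_cmd "$fam" squid)
```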
ASKER
What I would like is the follwing:
- I buy a VPS and login as root via SSH
- I copy over the script and run it
- The server is ready!
So I assume the script should execute the various "apt-get install" and copy the config files according to the platform (as you said), right? So how would such a script look like?
You would need to use a combination of /etc/passwd and /etc/shadow
username:password:UID:gid:comment:homedir:shell
This will handle the synchronization of User accounts. You would have to make sure not to use UID for user accounts below 1000.
User synchronization is fairly simple.
Here is an example of such a script, but they use
username password group
for the file format versus what I referenced above.
To synchronize UID you would need to add -u {$UID} after adding UID to the read line in the example.
Because of the platform changes, you would need to run apt-get manually or would have to have a template of what is needed based on setting up each platform.
i.e. for type a, the following has to be present, type b ..., etc.
ASKER
Unfortunately I think the link to the example is missing. Can you please repost it?
Ok, so I believe I can sort out the users/pwd with rsync. Could you please help me write a little script that does the following:
apt-get update
apt-get install squid rsync -y
scp repo@server1.net:/home/repo/squid.conf /etc/squid/squid.conf
service squid start
squid -k reconfigure
+ get some sort of rsync config file?
+ start rsync client
That would be all I need...
Thanks a lot!
Jay
Sorry
http://forums.devshed.com/scripts-94/shell-script-to-create-user-in-linux-using-text-file-81336.html
Blindly copying config files without knowing whether the versions changed is ill advised.
scp would likely require a password.
Presumably you would scp the configuration files from the source server where the repository is into the VM you want to synchronize.
Usually that will involve transferring the public keys for ssh.
and the configuration template.
#!/bin/bash
apt-get update
apt-get install squid rsync -y
# enable squid at boot; chkconfig is the RedHat/CentOS tool, Debian/Ubuntu use: update-rc.d squid defaults
/sbin/chkconfig squid on
ASKER
Yes, scp and rsync would use keys to avoid password input. To make sure I deal always with the same version I would do:
apt-get install <package name>=<version>
What should be added to the script to distribute the required (if any) rsync config to clients?
Thanks
Jay
You would manually, or with a script on the source system, push those settings to the VPS where you will run the script.
Source system
script
#!/bin/bash
scp file1 file2 file3 file4 synchscript.sh identity.pub id_dsa.pub id_rsa.pub user@newvps:/tmp/
---
Trying to maintain the same version would mean that you would prevent updates when some are necessary security fixes/improvements.
ASKER
I see your point regarding the updates. What's the best practice then? How can I retain some control over the versions on the different servers?
You would have to have a template of each version (local VMs are an option), at which point you will export the list of applications that have to be installed.
Then scp the list as a file to the new server, at which point your script will determine the platform that it is on (uname -a, more /etc/*release*) and then apply updates/install missing packages based on that.
How many VPS are you looking at setting up/maintaining?
I could see the user creation/synchronization, but by trying to include everything you will end up with an unmanageable script.
Note most distros use UID >1000
so if you have previously created users with UIDs under 1000, you may have to add logic to check whether the UID you are about to set for a new user is already in use and generate an email, etc. to notify you so that you can decide what you want to do about that.
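An added example (not from the thread or the linked devshed script) covering both the file-driven useradd approach described earlier and the UID checks in this post: it reads a username:uid:comment:homedir:shell list, refuses UIDs below 1000 or already present in the passwd file, and prints the useradd commands it would run. The file format, the function names, the DO_RUN flag and the sample data are assumptions of this example.

```shell
#!/bin/bash
# Added example (not part of the thread): create users from a text file with
# fixed UIDs so they match on every VPS, applying the thread's two caveats:
# never hand out a UID below 1000 and never reuse a UID that is already taken.
# Assumed (constructed) file format:  username:uid:comment:homedir:shell
set -u

# uid_in_use UID PASSWD_FILE -> 0 if some account already has that UID
uid_in_use() { awk -F: -v uid="$1" '$3 == uid { f = 1 } END { exit !f }' "$2"; }

# user_exists NAME PASSWD_FILE -> 0 if the login name is already present
user_exists() { awk -F: -v name="$1" '$1 == name { f = 1 } END { exit !f }' "$2"; }

# plan_users USERS_FILE PASSWD_FILE
# Prints one line per entry: "skip NAME (reason)" or the useradd command it
# would run. Set DO_RUN=1 to actually execute useradd (needs root); PASSWD_FILE
# is a parameter so the check can be tested against a constructed file.
plan_users() {
  local users="$1" passwd="$2" name uid comment home shell
  while IFS=: read -r name uid comment home shell; do
    [ -z "$name" ] && continue
    if user_exists "$name" "$passwd"; then
      echo "skip $name (already exists)"
    elif [ "$uid" -lt 1000 ]; then
      echo "skip $name (uid $uid is below 1000, reserved for system accounts)"
    elif uid_in_use "$uid" "$passwd"; then
      echo "skip $name (uid $uid already taken, notify the admin)"
    else
      echo "useradd -m -u $uid -c '$comment' -d $home -s $shell $name"
      if [ "${DO_RUN:-0}" = 1 ]; then
        useradd -m -u "$uid" -c "$comment" -d "$home" -s "$shell" "$name"
      fi
    fi
  done < "$users"
}

# Constructed sample data; a real run would use /etc/passwd and your own list
SAMPLE_PASSWD=$(mktemp); SAMPLE_USERS=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_USERS"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
  'alice:x:1001:1001:Alice:/home/alice:/bin/bash' > "$SAMPLE_PASSWD"
printf '%s\n' 'alice:1001:Alice:/home/alice:/bin/bash' \
  'bob:1002:Bob:/home/bob:/bin/bash' \
  'carol:999:Carol:/home/carol:/bin/bash' \
  'dave:1001:Dave:/home/dave:/bin/bash' > "$SAMPLE_USERS"

plan_users "$SAMPLE_USERS" "$SAMPLE_PASSWD"
```

Passwords are deliberately left out of the list; set them afterwards with chpasswd or let users log in with their SSH keys only.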
ASKER
The template idea sounds good. But how to generate the list of installed packages? If I use
dpkg --get-selections
I just get the general name without the version, i.e. (Squid Install).
It's going to be about 25 VPS, but over time there would be some switches, like every month maybe the 2 slowest would get dropped in favor of 2 new ones.
As for the users/password sync, I think it's doable as currently there aren't any users and I can create them all from scratch.
Can the VPSs be interconnected, with OpenLDAP to manage users?
You have your central one, and the others will be replicas over VPN.
You can maintain the general installed application base. To have each VPS be an exact replica of another you have to make sure that the same distro/version is deployed.
RedHat/Centos distro version wise maintains the same version of applications.
Not sure about the other distros.
ASKER
Well, they are all on the internet... Does OpenLDAP work outside a LAN?
The problem with application versions is that each VPS provider offers different distros, so I have to adapt to that constraint.
ASKER CERTIFIED SOLUTION
ASKER
Thanks man
Do you already have the VPS setup?
Are you the one setting them up?
In what form do you have the user /etc/passwd /etc/shadow is needed?
What permissions are you talking about (for sudo)?