Solved

Script to Automatically Configure Users, OpenSSH and Squid

Posted on 2011-09-02
Last Modified: 2012-05-12
I need to replicate a server configuration across multiple VPS (ubuntu and debian) and I'm wondering if it's possible to automate it almost entirely with a script. The script would need to accomplish the following:
- set hostname
- create a few users and permissions
- configure OpenSSH (copy existing config file I guess) and install a set of public keys
- configure Squid (copy config file)
- set up a few cron jobs

I know nothing about *nix scripts, so please be as precise as possible.

Thanks a lot
Jay
Question by:jiiins2
18 Comments
 
Expert Comment

by:arnold
It depends on what changes you've made to the openssh configuration; the public keys are auto-generated by the host, so I am uncertain what public keys you are looking to install.

Do you already have the VPS setup?
Are you the one setting them up?
In what form do you have the users (/etc/passwd, /etc/shadow) that are needed?
What permissions are you talking about (for sudo)?
 
Author Comment

by:jiiins2
I was thinking of having the same public key on all servers for those particular users. I realise it's not a sound practice, but connections are allowed only from a few IPs anyway, and there isn't anything too precious to defend, so the chances of someone doing harm are quite contained. It is something I'm willing to trade for more automation, but if there is a better solution I'm all ears!

Regarding the openssh configuration, it's pretty standard, except for the port and a couple of minor things. Wouldn't it be possible to just copy the config file?

I have several VPS and I'm the one doing the setup.

As for the user, my thought was to script the useradd/passwd commands. Would they not work?
Expert Comment

by:arnold
Each server should have its own key.
Let's say each user has their own identity, id_dsa, id_rsa. You can copy the authorized_keys / authorized_keys2, if that is what you mean, from one server to the other. IMHO, since you are setting up the same users across the systems, you need only copy /etc/sudoers to make sure each user has the necessary rights on each system.

You can setup a script on each server to process a specific file/files that will handle the different changes.
I.e. from a central location you scp/rsync a file of reference.
The local script on each system will check whether the file matches a criteria, signed by you, and completely transferred and then will perform the tasks you setup there.

Could you explain, "I have several VPS and I'm the one doing the setup."

Why not use a starting/base VPS image, and copy it after making the necessary adjustments?

Author Comment

by:jiiins2
Of course the image idea would be ideal, but is it possible to manage it across several VPS providers? For example, I have a VPS in the US and one in Germany and they run on completely different platforms. Would it work?

Thanks
Expert Comment

by:arnold
You can script anything and everything with the script taking into account the platform it is on.
rsync can be used to copy "control" files from one to the other.

I.e. the first part of the script is to determine the platform it is on, e.g. look for /etc/redhat-release for Redhat/Centos,
or have multiple checks for the files:
one has its configuration file in /etc/httpd/conf/httpd.conf, another has /etc/apache2/conf/httpd.conf, etc.
Depending on the type of changes and the complexity, you have to decide which shell scripting you would use.
webmin might be something that could simplify your administrative tasks.
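
An added example, not arnold's or the asker's own script, of the platform-aware approach described in this comment: it reads the release files to decide between apt-get and yum, installs a pinned package list, and lets squid parse the staged config before installing it. The file names packages.txt and squid.conf and the "run" argument are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: one-shot bootstrap for a fresh VPS.
# Assumed (hypothetical) inputs staged by the source-system scp step:
#   ./packages.txt  one "package=version" per line (the install template)
#   ./squid.conf    the squid config to deploy
# Usage, as root on the new VPS: ./bootstrap.sh run
set -u

# Detect the distro family from its release files. $1 is an optional root
# prefix (normally empty) so the check can be exercised against a fake tree.
detect_platform() {
  local root=${1:-}
  if [ -f "$root/etc/redhat-release" ]; then echo redhat
  elif grep -qs '^DISTRIB_ID=Ubuntu' "$root/etc/lsb-release"; then echo ubuntu
  elif [ -f "$root/etc/debian_version" ]; then echo debian
  else echo unknown; fi
}

# Install the pinned versions from packages.txt with the platform's tool;
# yum pins with "name-version" where apt uses "name=version".
install_packages() {
  local platform=$1 pkg
  while read -r pkg; do
    case "$pkg" in ''|\#*) continue ;; esac
    case "$platform" in
      debian|ubuntu) apt-get install -y "$pkg" ;;
      redhat)        yum install -y "$(echo "$pkg" | sed 's/=/-/')" ;;
      *) echo "unsupported platform: $platform" >&2; return 1 ;;
    esac
  done < packages.txt
}

# Never copy a config blindly: let squid parse the staged file first, keep a
# backup of the live one, and only then install it and reload.
deploy_squid_conf() {
  local src=$1 dst=/etc/squid/squid.conf
  squid -k parse -f "$src" || { echo "squid rejected $src, not deploying" >&2; return 1; }
  [ -f "$dst" ] && cp -p "$dst" "$dst.bak"
  install -m 640 -o root -g root "$src" "$dst"
  service squid start 2>/dev/null || true   # no-op if already running
  squid -k reconfigure
}

main() {
  local platform; platform=$(detect_platform)
  echo "platform: $platform"
  case "$platform" in debian|ubuntu) apt-get update ;; redhat) yum makecache ;; esac
  install_packages "$platform" && deploy_squid_conf ./squid.conf
}
case "${1:-}" in run) main ;; esac
```
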
Author Comment

by:jiiins2
What I would like is the following:
- I buy a VPS and login as root via SSH
- I copy over the script and run it
- The server is ready!

So I assume the script should execute the various "apt-get install" and copy the config files according to the platform (as you said), right? So how would such a script look?
Expert Comment

by:arnold
You would need to use a combination of /etc/passwd and /etc/shadow
username:password:UID:gid:comment:homedir:shell

This will handle the synchronization of User accounts.  You would have to make sure not to use UID for user accounts below 1000.

User synchronization is fairly simple.
Here is an example of such a script, but they use
username password group
for the file format versus what I referenced above.
To synchronize UIDs you would need to add -u ${UID} after adding UID to the read line in the example.

Because of the platform changes, you would need to run apt-get manually or would have to have a template of what is needed based on setting up each platform.
i.e. for type a, the following has to be present, type b .... , etc.

Author Comment

by:jiiins2
Unfortunately I think the link to the example is missing. Can you please repost it?

Ok, so I believe I can sort out the users/pwd with rsync. Could you please help me write a little script that does the following:

apt-get update
apt-get install squid rsync -y
scp repo@server1.net:/home/repo/squid.conf /etc/squid/squid.conf
service squid start
squid -k reconfigure
+ get some sort of rsync config file?
+ start rsync client

That would be all I need...

Thanks a lot!
Jay
Expert Comment

by:arnold
Sorry
http://forums.devshed.com/scripts-94/shell-script-to-create-user-in-linux-using-text-file-81336.html

Blindly copying config files without knowing whether the versions changed is ill advised.

scp would likely require a password.

Presumably you would scp the configuration files from the source server where the repository is into the VM you want to synchronize.
Usually that will involve transferring the public keys for ssh and the configuration template.
#!/bin/bash

apt-get update
apt-get install squid rsync -y
/sbin/chkconfig squid on   # on Debian/Ubuntu without the chkconfig package, the equivalent is: update-rc.d squid defaults

Author Comment

by:jiiins2
Yes, scp and rsync would use keys to avoid password input. To make sure I deal always with the same version I would do:
apt-get install <package name>=<version>

What should be added to the script to distribute the required (if any) rsync config to clients?

Thanks
Jay
Expert Comment

by:arnold
You will manually push, or have a script on the source system push, those settings to the VPS where you will run the script.

Source system
script
#!/bin/bash

scp file1 file2 file3 file4 synchscript.sh identity.pub id_dsa.pub id_rsa.pub user@newvps:/tmp/

---

Trying to maintain the same version would mean that you would prevent updates when some are necessary security fixes/improvements.

Author Comment

by:jiiins2
I see your point regarding the updates. What's the best practice then? How can I retain some control over the versions on the different servers?
Expert Comment

by:arnold
You would have to have a template of each version (local VMs are an option), at which point you will export the list of applications that have to be installed.
Then scp the list as a file to the new server at which point your script will determine the platform that it is on (uname -a, more /etc/*release*) and then apply updates/install missing packages based on that.

How many VPS are you looking at setting up and maintaining?

I could see the user creation/synchronization, but by trying to include everything you will end up with an unmanageable script.
Note most distros use UID > 1000,
so if you have previously created users with UIDs under 1000, you may have to add logic to check whether the UID you are about to set for a new user is already in use and generate an email, etc. to notify you so that you can make the determination what you want to do about that.
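
An added example (not code from this thread or the linked devshed script) covering both the passwd-style user file arnold described earlier and the UID clash check he mentions in this comment: it validates each record, refuses system-range UIDs, reports a UID that is already taken instead of guessing, and only then creates the account. The input file name users.txt and the "run" argument are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread or the linked devshed script: create the
# same accounts on every VPS from a passwd-style list in the field order
# given earlier in the thread: username:password:UID:gid:comment:homedir:shell
# The password field is the hash as it appears in /etc/shadow, never plaintext.
# Assumed (hypothetical) input file: ./users.txt. Usage as root: ./sync_users.sh run
set -u

# Validate one record before touching the system: sane username, numeric UID,
# and no UID in the system range (<1000). Reports the reason on stderr.
check_record() {
  local name=$1 uid=$2
  case "$name" in
    ''|*[!a-z0-9_-]*) echo "rejected: bad username '$name'" >&2; return 1 ;;
  esac
  case "$uid" in
    ''|*[!0-9]*) echo "rejected: non-numeric uid '$uid' for $name" >&2; return 1 ;;
  esac
  if [ "$uid" -lt 1000 ]; then
    echo "rejected: uid $uid for $name is in the system range (<1000)" >&2; return 1
  fi
  return 0
}

# Is this UID already owned by a local account? (getent accepts a UID.)
uid_in_use() { getent passwd "$1" >/dev/null 2>&1; }

add_users() {
  while IFS=: read -r name pass uid gid comment home shell; do
    case "$name" in ''|\#*) continue ;; esac        # skip blanks and comments
    check_record "$name" "$uid" || continue
    if uid_in_use "$uid"; then
      # the clash case from the thread: do not guess, report and let the admin decide
      echo "uid $uid wanted by $name is taken by $(getent passwd "$uid" | cut -d: -f1)" >&2
      continue
    fi
    if getent passwd "$name" >/dev/null 2>&1; then
      echo "$name already exists, skipping" >&2; continue
    fi
    getent group "$gid" >/dev/null 2>&1 || groupadd -g "$gid" "$name"
    useradd -u "$uid" -g "$gid" -c "$comment" -d "$home" -m -s "$shell" "$name"
    # set the hash with chpasswd -e so it never shows up in the process list
    printf '%s:%s\n' "$name" "$pass" | chpasswd -e
  done < users.txt
}
case "${1:-}" in run) add_users ;; esac
```
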
Author Comment

by:jiiins2
The template idea sounds good. But how to generate the list of installed packages? If I use
dpkg --get-selections

I just get the general name without the version, i.e. (squid    install).

It's going to be about 25 VPS, but over time there would be some switches, like every month maybe the 2 slowest would get dropped in favor of 2 new ones.

As for the users/password sync, I think it's doable as currently there aren't any users and I can create them all from scratch.
Expert Comment

by:arnold
Can the VPSs be interconnected, openLDAP to manage users?
You have your central one, and the others will be replicas over VPN.

You can maintain the general installed application base.  To have each VPS be an exact replica of another you have to make sure that the same distro/version is deployed.
RedHat/Centos distro version wise maintains the same version of applications.
Not sure about the other distros.

Author Comment

by:jiiins2
Well, they are all on the internet... Does OpenLDAP work outside a LAN?

The problem with application versions is that each VPS provider offers different distros, so I have to adapt to that constraint.
0
 
Accepted Solution

by:
arnold earned 500 total points
OpenLDAP works as long as one can talk to the other/others.
Are you interconnecting the VPSs with ssh tunnels, ipsec, vpn?

i.e. you can create an ssh tunnel from the central openLDAP system to the other VPS with a local -L and remote tunnel -R
i.e. a remote replica connecting to localhost:special_port will traverse an ssh tunnel back to the primary/central server's 389 port
Since you are standardizing the VPSs on port 32500, each VPS will have:
ssh -f -N -L 32501:localhost:389 -R 32500:localhost:389 username@VPS1
ssh -f -N -L 32502:localhost:389 -R 32500:localhost:389 username@vps2
.
.
ssh -f -N -L 32525:localhost:389 -R 32500:localhost:389 username@vps25

http://www.revsys.com/writings/quicktips/ssh-tunnel.html
http://www.howtoforge.com/reverse-ssh-tunneling

The central local port might not be needed, but might be useful if you want to query the data on the replica without having to ssh to each host.

http://www.openldap.org/doc/admin24/replication.html
Author Closing Comment

by:jiiins2
Thanks man