
Script to Automatically Configure Users, OpenSSH and Squid

Posted on 2011-09-02
Last Modified: 2012-05-12
I need to replicate a server configuration across multiple VPS (Ubuntu and Debian) and I'm wondering if it's possible to automate it almost entirely with a script. The script would need to accomplish the following:
- set hostname
- create a few users and permissions
- configure OpenSSH (copy existing config file I guess) and install a set of public keys
- configure Squid (copy config file)
- set up a few cron jobs

I know nothing about *nix scripts, so please be as precise as possible.

Thanks a lot
Jay
0
Question by:jiiins2
LVL 80

Expert Comment

by:arnold
ID: 36477836
It depends on what changes you've made to the OpenSSH configuration. The public keys are auto-generated by the host, so I am uncertain what public keys you are looking to install.

Do you already have the VPS setup?
Are you the one setting them up?
In what form do you have the user /etc/passwd /etc/shadow is needed?
What permissions are you talking about (for sudo)?
 
0
 

Author Comment

by:jiiins2
ID: 36479608
I was thinking of having the same public key on all servers for those particular users. I realise it's not a sound practice, but connections are allowed only from a few IPs anyway, and there isn't anything too precious to defend, so the chance of someone doing harm is quite contained. It is something I'm willing to trade for more automation, but if there is a better solution I'm all ears!

Regarding the openssh configuration, it's pretty standard, except for the port and a couple of minor things. Wouldn't it be possible to just copy the config file?

I have several VPS and I'm the one doing the setup.

As for the user, my thought was to script the useradd/passwd commands. Would they not work?
0
 
LVL 80

Expert Comment

by:arnold
ID: 36480671
Each server should have its own key.
Let's say each user has their own identity, id_dsa, id_rsa. You can copy the authorized_keys, authorized_keys2, if that is what you mean, from one server to the other. IMHO since you are setting up the same users across the system, you need only copy /etc/sudoers to make sure each user has the necessary rights on each system.

You can setup a script on each server to process a specific file/files that will handle the different changes.
I.e. you from a central location scp/rsync fileofreference.
The local script on each system will check whether the file matches a criteria, signed by you, and completely transferred and then will perform the tasks you setup there.

Could you explain, "I have several VPS and I'm the one doing the setup."

Why not use a starting/base  VPS image, and copy it after making the necessary adjustments?

0
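One way to implement the local check described above (reference files signed by the admin and completely transferred) before anything is applied. This is an added example, not code from the thread; the MANIFEST.sha256 / MANIFEST.sha256.sig layout, the SIG_VERIFY variable and the use of gpg are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout: $dir holds the payload
# files, MANIFEST.sha256 (sha256sum output) and MANIFEST.sha256.sig (detached
# signature over the manifest). File names are assumed to contain no spaces.
SIG_VERIFY=${SIG_VERIFY:-gpg --verify}   # signature checker; gpg is an assumption

verify_bundle() {
    dir=$1
    manifest="$dir/MANIFEST.sha256"
    if [ ! -s "$manifest" ] || [ ! -f "$manifest.sig" ]; then
        echo "manifest or signature missing (transfer incomplete?)" >&2; return 1
    fi
    # 1. The manifest itself must carry a good signature.
    if ! $SIG_VERIFY "$manifest.sig" "$manifest" >/dev/null 2>&1; then
        echo "signature check failed" >&2; return 1
    fi
    # 2. Every line must be "<64 hex> <plain name>": no paths, nothing odd.
    if grep -Evq '^[0-9a-f]{64} [ *][A-Za-z0-9._-]+$' "$manifest"; then
        echo "malformed manifest entry" >&2; return 1
    fi
    # 3. Every listed file must be present and match its digest; a truncated
    #    or missing file fails here.
    if ! (cd "$dir" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1); then
        echo "checksum mismatch or missing file" >&2; return 1
    fi
    # 4. Nothing unsigned may ride along: every file present must be listed.
    for f in "$dir"/*; do
        name=${f##*/}
        case $name in MANIFEST.sha256|MANIFEST.sha256.sig) continue ;; esac
        if ! awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { ok = 1 } END { exit !ok }' "$manifest"; then
            echo "unlisted file: $name" >&2; return 1
        fi
    done
    return 0
}
```

The apply step should run only when verify_bundle returns 0, with a keyring on the VPS that holds nothing but the admin's public key.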
 

Author Comment

by:jiiins2
ID: 36483305
Of course the image idea would be ideal, but is it possible to manage it across several VPS providers? For example, I have a VPS in the US and one in Germany and they run on completely different platforms. Would it work?

Thanks
0
 
LVL 80

Expert Comment

by:arnold
ID: 36483707
You can script anything and everything with the script taking into account the platform it is on.
rsync can be used to copy "control" files from one to the other.

I.e. the first part of the script is to determine the platform it is on, i.e. look for /etc/redhat-release for Red Hat/CentOS.
Or have multiple checks for the files.
One has its configuration file in /etc/httpd/conf/httpd.conf, another has /etc/apache2/conf/httpd.conf, etc.
Depending on the type of changes and the complexity you have to decide which shell scripting you would use.
Webmin might be something that could simplify your administrative tasks.
0
 

Author Comment

by:jiiins2
ID: 36486777
What I would like is the following:
- I buy a VPS and login as root via SSH
- I copy over the script and run it
- The server is ready!

So I assume the script should execute the various "apt-get install" and copy the config files according to the platform (as you said), right? So what would such a script look like?
0
 
LVL 80

Expert Comment

by:arnold
ID: 36488610
You would need to use a combination of /etc/passwd and /etc/shadow
username:password:UID:gid:comment:homedir:shell

This will handle the synchronization of User accounts.  You would have to make sure not to use UID for user accounts below 1000.

User synchronization is fairly simple.
Here is an example of such a script, but they use
username password group
for the file format versus what I referenced above.
To synchronize UID you would need to add -u {$UID} after adding UID to the read line in the example.

Because of the platform changes, you would need to run apt-get manually or would have to have a template of what is needed based on setting up each platform.
i.e. for type a, the following has to be present, type b .... , etc.

0
 

Author Comment

by:jiiins2
ID: 36501887
Unfortunately I think the link to the example is missing. Can you please repost it?

Ok, so I believe I can sort out the users/pwd with rsync. Could you please help me write  a little script that does the following:

apt-get update
apt-get install squid rsync -y
scp repo@server1.net:/home/repo/squid.conf /etc/squid/squid.conf
service squid start
squid -k reconfigure
+ get some sort of rsync config file?
+ start rsync client

That would be all I need...

Thanks a lot!
Jay
0
 
LVL 80

Expert Comment

by:arnold
ID: 36503162
Sorry
http://forums.devshed.com/scripts-94/shell-script-to-create-user-in-linux-using-text-file-81336.html

Blindly copying config files without knowing whether the versions changed is ill advised.

scp would likely require a password.

Presumably you would scp the configuration files from the source server where the repository is into the VM you want to synchronize.
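Usually that will involve transferring the public keys for ssh and the configuration template.
#!/bin/bash

# refresh the package index, then install squid and rsync non-interactively
apt-get update
apt-get install squid rsync -y
# enable squid at boot (chkconfig is the Red Hat-style tool; stock Debian/Ubuntu use update-rc.d)
/sbin/chkconfig squid on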


0
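The warning above about blindly copying config files can be turned into a gate: let the daemon installed on the new VPS parse the candidate file before it replaces the live one. This is an added example, not code from the thread; install_checked, the MODE variable and the .bak/.new naming are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread.
# install_checked CANDIDATE DEST CHECK...  (hypothetical helper)
# Stages CANDIDATE next to DEST, runs CHECK with the staged path appended, and
# replaces DEST only if CHECK exits 0. MODE (default 644) is an assumption.
install_checked() {
    src=$1 dest=$2
    shift 2
    [ -s "$src" ] || { echo "candidate $src is empty or missing" >&2; return 1; }
    staged=$(mktemp "$dest.new.XXXXXX") || return 1
    if ! cp "$src" "$staged"; then rm -f "$staged"; return 1; fi
    # Let the daemon's own parser judge the file for the version installed here.
    if ! "$@" "$staged" >/dev/null 2>&1; then
        echo "validation failed, keeping current $dest" >&2
        rm -f "$staged"
        return 1
    fi
    if [ -e "$dest" ]; then
        if cmp -s "$staged" "$dest"; then rm -f "$staged"; return 0; fi   # no change
        cp -p "$dest" "$dest.bak" || { rm -f "$staged"; return 1; }      # rollback copy
    fi
    chmod "${MODE:-644}" "$staged"
    mv "$staged" "$dest"    # rename in the same directory: never a half-written file
}

# Typical calls on the new VPS, run as root after the files arrive in /tmp:
#   install_checked /tmp/squid.conf  /etc/squid/squid.conf squid -k parse -f
#   install_checked /tmp/sshd_config /etc/ssh/sshd_config  /usr/sbin/sshd -t -f
# Reload the service only when the call returns 0.
```

For sshd_config on a remote VPS this matters more than for Squid: a file the installed sshd rejects would otherwise cost you the only way in.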
 

Author Comment

by:jiiins2
ID: 36508308
Yes, scp and rsync would use keys to avoid password input. To make sure I deal always with the same version I would do:
apt-get install <package name>=<version>

What should be added to the script to distribute the required (if any) rsync config to clients?

Thanks
Jay
0
 
LVL 80

Expert Comment

by:arnold
ID: 36510729
You will manually push those settings, or have a script on the source system push them, to the VPS where you will run the script.

Source system
script
#!/bin/bash

scp file1 file2 file3 file4 synchscript.sh identity.pub id_dsa.pub id_rsa.pub user@newvps:/tmp/

---

Trying to maintain the same version would mean that you would prevent updates when some are necessary security/improvements.

0
 

Author Comment

by:jiiins2
ID: 36520574
I see your point regarding the updates. What's the best practice then? How can I retain some control over the versions on the different servers?
0
 
LVL 80

Expert Comment

by:arnold
ID: 36520762
You would have to have a template of each version (local VMs are an option), at which point you will export the list of applications that have to be installed.
Then scp the list as a file to the new server, at which point your script will determine the platform that it is on (uname -a, more /etc/*release*) and then apply updates/install missing packages based on that.

How many VPS are you looking at setting up/maintaining?

I could see the user creation/synchronization, but by trying to include everything you will end up with an unmanageable script.
Note most distros use UID >1000,
so if you have previously created users with UIDs under 1000, you may have to add logic to check whether the UID you are about to set for a new user is already in use and generate an email, etc. to notify you so that you can make the determination what you want to do about that.
0
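The UID checks discussed in this thread (no account UIDs below 1000, and a check that a UID is not already in use before a user is created) can run as a dry pass before any useradd. This is an added example, not code from the thread; it reads the username:password:UID:gid:comment:homedir:shell layout quoted earlier, and MIN_UID, the verdict words and all account names are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. The list file uses the seven-field layout
# quoted above; MIN_UID and the verdict words are assumptions of this sketch.
MIN_UID=1000

# plan_users LIST [PASSWD]: print one verdict per requested account, change nothing.
plan_users() {
    awk -F: -v min="$MIN_UID" '
        NR == FNR { uid_of[$1] = $3; name_of[$3] = $1; next }   # existing accounts
        /^#/ || NF == 0 { next }
        NF != 7 || $1 !~ /^[a-z_][a-z0-9_-]*$/ || $3 !~ /^[0-9]+$/ ||
            $7 !~ "^/[A-Za-z0-9/_-]+$" { print "REJECT " $1 " malformed-entry"; next }
        ($3 + 0) < (min + 0) { print "REJECT " $1 " uid-below-" min; next }
        ($1 in uid_of) && uid_of[$1] == $3 { print "SKIP " $1 " already-present"; next }
        ($1 in uid_of) { print "CONFLICT " $1 " exists-with-uid-" uid_of[$1]; next }
        ($3 in name_of) { print "CONFLICT " $1 " uid-" $3 "-used-by-" name_of[$3]; next }
        { print "CREATE " $1, $3, $7; uid_of[$1] = $3; name_of[$3] = $1 }
    ' "${2:-/etc/passwd}" "$1"
}

# emit_useradd LIST [PASSWD]: print useradd commands for CREATE verdicts only;
# everything needing a decision goes to stderr, where a wrapper can mail it.
emit_useradd() {
    plan_users "$@" | while read -r verdict name a b _; do
        case $verdict in
            CREATE) echo "useradd -m -u $a -s $b $name" ;;
            SKIP) ;;
            *) echo "needs attention: $verdict $name $a" >&2 ;;
        esac
    done
}

# Constructed sample data: two existing accounts, four requested ones.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1001:1001::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'alice:x:1001:1001::/home/alice:/bin/bash' \
                  'bob:x:1001:1002::/home/bob:/bin/bash' \
                  'carol:x:999:999::/home/carol:/bin/bash' \
                  'dave:x:1003:1003::/home/dave:/bin/sh' > "$tmp/users.list"
    plan_users "$tmp/users.list" "$tmp/passwd"
    rm -rf "$tmp"
}
```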
 

Author Comment

by:jiiins2
ID: 36521552
The template idea sounds good. But how to generate the list of installed packages? If I use
dpkg --get-selections


I just get the general name without the version, i.e. (Squid        Install).

It's going to be about 25 VPS, but over time there would be some switches, like every month maybe the 2 slowest would get dropped in favor of 2 new ones.

As for the users/password sync, I think it's doable as currently there aren't any users and I can create them all from scratch.
0
 
LVL 80

Expert Comment

by:arnold
ID: 36522212
Can the VPS's be interconnected, openLDAP to manage users?
You have your central one, and the others will be replicas over VPN.

You can maintain the general installed application base.  To have each VPS be an exact replica of another you have to make sure that the same distro/version is deployed.
Red Hat/CentOS distro version wise maintains the same version of applications.
Not sure about the other distros.

0
 

Author Comment

by:jiiins2
ID: 36522662
Well, they are all on the internet... Does OpenLDAP work outside a LAN?

The problem with application versions is that each VPS provider offers different distros, so I have to adapt to that constraint.
0
 
LVL 80

Accepted Solution

by:
arnold earned 2000 total points
ID: 36522986
OpenLDAP works as long as one can talk to the other/others.
Are you interconnecting the VPS's ssh tunnels, ipsec, vpn?

i.e. you can create an ssh tunnel from the central openLDAP system to the other VPS with a local -L and remote tunnel -R
i.e. a remote replica connecting to localhost:special_port will traverse an ssh tunnel back to the primary/central server's 389 port
Since you are in the standardization VPS ports 32500 each vps will have
ssh -f -N -L 32501:localhost:389 -R 32500:localhost:389 username@VPS1
ssh -f -N -L 32502:localhost:389 -R 32500:localhost:389 username@vps2
.
.
ssh -f -N -L 32525:localhost:389 -R 32500:localhost:389 username@vps25

 http://www.revsys.com/writings/quicktips/ssh-tunnel.html
http://www.howtoforge.com/reverse-ssh-tunneling

The central local port might not be needed, but might be useful if you want to query the data on the replica without having to ssh to each host.

http://www.openldap.org/doc/admin24/replication.html
0
 

Author Closing Comment

by:jiiins2
ID: 36540136
Thanks man
0
