jiiins2

Script to Automatically Configure Users, OpenSSH and Squid

I need to replicate a server configuration across multiple VPS (Ubuntu and Debian) and I'm wondering if it's possible to automate it almost entirely with a script. The script would need to accomplish the following:
- set hostname
- create a few users and permissions
- configure OpenSSH (copy existing config file I guess) and install a set of public keys
- configure Squid (copy config file)
- set up a few cron jobs

I know nothing about *nix scripts, so please be as precise as possible.

Thanks a lot
Jay
arnold

It depends on what changes you've made to the OpenSSH configuration. The public keys are auto-generated by the host, so I am uncertain what public keys you are looking to install.

Do you already have the VPS setup?
Are you the one setting them up?
In what form do you have the user /etc/passwd /etc/shadow is needed?
What permissions are you talking about (for sudo)?
 
jiiins2

ASKER

I was thinking of having the same public key on all servers for those particular users. I realise it's not a sound practice, but connections are allowed only from a few IPs anyway, and there isn't anything too precious to defend, so the chances of someone doing harm are quite contained. It is something I'm willing to trade for more automation, but if there is a better solution I'm all ears!

Regarding the openssh configuration, it's pretty standard, except for the port and a couple of minor things. Wouldn't it be possible to just copy the config file?

I have several VPS and I'm the one doing the setup.

As for the user, my thought was to script the useradd/passwd commands. Would they not work?
Each server should have its own key.
Let's say each user has their own identity, id_dsa, id_rsa. You can copy the authorized_keys authorized_keys2 if that is what you mean from one server to the other. IMHO since you are setting up the same users across the system, you need only copy /etc/sudoers to make sure each user has the necessary rights on each system.

You can setup a script on each server to process a specific file/files that will handle the different changes.
I.e. you from a central location scp/rsync fileofreference.
The local script on each system will check whether the file matches a criteria, signed by you, and completely transferred and then will perform the tasks you setup there.

Could you explain, "I have several VPS and I'm the one doing the setup."

Why not use a starting/base  VPS image, and copy it after making the necessary adjustments?
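
The check described above (a pushed file that is signed by the admin and completely transferred) could look like this. It is an added example, not code from the thread; the bundle layout, the names MANIFEST.sha256 and MANIFEST.sha256.sig and both function names are assumptions, and it relies on openssl and sha256sum being installed.

```bash
#!/bin/bash
# Added example. Assumed bundle layout (hypothetical names):
#   bundle/<config files>        flat directory, no sub-directories
#   bundle/MANIFEST.sha256       sha256sum output covering every file
#   bundle/MANIFEST.sha256.sig   detached signature over the manifest

# Sender side (admin workstation; the private key never leaves it).
make_manifest() {
    local dir="$1" privkey="$2"
    ( cd "$dir" && rm -f MANIFEST.sha256 MANIFEST.sha256.sig \
        && sha256sum ./* > .manifest.tmp \
        && mv .manifest.tmp MANIFEST.sha256 ) || return 1
    openssl dgst -sha256 -sign "$privkey" \
        -out "$dir/MANIFEST.sha256.sig" "$dir/MANIFEST.sha256"
}

# Receiver side (new VPS). Returns 0 only when all three checks pass.
verify_bundle() {
    local dir="$1" pubkey="$2"
    local manifest="$dir/MANIFEST.sha256" sig="$dir/MANIFEST.sha256.sig"

    # 1. Control files present and non-empty, i.e. the push got that far.
    if [ ! -s "$manifest" ] || [ ! -s "$sig" ]; then
        echo "bundle incomplete" >&2; return 1
    fi
    # 2. Manifest signed by the key whose public half is pinned on this host.
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" \
            "$manifest" >/dev/null 2>&1; then
        echo "manifest signature invalid" >&2; return 1
    fi
    # 3. Every listed file exists and hashes correctly (catches truncation).
    if ! ( cd "$dir" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 ); then
        echo "file missing or modified" >&2; return 1
    fi
    return 0
}

# On the VPS: verify_bundle /tmp/bundle /root/admin_pub.pem && run the setup steps
```

Only files named in the signed manifest should be acted on afterwards, since anything else in the directory is unverified.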

jiiins2

ASKER

Of course the image idea would be ideal, but is it possible to manage it across several VPS providers? For example, I have a VPS in the US and one in Germany and they run on completely different platforms. Would it work?

Thanks
You can script anything and everything with the script taking into account the platform it is on.
rsync can be used to copy "control" files from one to the other.

I.e. the first part of the script is to determine the platform it is on, i.e. look for /etc/redhat-release for Red Hat/CentOS.
Or have multiple checks for the files.
One has the configuration file in /etc/httpd/conf/httpd.conf, another has /etc/apache2/conf/httpd.conf, etc.
Depending on the type of changes and the complexity you have to decide which shell scripting you would use.  
webmin might be something that could simplify your administrative tasks.
jiiins2

ASKER

What I would like is the following:
- I buy a VPS and login as root via SSH
- I copy over the script and run it
- The server is ready!

So I assume the script should execute the various "apt-get install" and copy the config files according to the platform (as you said), right? So what would such a script look like?
You would need to use a combination of /etc/passwd and /etc/shadow
username:password:UID:gid:comment:homedir:shell

This will handle the synchronization of User accounts.  You would have to make sure not to use UID for user accounts below 1000.

User synchronization is fairly simple.
Here is an example of such a script, but they use
username password group
for the file format versus what I referenced above.
To synchronize UID you would need to add -u {$UID} after adding UID to the read line in the example.

Because of the platform changes, you would need to run apt-get manually or would have to have a template of what is needed based on setting up each platform.
i.e. for type a, the following has to be present, type b .... , etc.

jiiins2

ASKER

Unfortunately I think the link to the example is missing. Can you please repost it?

Ok, so I believe I can sort out the users/pwd with rsync. Could you please help me write a little script that does the following:

apt-get update
apt-get install squid rsync -y
scp repo@server1.net:/home/repo/squid.conf /etc/squid/squid.conf
service squid start
squid -k reconfigure
+ get some sort of rsync config file?
+ start rsync client

That would be all I need...

Thanks a lot!
Jay
Sorry
http://forums.devshed.com/scripts-94/shell-script-to-create-user-in-linux-using-text-file-81336.html

Blindly copying config files without knowing whether the versions changed is ill advised.

scp would likely require a password.

Presumably you would scp the configuration files from the source server where the repository is into the VM you want to synchronize.
Usually that will involve transferring the public keys for ssh.
and the configuration template.
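#!/bin/bash

# Refresh the package index, then install squid and rsync without prompting
apt-get update
apt-get install squid rsync -y
# Enable squid at boot (chkconfig is the Red Hat tool; on Debian/Ubuntu the equivalent is update-rc.d)
/sbin/chkconfig squid on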
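
One way to avoid copying a config file blindly is to let the installed daemon parse the candidate before it replaces the live file, which also catches directives the local version does not understand. This is an added example, not code from the thread; `install_checked` is a hypothetical helper, while `sshd -t -f` and `squid -k parse -f` are the daemons' own syntax checks.

```bash
#!/bin/bash
# install_checked SRC DEST MODE CHECK_CMD...
#   CHECK_CMD is run with the candidate file path appended as its last argument.
#   Prints "installed" or "unchanged"; returns non-zero if the file is rejected.
install_checked() {
    local src="$1" dest="$2" mode="$3"
    shift 3
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }

    # Nothing to do if the live file already matches.
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged; return 0
    fi
    # Validate the candidate while the running configuration is untouched.
    if ! "$@" "$src" >/dev/null 2>&1; then
        echo "rejected: $src failed validation" >&2; return 1
    fi
    # Keep the previous file so a bad change can be rolled back from the
    # SSH session that is still open.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    # Stage next to the destination, then rename, so the daemon never
    # reads a half-written file.
    cp "$src" "$dest.new" && chmod "$mode" "$dest.new" \
        && mv "$dest.new" "$dest" || return 1
    echo installed
}

# Intended use on the VPS (as root), once the files have arrived in /tmp:
#   install_checked /tmp/sshd_config /etc/ssh/sshd_config 600 sshd -t -f \
#       && service ssh reload
#   install_checked /tmp/squid.conf /etc/squid/squid.conf 644 squid -k parse -f \
#       && squid -k reconfigure
```

After changing the SSH port, open a second session on the new port before closing the first one.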

jiiins2

ASKER

Yes, scp and rsync would use keys to avoid password input. To make sure I deal always with the same version I would do:
apt-get install <package name>=<version>

What should be added to the script to distribute the required (if any) rsync config to clients?

Thanks
Jay
You will manually or have a script on the source system to push those settings to the VPS where you will run the script

Source system
script
#!/bin/bash

scp file1 file2 file3 file4 synchscript.sh identity.pub id_dsa.pub id_rsa.pub user@newvps:/tmp/

---

Trying to maintain the same version would mean that you would prevent updates when some are necessary security/improvements.

jiiins2

ASKER

I see your point regarding the updates. What's the best practice then? How can I retain some control over the versions on the different servers?
You would have to have a template of each version (Local VMs is an option) At which point you will export the list of application that have to be installed.
Then scp the list as a file to the new server at which point your script will determine the platform that it is on (uname -a, more /etc/*release*) and then apply updates/install missing packages based on that.

How many VPS are you looking at setting up/maintaining?

I could see the user creation/synchronization, but by trying to include everything you will end up with an unmanageable script.
Note most distros use UID >1000
so if you have previously created users with uid's under a 1000, you may have to add logic to check whether the uid you are about to set for a new user is already in use and generate an email, etc. to notify you so that you can make the determination what you want to do about that.
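
The user-file format and the UID-in-use check discussed in this thread, as an added example that is not code from any poster: `plan_users` is a hypothetical function that reads `username:password:UID:gid:comment:homedir:shell` lines, assumes the password field holds a hash rather than a plaintext password, and prints a plan for review instead of changing the system.

```bash
#!/bin/bash
# Input lines (root-only file, mode 600): username:hash:UID:gid:comment:homedir:shell
# The hash is not passed to useradd; feed "name:hash" to `chpasswd -e` afterwards.
# gid is read but unused: useradd creates a per-user group by default on Debian/Ubuntu.

# plan_users USERS_FILE [PASSWD_FILE] -> one line per entry: command or refusal
plan_users() {
    local users="$1" passwd="${2:-/etc/passwd}"
    local name hash uid gid comment home shell owner current
    while IFS=: read -r name hash uid gid comment home shell || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$name" in *[!a-z0-9_-]*|[!a-z_]*)
            echo "REFUSE $name: bad user name"; continue ;; esac
        case "$uid" in ''|*[!0-9]*)
            echo "REFUSE $name: bad uid"; continue ;; esac
        # UIDs below 1000 belong to system accounts.
        if [ "$uid" -lt 1000 ]; then
            echo "REFUSE $name: uid $uid below 1000"; continue
        fi
        # These fields end up inside a command line: plain characters only.
        if [ -n "$(printf %s "$comment$home$shell" | tr -d 'A-Za-z0-9 /._-')" ]; then
            echo "REFUSE $name: unsafe characters"; continue
        fi
        owner=$(awk -F: -v u="$uid" '$3 == u { print $1; exit }' "$passwd")
        current=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$passwd")
        if [ "$current" = "$uid" ]; then
            echo "SKIP $name: already present with uid $uid"
        elif [ -n "$current" ]; then
            echo "CONFLICT $name: exists with uid $current, wanted $uid"
        elif [ -n "$owner" ]; then
            echo "CONFLICT $name: uid $uid already used by $owner"
        else
            echo "useradd -m -u $uid -c '$comment' -d $home -s $shell $name"
        fi
    done < "$users"
}

# Usage: plan_users /root/users.txt     (review the output before running it)
```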
jiiins2

ASKER

The template idea sounds good. But how to generate the list of installed packages? If I use
dpkg --get-selections

I just get the general name without the version, i.e. (Squid        Install).

It's going to be about 25 VPS, but over time there would be some switches, like every month maybe the 2 slowest would get dropped in favor of 2 new ones.

As for the users/password sync, I think it's doable as currently there aren't any users and I can create them all from scratch.
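
An added example (not code from the thread) for the template approach: `dpkg -l` carries the version that `dpkg --get-selections` omits, and the receiving host can detect its platform and report where it drifts from the template list. The function names and the sample versions used to exercise it are constructed.

```bash
#!/bin/bash
# On the template host: one "name=version" line per installed package.
export_packages() {
    dpkg -l | awk '$1 == "ii" { print $2 "=" $3 }' | sort
}

# detect_platform [ROOT]: prints the os-release ID (e.g. ubuntu, debian),
# or redhat / debian from the older marker files, or unknown.
detect_platform() {
    local root="${1:-}"
    if [ -r "$root/etc/os-release" ]; then
        sed -n 's/^ID="\{0,1\}\([a-z0-9._-]*\)"\{0,1\}$/\1/p' "$root/etc/os-release"
    elif [ -r "$root/etc/redhat-release" ]; then
        echo redhat
    elif [ -r "$root/etc/debian_version" ]; then
        echo debian
    else
        echo unknown
    fi
}

# compare_packages WANTED INSTALLED: both files hold name=version lines.
# Prints what is missing here and what runs a different version.
compare_packages() {
    awk -F= '
        NR == FNR      { have[$1] = $2; next }
        !($1 in have)  { print "MISSING " $1 " (template " $2 ")"; next }
        have[$1] != $2 { print "DIFFERS " $1 " (template " $2 ", here " have[$1] ")" }
    ' "$2" "$1"
}

# On a new Debian/Ubuntu VPS, after the template list arrived as /tmp/wanted.txt:
#   case "$(detect_platform)" in
#     debian|ubuntu) export_packages > /tmp/here.txt
#                    compare_packages /tmp/wanted.txt /tmp/here.txt ;;
#     *) echo "no package template for this platform" >&2 ;;
#   esac
```

A DIFFERS line is a prompt to check whether the host is behind on updates, not a reason to pin it to the template's version.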
Can the VPS's be interconnected, openLDAP to manage users?
You have your central one, and the others will be replicas over VPN.

You can maintain the general installed application base.  To have each VPS be an exact replica of another you have to make sure that the same distro/version is deployed.
RedHat/Centos distro version wise maintains the same version of applications.
Not sure about the other distros.

jiiins2

ASKER

Well, they are all on the internet... Does OpenLDAP work outside a LAN?

The problem with application versions is that each VPS provider offers different distros, so I have to adapt to that constraint.
ASKER CERTIFIED SOLUTION
arnold
jiiins2

ASKER

Thanks man