How to distribute automatic updates to Linux clients

At work, as the number of clients on the company network grew, I needed to distribute updates automatically.
Along the way I ran into a lot of weird problems caused by Linux permissions and Bash execution.
So let's have a look at our setup.
We have one server (CentOS 6.5 in this case, but that's not significant) and many Ubuntu 12.04 LTS clients (this is not very significant either).

Our goal

Automatically download some settings (whatever you want) from the server on every client and automatically update the client's settings.

Step 1 - SSH automatically to server

On client

First of all I need to SSH to the server automatically. So log in as root on the client and then type

 ssh-keygen -t rsa  

You need this to create a public and a private key, which take the place of the password.

Then send the public key generated on the client to the server

 cd /root/  
 cat .ssh/id_rsa.pub | ssh [username]@[servername] -p [port] 'cat >> .ssh/authorized_keys'  

On server

 chmod 700 .ssh
 chmod 640 .ssh/authorized_keys

Adjust the permissions so that only root can manage this file.
authorized_keys is the file where every client stores its public key, so at every login the server checks this file to recognize the key sent by the client.

Step 2 - Configure the automation 

On client

Now that we can log in automatically whenever we want, let's see how to automate something.
First I create the file to be run automatically, named "script_to_execute.sh", containing something like this

 scp -P [port] -c blowfish -C [username]@[servername]:/source_path/script /destination_path/s 

This script downloads a file from the server via SCP every time it runs.
SCP runs over SSH, so once the SSH login works, SCP works as well.

The next step is to define when this script should be called. I decided to define this directly in crontab. Because of user permissions, the simplest way to do this is to log in as root on the client and edit root's crontab. So type

 crontab -e  

and then insert this line

 0 9,14 * * * /bin/sh /path/script 2>&1 | tee -a /path/update.log  

This way the script is executed twice a day, at 9 A.M. and 2 P.M., and both STDOUT and STDERR are appended to the file "update.log".
You can choose any hour or day you prefer; this is only an example.
For a more detailed guide to crontab see: www.thegeekstuff.com/practical-crontab-examples/
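
The cron job above runs as root and applies whatever the server sent, so a check before the file is put in place is worth having. The following is an added example, not part of the original post: it installs a downloaded file only if its SHA-256 matches a manifest entry, and otherwise leaves the current file untouched and prints a line that ends up in update.log. The manifest, its format, the function names and the paths are assumptions; a manifest fetched from the same server catches truncated or corrupted transfers, not a compromised server.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes the server also
# publishes a manifest in sha256sum format: "<sha256>  <filename>".

# expected_sum MANIFEST NAME: print the hash listed for NAME, fail if absent.
expected_sum() {
    awk -v n="$2" '$2 == n { print $1; found = 1; exit }
                   END { exit !found }' "$1"
}

# install_verified STAGED MANIFEST DEST
# Install STAGED at DEST only if its SHA-256 matches the manifest entry for
# DEST's base name. On any failure DEST is left untouched and 1 is returned.
install_verified() {
    staged=$1; manifest=$2; dest=$3
    name=$(basename "$dest")

    want=$(expected_sum "$manifest" "$name") || {
        echo "REJECT $name: no manifest entry"; return 1; }
    got=$(sha256sum "$staged" | cut -d ' ' -f 1)

    if [ "$got" != "$want" ]; then
        echo "REJECT $name: sha256 mismatch (got ${got:-nothing})"
        return 1
    fi

    # Copy next to DEST, then rename, so a reader never sees a partial file.
    # Mode 644 is an assumed choice for a settings file read by a daemon.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cp "$staged" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$dest"; then
        echo "OK $name updated"
    else
        rm -f "$tmp"; return 1
    fi
}

# Hypothetical use in script_to_execute.sh, after scp has fetched the file
# and MANIFEST into a staging directory (all paths are placeholders):
#   install_verified /staging/blacklist /staging/MANIFEST /destination_path/blacklist
```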

Step 3 - Create an alert

On client

In the previous two steps we've seen how to log in automatically and how to automate the execution of a script. Now we need to know whether our automatic updates are working or not.
For this reason, on the client I create a script that automatically sends an email every time the log file is written.

 # sendemail.sh
 # log file written by the cron job
 logfile=/path/update.log
 # recipient of the report (placeholder, set your own address)
 email="[recipient_address]"
 pcname=`cat /etc/hostname`
 subject="Log update PC $pcname"
 # copy the content of update.log to emailmessage variable
 emailmessage=`cat "$logfile"`
 actualsize=$(du -b "$logfile" | cut -f 1)
 # check if update.log file contains something
 if [ "$actualsize" -gt 0 ]; then
      sendEmail -f sender@foo.com -t "$email" -u "$subject" -m "$emailmessage" -s [smtp_name]:[smtp_port] -xu [smtp_username] -xp [smtp_password]
 fi
 # delete update.log
 rm "$logfile"

That's all. This is only a small example that shows the potential of this tool.
For example, I use this to update the blacklists and whitelists of DansGuardian on the clients, or to update an HTTPS proxy that I built and that I will describe in detail on these pages sooner or later.

Thanks all and don't hesitate to ask if you are confused about this.
