Friday, April 4, 2008

Getting a little pushy...

In our Solaris environment, we use a pair of machines for jumpstart, home directory hosting, and (here's the potentially unique bit) pushing configuration files or changes to the rest of the environment. The push process is the first component of a strategy for keeping OS configuration consistent across the environment. It certainly has its limitations, but that's fodder for another post...

The setup
Since these boxes are our jumpstart servers, they know about all of the other Solaris machines in the environment. We leverage that to make sure we are pushing to everyone:

...
open (ETHERS,"/etc/ethers") or die "cannot read /etc/ethers: $!";
foreach $line(<ETHERS>){
    # /etc/ethers lines are "MAC hostname"; skip blank lines and comments,
    # and split on any whitespace rather than a single space so that
    # tab-separated entries are not silently dropped
    next if $line =~ /^\s*(#|$)/;
    $hostname = (split(' ',$line))[1];
    chomp $hostname;
...
}
close (ETHERS);
...


The second core piece is our ssh configuration. To do a hands-off push to all of our hosts, we need to be able to log in to them without entering a password on each. To accomplish that, the jumpstart servers both have the private portion of an ssh-keygen-generated key pair. As part of the jumpstart process, they populate root's .ssh/authorized_keys file with the public portion of that key pair. They also put a modified version of the sshd_config file on each box during the jump:

...
#PermitRootLogin no
PermitRootLogin without-password
...

Note that "without-password" only disables password authentication for root; key-based root login is still allowed, which is exactly what the push needs. The flip side is that the one private key on the jumpstart servers is now an administrative credential for every host in the environment, so it should be readable by root only, and its entry in each host's authorized_keys is best restricted with a from= option naming the jumpstart servers, so that a copy of the key is useless from anywhere else.


What, when, and how
We now have an infrastructure that both gives us the names of all the hosts in the environment and guarantees we can do an administrative login to them over ssh. Sounds like a hacker's dream, but I had to sign an agreement to only use my power for good, so it's time to start pushing. Another snippet from a push script:

$ssh_pid = open (SSH,"|/usr/bin/sftp $hostname >/dev/null 2>&1")
    or die "cannot start sftp for $hostname: $!";
print SSH "put /etc/group /etc/group\n";
print SSH "put /data/passwd.$hostname /etc/passwd\n";
print SSH "put /etc/shadow /etc/shadow\n";
print SSH "put /etc/project /etc/project\n";
print SSH "put /etc/auto_home /etc/auto_home\n";
print SSH "put /usr/local/bin/zone_map /usr/local/bin/zone_map\n";
print SSH "put /opt/sfw/etc/sudoers /opt/sfw/etc/sudoers\n";
print SSH "quit\n";
debug_msg("closing connection to $hostname");
# close() returns false if sftp exited non-zero (a failed put, a host that is
# down); with sftp's output discarded above, $? is the only sign a host was
# not updated, so report it rather than ignore it
close (SSH) or warn "push to $hostname failed: sftp exit status ".($? >> 8)."\n";


That's (part of) the "What and the How," and here's the "When"

37 2 * * * /usr/local/bin/update_push_nightly.sh
0,10,20,30,40,50 * * * 1-5 /usr/local/bin/update_push_frequent.pl

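Putting the ethers loop and the sftp push above together, here is an added example of how I would write the push so that a failed transfer can never leave a truncated /etc/passwd or /etc/shadow on a target. It is my code, not the post's push script, and it assumes a few things the post does not show: an embedded, constructed sample of /etc/ethers in place of the real file, a shortened file list with a hypothetical %h placeholder for the per-host passwd, a .push staging suffix, sftp's batch mode (-b -), and a $DRY_RUN switch that prints the generated batch instead of connecting anywhere.

```perl
#!/usr/bin/perl
# Added example, not the original post's push script.
# Each file is uploaded to "<dest>.push" on the target and renamed over the
# live path only after the upload succeeded, so an interrupted put leaves the
# live file untouched. Assumed/hypothetical: the file list, the %h placeholder,
# the .push suffix and $DRY_RUN. Needs key-based root login as in the post.
use strict;
use warnings;

# Constructed sample in the format of /etc/ethers ("MAC  hostname").
my $ethers_sample = <<'END';
# MAC            hostname
0:3:ba:1:2:3     sol-web01
0:3:ba:4:5:6     sol-db01     # trailing comment, still one entry
0:3:ba:7:8:9     sol-app01
END

# Local source => remote destination. %h is expanded to the hostname.
my @files = (
    [ '/etc/group',           '/etc/group'           ],
    [ '/data/passwd.%h',      '/etc/passwd'          ],
    [ '/etc/shadow',          '/etc/shadow'          ],
    [ '/opt/sfw/etc/sudoers', '/opt/sfw/etc/sudoers' ],
);

my $DRY_RUN = 1;   # 1: print each host's sftp batch instead of running sftp

# Hostnames from ethers-style text: drop comments and blank lines, take the
# second whitespace-separated field (split ' ' also handles tabs).
sub hosts_from_ethers {
    my ($text) = @_;
    my @hosts;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;
        my @f = split ' ', $line;
        next unless @f >= 2;
        push @hosts, $f[1];
    }
    return @hosts;
}

# The sftp batch for one host. In batch mode sftp aborts at the first failing
# command, so a bad put never reaches the rename that would make it live.
# Renaming over an existing file relies on the server's posix-rename@openssh.com
# extension (OpenSSH sftp-server 4.8+); without it the rename fails, sftp
# aborts, and the .push file is left behind for inspection.
sub batch_for {
    my ($host) = @_;
    my $batch = '';
    for my $pair (@files) {
        my ($src, $dst) = @$pair;
        $src =~ s/%h/$host/g;
        $batch .= "put $src $dst.push\n";
        $batch .= "rename $dst.push $dst\n";
    }
    return $batch . "quit\n";
}

# Push to one host; returns 1 on success, 0 on failure.
sub push_host {
    my ($host) = @_;
    my $batch = batch_for($host);
    if ($DRY_RUN) { print "# $host\n$batch"; return 1 }
    # List-form open: no shell, so the hostname is never shell-interpreted.
    # "-b -" reads the batch from stdin; BatchMode=yes refuses to prompt.
    open(my $sftp, '|-', '/usr/bin/sftp', '-b', '-', '-o', 'BatchMode=yes', $host)
        or die "cannot start sftp for $host: $!";
    print $sftp $batch;
    # close() is false if sftp exited non-zero; $? carries its exit status.
    unless (close $sftp) {
        warn "push to $host failed (sftp exit status " . ($? >> 8) . ")\n";
        return 0;
    }
    return 1;
}

my @failed;
for my $host (hosts_from_ethers($ethers_sample)) {
    push @failed, $host unless push_host($host);
}
warn "failed hosts: @failed\n" if @failed;
exit(@failed ? 1 : 0);
```

Run as-is it only prints the batch it would feed to sftp for each of the three sample hosts; set $DRY_RUN to 0 and replace the sample text with the contents of /etc/ethers to push for real. The exit status of the script is non-zero if any host failed, which is what a cron job needs in order to mail somebody, and a host that fails is left either fully updated or untouched, never half-written.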

Next week we'll talk about what would go into the nightly instead of the frequent push. Also, we'll look at what's in the zone_map, how it got there, and what uses it.

3 comments:

Anonymous said...

Can't wait to read all about zone map!!! Twilight zone? Or other zones? LOL

Tom H said...

John, consider when you write these posts that you may have a wide audience (all members of the project team) reading through them. Your 'power for good' extends to the metaphors you choose to use in your posts. :-)

John McDevitt said...

I'm hoping my audience might grow a bit beyond the project team... Good point, though. I've made a three letter adjustment above.
