remote-upgrades
Ok, I was looking for an easy, secure way to remotely upgrade all the servers I manage at once from my primary server. I found some good online tutorials and adjusted them to my needs as follows. Before you begin, only do this after you have set up pubkey ssh, disabled password authentication, and disabled root login - see my ssh tutorial for help with setting that up. Once your ssh access is secure, create a small shell script on each target machine that will update and upgrade its OS.
  sudo touch /usr/local/bin/apt-remote
  sudo chmod 750 /usr/local/bin/apt-remote
  sudo chown $USER:$USER /usr/local/bin/apt-remote
  sudo nano /usr/local/bin/apt-remote
Enter your desired update and upgrade commands. For example, you could add a “-y” flag to the script on a target machine so that you are not prompted when running upgrades. I do not advise this; I only mention it to make the point that the update and upgrade script on each machine can be customized to whatever that target requires. Here is what I use:
  #!/bin/bash
  apt update && apt dist-upgrade
Edit the sudoers file to allow this command to be executed without a password, so that you can run it remotely over pubkey ssh without being prompted for additional authentication. Change the “username” parameter to the user on that particular target machine.
  sudo nano /etc/sudoers
Add the following to the file, obviously changing “username” to the target machine's user name.
  username ALL=(root) NOPASSWD: /usr/local/bin/apt-remote
Once this is set up, reboot each remote target, then switch to configuring the primary workstation that you stage your updates from. On the primary workstation, create a small shell script that updates your remote servers by remotely executing the scripts you made on each target. Create the file the same way as on the targets:
  sudo touch /usr/local/bin/apt-remote-update.sh
  sudo chmod 750 /usr/local/bin/apt-remote-update.sh
  sudo chown $USER:$USER /usr/local/bin/apt-remote-update.sh
  sudo nano /usr/local/bin/apt-remote-update.sh
In the file that opens, enter the following script or something similar. It runs on the primary workstation and executes “sudo apt-remote” on each target machine. Again, none of this will work if your ssh is improperly configured.
  #!/bin/bash
  hostsa="servera.com serverb.com"
  # run on each host
  for i in $hostsa; do echo "$i"; ssh -t -p 60000 "$i" sudo apt-remote; done
  # use another set if the targets have different ssh configs, etc.
  hostsb="serverc.com"
  # run on each host
  for i in $hostsb; do echo "$i"; ssh -t -p 222 "$i" sudo apt-remote; done
When you test it, there should be no password prompts when connecting to the remote hosts, since the sudoers entry on each target ensures that. Additionally, because your ssh connection is pubkey only, with no root or password access, this remotely executed command presents limited security exposure. And, should you want to do this over an openvpn connection, something like this script might work:
  #!/bin/bash
  #cd /home/sexa/zion/client-recs/keith/vpn-keith/
  #sudo openvpn vizcarraguitars.mooo.com.ovpn --daemon
  # bring up the VPN in the background and give it time to connect
  cd /home/sexa/zion/client-recs/keith/vpn-keith || exit 1
  sudo openvpn vizcarraguitars.mooo.com.ovpn &
  sleep 10s
  # update hosts remotely using ssh
  hostsa="10.12.21.3 10.12.21.7"
  for i in $hostsa; do echo "I will now update $i"; ssh -t -p 59999 "keith@$i" sudo apt-remote; done
  # finish the script: tear the VPN down again
  cd ~
  sudo killall openvpn
  sleep 10s
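As an added example that is not one of the author's scripts linked below, here is a hardened version of the primary-workstation loop used in both scripts above: it takes `user@host:port` targets from a list, runs ssh in BatchMode so a missing key fails instead of falling back to a password prompt, and keeps a per-host pass/fail tally. The `SSH_BIN` override and the `APT_REMOTE_HOSTS` variable are my additions.

```shell
#!/bin/sh
# Added example, not the wiki author's script: a hardened version of the
# primary-workstation loop. Targets are "user@host:port" entries; BatchMode
# makes ssh fail instead of prompting when the pubkey login is not in place.

SSH_BIN="${SSH_BIN:-ssh}"   # swap in a stub for offline testing

# parse_target "user@host:port" -> prints "user@host port" (port defaults to 22)
parse_target() {
    case $1 in
        *:*) printf '%s %s\n' "${1%:*}" "${1##*:}" ;;
        *)   printf '%s %s\n' "$1" 22 ;;
    esac
}

# Run the target's apt-remote script over ssh; returns ssh's exit status.
# -t keeps a tty so apt can ask for confirmation, as in the original loop.
upgrade_one() {
    set -- $(parse_target "$1")
    "$SSH_BIN" -t -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=15 -p "$2" "$1" sudo /usr/local/bin/apt-remote
}

# Upgrade every target in the space-separated list $1, continuing past
# failures; prints one status line per host and returns the failure count.
upgrade_all() {
    failures=0
    for t in $1; do
        if upgrade_one "$t"; then
            echo "ok   $t"
        else
            echo "FAIL $t (ssh exit $?)" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Runs only when a host list is supplied, e.g.
#   APT_REMOTE_HOSTS="keith@servera.com:60000 keith@serverc.com:222" ./apt-remote-update.sh
if [ -n "${APT_REMOTE_HOSTS:-}" ]; then
    upgrade_all "$APT_REMOTE_HOSTS"
fi
```

Whatever /usr/local/bin/apt-remote contains is what the sudoers rule runs as root, so on each target that file should be owned by root and not writable by the ssh user; otherwise anyone holding that user's key can edit the script and obtain root without a password.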
These configs can be found here:
Target Script: https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/apt-remote
Host Script: https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/apt-remote-update.sh
VPN Script: https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/remote-update-vpn.sh
— oemb1905 2019/04/21 01:10