computing:remote-upgrades

Differences

This shows you the differences between two versions of the page.

computing:remote-upgrades [2019/05/11 16:55] oemb1905computing:remote-upgrades [2020/01/27 20:42] (current) oemb1905
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-Ok, I was looking for an easy secure way to remotely upgrade the servers I manage all at once from my primary server.  I found some good online tutorials, and adjusted to my needs as follows.  And before you begin, you should only do this after you set up pubkey ssh, disable password authentication, and disable root authentication - see my ssh tutorial for help with setting that up.  Once your ssh access is secure, create a small shell script on each target machine that will update and upgrade its OS.+For remote upgrades from primary workstationfirst create a file on target called apt-remote:
  
   sudo touch /usr/local/bin/apt-remote   sudo touch /usr/local/bin/apt-remote
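
Review bot: the replacement sentence on the + side of line 11 drops the prerequisite the old text stated (pubkey ssh set up, password authentication disabled, root authentication disabled) before anything else is configured. The steps that follow grant passwordless sudo for this script, so the setup depends on that ssh hardening being in place; suggest keeping a one-sentence prerequisite and the pointer to the ssh tutorial ahead of "first create a file on target called apt-remote".
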
Line 18: Line 18:
   sudo nano /usr/local/bin/apt-remote   sudo nano /usr/local/bin/apt-remote
      
-Enter your desired updating and upgrading parameters.  For example, you could optionally enter a "-y" flag on these target machine scripts to additionally not be prompted when running upgrades.  I do not advise this, in particular, just making the point that one can customize the update and upgrade script on each machine to whatever that target machine requires.  Here is what I use+Once that is doneput in some parameters that will provide nice feedback to you while you execute the command from primary workstation
-  +
   #!/bin/bash   #!/bin/bash
-  apt update && apt dist-upgrade+  echo "I am beginning"; 
 +  cat /etc/motd 
 +  apt update 
 +  apt dist-upgrade 
 +  apt autoremove 
 +  apt autoclean 
 +  echo "I just finished"; 
 +  echo "----->" 
 +  echo "-----> ----->" 
 +  echo "-----> -----> ----->" 
 +  echo "-----> -----> -----> ----->" 
 +  echo "-----> -----> -----> -----> -----> ... ... " 
 +  hostname 
 +  date 
 +  uname -a 
 +  echo "If there is another, I will begin that now ..."; 
 +  sleep 10s
  
-Edit the sudoers file to allow this command to be executed without password, thus enabling you to remotely execute this command over secure pubkey authentication without prompting you for additional authentication.  Change the "username" parameter to the user on that particular target machine.+Edit sudoers so that this command can be run on target without password, (or, if your prefer, do not do this, and then you can enter the password for each target as the primary workstations script executes):
  
   sudo nano /etc/sudoers   sudo nano /etc/sudoers
    
 Add the following to the file, obviously changing "username" to the target machine's user name.  Add the following to the file, obviously changing "username" to the target machine's user name. 
- +  
   username ALL=(root) NOPASSWD: /usr/local/bin/apt-remote   username ALL=(root) NOPASSWD: /usr/local/bin/apt-remote
- +   
-Once this is set up, reboot each remote target, and now switch to configuring the primary workstation that you stage your updates from.  On the primary workstation, create a small shell script that updates your remote servers by remotely executing the scripts you made on each target from the primary workstation.  Here is an example, of a suitable shell script:+Now you are ready to create the script on the primary workstation (localhost) that will pass the apt-remote script to the target workstations:
  
   sudo touch /usr/local/bin/apt-remote-update.sh   sudo touch /usr/local/bin/apt-remote-update.sh
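
Review bot: `sudo nano /etc/sudoers` edits the live sudoers file with no syntax check, and a typo there can leave a remote target without working sudo; suggest `sudo visudo`, or a file under /etc/sudoers.d checked with `visudo -c`. The NOPASSWD rule for /usr/local/bin/apt-remote is only as safe as that file's permissions, so the text should say the script must stay owned by root and not writable by "username". In the new script body, `apt update` and `apt dist-upgrade` are no longer joined with `&&` as in the removed line, so the upgrade, autoremove and autoclean steps run even when the update step failed; either restore `&&` or add `set -e` under the shebang.
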
Line 41: Line 57:
      
   #!/bin/bash   #!/bin/bash
-  hostsa="servera.com serverb.com"+  hosts="server.com 10.55.55.9"
   #run on each host   #run on each host
-  for i in $hostsa;+  for i in $hosts;
   do   do
-    echo $i; +    echo "I will now update" $i; 
-    ssh -t -p 60000 $i sudo apt-remote+    #ssh -t $i sudo apt-remote; 
-  done; +    ssh -t $i screen -S aptremotescreen sudo apt-remote;
-  #use another set up if the targets have different ssh configs, etc. +
-  hostsb="serverc.com" +
-  #run on each host +
-  for i in $hostsb; +
-  do +
-    echo $i+
-    ssh -t -p 222 $i sudo apt-remote;+
   done;   done;
  
-When you test it, there should be no password prompts to connect to the remote hosts as the sudoer entry on the targets ensure that will not happen.  Additionally, since your ssh connection is pubkey only, with no root or password access, this remotely executed command presents limited secruity flaws.  And, shall you want to do this with an openvpn config, something like this script might work:+If you would prefer to do these types of backups with a vpn connection (instead of port forwarding)then use something like these configurations below.
  
-  #!/bin/bash +Option 1 Using vpn connection, connect from localhost to remote host/server with ssh and screen, and then execute a script on the server that uses rsync over ssh to send its backup to target backup host on its LAN:
-  #cd /home/sexa/zion/client-recs/keith/vpn-keith/ +
-  #sudo openvpn vizcarraguitars.mooo.com.ovpn --daemon +
-  cd /home/sexa/zion/client-recs/keith/vpn-keith +
-  sudo openvpn vizcarraguitars.mooo.com.ovpn & +
-  sleep 10s +
-  #update hosts remotely using ssh +
-  hostsa="10.12.21.3 10.12.21.7" +
-  for i in $hostsa; +
-  do +
-    echo "I will now update" $i; +
-    ssh -t -p 59999 keith@$i sudo apt-remote; +
-  done; +
-  #finish the script +
-  cd ~ +
-  sudo killall openvpn +
-  sleep 10s+
  
-These configs an be found here +Use this script on your localhost[[https://repo.haacksnetworking.com/oemb1905/haackingclub/blob/master/backups/option1/localhost.sh|localhost.sh]] 
 +Use this script on the remote host that you are backing up: [[https://repo.haacksnetworking.com/oemb1905/haackingclub/blob/master/backups/option1/remote.sh|remote.sh]]
  
-Target Script:  https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/apt-remote +Option 2 Using vpn connection, connect from localhost to remote host/server with ssh and screen, and then execute a script on the server that uses rsync over ssh to send its backup back to you at localhost:
-Host Script:  https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/apt-remote-update.sh +
-VPN Script https://codetalkers.services/oemb1905/haackingclub/blob/master/nixnscripts/remote-update-vpn.sh+
  
- --- //[[netcmnd@jonathanhaack.com|oemb1905]] 2019/04/21 01:10//+Use this script on your localhost: [[https://repo.haacksnetworking.com/oemb1905/haackingclub/blob/master/backups/option2/localhost.sh|localhost.sh]] 
 +   
 + --- //[[jonathan@haacksnetworking.com|oemb1905]] 2020/01/27 13:18//
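
Review bot: the paragraph added after the loop says "these types of backups" and Options 1 and 2 describe rsync backups, while this page is computing:remote-upgrades and the removed VPN script was the only example of running apt-remote over a VPN; suggest either keeping an upgrade-over-VPN example here or moving the two options to the backups page and linking to it. Option 2 links only localhost.sh although its description has a script executing on the server, so the remote script link looks missing. In the loop, the old `ssh -t -p 60000 $i sudo apt-remote` form with a per-group port is gone and the new `ssh -t $i screen -S aptremotescreen sudo apt-remote;` assumes every host in `hosts` uses the same ssh settings; a sentence on where the port and user now come from (for example ~/.ssh/config) would help, and `$i` should be quoted as `"$i"`.
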
computing/remote-upgrades.1557593721.txt.gz · Last modified: 2019/05/11 16:55 by oemb1905