Here is a version we run for each of our VM/zlinux servers to a allow
access to run scripts
on a inside web server in VMware. We do each and ecvery time a zLinux
Informix set up is
(and there will be about 120 instances)
MAYBE it will helps someone here:
------------------------------------------------------------------------------------------------
#!/bin/sh
##
## generate KEYS for Power User ..
## NOTE: INSIDESERVER variable is set prior
## To the script being run
if [ "$USER" != "root" ]
then
echo "YOu must be ROOT user to excute this ..."
exit 1
fi
cd /home/poweruser
rm -rf .ssh/
mkdir .ssh
chown poweruser:users .ssh/
su - poweruser -c 'ssh-keygen -b 2048 -t rsa -N "" -f
/home/poweruser/.ssh/id_rsa'
su - poweruser -c 'ssh-keygen -b 1024 -t dsa -N "" -f
/home/poweruser/.ssh/id_dsa'
echo "Now copying over the key pairs .."
cat /home/poweruser/.ssh/id_rsa.pub | ssh root@${INSIDESERVER} "cat >>
/root/.ssh/authorized_keys"
echo "Key gen now complete ..."
exit 0
-----------------------------------------------------------------------------------------------------------
Ben Duncan - Business Network Solutions, Inc. 336 Elton Road Jackson
MS, 39212
"Never attribute to malice, that which can be adequately explained by
stupidity"
- Hanlon's Razor
> -------- Original Message --------
> Subject: Re: Cloning & SSH keys
> From: "r.stricklin" <b...@typewritten.org>
> Date: Mon, July 16, 2012 9:24 pm
> To: LINUX-390@VM.MARIST.EDU
>
>
> On Jul 16, 2012, at 8:03 AM, Lee Stewart wrote:
>
> > I'd never thought about it before, but a customer pointed out that when
> > you clone a system, each Linux clone has the same Host RSA key
> > fingerprint as it's master. I can't think of anything that would cause
> > a problem with. On the other hand, if they wanted to regenerate the
> > keys, does it take more than erasing the current keys and restarting sshd?
>
> That's all it takes.
>
> Some of the security features of ssh break down in subtle ways if you have
> multiple hosts with the same host key. I personally would advise creating new
> keys for each clone. It was part of the clone automation I implemented in a
> prior life.
>
> Since I think none of this is left in production and somebody should get use
> from it...
>
> If you have a DHCP server on your VSWITCH, with entries in it like this:
>
> host lnx80151 { # ascii --> \0 L N X 8 0 1 5 1 <-- VM
> username
> option dhcp-client-identifier 00:4c:4e:58:38:30:31:35:31;
> option host-name "linux-dhcp-demo";
> fixed-address 192.168.13.151;
> }
>
> And change dhcpcd on your linux systems so that the client sends the VM
> username as its client ID. On SLES this is the DHCLIENT_CLIENT_ID line in
> /etc/sysconfig/dhcp:
>
> DHCLIENT_CLIENT_ID=`/usr/bin/awk '/VM00 Name:/ { print $NF }'
> /proc/sysinfo`
>
> Then you'll get the ability for a clone to detect that it's been cloned,
> using information provided by the DHCP client. From there, you can automate
> all kinds of post-clone configuration (which is also useful for reconfiguring
> guest network settings in in a DR test scenario), with dhcp-config-hook type
> scripts (SuSE provides an example for changing smb.conf when the DHCP lease
> changes).
>
> My dhcp-config-hook script was ugly but effective. I'll share it; check the
> end of the message. I also had to write an early-stage init script to
> regenerate UUIDs for LVM and XFS, that also worked off detecting that the VM
> user name had changed. I'll share that too, since I'm sharing. You guys are
> welcome to take from them what you need.
>
>
> ok
> bear.
>
> ---[BEGIN /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]---
>
> #! /bin/bash
> #
> # Update system config files after DHCP changes
> # Inspired by SuSE 'dhcpcd-hook-samba'
> #
> # 20070426 rjs
> #
> # Apparently we receive these as arguments:
> # $1 - configuration name, e.g. ifcfg-qeth-bus-ccw-0.0.a001
> # $2 - interface name, e.g. eth0
> # $3-$n - additional options. Unknown whether this is anything useful or
> # important.
> #
>
> # The important bits:
> # 1. This script is called for every ifup, whether dhcp is used, or not.
> # Therefore, it is up to us to read a bunch of junk to determine whether
> # it's even appropriate to run.
> #
> # 2. I was cranky about the way the SuSE script relies on dhcpcd providing
> # old lease information, but then realized that it was a handy interface
> # for consolidating a few system maintenance processes that used to be
> # separate, into one. If the SuSE DHCP client ever changes so that the
> # old lease information is not available, things will become complicated
> # again.
> #
> # 3. There is no number 3.
> #
> # 4. If we ever decide to use dhclient instead of dhcpcd, some of this will
> # have to be rewritten.
> #
> # 5. The "new" version of dhcpcd is completely rewritten since SLES10 and no
> # longer provides old lease information. This script has been updated to
> # simulate this behavior. It creates an edge condition for the first run
> # but as long as the extra step to create the initial old lease file
> # stays in the process we should never encounter it (the edge condition)
> # in normal operation.
> #
>
> PATH=/bin:/sbin:/usr/bin:/usr/sbin ; export PATH
>
> # config file locations
>
> IF_CONFIG_FILE="/etc/sysconfig/network/ifcfg-${cfg}"
> DHCP_CONFIG_FILE="/etc/sysconfig/network/dhcp"
>
> # files we may change
>
> SSH_HOST_KEYS='/etc/ssh/ssh_host*key*'
>
> FILES="HOSTN HOSTS DSM VSFTPD POSTFIX_MAIN ANALOG APACHE2"
>
> # don't let any of these variable names be the same as records in
> # /var/lib/dhcpcd*info !
>
> HOSTN="/etc/HOSTNAME"
> HOSTS="/etc/hosts"
> DSM="/etc/dsm.sys"
> VSFTPD="/etc/vsftpd.conf"
> POSTFIX_MAIN="/etc/postfix/main.cf"
> ANALOG="/etc/analog.cfg"
> APACHE2="/etc/apache2/default-server.conf"
>
> #
> # Function declarations
> #
>
> function log_debug() {
> case "${options}" in
> *debug*)
> logger -t $0 -p daemon.debug "$1"
> ;;
> esac
> }
>
> function log_error() {
> logger -t $0 -p daemon.err "$1"
> exit 1
> }
>
> function getLeaseInfo() {
> DHCP_LEASE="/var/lib/dhcpcd/dhcpcd-${if}.info"
> DHCP_OLD="/var/lib/dhcpcd/dhcpcd-${if}.info.old"
>
> # this will break on the first call after making the system
> # a dhcp client... i.e. new install. I think in practice
> # we should never see this happen.
>
> if [ -r ${DHCP_LEASE} -a -r ${DHCP_OLD} ] ; then
> . $DHCP_LEASE
>
> new_CLIENTID=$CLIENTID
> new_HOSTNAME=$HOSTNAME
> new_DOMAIN=$DOMAIN
> new_IPADDR=$IPADDR
>
> . $DHCP_OLD
>
> old_CLIENTID=$CLIENTID
> old_HOSTNAME=$HOSTNAME
> old_DOMAIN=$DOMAIN
> old_IPADDR=$IPADDR
> else
> log_error "$0 can't read DHCP lease info. Aborting."
> exit 1
> fi
> }
>
> #
> # end function decl.
> #
>
>
> if [ $# -lt 2 ] ; then
> log_error "$0 did not receive the right number of arguments."
> exit 1
> fi
>
> cfg="$1" ; shift
> if="$1" ; shift
> options="$@" # apparently this may begin with "-o" ... ?
>
> #
> # Figure out whether we even ought to be running.
> #
> # 1. Check /etc/sysconfig/network/dhcp
> # relies on extra variable not part of normal SuSE installation
> # DHCLIENT_MODIFY_SYS_FILES (must be added for this to work)
> #
> # 2. Check /etc/sysconfig/network/ifcfg-(ifname)
> # if we're not setup for dhcp on this interface, exit quietly
> #
>
> if [ -r "$DHCP_CONFIG_FILE" ] ; then
> . $DHCP_CONFIG_FILE
>
> case "${DHCLIENT_MODIFY_SYS_FILES}" in
> yes|YES|Yes) : ;;
> *) exit 0 ;;
> esac
> fi
>
> if [ -r "$IF_CONFIG_FILE" ] ; then
> . $IF_CONFIG_FILE
>
> case "${BOOTPROTO}" in
> dhcp|dhcp+autoip) : ;;
> *) exit 0 ;;
> esac
> fi
>
> getLeaseInfo
>
> #
> # did anything important change?
> #
>
> predicate=0
> for info in CLIENTID HOSTNAME DOMAIN IPADDR ; do
> new="new_$info"
> old="old_$info"
> log_debug "${info}: NEW \(${!new}\) OLD \(${!old}\)"
> [ "${!new}" != "${!old}" ] && $((predicate++))
> done
>
> #
> # if nothing important changed, end quietly, now.
> #
>
> log_debug "PREDICATE $predicate"
> [ $predicate -eq 0 ] && exit 0
>
>
> #
> # something important changed, so fix files
> #
>
> # first, clean up some cruft
>
> if [ "$old_CLIENTID" != "$new_CLIENTID" ] ; then
> rm ${SSH_HOST_KEYS}
> rm /root/.*history
> fi
>
> new_LONGNAME=${new_HOSTNAME}.${new_DOMAIN}
> old_LONGNAME=${old_HOSTNAME}.${old_DOMAIN}
> log_debug "LONGNAME: NEW \($new_LONGNAME\) OLD \($old_LONGNAME\)"
>
>
> echo "DHCP client configuration changed."
>
> for file in $FILES ; do
>
> if [ -r "${!file}" ] ; then
>
> echo " updating ${!file}."
> cp ${!file} ${!file}.dhcpold
> # this is ugly.
> # change the old info to the new info
> # but an old_IPADDR of 192.168.13.12 will also match 192.168.13.120, etc.
> # so to make sure we get only the address (shortname, etc.) we care about
> # (barring shortnames like "the" or "web" (eek!)) make sure the patterns
> # are preceeded and followed only by whitespace, quotation marks, equal
> # signs, open or close parentheses, BOL (^) or EOL ($), and that the
> # replacements are preceeded and followed by the same.
>
> sed -e "s/\(^\|[(\"\' \t=]\)${old_LONGNAME}\([)\"\'
> \t=]\|$\)/\1${new_LONGNAME}\2/
> s/\(^\|[(\"\' \t=]\)${old_HOSTNAME}\([)\"\'
> \t=]\|$\)/\1${new_HOSTNAME}\2/
> s/\(^\|[(\"\' \t=]\)${old_IPADDR}\([)\"\'
> \t=]\|$\)/\1${new_IPADDR}\2/
> s/\(^\|[(\"\' \t=]\)${old_CLIENTID}\([)\"\'
> \t=]\|$\)/\1${new_CLIENTID}\2/" \
> ${!file}.dhcpold > ${!file}
>
> fi
> done
>
> # keep it going since dhcpcd no longer does this for us, as of SLES 11.
> # not needed (and undesireable) for SLES10 or earlier.
>
> cp $DHCP_LEASE $DHCP_OLD
>
> ---[END /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]---
>
>
> ---[BEGIN /etc/init.d/boot.lvmunclone]---
>
> #! /bin/bash
> #
> # - ;rjs
> # - post cloning housework
> # - 20090120 updated to gen new XFS UUIDs, in addition to LVM UUIDs
> #
> ### BEGIN INIT INFO
> # Provides: boot.lvmunclone
> # Required-Start: boot.udev boot.device-mapper
> # Required-Stop:
> # Should-Start:
> # Should-Stop:
> # Default-Start: B
> # Default-Stop:
> # Description: Guarantee unique LVM UUIDs on vgroot after cloning
> ### END INIT INFO
>
> [ "$1" != "start" ] && exit 0
>
> VG=vgroot
>
> # sed, awk, and grep are all in bin, dynamically linked with libc in /lib64
> # no need for /usr to be mounted, just for the dynamic loader to work
> #
> # xfs_admin is in /usr/sbin though.
> #
>
> VM00=`awk '/VM00 Name/ { print $NF }' /proc/sysinfo`
> TAGS=`vgs --noheadings -o vg_tags ${VG} | sed -e 's/,/ /g'`
>
> case ${TAGS} in
> *${VM00}*)
> # VG tagged with VM00 Name, no work needed
> exit 0
> ;;
> *)
> # VG tagged with some other VM00 Name, we were cloned
> echo "Regenerating LVM UUIDs (${VG})."
>
> for dev in `pvdisplay -c | awk -F':' "/:${VG}:/ { print \\$1 }"` ; do
> pvchange -u ${dev}
> done
>
> vgchange -u ${VG}
>
> for dev in `lvdisplay -c | awk -F':' "/:${VG}:/ { print \\$1 }"` ; do
> xfs_admin -U generate ${dev}
> done
>
> # update vg tags for next run.
> for tag in ${TAGS} ; do
> vgchange --deltag ${tag} ${VG}
> done
>
> vgchange --addtag ${VM00} ${VG}
>
> ;;
> esac
>
> ---[END /etc/init.d/boot.lvmunclone]---
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> ----------------------------------------------------------------------
> For more information on Linux on System z, visit
> http://wiki.linuxvm.org/
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/
