yo61.com » scripting

Pre-generate sshd certificates

Robin Bowes — Wed, 11 Nov 2009 10:27:31 +0000

I use puppet to distribute my sshd configuration, including pre-generated ssh certificates.

Here's how I bulk create certificates for a bunch of new nodes named b001-b034:

for n in $(seq -w 1 34); do
    ssh-keygen -q -t rsa -f b0$n -C '' -N ''
done

Configuring lots of Dell DRACs at once

Robin Bowes — Tue, 10 Nov 2009 12:18:44 +0000

Having got racadm working on my workstation (see my previous post), the next step is to perform initial DRAC configuration, ie. change the root password, set the SSL cert values, etc.

First I checked that all DRACs were pingable:

for h in $(seq -w 1 34); do
    hn=b0$h.drac.example.com
    if ping -q -c 1 $hn >& /dev/null ; then
        echo OK
    else
        echo failed
    fi
done

Next, I created a drac config file (named drac.cfg) containing the settings that are common to all devices:

[cfgLanNetworking]
cfgDNSDomainName=drac.example.com
 
[cfgUserAdmin]
# cfgUserAdminIndex=2
cfgUserAdminUserName=root
cfgUserAdminPassword=secret
 
[cfgOobSnmp]
cfgOobSnmpAgentEnable=1
cfgOobSnmpAgentCommunity=my_community_name
 
[cfgRacSecurity]
cfgRacSecCsrKeySize=1024
# cfgRacSecCsrCommonName=
cfgRacSecCsrOrganizationName=example.com
cfgRacSecCsrOrganizationUnit=Web Services
cfgRacSecCsrLocalityName=My City
cfgRacSecCsrStateName=My State
cfgRacSecCsrCountryCode=IE
cfgRacSecCsrEmailAddr=contact@example.com

I then ran a script to apply the common configuration to all devices. I also set the device-specific settings in the same script:

for n in $(seq -w 1 34); do
    host=b0$hn
    domain=drac.example.com
    fullname=$host.$domain
    racadm -r $fullname -u root -p calvin config -g cfgLanNetworking -o cfgDNSRacName $host
    racadm -r $fullname -u root -p calvin config -g cfgRacSecurity -o cfgRacSecCsrCommonName $fullname
    racadm -r $fullname -u root -p calvin config -f drac.cfg
done

Notice that I don't change the default password until last.

Now, I just need to work out how to generate the CSR, sign it, and upload the new cert…

Check file system integrity of multiple xen domU guests

Robin Bowes — Mon, 09 Nov 2009 00:20:10 +0000

I needed to check the integrity of the file systems on several xen domU guests while the guests were shutdown, ie. I needed to do it from the dom0.

I use LVM logical volumes for the block devices for the guests disks named $host-disk0. These are stored in a volume group named vg_guests. I use kpartx to access the partitions on the block device.

Each guest disk has a small physical partition for /boot; the rest of the disk is allocated to a 2nd partition which is used as an LVM volume group named vg_$host.

Here's a script I knocked up to do the job:

for host in host1 host2 host3 ; do
    # create devices from the LVs
    kpartx -av /dev/mapper/vg_guests-$host--disk*
 
    # Activate the VGs for the host
    for vg in $(vgs --noheadings | grep $host | awk &#39;{print $1}' ) ; do
        echo Activating $vg
        vgchange -ay $vg
    done
 
    # check the file systems
    for p in $(/dev/mapper/vg_$host* | grep -v swap); do
        e2fsck -p $p
    done
 
    # Deactivate the VGs
    for vg in $(vgs --noheadings | grep $host | awk &#39;{print $1}' ) ; do
        echo De-activating $vg
        vgchange -an $vg
    done
 
    # Remove the devices
    kpartx -dv /dev/mapper/vg_guests-$host--disk0
done