A while ago I was in the middle of trying to figure out how to keep track of package updates on all of my servers. I have around 300 servers of various platforms (Debian, Redhat, Solaris) and periodically I'd have to shell around and figure out which machines needed updates and which didn't.
I then decided that a neat thing to have was a way to do this from one central location. So created a web-based System Package Manager, "sysmgr", where I can see all of my servers and an indication as to which ones need updates. This project is life-like. Meaning it is slowly evolving with new features frequently.
Screenshot:
This application is evolving quickly and new features are welcome. . I have a current need for this application and will be adding features frequently as I see fit. Feel free to use. Post comments, suggestions, or patches in the forum .
Ability to upgrade a package on a remote server by clicking the package name.
User administration system.
Setup Rolls for different users. Admins can get into the admin section, while users can not.
Added Confirmation when deleting anything (system, users, groups).
Added button to upgrade an entire server.
Added Shell script that can run manually or under cron.
The ability to enable/disable servers temporarily.
Users may now specify remote commands per OS Type.
Search Funtionality.
Inventory of cpus, memory, and chip speeds.
Automatic Database upgrades.
TODO/Wishlist
A PHP installer.
Sun Solaris upgrade support.
Themes!
History of PkiMap
As a security manager, the task of trying to manage who has ssh public keys installed in what accounts and from what machines do they have access to/from. I then thought it would be cool to create a map of what accounts had pki, or "Public Key Interface" ssh keys installed and what remote machines had access. I have come up with PkiMap. A couple of shell scripts that search your UNIX systems for installed public keys. this data then gets updated and displayed within System Manager. Just click on the pkimap tab and your will be presented with a heirarchy for that server:
This is an easy way, although not very intuative, way to install sysmgr.
First untar the package and make it available to your web server.
$ tar xvfz sysmgr.x.x.x.tar.gz
Note: replace x.x.x with the version of the package.
You can either put it under your httpd Document Root or add this to your httpd.conf:
Alias /sysmgr/ /path/to/sysmgr/
Options +FollowSymLinks AllowOverride None order allow,deny allow from all
Next make sure you have created the database in MySql and then point your browser to the location of install.php:
http://yoursite.com/sysmgr/install.php
For PkiMap: Copy the sysmgr/scripts/pkimap shell script to all of your remote machines. Keep sysmgr-pkimap on your management server which runs pkimap on the remote machines.
Usage: /usr/bin/sysmgr-pkimap [ -a | -g | -h | -l | -s ] -a - Check all systems. -h - Show This message. -g group - Specify sysmgr group to update -s hostname - Check this system -l - List hosts in group
Upgrading:
**Make a backup of your config.php**
Just untar the package ond overwrite your existing installation. Restore your backup of config.php.
Then upgrade the database schema:
mysql -u -D sysmgr -p < sysmgr_upgrade.sql<-- Dont have to do this anymore. Just untar, restore your config.php, and go!
--Important--
move the shell script from the scripts/ directory into /usr/local/bin or /usr/bin or wherever you want.
Setting up communication between apache and the remote servers:
Configuring the Directories
First, we are going to setup some directories. Let's assume that your super private admin-only password protected, Apache DENY protected website resides at: /var/www (referred to as DOCUMENT ROOT throughout this tutorial) where nobody can access it except you on your internal network's IP address and you have to use a 24 character length password to get into.
NOTE: This directory does not have to be in the DOCUMENT ROOT but is does need to be somewhere that the apache user can get to it. My system is not on an internet-facing system. Not that that was an excuse, but I felt it was adequite for what I needed to do.
First, we need to create a "working directory". This is where Apache will create its virtual environment for SSH. Essentially, this is going to be the same as the user directory of a standard system user, however we are not going to create a user for this. Go ahead and make a directory under your DOCUMENT ROOT named ssh
mkdir /var/www/ssh
Remember this directory because later on, you will be using it to to define some values in the config.php file
Now that we have our working directory setup, you need to generate a private and public key pair for SSH.
Creating the Private / Public SSH Key Pair
The key pair is basically a method of authenticating with a remote server using a key exchange. In other words, you do not have to type a password on the remote machine to login via SSH.
First, we need to generate the keys. So, login to your system as the user that the web server runs as, which is typically "apache", you only need to run this command:
ssh-keygen -t dsa -f ~/.ssh/id_dsa
WHEN PROMPTED FOR A PASSWORD, HIT ENTER TWICE. DO NOT ENTER A PASSWORD!
Now, let's assumed your username was 'apache' when you ran that command. In your HOME Directory, under a special directory named '.ssh', you will see two newly created files:
/var/www/.ssh/id_dsa This is your identity file, or your private key.
/var/www/.ssh/id_dsa.pub This is your public key file that you will install into the remote user's profile to authenticate against your local private key.
Now that you have those two files generated, you are ready to install the public key.
Installing the Pubilc Key on the Remote System
The next step is to install the public key into a profile of the user that resides on the remote system. You do this by running this command:
In the previous command USER is the local username such as 'apache' and the REMOTE_USER is the username on the remote machine and the REMOTE_HOST is the host name or the IP address of the remote machine.
For example, if I wanted to install this on machine "jupiter" under a user named 'foo', I would run:
When you run this command for the first time, you will need to enter the remote root password because you have no keys installed yet, so there's nothing to authenticate against. I have chosen root because I am going to want the ability to actually perform the upgrades from the browser, which was the whole point of this application anyways.
After your key is installed, PLEASE test it out! You want to make sure this works as advertised before you start pulling your hair out in PHP wondering why it does not work!. All you have to do is try to SSH into the remote box with the user.
ssh root@jupiter
If you are logged in without a password, then your key pair works and you're ready to start trying to SSH with PHP.
If the Key Pair Does Not Work
If it does not work, there are a few reasons why. The most common problem is that the remote user has never tried to SSH out of the box before. Therefore, there is no '.ssh' profile for that user. Simply login on that box as that user and try to SSH to another system. After that, repeat the key installation again and try to see if that works.
The other possiblity is that the SSH daemon configuration file is not properly configured for key authentication and you'll need to enable that!
Running the shell script
You can check your systems periodically by using the sysmgr-refresh shell script. The usage is as follows:
Usage: /usr/bin/sysmgr-refresh [ -a | -g | -h | -s ] -a - Check all systems. -h - Show This message. -g group - Specify sysmgr group to update -s hostname - Check this system
Example: /usr/bin/sysmgr-refresh -a -g development
Note* You will have to run the script for each group if you want to check every system you have.
Remote commands that work for me: (Send me your commands that work for you. I will include them here)
