On Jul 16, 2012, at 8:03 AM, Lee Stewart wrote:
> I'd never thought about it before, but a customer pointed out that when
> you clone a system, each Linux clone has the same Host RSA key
> fingerprint as its master. I can't think of anything that would cause
> a problem with. On the other hand, if they wanted to regenerate the
> keys, does it take more than erasing the current keys and restarting sshd?
That's all it takes.
Some of the security features of ssh break down in subtle ways if you have
multiple hosts with the same host key. I personally would advise creating new
keys for each clone. It was part of the clone automation I implemented in a
prior life.
Since I think none of this is left in production and somebody should get use
from it...
If you have a DHCP server on your VSWITCH, with entries in it like this:

host lnx80151 {   # ascii --> \0 L N X 8 0 1 5 1 <-- VM username
    option dhcp-client-identifier 00:4c:4e:58:38:30:31:35:31;
    option host-name "linux-dhcp-demo";
    fixed-address 192.168.13.151;
}
And change dhcpcd on your linux systems so that the client sends the VM
username as its client ID. On SLES this is the DHCLIENT_CLIENT_ID line in
/etc/sysconfig/dhcp:

DHCLIENT_CLIENT_ID=`/usr/bin/awk '/VM00 Name:/ { print $NF }' /proc/sysinfo`
Then you'll get the ability for a clone to detect that it's been cloned, using
information provided by the DHCP client. From there, you can automate all kinds
of post-clone configuration (which is also useful for reconfiguring guest
network settings in a DR test scenario), with dhcp-config-hook type scripts
(SuSE provides an example for changing smb.conf when the DHCP lease changes).
My dhcp-config-hook script was ugly but effective. I'll share it; check the end
of the message. I also had to write an early-stage init script to regenerate
UUIDs for LVM and XFS, that also worked off detecting that the VM user name had
changed. I'll share that too, since I'm sharing. You guys are welcome to take
from them what you need.
ok
bear.
---[BEGIN /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]---
#! /bin/bash
#
# Update system config files after DHCP changes
# Inspired by SuSE 'dhcpcd-hook-samba'
#
# 20070426 rjs
#
# Apparently we receive these as arguments:
#   $1    - configuration name, e.g. ifcfg-qeth-bus-ccw-0.0.a001
#   $2    - interface name, e.g. eth0
#   $3-$n - additional options. Unknown whether this is anything useful or
#           important.
#
# The important bits:
# 1. This script is called for every ifup, whether dhcp is used, or not.
#    Therefore, it is up to us to read a bunch of junk to determine whether
#    it's even appropriate to run.
#
# 2. I was cranky about the way the SuSE script relies on dhcpcd providing
#    old lease information, but then realized that it was a handy interface
#    for consolidating a few system maintenance processes that used to be
#    separate, into one. If the SuSE DHCP client ever changes so that the
#    old lease information is not available, things will become complicated
#    again.
#
# 3. There is no number 3.
#
# 4. If we ever decide to use dhclient instead of dhcpcd, some of this will
#    have to be rewritten.
#
# 5. The "new" version of dhcpcd is completely rewritten since SLES10 and no
#    longer provides old lease information. This script has been updated to
#    simulate this behavior. It creates an edge condition for the first run
#    but as long as the extra step to create the initial old lease file
#    stays in the process we should never encounter it (the edge condition)
#    in normal operation.
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin ; export PATH

# config file locations
# (IF_CONFIG_FILE depends on the configuration name passed as $1, so it is
# set further down, once the arguments have been parsed)
DHCP_CONFIG_FILE="/etc/sysconfig/network/dhcp"

# files we may change
SSH_HOST_KEYS='/etc/ssh/ssh_host*key*'
FILES="HOSTN HOSTS DSM VSFTPD POSTFIX_MAIN ANALOG APACHE2"
# don't let any of these variable names be the same as records in
# /var/lib/dhcpcd*info !
HOSTN="/etc/HOSTNAME"
HOSTS="/etc/hosts"
DSM="/etc/dsm.sys"
VSFTPD="/etc/vsftpd.conf"
POSTFIX_MAIN="/etc/postfix/main.cf"
ANALOG="/etc/analog.cfg"
APACHE2="/etc/apache2/default-server.conf"

#
# Function declarations
#
function log_debug() {
    case "${options}" in
        *debug*)
            logger -t "$0" -p daemon.debug "$1"
            ;;
    esac
}

function log_error() {
    logger -t "$0" -p daemon.err "$1"
    exit 1
}

function getLeaseInfo() {
    DHCP_LEASE="/var/lib/dhcpcd/dhcpcd-${iface}.info"
    DHCP_OLD="/var/lib/dhcpcd/dhcpcd-${iface}.info.old"
    # this will break on the first call after making the system
    # a dhcp client... i.e. new install. I think in practice
    # we should never see this happen.
    if [ -r "${DHCP_LEASE}" -a -r "${DHCP_OLD}" ] ; then
        # the .info files are plain shell assignments (CLIENTID=..., etc.),
        # so sourcing them is enough to pick up the lease values
        . "$DHCP_LEASE"
        new_CLIENTID=$CLIENTID
        new_HOSTNAME=$HOSTNAME
        new_DOMAIN=$DOMAIN
        new_IPADDR=$IPADDR
        . "$DHCP_OLD"
        old_CLIENTID=$CLIENTID
        old_HOSTNAME=$HOSTNAME
        old_DOMAIN=$DOMAIN
        old_IPADDR=$IPADDR
    else
        log_error "$0 can't read DHCP lease info. Aborting."
    fi
}
#
# end function decl.
#

if [ $# -lt 2 ] ; then
    log_error "$0 did not receive the right number of arguments."
fi
cfg="$1" ; shift
iface="$1" ; shift
options="$*"    # apparently this may begin with "-o" ... ?

# now that the configuration name is known, locate its ifcfg file
IF_CONFIG_FILE="/etc/sysconfig/network/ifcfg-${cfg}"

#
# Figure out whether we even ought to be running.
#
# 1. Check /etc/sysconfig/network/dhcp
#    relies on extra variable not part of normal SuSE installation
#    DHCLIENT_MODIFY_SYS_FILES (must be added for this to work)
#
# 2. Check /etc/sysconfig/network/ifcfg-(ifname)
#    if we're not setup for dhcp on this interface, exit quietly
#
if [ -r "$DHCP_CONFIG_FILE" ] ; then
    . "$DHCP_CONFIG_FILE"
    case "${DHCLIENT_MODIFY_SYS_FILES}" in
        yes|YES|Yes) : ;;
        *) exit 0 ;;
    esac
fi
if [ -r "$IF_CONFIG_FILE" ] ; then
    . "$IF_CONFIG_FILE"
    case "${BOOTPROTO}" in
        dhcp|dhcp+autoip) : ;;
        *) exit 0 ;;
    esac
fi

getLeaseInfo

#
# did anything important change?
#
predicate=0
for info in CLIENTID HOSTNAME DOMAIN IPADDR ; do
    new="new_$info"
    old="old_$info"
    log_debug "${info}: NEW (${!new}) OLD (${!old})"
    # count the changed items (a bare "$((predicate++))" would try to run
    # the old counter value as a command)
    [ "${!new}" != "${!old}" ] && predicate=$((predicate + 1))
done
#
# if nothing important changed, end quietly, now.
#
log_debug "PREDICATE $predicate"
[ $predicate -eq 0 ] && exit 0

#
# something important changed, so fix files
#
# first, clean up some cruft: a different client ID means we are a fresh
# clone, so drop the inherited ssh host keys (the sshd init script creates
# new ones on its next start) and the master's shell history
if [ "$old_CLIENTID" != "$new_CLIENTID" ] ; then
    rm -f ${SSH_HOST_KEYS}
    rm -f /root/.*history
fi

new_LONGNAME=${new_HOSTNAME}.${new_DOMAIN}
old_LONGNAME=${old_HOSTNAME}.${old_DOMAIN}
log_debug "LONGNAME: NEW ($new_LONGNAME) OLD ($old_LONGNAME)"
echo "DHCP client configuration changed."
for file in $FILES ; do
    if [ -r "${!file}" ] ; then
        echo " updating ${!file}."
        cp "${!file}" "${!file}.dhcpold"
        # this is ugly.
        # change the old info to the new info
        # but an old_IPADDR of 192.168.13.12 will also match 192.168.13.120, etc.
        # so to make sure we get only the address (shortname, etc.) we care about
        # (barring shortnames like "the" or "web" (eek!)) make sure the patterns
        # are preceded and followed only by whitespace, quotation marks, equal
        # signs, open or close parentheses, BOL (^) or EOL ($), and that the
        # replacements are preceded and followed by the same.
        sed -e "s/\(^\|[(\"' \t=]\)${old_LONGNAME}\([)\"' \t=]\|$\)/\1${new_LONGNAME}\2/
                s/\(^\|[(\"' \t=]\)${old_HOSTNAME}\([)\"' \t=]\|$\)/\1${new_HOSTNAME}\2/
                s/\(^\|[(\"' \t=]\)${old_IPADDR}\([)\"' \t=]\|$\)/\1${new_IPADDR}\2/
                s/\(^\|[(\"' \t=]\)${old_CLIENTID}\([)\"' \t=]\|$\)/\1${new_CLIENTID}\2/" \
            "${!file}.dhcpold" > "${!file}"
    fi
done

# keep it going since dhcpcd no longer does this for us, as of SLES 11.
# not needed (and undesirable) for SLES10 or earlier.
cp "$DHCP_LEASE" "$DHCP_OLD"
---[END /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]---
---[BEGIN /etc/init.d/boot.lvmunclone]---
#! /bin/bash
#
# - ;rjs
# - post cloning housework
# - 20090120 updated to gen new XFS UUIDs, in addition to LVM UUIDs
#
### BEGIN INIT INFO
# Provides:          boot.lvmunclone
# Required-Start:    boot.udev boot.device-mapper
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:     B
# Default-Stop:
# Description:       Guarantee unique LVM UUIDs on vgroot after cloning
### END INIT INFO

[ "$1" != "start" ] && exit 0

VG=vgroot

# sed, awk, and grep are all in bin, dynamically linked with libc in /lib64
# no need for /usr to be mounted, just for the dynamic loader to work
#
# xfs_admin is in /usr/sbin though.
#
# The z/VM guest name is kept as a tag on the volume group; if the tag
# doesn't match the guest we are running under now, we are a clone.
VM00=$(awk '/VM00 Name/ { print $NF }' /proc/sysinfo)
if [ -z "${VM00}" ] ; then
    # no VM00 Name (not under z/VM, or sysinfo unreadable): nothing to compare
    exit 0
fi
TAGS=$(vgs --noheadings -o vg_tags "${VG}" | sed -e 's/,/ /g')

# match the guest name as a whole tag, not as a substring of another name
case " ${TAGS} " in
    *" ${VM00} "*)
        # VG tagged with VM00 Name, no work needed
        exit 0
        ;;
    *)
        # VG tagged with some other VM00 Name, we were cloned
        echo "Regenerating LVM UUIDs (${VG})."
        # pvdisplay -c / lvdisplay -c print colon-separated records with the
        # device in field 1 and its volume group in field 2
        for dev in $(pvdisplay -c | awk -F':' -v vg="${VG}" '$2 == vg { print $1 }') ; do
            pvchange -u "${dev}"
        done
        vgchange -u "${VG}"
        for dev in $(lvdisplay -c | awk -F':' -v vg="${VG}" '$2 == vg { print $1 }') ; do
            # only XFS volumes get a new filesystem UUID; skip swap and the like
            if [ "$(blkid -o value -s TYPE "${dev}")" = "xfs" ] ; then
                xfs_admin -U generate "${dev}"
            fi
        done
        # update vg tags for next run.
        for tag in ${TAGS} ; do
            vgchange --deltag "${tag}" "${VG}"
        done
        vgchange --addtag "${VM00}" "${VG}"
        ;;
esac
---[END /etc/init.d/boot.lvmunclone]---
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/