I use puppet to distribute my sshd configuration, including pre-generated ssh certificates.
Here's how I bulk create certificates for a bunch of new nodes named b001-b034:
for n in $(seq -w 1 34); do
    ssh-keygen -q -t rsa -f b0$n -C '' -N ''
done
Having got racadm working on my workstation (see my previous post), the next step is to perform the initial DRAC configuration, i.e. change the root password, set the SSL cert values, etc.
First I checked that all DRACs were pingable:
for h in $(seq -w 1 34); do
    hn=b0$h.drac.example.com
    if ping -q -c 1 $hn >& /dev/null ; then
        echo OK
    else
        echo failed
    fi
done
Next, I created a drac config file (named drac.cfg) containing the settings that are common to all devices:
[cfgLanNetworking]
cfgDNSDomainName=drac.example.com

[cfgUserAdmin]
# cfgUserAdminIndex=2
cfgUserAdminUserName=root
cfgUserAdminPassword=secret

[cfgOobSnmp]
cfgOobSnmpAgentEnable=1
cfgOobSnmpAgentCommunity=my_community_name

[cfgRacSecurity]
cfgRacSecCsrKeySize=1024
# cfgRacSecCsrCommonName=
cfgRacSecCsrOrganizationName=example.com
cfgRacSecCsrOrganizationUnit=Web Services
cfgRacSecCsrLocalityName=My City
cfgRacSecCsrStateName=My State
cfgRacSecCsrCountryCode=IE
cfgRacSecCsrEmailAddr=contact@example.com
I then ran a script to apply the common configuration to all devices. I also set the device-specific settings in the same script:
for n in $(seq -w 1 34); do
    host=b0$n
    domain=drac.example.com
    fullname=$host.$domain
    # device-specific settings first, still using the default credentials
    racadm -r $fullname -u root -p calvin config -g cfgLanNetworking -o cfgDNSRacName $host
    racadm -r $fullname -u root -p calvin config -g cfgRacSecurity -o cfgRacSecCsrCommonName $fullname
    # common settings (including the new root password) last
    racadm -r $fullname -u root -p calvin config -f drac.cfg
done
Notice that I don't change the default password until last: drac.cfg sets the new root password, so applying it as the final step means the earlier per-device commands can still authenticate with the default credentials.
Now, I just need to work out how to generate the CSR, sign it, and upload the new cert…
I needed to check the integrity of the file systems on several xen domU guests while the guests were shut down, i.e. I needed to do it from the dom0.
I use LVM logical volumes as the block devices for the guests' disks, named $host-disk0. These are stored in a volume group named vg_guests. I use kpartx to access the partitions on the block device. Each guest disk has a small physical partition for /boot; the rest of the disk is allocated to a second partition which is used as an LVM volume group named vg_$host.
Here's a script I knocked up to do the job:
for host in host1 host2 host3 ; do
    # create devices from the LVs
    kpartx -av /dev/mapper/vg_guests-$host--disk*
    # Activate the VGs for the host
    for vg in $(vgs --noheadings | grep $host | awk '{print $1}') ; do
        echo Activating $vg
        vgchange -ay $vg
    done
    # check the file systems (skip the swap LV)
    for p in $(ls /dev/mapper/vg_$host* | grep -v swap); do
        e2fsck -p $p
    done
    # Deactivate the VGs
    for vg in $(vgs --noheadings | grep $host | awk '{print $1}') ; do
        echo De-activating $vg
        vgchange -an $vg
    done
    # Remove the devices
    kpartx -dv /dev/mapper/vg_guests-$host--disk0
done