On 03.11.2013 14:23, Kevin Kofler wrote:
Michael Scherer wrote:
> When statistics cost you money, yeah, I think that's important to take
> them into account. Maybe your employer does not care about this, but I
> strongly suspect mine does, and I strongly suspect that most companies
> do care about this as well.
Company computers should get updated only by the sysadmins (which AFAIK is
how it works at his company, him being the CTO, sysadmin and lead developer
in one person), or by automated scripts running as root (which is how it's
done at my university, there's an autoupdate script running at bootup).
Users have no business updating company-managed computers.
exactly
because i am in the position to have them written and as CTO i now declare my
management-scripts public because they do not cover information which may lead
to attacks from outside and prove i am not talking bullshit, while they may make
some admins' lives easier
_____________________________________________________________________________________
in a company environment a workstation/server *never ever* pulls its
updates directly from the web for many reasons which i can explain to you
well but this may get off-topic - for now: *don't do it* it is your
basic job as sysadmin to take care of updates and make sure your
users never come in touch with that
* after you are at this principle you can do "yum -y upgrade" on
any machine at any moment because you deploy only tested updates
or at least if you are too lazy doing tests you prevent dependency
troubles this way
* if you are lazy install the updates at shutdown, the users are advised
to never ever interrupt shutdown by long holding power and if the same
user ignores this advice more than once fire him without discussion
* if you are not lazy make a maintenance window for all machines and
type distribute-command.sh "yum -y upgrade; systemctl reboot" within
this timeframe and go drink a coffee - you can be lazy too
* after the coffee type "distribute-command.sh uptime"
the scripts below were written in 2009 within a few days before taking
on the CTO/Sysadmin role in addition to lead-developer and replacing the
old one and needed not many non-cosmetic changes over the years
while you can maintain 10, 20, 100, 1000 machines this way
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/repo-cache.sh
#!/usr/bin/bash
basearch=`uname -i`
releasever=`rpm -q --qf "%{version}\n" fedora-release`
for g in `ls -1b /var/cache/yum`
do
    if [ -d /var/cache/yum/$g/packages ]
    then
        echo "/var/cache/yum/$g/packages/ > /repo/cache/fc$releasever/"
        sudo mv --verbose /var/cache/yum/$g/packages/*.rpm /repo/cache/fc$releasever/ 2> /dev/null
    fi
done
/mgmt/repo-create.sh
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/repo-create.sh
#!/usr/bin/bash
basearch=`uname -i`
releasever=`rpm -q --qf "%{version}\n" fedora-release`
sudo createrepo --xz -d /repo/cache/fc$releasever/
sudo repoview /repo/cache/fc$releasever/
sudo createrepo --xz -d /repo/fc$releasever/$basearch/
sudo createrepo --xz -d /repo/fc$releasever/testing/
sudo nice -n 19 /usr/bin/find /repo/ -type d -exec /bin/chmod 0755 "{}" \;
sudo nice -n 19 /usr/bin/find /repo/ -type f -exec /bin/chmod 0644 "{}" \;
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/distribute-updates.sh
#!/usr/bin/bash
source /mgmt/server-list.txt
function rh_push_updates
{
    echo -e "\e[32m$1\e[0m"
    /usr/bin/ssh root@$1 "/usr/bin/nice /usr/bin/yum -y update"
    echo ""
    echo -e "\e[31m--------------------------------------------------------------------------\e[0m"
    echo ""
}
for item in ${RH_TARGET_SERVERS[*]}
do
    rh_push_updates $item
done
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/server-list.txt
#!/usr/bin/bash
RH_TARGET_SERVERS=()
RH_TARGET_SERVERS[1]="machine1.example.com"
RH_TARGET_SERVERS[2]="machine2.example.com"
RH_TARGET_SERVERS[3]="machine3.example.com"
RH_TARGET_SERVERS[4]="machine4.example.com"
# put your 10,1000,1000 machines here
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/repo-clean.php
#!/usr/bin/php
<?php
ob_start();
passthru('rpm -q --qf "%{version}\n" fedora-release');
$release = trim(ob_get_clean());
ob_start();
passthru('uname -i');
$basearch = trim(ob_get_clean());
clean_repo('/repo/cache/fc' . $release . '/');
clean_repo('/repo/fc' . $release . '/' . $basearch . '/');
clean_repo('/repo/fc' . $release . '/testing/');
function clean_repo($path)
{
    ob_start();
    passthru('/usr/bin/repomanage --old ' . escapeshellarg($path));
    $out = ob_get_clean();
    $files = explode("\n", $out);
    $deleted = 0;
    foreach($files as $file)
    {
        $file = trim($file);
        if(is_file($file))
        {
            if(@unlink($file))
            {
                echo "REMOVED: " . $file . "\n";
                $deleted++;
            }
            else
            {
                echo 'FAILED: ' . $file . "\n";
            }
        }
    }
    if($deleted > 0)
    {
        passthru('/usr/bin/createrepo --xz -d ' . escapeshellarg($path));
        passthru('/bin/chmod -R 755 ' . escapeshellarg($path));
    }
}
?>
_____________________________________________________________________________________
[root@mgmt-server:~]$ cat /mgmt/distribute-command.sh
#!/usr/bin/bash
source /mgmt/server-list.txt
function rh_run_command
{
    echo -e "\e[32m$1\e[0m"
    /usr/bin/ssh root@$1 "$2"
    echo ""
    echo -e "\e[31m--------------------------------------------------------------------------\e[0m"
    echo ""
}
if [ "$2" == "" ]
then
    echo "" > /dev/null
else
    echo "Put params in quotes"
    exit
fi
for item in ${RH_TARGET_SERVERS[*]}
do
    rh_run_command $item "$1"
done
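_____________________________________________________________________________________
Added example, not part of the original message or the author's scripts: a variant of the distribute-command.sh loop that records which hosts returned a non-zero status, so a failed "yum -y upgrade" is not lost in the scrollback of a large fleet. The names run_on_all, ssh_runner, fake_runner, REMOTE_RUNNER and FAILED_HOSTS are hypothetical, and the fake runner's output is constructed so the loop can be exercised without a network.

```shell
#!/usr/bin/env bash
# Same host-list shape as /mgmt/server-list.txt (constructed sample hosts).
RH_TARGET_SERVERS=("machine1.example.com" "machine2.example.com" "machine3.example.com")

# Real transport: never prompt for a password, bound the connect time and
# refuse hosts whose key is not already in known_hosts.
ssh_runner() {
    /usr/bin/ssh -o BatchMode=yes -o ConnectTimeout=10 \
        -o StrictHostKeyChecking=yes "root@$1" "$2"
}

# Constructed stand-in for ssh: machine2 fails, every other host succeeds.
fake_runner() {
    case "$1" in
        machine2.*) echo "Error: transaction check failed"; return 1 ;;
        *)          echo "Complete!"; return 0 ;;
    esac
}

# Hypothetical hook: set REMOTE_RUNNER=fake_runner to run offline.
REMOTE_RUNNER="${REMOTE_RUNNER:-ssh_runner}"
FAILED_HOSTS=()

# run_on_all "<command>": run the command on every host, keep going after a
# failure, and return 1 if any host failed (2 on wrong usage).
run_on_all() {
    local cmd="$1" host rc
    FAILED_HOSTS=()
    if [ "$#" -ne 1 ] || [ -z "$cmd" ]; then
        echo "Put params in quotes" >&2
        return 2
    fi
    for host in "${RH_TARGET_SERVERS[@]}"; do
        echo "== $host"
        rc=0
        # </dev/null keeps the remote command from consuming our stdin
        "$REMOTE_RUNNER" "$host" "$cmd" </dev/null || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "!! $host exited with status $rc" >&2
            FAILED_HOSTS+=("$host")
        fi
    done
    [ "${#FAILED_HOSTS[@]}" -eq 0 ]
}
```

Source the file and call run_on_all "yum -y upgrade"; afterwards FAILED_HOSTS lists the machines that need a second look.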