This document describes the procedure to set up CA sync between two Zentyal servers. We will use rsync, run from a cron job.
We will use root on the side that starts the connection (the provided script will be run by cron) and ebox on the side that receives it. We could use any other user, but using the ebox user avoids having to create extra, unneeded configuration. For the sake of the example we'll be referring to two servers here:
- (Server A) The server on which the CA existed previously, and from which the files for the CA will be taken.
- (Server B) The secondary server to which we want to export the CA that exists on Server A.
In order to better understand the procedure we must keep in mind that:
- Zentyal CA files are stored in /var/lib/zentyal/CA
- This folder has these permissions:
    drwxr-x--x 9 ebox ebox
- The ebox user's home directory is /var/lib/zentyal/
- With this information, we'll proceed to follow these steps:
- Check that rsync is installed on server B, and install it if it is not:
    sudo apt-get install rsync
- Check whether root has an RSA key on server B. If it does not, create it with ssh-keygen:
    # run as root on server B
    if [ ! -f /root/.ssh/id_rsa.pub ]; then /usr/bin/ssh-keygen; else echo "Key already exists"; fi
- On server A, create the folder /var/lib/zentyal/.ssh/ and the file authorized_keys, owned by ebox:
    sudo mkdir -p /var/lib/zentyal/.ssh/
    sudo touch /var/lib/zentyal/.ssh/authorized_keys
    sudo chown -R ebox:ebox /var/lib/zentyal/.ssh/
- Copy root's public key from server B into /var/lib/zentyal/.ssh/authorized_keys on server A. Since the ebox user has no password, ssh-copy-id will not work, so you have to do it by hand: open /root/.ssh/id_rsa.pub on server B and paste its contents into /var/lib/zentyal/.ssh/authorized_keys on server A.
- Test that root on server B can ssh to server A as the ebox user without a password:
    sudo ssh ebox@SERVER-A-IP
1. Limit connections to server B's IP:
To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and prepend this to the ssh-rsa entry:
    from="SERVER-B-IP" ssh-rsa dasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
2. Ensure that only rsync can be run over this ssh connection:
To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and prepend this to the ssh-rsa entry:
    command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
Now you must add the script that this command= option refers to (script taken from http://troy.jdmz.net/rsync/index.html). It works by inspecting the command the client asked sshd to run, which sshd places in SSH_ORIGINAL_COMMAND:
    case "$SSH_ORIGINAL_COMMAND" in
If you use both, separate them with a “,”:
    from="SERVER-B-IP",command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
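A complete forced-command script of the kind the command= option above points at, written here as an added example in the spirit of the troy.jdmz.net validate-rsync script; it is not the page's own copy of that script, and the file name /usr/share/bin/check_command.sh is simply the path the authorized_keys line uses. It goes one step beyond the original by also pinning the source path: a pull of the CA from server B arrives at server A as `rsync --server --sender <flags> . /var/lib/zentyal/CA`, so anything that is not that exact shape (a push into A, a different directory, a command with shell metacharacters) is rejected before rsync ever runs.

```sh
#!/bin/sh
# check_command.sh: forced command for the ebox account on server A.
# Added example modelled on the troy.jdmz.net validate-rsync idea, not the
# page's own script. It also pins the source path, which that script does not.
# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND; a pull of
# the CA by server B arrives as "rsync --server --sender <flags> . /var/lib/zentyal/CA".

ALLOWED_PATH=/var/lib/zentyal/CA    # the only directory this key may read

# validate_rsync_command CMD: prints "allow" or "reject <reason>", returns 0/1.
validate_rsync_command() {
    cmd=$1
    case "$cmd" in
        # no legitimate rsync server invocation contains shell metacharacters
        *\&*|*\;*|*\|*|*\`*|*\$*|*\(*|*\{*|*\<*|*\>*)
            echo "reject metacharacter"; return 1 ;;
        # accept only the sending side: server A hands files out, never takes them in
        "rsync --server --sender "*)
            ;;
        *)
            echo "reject not-rsync"; return 1 ;;
    esac
    # the last word is the source path rsync was asked to serve
    last=${cmd##* }
    case "$last" in
        "$ALLOWED_PATH"|"$ALLOWED_PATH/")
            echo "allow"; return 0 ;;
        *)
            echo "reject path"; return 1 ;;
    esac
}

# When sshd runs this as the forced command, enforce the check and hand over to rsync.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if validate_rsync_command "$SSH_ORIGINAL_COMMAND" >/dev/null; then
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "Rejected" >&2
        exit 1
    fi
fi
```

The script must be executable by ebox (it runs as that user), and the exact flag string rsync sends depends on the rsync version on server B, which is why only the `rsync --server --sender ` prefix and the final path are matched rather than the whole line. A rejected attempt shows up as a one-line "Rejected" on the client side and as a normal sshd login record for ebox on server A.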
- Create the folder where you're going to store the script that will do the sync, and give it appropriate permissions:
    mkdir /var/local/rsync-ca
    chmod 754 /var/local/rsync-ca
- Create the script file and give it proper permissions:
    touch /var/local/rsync-ca/rsync-ca
    chmod 740 /var/local/rsync-ca/rsync-ca
- Place the following content in the script (change the variables as needed):
    RPATH=/var/lib/zentyal/CA
    $RSYNC -az -e "$SSH -i $KEY" $RUSER@$RHOST:$RPATH $LPATH
- Test the script and confirm that it works as expected
- Create the cron job for the script we have just created. For instance, to run it daily, write this in /etc/cron.d/rsync-ca:
    @daily root /var/local/rsync-ca/rsync-ca
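A complete version of the sync script that the steps above create, as an added example rather than the page's own script: the page shows only the RPATH line and the rsync invocation, so the values of RSYNC, SSH, KEY, RUSER and LPATH, the lock directory, the use of logger and the SERVER-A-IP placeholder are all assumptions here. It keeps the page's `-az` transfer and key-based ssh, and adds what a cron-run script needs to fail loudly instead of hanging: BatchMode so ssh never waits on a prompt, preflight checks for the key and binaries, a lock against overlapping runs, and a syslog line with the result.

```sh
#!/bin/sh
# /var/local/rsync-ca/rsync-ca (added example, not the page's own script: only
# RPATH and the rsync line come from the page, the other values are assumptions).
# Pulls the Zentyal CA directory from server A to this host (server B).
# Run by cron as root; root's key is the one authorized for ebox on server A.

RSYNC=${RSYNC:-/usr/bin/rsync}
SSH=${SSH:-/usr/bin/ssh}
KEY=${KEY:-/root/.ssh/id_rsa}
RUSER=ebox
RHOST=${RHOST:-SERVER-A-IP}        # placeholder: put server A's address here
RPATH=/var/lib/zentyal/CA
LPATH=${LPATH:-/var/lib/zentyal}   # assumed: RPATH has no trailing slash, so CA/ is created under LPATH
LOCK=${LOCK:-/var/run/rsync-ca.lock}

# preflight: refuse to run when something is missing, rather than letting cron
# mail a cryptic rsync error. Returns 0 if the sync can proceed.
preflight() {
    [ -f "$KEY" ] || { echo "missing key $KEY" >&2; return 1; }
    [ -x "$RSYNC" ] || { echo "missing $RSYNC" >&2; return 1; }
    [ -x "$SSH" ] || { echo "missing $SSH" >&2; return 1; }
    [ -d "$LPATH" ] || { echo "missing $LPATH" >&2; return 1; }
    return 0
}

# ssh_options: the transport rsync uses. BatchMode stops ssh from waiting on a
# passphrase or host-key prompt under cron; IdentitiesOnly keeps it from offering
# any other key an agent might hold.
ssh_options() {
    echo "$SSH -i $KEY -o BatchMode=yes -o IdentitiesOnly=yes"
}

# sync_ca: the transfer itself, the page's rsync line plus the options above.
# Returns rsync's exit status.
sync_ca() {
    "$RSYNC" -az -e "$(ssh_options)" "$RUSER@$RHOST:$RPATH" "$LPATH"
}

main() {
    preflight || exit 1
    # mkdir is atomic, so it doubles as a lock against overlapping cron runs
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "another rsync-ca run holds $LOCK" >&2
        exit 1
    fi
    trap 'rmdir "$LOCK"' EXIT
    if sync_ca; then
        logger -t rsync-ca "CA synced from $RUSER@$RHOST:$RPATH to $LPATH"
    else
        rc=$?
        logger -t rsync-ca "CA sync from $RHOST failed with status $rc"
        exit "$rc"
    fi
}

# Only perform the sync when executed as the installed script, so the functions
# above can be sourced and checked without opening a connection.
case "$0" in
    *rsync-ca) main ;;
esac
```

With the cron line from the page (`@daily root /var/local/rsync-ca/rsync-ca`) the script runs as root, which is the account whose key is in ebox's authorized_keys on server A; because the forced command on server A only accepts the sending side of rsync, this script can read the CA but a compromise of server B's key cannot be used to write into server A.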