 RPKGADD:
A Remote Package Management Tool for SolarisTM
Adam Ronthal
As a consulting engineer for a company focused on systems management
software and services, I am often in the position of having to install
Solaris packages on a large number of machines. Our flagship configuration-auditing
product is highly extensible, and we typically distribute add-on
modules in the form of Solaris packages that must be installed on
many distributed servers within a client environment.
The process of logging into each of these servers and running
pkgadd can be frustrating and time consuming. Additionally, many
environments restrict the use of FTP or NFS within their environments,
making it even more difficult to distribute software to a large
number of machines.
To efficiently distribute and install the packages, I have developed
a Korn shell script called rpkgadd. Based on ssh (now standard within
the Solaris 9 environment, and almost always installed in most environments
no matter what version of Solaris is running), this script simplifies
the distribution and management of Solaris packages over the network.
There are certainly some security implications of using an implementation
like this, but with judicious management of ssh RSA/DSA keys, and
a dedicated package management account, this scheme can be deployed
safely in most data center or enterprise environments.
What's Required?
The basic prerequisites are simple:
- SSH installed on all servers
- Access to an account with root permissions on each target server
A Dedicated Package Install Account
The recommended configuration includes a dedicated "root-equivalent"
account, which is used solely for managing packages. Access to this
account should be restricted to a single machine that serves as
the source of all packages to be distributed. For the purposes of
the following examples, this account is called pkginstall.
(The required configurations for restricting access via SSH by host
or by user can easily be accomplished through the AllowUsers directive
in the sshd_config file.)
Each machine that will require remote package management should
be configured with a pkginstall account. The relevant line from
/etc/passwd looks like this in my environment:
pkginstall:x:0:1:Package Install Account:/export/home/ pkginstall:/sbin/sh
The Script
The rpkgadd script (see Listing 1) allows the remote installation and removal of Solaris packages. It supports both standard "directory based" packages, as well as the DaTaStReAm package format. For convenience, it uses pkgtrans to convert DaTaStReAm packages to the standard format before installing them on a target host.
The script should support both SSH1 and SSH2 protocols, although it does not intelligently check to see what is currently in use. Instead, it relies on the brute-force method of creating both authorized_keys and authorized_keys2 files on the target hosts.
Additionally, rpkgadd provides some options to manage keys and packages on the local and target hosts. These options include the ability to:
- Maintain the package source on the target host if desired (-m).
- Uninstall packages from the target host (-D).
- Save the SSH keys in the authorized_keys and authorized_keys2 files on the target host (-S). (Note: the default behavior is to delete the package keys when finished.)
- Expunge the local copy of the SSH keys (-e). (Note: This option should be used with care as this will force the package keys to be regenerated and invalidate any keys currently in use. Since rpkgadd does not keep a list of all target hosts that it has installed packages to, there is a chance that invalid keys may be retained on target systems.)
Finally, rpkgadd allows you to specify a configuration file for use in batch mode processing. This allows you to specify multiple packages to be installed on multiple target hosts. Each of the options described previously and in the detailed "rpkgadd Usage" sidebar can also be set in this configuration file.
Use of SSH Keys
By default, rpkgadd uses temporary, empty-passphrase SSH keys to issue commands on the remote host. The first time rpkgadd is run (and anytime it cannot find a local copy of the pkgkey.pub file in the user's .ssh directory), it will automatically create new keys:
# ./rpkgadd -t sunspot -p SMCwget -u pkginstall
----------------------------------------------------------------
Hit return when asked for password. authorized_keys files will
be removed from the target host once packages are added unless
the '-S' option is specified on the command line.
----------------------------------------------------------------
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /.ssh/pkgkey.
Your public key has been saved in /.ssh/pkgkey.pub.
The key fingerprint is:
1f:96:8c:11:33:45:0e:b8:6c:9a:46:96:1f:d1:75:31 pkgkey
rpkgadd will then ask for the password of the remote root account so it can append the contents of ~/.ssh/pkgkey.pub to the remote host's authorized_keys file. Thus, you are only required to enter a password once for each target host; subsequent ssh commands use the DSA or RSA keys to authenticate.
Once the package(s) are installed on the target host, rpkgadd will remove any "pkgkey" public key files from the target host's authorized_keys file (unless told to retain them).
Note that if the local copies of pkgkey or pkgkey.pub are removed using the -e option, old copies of the pkgkey.pub might remain on target hosts if the "save keys" -S option was previously used. Care should be exercised when removing local copies of the keys.
Installing or Removing a Single Package on a Remote Host
The simplest use of rpkgadd is to install a single package to a remote host (see Figure 1). For this example, let's assume that a "root-equivalent" pkginstall account has already been created on the target host -- sunspot. (If this were not the case and a remote root user were not specified, rpkgadd would default to using the default root account, "root".) The package to be installed should be in the directory from which the command is issued. If necessary, however, a path to the package location can be specified for installs.
The required parameters are given below:
Target Host: sunspot
Remote Root: pkginstall
Package to Install: SMCwget
We issue the command as follows:
$ ./rpkgadd -t sunspot -u pkginstall -p SMCwget
pkginstall@sunspot's password:
Target host is sunspot
Package is standard format.
Preparing package for file transfer...
Transfering package to sunspot
Installing package on sunspot...
Processing package instance <SMCwget> from </var/spool/pkg>
wget
(sparc) 1.8.2
Free Software Foundation
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
Installing wget as <SMCwget>
## Installing part 1 of 1.
/usr/local/bin/wget
/usr/local/doc/wget/AUTHORS
...
Installation of <SMCwget> was successful.
Cleaning up...
Of course, SMCwget is typically distributed in DaTaStReAm format, so the command would more typically be run like this:
$ ./rpkgadd -t sunspot -u pkginstall -p wget-1.8.2-sol9-sparc-local
pkginstall@sunspot's password:
Target host is sunspot
Package is in DaTaStReAm format. Translating.
Preparing package for file transfer...
Transfering package to sunspot
Installing package on sunspot...
The rpkgadd script will automatically translate the package to the standard format before transferring it to the remote host and installing it.
To remove the package, simply add the -D option, making sure to specify the package name as seen by Solaris, which is not necessarily the name given to rpkgadd when installing the package (e.g., "SMCwget", not "wget-1.8.2-sol9-sparc-local"):
$ ./rpkgadd -t sunspot -u pkginstall -p SMCwget -D
pkginstall@sunspot's password:
Target host is sunspot
The following package is currently installed:
SMCwget wget
(sparc) 1.8.2
Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <SMCwget>
...
## Updating system information.
Removal of <SMCwget> was successful.
Batch Processing: Installing Multiple Packages to Many Remote Hosts
If you have multiple target hosts on which to install a package, or even multiple packages to install on a target host, the batch-processing mode of rpkgadd is useful. By specifying the options for each target host and a list of packages to be installed, you can simplify the installation process.
The rpkgadd.conf file has the following format:
target_host:root_user:pkgrm:remove_keys:remove_package_source: \
keytype:pkg1:pkg2:...:pkg_n
For example:
# This is the rpkgadd configuration file
#
sunspot:pkginstall:no:yes:yes:dsa:SMCwget:top-3.5beta12-\
sol9-sparc3264-local
expression:pkginstall:yes:yes:no:dsa:SMCmake:SMCcvs
For this configuration file, the host sunspot will have the packages SMCwget and SMCtop installed (the latter in the default DaTaStReAm format for Sun Freeware packages) with the following options:
Remote Root: pkginstall
Uninstall Packages: no
Remove SSH Public Key: yes
Remove Package Source: yes
Key Type: dsa
The host expression will have the packages SMCmake and SMCcvs uninstalled, with the following options set:
Remote Root: pkginstall
Uninstall Packages: yes
Remove SSH Public Key: yes
Remove Package Source: no
Key Type: dsa
Batch mode is initiated at the command line using the -b option and specifying the configuration file:
$ ./rpkgadd -b ./rpkgadd.conf
Some Notes about the Script
The rpkgadd script makes extensive use of ksh functions to simplify the processing in the main body of the script. All arguments are processed with standard getopts processing and can be specified in any order at the command line.
Default values for several options are set in the "Settings and Environment" section at the top of the script. The variable and description are given below:
| Variable |
Values |
Description |
| NIS |
yes,no |
Specifies whether the script is being run in an
NIS environment |
| RMKEYS |
yes,no |
Remove SSH keys, when finished installing packages
|
| DELPKG |
yes,no |
Remove package source from remote server /var/spool/pkg
when installed |
| RMPKG |
yes,no |
Default is to install packages, not uninstall
them |
| KEYTYPE |
dsa,rsa |
Use DSA keys by default |
| REMOTE_ROOT |
<valid user> |
Use <valid user> as the default remote root
if not specified |
Because some of the ssh commands are issued on a single line, their readability suffers. To better understand what is going on in these situations, simply copy the command text appearing in the
ksh -c '<command text>'
structure, and format it in such a way as to be human readable!
The option flags used in rpkgadd were selected to avoid conflicts with the existing flags used by Sun's pkgadd and pkgrm commands. Future versions of rpkgadd will allow the user to pass on additional flags to the underlying pkgadd or pkgrm command that ultimately gets executed on the target host. Future versions will also more closely mimic the options in pkgadd and pkgrm. The script itself should be well commented and understandable to anyone with a good knowledge of shell scripting.
The most recent version of the rpkgadd script is available on CiRBA's Web site at:
http://www.cirba.com/rpkgadd
Note that CiRBA, Inc. does not support rpkgadd, nor do they warrant the suitability of this software for any purpose, explicit or implied.
Adam Ronthal is a consulting engineer for CiRBA, Inc, a Toronto software firm specializing in systems management software and services. He can be reached at: ronthal@fugue.net. CiRBA, Inc. can be reached on the Web at: http://www.cirba.com.
| 
