
List:       infrastructures
Subject:    Re: [Infrastructures] issh - a new shell for infrastructure
From:       James Neal <neal-infrastructures () timestudies ! skylab ! org>
Date:       2002-11-14 18:49:47
Message-ID: 200211141849.gAEInmf22756 () magic ! skylab ! org

In message <20021114044246.GA28999@polishwonder.dyn.dhs.org> you write:
>Here's another LISA-spawned topic.  Would it be useful to be able to
>log into any ISConf managed host to make changes, and then have those
>changes automagically roll out to other hosts?  Here's an example login
>session:

Yeah, being able to capture uniqueness is an important step in the process
of going from "tons of systems managed individually" to "large-scale
100% central administration."

>ssh junioradmin@turing01.lab.foobar.com
>bash> issh --level domain
>issh> vi /etc/inetd.conf
>Error: Don't use interactive tools!  We can't put that in a makefile.
>issh> echo pop3 stream tcp nowait root /usr/local/lib/popper \
>qpopper -s >> /etc/inetd.conf
>issh> pkill -HUP inetd
>issh> isset runonce
>issh> exit
>bash> logout

I've considered something similar, but using LD_PRELOAD to catch syscalls
that would change the state of the system (such as open, chown, chmod,
etc).

ssh junioradmin@turing01.lab.foobar.com
# capture -m "Enabling POP3" enable_pop3
(capture adds libcapture.so to LD_PRELOAD and spawns a new shell)
capture# vi /etc/inetd.conf
(make changes)
:w!
('capture' sees a file being opened for writing.  Makes a copy of the
original file to a spool directory.  Writes out file.  Writes out new
file in a spool directory)
capture# exit
(capture processes the spool to create diffs, then leaves the captured
shell)
# exit

The spool would then be sent back to the gold server (via rsyncs, lpd,
sendmail, carrier pigeon..) for application to other systems.

Of course, LD_PRELOAD doesn't work with statically compiled binaries,
nor would this capture _all_ the changes on a system.

http://gmxsolutions.com/products/cm_safe.html is a product that captures
a wider number of changes to the system automatically, so that the
sysadmin can do diffs of the entire system to see what's changed between
two points in time (and includes an "undo" function, to undo bad changes).

(Disclaimer: I own shares in GMx Solutions's parent company.)

-James
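An added sketch of the libcapture.so idea described above (hypothetical code, not anything James or the ISConf project shipped): an LD_PRELOAD shim that interposes open() and, before the first write-mode open of a path, copies the untouched original into a spool directory named by an assumed CAPTURE_SPOOL environment variable (default /tmp/capture-spool), so the wrapper shell can diff old against new on exit. It assumes Linux and glibc; build with `gcc -shared -fPIC -o libcapture.so capture.c` and load with `LD_PRELOAD=./libcapture.so`.

```c
#undef _FORTIFY_SOURCE   /* glibc's fortified open() wrapper would clash with ours */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw openat(2) pass-through, so the shim never recurses into its own open(). */
static int raw_open(const char *p, int f, int m) { return (int)syscall(SYS_openat, AT_FDCWD, p, f, m); }

/* Could this open() change the file?  Read-only opens are left alone. */
int wants_write(int flags) {
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR || (flags & (O_TRUNC | O_CREAT)) != 0;
}

/* Map "/etc/inetd.conf" to "<spool>/_etc_inetd.conf.orig" (path flattened). */
int spool_path(const char *spool, const char *path, char *out, size_t n) {
    size_t k = strlen(spool), i;
    if (k + strlen(path) + 6 >= n) return -1;          /* "/" + path + ".orig" + NUL */
    memcpy(out, spool, k);
    out[k++] = '/';
    for (i = 0; path[i]; i++) out[k++] = (path[i] == '/') ? '_' : path[i];
    strcpy(out + k, ".orig");
    return 0;
}

/* Copy the pristine file into the spool once: 1 = copied, 0 = nothing to do. */
int preserve_original(const char *path) {
    const char *spool = getenv("CAPTURE_SPOOL");       /* assumed env var; hypothetical */
    char dst[4096], buf[8192]; ssize_t r; int in, out;
    if (!spool) spool = "/tmp/capture-spool";
    if (spool_path(spool, path, dst, sizeof dst) < 0) return -1;
    mkdir(spool, 0700);                                 /* EEXIST is fine */
    if ((in = raw_open(path, O_RDONLY, 0)) < 0) return 0;          /* new file: no original */
    if ((out = raw_open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) { close(in); return 0; } /* already spooled */
    while ((r = read(in, buf, sizeof buf)) > 0 && write(out, buf, r) == r) continue;
    close(in); close(out);
    return 1;
}

/* The interposed libc entry point.  A fuller shim would also hook openat, open64,
 * creat, rename, unlink, chmod and chown; statically linked tools bypass it entirely. */
int open(const char *path, int flags, ...) {
    int mode = 0;
    if (flags & O_CREAT) { va_list ap; va_start(ap, flags); mode = va_arg(ap, int); va_end(ap); }
    if (wants_write(flags)) preserve_original(path);
    return raw_open(path, flags, mode);
}
```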
