The other day a vulnerability was found in NTP and I had to deal with it. The vendor advisories:
Amazon Linux
Red Hat Enterprise Linux
Dealing with it boils down to one thing, updating NTP, but that becomes a real chore when there are dozens or hundreds of target servers.
It is what Japanese slang calls "sashimi tanpopo" work: mindlessly repetitive.
Life is finite, and 2014 is almost over. Whatever can be left to a machine should be.
So let's do the "leave it to a machine" part with Fabric.
The approach is the same as in "[30-Minute Series] Handling the OpenSSL Scramble with Fabric" and "[30-Minute Series] Handling the bash Scramble with Fabric".
For what Fabric is and how to install it, see "[30-Minute Series] Handling the OpenSSL Scramble with Fabric".
Writing the task
The fix is simply "yum update ntp", so write a task that does exactly that.
ntpupdate.py
# coding: utf-8
from fabric.api import env, run, sudo
from fabric.contrib.console import confirm  # imported in the original but not used by this task

env.use_ssh_config = True  # resolve host names through ~/.ssh/config (web01.maedadev, ...)


def yum_update_ntp():
    # drop cached repo metadata so yum sees the freshly published ntp build
    sudo('yum clean all', user='root', pty=True)
    # update only the ntp package; ntpdate comes along as a dependency
    sudo('yum -y update ntp', user='root', pty=True)
It runs "yum clean all" and then "yum update ntp".
Note: no server reboot is required.
Running it
This time the targets are Amazon Linux instances.
I'll use the instances I have been using for testing.
The SSH host names for the instances are "web01.maedadev" and "web02.maedadev"; typing "ssh web01.maedadev" in a terminal is enough to connect.
$ fab -H web01.maedadev,web02.maedadev -f ./ntpupdate.py yum_update_ntp
[web01.maedadev] Executing task 'yum_update_ntp'
[web01.maedadev] sudo: yum clean all
[web01.maedadev] out: Loaded plugins: priorities, update-motd, upgrade-helper
[web01.maedadev] out: Cleaning repos: amzn-main amzn-updates
[web01.maedadev] out: Cleaning up everything
[web01.maedadev] out:
[web01.maedadev] sudo: yum -y update ntp
[web01.maedadev] out: Loaded plugins: priorities, update-motd, upgrade-helper
[web01.maedadev] out: amzn-main/latest                                | 2.1 kB     00:00
[web01.maedadev] out: amzn-main/latest/group                          |  35 kB     00:00
[web01.maedadev] out: amzn-main/latest/primary_db                     | 3.1 MB     00:00
[web01.maedadev] out: amzn-updates/latest                             | 2.3 kB     00:00
[web01.maedadev] out: amzn-updates/latest/group                       |  35 kB     00:00
[web01.maedadev] out: amzn-updates/latest/updateinfo                  | 197 kB     00:00
[web01.maedadev] out: amzn-updates/latest/primary_db                  | 494 kB     00:00
[web01.maedadev] out: Resolving Dependencies
[web01.maedadev] out: --> Running transaction check
[web01.maedadev] out: ---> Package ntp.x86_64 0:4.2.6p5-2.21.amzn1 will be updated
[web01.maedadev] out: ---> Package ntp.x86_64 0:4.2.6p5-2.22.amzn1 will be an update
[web01.maedadev] out: --> Processing Dependency: ntpdate = 4.2.6p5-2.22.amzn1 for package: ntp-4.2.6p5-2.22.amzn1.x86_64
[web01.maedadev] out: --> Running transaction check
[web01.maedadev] out: ---> Package ntpdate.x86_64 0:4.2.6p5-2.21.amzn1 will be updated
[web01.maedadev] out: ---> Package ntpdate.x86_64 0:4.2.6p5-2.22.amzn1 will be an update
[web01.maedadev] out: --> Finished Dependency Resolution
[web01.maedadev] out:
[web01.maedadev] out: Dependencies Resolved
[web01.maedadev] out:
[web01.maedadev] out: ================================================================================
[web01.maedadev] out:  Package      Arch       Version                  Repository       Size
[web01.maedadev] out: ================================================================================
[web01.maedadev] out: Updating:
[web01.maedadev] out:  ntp          x86_64     4.2.6p5-2.22.amzn1       amzn-updates    867 k
[web01.maedadev] out: Updating for dependencies:
[web01.maedadev] out:  ntpdate      x86_64     4.2.6p5-2.22.amzn1       amzn-updates     83 k
[web01.maedadev] out:
[web01.maedadev] out: Transaction Summary
[web01.maedadev] out: ================================================================================
[web01.maedadev] out: Upgrade  1 Package (+1 Dependent package)
[web01.maedadev] out:
[web01.maedadev] out: Total download size: 950 k
[web01.maedadev] out: Downloading packages:
[web01.maedadev] out: (1/2): ntp-4.2.6p5-2.22.amzn1.x86_64.rpm        | 867 kB     00:00
[web01.maedadev] out: (2/2): ntpdate-4.2.6p5-2.22.amzn1.x86_64.rpm    |  83 kB     00:00
[web01.maedadev] out: --------------------------------------------------------------------------------
[web01.maedadev] out: Total                                  3.3 MB/s | 950 kB  00:00:00
[web01.maedadev] out: Running transaction check
[web01.maedadev] out: Running transaction test
[web01.maedadev] out: Transaction test succeeded
[web01.maedadev] out: Running transaction
[web01.maedadev] out:   Updating   : ntpdate-4.2.6p5-2.22.amzn1.x86_64                 1/4
[web01.maedadev] out:   Updating   : ntp-4.2.6p5-2.22.amzn1.x86_64                     2/4
[web01.maedadev] out:   Cleanup    : ntp-4.2.6p5-2.21.amzn1.x86_64                     3/4
[web01.maedadev] out:   Cleanup    : ntpdate-4.2.6p5-2.21.amzn1.x86_64                 4/4
[web01.maedadev] out:   Verifying  : ntp-4.2.6p5-2.22.amzn1.x86_64                     1/4
[web01.maedadev] out:   Verifying  : ntpdate-4.2.6p5-2.22.amzn1.x86_64                 2/4
[web01.maedadev] out:   Verifying  : ntp-4.2.6p5-2.21.amzn1.x86_64                     3/4
[web01.maedadev] out:   Verifying  : ntpdate-4.2.6p5-2.21.amzn1.x86_64                 4/4
[web01.maedadev] out:
[web01.maedadev] out: Updated:
[web01.maedadev] out:   ntp.x86_64 0:4.2.6p5-2.22.amzn1
[web01.maedadev] out:
[web01.maedadev] out: Dependency Updated:
[web01.maedadev] out:   ntpdate.x86_64 0:4.2.6p5-2.22.amzn1
[web01.maedadev] out:
[web01.maedadev] out: Complete!
[web01.maedadev] out:
[web02.maedadev] Executing task 'yum_update_ntp'
[web02.maedadev] sudo: yum clean all
[web02.maedadev] out: Loaded plugins: priorities, update-motd, upgrade-helper
[web02.maedadev] out: Cleaning repos: amzn-main amzn-updates
[web02.maedadev] out: Cleaning up everything
[web02.maedadev] out:
[web02.maedadev] sudo: yum -y update ntp
[web02.maedadev] out: Loaded plugins: priorities, update-motd, upgrade-helper
[web02.maedadev] out: amzn-main/latest                                | 2.1 kB     00:00
[web02.maedadev] out: amzn-main/latest/group                          |  35 kB     00:00
[web02.maedadev] out: amzn-main/latest/primary_db                     | 3.1 MB     00:00
[web02.maedadev] out: amzn-updates/latest                             | 2.3 kB     00:00
[web02.maedadev] out: amzn-updates/latest/group                       |  35 kB     00:00
[web02.maedadev] out: amzn-updates/latest/updateinfo                  | 197 kB     00:00
[web02.maedadev] out: amzn-updates/latest/primary_db                  | 494 kB     00:00
[web02.maedadev] out: Resolving Dependencies
[web02.maedadev] out: --> Running transaction check
[web02.maedadev] out: ---> Package ntp.x86_64 0:4.2.6p5-2.21.amzn1 will be updated
[web02.maedadev] out: ---> Package ntp.x86_64 0:4.2.6p5-2.22.amzn1 will be an update
[web02.maedadev] out: --> Processing Dependency: ntpdate = 4.2.6p5-2.22.amzn1 for package: ntp-4.2.6p5-2.22.amzn1.x86_64
[web02.maedadev] out: --> Running transaction check
[web02.maedadev] out: ---> Package ntpdate.x86_64 0:4.2.6p5-2.21.amzn1 will be updated
[web02.maedadev] out: ---> Package ntpdate.x86_64 0:4.2.6p5-2.22.amzn1 will be an update
[web02.maedadev] out: --> Finished Dependency Resolution
[web02.maedadev] out:
[web02.maedadev] out: Dependencies Resolved
[web02.maedadev] out:
[web02.maedadev] out: ================================================================================
[web02.maedadev] out:  Package      Arch       Version                  Repository       Size
[web02.maedadev] out: ================================================================================
[web02.maedadev] out: Updating:
[web02.maedadev] out:  ntp          x86_64     4.2.6p5-2.22.amzn1       amzn-updates    867 k
[web02.maedadev] out: Updating for dependencies:
[web02.maedadev] out:  ntpdate      x86_64     4.2.6p5-2.22.amzn1       amzn-updates     83 k
[web02.maedadev] out:
[web02.maedadev] out: Transaction Summary
[web02.maedadev] out: ================================================================================
[web02.maedadev] out: Upgrade  1 Package (+1 Dependent package)
[web02.maedadev] out:
[web02.maedadev] out: Total download size: 950 k
[web02.maedadev] out: Downloading packages:
[web02.maedadev] out: (1/2): ntp-4.2.6p5-2.22.amzn1.x86_64.rpm        | 867 kB     00:00
[web02.maedadev] out: (2/2): ntpdate-4.2.6p5-2.22.amzn1.x86_64.rpm    |  83 kB     00:00
[web02.maedadev] out: --------------------------------------------------------------------------------
[web02.maedadev] out: Total                                   19 MB/s | 950 kB  00:00:00
[web02.maedadev] out: Running transaction check
[web02.maedadev] out: Running transaction test
[web02.maedadev] out: Transaction test succeeded
[web02.maedadev] out: Running transaction
[web02.maedadev] out:   Updating   : ntpdate-4.2.6p5-2.22.amzn1.x86_64                 1/4
[web02.maedadev] out:   Updating   : ntp-4.2.6p5-2.22.amzn1.x86_64                     2/4
[web02.maedadev] out:   Cleanup    : ntp-4.2.6p5-2.21.amzn1.x86_64                     3/4
[web02.maedadev] out:   Cleanup    : ntpdate-4.2.6p5-2.21.amzn1.x86_64                 4/4
[web02.maedadev] out:   Verifying  : ntp-4.2.6p5-2.22.amzn1.x86_64                     1/4
[web02.maedadev] out:   Verifying  : ntpdate-4.2.6p5-2.22.amzn1.x86_64                 2/4
[web02.maedadev] out:   Verifying  : ntp-4.2.6p5-2.21.amzn1.x86_64                     3/4
[web02.maedadev] out:   Verifying  : ntpdate-4.2.6p5-2.21.amzn1.x86_64                 4/4
[web02.maedadev] out:
[web02.maedadev] out: Updated:
[web02.maedadev] out:   ntp.x86_64 0:4.2.6p5-2.22.amzn1
[web02.maedadev] out:
[web02.maedadev] out: Dependency Updated:
[web02.maedadev] out:   ntpdate.x86_64 0:4.2.6p5-2.22.amzn1
[web02.maedadev] out:
[web02.maedadev] out: Complete!
[web02.maedadev] out:

Done.
Disconnecting from ec2-user@54.238.167.9... done.
Disconnecting from ec2-user@54.92.76.211... done.
Note: the download portion of the log (the progress-bar redraws) is abridged.
The run finished in no time. Logging in to each server by hand, running yum, and logging out again is not something anyone wants to do for hundreds of hosts.
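After a mass update like this, the question that matters is "which hosts are still on the old build?". The following is an added example, not code from the original post: a companion Fabric 1.x task (hypothetical file name ntpcheck.py, run the same way as ntpupdate.py) that queries rpm on each host and compares the installed version against the fixed build that appears in the log above, using an rpmvercmp-style comparison so that "2.22" is not compared to "2.21" as plain strings. The fixed build and the "missing" handling are assumptions for the example.

```python
# coding: utf-8
# Added example (not from the original post): report per host whether the
# installed ntp package is at or above the fixed build.
import re

try:
    from fabric.api import env, run      # only needed when invoked through `fab`
    env.use_ssh_config = True
except ImportError:                      # the pure-Python helpers work without Fabric
    run = None

# Fixed build shown in the update log on this page (Amazon Linux); adjust per advisory.
FIXED_NTP_VR = "4.2.6p5-2.22.amzn1"

def _segments(s):
    """Split into rpmvercmp-style segments: integers and alphabetic runs."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no ~ or ^ handling): returns -1, 0 or 1.
    Numeric segments compare as numbers, alpha segments lexically, a numeric
    segment beats an alpha one, and with an equal prefix the longer string is newer."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(s):
    """'0:4.2.6p5-2.22.amzn1' -> (0, '4.2.6p5', '2.22.amzn1'); epoch defaults to 0."""
    epoch, _, rest = s.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch.isdigit() else 0), version, release

def evr_cmp(a, b):
    """Compare epoch:version-release strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def classify(rpm_output, fixed=FIXED_NTP_VR):
    """'ok' when installed >= fixed, 'vulnerable' when older, 'missing' when not installed."""
    installed = rpm_output.strip()
    if not installed or installed.startswith("package ntp is not installed"):
        return "missing"
    return "ok" if evr_cmp(installed, fixed) >= 0 else "vulnerable"

def check_ntp():
    """Fabric task: fab -H web01.maedadev,web02.maedadev -f ./ntpcheck.py check_ntp"""
    out = run("rpm -q --qf '%{VERSION}-%{RELEASE}' ntp", warn_only=True)
    print("%s: ntp %s -> %s" % (env.host_string, out, classify(out)))
```

Hosts reported as "vulnerable" or "missing" are the ones to chase; a plain string comparison would wrongly pass a hypothetical 2.9 build against 2.22.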
Summary
For a job this size, just knock it out with Fabric.