Keeping several machines updated using "dsh" and "sudo"

If you manage a whole bunch of servers or client workstations (or both), it comes in handy
to update them all with just one command.
(Credits: This is based on an article to be found in the "Linux Magazin 5/2003, page 33". Thanks!)

Servers/Workstations

Run:

# adduser --disabled-login update
# apt-get install sudo

Use visudo to edit /etc/sudoers so that it contains something like:

Cmnd_Alias      APTGET = /usr/bin/apt-get update, \
                         /usr/bin/apt-get -y upgrade, \
                         /usr/bin/apt-get -y dist-upgrade
root            ALL=(ALL) ALL
update          ALL = NOPASSWD: APTGET

This allows user root to execute every command on every machine (the default), and allows the user update
to execute the commands listed in APTGET as root on every machine without having to enter a password.

(If you have a NIS/NFS-network, of course just add the user update to the NIS-server and add "+update:*:::::" to the other machines.)

You also have to create the file ~update/.ssh/authorized_keys, which simply holds the public key(s) of the key pair(s) to be generated on the initiating machine(s) (see below). This allows you to log in to your servers/workstations as user update without having to provide a password.

The initiating machine

Run:

# apt-get install dsh

/etc/dsh/dsh.conf:

verbose = 0
remoteshell = ssh
showmachinenames = 1
waitshell = 1

~/.dsh/machines.list:

update@machine1
update@machine2
[...]

This configures the "dancer's shell".

If you don't already have an ssh-keypair, generate one (man ssh-keygen) and - as mentioned above -
copy the public-key to your machines' ~update/.ssh/authorized_keys file(s).

Update all machines using:

# dsh -a -- 'sudo apt-get update && sudo apt-get -y upgrade'

You might also want to use "-c" as an option to dsh. Check out its manpage.
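
The key in ~update/.ssh/authorized_keys gives a full passwordless login as update, although the setup only needs the apt-get commands from APTGET. The following forced-command wrapper is an added example, not part of the original article or of dsh, that limits the key to exactly those requests. The install path /usr/local/sbin/update-only and the key line in the comments are hypothetical, and it assumes the request reaches sshd as exactly the command string passed to dsh above.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the "update" account.
# Assumed install path (hypothetical): /usr/local/sbin/update-only
# Assumed authorized_keys entry (key material is a placeholder):
#   restrict,command="/usr/local/sbin/update-only" ssh-ed25519 <PUBLIC-KEY> dsh
# sshd runs this script instead of the client's command and passes the
# requested command line in SSH_ORIGINAL_COMMAND.

# Map a request to fixed apt-get argument lists, one per line.
# Only the exact strings below are accepted; client text is never executed.
plan_for() {
    case "$1" in
        'sudo apt-get update')
            echo 'update' ;;
        'sudo apt-get update && sudo apt-get -y upgrade')
            printf '%s\n' 'update' '-y upgrade' ;;
        'sudo apt-get update && sudo apt-get -y dist-upgrade')
            printf '%s\n' 'update' '-y dist-upgrade' ;;
        *)
            return 1 ;;
    esac
}

# Run the planned steps through sudo, stopping at the first failure ("&&").
run_request() {
    plan=$(plan_for "$1") || {
        echo 'update-only: request refused' >&2
        return 126
    }
    # Read the plan on fd 3 so apt-get keeps its own stdin.
    while IFS= read -r args <&3; do
        # $args is one of the fixed strings above, so splitting it is safe.
        sudo /usr/bin/apt-get $args || return 1
    done 3<<EOF
$plan
EOF
}

# Entry point only when installed under the wrapper's name.
case "$0" in
    */update-only)
        run_request "${SSH_ORIGINAL_COMMAND:-}"
        exit $? ;;
esac
```

With this in place, the dsh call shown above keeps working, while any other command sent with that key, or an interactive login, is refused with exit status 126.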
