This document describes the procedure to set up CA synchronisation between two Zentyal servers. We will use rsync for this, run from a cron job.
We will use root on the side that starts the connection (the provided script will be run by cron) and ebox on the side that receives it. Any other user could be used, but using the ebox user avoids having to create extra, unneeded configuration. For the sake of the example we will refer to two servers here:
- (Server A) The server on which the CA already exists, and from which the CA files will be taken.
- (Server B) The secondary server to which we want to export the CA that exists on Server A.
In order to better understand the procedure, keep in mind that:
- Zentyal CA files are stored in /var/lib/zentyal/CA
- That folder has these permissions (owner and group ebox; others only have execute/traverse):
```
drwxr-x--x 9 ebox ebox
```
- The ebox user has /var/lib/zentyal/ as its home directory.
With this information, we will proceed to follow these steps:
- Check that rsync is installed on server B, and if not, install it:
```sh
sudo apt-get install rsync
```
- Check whether root has an RSA key on server B. If it does not, create it with ssh-keygen (the check runs as root, since /root/.ssh is not readable by other users):
```sh
sudo sh -c 'if [ ! -f /root/.ssh/id_rsa.pub ]; then ssh-keygen; else echo "Key already exists"; fi'
```
- On server A, create the folder /var/lib/zentyal/.ssh/ and the file authorized_keys inside it:
```sh
sudo mkdir -p /var/lib/zentyal/.ssh/
sudo touch /var/lib/zentyal/.ssh/authorized_keys
```
- Change the owner of both to ebox:
```sh
sudo chown -R ebox:ebox /var/lib/zentyal/.ssh/
```
- Copy root's public key into /var/lib/zentyal/.ssh/authorized_keys on server A. Since the ebox user has no password, ssh-copy-id cannot be used and you will have to do it by hand: open /root/.ssh/id_rsa.pub on server B and paste its contents into /var/lib/zentyal/.ssh/authorized_keys on server A.
- Test that root on server B can ssh to server A as the ebox user without a password:
```sh
sudo ssh ebox@SERVER-A-IP
```
- Now you can restrict the key further:
1. Limit connections to one source IP:
To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and add this before the ssh-rsa part:
```
from="SERVER-B-IP" ssh-rsa dasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
```
2. Ensure that only rsync can be used over this ssh connection:
To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and add this before the ssh-rsa part:
```
command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
```
Now you must create the script referenced by that line, and make it executable (script taken from http://troy.jdmz.net/rsync/index.html):
```sh
#!/bin/sh
# sshd passes the command the client asked for in SSH_ORIGINAL_COMMAND.
# Refuse anything containing shell metacharacters, then only run it if it
# is an rsync server invocation; everything else is rejected.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*) echo "Rejected" ;;
    *\(*) echo "Rejected" ;;
    *\{*) echo "Rejected" ;;
    *\;*) echo "Rejected" ;;
    *\<*) echo "Rejected" ;;
    *\`*) echo "Rejected" ;;
    *\|*) echo "Rejected" ;;
    rsync\ --server*) $SSH_ORIGINAL_COMMAND ;;
    *) echo "Rejected" ;;
esac
```
If you use both options, separate them with a comma:
```
from="SERVER-B-IP",command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
```
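To see what the forced command will accept before relying on it, here is an added dry-run version of that filter (example code, not from the original page or the Zentyal project): it classifies a command string the way check_command.sh does, but returns a result instead of executing anything. The sample SSH_ORIGINAL_COMMAND values are constructed, and the rsync server option letters vary with the rsync version.

```shell
#!/bin/sh
# Added example (not part of the original page): dry-run check_command.sh.
# check_ssh_command "<cmd>" prints ALLOW or REJECT and returns 0 or 1 instead
# of running the command, so the rule can be exercised without an SSH session.
check_ssh_command() {
    _cmd="$1"
    case "$_cmd" in
        *\&*|*\(*|*\{*|*\;*|*\<*|*\`*|*\|*)   # same metacharacters the script rejects
            echo "REJECT (shell metacharacter): $_cmd"
            return 1 ;;
        rsync\ --server*)                       # only an rsync server invocation passes
            echo "ALLOW: $_cmd"
            return 0 ;;
        *)
            echo "REJECT (not an rsync server command): $_cmd"
            return 1 ;;
    esac
}

# Constructed sample values of SSH_ORIGINAL_COMMAND. The first has the shape of
# the command an "rsync -az" pull makes server A run; the rest must be refused.
for cmd in \
    'rsync --server --sender -logDtprze.iLsfxC . /var/lib/zentyal/CA' \
    'rsync --server --sender -logDtprze.iLsfxC . /var/lib/zentyal/CA; id' \
    'bash -i' \
    '/usr/bin/rsync --server --sender . /var/lib/zentyal/CA'
do
    check_ssh_command "$cmd" || :
done
```

Note that the pattern only inspects the prefix "rsync --server", not the path argument, so the file permissions of the ebox account on server A remain the boundary on what this key can read or write.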
- On server B, create the folder where you are going to store the script that will do the sync, and give it appropriate permissions:
```sh
sudo mkdir /var/local/rsync-ca
sudo chmod 754 /var/local/rsync-ca
```
- Create the script file and give it proper permissions (the folder created above is /var/local/rsync-ca, so the script lives there):
```sh
sudo touch /var/local/rsync-ca/rsync-ca
sudo chmod 740 /var/local/rsync-ca/rsync-ca
```
- Place the following content in the script (change the variables as needed):
```bash
#!/bin/bash
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/root/.ssh/id_rsa          # root's private key on server B
RUSER=ebox                     # remote user on server A
RHOST=SERVER-A-IP
RPATH=/var/lib/zentyal/CA      # CA folder on server A
LPATH=/var/lib/zentyal/        # parent folder on server B; CA/ is created inside it
# Pull the CA folder from server A over ssh, archive mode, compressed
"$RSYNC" -az -e "$SSH -i $KEY" "$RUSER@$RHOST:$RPATH" "$LPATH"
```
- Test the script and confirm that it works as expected
- Create the cron job for the script we have just created. For instance, to run it daily, write the following in /etc/cron.d/rsync-ca:
```
# /etc/cron.d/rsync-ca - Runs the script that syncs CA with SERVERA daily
SHELL=/bin/sh
PATH=/usr/bin:/bin
# Log data for report hourly
@daily root /var/local/rsync-ca/rsync-ca
```