Syncing Zentyal CA between two Zentyal servers

This document describes how to set up CA sync between two Zentyal servers. We will use rsync, run from a cron job, over SSH.
We will use root on the side that starts the connection (the provided script will be run by root's cron) and ebox on the side that receives it. Any other user could be used, but using the ebox user avoids having to create extra, unneeded configuration. For the sake of the example we'll be referring to two servers:

  1. (Server A) The server on which the CA existed previously, and from which the files for the CA will be taken.
  2. (Server B). The secondary server to which we want to export the CA which exists on Server A.

In order to better understand the procedure, keep in mind that:
Zentyal CA files are stored in /var/lib/zentyal/CA
This folder has these permissions (owner ebox, group ebox, mode 751):

drwxr-x--x 9 ebox ebox

The ebox user has /var/lib/zentyal/ as its home directory, so its SSH configuration lives in /var/lib/zentyal/.ssh/

With this information, we'll proceed to follow these steps:
  • Check that rsync is installed on server B, and if not install it:
 sudo apt-get install rsync
  • Check whether root has an RSA key on server B. If it does not, create one with ssh-keygen. Leave the passphrase empty: the key will be used from cron, where nobody can type it. Run this as root:
 if [ ! -f /root/.ssh/id_rsa.pub ] ; then /usr/bin/ssh-keygen ; else echo "Key already exists" ; fi

 

  • On server A, create the folder /var/lib/zentyal/.ssh/ and the file authorized_keys:
sudo mkdir -p /var/lib/zentyal/.ssh/
sudo touch /var/lib/zentyal/.ssh/authorized_keys
  • Chown both to ebox:ebox:
sudo chown -R ebox:ebox /var/lib/zentyal/.ssh/
  • Copy server B's root public key into /var/lib/zentyal/.ssh/authorized_keys on server A. Since the ebox user has no password you cannot use ssh-copy-id, so do it by hand: open /root/.ssh/id_rsa.pub on server B and paste its contents into /var/lib/zentyal/.ssh/authorized_keys on server A. Make sure neither the .ssh directory nor authorized_keys is writable by anyone other than ebox (700 for the directory, 600 for the file is the usual choice), otherwise sshd's StrictModes check will ignore the file.
  • Test from server B that root can ssh to server A as ebox without a password. This also records server A's host key in /root/.ssh/known_hosts, which the cron job will need since it cannot answer the host-key prompt:
sudo ssh ebox@SERVER-A-IP
  • Now you can:

1. Limit connections to server B's IP:

To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and prepend this to the key line, before the ssh-rsa keyword (the key below is a placeholder, not a real key):

from="SERVER-B-IP" ssh-rsa dasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname

2. Ensure that only rsync can be run over this SSH connection:
To do so, edit /var/lib/zentyal/.ssh/authorized_keys on SERVER A and prepend a forced command to the key line, before the ssh-rsa keyword. Whatever the client asks to run, sshd will execute this command instead and hand the client's request to it in the SSH_ORIGINAL_COMMAND environment variable:

command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname

Now you must create the script that line points to, /usr/share/bin/check_command.sh (script taken from http://troy.jdmz.net/rsync/index.html). It must be executable by ebox, and it should be owned by root and not writable by ebox, so that whoever holds the key cannot edit the check that restricts the key:

#!/bin/sh
# Forced-command wrapper: sshd runs this instead of whatever the client asked
# for, and passes the client's request in SSH_ORIGINAL_COMMAND.

case "$SSH_ORIGINAL_COMMAND" in
# Refuse anything that looks like shell syntax (command chaining,
# subshells, redirections, command substitution, pipes).
*\&*|*\(*|*\{*|*\;*|*\<*|*\`*|*\|*)
echo "Rejected"
;;
# Allow only what rsync itself starts on the remote side.
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
# Everything else (an interactive shell, scp, arbitrary commands) is refused.
*)
echo "Rejected"
;;
esac

If you use both options, separate them with a ",":

from="SERVER-B-IP",command="/usr/share/bin/check_command.sh" ssh-rsa fdasghgdgh+RqUVx5wzgnaMxH2Km5KRx0Wzvsa5YvxjwERVVXs2mUEes5mDpoDMX9pUAwKqPCS5CLyDwI+t0xNmVzPzeZjhypIfvBmgaG7pBNx7Zted7C+fha1X3SUmT4TguLzy7pfWbG7CKr2XkkFUYUOdUniYc99NsIxY1/51+/jjhfgjhfg/Pr5jqH+jhfjfgj/jhfgjh+9kErROS1z root@hostname
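The wrapper above accepts any command that begins with rsync --server, which also lets the holder of server B's key write into server A or read any path ebox can read. Since in this setup server B only ever pulls /var/lib/zentyal/CA, the forced command can be much narrower. The script below is an added example, not the page's check_command.sh nor anything shipped by Zentyal: it only admits the exact server-side invocation that the page's rsync -az pull produces (rsync --server --sender <flags> . /var/lib/zentyal/CA), executes a fixed rsync binary instead of re-expanding the client's string, and can be exercised against constructed requests. The CA_DIR value, the allow_rsync_pull helper and the constructed commands are assumptions of this example; if the rsync invocation on server B later gains options such as --delete, the allow-list has to be widened deliberately.

```shell
#!/bin/sh
# Added example (not the page's script): stricter forced command for the ebox
# key on server A. Only a pull of CA_DIR is allowed; everything else is refused.
CA_DIR=/var/lib/zentyal/CA   # assumption: the path server B pulls

NL='
'

# allow_rsync_pull CMD: return 0 if CMD is exactly the server-side rsync that a
# pull of CA_DIR starts, 1 otherwise. Hypothetical helper written for this example.
allow_rsync_pull() {
    cmd=$1
    # Reject shell syntax and glob characters outright, like the original script.
    case "$cmd" in
        *\&*|*\(*|*\{*|*\;*|*\<*|*\>*|*\`*|*\|*|*\$*|*\**|*\?*|*"$NL"*)
            return 1 ;;
    esac
    # Split on whitespace with globbing off and check every word: the pull
    # looks like  rsync --server --sender -logDtprze.iLsfxC . /var/lib/zentyal/CA
    set -f
    set -- $cmd
    [ "$#" -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    case "$4" in
        -[!-]*) ;;              # the single short-option word rsync -a... generates
        *) return 1 ;;
    esac
    [ "$5" = . ] && [ "$6" = "$CA_DIR" ]
}

# When sshd runs this as the forced command, the client's request is in
# SSH_ORIGINAL_COMMAND. Run a pinned rsync with the checked words, never the
# raw string through a shell.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    if allow_rsync_pull "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        shift                         # drop the "rsync" word, the binary is fixed
        exec /usr/bin/rsync "$@"
    fi
    echo "Rejected" >&2
    exit 1
fi
```

Because the command words are fixed, a stolen key from server B can no longer be used to push files into server A's CA directory or to read /etc with an rsync --server --sender of a different path; the from= restriction still limits which host may present the key at all.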

 

  • On server B, as root, create the folder where you're going to store the script that will do the sync and give it appropriate permissions:
mkdir /var/local/rsync-ca
chmod 754 /var/local/rsync-ca

 

  • Create the script file /var/local/rsync-ca/rsync-ca (the same path the cron job below refers to) and give it proper permissions, so that only root can edit and run it:
 chmod 740 /var/local/rsync-ca/rsync-ca

 

  • Place the following content in the script (change the variables as needed):
#!/bin/bash
# Pull the CA directory from server A into this server's /var/lib/zentyal/.
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
KEY=/root/.ssh/id_rsa        # root's key, authorized for ebox on server A
RUSER=ebox
RHOST=SERVER-A-IP
RPATH=/var/lib/zentyal/CA    # no trailing slash: the CA directory itself is copied
LPATH=/var/lib/zentyal/      # so it lands as /var/lib/zentyal/CA here
# -a keeps ownership (ebox) and permissions of the CA files, -z compresses.
# Files removed on server A are not removed here unless --delete is added.
"$RSYNC" -az -e "$SSH -i $KEY" "$RUSER@$RHOST:$RPATH" "$LPATH"

 

  • Run the script by hand as root and confirm that it works as expected (server A's CA files appear under /var/lib/zentyal/CA on server B, owned by ebox).

 

  • Create the cron job for the script we have just created. For instance, to run it daily, write the following in /etc/cron.d/rsync-ca :
 # /etc/cron.d/rsync-ca - Runs the script that syncs the CA from SERVER A daily

SHELL=/bin/sh
PATH=/usr/bin:/bin

# Sync the CA from SERVER A once a day, as root
@daily root /var/local/rsync-ca/rsync-ca
