11 Replies Latest reply on Feb 24, 2006 4:06 PM by Andrew Knott

    Installing UNIX agents via SSH

      Has anyone out there created any SSH scripts to install BladeLogic agents on UNIX? Looking for a solution to help with bulk UNIX agent distribution.




        • 1. Re: Installing UNIX agents via SSH



          Tim Stockton, of Capgemini, has written scripts to do this using expect.


          I'll talk to him and post details later.



          • 2. Re: Installing UNIX agents via SSH



            Yes I have been working on automating agent installs via expect scripts. The work that I have done is very much 'proof of concept' and is in no way a working solution, but it has been used to automate the installs on a Solaris node - reducing the time of an install to about 2 minutes.


            The scripts use expect, which is in turn part of TCL/TK; expect should be on every Linux but will have to be installed on Solaris.


            While these scripts do work on the single node that I have tested on they will need some work to make them fit for a production rollout - for example if you SSH to a server for the first time you have to accept the new key pair, I have not scripted this part but it is certainly not very difficult.


            The scripts look for the agent install .sh file and the silent install answers file in a local directory called outgoing - I have not included that in this tar. The expect scripts are the .exp files and there is a very basic wrapper.sh script to call the expect scripts.


            Passwords and server names have been changed to protect the innocent :o)




            • 3. Re: Installing UNIX agents via SSH

              Sean Berry did a lot of expect scripting for ssh & telnet installations. I have a copy of the expect scripts, but Sean would have the latest copy, contact him for more info. (sberry@bladelogic.com)

              • 4. Re: Installing UNIX agents via SSH
                Sean Berry

                Here are a couple of scripts we used to automate agent installs. The ssh script is more usable than the telnet one. There are four packages you'll need to get expect working on Solaris: expect, tcl, tk, and one other I can't recall the name of.


                The usage doesn't print out on do-ssh, but if it did, it'd look like:


                puts "usage: do-ssh.exp \[user] \[password] \[package] \[script] \[hostname]"

                puts " where arguments are:"

                puts " # (username: root)"

                puts " # (password: password)"

                puts " # (package: /tmp/bl62package.tar)"

                puts " # (script: /tmp/RSCcfg.sh)"

                puts " # (hostname: yoyodyne.nsf.gov)"

                exit 1


                So your syntax for this is:




                Our package here was /tmp/bl62package.tar, which just contained all the supporting files for the install:


                gemsbl1d% tar tvf /tmp/bl62agent.tar

                -rw-r--r-- 60001/22766 20480 Jan 31 18:49 2005 RSCcfg.tar

                -rwxr-xr-x 60001/22766 7446089 Jan 24 17:13 2005 RSCD62-SOLSPARC.SH


                60001/22766 87 Jan 24 17:12 2005 nsh-install-defaults



                RSCcfg.tar is a tarball with the users, users.local, exports, secure files. It could conceivably also have had the nsh-install-defaults in it.


                do-ssh.exp pushes both the package and the script out, then executes the script, which -should- be able to complete the rest of the job.


                nsh-install-defaults is the silent install "answer" file for the Agent install, and RSCD62-SOLSPARC.SH is the actual installer for the Solaris agent. This script should work fine on any platform that has ssh.


                I ended up using a "package" tarball and script model because otherwise you end up with an arbitrary number of files to push, and I did not want to code for that.


                We used this script to push about 200 agents at GEHC, and it can also be handy for root password checking in environments where you may have 10 root passwords, and a set of machines that may have any of those passwords.


                Please feel free to contact me directly with questions or concerns. This is not a polished script, but is functional, handles the yes/no of new machines with new keys, and is relatively quick.

                • 5. Re: Installing UNIX agents via SSH

                  If I could be so bold as to make a suggestion, using passwords via SSH is unnecessary and doing away with them by using key files would eliminate a lot of the need for expect responses.


                  You have 2 options for using keyfiles. The first is a passphraseless key. This works well if you can trust the host that the private key resides on. Using a key without a passphrase means you're never prompted for a password/passphrase as long as you have the private key. The other option is to use a key with a passphrase and run an ssh-agent, which prompts once for authentication and then runs in the background to provide auth tokens to new ssh calls.


                  You can pass the '-q', "quiet mode", argument to ssh (at least OpenSSH) to not warn about a previously unknown host and automatically add it to known_hosts. This eliminates your second challenge-response need for expect.
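
Added example (not part of the original thread or of the scripts posted in it): a key-based, prompt-free version of the push discussed here, where each host's key is pinned from a trusted inventory before the first connection and ssh runs with BatchMode and StrictHostKeyChecking so it never stops to ask. The inventory file format, the function names and the direct root login are assumptions.

```sh
#!/bin/sh
# Added example. Assumed inventory format, one line per host, collected out of
# band (console, build image): "hostname keytype base64key"

# pin_host_key HOST INVENTORY KNOWN_HOSTS
# Copy HOST's expected key from the inventory into KNOWN_HOSTS (idempotent).
# Returns 1 when the inventory has no key for HOST, so the caller can skip it.
pin_host_key() {
    host=$1 inventory=$2 known=$3
    line=$(awk -v h="$host" '$1 == h { print; exit }' "$inventory")
    [ -n "$line" ] || return 1
    touch "$known"
    grep -qxF -- "$line" "$known" || printf '%s\n' "$line" >> "$known"
}

# install_agent HOST KEYFILE KNOWN_HOSTS PACKAGE SCRIPT
# Push package and script, then run the script, as do-ssh.exp does.
# BatchMode=yes: fail instead of prompting for a password or passphrase.
# StrictHostKeyChecking=yes: refuse hosts whose key is not the pinned one.
install_agent() {
    host=$1 pkg=$4 script=$5
    set -- -o BatchMode=yes -o StrictHostKeyChecking=yes \
           -o UserKnownHostsFile="$3" -i "$2"
    scp "$@" "$pkg" "$script" "root@$host:/tmp/" &&
        ssh "$@" "root@$host" "sh /tmp/$(basename "$script")"
}

# rollout HOSTLIST INVENTORY KEYFILE KNOWN_HOSTS PACKAGE SCRIPT
# One line of output per host that was not installed.
rollout() {
    while read -r h; do
        if pin_host_key "$h" "$2" "$4"; then
            # </dev/null keeps ssh from consuming the rest of the host list
            install_agent "$h" "$3" "$4" "$5" "$6" </dev/null ||
                echo "FAILED $h"
        else
            echo "SKIPPED $h (no pinned host key)"
        fi
    done < "$1"
}
```

A call would look like: rollout hosts.txt inventory.txt deploy_key known_hosts.rollout /tmp/bl62package.tar /tmp/RSCcfg.sh, where the first four file names are placeholders.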

                  • 6. Re: Installing UNIX agents via SSH
                    Sean Berry

                    You're welcome to use those: these scripts are for environments where SSH keys are not otherwise set up, and deploying the agent is our first step towards access in the environment.


                    In the particular customer environment these scripts were written for, there are ~500 servers, with at least a dozen different root passwords, and the existing agent penetration had already eclipsed . Of course, not every environment will allow root to ssh in directly, that'll require a bit more customization.


                    Very incidentally, we also developed a short script job here to deploy SSH keys via bladelogic. Ideally we'd deploy these via a grammar, snapshot, audit, and remediate.


                    Of course, anywhere SSH keys can be or have been set up, it'll be much easier to do agent deploys.

                    • 7. Re: Installing UNIX agents via SSH

                      Sorry, wrote this without understanding that you were at a base install and didn't have keys available.


                      I would then suggest having an "at install" base key be part of your Jumpstart or Kickstart image to use for such work. Or, go all out and use BL for your bare metal installs, right?

                      • 9. Re: Installing UNIX agents via SSH
                        Sean Berry

                        This do-telnet script no longer deletes /usr/nsh and /usr/lib/rsc, but instead renames them to /usr/nsh.old etc.

                        • 10. Re: Installing UNIX agents via SSH
                          Sean Berry

                          So, the packages you'll need to support these scripts are:





                          libgcc (optional, only if you don't have gcc installed)


                          For Solaris 8, consult this link:


                          • 11. Re: Installing UNIX agents via SSH

                            There is now a KB article for another Unix Bulk Installer that uses expect: