Today a bash vulnerability was announced, and I have nearly 1000 servers to patch. To save time I decided to use ansible to install the bash update package on all of them. Below I share my installation method.
1. Playbook content
19:00:03 # cd /etc/ansible
19:00:06 # cat update_bash.yml
---
- hosts: "{{ host }}"
  remote_user: "{{ user }}"
  gather_facts: True
  tasks:
  - name: update bash in redhat 6 version
    yum: name=http://mirrors.hustunique.com/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.1.x86_64.rpm state=present
    when: ansible_os_family == "RedHat" and ansible_distribution_version|int >=6
  - name: update bash in redhat 5 version
    yum: name=http://mirrors.hustunique.com/centos/5/updates/x86_64/RPMS/bash-3.2-33.el5.1.x86_64.rpm state=present
    when: ansible_os_family == "RedHat" and ansible_distribution_version|int <=5
The playbook determines the system version automatically from the gathered facts and installs the matching package. We originally wanted to pull the fix from the yum update repository, but the mirror was still syncing, so we had yum install the rpm file directly from the URL.
2. Test the system before installation (CentOS 6)
For the test I use a docker container as the target host.
16:32:46 # ssh 172.17.0.9
The authenticity of host '172.17.0.9 (172.17.0.9)' can't be established.
RSA key fingerprint is 39:7c:13:9f:d4:b0:d7:63:fc:ff:ae:e3:46:a4:bf:6b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.9' (RSA) to the list of known hosts.
root@172.17.0.9's password:
Last login: Thu Sep 25 16:31:32 2014 from 172.17.42.1
16:35:04 # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
The word "vulnerable" is printed, so this host's bash is affected.
3. Use the ansible playbook to upgrade bash
16:35:08 # time ansible-playbook update_bash.yml --extra-vars "host=172.17.0.9 user=root" -k
SSH password:

PLAY [172.17.0.9] *************************************************************

GATHERING FACTS ***************************************************************
ok: [172.17.0.9]

TASK: [update bash in redhat 6 version] ***************************************
changed: [172.17.0.9]

TASK: [update bash in redhat 5 version] ***************************************
skipping: [172.17.0.9]

PLAY RECAP ********************************************************************
172.17.0.9                 : ok=2    changed=1    unreachable=0    failed=0

real    0m35.901s
user    0m0.952s
sys     0m0.216s
4. Check for the vulnerability again
16:36:01 # ssh 172.17.0.9
root@172.17.0.9's password:
Last login: Thu Sep 25 16:35:57 2014 from 172.17.42.1
16:36:11 # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
The patched bash now refuses to import the function definition and "vulnerable" is no longer printed, so the vulnerability has been fixed on this host.
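The check in steps 2 and 4 is typed by hand on one host. When the same playbook is run against hundreds of hosts, it is more useful to have the check as a script with a clean exit status, so it can be pushed out with ansible before and after the upgrade and any host that still prints "vulnerable" fails the run. The following POSIX sh script is an added example and is not part of the original post; the function names, the "patched"/"vulnerable"/"no-bash" result strings, and the use of uname -n for the host name are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the env-import test from the
# post wrapped as a function with a clean exit status, plus a one-line
# report suitable for running across many hosts with ansible.

# shellshock_check [path-to-bash]
# Runs the same test the post uses interactively against the given bash
# binary (default: the bash on PATH). Prints "vulnerable", "patched" or
# "no-bash" on stdout and returns 1, 0 or 2 respectively.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # A fixed bash prints "ignoring function definition attempt" on stderr
    # and only "this is a test" on stdout; a vulnerable one also runs the
    # trailing echo. Only stdout is inspected, stderr is discarded.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "patched"
            return 0
            ;;
    esac
}

# Prints the installed bash rpm on RPM-based hosts so the result can be
# compared with the package versions named in the playbook; on other
# systems it reports that rpm is not available.
bash_rpm_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash 2>/dev/null || echo "bash-not-installed"
    else
        echo "rpm-not-available"
    fi
}

# One line per host: host name, package, check result. Returns the
# check's status so the script's exit code reflects the host's state.
shellshock_report() {
    result=$(shellshock_check)
    echo "$(uname -n): bash=$(bash_rpm_version) status=$result"
    shellshock_check >/dev/null
}

shellshock_report
```

Run it on a single host with sh shellshock_check.sh, or distribute it with ansible's script module (for example ansible -m script -a shellshock_check.sh against the same host pattern used for the playbook, with -f for parallelism); a non-zero return from any host marks that host as failed in the recap, which is exactly the list of machines that still need attention.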
The completed run looked like this:
[Screenshot: 5.jpg, the finished ansible run]
If there are a large number of hosts, add -f at run time and choose a suitable number of concurrent hosts (forks). I used this here and bash was upgraded on all hosts within a short time.
I hope this is helpful to you for updating bash in batches.
This article is from the "Yin-Technical Exchange" blog; please keep this source link: http://dl528888.blog.51cto.com/2382721/1558227
Automated O&M: an ansible playbook as a one-click solution for bash updates on a large number of hosts