script to remotely start several applications and instances

Need advice on the following:

a. What would be the best language for a script that I can use to create a restart facility for all applications and instances I have on, let's say, more than 20 servers?

b. Don't you think it's not secure to have a central script residing on one server to remotely create a script to restart remote applications?

c. Can you recommend how this can be done w/o sacrificing security? GUI?

You need something like net-snmp or nagios. SNMP is a protocol that is meant to monitor remote systems. SNMP has security built-in. If you are running Oracle, there are Oracle products like datagrid that will do this for you.

I would view creating a script as a poor alternative.

While you could probably write a script, the most straightforward method is to create a single God-like account for the entire set of systems you have. This has negative security implications.

A. I would say the scripting language you are most comfortable with. And then weigh that against what is required to start the apps. Offhand, probably combinations of shell, awk, perl.

B. With logic and keeping in mind what these scripts will be doing, I think you can be secure in the process. Tools like ssh, sudo, sudosh with general user / group permissions. But using all these with a clean logic of access and validations.

C. Your choice for the access and control of the scripts. Any user interface can be used to run and execute the scripts as needed. So if you are giving this ability to say your operations support area. Then the access and control could be different than for a group of support UNIX admins.

The how to do it and stay in SOX compliance depends on your environment and what the applications and/or instances are that you are trying to bounce. If it is a DB environment, that would be different and have other support groups and controls that need to be considered, like an Oracle grid stop / start sql script. Or a web server would maybe need a maintenance page put in place before the service is stopped. Can it be done? I would say yes. Can it be secure? Again I would say yes. Has this been done to meet all the security requirements? That would be a yes also.

You don't have to pay for a 3rd party app to do this and then have all the money paid out for support and maintenance. nagios/bigbro/hobbit freeware system monitors / alerting are a start and can send alerts out about problems. But I don't think I would use it to perform the actual bounce of services and applications. But the alert could be sent to operations support and then they have a procedure that they follow per the alert.

Many services have an auto restart built into them. And the system could do a restart from inittab for services also. That way if a service stops on the server then the OS sees it and performs the restart local to the server. No login required and no outside resources needed. You can build smart scripts that the init service would use to bounce a service or application. These methods have been around for years. And if you test and build a script to perform the actions it should not be a problem. Many of the Linux servers have these scripts in the init.d directory. And they are called and used during server stop / start.

Sounds like a challenge and will keep you busy for a month or so. Maybe longer lol...

Thanks for all your replies. All my 20 servers do have a restart script individually. My company would like, though, to have a central script for our monitoring officer to restart it instead of logging in to EACH server. Is it possible and secure? Any recommendation?

Yes it can be done and be secure. I've done a couple and basically here was my approach.

  1. Create the central users script. If needed, then make it menu driven. We created a base user, not a super user, for this account. In our case the home dir is an NFS mount to all the servers. So a script to send commands to another server wasn't needed. A NAS mounted device would work for this also.
  2. So since in most cases root needs to be the user to do the work, I have a local root script that is looping and looking for a file to show up in a defined directory on the global mount. Now this is where it depends on what you are trying to do on the server. So the dropped file could contain the objective to be bounced. So if you would bounce oracle and refresh sendmail, let's say, the file would be named <server name>_???.trg and contain oracle|sendmail. The local script would see the file, then consume the file and create a results file.
  3. The master script would look for the files to be consumed and the results being created.

There are a lot more steps to all this...

Security wise - since the user logs into the server as the service user, they don't know or have the ability to be root. That is all controlled by the scripts and your programs. And the service account, when it logs in, will only run the menu to do your application. And you will also do the trap command in the login control so they can't Ctrl-C or anything out to a shell.

This may sound worse than what the work really is. You could have the whole thing done in a day or so.
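An added sketch of the root-side consumer from step 2 (not the poster's script): because the trigger directory is writable by the unprivileged account, root only compares the file's contents against a fixed list and never executes them. The service names, init script paths and both directories are assumptions.

```shell
#!/bin/sh
# Added example, not from the post. The service names and init script paths in
# action(), and both directories, are assumptions for illustration.

# action NAME: map an allowed name to its fixed script; contents are never executed.
action() {
    case "$1" in
        oracle)   echo /etc/init.d/oracle ;;
        sendmail) echo /etc/init.d/sendmail ;;
        *)        return 1 ;;
    esac
}

# run CMD...: perform the restart; separate so a dry run can replace it.
run() { "$@" >/dev/null 2>&1; }

# process_trigger FILE: consume <server>_xxx.trg, write <server>_xxx.res.
process_trigger() {
    trg=$1; line=
    name=${trg##*/}
    # Results go to a root-only directory, so a symlink planted on the share cannot redirect root's write.
    res=${RESULT_DIR:-/var/spool/restart/results}/${name%.trg}.res
    # The shared mount is writable by the unprivileged account: plain files only.
    if [ -L "$trg" ] || [ ! -f "$trg" ]; then return 1; fi
    IFS= read -r line < "$trg" || :     # first line only, e.g. oracle|sendmail
    rm -f -- "$trg"                      # consume it so it cannot be replayed
    : > "$res"
    set -f; old_ifs=$IFS; IFS='|'        # split on "|" with globbing off
    for svc in $line; do
        if script=$(action "$svc"); then
            if run "$script" restart; then st=ok; else st=failed; fi
            printf '%s=%s\n' "$svc" "$st" >> "$res"
        else
            printf 'rejected=unknown-service\n' >> "$res"   # name not echoed back
        fi
    done
    IFS=$old_ifs; set +f
}

# watch_triggers: root's polling loop over this host's trigger files.
watch_triggers() {
    while :; do
        for t in "${TRIGGER_DIR:-/shared/restart}/$(hostname)"_*.trg; do
            [ -e "$t" ] && process_trigger "$t"
        done
        sleep 30
    done
}
if [ "${1:-}" = "watch" ]; then watch_triggers; fi
```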

Use some great NMS like NetXMS

Are you running Oracle (you mentioned instances)? It doesn't matter though. There have been many, many posts about 'remote commands' and 'central administration'.

My approach, which I'm surprised wasn't mentioned, is a wrapper for ssh.

If you can ssh to all your servers, then you can write a wrapper (or loop) to connect to all the servers and run a command.

My servers are running on different environments (application instances: sun java, glassfish etc., web instances, database: oracle, postgre, informix). All of them have their own restart script on the individual servers.

I'm thinking of doing this logic (actually this project is required by my boss :)

a. On the centralized host, a script that will ssh remotely to all the servers and point to the path where the restart script resides.

The support admin (not unix admin) will then have menu choices like: Restart a. server1 b. server2 c. server3 and so on...
So if I choose letter a, I will still have a choice to restart a. application b. web c. database. I will choose, say, letter a. Like that.

Do you recommend that logic?

Yea it will work. I have some menus like that. And the looping down to lower menus and then back up will take some logic. For the call-out with ssh you will probably need sudo so that the script that you call can do the sudo su - <user id> -c "<command to run>" type thing. And the global user that will be coming from the central server will have to be auth keyed for login.

What is that? Can you provide a template for my guide?

---------- Post updated 02-15-11 at 08:34 AM ---------- Previous update was 02-14-11 at 09:56 PM ----------

What is a wrapper? Do you have any template that I can use as a guide?

---------- Post updated at 08:35 AM ---------- Previous update was at 08:34 AM ----------

Just wanted to ask if anybody has a script template for the subject above so I can make it my guide? Example:

a. server 1.1.1.1: restart script located at /etc/init.d/glassfish.sh
b. server 2.2.2.2: central script that support admin will use to execute to restart the /etc/init.d/glassfish.sh at server 1.1.1.1

Note: rlogin, telnet, rsh disabled. Server 2.2.2.2 can only ssh 1.1.1.1, asking for login pw.

Any ideas so I can make it my guide? I will create a central script as per my old thread to remotely restart several application instances (like glassfish, sun java etc).
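An added example of the ssh wrapper and menu discussed in this thread, not code from any poster: the operator picks a label from an allowlist, and the wrapper runs exactly one sudo-permitted command over key-based ssh. The account name `restartop`, the key path, the label, the `restart` argument and the remote sudoers and authorized_keys lines are assumptions; only the two addresses and the script path come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: account "restartop",
# key path, labels, and that the init script accepts a "restart" argument.
# Remote side (on 1.1.1.1), also assumed:
#   sudoers:         restartop ALL=(root) NOPASSWD: /etc/init.d/glassfish.sh restart
#   authorized_keys: from="2.2.2.2",no-pty,no-port-forwarding,no-agent-forwarding <public key>

REMOTE_USER=restartop
KEY=${KEY:-$HOME/.ssh/restart_key}

# Allowlist, one target per line: label|host|script. Operators choose a label;
# they never type a host name or a command.
TARGETS='server1-app|1.1.1.1|/etc/init.d/glassfish.sh'

# lookup LABEL: print "host script" for an allowed label, else return 1.
lookup() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # labels are plain words only
    esac
    printf '%s\n' "$TARGETS" |
        awk -F'|' -v want="$1" '$1 == want { print $2, $3; ok = 1 } END { exit !ok }'
}

# restart LABEL: run the one permitted command on the one permitted host.
restart() {
    target=$(lookup "$1") || { echo "refused: target not in allowlist" >&2; return 2; }
    host=${target%% *}
    script=${target#* }
    # Audit trail: who asked for which restart (best effort).
    command -v logger >/dev/null 2>&1 && logger -t central-restart "by=$(id -un) target=$1" || :
    # BatchMode: fail instead of prompting for a password.
    # StrictHostKeyChecking: refuse hosts whose key is not already known.
    "${SSH:-ssh}" -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes \
        -i "$KEY" "$REMOTE_USER@$host" sudo -n "$script" restart
}

# menu: numbered list of labels; anything outside the list is rejected.
menu() {
    printf '%s\n' "$TARGETS" | awk -F'|' '{ print NR ") " $1 }'
    printf 'Restart which target? '
    read -r n
    case "$n" in ''|*[!0-9]*) echo "invalid choice" >&2; return 2 ;; esac
    label=$(printf '%s\n' "$TARGETS" | awk -F'|' -v n="$n" 'NR == n { print $1 }')
    restart "$label"
}

# Run the menu only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "menu" ]; then menu; fi
```

Adding a server or a database restart means adding one line to `TARGETS` and one matching sudoers entry on that host, so the central account never holds general root access.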