
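I have a set of Linux computers (hereafter "nodes") that I would call transient members of a network. The nodes are vehicle-mounted and move in and out of wifi coverage regularly.

Of course, it is often beneficial for me to push an update of a single script, program, or file to all nodes. What I've come up with is this:

  1. Generate a key pair that is shared by all nodes
  2. Encrypt the new file version, with a header that includes the installation path, on my workstation. My workstation of course has the public key.
  3. Place the encrypted update in a network "staging" folder that is accessible to the nodes
  4. When a node finds itself well-connected, it checks the staging folder.
  5. If there are files, they are:
    • copied to the node
    • decrypted
    • checked for integrity ("Does the file header look good?")
    • moved to the location prescribed by the header

Here's a simple version of my code. Is this a bad idea? Is there a more elegant way to deal with updating unattended nodes on super flaky connections?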

    #!/bin/bash
    #A method for autonomously retrieving distributed updates

    #The latest and greatest files are here:
    stageDir="/remoteDirectory/stage"
    #Files are initially copied to a quarantine area
    qDir="/localDirectory/quarantine"
    #If all went well, put a copy of the encrypted file here:
    aDir="/localDirectory/pulled"
    #generic extension for encrypted files "Secure Up Date"
    ext="sud"

    for file in "$stageDir"/*."$ext"; do    #For each "sud" file...
        [ -e "$file" ] || continue  #Skip the literal pattern when nothing matches
        fname=$(basename "$file")
        if [ ! -f "$aDir/$fname" ]; then  #If this file has not already been worked on...
            cp "$file" "$qDir/$fname" #Copy it to the quarantine directory
        else
            echo "$fname has already been pulled"   #Move along
        fi
    done

    if [ "$(ls "$qDir")" ]; then  #If there's something to do (i.e. files in the directory)
        for file in "$qDir"/*."$ext"; do
            [ -e "$file" ] || continue  #Skip the literal pattern when nothing matches
            fname=$(basename "$file")
            qPath="$qDir/$fname"
            untrusted="$qPath.untrusted"
            #Decrypt file
            gpg --output "$untrusted" --yes --passphrase "supersecretpassphrase" --decrypt "$qPath" #Say yes to overwriting
            headline=$(head -n 1 "$untrusted")    #Get the header (which is the first line of the file)
            #Check to see if this is a valid file
            if [[ $headline == "#LOOKSGOOD:"* ]]; then  #All headers must start with "#LOOKSGOOD:" or something
                #Get install path
                installPath=$(echo "$headline" | cut -d ':' -f 2-) #Get the stuff after the first colon
                tail -n +2 "$untrusted" > "$installPath"    #Send everything but the header line to the install path
                #Clean up our working files
                rm "$untrusted"
                mv "$qPath" "$aDir/$fname"
                #Report what we did
                echo "$headline"
            else
                #trash the file if it's not a legit file
                echo "$fname is not a legit update...trashing it"
                rm "$qDir/$fname"*
            fi
        done
    fi
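
The header handling from the script above, as an added example that is not part of the original post: it parses the `#LOOKSGOOD:<path>` line, accepts the install path only under an allowed root with no `..` components or symlinked destination, and installs by writing a temporary file and renaming it. `ALLOWED_ROOT`, its default `/opt/node-updates` and the function name `install_update` are assumptions.

```bash
#!/bin/bash
# Added example: vet the "#LOOKSGOOD:<path>" header before installing.
# ALLOWED_ROOT and install_update are hypothetical names, not from the post.
ALLOWED_ROOT="${ALLOWED_ROOT:-/opt/node-updates}"

# install_update <decrypted-file>: returns 0 after installing the payload,
# 1 if the header or the requested path is rejected.
install_update() {
    local untrusted="$1" headline="" installPath destDir tmp
    IFS= read -r headline < "$untrusted" || [ -n "$headline" ] || return 1
    case "$headline" in
        "#LOOKSGOOD:"*) installPath=${headline#"#LOOKSGOOD:"} ;;
        *) echo "rejected: bad header" >&2; return 1 ;;
    esac
    # Reject ".." components and anything outside the allowed root
    # (relative paths fail the root check as well).
    case "$installPath" in
        *"/../"*|*"/..") echo "rejected: path traversal" >&2; return 1 ;;
        "$ALLOWED_ROOT"/?*) ;;
        *) echo "rejected: outside $ALLOWED_ROOT" >&2; return 1 ;;
    esac
    destDir=$(dirname -- "$installPath")
    # Refuse a missing or symlinked parent directory and a symlinked target.
    if [ ! -d "$destDir" ] || [ -L "$destDir" ] || [ -L "$installPath" ]; then
        echo "rejected: unsafe destination" >&2; return 1
    fi
    # Write beside the target, then rename: an interrupted run never leaves
    # a half-written file at the install path.
    tmp=$(mktemp "$destDir/.update.XXXXXX") || return 1
    # Keep the mode of the file being replaced (GNU chmod --reference).
    if [ -e "$installPath" ] && ! chmod --reference="$installPath" "$tmp"; then
        rm -f -- "$tmp"; return 1
    fi
    if tail -n +2 -- "$untrusted" > "$tmp" && mv -f -- "$tmp" "$installPath"; then
        return 0
    fi
    rm -f -- "$tmp"
    return 1
}
```

The header check alone shows that a file was encrypted to the shared key, which anyone holding the public key can do; a signature made on the workstation and checked on the node with `gpg --verify` would tie the file to its sender.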