CDP集群漏洞修复脚本(范例)
#!/bin/bash
# Directory that receives the run log; created if it is not there yet.
log_path='/ciblog/cdp_BugFix_log'
[ -d "$log_path" ] || mkdir -p "$log_path"
# Date stamp (YYYYMMDD) that becomes part of the log file name.
nowdate=$(date -d now +'%Y%m%d')
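# Unpack the CDP upgrade bundle and copy the replacement jars to every node.
# Globals:  log_path, nowdate (read) - directory and date stamp of the run log
# Outputs:  progress on stdout, failures on stderr and in the run log
# Returns:  0 when the bundle unpacked and every copy succeeded, 1 otherwise
distribute_CdpJars(){
  local log_file="$log_path/cdpBugFix_${nowdate}.log"
  local hosts ip rc=0
  echo -e "\033[33m ******** 将cdp的升级jar包分发到所有节点 ******** \033[0m"
  echo "cdp的升级jar包分发到所有节点" >>"$log_file"
  # NOTE(review): the bundle is unpacked and pushed as root, and no integrity
  # check is visible in this script. Compare the archive with a digest recorded
  # out of band (placeholder: <EXPECTED_SHA256>) before running.
  # Stop when extraction fails: otherwise a stale or partial cdp_jars directory
  # left by an earlier run would be copied to the nodes.
  if ! tar -zxvf /cib/jzxf/jz/tool_cib.tar.gz -C /cib/jzxf/jz/; then
    echo "extracting /cib/jzxf/jz/tool_cib.tar.gz failed; nothing was distributed" \
      | tee -a "$log_file" >&2
    return 1
  fi
  # The pattern is quoted so the shell neither globs it nor strips the
  # backslashes; unquoted, "\." reached grep as "." and matched any character.
  # Lines that contain '#' anywhere are dropped, as before.
  # NOTE(review): the pattern is not anchored, so names that merely contain
  # m[1-3].idss.com are selected too - confirm that is intended.
  hosts=$(grep 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')
  # hosts=`cat /cib/test_shell/cdp_jars/hosts.txt |grep idss|grep '#' -v| awk '{print $1}'`
  if [ -z "$hosts" ]; then
    echo "no host in /etc/hosts matched m[1-3].idss.com; nothing was distributed" \
      | tee -a "$log_file" >&2
    return 1
  fi
  # $hosts is left unquoted on purpose: one address per word.
  for ip in $hosts
  do
    echo -e "\033[33m 当前节点IP为:$ip, 正在执行介质jar包分发操作... \033[0m "
    echo "当前节点IP为:$ip, 正在执行jar包分发操作... " >>"$log_file"
    # Copy the jar directory to /opt/ on the node; a failed copy is recorded
    # instead of being ignored, and the remaining nodes are still attempted.
    if ! scp -r /cib/jzxf/jz/cdp_jars "root@$ip:/opt/"; then
      echo "scp to $ip failed" | tee -a "$log_file" >&2
      rc=1
    fi
  done
  return "$rc"
}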
# Distribute the staged CDP jars to the nodes before any host is patched.
# The exit status of this call is not checked here.
distribute_CdpJars
#function remote_function(){
#echo -e "\033[34m **************************************************\033[0m "
#hostname=$(hostname)
#echo -e "\033[32m *** 当前的主机名:$hostname ***\033[0m "
#ip_address=$(hostname -I)
#echo -e "\033[32m *** 当前主机IP地址:$ip_address ***\033[0m "
#echo "Hello from remote host!"
#echo -e "\033[34m **************************************************\033[0m "
#}
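fix_cdp_vulnerability(){
  # Swap the velocity, commons-fileupload, postgresql and xstream jars under
  # /opt/cloudera for the replacements staged in /opt/cdp_jars, keeping each
  # original next to it as <name>_bak.
  #
  # The script ships this function to each node with `typeset -f` and runs it
  # over ssh, so nothing defined outside the function body exists where it
  # executes. The helpers are therefore declared inside the body, and the log
  # location falls back to a default when log_path / nowdate are not set in
  # that shell (previously the log lines went to /cdpBugFix_.log on the node).
  #
  # Globals:  log_path, nowdate (read, optional)
  # Outputs:  progress on stdout, failures on stderr and in the run log
  # Returns:  0 when every section was applied or had been applied before;
  #           1 when the staged jars are missing, a target jar cannot be
  #           identified unambiguously, or a backup/copy step fails
  #
  # NOTE(review): the staged jars are installed as root and no integrity check
  # is visible here; compare them with digests recorded from the publisher
  # (placeholder: <DIGEST_FILE>) before running.
  # NOTE(review): a failed step stops the run and may leave a section half
  # applied; the "already updated" checks then skip it on the next run, so
  # inspect the node by hand after any failure.
  # NOTE(review): uses `local`; assumes the login shell on the node is bash.
  local cdp_jarsDir="/opt/cdp_jars"
  local cm_common_jarsPath='/opt/cloudera/cm/common_jars'
  local cm_lib_Path='/opt/cloudera/cm/lib'
  local cm_parcels_Path='/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars'
  local new_velocity="$cdp_jarsDir/velocity-engine-core-2.3.jar"
  local new_fileupload="$cdp_jarsDir/commons-fileupload-1.5.jar"
  local new_postgresql="$cdp_jarsDir/postgresql-42.2.26.jar"
  local new_xstream="$cdp_jarsDir/xstream-1.4.20.jar"
  local log_dir log_file hostname ip_address
  local jar_name jar_nums jar_name_2 jar_nums_2
  local jar_name_3 jar_nums_3 jar_name_4 jar_nums_4

  log_dir=${log_path:-/ciblog/cdp_BugFix_log}
  log_file="$log_dir/cdpBugFix_${nowdate:-$(date +'%Y%m%d')}.log"
  if ! mkdir -p -- "$log_dir"; then
    echo "cannot create $log_dir; file logging is disabled for this run" >&2
    log_file=/dev/null
  fi

  # Print the names of the regular files in directory $1 that match glob $2
  # and do not contain "_bak", one per line.
  _cdp_list_jars() {
    local f
    # shellcheck disable=SC2231 - $2 is unquoted on purpose so the glob expands
    for f in "$1"/$2; do
      [ -f "$f" ] || continue
      case "${f##*/}" in *_bak*) continue ;; esac
      printf '%s\n' "${f##*/}"
    done
  }

  # Print how many lines $1 holds (0 for an empty string).
  _cdp_count() {
    if [ -z "$1" ]; then
      echo 0
    else
      printf '%s\n' "$1" | wc -l
    fi
  }

  # Write message $1 to stderr and to the run log.
  _cdp_fail() {
    echo "$1" >&2
    echo "$1" >>"$log_file"
  }

  # Require exactly one match. $1 = count, $2 = the script's "not found"
  # message, $3 = label used when several files matched.
  _cdp_check_single() {
    if [ "$1" -eq 0 ]; then
      echo "$2"
      echo "$2" >>"$log_file"
      return 1
    fi
    if [ "$1" -gt 1 ]; then
      _cdp_fail "$1 files matched $3; refusing to guess which one to replace"
      return 1
    fi
  }

  # Rename every file named after $1 (a directory) to <name>_bak, stopping at
  # the first failure.
  _cdp_backup() {
    local dir=$1 name
    shift
    for name in "$@"; do
      mv -- "$dir/$name" "$dir/${name}_bak" || return 1
    done
  }

  # Back up $1/$2 as $1/$2_bak, then install jar $3 under the old name $2.
  # The backup is moved back when the copy fails, so the old jar is never lost.
  _cdp_swap_in_place() {
    mv -- "$1/$2" "$1/${2}_bak" || return 1
    if ! cp -- "$3" "$1/$2"; then
      mv -- "$1/${2}_bak" "$1/$2"
      return 1
    fi
  }

  # Copy jar $2 into directory $1 and point the old name $3 at it with a
  # relative symlink.
  _cdp_install_linked() {
    cp -- "$2" "$1/" || return 1
    ( cd -- "$1" && ln -sfv -- "${2##*/}" "$3" )
  }

  echo -e "\033[35m =========================== 判断介质是否存在 ================================\033[0m "
  # Every replacement jar must be staged before anything is touched.
  if ! { [ -d "$cdp_jarsDir" ] && [ -f "$new_velocity" ] && [ -f "$new_fileupload" ] \
    && [ -f "$new_postgresql" ] && [ -f "$new_xstream" ]; }; then
    echo -e "介质文件不存在..,无法执行漏洞修复操作!"
    echo "介质文件不存在..,无法执行漏洞修复操作!" >>"$log_file"
    # Non-zero so the ssh caller can tell this node was not patched.
    return 1
  fi

  echo -e "\033[34m **************************************************\033[0m "
  hostname=$(hostname)
  echo -e "\033[32m *** 当前的主机名:$hostname ***\033[0m "
  ip_address=$(hostname -I)
  echo -e "\033[32m *** 当前主机IP地址:$ip_address ***\033[0m "
  echo -e "\033[34m **************************************************\033[0m "

  # 1. velocity: the common_jars file is velocity-1.7.<suffix>.jar and the
  #    suffix differs per installation, hence the glob.
  jar_name=$(_cdp_list_jars "$cm_common_jarsPath" '*velocity-1.7.*')
  jar_nums=$(_cdp_count "$jar_name")
  # Any backup or 2.3 jar already in place means this section ran before.
  if [ ! -f "$cm_common_jarsPath/${jar_name}_bak" ] \
    && [ ! -f "$cm_lib_Path/velocity-engine-core-2.0.jar_bak" ] \
    && [ ! -f "$cm_lib_Path/velocity-engine-core-2.3.jar" ] \
    && [ ! -f "$cm_parcels_Path/velocity-engine-core-2.3.jar" ] \
    && [ ! -f "$cm_parcels_Path/velocity-1.7.jar_bak" ] \
    && [ ! -f "$cm_parcels_Path/velocity-1.5.jar_bak" ]; then
    echo -e "\033[32m $jar_name 文件尚未更新,可以执行更新操作! \033[0m"
    _cdp_check_single "$jar_nums" " 没有查询到该jar包,无法升级!" \
      "velocity-1.7.* in $cm_common_jarsPath" || return 1
    echo "需要升级的jar包,$jar_nums 个;jar名称为:$jar_name"
    echo -e "\033[34m 升级cm的common_jars目录下的velocity的jar包为2.3版本 \033[0m "
    # The 2.3 jar is installed under the old file name.
    # NOTE(review): confirm the services that load this name accept the 2.x jar.
    _cdp_swap_in_place "$cm_common_jarsPath" "$jar_name" "$new_velocity" \
      || { _cdp_fail "replacing $jar_name in $cm_common_jarsPath failed"; return 1; }
    echo -e "\033[34m 升级cm的lib包下的velocity-engine-core-2.0.jar包为2.3版本 \033[0m "
    echo "升级cm的lib包下的velocity-engine-core-2.0.jar包为2.3版本" >>"$log_file"
    { _cdp_backup "$cm_lib_Path" velocity-engine-core-2.0.jar \
      && cp -- "$new_velocity" "$cm_lib_Path/"; } \
      || { _cdp_fail "replacing velocity-engine-core-2.0.jar in $cm_lib_Path failed"; return 1; }
    echo -e "\033[34m 升级/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars目录下jar包...\033[0m "
    # NOTE(review): velocity-1.7.jar is backed up but only velocity-1.5.jar gets
    # a link to the new jar, unlike commons-fileupload-1.4.jar and
    # postgresql-42.2.14.jar below - confirm that is intended.
    { _cdp_backup "$cm_parcels_Path" velocity-1.7.jar velocity-1.5.jar \
      && _cdp_install_linked "$cm_parcels_Path" "$new_velocity" velocity-1.5.jar; } \
      || { _cdp_fail "replacing the velocity jars in $cm_parcels_Path failed"; return 1; }
  else
    echo -e "\033[31m 错误,$jar_name 文件已更新! \033[0m"
  fi

  # 2. commons-fileupload: 1.4 -> 1.5
  jar_name_2=$(_cdp_list_jars "$cm_common_jarsPath" '*commons-fileupload*')
  jar_nums_2=$(_cdp_count "$jar_name_2")
  if [ ! -f "$cm_common_jarsPath/${jar_name_2}_bak" ] \
    && [ ! -f "$cm_parcels_Path/commons-fileupload-1.4.jar_bak" ] \
    && [ ! -f "$cm_parcels_Path/commons-fileupload-1.5.jar" ]; then
    echo -e "\033[32m $jar_name_2 文件尚未更新,可以执行更新操作! \033[0m"
    _cdp_check_single "$jar_nums_2" "没有查询到该jar包$jar_name_2,无法升级!" \
      "commons-fileupload in $cm_common_jarsPath" || return 1
    echo "需要升级的jar包,$jar_nums_2 个;jar名称为:$jar_name_2"
    echo -e "\033[34m 升级cm的common_jars目录下的commons-fileupload-1.4.jar包 \033[0m "
    _cdp_swap_in_place "$cm_common_jarsPath" "$jar_name_2" "$new_fileupload" \
      || { _cdp_fail "replacing $jar_name_2 in $cm_common_jarsPath failed"; return 1; }
    echo -e "\033[34m 升级cm的/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars,目录下的commons-fileupload的jar包 \033[0m "
    { _cdp_backup "$cm_parcels_Path" commons-fileupload-1.4.jar \
      && _cdp_install_linked "$cm_parcels_Path" "$new_fileupload" commons-fileupload-1.4.jar; } \
      || { _cdp_fail "replacing commons-fileupload-1.4.jar in $cm_parcels_Path failed"; return 1; }
  else
    # This section had been applied before.
    echo -e "\033[31m 错误,$jar_name_2 文件已更新! \033[0m"
  fi

  # 3. postgresql: 42.2.24 (common_jars) and 42.2.14 (parcel) -> 42.2.26
  jar_name_3=$(_cdp_list_jars "$cm_common_jarsPath" '*postgresql-42.2.24*')
  jar_nums_3=$(_cdp_count "$jar_name_3")
  if [ ! -f "$cm_common_jarsPath/${jar_name_3}_bak" ] \
    && [ ! -f "$cm_parcels_Path/postgresql-42.2.14.jar_bak" ] \
    && [ ! -f "$cm_parcels_Path/postgresql-42.2.26.jar" ]; then
    echo -e "\033[32m $jar_name_3 文件尚未更新,可以执行更新操作! \033[0m"
    _cdp_check_single "$jar_nums_3" "没有查询到该jar包$jar_name_3,无法升级!" \
      "postgresql-42.2.24 in $cm_common_jarsPath" || return 1
    echo "需要升级的jar包,$jar_nums_3 个;jar名称为:$jar_name_3"
    echo -e "\033[34m 升级cm的common_jars目录下的包postgresql的jar包 \033[0m "
    _cdp_swap_in_place "$cm_common_jarsPath" "$jar_name_3" "$new_postgresql" \
      || { _cdp_fail "replacing $jar_name_3 in $cm_common_jarsPath failed"; return 1; }
    echo -e "\033[34m 升级cm的/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars目录下的postgresql的jar包 \033[0m "
    { _cdp_backup "$cm_parcels_Path" postgresql-42.2.14.jar \
      && _cdp_install_linked "$cm_parcels_Path" "$new_postgresql" postgresql-42.2.14.jar; } \
      || { _cdp_fail "replacing postgresql-42.2.14.jar in $cm_parcels_Path failed"; return 1; }
  else
    # This section had been applied before.
    echo -e "\033[31m 错误,$jar_name_3 文件已更新! \033[0m"
  fi

  # 4. xstream -> 1.4.20 (common_jars only)
  jar_name_4=$(_cdp_list_jars "$cm_common_jarsPath" '*xstream*')
  jar_nums_4=$(_cdp_count "$jar_name_4")
  if [ ! -f "$cm_common_jarsPath/${jar_name_4}_bak" ]; then
    echo -e "\033[32m ${jar_name_4}文件尚未更新,可以执行更新操作! \033[0m"
    _cdp_check_single "$jar_nums_4" "没有查询到该jar包$jar_name_4,无法升级!" \
      "xstream in $cm_common_jarsPath" || return 1
    echo "需要升级的jar包,$jar_nums_4 个;jar名称为:$jar_name_4"
    echo -e "\033[34m 升级cm的common_jars目录下xstream的jar包 \033[0m "
    _cdp_swap_in_place "$cm_common_jarsPath" "$jar_name_4" "$new_xstream" \
      || { _cdp_fail "replacing $jar_name_4 in $cm_common_jarsPath failed"; return 1; }
  else
    # This section had been applied before.
    echo -e "\033[31m 错误,$jar_name_4 文件已更新! \033[0m"
    echo "错误,$jar_name_4 文件已更新!" >>"$log_file"
  fi
  return 0
}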
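# Build the host list and run the fix on every host in turn.
# The pattern is quoted so the shell neither globs it nor strips the
# backslashes; unquoted, "\." reached grep as "." and matched any character.
hosts=$(grep 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')
# hosts=`cat /cib/test_shell/cdp_jars/hosts.txt |grep idss|grep '#' -v| awk '{print $1}'`
failed_hosts=""
# $hosts is left unquoted on purpose: one address per word.
for ip in $hosts
do
  echo "连接到主机: $ip"
  #ssh root@$ip "$(typeset -f remote_function);remote_function"
  # typeset -f sends only the text of fix_cdp_vulnerability; variables and
  # functions defined elsewhere in this script do not exist on the remote side.
  # A non-zero status means ssh could not connect or the remote command failed.
  if ! ssh "root@$ip" "$(typeset -f fix_cdp_vulnerability);fix_cdp_vulnerability"; then
    failed_hosts="$failed_hosts $ip"
  fi
  sleep 2
done
# Record the hosts that need a manual look instead of dropping the result.
if [ -n "$failed_hosts" ]; then
  echo "fix_cdp_vulnerability returned a non-zero status on:$failed_hosts" \
    | tee -a "$log_path/cdpBugFix_${nowdate}.log" >&2
fi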
echo -e "\033[35m =========================== 重启CM操作 ================================\033[0m "
# Verification step: restart the CM services
# master node
# ssh z101
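function restartCM(){
  # Restart the Cloudera Manager server on m1, then the agent on every host
  # whose /etc/hosts line matches m[1-3].idss.com.
  # Globals:  log_path, nowdate (read) - directory and date stamp of the run log
  # Outputs:  progress on stdout, failures on stderr and in the run log
  # Returns:  0 when every restart command succeeded, 1 otherwise
  local log_file="$log_path/cdpBugFix_${nowdate}.log"
  local hosts ip rc=0
  echo -e "\033[32m 开始执行CM重启操作... \033[0m"
  echo -e "开始执行CM重启操作... " >>"$log_file"
  #echo -e "\033[32m 重启Cloudera Manager Server... \033[0m"
  # A failed server restart is recorded; the agents are still restarted, as
  # before, but the function then reports failure.
  if ! ssh root@m1 "systemctl restart cloudera-scm-server.service"; then
    echo "restart of cloudera-scm-server on m1 failed" | tee -a "$log_file" >&2
    rc=1
  fi
  # The pattern is quoted so the shell neither globs it nor strips the
  # backslashes; unquoted, "\." reached grep as "." and matched any character.
  hosts=$(grep 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')
  # hosts=`cat /etc/hosts |grep idss|grep '#' -v| awk '{print $1}'`
  # $hosts is left unquoted on purpose: one address per word.
  for ip in $hosts
  do
    if ! ssh "root@$ip" "systemctl restart cloudera-scm-agent"; then
      echo "restart of cloudera-scm-agent on $ip failed" | tee -a "$log_file" >&2
      rc=1
    fi
    sleep 2
  done
  return "$rc"
}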
# NOTE(review): this restart runs unconditionally; nothing earlier in the
# script stops the run when a host could not be patched.
restartCM