Updated on 2025-08-28 GMT+08:00

Using Scripts to Batch Update the One-Click Password Reset Plug-ins for Linux ECSs

Scenarios

The offline password reset depends on the one-click password reset plug-in. If the one-click password reset plug-in is updated for security purposes, you can update the plug-in for an individual ECS by referring to this section.

This section describes how to use a script to batch update the one-click password reset plug-ins for multiple Linux ECSs.

Prerequisites

  • An executor ECS meeting the requirements in Constraints is available.
  • You have obtained the IP addresses of the ECSs where the plug-ins are to be batch installed, and the password of user root or the private key file for login.
  • The executor ECS and the ECSs whose password reset plug-ins are to be updated must be in the same VPC.
  • The EIP can be unbound only after you perform step 6.

Constraints

  • The executor ECS must use the public image CentOS 7, have an EIP bound, and be able to communicate with the ECSs where the plug-ins are to be batch installed.

    If the internal yum repository has been configured, the executor ECS does not require an EIP.

  • If ECSs are authenticated using key pairs, the plug-in can be batch installed only for ECSs using the same key pair.

Procedure

  1. Log in to the executor ECS as user root.
  2. Install the dependency required for batch script execution.

    yum install ansible -y

  3. Download the plug-in package CloudResetPwdAgent.zip and verify its integrity by referring to Obtaining the One-Click Password Reset Plug-in and Verifying Its Integrity (Linux).

    There is no special requirement for the directory that stores CloudResetPwdAgent.zip.

  4. Download the batch execution script to the root directory.

    curl URL > ~/batch_update_log4j_version.py

    URL is the address for downloading the batch execution script.

    Select an address for downloading the script based on the region where the ECSs are located.

  5. Download the plug-in update script to the root directory.

    curl URL > ~/update_log4j_version_for_resetpwdagent.sh

    URL is the address for downloading the plug-in update script.

    Select an address for downloading the script based on the region where the ECSs are located.

  6. Check whether the following files are in the root directory:
    • batch_update_log4j_version.py
    • update_log4j_version_for_resetpwdagent.sh
    • CloudResetPwdAgent.zip
  7. Create host_list.txt and press i to enter editing mode.

    vi host_list.txt

    Enter the information of the target ECSs in the host_list.txt file.

    The file format must match the login mode used by the target ECSs.

    • If the target ECSs use a key pair for authentication, enter the following information:
      • Upload the private key file saved during ECS creation to the folder in which host_list.txt is stored.
      • Ensure that the permission code of the private key file is 400.

        chmod 400 {Private key file name}

      Enter an ECS IP address in each line.

      An example is provided as follows:

      192.168.1.10
      192.168.1.11
    • If the target ECSs use a password for authentication, enter the following information:

      Enter an ECS IP address and password of user root separated using a comma (,) in each line.

      An example is provided as follows:

      192.168.1.10,'**********'
      192.168.1.11,'**********'
  8. Run batch_update_log4j_version.py.
    • For ECSs authenticated using key pairs

      If the private key file and the batch execution script are in the same directory, you can simply use the private key file name.

      python batch_update_log4j_version.py {Private key file path/Private key file name}

      Figure 1 Successful script execution

      If information shown in Figure 1 is displayed, the execution is successful.

    • For ECSs authenticated using passwords

      python batch_update_log4j_version.py

      Figure 2 Successful script execution

      If information shown in Figure 2 is displayed, the execution is successful.

  9. View the execution result log in the last line of /root/logs/exec_origin.log.

    vim /root/logs/exec_origin.log

    If information shown in Figure 3 is displayed, the one-click password reset plug-ins are batch updated.

    Figure 3 Execution result log
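
Before running step 8, host_list.txt and the private key file can be checked against the format and permission rules given in step 7. The script below is an added example, not part of the downloaded batch scripts; its function names and the 600/400 expectation for host_list.txt are assumptions of this example (the procedure itself only requires 400 on the private key file).

```shell
#!/bin/sh
# Added example: pre-flight check for host_list.txt and the private key file.
# Messages never echo a line's content, because in password mode every line
# holds a root password.

# Octal permission bits of a file (GNU stat, as shipped with CentOS 7).
file_mode() { stat -c '%a' "$1"; }

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# check_host_list FILE MODE, where MODE is "key" or "password".
# Prints one message per problem; returns the number of problems (0 = clean).
check_host_list() {
    file=$1; mode=$2; problems=0; n=0
    # Assumption of this example, not a vendor requirement: owner-only access.
    case $(file_mode "$file") in
        400|600) ;;
        *) echo "$file: permissions should be 600 or 400"
           problems=$((problems + 1)) ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        if ! valid_ipv4 "${line%%,*}"; then
            echo "line $n: invalid IPv4 address"; problems=$((problems + 1))
            continue
        fi
        case $mode:$line in
            key:*,*)       echo "line $n: key-pair mode expects an IP address only"
                           problems=$((problems + 1)) ;;
            password:*,?*) ;;
            password:*)    echo "line $n: password mode expects IP,password"
                           problems=$((problems + 1)) ;;
        esac
    done < "$file"
    return "$problems"
}

# The procedure requires permission code 400 on the private key file.
check_key_file() { [ "$(file_mode "$1")" = 400 ]; }

# Usage: sh check_host_list.sh host_list.txt key|password
if [ $# -eq 2 ]; then check_host_list "$1" "$2"; fi
```

In password mode host_list.txt holds root passwords in plain text, so remove it from the executor ECS once step 9 confirms the update.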

Follow-up Procedure

  • After the one-click password reset plug-in is updated, you can add it to the startup items if it cannot automatically start upon ECS startup. For details, see What Do I Do If the One-Click Password Resetting Plug-In Failed to Start?
  • After the one-click password reset plug-in is updated, do not delete the CloudResetPwdAgent process. Otherwise, one-click password reset will not be available.
  • If you have updated the one-click password reset plug-in, newly created ECSs work in PIPE mode by default to prevent the plug-in from using service ports. Existing ECSs still work in AUTO mode, in which the plug-in selects an idle port with the smallest port number from 31000 to 32999.