CDP集群漏洞修复脚本

CDP集群漏洞修复脚本(范例)

#!/bin/bash

# Directory that receives this script's log files; created when missing.
log_path='/ciblog/cdp_BugFix_log'
[ -d "$log_path" ] || mkdir -p "$log_path"

# Date stamp (YYYYMMDD) used in the log file name.
nowdate=$(date -d now +'%Y%m%d')

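#######################################
# Unpack the upgrade bundle on this host and copy the extracted cdp_jars
# directory to /opt/ on every node selected from /etc/hosts.
# Globals:   log_path (read), nowdate (read)
# Arguments: none
# Outputs:   progress on stdout; progress and failures appended to the
#            daily log under $log_path
# Returns:   0 if the bundle unpacked and every copy succeeded, 1 otherwise
#######################################
distribute_CdpJars(){
  local log_file="$log_path/cdpBugFix_$nowdate.log"
  local bundle='/cib/jzxf/jz/tool_cib.tar.gz'
  local -a hosts=()
  local ip rc=0

  echo -e "\033[33m ******** 将cdp的升级jar包分发到所有节点 ******** \033[0m"
  echo "cdp的升级jar包分发到所有节点" >>"$log_file"

  # NOTE(review): nothing verifies the bundle before it is unpacked and pushed
  # as root to every node. Check it against a checksum obtained out of band
  # (for example `sha256sum -c <CHECKSUM_FILE>`) before this step.
  if ! tar -zxvf "$bundle" -C /cib/jzxf/jz/; then
    # Stop here: copying a partly extracted directory would stage bad media.
    echo "错误: 解压 $bundle 失败, 已停止分发" | tee -a "$log_file" >&2
    return 1
  fi

  # The pattern is quoted so the shell neither strips the backslashes nor
  # glob-expands it; lines containing '#' are skipped, as before.
  mapfile -t hosts < <(grep -- 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')

  if (( ${#hosts[@]} == 0 )); then
    echo "错误: /etc/hosts 中没有匹配的节点, 未分发任何jar包" | tee -a "$log_file" >&2
    return 1
  fi

  for ip in "${hosts[@]}"; do
    echo -e "\033[33m 当前节点IP为:$ip, 正在执行介质jar包分发操作... \033[0m "
    echo "当前节点IP为:$ip, 正在执行jar包分发操作... " >>"$log_file"
    # Copy the jars to the node; record a failure but keep going so the
    # remaining nodes are still served.
    if ! scp -r -- /cib/jzxf/jz/cdp_jars "root@$ip:/opt/"; then
      echo "错误: 向节点 $ip 分发jar包失败" | tee -a "$log_file" >&2
      rc=1
    fi
  done

  return "$rc"
}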

# Distribute the cdp upgrade jars (the media) to the nodes.
# NOTE(review): the return status is not checked here, so the script carries
# on to the per-node fix even when distribution failed.
distribute_CdpJars

#function remote_function(){

#echo -e "\033[34m **************************************************\033[0m "
#hostname=$(hostname)
#echo -e "\033[32m *** 当前的主机名:$hostname ***\033[0m "
#ip_address=$(hostname -I)
#echo -e "\033[32m *** 当前主机IP地址:$ip_address ***\033[0m "
#echo "Hello from remote host!"
#echo -e "\033[34m **************************************************\033[0m "

#}


#######################################
# Replace four third-party jars (velocity, commons-fileupload, postgresql,
# xstream) under the Cloudera Manager and CDH parcel directories with the
# newer copies staged in /opt/cdp_jars, keeping each old file as <name>_bak.
# Globals:   log_path (read), nowdate (read); every variable assigned below
#            is global because none is declared local.
# Arguments: none
# Outputs:   progress on stdout; some messages appended to the daily log
# Returns:   no meaningful status; the failure paths call `exit 0`.
#
# NOTE(review): this function reads log_path and nowdate but does not define
# them. When only the function text is sent to another host (as `typeset -f`
# does), both are empty there unless the caller sends them too, and the log
# redirects below then expand to /cdpBugFix_.log.
# NOTE(review): the staged jars are tested for presence only; nothing here
# verifies their content before they replace product jars as root.
# NOTE(review): `exit 0` on the failure paths means a caller checking the
# exit status cannot tell a skipped or failed node from a patched one.
#######################################
fix_cdp_vulnerability(){

echo -e "\033[35m =========================== 判断介质是否存在 ================================\033[0m "

cdp_jarsDir="/opt/cdp_jars"
# Proceed only when the staging directory and all four replacement jars exist.
if [ -d "$cdp_jarsDir" ] && [ -f /opt/cdp_jars/velocity-engine-core-2.3.jar ]  && [ -f /opt/cdp_jars/commons-fileupload-1.5.jar ] && [ -f /opt/cdp_jars/postgresql-42.2.26.jar ] && [ -f /opt/cdp_jars/xstream-1.4.20.jar ];then

 echo -e "\033[34m **************************************************\033[0m "
 hostname=$(hostname)
 echo -e "\033[32m *** 当前的主机名:$hostname ***\033[0m "
 ip_address=$(hostname -I)
 echo -e "\033[32m *** 当前主机IP地址:$ip_address ***\033[0m "
 echo -e "\033[34m **************************************************\033[0m "

cm_common_jarsPath='/opt/cloudera/cm/common_jars'
cm_lib_Path='/opt/cloudera/cm/lib'
cm_parcels_Path='/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars'

# 1. Fix the velocity-1.7.6f104d5383d7f3d859dd77f14e34c9b5.jar vulnerability
#    (the file name/path in production may differ; use the actual one)

# NOTE(review): the grep pattern is unquoted, so the shell may glob-expand it
# against the current directory before grep sees it; as a regex, `6*` means
# "zero or more 6" and `.` matches any character. Quote and anchor it.
# NOTE(review): if more than one file matches, jar_name holds several names
# and the unquoted `mv $jar_name ...` below receives them as separate words.
  jar_nums=`ls /opt/cloudera/cm/common_jars/ | grep velocity-1.7.6* |grep -v _bak | wc -l `
  jar_name=`ls /opt/cloudera/cm/common_jars/ | grep velocity-1.7.6* |grep -v _bak `

# Check whether the files have already been updated: none of the backup
# files or 2.3 jars written by this section may exist yet.

if [ ! -f "$cm_common_jarsPath/$jar_name"_"bak" ]  &&  [ ! -f "$cm_lib_Path/velocity-engine-core-2.0.jar_bak" ] && [ ! -f "$cm_lib_Path/velocity-engine-core-2.3.jar" ] && [ ! -f "$cm_parcels_Path/velocity-engine-core-2.3.jar" ] && [ ! -f "$cm_parcels_Path/velocity-1.7.jar_bak" ] && [ ! -f "$cm_parcels_Path/velocity-1.5.jar_bak" ];then
  echo -e  "\033[32m $jar_name 文件尚未更新,可以执行更新操作! \033[0m"
   if [ $jar_nums == 0 ];then
      echo " 没有查询到该jar包,无法升级!"
      echo " 没有查询到该jar包,无法升级!"  >>$log_path/cdpBugFix"_"$nowdate.log
      # Ends the whole run on this host, with a success status.
      exit 0
 else
   echo "需要升级的jar包,$jar_nums 个;jar名称为:$jar_name"
   echo -e "\033[34m 升级cm的common_jars目录下的velocity的jar包为2.3版本 \033[0m "
# Back up the old jar in the common_jars directory
# NOTE(review): only the mv is chained to the cd. If the cd fails, the cp
# still runs and the relative mv further down acts on whatever directory the
# shell is in at that point.
  cd  $cm_common_jarsPath  && mv $jar_name  $jar_name"_"bak

# Copy velocity-engine-core-2.3.jar into that directory
  cp /opt/cdp_jars/velocity-engine-core-2.3.jar $cm_common_jarsPath
# Rename the new jar to the old jar's name; from here on the file name no
# longer reflects the version it contains.
  mv  velocity-engine-core-2.3.jar  $jar_name
  echo -e "\033[34m 升级cm的lib包下的velocity-engine-core-2.0.jar包为2.3版本 \033[0m "

 echo "升级cm的lib包下的velocity-engine-core-2.0.jar包为2.3版本" >>$log_path/cdpBugFix"_"$nowdate"."log
# Back up the old jar
  cd $cm_lib_Path && mv velocity-engine-core-2.0.jar  velocity-engine-core-2.0.jar_bak
# Copy velocity-engine-core-2.3.jar into that directory
cp /opt/cdp_jars/velocity-engine-core-2.3.jar $cm_lib_Path

# Fix /opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars/velocity-1.7.jar
echo -e "\033[34m 升级/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars目录下jar包...\033[0m "

 # Back up the old jars
cd  $cm_parcels_Path  &&  mv velocity-1.7.jar velocity-1.7.jar_bak &&  mv velocity-1.5.jar velocity-1.5.jar_bak
# Copy the upgraded velocity-engine-core-2.3.jar into that directory
cp /opt/cdp_jars/velocity-engine-core-2.3.jar  $cm_parcels_Path
# Create the symlink (relative, so it depends on the cd above having worked)
# NOTE(review): velocity-1.7.jar was moved aside above, but only
# velocity-1.5.jar gets a link; confirm nothing still opens velocity-1.7.jar.
ln -sfv  velocity-engine-core-2.3.jar velocity-1.5.jar

fi
else
  echo -e  "\033[31m 错误,$jar_name 文件已更新! \033[0m"
fi

# 2. Fix the commons-fileupload-1.4.f5d15bbbb91b4f42d65e41763fe1c292.jar
#    vulnerability (the file name/path in production may differ; use the actual one)
# NOTE(review): the count below includes *_bak files, the name does not.
jar_nums_2=`ls /opt/cloudera/cm/common_jars/ | grep commons-fileupload | wc -l `
jar_name_2=`ls /opt/cloudera/cm/common_jars/ | grep commons-fileupload | grep -v _bak`

# Skip this section when a backup or the 1.5 jar already exists.
if [ ! -f "$cm_common_jarsPath/$jar_name_2"_"bak" ]  && [ ! -f "$cm_parcels_Path/commons-fileupload-1.4.jar_bak" ] && [ ! -f "$cm_parcels_Path/commons-fileupload-1.5.jar" ];then
  echo -e  "\033[32m $jar_name_2 文件尚未更新,可以执行更新操作! \033[0m"
  if [ $jar_nums_2 == 0 ];then
  echo "没有查询到该jar包$jar_name_2,无法升级!"
  echo "没有查询到该jar包$jar_name_2,无法升级!"  >>$log_path/cdpBugFix"_"$nowdate.log
  exit 0
else
  echo "需要升级的jar包,$jar_nums_2 个;jar名称为:$jar_name_2"

  echo  -e "\033[34m 升级cm的common_jars目录下的commons-fileupload-1.4.jar包 \033[0m "
# Back up the old jar
cd  $cm_common_jarsPath && mv $jar_name_2  $jar_name_2"_"bak
# Copy commons-fileupload-1.5.jar into that directory
cp /opt/cdp_jars/commons-fileupload-1.5.jar  $cm_common_jarsPath
# Rename the new jar to the old jar's name
mv commons-fileupload-1.5.jar $jar_name_2

# Upgrade /opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars/commons-fileupload-1.4.jar to version 1.5
echo  -e "\033[34m 升级cm的/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars,目录下的commons-fileupload的jar包 \033[0m "
# Back up the old jar
cd  $cm_parcels_Path && mv  commons-fileupload-1.4.jar  commons-fileupload-1.4.jar_bak

# Copy commons-fileupload-1.5.jar into that directory
cp /opt/cdp_jars/commons-fileupload-1.5.jar  $cm_parcels_Path

# Keep the old file name resolvable by linking it to the new jar.
ln -sfv  commons-fileupload-1.5.jar  commons-fileupload-1.4.jar
fi
# The files have already been updated
else
  echo -e  "\033[31m 错误,$jar_name_2 文件已更新! \033[0m"
fi

# 3. Fix the postgresql-42.2.24.jre7.a7b0f155b668470fb4e212e79724cc7d.jar
#    vulnerability (the file name/path in production may differ; use the
#    actual one); upgrade the jar to postgresql-42.2.26.jar

# NOTE(review): unquoted pattern again, and the count includes *_bak files.
jar_nums_3=`ls /opt/cloudera/cm/common_jars/ | grep postgresql-42.2.24.* | wc -l `
jar_name_3=`ls /opt/cloudera/cm/common_jars/ | grep postgresql-42.2.24.* |grep -v _bak `


# Skip this section when a backup or the 42.2.26 jar already exists.
if [ ! -f "$cm_common_jarsPath/$jar_name_3"_"bak" ] && [ ! -f "$cm_parcels_Path/postgresql-42.2.14.jar_bak" ] && [ ! -f "$cm_parcels_Path/postgresql-42.2.26.jar" ];then

echo -e  "\033[32m $jar_name_3 文件尚未更新,可以执行更新操作! \033[0m"

if [ $jar_nums_3 == 0 ];then
  echo "没有查询到该jar包$jar_name_3,无法升级!"
  echo "没有查询到该jar包$jar_name_3,无法升级!"  >>$log_path/cdpBugFix"_"$nowdate.log
  exit 0
else
  echo "需要升级的jar包,$jar_nums_3 个;jar名称为:$jar_name_3"

  echo  -e "\033[34m 升级cm的common_jars目录下的包postgresql的jar包 \033[0m "
# Back up the old jar
cd  $cm_common_jarsPath && mv $jar_name_3  $jar_name_3"_"bak
# Copy postgresql-42.2.26.jar into that directory
cp /opt/cdp_jars/postgresql-42.2.26.jar  $cm_common_jarsPath

# Rename the new jar to the old jar's name
mv postgresql-42.2.26.jar $jar_name_3

# Upgrade postgresql-42.2.14.jar under /opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars/ to version 42.2.26

echo  -e "\033[34m 升级cm的/opt/cloudera/parcels/CDH-7.1.7-1.cdh7.1.7.p1000.24102687/jars目录下的postgresql的jar包 \033[0m "
# Back up the old jar
cd $cm_parcels_Path &&  mv  postgresql-42.2.14.jar  postgresql-42.2.14.jar_bak

# Copy postgresql-42.2.26.jar into that directory
cp /opt/cdp_jars/postgresql-42.2.26.jar $cm_parcels_Path

# Keep the old file name resolvable by linking it to the new jar.
ln -sfv postgresql-42.2.26.jar  postgresql-42.2.14.jar

fi

# The files have already been updated
else
  echo -e  "\033[31m 错误,$jar_name_3 文件已更新! \033[0m"
fi

# 4. Fix the xstream-1.4.18.2XXXXXXXX.jar vulnerability (the file name/path
#    in production may differ; use the actual one); upgrade the jar to
#    xstream-1.4.20.jar

# NOTE(review): the count includes *_bak files, the name does not.
jar_nums_4=`ls /opt/cloudera/cm/common_jars/ | grep xstream | wc -l `
jar_name_4=`ls /opt/cloudera/cm/common_jars/ | grep xstream |grep -v _bak`

# Only common_jars is handled for xstream; skip when its backup exists.
if [ ! -f "$cm_common_jarsPath/$jar_name_4"_"bak" ];then

echo -e  "\033[32m ${jar_name_4}文件尚未更新,可以执行更新操作! \033[0m"

if [ $jar_nums_4 == 0 ];then
  echo "没有查询到该jar包$jar_name_4,无法升级!"
  echo "没有查询到该jar包$jar_name_4,无法升级!"  >>$log_path/cdpBugFix"_"$nowdate.log
  exit 0
else
  echo "需要升级的jar包,$jar_nums_4 个;jar名称为:$jar_name_4"
# Back up the old jar
echo  -e "\033[34m 升级cm的common_jars目录下xstream的jar包 \033[0m "
cd  $cm_common_jarsPath && mv $jar_name_4  $jar_name_4"_"bak
# Copy xstream-1.4.20.jar into that directory
cp /opt/cdp_jars/xstream-1.4.20.jar  $cm_common_jarsPath

# Rename the new jar to the old jar's name
mv xstream-1.4.20.jar $jar_name_4
fi
# The files have already been updated (the only section that also logs this)
else
  echo -e  "\033[31m 错误,$jar_name_4 文件已更新! \033[0m"
  echo  "错误,$jar_name_4 文件已更新!"  >>$log_path/cdpBugFix"_"$nowdate.log
fi
# Else-branch of the media check at the top: the staged jars are missing.
else
 echo -e  "介质文件不存在..,无法执行漏洞修复操作!"
 echo     "介质文件不存在..,无法执行漏洞修复操作!"  >> $log_path/cdpBugFix"_"$nowdate.log
 exit 0
fi

}



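# Build the host list and run the fix on every host in turn.
# The pattern is quoted so the shell neither strips the backslashes nor
# glob-expands it; lines containing '#' are skipped, as before.
mapfile -t hosts < <(grep -- 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')

if (( ${#hosts[@]} == 0 )); then
  echo "错误: /etc/hosts 中没有匹配的节点, 未执行任何修复" | tee -a "$log_path/cdpBugFix_$nowdate.log" >&2
fi

for ip in "${hosts[@]}"; do
  echo "连接到主机: $ip"

  # Only the function text travels over ssh, so log_path and nowdate are sent
  # with it (declare -p emits them safely quoted) and the log directory is
  # created remotely. Without this the remote log redirects expand to
  # /cdpBugFix_.log.
  # The remote function exits 0 on its own failure paths, so a non-zero
  # status here indicates a connection or shell-level failure only.
  if ! ssh "root@$ip" "$(declare -p log_path nowdate); mkdir -p \"\$log_path\"; $(typeset -f fix_cdp_vulnerability); fix_cdp_vulnerability"; then
    echo "错误: 在主机 $ip 上执行修复命令失败" | tee -a "$log_path/cdpBugFix_$nowdate.log" >&2
  fi

  sleep 2
done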



# Banner for the Cloudera Manager (CM) restart phase.
echo -e "\033[35m =========================== 重启CM操作 ================================\033[0m "
# Verification step: restart the CM services
# master node
# ssh  z101
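#######################################
# Restart the Cloudera Manager server on m1, then the Cloudera Manager agent
# on every node selected from /etc/hosts.
# Globals:   log_path (read), nowdate (read)
# Arguments: none
# Outputs:   progress on stdout; progress and failures appended to the
#            daily log under $log_path
# Returns:   0 if every restart command succeeded, 1 otherwise
#######################################
function restartCM(){
  local log_file="$log_path/cdpBugFix_$nowdate.log"
  local -a hosts=()
  local ip rc=0

  echo -e "\033[32m 开始执行CM重启操作... \033[0m"
  echo -e "开始执行CM重启操作... " >>"$log_file"

  # A failed restart is recorded instead of being ignored, so an operator can
  # see which service did not come back.
  if ! ssh root@m1 "systemctl restart cloudera-scm-server.service"; then
    echo "错误: 在 m1 上重启 cloudera-scm-server 失败" | tee -a "$log_file" >&2
    rc=1
  fi

  # The pattern is quoted so the shell neither strips the backslashes nor
  # glob-expands it; lines containing '#' are skipped, as before.
  mapfile -t hosts < <(grep -- 'm[1-3]\.idss\.com' /etc/hosts | grep -v '#' | awk '{print $1}')

  for ip in "${hosts[@]}"; do
    if ! ssh "root@$ip" "systemctl restart  cloudera-scm-agent"; then
      echo "错误: 在节点 $ip 上重启 cloudera-scm-agent 失败" | tee -a "$log_file" >&2
      rc=1
    fi
    sleep 2
  done

  return "$rc"
}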

# Restart the CM server and agents.
# NOTE(review): this runs unconditionally; no result of the per-node fix
# above is checked before the services are restarted.
restartCM
