Dell Networking OS10: How to Run the Certificate Update Directly from an OS10 Switch

Summary: How to run the OS10 certificate update script directly from the switch.


Instructions

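Table of Contents

  1. Requirements
  2. Steps to run the script from the OS10 switch
  3. Command summary
  4. APT removal and cleanup
  5. Items to note

Requirements

  • Internet access is required
  • A valid DNS (ip name-server) must be configured
  • The .zip or the unzipped files must be transferred to the local flash of a switch
  • A switch user with the system administrator role
  • "system-cli disable" must not be configured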

Steps to Run the Script from the OS10 Switch

  1. Configure the name server

    OS10(config)# ip name-server <dnsserverip>
  2. Confirm that a DNS name can be pinged

    OS10# ping debian.org
    PING debian.org (130.89.148.77) 56(84) bytes of data.
    64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=1 ttl=45 time=123 ms
    64 bytes from klecker-misc.debian.org (130.89.148.77): icmp_seq=2 ttl=45 time=123 ms
    ^C
    --- debian.org ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
  3. Copy the file to local flash

    OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip
    password:
    OS10# dir home
    Directory contents for folder: home
    Date (modified)        Size (bytes)  Name
    ---------------------  ------------  ------------------------------------------
    2021-05-18T00:28:45Z   8426          cert_upgrade_script-3.zip
  4. Move to the shell prompt. Install "unzip" and then "expect" (if the file is not already unzipped).

    leaf-2# system "sudo -i"
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for admin:
    root@leaf-2:~# cd /home/admin/
    root@OS10:/home/admin# apt-get update
    Get:1 http://security.debian.org stretch/updates InRelease [53.0 kB]
    <<snippet>>
    Fetched 13.6 MB in 5s (2562 kB/s)
    Reading package lists... Done
    root@OS10:/home/admin# apt-get install unzip
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libevent-2.0-5 libfile-copy-recursive-perl openbsd-inetd update-inetd
    Use 'apt autoremove' to remove them.
    Suggested packages:
      zip
    The following NEW packages will be installed:
      unzip
    0 upgraded, 1 newly installed, 0 to remove and 78 not upgraded.
    Need to get 172 kB of archives.
    After this operation, 559 kB of additional disk space will be used.
    Get:1 http://httpredir.debian.org/debian stretch/main amd64 unzip amd64 6.0-21+deb9u2 [172 kB]
    Fetched 172 kB in 0s (354 kB/s)
    Selecting previously unselected package unzip.
    (Reading database ... 30678 files and directories currently installed.)
    Preparing to unpack .../unzip_6.0-21+deb9u2_amd64.deb ...
    Unpacking unzip (6.0-21+deb9u2) ...
    Processing triggers for mime-support (3.60) ...
    Setting up unzip (6.0-21+deb9u2) ...
    
    root@OS10:/home/admin # apt-get install expect
    <<snippet>>
    Need to get 24.6 MB of archives.
    After this operation, 186 MB of additional disk space will be used.
    Do you want to continue? [Y/n] y
    <<snippet>>
  5. Unzip the archive and use chmod to make the script executable

    root@OS10:/home/admin# unzip cert_upgrade_script-3.zip
    Archive:  cert_upgrade_script-3.zip
      inflating: cert_upgrade_script/cert.py
      inflating: cert_upgrade_script/cert.sh
      inflating: cert_upgrade_script/hosts.txt
      inflating: cert_upgrade_script/newdelldefault.crt
      inflating: cert_upgrade_script/README.md
    root@OS10:/home/admin# cd cert_upgrade_script
    root@OS10:/home/admin/cert_upgrade_script# ls -l
    total 31
    -rw-r--r-- 1 root root  5019 Mar 25 14:52 README.md
    -rw-r--r-- 1 root root  9464 Apr 12 15:02 cert.py
    -rw-r--r-- 1 root root 11793 Apr 12 15:02 cert.sh
    -rw-r--r-- 1 root root   128 Feb 26 17:17 hosts.txt
    -rw-r--r-- 1 root root  2049 Mar  2 18:06 newdelldefault.crt
    root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh
  6. Run the script against each switch IP, or with the hosts file as described in the README.

    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
    192.168.122.243 Vulnerable
    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243
    192.168.122.243 Success
    root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c
    192.168.122.243 Not Vulnerable
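  7. After running the script, review the LKB article (Dell Networking OS10 Certificate Expiration and Solution) for the next steps.

    Alert: Flap the VLTi or reload the switch, as described in the KB steps, for the certificate to take effect.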
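
The check, fix and re-check sequence from step 6 can be wrapped so the fix is applied only to a switch that reports "Vulnerable" and anything other than a clean re-check is flagged. This is an added example, not part of Dell's script bundle: `cert_status`, `remediate_host` and `CERT_SH` are hypothetical names, and only the `-u`/`-p`/`-h`/`-c` flags and the three status strings are taken from the output shown above.

```shell
#!/bin/sh
# Added example: check -> fix -> re-check around the article's cert.sh.
# Function names and CERT_SH are hypothetical; only the -u/-p/-h/-c flags and
# the "Vulnerable" / "Success" / "Not Vulnerable" strings come from step 6.
CERT_SH="${CERT_SH:-./cert.sh}"   # path to the unzipped script

# Read cert.sh output on stdin ("<ip> <status>" per line) and print the
# status text reported for host $1; prints nothing if the host is absent.
cert_status() {
    awk -v h="$1" '$1 == h { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# remediate_host USER PASSWORD HOST
# Applies the fix only when the pre-check says "Vulnerable", then requires
# "Success" from the fix and "Not Vulnerable" from the re-check.
# Prints "<host> <outcome>" and returns 0 only if the host ends up clean.
remediate_host() {
    rh_before=$("$CERT_SH" -u "$1" -p "$2" -h "$3" -c | cert_status "$3")
    case "$rh_before" in
        "Not Vulnerable") echo "$3 already-ok"; return 0 ;;
        "Vulnerable") ;;
        # Anything else (version message, login failure, no output) is not
        # treated as clean, and the fix is not attempted.
        *) echo "$3 check-failed:${rh_before:-no-output}"; return 1 ;;
    esac
    rh_fix=$("$CERT_SH" -u "$1" -p "$2" -h "$3" | cert_status "$3")
    if [ "$rh_fix" != "Success" ]; then
        echo "$3 fix-failed:${rh_fix:-no-output}"; return 1
    fi
    rh_after=$("$CERT_SH" -u "$1" -p "$2" -h "$3" -c | cert_status "$3")
    if [ "$rh_after" = "Not Vulnerable" ]; then
        echo "$3 fixed"; return 0
    fi
    echo "$3 still:${rh_after:-no-output}"; return 1
}

# Usage (password single-quoted so the shell passes special characters as-is):
#   remediate_host admin 'p@ss$word' 192.168.122.243
```

A `fixed` result only means the re-check passed; the VLTi flap or reload from step 7 is still required for the certificate to take effect.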

Command Summary

| Configuration | Description |
|---|---|
| OS10(config)# ip name-server <dnsserverip> | Configure DNS so that APT can fetch the required files |
| OS10# ping debian.org | Confirm that debian.org is reachable |
| OS10# copy scp://root@<fileserverip>/cert_upgrade_script-3.zip home://cert_upgrade_script-3.zip | Copy the script file to the switch |
| leaf-2# system "sudo -i" | Enter the system bash shell as root |
| root@leaf-2:~# cd /home/admin/ | Change to the user home directory where the file was downloaded |
| root@OS10:/home/admin# apt-get update | Update the current apt package lists |
| root@OS10:/home/admin# apt-get install unzip | Install unzip |
| root@OS10:/home/admin # apt-get install expect | Install expect |
| root@OS10:/home/admin# unzip cert_upgrade_script-3.zip | Extract the certificate update files |
| root@OS10:/home/admin# cd cert_upgrade_script | Change into the script directory |
| root@OS10:/home/admin/cert_upgrade_script# ls -l | Check the file permissions |
| root@OS10:/home/admin/cert_upgrade_script# chmod +x cert.sh | Make cert.sh executable |
| root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c | Check whether the switch is vulnerable |
| root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 | Apply the fix to the switch by IP |
| root@OS10:/home/admin/cert_upgrade_script# ./cert.sh -u admin -p admin -h 192.168.122.243 -c | Confirm the switch is not vulnerable after the upgrade attempt |

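APT Removal and Cleanup

| Configuration | Description |
|---|---|
| root@OS10:/home/admin/cert_upgrade_script# apt-get remove unzip | Remove unzip from the switch |
| root@OS10:/home/admin/cert_upgrade_script# apt-get remove expect | Remove expect from the switch |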

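Items to Note

  • The script performs a version check to see whether the running version is below 10.4.3.x
    • If the running version is below this, the message "the running version is below 10.4.3.x, please upgrade to a newer version" is generated
  • The script checks for versions above 10.5.1.0. (In script version v4)
    • If the other switches in the cluster are also running 10.5.1.0 or later, the system is not vulnerable
    • Newer firmware may still contain the affected certificate, but it is not in use, so it can safely be ignored or upgraded
  • If the username or password contains special characters when running on Linux, make sure to use ' (single quotes).
  • If running from an existing Linux operating system, make sure the expect version is 5.45 or later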

 

Affected Products

PowerSwitch S3048-ON, PowerSwitch S4048-ON, Dell EMC Networking MX5108n, Dell EMC Networking MX9116n, Dell EMC Networking N3200-ON, PowerSwitch S4048T-ON, PowerSwitch S4148U-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON

Products

PowerSwitch S4112F-ON/S4112T-ON, PowerSwitch S4128F-ON/S4128T-ON, PowerSwitch S4148F-ON/S4148T-ON/S4148FE-ON, PowerSwitch S4248FB-ON /S4248FBL-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S6010-ON , PowerSwitch S6100-ON, PowerSwitch Z9100-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9332F-ON, PowerSwitch Z9432F-ON ...
Article Properties
Article Number: 000188436
Article Type: How To
Last Modified: 23 Jul 2025
Version:  7