Web集群之SSH批量管理

、什么是SSH批量管理

在管理机产生公钥和私钥，然后把自己的公钥推送给需要被管理的服务器，然后就可以通过scp和ssh命令，无需输入密码即可管理

锁=公钥，钥匙=私钥

企业里实现ssh方案：

1）直接root ssh key。

条件：系统允许root使用ssh

2）sudo提权来实现没有权限用户拷贝

实验环境：

hostnameip描述

m01172.16.1.61管理机

web01172.16.1.7被管理

nfs172.16.1.31被管理

backup172.16.1.41被管理

所有机器系统环境统一

[root@m01 /]# cat /etc/redhat-release CentOS Linux release7.5.1804(Core) [root@m01 /]# uname -r3.10.0-862.el7.x86_64

1.1 所有的服务器创建普通用户及密码

useradd xiaoliecho"123456"|passwd --stdin xiaoliid xiaolisu - xiaoli#<==统一切换到xiaoli用户

1.2 m01产生密钥

#使用xiaoli用户来创建私钥，并且分发公钥

[xiaoli@m01 ~]$ ssh-keygen -t dsa#<==生成私钥（一路回车）Generatingpublic/privatedsa key pair.Enter fileinwhich to save thekey(/home/xiaoli/.ssh/id_dsa): Created directory '/home/xiaoli/.ssh'. #<==私钥存放的目录Enterpassphrase(emptyforno passphrase): Enter same passphrase again: Your identification has been savedin/home/xiaoli/.ssh/id_dsa.Yourpublickey has been savedin/home/xiaoli/.ssh/id_dsa.pub.The key fingerprintis:SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU xiaoli@m01The key's randomart imageis:+---[DSA 1024]----+|        . . .    ||    . . + * o  ||    + + O * X o  ||    O o O O=  ||    . = S + +  .||    o =  o . Eo||    . . .  o .+o||          . oo.+||            . o*=|+----[SHA256]-----+[xiaoli@m01 ~]$ pwd/home/xiaoli[xiaoli@m01 ~]$ ls .ssh/id_dsa  id_dsa.pub[xiaoli@m01 ~]$ ll .ssh/total8-rw-------1xiaoli xiaoli672Nov520:57id_dsa#<==私钥-rw-r--r--1xiaoli xiaoli600Nov520:57id_dsa.pub#<==公钥

1.3 管理机分发公钥给客户端

管理机推送公钥给backup

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.41 (172.16.1.41)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh '[email protected]'"andcheck to make sure that only the key(s) you wanted were added.#backup上查看是否收到公钥[xiaoli@backup ~]$ ls .ssh/authorized_keys .ssh/authorized_key#配置文件默认就是.ssh/authorized_key这个文件名，是由/etc/ssh/sshd_config这个配置文件所定义[root@backup backup]$ grep authorized_keys /etc/ssh/sshd_config |egrep -v"^#"AuthorizedKeysFile      .ssh/authorized_keys

管理机推送公钥给nfs

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.31 (172.16.1.31)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh '[email protected]'"andcheck to make sure that only the key(s) you wanted were added.#nfs上查看是否收到公钥[xiaoli@nfs ~]$ ls -l .ssh/total4-rw-------1xiaoli xiaoli600Nov521:16authorized_keys

管理机推送公钥给web01

[xiaoli@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]/bin/ssh-copy-id: INFO: Sourceofkey(s) to be installed:".ssh/id_dsa.pub"The authenticityofhost'172.16.1.7 (172.16.1.7)'can't be established.

ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.

ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password: Numberofkey(s) added:1Nowtrylogging into the machine, with:"ssh '[email protected]'"andcheck to make sure that only the key(s) you wanted were added.#web01查看是否收到公钥[xiaoli@web01 ~]$ ls -l .ssh/total4-rw-------1xiaoli xiaoli600Nov521:20authorized_keys

1.4 管理机实现批量获取参数

单独查看某一台客户端IP地址，如果端口号为22，就不需要加-p

[xiaoli@m01 ~]$ ssh [email protected]/sbin/ifconfig ens33ens33:flags=4163  mtu1500inet10.0.0.31netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen64scopeid0x20        inet6 fe80::f15a:916:1ee7:65e9  prefixlen64scopeid0x20        ether00:50:56:20:de:ectxqueuelen1000(Ethernet)        RX packets68059bytes50182137(47.8MiB)        RX errors0dropped0overruns0frame0TX packets32722bytes6712416(6.4MiB)        TX errors0dropped0overruns0carrier0collisions0#我们可以发现这时执行ssh就不需要输入密码

创建脚本查看三台客户端的IP地址

[xiaoli@m01 ~]$ mkdir seripts[xiaoli@m01 ~]$ cd seripts[xiaoli@m01 seripts]$ cat view_ip.sh#!/bin/shUser=xiaoliIp=(172.16.1.7

172.16.1.31

172.16.1.41

)

for ((i=0;i<${#Ip[*]};i++))

do

        ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33

done

#执行脚本 货运APP找上海捌跃网络科技有限公司QQ3343874032

[xiaoli@m01 seripts]$ sh view_ip.sh

ens33: flags=4163mtu1500inet10.0.0.7netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen64scopeid0x20        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen64scopeid0x20        inet6 fe80::f15a:916:1ee7:65e9  prefixlen64scopeid0x20        ether00:50:56:32:88:betxqueuelen1000(Ethernet)        RX packets11633bytes2805754(2.6MiB)        RX errors0dropped0overruns0frame0TX packets6003bytes1047269(1022.7KiB)        TX errors0dropped0overruns0carrier0collisions0ens33:flags=4163  mtu1500inet10.0.0.31netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen64scopeid0x20        inet6 fe80::f15a:916:1ee7:65e9  prefixlen64scopeid0x20        ether00:50:56:20:de:ectxqueuelen1000(Ethernet)        RX packets68065bytes50182545(47.8MiB)        RX errors0dropped0overruns0frame0TX packets32726bytes6712704(6.4MiB)        TX errors0dropped0overruns0carrier0collisions0ens33:flags=4163  mtu1500inet10.0.0.41netmask255.255.255.0broadcast10.0.0.255inet6 fe80::7ef6:6b6b:fba4:c66c  prefixlen64scopeid0x20        inet6 fe80::b85a:6444:fdc7:90ef  prefixlen64scopeid0x20        inet6 fe80::f15a:916:1ee7:65e9  prefixlen64scopeid0x20        ether00:50:56:21:a4:2a  txqueuelen1000(Ethernet)        RX packets123357bytes15582283(14.8MiB)        RX errors0dropped0overruns0frame0TX packets130534bytes11862139(11.3MiB)        TX errors0dropped0overruns0carrier0collisions0上面结果为成功标志！连接所有机器，不提示密码直接可以操作

1.5 scp实现批量下发文件

每台服务器root权限下实施sudo#切换到root用户，给xiaoli用户赋予有rsync的命令执行权限echo"xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync ">>/etc/sudoersvisudo -c

将/etc/hosts文件拷贝到家目录（xiaoli），并修改hosts文件内容

[xiaoli@m01 ~]$ cp /etc/hosts .[xiaoli@m01 ~]$ tail-5hosts172.16.1.7web01172.16.1.41backup172.16.1.31nfs172.16.1.51m01################2018-11-5################

使用脚本批量分发hosts文件

[xiaoli@m01 ~]$  cat seripts/fenfa_file.sh#!/bin/shUser=xiaoliIp=(172.16.1.7172.16.1.31172.16.1.41)for((i=0;i<${#Ip[*]};i++))doscp ~/hosts${User}@${Ip[$i]}:~ ssh -t${User}@${Ip[$i]}sudo rsync ~/hosts /etc/hostsdone#运行批量分发脚本[xiaoli@m01 seripts]$ sh  fenfa_file.shhosts                                                                    100%  268  245.5KB/s  00:00    Connection to 172.16.1.7 closed.hosts                                                                    100%  268    47.6KB/s  00:00    Connection to 172.16.1.31 closed.hosts                                                                    100%  268  295.1KB/s  00:00    Connection to 172.16.1.41 closed.

客户端查看结果

#以backup客户端为例展示结果：[xiaoli@backup ~]$ tail-5/etc/hosts172.16.1.7web01172.16.1.41backup172.16.1.31nfs172.16.1.51m01################2018-11-5################

扩展：使用rsync通道模式，实现增量、加密

[xiaoli@m01 ~]$ rsync -avz hosts -e'ssh -p 22'[email protected] incremental file listhostssent214bytes  received35bytes498.00bytes/sectotal sizeis268speedupis1.08

转自：http://blog.51cto.com/12643266/2314340