第十周-day41-批量分发秘钥与ansible模块

第十周-day41-批量管理一键分发秘钥、ansible模块.png

一、※批量创建与分发秘钥

一键创建秘钥对

一键分发公钥

StrictHostKeyChecking=no

sshpass -p 123456 ssh-copy-id -p22 -i  ~/.ssh/id_dsa.pub 10.0.0.41 -o StrictHostKeyChecking=no

1.初始批量分发公钥的脚本

可以用for循环语句

[21:33 root@m01 ~]# vim /server/scripts/fenfa_pub.sh
#!/bin/bash
 
for ip in 31 41
do
ssh-copy-id -i ~/.ssh/id_dsa.pub 172.16.1.$ip
done

2.第一次分发公钥的时候需要输入密码

sshpass -p 123456 ssh-copy-id -p22 -i  ~/.ssh/id_dsa.pub 10.0.0.41 -o StrictHostKeyChecking=no

3.第一次分发公钥的时候需要输入确认信息

sssh-copy-id -p22 -i  ~/.ssh/id_dsa.pub 10.0.0.41 -o StrictHostKeyChecking=no

ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys

$@  脚本所有参数
umask 权限是077
mkdir -p .ssh 
cat  >> .ssh/authorized_keys

---

删除之前的秘钥对,创建新环境

[09:35 root@m01 ~]# rm -rf .ssh/id_dsa .ssh/id_dsa.pub 

---

4.创建指定的秘钥

-t 指定秘钥类型 dsa rsa
-f 指定私钥的位置
-P 命令行中指定密码

ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''

[09:35 root@m01 ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:kIna+Ce3UvZoIPzuIiOvKOaQwysKPlAeCTCC6zo+DRk root@m01
The key's randomart image is:
+---[DSA 1024]----+
|*                |
|+.   . o         |
| o .. +          |
|.E++   .         |
|.+=..   S        |
|o=+.. o          |
|B.ooo+oo         |
|&=o.o+o..        |
|%@++oo.          |
+----[SHA256]-----+

5.免密交互

sshpass -p 123456 ssh -o StrictHostKeyChecking=no 172.16.1.31 hostname

6.免密分发秘钥

 sshpass -p123456   ssh-copy-id -o StrictHostKeyChecking=no 172.16.1.7

7.可以依次给其他主机分发秘钥

[09:57 root@m01 ~]# ssh 172.16.1.31 hostname
nfs01
[09:57 root@m01 ~]# ssh 172.16.1.41 hostname
backup
[09:57 root@m01 ~]# ssh 172.16.1.7 hostname
web01

8.sshpass为ssh 提供密码

非交互式 sshpass需要安装

[19:14 root@m01 ~]# sshpass -p123456 ssh 172.16.1.7 hostname
web01

9.for 循环语句

for 循环的格式：

for 变量 in 列表
do
命令
done 

for ip in 7 41
do
echo 172.16.1.$ip
done

[15:05 root@m01 ~]# for ip in 7 41; do echo 172.16.1.$ip; done
172.16.1.7
172.16.1.41

通过for 循环和sshpass 批量分发公钥

10.写一个for循环脚本

[10:04 root@m01 ~]# vim /server/scripts/for.sh
#!/bin/bash
for ip in  {1..7}
do
 echo 172.16.1$ip
done

执行一下：

[10:05 root@m01 ~]# sh  /server/scripts/for.sh
172.16.11
172.16.12
172.16.13
172.16.14
172.16.15
172.16.16
172.16.17

11.用for循环语句批量分发秘钥

直接执行命令：
for ip in 7 41 31; do  sshpass -p123456   ssh-copy-id -o StrictHostKeyChecking=no 172.16.1.$ip; done

或写脚本文件：
[10:11 root@m01 ~]# vim /server/scripts/fenfa.sh 
#!/bin/bash
for ip in 7 41 31
do
 sshpass -p123456   ssh-copy-id -o StrictHostKeyChecking=no 172.16.1.$ip
done

二、※创建一个脚本※

非交互式创建秘钥
非交互式分发秘钥

[10:43 root@m01 ~]# vim  /server/scripts/fenfa.sh
#!/bin/bash
#make key pair  \\创建秘钥
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''
#fenfa public key  \\分发秘钥
for ip in 7 41 31
do
 sshpass -p123456   ssh-copy-id -o StrictHostKeyChecking=no 172.16.1.$ip
done

1.检查一下批量分发秘钥是否可以免密

[11:25 root@m01 ~]# ssh 172.16.1.7 hostname
web01
[11:25 root@m01 ~]# ssh 172.16.1.41 hostname
backup
[11:25 root@m01 ~]# ssh 172.16.1.31 hostname
nfs01

2.脚本书写流程：

1.第一步m01安装ansible

2.第二步创建公钥私钥
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P '' 

3.第三步推送公钥
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no" 172.16.1.41

4.第四部执行命令
ansible oldboy -m shell -a "w;df -h;free -h"
ansible /etc/ansible/hosts里设置的  主机组 -m 模块名 -a "命令"

扩展：脚本中添加一些其他的要求

---

---

三、※ ansible 批量管理 ※

不理解—先看图

image.png

安装ansible
yum install -y ansible

1.※ 查看ansible下配置文件

[11:53 root@m01 ~]# rpm -ql ansible|grep -v /usr/
/etc/ansible
/etc/ansible/ansible.cfg
/etc/ansible/hosts
/etc/ansible/roles

2.编辑主机清单/etc/ansible/hosts

在管理端配置好秘钥认证

[11:54 root@m01 ~]# ssh 172.16.1.41 hostname
backup
[11:56 root@m01 ~]# vim /etc/ansible/hosts 
......
[oldboy]
172.16.1.7
172.16.1.41
172.16.1.31
[11:58 root@m01 ~]# tail -4 /etc/ansible/hosts 
[oldboy]
172.16.1.7
172.16.1.41
172.16.1.31

3.ping 检查所有客户端是否存活

-m ping 检测添加的oldboy模块中的主机通不通

[11:58 root@m01 ~]# ansible oldboy -m ping
172.16.1.41 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"      \\pong表示通了
}
172.16.1.31 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"      \\pong表示通了
}
172.16.1.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"      \\pong表示通了
}

4.执行指定命令

command命令模式(只能执行简单命令 不支持 特殊符号)

[12:00 root@m01 ~]# ansible oldboy -m command -a 'hostname'
172.16.1.7 | CHANGED | rc=0 >>
web01

172.16.1.41 | CHANGED | rc=0 >>
backup

5.执行指定某台主机命令

[12:08 root@m01 ~]# ansible 172.16.1.7 -a 'hostname'
172.16.1.7 | CHANGED | rc=0 >>
web01

6.执行所有主机命令

[12:09 root@m01 ~]# ansible all -a 'hostname'
172.16.1.41 | CHANGED | rc=0 >>
backup

172.16.1.31 | CHANGED | rc=0 >>
nfs01

172.16.1.7 | CHANGED | rc=0 >>
web01

四、※ ansible inventory主机清单常见配置 ※

主机支持指定变量，基于密码连接

五、※ Ansible Ad-Hoc 命令行批量执行命令※

官网查询帮助 主要看哪个参数必须要有

https://docs.ansible.com/ansible/latest/modules/copy_module.html#copy-module

image.png

1.查询模块的命令

ansible-doc -s copy

---

ansable模块（service模块字母在图片中顺序写错了请注意）

2.模块案例

推送 ansible all -m copy -a 'src=/etc/hostname dest=/tmp/'
查看 ansible all -a 'cat /tmp/hostname'

copy模块
推送文件模块

模块实操：https://www.jianshu.com/p/57c0268a1aca

[12:30 root@m01 ~]# ansible all -m copy -a 'src=/etc/hostname dest=/tmp/'
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "checksum": "f434396716e2c9aed47cfde87c491cce5a2c08fa", 
    "dest": "/tmp/hostname", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "318d7defb693a2eb0d4f1a7a96575a57", 
    "mode": "0644", 
    "owner": "root", 
    "size": 4, 
    "src": "/root/.ansible/tmp/ansible-tmp-1559017854.64-224769717508792/source", 
    "state": "file", 
    "uid": 0
}
...省略
[12:31 root@m01 ~]# ansible all -a 'cat /tmp/hostname'
172.16.1.31 | CHANGED | rc=0 >>
m01

172.16.1.41 | CHANGED | rc=0 >>
m01

172.16.1.7 | CHANGED | rc=0 >>
m01

backup=yes模块

[12:40 root@m01 ~]# ansible all -m copy -a 'src=/etc/hosts dest=/tmp/hostname backup=yes' 
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "backup_file": "/tmp/hostname.8691.2019-05-28@12:41:13~", 
    "changed": true, 
    "checksum": "d2c63329a65fa8c2a390e468cf037e28e6796f0f", 
    "dest": "/tmp/hostname", 
    "gid": 0, 

script 模块

分发这个脚本：
[08:50 root@m01 ~]# ansible all -m copy -a 'src=/server/scripts/for.sh dest=/server/scripts/yum.sh'

[root@m01 ~]# #ansible all  -m script  -a "/server/scripts/yum.sh"
[root@m01 ~]# ansible all -a 'rpm -qa ipvsadm'
 [WARNING]: Consider using the yum, dnf or zypper module rather than running 'rpm'.  If you need to use command because
yum, dnf or zypper is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in
ansible.cfg to get rid of this message.

172.16.1.41 | CHANGED | rc=0 >>
ipvsadm-1.27-7.el7.x86_64

172.16.1.7 | CHANGED | rc=0 >>
ipvsadm-1.27-7.el7.x86_64

yum模块

ansible all   -m yum  -a 'name=sl state=present'

file模块

[root@m01 ~]# #ansible all -m file  -a 'path=/tmp/a/b/c/d/e/f/g   state=directory '
[root@m01 ~]# #ansible all -m file  -a 'path=/tmp/a/b/c/d/e/f/g/oldboy.txt   state=touch '
[root@m01 ~]# ansible all  -a 'tree  /tmp/ '

user模块

#caiav 创建用户指定uid和gid 1111，不创建家目录也不允许登陆
groupadd -g 1111  caiav 
useradd -u 1111 -g caiav    -s /sbin/nologin  -M  caiav 

ansible all -m group  -a 'name=caiav gid=1111 state=present'
ansible all -m user  -a  'name=caiav uid=1111 group=caiav  shell=/sbin/nologin create_home=no '

ansible模块可查看下一篇文章