通过一个实验案例来说明shell脚本一键部署多种服务的方法。
初创公司是一家新成立的创业公司, 公司根据业务需求准备部署一个小型网络, 包含四
台服务器和若干客户机。考虑到后期需要在全国多个城市开分公司, 公司希望通过 Shell 的方式, 可以在不同的分支机构进行快速复制现有网络。
在管理员 PC 上编写 Shell 脚本, 实现一键部署。 实现以下项目需求:
在管理员 PC 上生成 SSH 密钥对(建议为私钥设置口令, 并通过 ssh-agent 加载; 这把私钥可以 root 登录所有服务器)
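# Generate the admin PC's deployment key once. ed25519 keys are short and
# fast; set a passphrase when prompted and load the key into ssh-agent, since
# this private key gives root on every server the scripts manage. ssh-copy-id
# (next step) picks the most recently created id_*.pub by default.
ssh-keygen -t ed25519 -C "deploy@admin-pc"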
为了将管理员 PC 上生成的公钥上传到其他网段的服务器, 需要在网关服务器(firewalld)上开启路由转发功能和地址伪装。注意: 下面两条命令只在运行时生效, 重启后失效; 永久配置应写入 /etc/sysctl.d/ 并使用 firewall-cmd --permanent。
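# Run on the gateway itself. Both settings are runtime only (gone after a
# reboot): they exist so the admin PC can reach the DMZ hosts for ssh-copy-id
# before firewall.sh is run. firewall.sh later assigns the uplink interface to
# firewalld's external zone, which masquerades by default, so no permanent
# masquerade on the default zone is needed.
sysctl -w net.ipv4.ip_forward=1     # IP forwarding (runtime)
firewall-cmd --add-masquerade       # NAT on the default zone (runtime)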
上传公钥至其他服务器
命令: ssh-copy-id IP地址 。首次连接时 ssh 会显示对方主机的指纹并要求确认, 应与在服务器本机上看到的指纹核对后再输入 yes, 否则无法发现中间人攻击。
验证免密连接
main.sh
脚本, 并完成调试(最终执行的脚本):
#!/bin/bash
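# Inventory for the one-click deployment. The sub-scripts are source'd into
# this shell, so the variables are visible to them without export.
Admin_IP=172.16.1.10
FW_IP=172.16.1.2
DHCP_Server_IP=192.168.1.10
DHCP_relay_IP=172.16.1.2        # the relay runs on the gateway itself
DNS_Server_IP=192.168.1.20
FTP_Server_IP=192.168.1.30

# Locate the sub-scripts next to this file rather than in the caller's cwd,
# so ./main.sh also works when started from another directory.
script_dir=$(cd "$(dirname "$0")" && pwd)

# Fail fast if key-based ssh to any target is not working. BatchMode=yes makes
# ssh fail instead of blocking on a password or unknown-host-key prompt, so a
# host whose key was never copied or whose fingerprint was never accepted is
# reported here rather than hanging deep inside a sub-script.
for host in $FW_IP $DHCP_Server_IP $DHCP_relay_IP $DNS_Server_IP $FTP_Server_IP
do
  if ! ssh -o BatchMode=yes -o ConnectTimeout=5 "$host" true &> /dev/null
  then
    echo "cannot reach $host with key-based ssh; run ssh-copy-id first" >&2
    exit 1
  fi
done

# Order matters: the gateway has to forward before the DMZ hosts are reachable,
# and yum has to work before any package can be installed.
for part in firewall yum dhcp dhcrelay dns ftp
do
  # shellcheck source=/dev/null
  source "$script_dir/$part.sh"
done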
赋予可执行权限
chmod +x main.sh  # main.sh is executed directly (./main.sh), so it needs the execute bit
firewall.sh
脚本, 并完成调试:
#!/bin/bash
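# Configure the gateway/firewall host ($FW_IP, defined in main.sh) over ssh:
# IPv4 forwarding, firewalld zone <-> interface mapping, FORWARD rules for the
# DMZ services, and an ssh port-forward from the outside to the admin PC.
#
# Interface-to-zone mapping assumed here (edit per site):
#   ens33 -> internal (172.16.1.0/24)   ens37 -> dmz (192.168.1.0/24)
#   ens38 -> external (uplink; firewalld's external zone masquerades)
# Every firewalld change is made --permanent and activated by one --reload at
# the end, so the script can be re-run safely.
FW_cmd="ssh $FW_IP"

# Ensure one firewalld setting exists. "$@" is the firewall-cmd argument list
# in its --query-* form; the --add-* form is derived from it, so query and add
# cannot drift apart (the original had a typo'd "ferewall-cmd" in the add
# branch for the internal zone, hidden by &> /dev/null). Both sides use
# --permanent; the original queried the runtime config but added to the
# permanent one.
fw_ensure() {
  if ! $FW_cmd firewall-cmd --permanent "$@" &> /dev/null; then
    if ! $FW_cmd firewall-cmd --permanent "${@/--query-/--add-}" &> /dev/null; then
      echo "firewall: failed to apply: $*" >&2
    fi
  fi
}

# IPv4 forwarding. The original test (`!= 0`) only re-enabled forwarding when
# it was already on, and wrote /proc directly, which is lost on reboot.
if [ "$($FW_cmd cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
  $FW_cmd sysctl -w net.ipv4.ip_forward=1 > /dev/null
  echo "route on firewall is open"
fi
$FW_cmd "echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf"

# Zone membership of the three interfaces.
fw_ensure --zone=internal --query-interface=ens33
fw_ensure --zone=dmz      --query-interface=ens37
fw_ensure --zone=external --query-interface=ens38

# firewalld rejects routed traffic between zones unless rules allow it; these
# direct rules open the service ports in FORWARD_direct. They match by port
# only, to any address in any direction, as the original did. If internal
# users do not need FTP to the outside, pin the ftp rules to the server with
# `-d $FTP_Server_IP`. Leave dns unpinned: dns.sh leaves recursion enabled,
# so the DMZ resolver presumably also needs udp/53 out to the uplink.
#ftp: control port and the passive range configured by ftp.sh
fw_ensure --direct --query-rule ipv4 filter FORWARD_direct 0 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
fw_ensure --direct --query-rule ipv4 filter FORWARD_direct 0 -p tcp --dport 20000:20100 -m conntrack --ctstate NEW -j ACCEPT
#ssh: admin PC -> DMZ hosts (this deployment itself) and the port-forward below
fw_ensure --direct --query-rule ipv4 filter FORWARD_direct 0 -p tcp --dport 22 -j ACCEPT
#dns
fw_ensure --direct --query-rule ipv4 filter FORWARD_direct 0 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# Port forward external:22 -> admin PC. This publishes the admin workstation's
# ssh to everything on the uplink: keep key-only authentication on $Admin_IP,
# and where the branch offices' source ranges are known prefer a rich rule
# with source= over this unconditional forward-port.
fw_ensure --zone=external --query-forward-port=port=22:proto=tcp:toport=22:toaddr="$Admin_IP"

# Activate the permanent configuration; report a failed reload instead of
# printing "ok" unconditionally.
if $FW_cmd firewall-cmd --reload &> /dev/null; then
  echo "firewalld rules are ok!"
else
  echo "firewalld reload failed on $FW_IP" >&2
fi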
赋予可执行权限
chmod +x firewall.sh  # optional: main.sh source's this file, which only needs read access
yum.sh
脚本, 并完成调试。在编写完后, 一定要先将每一台服务器上 /etc/yum.repos.d/
目录下的文件手动移动到其他目录,如:
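# Run on every server before yum.sh: park the stock repo files so the
# DVD-backed [local] repository written by yum.sh is the only one in use.
cd /etc/yum.repos.d
mkdir -p repo
# Move only the *.repo files; the original `mv * repo` also tried to move the
# new directory into itself and printed an error.
mv -- *.repo repo/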
以下是脚本内容:
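#!/bin/bash
# Point every server at the mounted install DVD as its sole yum repository
# (the servers have no internet access). *_IP variables come from main.sh.
# Prerequisite (done by hand, see the text above): the stock files in
# /etc/yum.repos.d/ were moved aside, otherwise yum keeps trying the mirrors.
ServerIP="$FW_IP $DHCP_Server_IP $DNS_Server_IP $FTP_Server_IP"
for i in $ServerIP
do
  cmd="ssh $i"
  # (Re)mount the DVD read-only at /mnt. The original detected an existing
  # mount by grepping df for /dev/cdrom, but df typically shows the resolved
  # device (e.g. /dev/sr0), so the unmount branch never ran; test the mount
  # point instead.
  $cmd 'if mountpoint -q /mnt; then umount /mnt; fi; umount /dev/cdrom 2>/dev/null; mount -o ro /dev/cdrom /mnt' &> /dev/null
  # Overwrite (>) rather than append: the original duplicated the [local]
  # section on every run.
  # gpgcheck=0 means nothing verifies the RPMs; it is tolerable only because
  # the source is physical install media. If the DVD ships its signing key
  # (an RPM-GPG-KEY-* file at the media root), prefer gpgcheck=1 with
  # gpgkey=file:///mnt/<that file>.
  $cmd 'cat > /etc/yum.repos.d/local.repo' <<'EOF'
[local]
name=local
baseurl=file:///mnt
enabled=1
gpgcheck=0
EOF
  $cmd 'yum clean all' &> /dev/null
  if $cmd 'yum makecache' &> /dev/null
  then
    echo "yum is ok($i)"
  else
    echo "yum is failed($i)"
  fi
done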
赋予可执行权限
chmod +x yum.sh  # optional: main.sh source's this file, which only needs read access
dhcp.sh
脚本, 并完成调试:
#!/bin/bash
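# Deploy the ISC DHCP server on $DHCP_Server_IP (from main.sh). It serves the
# internal LAN 172.16.1.0/24 via the relay on the gateway; the empty
# 192.168.1.0/24 block is required because dhcpd refuses to start unless the
# subnet of its own interface is declared.
DHCP_Server_cmd="ssh $DHCP_Server_IP"

# A plain install is idempotent. The original uninstalled and re-installed the
# package on every run, which leaves the site without DHCP if the re-install
# fails, and is unnecessary now that the config below is written whole.
if $DHCP_Server_cmd yum -y install dhcp &> /dev/null
then
  # Overwrite rather than append, so a re-run does not pile up duplicate
  # subnet blocks. Router and DNS come from the inventory instead of
  # repeated literals (the original also had a non-ASCII quote on the
  # domain-name-servers line, which broke the script's syntax).
  $DHCP_Server_cmd 'cat > /etc/dhcp/dhcpd.conf' <<EOF
subnet 172.16.1.0 netmask 255.255.255.0 {
  range 172.16.1.100 172.16.1.200;
  option domain-name-servers $DNS_Server_IP;
  option routers $FW_IP;
}
subnet 192.168.1.0 netmask 255.255.255.0 {}
EOF
  # Syntax-check the generated file before touching the service.
  if ! $DHCP_Server_cmd dhcpd -t -cf /etc/dhcp/dhcpd.conf &> /dev/null
  then
    echo "dhcpd.conf failed the syntax check (dhcpd -t)" >&2
  fi
  $DHCP_Server_cmd systemctl enable --now firewalld &> /dev/null
  # Query and add name the same zone; the original queried public but added
  # to the default zone.
  if ! $DHCP_Server_cmd firewall-cmd --permanent --zone=public --query-service=dhcp &> /dev/null
  then
    $DHCP_Server_cmd firewall-cmd --permanent --zone=public --add-service=dhcp &> /dev/null
    $DHCP_Server_cmd firewall-cmd --reload &> /dev/null
  fi
  $DHCP_Server_cmd systemctl enable dhcpd &> /dev/null
  if $DHCP_Server_cmd systemctl restart dhcpd &> /dev/null
  then
    echo "DHCP Server is ok"
  else
    echo "dhcpd boot error!"
  fi
else
  echo "dhcp install error!!!"
fi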
赋予可执行权限
chmod +x dhcp.sh  # optional: main.sh source's this file, which only needs read access
dhcrelay.sh
脚本, 并完成调试:
#!/bin/bash
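# Deploy the ISC DHCP relay on $DHCP_relay_IP (the gateway, see main.sh).
# Clients on the internal LAN broadcast to the relay, which unicasts the
# requests to $DHCP_Server_IP in the DMZ.
DHCP_relay_cmd="ssh $DHCP_relay_IP"

# The relay binary ships in the same "dhcp" package as the server. A plain
# install is idempotent; the original removed and re-installed every run.
if ! $DHCP_relay_cmd yum -y install dhcp &> /dev/null
then
  echo "dhcrelay install error!" >&2
fi

# Tell dhcrelay which server to forward to through a systemd drop-in. The
# original sed-edited the unit in /usr/lib/systemd/system, which (a) is
# overwritten by the next package update, (b) appended the address again on
# every run and (c) was never followed by daemon-reload, so systemd kept
# running the old ExecStart. The binary path matches the stock unit; confirm
# with `systemctl cat dhcrelay` if the package version differs.
$DHCP_relay_cmd 'mkdir -p /etc/systemd/system/dhcrelay.service.d && cat > /etc/systemd/system/dhcrelay.service.d/override.conf' <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/dhcrelay -d --no-pid $DHCP_Server_IP
EOF
$DHCP_relay_cmd systemctl daemon-reload &> /dev/null
$DHCP_relay_cmd systemctl enable dhcrelay &> /dev/null
# restart (not start) so a changed server address takes effect on re-runs.
if $DHCP_relay_cmd systemctl restart dhcrelay &> /dev/null
then
  echo "dhcrelay is ok!"
else
  echo "dhcrelay boot error!"
fi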
赋予可执行权限
chmod +x dhcrelay.sh  # optional: main.sh source's this file, which only needs read access
dns.sh
脚本, 并完成调试:
#!/bin/bash
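# Deploy BIND on $DNS_Server_IP (from main.sh): master for bdqn.com and the
# resolver handed to clients by dhcp.sh. Zone records use the inventory
# addresses rather than repeated literals.
DNS_Server_cmd="ssh $DNS_Server_IP"

# The named.conf edits below are global substitutions that only give the
# intended result on the stock file, so (as in the original) the package is
# removed and re-installed to obtain a pristine copy. Install only bind and
# bind-utils; the original `yum -y install bind*` glob dragged in every other
# bind-* package on the media.
if $DNS_Server_cmd rpm -q bind &> /dev/null
then
  $DNS_Server_cmd yum -y remove bind &> /dev/null
fi
if ! $DNS_Server_cmd yum -y install bind bind-utils &> /dev/null
then
  echo "bind install error!" >&2
fi

# Stock file -> listen on every address, answer anyone, and turn the root
# hint stanza into the bdqn.com master zone. NOTE: each pattern is replaced
# wherever it occurs in the file, hence the pristine-copy requirement above.
$DNS_Server_cmd "sed -i 's/127.0.0.1/any/g; s/localhost/any/g' /etc/named.conf"
$DNS_Server_cmd "sed -i 's/\"\.\"/\"bdqn.com\"/g; s/hint/master/g; s/named.ca/bdqn.zone/g' /etc/named.conf"
# allow-query { any; } together with the stock `recursion yes` makes this a
# resolver for whoever can reach it (BIND falls back to compiled-in root hints
# when no hint zone is configured). Limit recursion to our own networks,
# internal LAN and DMZ; everyone else only gets bdqn.com answers. Guarded so a
# re-run does not insert the line twice.
$DNS_Server_cmd "grep -q allow-recursion /etc/named.conf || sed -i '/^options {/a allow-recursion { 127.0.0.1; 172.16.1.0/24; 192.168.1.0/24; };' /etc/named.conf"

# Zone data, written with > so re-runs do not append duplicate records.
$DNS_Server_cmd 'cat > /var/named/bdqn.zone' <<EOF
\$TTL 1D
@ IN SOA bdqn.com. admin.bdqn.com. (200 1H 15M 1W 1D)
@ IN NS www.bdqn.com.
www IN A $DNS_Server_IP
dhcp IN A $DHCP_Server_IP
ftp IN A $FTP_Server_IP
dns IN A $DNS_Server_IP
EOF
# named must be able to read the zone; nobody else needs to.
$DNS_Server_cmd chown root:named /var/named/bdqn.zone
$DNS_Server_cmd chmod 640 /var/named/bdqn.zone

# Validate before (re)starting so a broken edit fails loudly here instead of
# leaving named down.
if ! $DNS_Server_cmd named-checkconf /etc/named.conf &> /dev/null
then
  echo "named.conf failed named-checkconf" >&2
fi
if ! $DNS_Server_cmd named-checkzone bdqn.com /var/named/bdqn.zone &> /dev/null
then
  echo "bdqn.zone failed named-checkzone" >&2
fi

$DNS_Server_cmd systemctl enable --now firewalld &> /dev/null
if ! $DNS_Server_cmd firewall-cmd --permanent --zone=public --query-service=dns &> /dev/null
then
  $DNS_Server_cmd firewall-cmd --permanent --zone=public --add-service=dns &> /dev/null
  $DNS_Server_cmd firewall-cmd --reload &> /dev/null
fi
$DNS_Server_cmd systemctl enable named &> /dev/null
if $DNS_Server_cmd systemctl restart named &> /dev/null
then
  echo named is ok
else
  echo named boot error
fi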
赋予可执行权限
chmod +x dns.sh  # optional: main.sh source's this file, which only needs read access
ftp.sh
脚本, 并完成调试:
#!/bin/bash
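# Deploy vsftpd on $FTP_Server_IP (from main.sh) as an anonymous drop box at
# /var/ftp/pub. Security notes: anonymous users may upload, mkdir and, via
# anon_other_write_enable, delete or rename anything in the share, so anyone
# who can reach tcp/21 can wipe it; FTP is also cleartext. Keep it reachable
# only from the networks the gateway's FORWARD rules allow, and drop
# anon_other_write_enable unless deletion is really a requirement.
FTP_Server_cmd="ssh $FTP_Server_IP"

# A plain install is idempotent; the original removed and re-installed the
# package on every run.
if ! $FTP_Server_cmd yum -y install vsftpd &> /dev/null
then
  echo "vsftpd install error!" >&2
fi

# Keep one pristine copy of the stock config. The original mv'ed the live
# file over the backup on every run, so from the second run on the "backup"
# was the generated file.
$FTP_Server_cmd '[ -e /etc/vsftpd/vsftpd.conf_bak ] || cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak'
# Regenerate the config from the backup each run: stock settings minus
# comment lines (lines starting with '#'; the original dropped every line
# containing a '#'), then the site settings. Anonymous login itself relies
# on the stock anonymous_enable=YES.
$FTP_Server_cmd 'grep -v "^#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf'
$FTP_Server_cmd 'cat >> /etc/vsftpd/vsftpd.conf' <<'EOF'
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
pasv_min_port=20000
pasv_max_port=20100
EOF

# Anonymous sessions run as the local "ftp" user, so give it ownership of the
# upload directory instead of making the directory world-writable (0777 also
# let every local account on the server write there). If SELinux is
# enforcing, anonymous uploads additionally need the ftpd_anon_write boolean
# and a public_content_rw_t context on /var/ftp/pub -- not handled here.
$FTP_Server_cmd 'chown ftp:ftp /var/ftp/pub && chmod 755 /var/ftp/pub'

$FTP_Server_cmd systemctl enable --now firewalld &> /dev/null
# Query and add name the same zone; the original queried public but added to
# the default zone.
if ! $FTP_Server_cmd firewall-cmd --permanent --zone=public --query-service=ftp &> /dev/null
then
  $FTP_Server_cmd firewall-cmd --permanent --zone=public --add-service=ftp &> /dev/null
  $FTP_Server_cmd firewall-cmd --reload &> /dev/null
fi
$FTP_Server_cmd systemctl enable vsftpd &> /dev/null
if $FTP_Server_cmd systemctl restart vsftpd &> /dev/null
then
  echo "ftp is ok!"
else
  echo "ftp boot error!"
fi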
赋予可执行权限
chmod +x ftp.sh  # optional: main.sh source's this file, which only needs read access
main.sh
脚本实现一键部署:
./main.sh
运行结果:
从运行结果看,所有服务已经部署成功
提示: 如果在运行脚本的过程中出现报错, 可执行 bash -x main.sh
命令来显示详细过程来查看具体错误
为了验证一键部署是否成功,在服务器上进行查看
各服务都能正常启动, 说明 yum 仓库配置也是成功的。建议进一步验证: 用 dig/nslookup 查询 www.bdqn.com, 以匿名用户向 FTP 上传一个文件, 并确认内网客户机能获得 172.16.1.100-200 范围内的地址。