~ This post: with thanks to teacher Oldboy (老男孩) for the instruction ~
Machine deployment for an SSH cluster architecture
Password-based authentication:
Password-based authentication is what everyone uses today: as long as you know the server's SSH account and password, the server's IP address and the open port (22 by default), you can log in to the remote host through an SSH client. All data transferred during the session is encrypted.
With password-based authentication, how do you do batch management? expect, pssh, sshpass.
Mid-term cluster project: build and tune a 50-server cluster with one command.
Key-based authentication:
(See the previous posts for a detailed explanation.)
1. Create the user and password on every machine:
useradd oldgirl
echo 123456 | passwd --stdin oldgirl
id oldgirl
su - oldgirl
2. Create the key pair on m01
[oldgirl@m01 ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oldgirl/.ssh/id_dsa):
Created directory '/home/oldgirl/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oldgirl/.ssh/id_dsa.
Your public key has been saved in /home/oldgirl/.ssh/id_dsa.pub.
The key fingerprint is:
20:6a:91:99:18:d8:aa:7f:46:60:8f:87:6d:83:c5:fd oldgirl@m01
The key's randomart image is:
+--[ DSA 1024]----+
|o. |
|.o.+ |
|..=.... |
|. ooo... |
|..oO .S |
|..+ B E |
| . + . |
| . o |
| o |
+-----------------+
[oldgirl@m01 ~]$ ll .ssh/
total 8
-rw------- 1 oldgirl oldgirl 668 Dec 15 12:36 id_dsa       --> the key (private key)
-rw-r--r-- 1 oldgirl oldgirl 601 Dec 15 12:36 id_dsa.pub   --> the lock (public key)
**Non-interactive key creation: generate the key pair in one command**
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
3. Distribute the public key from m01
[oldgirl@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldgirl@172.16.1.8"
The authenticity of host '[172.16.1.8]:52113 ([172.16.1.8]:52113)' can't be established.
RSA key fingerprint is ea:e2:b1:91:af:26:98:18:0c:5c:c4:7b:99:24:8c:9f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.1.8]:52113' (RSA) to the list of known hosts.
oldgirl@172.16.1.8's password:
Now try logging into the machine, with "ssh '-p 52113 oldgirl@172.16.1.8'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
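That closing message from ssh-copy-id is worth taking literally: every line in authorized_keys is a standing login credential, and the usual problem is not a missing key but an extra one nobody remembers adding. The following is an added example, not code from the original post: it compares a managed node's authorized_keys with an allow-list of the public keys you expect, matching on key material rather than on the comment, and checks the 700/600 modes that sshd's default StrictModes requires. It assumes the post's port 52113 and user oldgirl, GNU stat (-c) on the targets, and an allow-list file in the same format as authorized_keys; the function names and the key lines used in testing are this example's own constructed data.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a managed node's
# ~/.ssh/authorized_keys after ssh-copy-id, as the tool's own message asks.
# Assumptions: the post's port 52113 and user oldgirl, GNU stat (-c) on the
# targets, and an allow-list file of expected public keys in the same
# "type blob comment" format as authorized_keys.

PORT=${PORT:-52113}
USER_NAME=${USER_NAME:-oldgirl}

# Print every line of authorized_keys ($2) whose key material ("type blob")
# is not listed in the allow-list ($1). Blank lines, comments and leading
# options such as command="..." are skipped; the comment field is ignored
# because it is free text and says nothing about who holds the private key.
# Exit status: 0 = nothing unexpected, 1 = at least one unexpected key.
unexpected_keys() {
    awk '
        function material(   i) {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        /^[ \t]*$/ { next }
        /^[ \t]*#/ { next }
        FILENAME == ARGV[1] { m = material(); if (m != "") allow[m] = 1; next }
        { m = material(); if (m != "" && !(m in allow)) { print; bad = 1 } }
        END { exit bad ? 1 : 0 }' "$1" "$2"
}

# sshd with StrictModes (the default) ignores authorized_keys when ~/.ssh or the
# file is group/world writable. $1 = mode of ~/.ssh, $2 = mode of the file,
# both as printed by "stat -c %a". Prints what is wrong; returns 1 if anything is.
check_modes() {
    rc=0
    [ "$1" = 700 ] || { echo "~/.ssh is mode $1, expected 700"; rc=1; }
    [ "$2" = 600 ] || { echo "authorized_keys is mode $2, expected 600"; rc=1; }
    return $rc
}

# Fetch the file and modes from host $1 over ssh and run both checks against
# allow-list $2. Returns 1 if anything needs attention.
audit_remote() {
    host=$1 allow=$2
    target="$USER_NAME@$host"
    tmp=$(mktemp) || return 1
    ssh -n -p "$PORT" "$target" 'cat ~/.ssh/authorized_keys' > "$tmp" 2>/dev/null \
        || { rm -f "$tmp"; echo "$host: could not read authorized_keys"; return 1; }
    modes=$(ssh -n -p "$PORT" "$target" 'stat -c %a ~/.ssh ~/.ssh/authorized_keys' 2>/dev/null)
    rc=0
    if ! unexpected_keys "$allow" "$tmp" > "$tmp.bad"; then
        sed "s/^/$host: unexpected key: /" "$tmp.bad"
        rc=1
    fi
    set -- $modes                        # word-split into dir mode, file mode
    check_modes "${1:-missing}" "${2:-missing}" || rc=1
    rm -f "$tmp" "$tmp.bad"
    return $rc
}

# Usage from m01: sh audit_keys.sh 172.16.1.8 ~/expected_keys
if [ $# -eq 2 ]; then
    audit_remote "$1" "$2"
fi
```

Run it from m01 against each host after distribution; a non-zero exit with the offending line printed is the cue to look at that host before trusting it with batch jobs.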
In the same way, send the key to 172.16.1.31 and 172.16.1.41.
4. Test
Building on what we have set up, we can use a script to view the IP address of every server.
[oldgirl@m01 ~]$ mkdir script
[oldgirl@m01 ~]$ cd script/
[oldgirl@m01 script]$ vi view_ip.sh
[oldgirl@m01 script]$ cat view_ip.sh
```sh
#!/bin/sh
# run ifconfig on each of the three managed hosts over the key-based SSH login
ssh -p52113 oldgirl@172.16.1.8 /sbin/ifconfig eth0
ssh -p52113 oldgirl@172.16.1.31 /sbin/ifconfig eth0
ssh -p52113 oldgirl@172.16.1.41 /sbin/ifconfig eth0
```
**A more advanced version of the script**
[oldgirl@m01 script]$ cat view_ip.sh
```sh
#!/bin/sh
# take the command to run on every host as the single argument
if [ $# -ne 1 ];then
    echo "USAGE:/bin/sh $0 ARG1"
    exit 1
fi
for n in 8 31 41
do
    echo ===========172.16.1.$n ===========
    ssh -p52113 oldgirl@172.16.1.$n "$1"
done
```
[oldgirl@m01 script]$ sh view_ip.sh "/sbin/ifconfig eth0 "
The output is too long to show here....
On m01, we copy the /etc/hosts file into oldgirl's home directory and push it out to the hosts in batch (replace <target-ip> with the IP address of the host you are pushing to).
[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<target-ip>:/etc/hosts
scp: /etc/hosts: Permission denied
But... we run into this problem: insufficient permissions......
The three most common ways of implementing an SSH solution in a company:
1. Use the SSH key directly as root
Requirement: root is allowed to log in over SSH
Drawbacks: poor security, and remote root logins cannot be disabled
2. Use sudo privilege escalation so that an unprivileged user can do the copy.
Pros: relatively secure; the remote root login feature is not needed
Cons: complex, and security is weaker, since anyone can run the commands that carry suid permission.
Configure sudoers
On every virtual machine, run the following commands:
echo "oldgirl ALL= NOPASSWD: /usr/bin/rsync" >>/etc/sudoers
visudo -c    (check the syntax)
[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<target-ip>:~
Remote sudo (the -t option must be added):
[oldgirl@m01 ~]$ ssh -p52113 -t oldgirl@<target-ip> sudo rsync ~/hosts /etc/hosts
3. Use suid so that an unprivileged user can do the copy.
(For broadening your understanding only; avoid it in real work.)
Pros: relatively secure
Cons: complex, and security is weaker
On m01
[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<nfs01-ip>:~    (copy it to the home directory first)
On nfs01
[root@nfs01 ~]# chmod u+s /usr/bin/rsync
[root@nfs01 ~]# ls -l `which rsync`
-rwsr-xr-x. 1 root root 414968 Apr 30 2014 /usr/bin/rsync
Back on m01 again, connect over SSH and run rsync
ssh -p52113 oldgirl@<nfs01-ip> rsync ~/hosts /etc/hosts
Stacking up command lines in the way shown above gives us a batch distribution script
[oldgirl@m01 ~]$ cat fenfa_file.sh
```sh
# copy the file into each user's home directory, then move it into place as root via sudo rsync
scp -P52113 hosts oldgirl@172.16.1.8:~
ssh -p52113 -t oldgirl@172.16.1.8 sudo rsync ~/hosts /etc/hosts
scp -P52113 hosts oldgirl@172.16.1.31:~
ssh -p52113 -t oldgirl@172.16.1.31 sudo rsync ~/hosts /etc/hosts
scp -P52113 hosts oldgirl@172.16.1.41:~
ssh -p52113 -t oldgirl@172.16.1.41 sudo rsync ~/hosts /etc/hosts
```
We can also push data with rsync in tunnel mode (over SSH)
[oldgirl@m01 ~]$ rsync -avz hosts -e 'ssh -p 52113' oldgirl@<target-ip>:~
sending incremental file list
hosts
sent 86 bytes received 37 bytes 246.00 bytes/sec
total size is 324 speedup is 2.63
---> incremental
---> encrypted
Extension: write a script that distributes a given file to all hosts, with a destination path you specify
[oldgirl@m01 script]$ cat fenfa_file2.sh
```sh
#!/bin/sh
if [ $# -ne 2 ];then          # check that exactly two arguments were passed
    echo "USAGE:/bin/sh $0 ARG1 ARG2"
    exit 1
fi
. /etc/init.d/functions       # provides action, which prints [ OK ] / [FAILED]
for n in 8 31 41
do
    scp -P52113 ~/$1 oldgirl@172.16.1.${n}:~ >/dev/null 2>&1 &&\
    ssh -p52113 -t oldgirl@172.16.1.${n} sudo rsync ~/$1 $2 >/dev/null 2>&1
    if [ $? -eq 0 ];then
        action "fenfa hosts 172.16.1.$n" /bin/true
    else
        action "fenfa hosts 172.16.1.$n" /bin/false
    fi
done
```
Test:
[oldgirl@m01 ~]$ touch test
[oldgirl@m01 ~]$ sh script/fenfa_file2.sh test /opt
fenfa hosts 172.16.1.8 [ OK ]
fenfa hosts 172.16.1.31 [ OK ]
fenfa hosts 172.16.1.41 [ OK ]
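fenfa_file2.sh reports [ OK ] whenever the ssh command returns 0, says nothing about whether the bytes that arrived are the bytes that were sent, and hard-codes the host list. The following is an added example, not the original post's code: it keeps the same scp-then-sudo-rsync flow but reads hosts from a file, attempts every host, compares the sha256 of the remote copy with the local file, and exits with the number of hosts that failed. It assumes the post's sudoers line for /usr/bin/rsync plus `Defaults:oldgirl !requiretty` on the targets (CentOS 6 ships `Defaults requiretty`, which is why the post needs ssh -t), and sha256sum on both sides; the function names are this example's own. One caveat to the post's "relatively secure": a passwordless sudo rsync can write any file as root, so the sudoers entry restricts which binary runs, not what it can change, and the hash check here is about detecting a failed or partial transfer, not containing the account.

```sh
#!/bin/sh
# Added example, not code from the original post. Same flow as fenfa_file2.sh
# (scp into the user's home, then sudo rsync into place), but: hosts come from
# a list file, every host is attempted, the remote copy's sha256 is compared
# with the local file, and the exit status is the number of hosts that failed.
# Assumptions: the post's sudoers entry for /usr/bin/rsync plus
# "Defaults:oldgirl !requiretty" on the targets, so no "ssh -t" is needed,
# and sha256sum on both sides.

PORT=${PORT:-52113}
USER_NAME=${USER_NAME:-oldgirl}

# Transport helpers, kept separate so a test can replace them.
# -n stops ssh from reading stdin; otherwise it would swallow the rest of the
# host list that the while-read loop in distribute_all is consuming.
run_remote() {
    host=$1; shift
    ssh -n -p "$PORT" "$USER_NAME@$host" "$@"
}
copy_to() {
    scp -P "$PORT" "$1" "$USER_NAME@$2:~"      # lands in the remote home directory
}

local_sha() { sha256sum "$1" | cut -d' ' -f1; }

# Copy $1 to host $3, move it to $2 as root, and verify the hash.
# Returns 0 only when the remote file's sha256 equals the local one.
distribute_one() {
    src=$1 dest=$2 host=$3
    name=$(basename "$src")
    copy_to "$src" "$host" >/dev/null 2>&1 || return 1
    # rsync behaves as in the post (a directory dest receives dest/name);
    # hash whichever path the file ended up at. ~ expands on the remote side.
    remote=$(run_remote "$host" "sudo rsync ~/$name '$dest' && \
        if [ -d '$dest' ]; then sha256sum '$dest/$name'; else sha256sum '$dest'; fi" \
        2>/dev/null | cut -d' ' -f1)
    [ -n "$remote" ] && [ "$remote" = "$(local_sha "$src")" ]
}

# $1 = local file, $2 = remote path, $3 = host list file (one host per line,
# blank lines and # comments ignored). Prints one status line per host and
# returns the number of hosts that failed (0 means everything verified).
distribute_all() {
    src=$1 dest=$2 list=$3
    failed=0
    while IFS= read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        if distribute_one "$src" "$dest" "$host"; then
            printf 'fenfa %s -> %s:%s [ OK ]\n' "$(basename "$src")" "$host" "$dest"
        else
            printf 'fenfa %s -> %s:%s [ FAILED ]\n' "$(basename "$src")" "$host" "$dest"
            failed=$((failed + 1))
        fi
    done < "$list"
    return $failed
}

# Usage from m01: sh fenfa_verified.sh hosts /etc/hosts ~/hostlist.txt
if [ $# -eq 3 ]; then
    distribute_all "$1" "$2" "$3"
fi
```

Because the exit status is the failure count, the script composes with cron or a wrapper (`sh fenfa_verified.sh hosts /etc/hosts list || mail -s "hosts push failed" ops`), which the [ OK ]-only version cannot do.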
Batch and automated management solutions for enterprise production environments:
1. SSH key: the simplest, most common and most powerful; typically used by small and mid-sized companies with under 50-100 machines.
2. sina cfengine/puppet: an early batch-management tool; hardly any company uses it now.
3. Popular at portal scale: the puppet batch-management tool, complex and heavyweight.
4. saltstack batch-management tool: simple and powerful (though its configuration is complex); used by Ganji.com, Xiaomi and some CDN companies.
5. http+cron
Batch-management roadmap:
sshkey --> cfengine --> puppet --> saltstack/ansible
Non-interactive key generation with expect, and batch management in practice
1. Install expect (on the m01 management host)
[root@m01 ~]# yum install expect -y
[root@m01 ~]# rpm -qa expect
expect-5.44.1.15-5.el6_4.x86_64
2. Create the user and password on every machine
useradd oldgirl888
echo 123456|passwd --stdin oldgirl888
id oldgirl888
su - oldgirl888
3. Generate the key pair on m01
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
4. Distribute the key
ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldgirl888@<target-ip>"
[oldgirl888@m01 ~]$ vim fenfa_sshkey.exp
[oldgirl888@m01 ~]$ cat fenfa_sshkey.exp
```expect
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit
}
#define var
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"
#spawn scp /etc/hosts <user>@<target-ip>:/etc/hosts
#spawn scp -P52113 $file oldboy@$hosts:$dir
spawn ssh-copy-id -i $file "-p 52113 oldgirl888@$host"
expect {
    "yes/no" {send "yes\r";exp_continue}
    "*password" {send "$password\r"}
}
expect eof
exit -onexit {
    send_user "Oldboy say goodbye to you!\n"
}
#script usage
#example
#expect fenfa_sshkey.exp file host dir
#expect fenfa_sshkey.exp ~/hosts 10.0.0.41:~
```
With that, the basic non-interactive expect part is done, but... the arguments still have to be passed in.
[oldgirl888@m01 ~]$ vim fenfa_sshkey.sh
[oldgirl888@m01 ~]$ cat fenfa_sshkey.sh
```sh
#!/bin/sh
. /etc/init.d/functions
for ip in 8 31 41
do
    # note: fenfa_sshkey.exp exits 0 whenever it reaches eof, even if
    # ssh-copy-id itself failed, so [ OK ] here means "expect ran"
    expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.$ip >/dev/null 2>&1
    if [ $? -eq 0 ];then
        action "$ip" /bin/true
    else
        action "$ip" /bin/false
    fi
done
```
In this way the key distribution is completed non-interactively.
Extension: install the httpd service on many servers with one command:
1. Create the users in batch (for now, the user creation here is done by sending the commands from the terminal window to all sessions at once.)
useradd oldboy888
echo 123456|passwd --stdin oldboy888
id oldboy888
echo "oldboy888 ALL= NOPASSWD: ALL" >>/etc/sudoers
visudo -c
su - oldboy888
2.
(1) Create the non-interactive expect script:
[oldboy888@m01 ~]$ vim fenfa_sshkey.exp
[oldboy888@m01 ~]$ cat fenfa_sshkey.exp
```expect
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit
}
#define var
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"
#spawn scp /etc/hosts <user>@<target-ip>:/etc/hosts
#spawn scp -P52113 $file oldboy@$hosts:$dir
spawn ssh-copy-id -i $file "-p 52113 oldboy888@$host"
expect {
    "yes/no" {send "yes\r";exp_continue}
    "*password" {send "$password\r"}
}
expect eof
exit -onexit {
    send_user "Oldboy say goodbye to you!\n"
}
#script usage
#example
#expect fenfa_sshkey.exp file host dir
#expect fenfa_sshkey.exp ~/hosts 10.0.0.41:~
```
(2) Create a folder and write the script to be installed: (here we automate installing httpd)
[oldboy888@m01 ~]$ mkdir scripts
[oldboy888@m01 ~]$ vim scripts/install.sh
[oldboy888@m01 ~]$ cat scripts/install.sh
yum install httpd -y
(3) The batch automated installation script
[oldboy888@m01 ~]$ vim auto_deploy.sh
[oldboy888@m01 ~]$ cat auto_deploy.sh
```sh
#!/bin/sh
. /etc/init.d/functions
#1. generate the key pair on m01
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
if [ $? -eq 0 ];then
    action "create dsa key" /bin/true
else
    action "create dsa key" /bin/false
    exit 1
fi
#2. distribute the public key
for ip in 8 31 41
do
    expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.$ip >/dev/null 2>&1
    if [ $? -eq 0 ];then
        action "$ip" /bin/true
    else
        action "$ip" /bin/false
    fi
done
#3. distribute the scripts directory
for n in 8 31 41
do
    scp -P 52113 -rp ~/scripts oldboy888@172.16.1.$n:~
done
#4. install the service
for m in 8 31 41
do
    ssh -t -p 52113 oldboy888@172.16.1.$m sudo /bin/bash /home/oldboy888/scripts/install.sh
done
```
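Step 1 of auto_deploy.sh only works on the first run: once ~/.ssh/id_dsa exists, ssh-keygen asks "Overwrite (y/n)?", reads EOF because stdin is not a terminal, exits non-zero, and the whole deploy stops at "create dsa key [FAILED]". OpenSSH 7.0 and later also refuse ssh-dss (DSA) keys by default, so a DSA key will not log in to a current server at all. The following is an added example, not the post's code: an idempotent replacement for that step that generates an ed25519 key only when one is missing and enforces the 700/600 modes the post's `ll .ssh/` output shows. The KEYGEN variable and the function name are this example's own; KEYGEN exists so the behaviour can be checked without ssh-keygen installed.

```sh
#!/bin/sh
# Added example, not code from the original post: an idempotent replacement for
# step 1 of auto_deploy.sh. The post's unconditional
#   ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
# asks "Overwrite (y/n)?" once the key exists; with no terminal the answer is
# EOF, ssh-keygen exits non-zero and the deploy stops at "create dsa key [FAILED]"
# on every run after the first. OpenSSH 7.0 and later also refuse ssh-dss
# (DSA) keys by default, so ed25519 is used here.
# KEYGEN is a hook so the check below can run without ssh-keygen installed.

KEYGEN=${KEYGEN:-ssh-keygen}

# Make sure a key pair exists at $1 (e.g. ~/.ssh/id_ed25519): generate it only
# when missing, and enforce the modes the post's "ll .ssh/" shows (700 on the
# directory, 600 on the private key). Returns 0 when the pair is in place.
ensure_keypair() {
    key=$1
    dir=$(dirname "$key")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ ! -f "$key" ] || [ ! -f "$key.pub" ]; then
        # a half pair (only one of the two files) is useless; replace both
        rm -f "$key" "$key.pub"
        $KEYGEN -t ed25519 -N '' -f "$key" -C "$(id -un)@$(uname -n)" >/dev/null 2>&1 || return 1
    fi
    chmod 600 "$key" && chmod 644 "$key.pub"
}

# Usage: sh ensure_key.sh ~/.ssh/id_ed25519
if [ $# -eq 1 ]; then
    ensure_keypair "$1"
fi
```

Dropped into auto_deploy.sh in place of the ssh-keygen line, this lets the script be re-run after a partial failure (say, one host was down during key distribution) without regenerating the key and invalidating the copies already on the other hosts.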
**Run it and look at the result**
[oldboy888@m01 ~]$ sh -x auto_deploy.sh
Download: the expect configuration file and the scripts