~ This post: with thanks to teacher Oldboy (老男孩) for the instruction ~

Machine deployment for an SSH cluster architecture

Password-based authentication:
Password-based authentication is what everyone has been using all along: as long as you know the server's SSH account and password, plus the server's IP and open port (22 by default), you can log in to the remote host through an SSH client. All data transmitted during the session is encrypted.
With password-based authentication, how do we do batch management? expect, pssh, sshpass
Mid-term cluster project: build and optimise a 50-server cluster with one click.

Key-based authentication:
(See the previous posts for a detailed explanation.)

Batch management deployment concept:
[Figure: 50-server cluster architecture configuration, part 5: SSH batch management, non-interactive key generation with expect, and batch management in practice]

1. Create the user and password on every machine:
useradd oldgirl
echo 123456 | passwd --stdin oldgirl
id oldgirl
su - oldgirl
2. Create the key pair on m01
[oldgirl@m01 ~]$ ssh-keygen -t dsa 
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oldgirl/.ssh/id_dsa): 
Created directory '/home/oldgirl/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/oldgirl/.ssh/id_dsa.
Your public key has been saved in /home/oldgirl/.ssh/id_dsa.pub.
The key fingerprint is:
20:6a:91:99:18:d8:aa:7f:46:60:8f:87:6d:83:c5:fd oldgirl@m01
The key's randomart image is:
+--[ DSA 1024]----+
|o.               |
|.o.+             |
|..=....          |
|. ooo...         |
|..oO   .S        |
|..+ B   E        |
| . + .           |
|  . o            |
|   o             |
+-----------------+
[oldgirl@m01 ~]$ ll .ssh/
total 8
-rw------- 1 oldgirl oldgirl 668 Dec 15 12:36 id_dsa       --> the key (private key)
-rw-r--r-- 1 oldgirl oldgirl 601 Dec 15 12:36 id_dsa.pub   --> the lock (public key)

**Non-interactive key creation: generate the key pair in one command**
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1

3. Distribute the public key from m01
[oldgirl@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldgirl@172.16.1.8"
The authenticity of host '[172.16.1.8]:52113 ([172.16.1.8]:52113)' can't be established.
RSA key fingerprint is ea:e2:b1:91:af:26:98:18:0c:5c:c4:7b:99:24:8c:9f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.1.8]:52113' (RSA) to the list of known hosts.
oldgirl@172.16.1.8's password: 
Now try logging into the machine, with "ssh '-p 52113 oldgirl@172.16.1.8'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Use the same approach to send the key to 172.16.1.31 and 172.16.1.41.

4. Test
Building on what we set up above, we can use a script to view the IP of every server.
[oldgirl@m01 ~]$ mkdir script
[oldgirl@m01 ~]$ cd script/
[oldgirl@m01 script]$ vi view_ip.sh
[oldgirl@m01 script]$ cat view_ip.sh 
#!/bin/sh
ssh -p52113 oldgirl@172.16.1.8 /sbin/ifconfig eth0
ssh -p52113 oldgirl@172.16.1.31 /sbin/ifconfig eth0
ssh -p52113 oldgirl@172.16.1.41 /sbin/ifconfig eth0

**A more advanced way to write the script**
[oldgirl@m01 script]$ cat view_ip.sh 
#!/bin/sh
# usage check: exactly one argument, the command to run on every host
if [ $# -ne 1 ];then
        echo "USAGE:/bin/sh $0 ARG1"
        exit 1
fi

for n in 8 31 41
do
        echo ===========172.16.1.$n ===========
        ssh -p52113 oldgirl@172.16.1.$n "$1"
done
[oldgirl@m01 script]$ sh view_ip.sh "/sbin/ifconfig eth0 " 
Output is long, so it is not shown here....

On m01, we copy the /etc/hosts file into oldgirl's home directory and then distribute it in batch.

[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<target-ip>:/etc/hosts
scp: /etc/hosts: Permission denied

But... we run into this problem: insufficient permissions......

The three most common ways to implement an SSH scheme in an enterprise:
1. Make the SSH key directly as root
Requirement: root SSH login must be allowed
Drawbacks: poor security, and remote root logins can no longer be forbidden
2. Use sudo privilege escalation so that an unprivileged user can do the copy.
Advantages: relatively safe; the remote root login feature is not needed
Drawbacks: complex, weaker security; anyone can run the commands that carry suid permission.

Configure sudoers
On every virtual machine, run the following commands:
echo "oldgirl ALL=  NOPASSWD: /usr/bin/rsync" >>/etc/sudoers
visudo -c    (check the syntax)

[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<target-ip>:~
Remote sudo (the -t option must be added):
[oldgirl@m01 ~]$ ssh -p52113 -t oldgirl@<target-ip> sudo rsync ~/hosts /etc/hosts

3. Use suid so that an unprivileged user can do the copy.
(For broadening your understanding only; try not to use it in real work.)
Advantages: relatively safe
Drawbacks: complex, weaker security

On m01
[oldgirl@m01 ~]$ scp -P52113 hosts oldgirl@<nfs01-ip>:~    (copy to the home directory first)

On nfs01
[root@nfs01 ~]# chmod u+s /usr/bin/rsync
[root@nfs01 ~]# ls -l `which rsync`
-rwsr-xr-x. 1 root root 414968 Apr 30  2014 /usr/bin/rsync

Back on m01, connect with ssh and run rsync remotely
ssh -p52113 oldgirl@<nfs01-ip> rsync ~/hosts /etc/hosts
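The sudo rule above, `oldgirl ALL= NOPASSWD: /usr/bin/rsync`, lets the account run rsync as root with any source and destination, which is effectively root write access to every file on the box. The script below is an added example, not part of the original post, showing the hardened form for the fixed hosts-file case: the rule is pinned to one exact command line (sudoers matches listed arguments exactly) and is installed as a validated drop-in instead of being appended blindly to /etc/sudoers. It assumes the default `#includedir /etc/sudoers.d` line is present.

```shell
#!/bin/sh
# Added example (not the original post's code): an argument-pinned sudoers rule
# for the "sudo rsync ~/hosts /etc/hosts" step, installed through visudo.
# Assumption: /etc/sudoers contains the default "#includedir /etc/sudoers.d".

# sudoers_rule USER SRC DEST: emit a rule that only permits "rsync SRC DEST" as root.
# sudoers compares the listed arguments exactly, so no other source, destination
# or rsync option can be passed through this rule.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: /usr/bin/rsync %s %s\n' "$1" "$2" "$3"
}

# install_rule USER SRC DEST: write the rule to a temp file, let visudo check it,
# and only then place it in /etc/sudoers.d with the 0440 mode sudo requires.
# (File names in sudoers.d must not contain '.' or '~'; a plain user name is fine.)
install_rule() {
    tmp=$(mktemp) || return 1
    sudoers_rule "$1" "$2" "$3" >"$tmp"
    if visudo -cf "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$1" && rm -f "$tmp"
    else
        echo "refusing to install an invalid sudoers rule" >&2
        rm -f "$tmp"
        return 1
    fi
}

# usage on a target host (as root), matching the post's users and paths:
#   install_rule oldgirl /home/oldgirl/hosts /etc/hosts
```

The remote command `sudo rsync ~/hosts /etc/hosts` still works because the remote shell expands `~/hosts` to `/home/oldgirl/hosts` before sudo compares arguments; the generic fenfa_file2.sh, which takes an arbitrary destination, would need one such rule per permitted destination.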

Following the approach above, we can stack the command lines and write a batch distribution script

[oldgirl@m01 ~]$ cat fenfa_file.sh 
#!/bin/sh
scp -P52113 hosts oldgirl@172.16.1.8:~
ssh -p52113 -t oldgirl@172.16.1.8 sudo rsync ~/hosts /etc/hosts
scp -P52113 hosts oldgirl@172.16.1.31:~
ssh -p52113 -t oldgirl@172.16.1.31 sudo rsync ~/hosts /etc/hosts
scp -P52113 hosts oldgirl@172.16.1.41:~
ssh -p52113 -t oldgirl@172.16.1.41 sudo rsync ~/hosts /etc/hosts

We can also push data with rsync in tunnel mode (over ssh)

[oldgirl@m01 ~]$ rsync -avz hosts -e 'ssh -p 52113' oldgirl@<target-ip>:~ 
sending incremental file list
hosts

sent 86 bytes  received 37 bytes  246.00 bytes/sec
total size is 324  speedup is 2.63

---> incremental
---> encrypted

Extension: write a script that distributes a given file in batch to a specified path

[oldgirl@m01 script]$ cat fenfa_file2.sh
#!/bin/sh
# check that exactly two arguments were passed: the file name and the destination path
if [ $# -ne 2 ];then
        echo "USAGE:/bin/sh $0 ARG1 ARG2"
        exit 1
fi
. /etc/init.d/functions

for n in 8 31 41
do
        scp -P52113 ~/$1 oldgirl@172.16.1.${n}:~ >/dev/null 2>&1 &&\
        ssh -p52113 -t oldgirl@172.16.1.${n} sudo rsync ~/$1 $2 >/dev/null 2>&1
        if [ $? -eq 0 ];then
                action "fenfa hosts 172.16.1.$n" /bin/true
        else
                action "fenfa hosts 172.16.1.$n" /bin/false
        fi
done

Test:
[oldgirl@m01 ~]$ touch test 
[oldgirl@m01 ~]$ sh script/fenfa_file2.sh test /opt
fenfa hosts 172.16.1.8                                     [  OK  ]
fenfa hosts 172.16.1.31                                    [  OK  ]
fenfa hosts 172.16.1.41                                    [  OK  ]
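A hardened rewrite of fenfa_file2.sh, added here as an example and not taken from the original post. It keeps the post's user, port and hosts but adds the ssh options a practitioner wants in unattended scripts: BatchMode so a missing key fails immediately instead of hanging on a password prompt, StrictHostKeyChecking so an unknown host key is refused rather than silently added, and a connect timeout. The DRY_RUN switch, the hosts list and the function names are this example's own assumptions; with DRY_RUN=1 the commands are printed instead of executed so the logic can be checked without any servers.

```shell
#!/bin/sh
# Added example (not the original post's script): hardened batch file distribution.
# Assumptions: same user/port/hosts as the post and the same "sudo rsync" rule
# on every target. DRY_RUN=1 prints the commands instead of running them.
SSH_PORT=52113
SSH_USER=oldgirl
HOSTS="172.16.1.8 172.16.1.31 172.16.1.41"
# BatchMode=yes: never fall back to an interactive password prompt.
# StrictHostKeyChecking=yes: refuse hosts that are not already in known_hosts.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fenfa_one FILE DEST HOST: copy FILE into HOST's home, then install it at DEST
# through the sudo rsync rule (-t is needed while sudoers has requiretty set)
fenfa_one() {
    file=$1 dest=$2 host=$3
    run scp -P "$SSH_PORT" $SSH_OPTS "$file" "$SSH_USER@$host:~" &&
    run ssh -p "$SSH_PORT" $SSH_OPTS -t "$SSH_USER@$host" \
        sudo rsync "~/$(basename "$file")" "$dest"
}

# fenfa_all FILE DEST: distribute to every host, report per host,
# and return non-zero if any host failed (so callers can react to it)
fenfa_all() {
    rc=0
    for h in $HOSTS; do
        if fenfa_one "$1" "$2" "$h"; then
            echo "fenfa $1 -> $h:$2 [ OK ]"
        else
            echo "fenfa $1 -> $h:$2 [ FAILED ]"
            rc=1
        fi
    done
    return $rc
}
```

Invoke it as `fenfa_all /home/oldgirl/hosts /etc/hosts` from a script that sources this file; unlike the original, a failed host changes the exit status instead of only printing a line.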

Batch and automated management solutions for enterprise production:
1. The simplest and most common: ssh key. The most capable option; generally used by small and medium companies, below 50-100 servers.
2. Sina's cfengine/puppet: earlier batch management tools; basically no company uses them any more.
3. Popular at portal scale: puppet, a batch management tool that is complex and heavyweight.
4. saltstack: simple and powerful (though complex to configure); used at Ganji, Xiaomi and some CDN companies.
5. http+cron
Batch management roadmap:
sshkey-->cfengine-->puppet-->saltstack/ansible

Generating keys non-interactively with expect, and batch management in practice

1. Install expect (on the m01 management machine)

[root@m01 ~]# yum install expect -y
[root@m01 ~]# rpm -qa expect       
expect-5.44.1.15-5.el6_4.x86_64

2. Create the user and password on all machines

useradd oldgirl888
echo 123456|passwd --stdin oldgirl888
id oldgirl888
su - oldgirl888

3. Generate the key pair on m01

ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1

4. Distribute the key

ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldgirl888@<target-ip>"
[oldgirl888@m01 ~]$vim fenfa_sshkey.exp
[oldgirl888@m01 ~]$ cat fenfa_sshkey.exp 
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit 1
}

# define variables
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"
# alternative spawns, kept for reference:
# spawn scp /etc/hosts <user>@<host>:/etc/hosts
# spawn scp -P52113 $file <user>@$host:$dir
spawn ssh-copy-id -i $file "-p 52113 oldgirl888@$host"
expect {
        "yes/no"        {send "yes\r";exp_continue}
        "*password"     {send "$password\r"}
}
expect eof

exit -onexit {
    send_user "Oldboy say goodbye to you!\n"
}

# propagate ssh-copy-id's exit status so the calling shell script can check $?
catch wait result
exit [lindex $result 3]

# script usage
# example
# expect fenfa_sshkey.exp file host
# expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.8

This completes the basic non-interactive expect script, but it still has to be called with arguments for every host.

[oldgirl888@m01 ~]$ vim fenfa_sshkey.sh
[oldgirl888@m01 ~]$ cat fenfa_sshkey.sh 
#!/bin/sh
. /etc/init.d/functions
for ip in 8 31 41
do
        expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.$ip >/dev/null 2>&1
        if [ $? -eq 0 ];then
                action "$ip" /bin/true
        else
                action "$ip" /bin/false
        fi
done
This way the key distribution is completed non-interactively.

Extension: install the httpd service on multiple servers in one go:

1. Create the users in batch (here the user creation is typed once and sent to all sessions with the terminal window's send-to-all-channels feature.)

useradd oldboy888
echo 123456|passwd --stdin oldboy888
id oldboy888
echo "oldboy888 ALL=  NOPASSWD: ALL" >>/etc/sudoers
visudo -c 
su - oldboy888

2. Write the scripts

(1) Create the non-interactive expect script:
[oldboy888@m01 ~]$ vim fenfa_sshkey.exp 
[oldboy888@m01 ~]$ cat fenfa_sshkey.exp 
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit 1
}

# define variables
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"
# alternative spawns, kept for reference:
# spawn scp /etc/hosts <user>@<host>:/etc/hosts
# spawn scp -P52113 $file <user>@$host:$dir
spawn ssh-copy-id -i $file "-p 52113 oldboy888@$host"
expect {
        "yes/no"        {send "yes\r";exp_continue}
        "*password"     {send "$password\r"}
}
expect eof

exit -onexit {
    send_user "Oldboy say goodbye to you!\n"
}

# propagate ssh-copy-id's exit status so the calling shell script can check $?
catch wait result
exit [lindex $result 3]

# script usage
# example
# expect fenfa_sshkey.exp file host
# expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.8

(2) Create a folder and write the installation script (here we automate installing httpd):
[oldboy888@m01 ~]$ mkdir scripts
[oldboy888@m01 ~]$ vim scripts/install.sh
[oldboy888@m01 ~]$ cat scripts/install.sh 
#!/bin/sh
# executed on every target via "sudo /bin/bash", so yum runs as root
yum install httpd -y

(3) The batch automated installation script
[oldboy888@m01 ~]$ vim auto_deploy.sh 
[oldboy888@m01 ~]$ cat auto_deploy.sh 
#!/bin/sh
. /etc/init.d/functions
#1. generate the key pair (skip if one exists: ssh-keygen would otherwise prompt to overwrite)
if [ -f ~/.ssh/id_dsa ] || ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1;then
        action "create dsa key pair" /bin/true
else
        action "create dsa key pair" /bin/false
        exit 1
fi
#2. distribute the public key
for ip in 8 31 41
do
        expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 172.16.1.$ip >/dev/null 2>&1
        if [ $? -eq 0 ];then
                action "$ip" /bin/true
        else
                action "$ip" /bin/false
        fi
done
#3. distribute the scripts directory
for n in 8 31 41
do
        scp -P 52113 -rp ~/scripts oldboy888@172.16.1.$n:~
done

#4. install the service
for m in 8 31 41
do 
        ssh -t -p 52113 oldboy888@172.16.1.$m sudo /bin/bash /home/oldboy888/scripts/install.sh
done

**Run it and check the result**
[oldboy888@m01 ~]$ sh -x auto_deploy.sh 
