主要内容:
1.非交互式SSH密钥认证(一键创建秘钥,一键发送秘钥)
2.批量创建、发送、验证秘钥认证
3.ansible使用指南
4.Ansible inventory 主机清单
5.ansible模块清单
一、非交互式SSH密钥认证
1.非交互式创建密钥
命令:ssh-keygen
参数:-P 指定私钥的密码短语(-P '' 表示空口令:私钥文件一旦泄露,拿到它的人即可直接登录所有目标主机;生产环境建议设置口令并配合 ssh-agent 使用)
-f 指定私钥保存路径(公钥为同名的 .pub 文件)
-t 指定密钥类型(注意:DSA 固定为 1024 位,OpenSSH 7.0 起服务端默认不再接受 ssh-dss 密钥,新环境应使用 -t ed25519)
[root@m01 ~]# ll .ssh/
total 0
[root@m01 ~]# ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:zCQ8DZKOadzwVoWbaLA00xe1bSziLlC3JbSG+QyJjB4 root@m01
The key's randomart image is:
+---[DSA 1024]----+
| ...+=o |
| o*.oB++ + |
|.Eo%*+Xo* + |
|. B.BBo@ o |
| o.o = S |
| . . |
| . . |
| . |
| |
+----[SHA256]-----+
[root@m01 ~]# ll .ssh/
total 8
-rw------- 1 root root 668 May 28 19:06 id_dsa
-rw-r--r-- 1 root root 598 May 28 19:06 id_dsa.pub
2.非交互式发送公钥
命令:ssh-copy-id(安全提示:下面示例里 sshpass -p 把口令直接写在命令行上,本机任何用户都能通过 ps 或 shell 历史看到,应改用 sshpass -e 从环境变量 SSHPASS 读取,或 -f 从仅本人可读的文件读取;-o StrictHostKeyChecking=no 会无条件接受首次连接到的主机密钥,首次分发时的口令和公钥可能被中间人截获,应事先通过可信渠道把目标主机密钥写入 known_hosts 后去掉该选项)
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i ~/.ssh/id_dsa.pub 172.16.1.41 -o StrictHostKeyChecking=no
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
[root@m01 ~]# ssh 172.16.1.41
Last login: Tue May 28 16:33:09 2019 from 172.16.1.61
[root@backup ~]#
二、编写脚本批量创建、分发、测试密钥
1.脚本编写:
[root@m01 ~]# vim /server/scripts/fengfa-pub.sh
#!/bin/bash
# Truncated vim view of /server/scripts/fengfa-pub.sh (cut at the vim status line);
# the complete script is listed again below. Generates an SSH key pair, pushes the
# public key to every host in /server/scripts/ip.txt, then checks the login.
source /etc/init.d/functions
# NOTE(review): this wipes *everything* under ~/.ssh on the management host
# (known_hosts, authorized_keys, any other identities), not just the old key pair.
rm -f ~/.ssh/*
# make key pair
# NOTE(review): 1024-bit DSA is rejected by default by OpenSSH >= 7.0 servers, and
# -P '' gives the key no passphrase, so the private-key file alone grants root on
# every target; `-t ed25519` with a passphrase is the recommended replacement.
echo "-----------------Start Secret Key --------------------"
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P '' &>/dev/null
# Only an exit status of exactly 1 is treated as failure; other non-zero codes
# would be reported as success.
if (($?==1))
then
action "Secret key creation failed!" /bin/false
else
action "Secret key creation success" /bin/true
fi
echo "-----------------End Secret Key --------------------"
echo ""
# distribute the public key (one host per word in ip.txt; unquoted expansion)
for ip in `cat /server/scripts/ip.txt`
do
echo "---------------Sent START to host $ip----------------"
# NOTE(review): the password on the command line is visible to all local users via
# `ps` and the shell history (use `sshpass -e`/`-f`), and StrictHostKeyChecking=no
# accepts any host key on first contact, so a MITM could capture both the password
# and the new public key.
sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub $ip -o StrictHostKeyChecking=no &>/dev/null
if (($?==1))
(以上是 vim 编辑界面的截图文本,在第二个 if 处被 vim 状态栏截断;完整脚本如下)
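#!/bin/bash
# fengfa-pub.sh: generate an SSH key pair on the management host, push the
# public key to every host listed in /server/scripts/ip.txt (one host per
# line; blank lines and lines starting with '#' are skipped), then verify
# that key-based login works by running `hostname` on each host.
#
# Environment:
#   SSHPASS   password for the initial ssh-copy-id login. Read by `sshpass -e`
#             so it is not passed on the command line, where `sshpass -p`
#             exposes it to every local user via `ps` and the shell history.
# Exit status: 1 if the key pair cannot be generated; otherwise 0 (per-host
#              failures are reported with action() but do not abort the loop,
#              as in the original script).
# Requires: ssh-keygen, ssh-copy-id, sshpass, /etc/init.d/functions (RHEL/CentOS).
#
# No `set -e`: /etc/init.d/functions and action() are not written for strict
# mode, and per-host failures are meant to be reported rather than fatal;
# every command whose status matters is checked explicitly below.
source /etc/init.d/functions

key_file="$HOME/.ssh/id_dsa"
host_list=/server/scripts/ip.txt

# Fail early with a clear message instead of embedding the password in the script.
: "${SSHPASS:?set SSHPASS in the environment (the password is no longer hard-coded)}"
export SSHPASS

# Remove only the key pair that is about to be regenerated. The original
# `rm -f ~/.ssh/*` also deleted known_hosts, authorized_keys and every other
# identity under ~/.ssh on the management host.
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
rm -f -- "$key_file" "$key_file.pub"

echo "-----------------Start Secret Key --------------------"
# NOTE(review): 1024-bit DSA is rejected by default by OpenSSH >= 7.0 servers,
# and the empty passphrase (-P '') makes the private-key file alone sufficient
# to log in as root on every target; `-t ed25519` plus a passphrase and
# ssh-agent is the recommended replacement. Kept here to match the tutorial.
# Testing the command directly (instead of `(($?==1))`) also catches the other
# non-zero exit codes ssh-keygen can return.
if ssh-keygen -t dsa -f "$key_file" -P '' &>/dev/null; then
  action "Secret key creation success" /bin/true
else
  action "Secret key creation failed!" /bin/false
  exit 1
fi
echo "-----------------End Secret Key --------------------"
echo ""

# Read the host list into an array up front: ssh/ssh-copy-id inside a
# `while read` loop would otherwise consume the rest of the list from stdin.
mapfile -t hosts < "$host_list"

for ip in "${hosts[@]}"; do
  [[ -z "$ip" || "$ip" == \#* ]] && continue

  # --- distribute the public key ---
  echo "---------------Sent START to host $ip----------------"
  # NOTE(review): StrictHostKeyChecking=no accepts whatever host key answers on
  # first contact, so an attacker on the path can capture SSHPASS and the public
  # key. Pre-populate ~/.ssh/known_hosts over a trusted channel and drop the
  # option when this runs outside a lab.
  if sshpass -e ssh-copy-id -i "$key_file.pub" -o StrictHostKeyChecking=no "$ip" &>/dev/null; then
    action "host $ip Send success" /bin/true
  else
    action "host $ip Send failed!" /bin/false
  fi
  echo "----------------End START to host $ip----------------"
  echo ""

  # --- verify key-based login ---
  echo "-----------------connect START host $ip--------------"
  # Capture ssh's output in its own assignment so the status tested is ssh's:
  # the original `echo "hostname:" \`ssh $ip hostname\`` always tested echo's
  # exit code, so "connect success" was printed even when ssh failed.
  # BatchMode=yes stops ssh from falling back to a password prompt, so this
  # only succeeds if the newly installed key is actually accepted.
  if remote_name=$(ssh -o BatchMode=yes "$ip" hostname); then
    echo "hostname: $remote_name"
    action "host $ip connect success" /bin/true
  else
    echo "hostname:"
    action "host $ip connect failed!" /bin/false
  fi
  echo "----------------Connect END host $ip-----------------"
  echo ""
  echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
done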
2.执行脚本:
[root@m01 ~]# sh /server/scripts/fengfa-pub.sh
-----------------Start Secret Key --------------------
Secret key creation success [ OK ]
-----------------End Secret Key --------------------
---------------Sent START to host 172.16.1.7----------------
host 172.16.1.7 Send success [ OK ]
----------------End START to host 172.16.1.7----------------
-----------------connect START host 172.16.1.7--------------
hostname: web01
host 172.16.1.7 connect success [ OK ]
----------------Connect END host 172.16.1.7-----------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------Sent START to host 172.16.1.41----------------
host 172.16.1.41 Send success [ OK ]
----------------End START to host 172.16.1.41----------------
-----------------connect START host 172.16.1.41--------------
hostname: backup
host 172.16.1.41 connect success [ OK ]
----------------Connect END host 172.16.1.41-----------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
---------------Sent START to host 172.16.1.31----------------
host 172.16.1.31 Send success [ OK ]
----------------End START to host 172.16.1.31----------------
-----------------connect START host 172.16.1.31--------------
hostname: nfs01
host 172.16.1.31 connect success [ OK ]
----------------Connect END host 172.16.1.31-----------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
三、ansible使用指南:
1.前提:在管理机上配置好密钥认证并把公钥分发到所有被管理主机(这把私钥可以以 root 身份登录全部被管理主机,管理机本身及其 ~/.ssh 目录必须严格保护)
2.ansible文件:
/etc/ansible
/etc/ansible/ansible.cfg:配置文件
/etc/ansible/hosts:主机清单(被管理的服务器列表)
/etc/ansible/roles
3.ansible命令及参数
参数:
-m 指定模块
-a 模块中的命令或参数
4.命令的书写方式(目标主机或主机组必须已经在/etc/ansible/hosts 中配置,ansible 只对清单里的主机执行)
(1)ansible oldboy -m command -a 'hostname':对 /etc/ansible/hosts 中 oldboy 组内的所有主机执行 hostname
[root@m01 ~]# ansible oldboy -m command -a 'hostname'
172.16.1.41 | CHANGED | rc=0 >>
backup
172.16.1.31 | CHANGED | rc=0 >>
nfs01
172.16.1.7 | CHANGED | rc=0 >>
web01
(2)ansible oldboy -a 'hostname':默认为command模块 可以不加
[root@m01 ~]# ansible oldboy -a 'hostname'
172.16.1.7 | CHANGED | rc=0 >>
web01
172.16.1.31 | CHANGED | rc=0 >>
nfs01
172.16.1.41 | CHANGED | rc=0 >>
backup
(3)ansible 172.16.1.41 -a 'hostname':只对单个主机执行
[root@m01 ~]# ansible 172.16.1.41 -a 'hostname'
172.16.1.41 | CHANGED | rc=0 >>
backup
(4)ansible all -a 'hostname':对 /etc/ansible/hosts 中的所有主机执行
[root@m01 ~]# ansible all -a 'hostname'
172.16.1.41 | CHANGED | rc=0 >>
backup
172.16.1.7 | CHANGED | rc=0 >>
web01
172.16.1.31 | CHANGED | rc=0 >>
nfs01
5.颜色
(1)绿色:成功,对方服务器没有发生修改
(2)黄色:成功 修改内容(修改成功)
(3)红色:报错
(4)紫色:warning 警告
四、Ansible inventory 主机清单
里面存放可以被批量管理的主机列表;ansible 只会对清单中列出的主机执行操作
[root@m01 ~]# tail -5 /etc/ansible/hosts
## db-[99:101]-node.example.com
[oldboy]
172.16.1.7
172.16.1.41
172.16.1.31
五、ansible模块清单(ad-hoc模式常用的模块)
1.command:命令模块
默认模块,直接在远端执行命令而不经过 shell,因此管道、重定向、变量替换、通配符等 shell 特殊符号都不会被解释。这也使 command 模块比 shell 模块更不容易受参数中混入 shell 元字符的影响,能用 command 完成的操作优先使用 command
[root@m01 ~]# ansible 172.16.1.41 -a 'hostname -I'
172.16.1.41 | CHANGED | rc=0 >>
10.0.0.41 172.16.1.41
[root@m01 ~]# ansible 172.16.1.41 -a 'hostname -I |awk '{peint $NF}''
ERROR! Extraneous options or arguments
2.shell模块:如果需要管道、重定向等 shell 特性可以使用 shell 模块(上面的报错除了 command 不支持管道之外,还因为 awk 的单引号嵌套在 -a 的单引号里把参数截断了,另外 peint 应为 print)。shell 模块会把 -a 的内容整体交给远端 /bin/sh 解释,不要把不受信任的变量直接拼接进去。下例中的 -f 50 表示并发执行的进程数
[root@m01 ~]# ansible 172.16.1.41 -m shell -a "ifconfig|grep eth0" -f 50
172.16.1.41 | CHANGED | rc=0 >>
eth0: flags=4163 mtu 1500
3.copy 复制模块:将批量管理服务器的东西推送到其他服务器上
src= 源(文件从哪里来)
dest= 远端(文件到哪里去)
owner= 所有者
group= 所属组
backup=(yes/no) 是否备份
mode=权限
content=""将引号中的内容写入目标文件
与src冲突 不能一起使用
注意是覆盖写入而不是追加:目标文件原有内容会先被清空再写入新内容
[root@m01 ~]# ansible 172.16.1.41 -m copy -a 'src=/etc/hostname dest=/tmp/'
172.16.1.41 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f434396716e2c9aed47cfde87c491cce5a2c08fa",
"dest": "/tmp/hostname",
"gid": 0,
"group": "root",
"md5sum": "318d7defb693a2eb0d4f1a7a96575a57",
"mode": "0644",
"owner": "root",
"size": 4,
"src": "/root/.ansible/tmp/ansible-tmp-1559047657.14-59898274981816/source",
"state": "file",
"uid": 0
}
[root@m01 ~]# ansible 172.16.1.41 -a 'cat /tmp/hostname'
172.16.1.41 | CHANGED | rc=0 >>
m01
4.script:脚本模块(先把本地脚本传输到远端,再执行脚本)。脚本以 ansible 连接用户(这里是 root)的权限在每台目标主机上运行,分发前务必审查脚本内容
1.创建脚本文件
[root@m01 ~]# vim script.sh
#!/bin/bash
# Pushed to every target with `ansible all -m script`: installs cowsay from the
# configured yum repositories without prompting for confirmation.
yum -y install cowsay
2.利用ansible批量安装
[root@m01 ~]# ansible all -m script -a '/root/script.sh'
3.查看是否安装成功
[root@m01 ~]# ansible all -a 'animalsay check'
172.16.1.41 | CHANGED | rc=0 >>
_______
< check >
-------
\
\
\
___ _____ ___
/ \ / /| / \
| | / / | | |
| | /____/ | | |
| | | | | | |
| | | {} | / | |
| | |____|/ | |
| | |==| | |
| \___________/ |
| |
| |
5.yum :安装软件模块
name 指定要安装的软件包名称
state 指定 yum 的动作:installed / present 安装软件包(默认值)
removed / absent 移除软件包
latest 安装或更新到仓库中的最新版本
[root@m01 ~]# ansible all -m yum -a 'name=cowsay state=present'
172.16.1.7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"msg": "",
"rc": 0,
"results": [
"cowsay-3.04-4.el7.noarch providing cowsay is already installed"
]
}
172.16.1.31 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"msg": "",
"rc": 0,
"results": [
"cowsay-3.04-4.el7.noarch providing cowsay is already installed"
]
}
172.16.1.41 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"msg": "",
"rc": 0,
"results": [
"cowsay-3.04-4.el7.noarch providing cowsay is already installed"
]
}
由于 cowsay 已经安装,所以 changed 为 false,没有重新安装(yum 模块是幂等的,重复执行不会改变已满足的状态)
6.file 文件配置模块:相当于 touch mkdir ln rm
path:指定远程主机的目录或文件信息
state:目标状态,取值如下
directory:在远端创建目录
touch:在远端创建文件
link:软连接
absent:删除文件或目录
[root@m01 ~]# ansible 172.16.1.41 -m file -a 'path=/tmp/a/b/c state=directory'
172.16.1.41 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 0,
"group": "root",
"mode": "0755",
"owner": "root",
"path": "/tmp/a/b/c",
"size": 6,
"state": "directory",
"uid": 0
}
[root@m01 ~]# ansible 172.16.1.41 -m file -a 'path=/tmp/a/b/c/ylz.txt state=touch'
172.16.1.41 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dest": "/tmp/a/b/c/ylz.txt",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"size": 0,
"state": "file",
"uid": 0
}
[root@m01 ~]# ansible 172.16.1.41 -a 'tree /tmp/a'
172.16.1.41 | CHANGED | rc=0 >>
/tmp/a
└── b
└── c
└── ylz.txt
2 directories, 1 file
7.service 服务模块
name:定义要启动服务的名称
state:目标状态,取值如下
started 启动服务
stopped 停止服务
restarted 重启服务
reloaded 重新加载配置(平滑重启服务)
enabled:开机自启(yes/no)
8.user 模块
name:用户名
uid:指定用户的uid
group:指定用户组名称
groups:添加用户附属组
password:设置用户口令。注意必须传入已经哈希过的口令(例如用 mkpasswd --method=sha-512 或 ansible 的 password_hash('sha512') 过滤器生成的 crypt 串),模块会把该值原样写入 /etc/shadow,传明文会导致用户无法登录;同时不要把口令明文写在命令行或 playbook 中,应使用 ansible-vault 加密
shell:指定用户的登录shell
create_home:是否创建家目录
[root@m01 ~]# ansible 172.16.1.41 -m group -a 'name=oldgirl gid=1111 state=present'
172.16.1.41 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 1111,
"name": "oldgirl",
"state": "present",
"system": false
}
[root@m01 ~]# ansible 172.16.1.41 -m user -a 'name=oldgirl uid=1111 group=oldgirl shell=/sbin/nologin create_home=no'
172.16.1.41 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": false,
"group": 1111,
"home": "/home/oldgirl",
"name": "oldgirl",
"shell": "/sbin/nologin",
"state": "present",
"system": false,
"uid": 1111
}
[root@m01 ~]# ansible 172.16.1.41 -a 'grep oldgirl /etc/passwd'
172.16.1.41 | CHANGED | rc=0 >>
oldgirl:x:1111:1111::/home/oldgirl:/sbin/nologin
[root@m01 ~]#