Web集群之SSH批量管理
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Web集群之SSH批量管理相关的知识,希望对你有一定的参考价值。
1、什么是SSH批量管理
在管理机产生公钥和私钥,然后把自己的公钥推送给需要被管理的服务器,然后就可以通过scp和ssh命令,无需输入密码即可管理
锁=公钥,钥匙=私钥
企业里实现ssh方案:
1)直接root ssh key。
条件:系统允许root使用ssh
2)sudo提权来实现没有权限用户拷贝
实验环境:
hostname | ip | 描述 |
---|---|---|
m01 | 172.16.1.61 | 管理机 |
web01 | 172.16.1.7 | 被管理 |
nfs | 172.16.1.31 | 被管理 |
backup | 172.16.1.41 | 被管理 |
所有机器系统环境统一
[[email protected] /]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[[email protected] /]# uname -r
3.10.0-862.el7.x86_64
1.1 所有的服务器创建普通用户及密码
useradd xiaoli
echo "123456" |passwd --stdin xiaoli
id xiaoli
su - xiaoli #<==统一切换到xiaoli用户
1.2 m01产生密钥
#使用xiaoli用户来创建私钥,并且分发公钥
[[email protected] ~]$ ssh-keygen -t dsa #<==生成私钥(一路回车)
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoli/.ssh/id_dsa):
Created directory ‘/home/xiaoli/.ssh‘. #<==私钥存放的目录
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoli/.ssh/id_dsa.
Your public key has been saved in /home/xiaoli/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:/UtUhhM++KSQH9OgJyP+MCRz+LhdYfRt/r6384aVLzU [email protected]
The key‘s randomart image is:
+---[DSA 1024]----+
| . . . |
| . . + * o |
| + + O * X o |
| O o O O = |
| . = S + + .|
| o = o . Eo|
| . . . o .+o|
| . oo.+|
| . o*=|
+----[SHA256]-----+
[[email protected] ~]$ pwd
/home/xiaoli
[[email protected] ~]$ ls .ssh/
id_dsa id_dsa.pub
[[email protected] ~]$ ll .ssh/
total 8
-rw------- 1 xiaoli xiaoli 672 Nov 5 20:57 id_dsa #<==私钥
-rw-r--r-- 1 xiaoli xiaoli 600 Nov 5 20:57 id_dsa.pub #<==公钥
1.3 管理机分发公钥给客户端
管理机推送公钥给backup
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host ‘172.16.1.41 (172.16.1.41)‘ can‘t be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘[email protected]‘"
and check to make sure that only the key(s) you wanted were added.
#backup上查看是否收到公钥
[[email protected] ~]$ ls .ssh/authorized_keys
.ssh/authorized_key
#配置文件默认就是.ssh/authorized_key这个文件名,是由/etc/ssh/sshd_config这个配置文件所定义
[[email protected] backup]$ grep authorized_keys /etc/ssh/sshd_config |egrep -v "^#"
AuthorizedKeysFile .ssh/authorized_keys
管理机推送公钥给nfs
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host ‘172.16.1.31 (172.16.1.31)‘ can‘t be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘[email protected]‘"
and check to make sure that only the key(s) you wanted were added.
#nfs上查看是否收到公钥
[[email protected] ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov 5 21:16 authorized_keys
管理机推送公钥给web01
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_dsa.pub"
The authenticity of host ‘172.16.1.7 (172.16.1.7)‘ can‘t be established.
ECDSA key fingerprint is SHA256:9mwPu7qxdn4iuw1GFz5nXmBdpXKRoj0D8dhDo6sp9XQ.
ECDSA key fingerprint is MD5:d2:35:47:86:60:b5:97:16:3f:26:4c:91:78:3a:02:2a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘[email protected]‘"
and check to make sure that only the key(s) you wanted were added.
#web01查看是否收到公钥
[[email protected] ~]$ ls -l .ssh/
total 4
-rw------- 1 xiaoli xiaoli 600 Nov 5 21:20 authorized_keys
1.4 管理机实现批量获取参数
单独查看某一台客户端IP地址,如果端口号为22,就不需要加-p
[[email protected] ~]$ ssh [email protected] /sbin/ifconfig ens33
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.31 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::7ef6:6b6b:fba4:c66c prefixlen 64 scopeid 0x20<link>
inet6 fe80::f15a:916:1ee7:65e9 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:20:de:ec txqueuelen 1000 (Ethernet)
RX packets 68059 bytes 50182137 (47.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32722 bytes 6712416 (6.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#我们可以发现这时执行ssh就不需要输入密码
创建脚本查看三台客户端的IP地址
[[email protected] ~]$ mkdir seripts
[[email protected] ~]$ cd seripts
[[email protected] seripts]$ cat view_ip.sh
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
ssh ${User}@${Ip[$i]} /sbin/ifconfig ens33
done
#执行脚本
[[email protected] seripts]$ sh view_ip.sh
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.7 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::7ef6:6b6b:fba4:c66c prefixlen 64 scopeid 0x20<link>
inet6 fe80::b85a:6444:fdc7:90ef prefixlen 64 scopeid 0x20<link>
inet6 fe80::f15a:916:1ee7:65e9 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:32:88:be txqueuelen 1000 (Ethernet)
RX packets 11633 bytes 2805754 (2.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6003 bytes 1047269 (1022.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.31 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::7ef6:6b6b:fba4:c66c prefixlen 64 scopeid 0x20<link>
inet6 fe80::f15a:916:1ee7:65e9 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:20:de:ec txqueuelen 1000 (Ethernet)
RX packets 68065 bytes 50182545 (47.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32726 bytes 6712704 (6.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.41 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::7ef6:6b6b:fba4:c66c prefixlen 64 scopeid 0x20<link>
inet6 fe80::b85a:6444:fdc7:90ef prefixlen 64 scopeid 0x20<link>
inet6 fe80::f15a:916:1ee7:65e9 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:21:a4:2a txqueuelen 1000 (Ethernet)
RX packets 123357 bytes 15582283 (14.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 130534 bytes 11862139 (11.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
上面结果为成功标志!连接所有机器,不提示密码直接可以操作
1.5 scp实现批量下发文件
每台服务器root权限下实施sudo
#切换到root用户,给xiaoli用户赋予有rsync的命令执行权限
echo "xiaoli ALL=(ALL) NOPASSWD:/usr/bin/rsync ">>/etc/sudoers
visudo -c
将/etc/hosts文件拷贝到家目录(xiaoli),并修改hosts文件内容
[[email protected] ~]$ cp /etc/hosts .
[[email protected] ~]$ tail -5 hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################
使用脚本批量分发hosts文件
[[email protected] ~]$ cat seripts/fenfa_file.sh
#!/bin/sh
User=xiaoli
Ip=(
172.16.1.7
172.16.1.31
172.16.1.41
)
for ((i=0;i<${#Ip[*]};i++))
do
scp ~/hosts ${User}@${Ip[$i]}:~
ssh -t ${User}@${Ip[$i]} sudo rsync ~/hosts /etc/hosts
done
#运行批量分发脚本
[[email protected] seripts]$ sh fenfa_file.sh
hosts 100% 268 245.5KB/s 00:00
Connection to 172.16.1.7 closed.
hosts 100% 268 47.6KB/s 00:00
Connection to 172.16.1.31 closed.
hosts 100% 268 295.1KB/s 00:00
Connection to 172.16.1.41 closed.
客户端查看结果
#以backup客户端为例展示结果:
[[email protected] ~]$ tail -5 /etc/hosts
172.16.1.7 web01
172.16.1.41 backup
172.16.1.31 nfs
172.16.1.51 m01
################2018-11-5################
扩展:使用rsync通道模式,实现增量、加密
[[email protected] ~]$ rsync -avz hosts -e ‘ssh -p 22‘ [email protected]
sending incremental file list
hosts
sent 214 bytes received 35 bytes 498.00 bytes/sec
total size is 268 speedup is 1.08
以上是关于Web集群之SSH批量管理的主要内容,如果未能解决你的问题,请参考以下文章