23. Ansible batch management and maintenance: the basics


Batch management tools: ansible, saltstack, pssh, etc.
1. How a remote server connection works
ssh connection (from the local Xshell prompt):
[d:\~]$ ssh 10.0.0.41
Connecting to 10.0.0.41:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Sun Feb 4 22:37:53 2018 from 10.0.0.253
[root@backup ~]#
[root@backup ~]# cat .ssh/known_hosts
[root@backup ~]#

2. How ssh key authentication works
Key-based authentication (think key and lock): a key pair has to be created in advance. The public key (the lock) is placed on the target server that will be accessed; the private key (the key) stays on the ssh client, or on the server that acts as the client. The private key never leaves the client: whoever holds it can log in as that user on every server that trusts the matching public key, so it is kept with mode 600 and, when it cannot carry a passphrase (as for the unattended automation below), guarded like a password.
A (key) ==> C (lock)
B (key) ==> C (lock)

3. Deploying ssh key authentication
m01 is the management host: 10.0.0.61/24 172.16.1.61/24
04-期中架构-m01-10.0.0.61
D:\vmware_centos\04-期中架构-m01-10.0.0.61
Change the hostname:
[root@oldboyedu-mu ~]# hostname m01
[root@oldboyedu-mu ~]# hostname
m01
[root@oldboyedu-mu ~]# vim /etc/sysconfig/network
[root@oldboyedu-mu ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=m01
Change the IP address:
[root@oldboyedu-mu ~]# sed -i '/IPADDR/s#210$#61#g' /etc/sysconfig/network-scripts/ifcfg-eth*
[root@oldboyedu-mu ~]# sed -n '/IPADDR/p' /etc/sysconfig/network-scripts/ifcfg-eth*
IPADDR=10.0.0.61
IPADDR=172.16.1.61
Restart the network service for the change to take effect:
[root@m01 ~]# /etc/init.d/network restart

The traditional way (password authentication; the host-key prompt appears on the first connection to a host that is not yet in known_hosts):
[root@m01 ~]# ssh 10.0.0.41
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
RSA key fingerprint is 26:4e:2a:45:15:71:4b:80:a3:09:4e:5d:ae:10:a7:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.41' (RSA) to the list of known hosts.
root@10.0.0.41's password:
Last login: Mon Feb 5 12:32:46 2018 from 10.0.0.31
[root@backup ~]#
[root@backup ~]# logout
Connection to 10.0.0.41 closed.
[root@m01 ~]# ssh 10.0.0.41 whoami
root@10.0.0.41's password:
root
[root@m01 ~]# ssh oldboy@10.0.0.41 whoami
oldboy@10.0.0.41's password:
oldboy
[root@m01 ~]#

(1) Generate the key and the lock (private and public key):
The post uses DSA, which always yields a 1024-bit key; OpenSSH 7.0 and later refuse DSA keys by default, so on a current system run ssh-keygen -t ed25519 (or -t rsa -b 4096 on OpenSSH older than 6.5) and keep the rest of the procedure unchanged. Leave the passphrase empty only for keys that automation has to use unattended.
[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
22:4c:b8:e6:18:a6:4a:eb:a5:5d:23:7f:d4:2c:e2:b4 root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| |
| . |
| . . |
| + |
|..o o . S |
|o= + + o |
|o..ooo+ . |
|o = +E.. |
|o+ . .. |
+-----------------+
[root@m01 ~]# ll .ssh/
total 12
-rw------- 1 root root 668 Feb 5 12:41 id_dsa      // private key (mode 600, stays on m01)
-rw-r--r-- 1 root root 598 Feb 5 12:41 id_dsa.pub  // public key
-rw-r--r-- 1 root root 391 Feb 5 12:35 known_hosts // host keys of the servers already connected to

(2) Send the lock (public key) to the backup server and the nfs01 server
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@10.0.0.41 // send the public key to the backup server
root@10.0.0.41's password:
Now try logging into the machine, with "ssh 'root@10.0.0.41'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Test:
[root@m01 ~]# ssh 10.0.0.41 hostname
backup

[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub root@10.0.0.31 // send the public key to the nfs01 server
The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.
RSA key fingerprint is 26:4e:2a:45:15:71:4b:80:a3:09:4e:5d:ae:10:a7:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.31' (RSA) to the list of known hosts.
root@10.0.0.31's password:
Now try logging into the machine, with "ssh 'root@10.0.0.31'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Test:
[root@m01 ~]# ssh 10.0.0.31 hostname
nfs01
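Look at the two host-key prompts above: 10.0.0.31 presents the same RSA fingerprint (26:4e:2a:45:15:71:4b:80:a3:09:4e:5d:ae:10:a7:01) as 10.0.0.41. Two servers sharing one host key were cloned from the same image without regenerating /etc/ssh/ssh_host_*_key, so the known_hosts check can no longer distinguish them, nor distinguish either from anyone else who has that image. The script below is an added example, not part of the original post: it reports keys that occur under more than one host in a known_hosts file. The sample entries it writes are constructed, with placeholder strings instead of real key material.

```shell
#!/bin/sh
# Added example, not from the original post: report host keys that appear
# under more than one host in a known_hosts file. The same RSA fingerprint
# for 10.0.0.41 and 10.0.0.31 in the post means both VMs were cloned from
# one image without regenerating /etc/ssh/ssh_host_*_key. Sample entries
# below are constructed; the key columns are placeholders, not real keys.
set -eu

# Print one line per key seen on more than one host: "keytype key host1,host2".
# Handles plain and marker (@cert-authority / @revoked) lines; hashed
# hostnames (|1|...) are still compared by key, the host column shows the hash.
shared_host_keys() {   # $1 = path to a known_hosts file
    awk '
        /^[[:space:]]*(#|$)/ { next }               # comments and blank lines
        {
            host = $1; type = $2; key = $3
            if (host ~ /^@/) { host = $2; type = $3; key = $4 }   # marker lines
            if (key == "") next                      # malformed line, ignore
            id = type " " key
            if (id in hosts) { hosts[id] = hosts[id] "," host; n[id]++ }
            else            { hosts[id] = host;                n[id] = 1 }
        }
        END { for (id in hosts) if (n[id] > 1) print id " " hosts[id] }
    ' "$1" | sort
}

# Constructed sample: two cloned hosts sharing a key, one host with its own,
# one CA marker line. Written to the path given as $1.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# known_hosts sample (constructed; keys are placeholders, not real keys)
10.0.0.41 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderSharedKeyClonedImage
10.0.0.31 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderSharedKeyClonedImage
10.0.0.51 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAplaceholderUniqueKeyFreshInstall
@cert-authority *.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderCA
EOF
}

# Usage on m01:  shared_host_keys ~/.ssh/known_hosts
# Remediation on each cloned host: remove /etc/ssh/ssh_host_*_key* and restart
# sshd (the CentOS 6 init script regenerates missing keys; newer OpenSSH uses
# `ssh-keygen -A`), then delete the stale lines on m01 with
# `ssh-keygen -R <ip>` and record the new fingerprints.
if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_known_hosts "$f"
    shared_host_keys "$f"        # the two cloned hosts come out on one line
    rm -f "$f"
fi
```

Run it with `demo` to see the constructed case, or point shared_host_keys at the real ~/.ssh/known_hosts on m01 after the ssh-copy-id steps above; anything it prints should be fixed before that key is trusted for automation.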

4. Distributing the key (public key) to servers non-interactively
(3) Send the lock to the backup and nfs01 servers without typing passwords
[root@m01 ~]# ssh 10.0.0.41 mv .ssh/ /tmp/
[root@m01 ~]# ssh 10.0.0.31 mv .ssh/ /tmp/
[root@m01 ~]# ssh 10.0.0.41 mv .ssh/ /tmp/
root@10.0.0.41's password:
[root@m01 ~]# ssh 10.0.0.31 mv .ssh/ /tmp/
root@10.0.0.31's password:
The first two commands ran under key authentication; once .ssh/ (and with it authorized_keys) has been moved away, the next connection falls back to password authentication. The public keys installed earlier are now gone.

[root@m01 ~]# yum install -y sshpass
[root@m01 ~]# rpm -qa sshpass
sshpass-1.06-1.el6.x86_64
// sshpass feeds the password to ssh-family programs (anything speaking the ssh protocol) in place of the interactive prompt. Note that -p puts the password on the command line, where ps and the shell history expose it; sshpass -e (password in the SSHPASS environment variable) or -f (password file) avoids that.
[root@m01 ~]# sshpass -p123456 ssh 10.0.0.41 hostname
backup

Simulating a first connection:
[root@m01 ~]# >.ssh/known_hosts // wipe the known-host records: we now connect without knowing who the remote is!
[root@m01 ~]# sshpass -p123456 ssh 10.0.0.41 hostname
[root@m01 ~]# (no output: ssh shows the host-key yes/no prompt instead of a password prompt; sshpass does not answer it and exits with status 6, "Host public key is unknown")
So you must either confirm the host key interactively:
[root@m01 ~]# ssh 10.0.0.41 hostname
The authenticity of host '10.0.0.41 (10.0.0.41)' can't be established.
RSA key fingerprint is 26:4e:2a:45:15:71:4b:80:a3:09:4e:5d:ae:10:a7:01.
Are you sure you want to continue connecting (yes/no)?
or tell ssh to skip host verification (this also drops the only protection against a man-in-the-middle on first contact, who would then receive the root password; for a fleet, pre-populate known_hosts with verified ssh-keyscan output instead):
[root@m01 ~]# sshpass -p123456 ssh -o StrictHostKeyChecking=no 10.0.0.41 hostname
Warning: Permanently added '10.0.0.41' (RSA) to the list of known hosts.
backup
[root@m01 ~]# sshpass -p123456 ssh -o StrictHostKeyChecking=no 10.0.0.41 hostname
backup

Non-interactive distribution of the key (public key):
Test one:
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@10.0.0.41"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@10.0.0.41'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 10.0.0.41 hostname
backup

Test two:
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@10.0.0.31"
Warning: Permanently added '10.0.0.31' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@10.0.0.31'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]# ssh 10.0.0.31 hostname
nfs01

5. Approach for one-click deployment of an entire site
Task: one-click automated build of the midterm 100-server cluster architecture.
(1) Set up the 5 servers first (kickstart, cobbler unattended installation). Advanced: cloud and virtualisation (openstack, kvm, docker).
(2) Basic Linux tuning and hardening, including the ssh service (can be automated).
(3) Automated key creation (ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa)

(4) Batch key distribution (sshpass or expect automation)
(5) Ansible installation (can be automated).
(6) Automated installation of network services (with ansible).
(Set up a yum repository, build custom rpm packages.)

-P '' sets an empty passphrase and -f the key path. If a key already exists at that path, ssh-keygen still asks whether to overwrite it, so delete the old key first (rm -f ~/.ssh/id_dsa ~/.ssh/id_dsa.pub) to keep the step non-interactive.

The precondition for ansible, as used here, is that m01 can connect to every other server without a password (key authentication).

6. Common batch management tools and use cases: ansible
(1) Ansible overview
Batch management tools include ansible (suitable for up to about 200 hosts), saltstack (suited to more than 200), pssh, etc.; even Xshell can send input to several sessions at once.
Python is a must-know language for operations work.
Ansible is an automation tool written in Python; it works over ssh remote connections. It can do batch system configuration, batch software deployment, batch file copying, batch command execution, and so on.
Official documentation:
http://ansible.com/
https://docs.ansible.com/
http://docs.ansible.com/ansible/latest/intro.html

(2) Ansible characteristics
a. No separate client to install (no agents): it uses the system's own sshd, which acts as the ansible client.
b. No server daemon (no servers).
c. Relies on a large library of modules to implement batch management.
d. Configuration file: /etc/ansible/ansible.cfg

7. Deploying and using ansible
(1) Preparation: establish key authentication from the management host m01 to the other machines (see above).

Generate the key and the lock in one command (it still prompts when a key already exists, as shown):
[root@m01 ~]# ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
Generating public/private dsa key pair.
/root/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
ac:3e:89:7a:1d:e8:9c:c0:42:3a:dc:bb:c4:81:42:4c root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| E |
|o |
| o |
|... . |
|=o.. . S |
|=.+.o .. |
| o *.+.o |
| ..*.+ |
| .+. .. |
+-----------------+
Non-interactive batch key distribution:
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@10.0.0.41"
[root@m01 ~]# sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@10.0.0.31"
Check that it worked:
[root@m01 ~]# ssh 10.0.0.41 hostname
backup
[root@m01 ~]# ssh 10.0.0.31 hostname
nfs01
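The recipe above (section 4 and the one-command restatement here) works, but it has three weak spots that a reviewer would flag: a 1024-bit DSA key that current OpenSSH rejects, -o StrictHostKeyChecking=no, which hands the root password to whatever answers on first contact, and -p123456 on the command line. The script below is an added example, not code from the original post: it keeps the same flow (generate key, handle host keys, push the public key with sshpass, verify) while closing those gaps and restricting the installed key to connections from m01. The environment variable names, MGMT_IP and the key path are assumptions; the targets are the post's backup (10.0.0.41) and nfs01 (10.0.0.31).

```shell
#!/bin/bash
# Added example, not from the original post: non-interactive distribution of
# the management key, with the gaps of the sshpass/StrictHostKeyChecking=no
# recipe closed:
#   - ssh-keygen -t dsa gives a 1024-bit DSA key; OpenSSH 7.0+ refuses it by
#     default. Use ed25519 (OpenSSH 6.5+) or, on CentOS 6 / OpenSSH 5.3 as in
#     the post, rsa with 4096 bits: KEY_TYPE=rsa.
#   - host keys are fetched once with ssh-keyscan, their fingerprints shown
#     for comparison against each VM console, then enforced (yes, not no).
#   - "sshpass -e" reads the password from $SSHPASS instead of the command line.
#   - the public key is installed with authorized_keys options that tie it
#     to m01 and forbid forwarding.
# Assumed (not from the post): MGMT_IP, the variable names, the key path.
set -eu

MGMT_IP=${MGMT_IP:-10.0.0.61}               # m01, the only host allowed to use the key
TARGETS=${TARGETS:-"10.0.0.41 10.0.0.31"}   # backup, nfs01
KEY_TYPE=${KEY_TYPE:-ed25519}
KEY_BITS=${KEY_BITS:-4096}                  # only used for rsa
KEY=${KEY:-$HOME/.ssh/id_$KEY_TYPE}

# Prefix a public-key line with restrictions. Pure string work, testable offline.
restrict_key() {   # $1 = source address, $2 = public key line
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Shell run on each target (as root) with the key line on stdin: creates ~/.ssh
# with safe modes and appends the key only if it is not already present, so
# re-running the distribution never duplicates entries.
REMOTE_INSTALL='umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys
k=$(cat)
grep -qxF -- "$k" ~/.ssh/authorized_keys || printf "%s\n" "$k" >> ~/.ssh/authorized_keys'

generate_key() {
    [ -f "$KEY" ] && return 0              # keep an existing key, never overwrite silently
    if [ "$KEY_TYPE" = rsa ]; then
        ssh-keygen -t rsa -b "$KEY_BITS" -N '' -f "$KEY" -C "mgmt@m01"
    else
        ssh-keygen -t "$KEY_TYPE" -N '' -f "$KEY" -C "mgmt@m01"
    fi
}

# Learn the targets' host keys once and show their fingerprints so the operator
# can compare them with `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on each
# VM console. Two targets with the same fingerprint are clones: fix that first.
pin_host_keys() {
    local scan
    scan=$(mktemp)
    ssh-keyscan -t rsa $TARGETS 2>/dev/null > "$scan"
    ssh-keygen -lf "$scan"
    printf 'Append these to ~/.ssh/known_hosts? [y/N] '; read -r ok
    [ "$ok" = y ] || { rm -f "$scan"; echo "aborted"; exit 1; }
    cat "$scan" >> "$HOME/.ssh/known_hosts"; rm -f "$scan"
}

distribute() {
    : "${SSHPASS:?export SSHPASS with the initial root password}"
    local line h
    line=$(restrict_key "$MGMT_IP" "$(cat "$KEY.pub")")
    for h in $TARGETS; do
        printf '%s\n' "$line" |
            sshpass -e ssh -o StrictHostKeyChecking=yes "root@$h" "$REMOTE_INSTALL"
        # Verify with key auth only; BatchMode forbids any password fallback.
        ssh -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes "root@$h" hostname
    done
}

# Usage on m01:  export SSHPASS='...'; DISTRIBUTE=1 ./distribute-key.sh
if [ "${DISTRIBUTE:-0}" = 1 ]; then
    generate_key; pin_host_keys; distribute
fi
```

The from= option means a stolen copy of id_ed25519 is useless from any address other than m01, and the final ssh with BatchMode=yes is the real test: it fails loudly instead of silently falling back to the password the way the plain `ssh 10.0.0.41 hostname` check above would.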

(2) Install ansible and related modules
[root@m01 ~]# yum install -y ansible
[root@m01 ~]# yum install -y libselinux-python

[root@m01 ~]# rpm -ql ansible|egrep "^/etc/"
/etc/ansible
/etc/ansible/ansible.cfg
/etc/ansible/hosts
/etc/ansible/roles
[root@m01 ~]# tree /etc/ansible/
/etc/ansible/
├── ansible.cfg // ansible configuration file
├── hosts //the inventory of hosts managed by ansible (in groups)
└── roles

[root@backup ~]# yum install -y libselinux-python
[root@nfs01 ~]# yum install -y libselinux-python

[root@m01 ~]# cp /etc/ansible/hosts{,.bak}
[root@m01 ~]# vim /etc/ansible/hosts
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
10.0.0.31
10.0.0.41

(3) Syntax for running a command on many hosts with ansible:
ansible <host group | single IP | domain name> -m command -a 'uptime'
Note: oldboy is the host group name; -m (module) is followed by the module name; -a (arguments) by the command the module runs.
[root@m01 ~]# ansible oldboy -m command -a "hostname"
10.0.0.41 | SUCCESS | rc=0 >>
backup

10.0.0.31 | SUCCESS | rc=0 >>
nfs01

[root@m01 ~]# ansible oldboy -m command -a "yum install -y cowsay"

[root@m01 ~]# cowsay "hello" // not installed on m01 itself, which is not in the group
-bash: cowsay: command not found
[root@backup ~]# cowsay "hello"
[root@nfs01 ~]# cowsay "hello"
_______
< hello >
-------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
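The inventory above lives in the package-wide /etc/ansible/hosts; once there is more than one group or more than one key, a per-project directory with its own ansible.cfg is easier to keep under version control. The script below is an added example, not part of the original post: it writes such a layout for the two hosts managed here (the key path and forks value are assumptions) and includes a small reader for INI groups so the generated inventory can be checked without ansible installed. It also shows the idempotent module form of the cowsay install, in place of `-m command -a "yum install -y cowsay"`.

```shell
#!/bin/sh
# Added example, not from the original post: a per-project Ansible layout for
# the hosts the post manages, generated by a script so the setup is repeatable,
# plus a small INI-group reader used to sanity-check it. Assumed (not from the
# post): the private key path and the forks value.
set -eu

write_inventory() {   # $1 = project directory
    cat > "$1/hosts" <<'EOF'
# Hosts managed from m01; group name as in the post
[oldboy]
10.0.0.31
10.0.0.41

# nfs01 and backup as groups of their own, so a play can target one role
[nfs]
10.0.0.31

[backup]
10.0.0.41
EOF
}

write_config() {   # $1 = project directory
    cat > "$1/ansible.cfg" <<'EOF'
[defaults]
inventory = ./hosts
remote_user = root
private_key_file = ~/.ssh/id_ed25519
# True is the default. Tutorials often set False to silence first-connection
# prompts; that disables host authentication for every run. Record the host
# keys in known_hosts instead.
host_key_checking = True
forks = 10
EOF
}

# List the hosts of one INI group (plain host lines only; ranges and
# "key=value" vars are not parsed). Enough to verify the generated file.
group_hosts() {   # $1 = inventory file, $2 = group name
    awk -v want="[$2]" '
        /^[[:space:]]*(#|;|$)/ { next }             # comments and blank lines
        /^\[/ { in_group = ($1 == want); next }     # section header
        in_group { print $1 }
    ' "$1"
}

# Usage: ./ansible-setup.sh setup /srv/ansible-oldboy
# Ad-hoc checks from inside that directory (the yum module form is idempotent,
# unlike `-m command -a "yum install -y cowsay"` from the post):
#   ansible oldboy -m ping
#   ansible oldboy -m command -a hostname
#   ansible oldboy -m yum -a "name=cowsay state=present"
if [ "${1:-}" = setup ]; then
    dir=${2:-$PWD/ansible-oldboy}
    mkdir -p "$dir"; write_inventory "$dir"; write_config "$dir"
    group_hosts "$dir/hosts" oldboy
    if command -v ansible >/dev/null 2>&1; then
        (cd "$dir" && ansible oldboy -m ping)
    fi
fi
```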

posted @ 2018-02-05 17:03  bkycrmn