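SSHD Service and NFS Service
1 SSHD Service
1.1 Introduction
SSH (Secure Shell) is a security protocol built on top of the application and transport layers.
- Use 1: it is a service protocol for connecting to Linux systems remotely, commonly used to transfer data in encrypted form.
- Use 2: it is much safer than the older approach of transferring files with telnet, because telnet transmits in plaintext while ssh encrypts the traffic.
- Use 3: the sshd service uses the SSH protocol for remote control or for transferring files between computers.
The SSH protocol uses port 22 by default. The port can usually be changed, or extra ports added. The configuration file is /etc/ssh/sshd_config, and editing it changes the sshd service settings.
1.2 SSH configuration files
/etc/ssh/ssh_config   #client configuration file
/etc/ssh/sshd_config   #server configuration file
1.3 Installing the SSH service (already installed by default and enabled at boot)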
╭─root@localhost.localdomain ~  
╰─➤  yum -y install openssh openssh-clients openssh-server openssh-askpass
1.4 Connecting to a remote server
Syntax: ssh [remote-user]@remote-host-ip
Step 1: connect over ssh (make sure the host can be pinged)
Method 1: ssh root@192.168.80.4
Method 2: ssh 192.168.80.4
╭─root@localhost.localdomain ~  
╰─➤  ssh 192.168.80.4              
The authenticity of host '192.168.80.4 (192.168.80.4)' can't be established.
ECDSA key fingerprint is SHA256:m+YjLnd/Q27EtPXBv+ZkEawNSjcgcExVmGZCFC6M0v8.
ECDSA key fingerprint is MD5:2c:8c:34:b9:0c:00:5f:41:9e:f8:03:bf:ce:50:de:27.
Are you sure you want to continue connecting (yes/no)? yes  #type yes
Warning: Permanently added '192.168.80.4' (ECDSA) to the list of known hosts.
root@192.168.80.4's password:      #enter the password
Last login: Sun Jun  2 13:42:47 2019 from 192.168.80.1
╭─root@localhost.localdomain ~  
╰─➤  ip a                                                                   
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:2e:d0:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.4/24 brd 192.168.80.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5e15:9431:4cf4:2bd5/64 scope link 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000
    link/ether 52:54:00:8f:de:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000
    link/ether 52:54:00:8f:de:b3 brd ff:ff:ff:ff:ff:ff
Step 2: log out of the remote server
╭─root@localhost.localdomain ~  
╰─➤  exit
Connection to 192.168.80.4 closed.
╭─root@localhost.localdomain ~  
╰─➤  ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:7f:e5:12 brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.3/24 brd 192.168.80.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe7f:e512/64 scope link 
       valid_lft forever preferred_lft forever
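1.5 Passwordless login across a cluster with sshpass
#Install sshpass
[root@kubeadm ~]# yum install -y sshpass
#Generate a key pair
[root@kubeadm ~]# ssh-keygen
#List the hosts to be set up for passwordless login
[root@kubeadm ~]# vim host.txt
[root@kubeadm ~]# cat host.txt
root 192.168.75.10 root
root 192.168.75.11 root
root 192.168.75.12 root
#Write the script
[root@kubeadm ~]# vim ssh_all.sh
[root@kubeadm ~]# cat ssh_all.sh
#!/bin/bash
# host.txt holds three fields per line; the second is the address and the third the password.
# The local public key is copied to each address in turn.
cat host.txt | while read -r hostname ipaddr passwd
do
    sshpass -p "$passwd" ssh-copy-id "$ipaddr"
done
#Tune the ssh client configuration
[root@kubeadm ~]# vim /etc/ssh/ssh_config
[root@kubeadm ~]# cat /etc/ssh/ssh_config | grep -A2 "the end of"
#Add at the end of the file
        StrictHostKeyChecking no    #do not ask for yes/no confirmation on hosts ssh has never connected to, so the prompt cannot block sshpass; new host keys are then accepted without verification
#Run the script
[root@kubeadm ~]# bash ssh_all.sh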
1.6 Passwordless login between all machines in the cluster
1. Generate a key pair
[root@master ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:OP8oYKbm4QB9QtDW1t9IHDCT0SLLSB8I4X0Qw/z1HJw root@master
The key's randomart image is:
+---[RSA 2048]----+
|++o*..=*o..      |
|..*oB +++E       |
| +.*.=.+oo.      |
| o. =. .oo.      |
|. o . o S        |
|.  o+  o         |
|. .+ .  .        |
| oo.  .  o       |
| oo    .. .      |
+----[SHA256]-----+
[root@master ~]# ls /root/.ssh/
id_rsa  id_rsa.pub
#id_rsa: private key
#id_rsa.pub: public key
2. Transfer the public key
[root@master ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwnSCAxrfOjzwYAtZQoUmavRFLnsAXUq958u3A37TkrOmLPkP39c2wMVy3K12PpqUjUNJyZcPg4TC3FvsSasMk6DM3neCnzu1795rUWDGLJxjha+OpWEuzB0E043Z4N2c3pKd/j44ktiVQoV/5weA35kty1DymRwhmqN5gFh57eRxepfEMLRvaED8pJRGucqKYxnl7uIBMPWjPiWZ3YzKXnC3O5N3Q2FkSWQWmG6J4qV8FjrqfplWf4RjMPxeeG0o2vddnJ2jqn7ZfuBQP6Px7JupqmBVjcX8fiU9RcOptmododnhn/yMwLVTlZs7JfSf2vPEI512cqfiH7JJYYKEh root@master
[root@master ~]#
[root@master ~]# ssh-copy-id root@192.168.75.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.75.11 (192.168.75.11)' can't be established.
ECDSA key fingerprint is SHA256:1YdNYcyKZg7826XQQ8u9S9Eq/JYxUvGeCf1kwt67f8Q.
ECDSA key fingerprint is MD5:51:17:74:f8:53:d8:0b:14:a1:00:23:9d:6d:65:18:e5.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.75.11's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.75.11'"
and check to make sure that only the key(s) you wanted were added.
[root@master ~]#
3. Check /root/.ssh/authorized_keys on node1
[root@node1 ~]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwnSCAxrfOjzwYAtZQoUmavRFLnsAXUq958u3A37TkrOmLPkP39c2wMVy3K12PpqUjUNJyZcPg4TC3FvsSasMk6DM3neCnzu1795rUWDGLJxjha+OpWEuzB0E043Z4N2c3pKd/j44ktiVQoV/5weA35kty1DymRwhmqN5gFh57eRxepfEMLRvaED8pJRGucqKYxnl7uIBMPWjPiWZ3YzKXnC3O5N3Q2FkSWQWmG6J4qV8FjrqfplWf4RjMPxeeG0o2vddnJ2jqn7ZfuBQP6Px7JupqmBVjcX8fiU9RcOptmododnhn/yMwLVTlZs7JfSf2vPEI512cqfiH7JJYYKEh root@master
[root@node1 ~]#
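#master's public key is now in node1's authorized_keys file, so master can log in to node1 without a password
#so an authorized_keys file containing the public keys of every machine in the cluster can be built and copied with scp into /root/.ssh/ on each machine, after which all machines can log in to one another without a password
4. Build an authorized_keys file containing the public keys of every machine in the cluster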
[root@node1 ~]# cat  /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwnSCAxrfOjzwYAtZQoUmavRFLnsAXUq958u3A37TkrOmLPkP39c2wMVy3K12PpqUjUNJyZcPg4TC3FvsSasMk6DM3neCnzu1795rUWDGLJxjha+OpWEuzB0E043Z4N2c3pKd/j44ktiVQoV/5weA35kty1DymRwhmqN5gFh57eRxepfEMLRvaED8pJRGucqKYxnl7uIBMPWjPiWZ3YzKXnC3O5N3Q2FkSWQWmG6J4qV8FjrqfplWf4RjMPxeeG0o2vddnJ2jqn7ZfuBQP6Px7JupqmBVjcX8fiU9RcOptmododnhn/yMwLVTlZs7JfSf2vPEI512cqfiH7JJYYKEh root@master
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCaskCwnXJNi/nb5B04FWJEnDAPCznONqZy11BnnM6SIf7auh+B90oJVhvcxry5sPHv4V4vRr3Zk+2iwP1N66RekaMdr6noIlfn0l6DHJnNaZbGphjmuipGFomUFWnswEdApu9ZCJWdT1SY3mFAj/ENMhEEjLmCDrYETyTxtriVBZw8VYTZRMJ2lBoe39aTBdeLT60EcEeTayxj3jCQ71I9++ohD+9mkysKEQY85DsTcvLY8/JjTyKVb4sKjz2uhUGye3Cj/KhFFXOAGN6J15CfHuKv6Ox6rOaNNVTqutanTlL/SPosTdvCN0rNIU61kFtID+23rv/vxu488lJMOLiv root@node1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlLeubdH1JrEbK166DvMJkYjEyoscMFyYyR1QP1ebS9iEloOy2m4WjD5OeWwOCzdnjLlPXBWILSX5jDBL+QDzVcGKjKK46c9bG8IaqXzZmMfK4S9YCy7XAsdMFaSWYJkxy/AusGIkEa0wlnMsQDf/taA6B1v81XBhCNBxmPE6c4Nj0foDtsHz3mLZY3VJASkKwEQ+VDNCeIm627sGHzQN4InyD6unZopCgJ7594tnfZzr1BSC/z4gttnDcWjLuP1PQomdBdKzCCm4XyBw0gEaqCLi1S7qt9v2UgXakFx4sXnmE5vSRa8HOwF+Q1su/OXesHfCMbBRTMX2z2qtdj2yJ root@node2
[root@node1 ~]#
5. scp the finished authorized_keys file to every machine in the cluster
[root@node1 ~]# scp  /root/.ssh/authorized_keys master:/root/.ssh/authorized_keys
root@master's password:
authorized_keys                               100% 1177    86.0KB/s   00:00
[root@node1 ~]# scp  /root/.ssh/authorized_keys node2:/root/.ssh/authorized_keys
root@node2's password:
authorized_keys                               100% 1177   676.6KB/s   00:00
[root@node1 ~]#
6. Test passwordless login
[root@master ~]# ssh node2
The authenticity of host 'node2 (192.168.75.12)' can't be established.
ECDSA key fingerprint is SHA256:MCT2/sGdyZIwtltAMiG75kp2oWvY+Y00CRC6aiPFhws.
ECDSA key fingerprint is MD5:6f:b9:bc:cf:5f:c1:f0:28:15:b4:91:62:7a:1e:a3:78.
Are you sure you want to continue connecting (yes/no)? yes     #just type yes; no password is needed
Warning: Permanently added 'node2,192.168.75.12' (ECDSA) to the list of known hosts.
Last login: Fri Mar 24 17:50:46 2023 from node1
[root@node2 ~]#
[root@node2 ~]# ls /root/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@node2 ~]#
[root@node2 ~]# cat /root/.ssh/known_hosts     #the first login requires confirmation, and the host is then recorded in known_hosts
master,192.168.75.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5fgVfMYoD2oretcvK0LFZiRV6u2+Hr27jftFZaC2ke6h5QBEE4O9QSUm/RvC3XWehX5C5c772NAr7yAFaf63A=
[root@node1 ~]# ssh master
Last login: Fri Mar 24 17:55:27 2023 from node2
[root@master ~]# ssh node1
Last login: Fri Mar 24 17:55:37 2023 from node2
[root@node1 ~]# ssh node2
Last login: Fri Mar 24 17:55:31 2023 from master
[root@node2 ~]# ssh node1
Last login: Fri Mar 24 17:55:48 2023 from master
[root@node1 ~]#
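Steps 4 and 5 assemble the shared authorized_keys file by hand. The function below is an added example, not part of the original post: it merges public-key files, rejects any line whose declared key type does not match the type encoded in its base64 blob, drops duplicates, and writes the result with mode 600. The name merge_pubkeys and the list of accepted key types are assumptions.

```shell
#!/bin/bash
# merge_pubkeys OUT FILE...   (hypothetical helper, not an OpenSSH tool)
# Writes OUT with every valid public key from FILE..., each key once.
# Usage: merge_pubkeys /root/.ssh/authorized_keys master.pub node1.pub node2.pub
merge_pubkeys() {
    local out tmp seen type blob comment embedded
    out=$1; shift
    # Temporary file next to OUT so the final rename is atomic.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    seen=" "
    cat -- "$@" | while read -r type blob comment || [ -n "$type" ]; do
        case $type in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256) ;;
            *) continue ;;              # blank line, comment or other type
        esac
        # A key blob is base64 of: 4-byte length, key type name, key data.
        embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
                   tail -c +5 | head -c "${#type}" | tr -d '\0')
        if [ "$embedded" != "$type" ]; then
            echo "rejected: $type $comment (blob is not a $type key)" >&2
            continue
        fi
        case $seen in *" $blob "*) continue ;; esac    # already merged
        seen="$seen$blob "
        printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}" >> "$tmp"
    done
    # With StrictModes (the default) sshd refuses key files that group
    # or others can write to, so fix the mode before moving into place.
    chmod 600 "$tmp" && mv -- "$tmp" "$out"
}
```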
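2 NFS Service
NFS (Network File System) is used to share files and directories with others over a network. NFS is an application-layer protocol based on a client/server architecture.
2.1 Deploying NFS

2.1.1 Server-side deployment
Step 1: install nfs and rpcbind
rpcbind service: before NFS can share files, the RPC (Remote Procedure Call) service has to send the NFS server's IP address, port number and related information to the client. So before starting the NFS service, also restart and enable the rpcbind service.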
╭─root@server /home/du  
╰─➤  yum install nfs-utils rpcbind -y
...
Complete!
Step 2: configure the NFS exports file
╭─root@server /home/du  
╰─➤  vim /etc/exports      #add the following content to the file
...
/du 192.168.80.4/24(rw) 
/du 192.168.80.0/24(rw)
/du *(rw)  
...
Step 3: restart the nfs and rpcbind services
╭─root@server /home/du  
╰─➤  systemctl restart rpcbind nfs
Step 4: change the owner of the shared directory "/du" to nfsnobody
╭─root@server /home/du  
╰─➤  chown -R nfsnobody: /du  
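The exports in step 2 include `/du *(rw)`, which makes the share writable from any host. The audit below is an added example, not part of the original post: it reads exports(5)-style lines and reports entries that are world-writable, disable root squashing, or accept unprivileged source ports. The name audit_exports and the finding labels are assumptions.

```shell
#!/bin/bash
# audit_exports [FILE]   (hypothetical helper; reads stdin when FILE is omitted)
# Prints one finding per risky client entry and returns 1 if any was found:
#   WORLD-RW        writable by every host (client "*" or an empty client)
#   NO-ROOT-SQUASH  remote root keeps uid 0 on the export
#   INSECURE        requests from unprivileged source ports are accepted
# Usage: audit_exports /etc/exports
# Limits: backslash line continuations and quoted paths are not handled.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                    # split "client(opt,opt)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            o = "," opts ","
            # "host (rw)" with a space leaves "(rw)" as its own field:
            # an empty client, so the options apply to every host.
            world = (client == "" || client == "*")
            if (world && o ~ /,rw,/) {
                print "WORLD-RW " path " " $i; found++
            }
            if (o ~ /,no_root_squash,/) {
                print "NO-ROOT-SQUASH " path " " $i; found++
            }
            if (o ~ /,insecure,/) {
                print "INSECURE " path " " $i; found++
            }
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}
```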
2.1.2 Client-side deployment
Step 1: install nfs
╭─root@client ~  
╰─➤  yum install nfs-utils -y
...
完毕!
Step 2: list the exports
╭─root@client ~  
╰─➤  showmount -e 192.168.80.3
Export list for 192.168.80.3:
/du (everyone)
Step 3: mount and use the share
╭─root@client ~  
╰─➤  mkdir /du             #create the mount point
╭─root@client ~  
╰─➤  mount -t nfs 192.168.80.3:/du /du      #-t:--type   vfstype
╭─root@client ~  
╰─➤  df -h      #check the mount
文件系统             容量  已用  可用 已用% 挂载点
/dev/mapper/cl-root   17G  4.7G   13G   28% /
devtmpfs             473M     0  473M    0% /dev
tmpfs                489M  144K  489M    1% /dev/shm
tmpfs                489M  7.1M  482M    2% /run
tmpfs                489M     0  489M    0% /sys/fs/cgroup
/dev/sda1           1014M  173M  842M   18% /boot
tmpfs                 98M   24K   98M    1% /run/user/0
/dev/sr0             4.1G  4.1G     0  100% /run/media/root/CentOS 7 x86_64
192.168.80.3:/du      17G  1.3G   16G    8% /du
╭─root@client ~  
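╰─➤  cd /du        #enter the mounted directory
╭─root@client /du  
╰─➤  touch cjk        #fails if the server has not changed the owner of the shared directory
touch: 正在设置"cjk" 的时间: 权限不够
╭─root@client /du  
╰─➤  touch cjk        #after the server has run step 4 and changed the owner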
╭─root@client /du  
╰─➤  ls
1903班学员基本信息表(1).xlsx  cjk  威武.docx
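3 Extra: scp
Purpose:
scp copies files between remote hosts.
scp uses the SSH protocol, so to copy without a password you need to send your key to the target node first.
Options:
-r: use when copying directories
-P: uppercase P specifies the port
Demo: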
╭─root@localhost.localdomain /home/du  
╰─➤  ls
3  cjk  default  改名.docx
╭─root@localhost.localdomain /home/du  
╰─➤  scp cjk 192.168.80.4:/home       #scp pushes a local file to the remote node
The authenticity of host '192.168.80.4 (192.168.80.4)' can't be established.
ECDSA key fingerprint is 2c:8c:34:b9:0c:00:5f:41:9e:f8:03:bf:ce:50:de:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.80.4' (ECDSA) to the list of known hosts.
root@192.168.80.4's password:           #enter the password
cjk                                                                                                    100%    6     0.0KB/s   00:00    
╭─root@localhost.localdomain /home/du  
╰─➤  scp 192.168.80.4:/home/cjk /home     #scp pulls a file from the remote node to the local machine
root@192.168.80.4's password:            #enter the password
cjk                                                                                                    100%    6     0.0KB/s   00:00    
╭─root@localhost.localdomain /home/du  
╰─➤  ls /home
cjk  du  test1  test2

 
                
            
         