Preface
The "Project Practice" series is the hands-on companion to the second stage of "Linux Practical Teaching Notes". The projects build on one another and together form the second-stage core teaching target: a basic core-service cluster of 10 servers. This article continues from http://www.cnblogs.com/chensiqiqi/p/6556509.html (Project Practice 2).
Reprinted from
[SSH Project Practice 3] Batch distribution and execution of scripts and keys - 陳思齊 - 博客園
http://www.cnblogs.com/chensiqiqi/p/6554055.html
[Case study]
The company has received 8 new servers and plans to build a small cluster out of them. One server will serve as the batch-management server; the other 7 are needed by the business architecture. You are in charge of the initial server configuration, with the following requirements:
- [x] ssh from the management server to any other server must use password-less key authentication, and the keys must be distributed in batch (batch distribution implemented by a script).
- [x] There is no DNS server, so each server needs hosts-file resolution of the other servers' addresses; /etc/hosts must therefore be distributed in batch (batch file distribution implemented with ansible).
- [x] The new servers need some simple initial optimisation (server optimisation script) and a yum repository (epel.repo source) (batch script distribution and batch execution implemented with ansible).
Environment preparation
Operating system
```
[root@m01 ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
```
Kernel version
```
[root@m01 ~]# uname -r
2.6.32-642.el6.x86_64
```
Host network parameters:
Hostname | NIC eth0 | NIC eth1 | Purpose |
---|---|---|---|
lb01 | 10.0.0.5/24 | 172.16.1.5/24 | A1-nginx load balancer 01 |
lb02 | 10.0.0.6/24 | 172.16.1.6/24 | A2-nginx load balancer 02 |
web02 | 10.0.0.7/24 | 172.16.1.7/24 | B1-apache web server |
web01 | 10.0.0.8/24 | 172.16.1.8/24 | B2-nginx web server |
db01 | 10.0.0.51/24 | 172.16.1.51/24 | C3-mysql database server |
nfs01 | 10.0.0.31/24 | 172.16.1.31/24 | C1-NFS storage server |
backup | 10.0.0.41/24 | 172.16.1.41/24 | C2-rsync storage server |
m01 | 10.0.0.61/24 | 172.16.1.61/24 | X-management server |
Part 1: deploying batch distribution of ssh keys
Step 1: install the non-interactive tool sshpass and batch-distribute the SSH key
Download the epel source and refresh the yum cache
```
[root@m01 ~]# wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
[root@m01 ~]# yum -y clean all
[root@m01 ~]# yum makecache
```
Install sshpass
```
[root@m01 ~]# yum -y install sshpass
```
Step 2: create the key-pair files
Create the key pair non-interactively
```
[root@m01 ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ""
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
4d:01:91:98:be:02:89:ab:ce:63:4f:81:e3:ab:0b:f8 root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| oo+.            |
| o . .           |
| . . . .         |
|. + . o          |
| + o .S .        |
|+ . o .          |
|+. . .           |
|++o              |
|*=E.             |
+-----------------+
[root@m01 ~]# ls ~/.ssh/
authorized_keys  id_dsa  id_dsa.pub  known_hosts
```
Command explanation:
- ssh-keygen: generates the key pair
- -t: the key type (rsa or dsa)
- -f: output path for the key-pair files, including the file name
- -P (upper case): the passphrase of the key pair
Step 3: distribute the public key non-interactively
```
[root@m01 ~]# sshpass -p "ssh login password" ssh-copy-id -i ~/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no root@172.16.1.31"
Now try logging into the machine, with "ssh '-o StrictHostKeyChecking=no root@172.16.1.31'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@m01 ~]#
```
Command explanation:
- sshpass: non-interactive password helper made for ssh connections
- -p: the login password
- ssh-copy-id: tool that installs the public key on the remote host automatically
- -i: path to the public key
- -o StrictHostKeyChecking=no: do not stop to confirm the remote host's key information (on the first ssh connection it is recorded in the known_hosts file)
Step 4: test ssh key authentication
```
[root@m01 ~]# ssh root@172.16.1.31   # test succeeded: ssh login without a password
Last login: Tue Mar 14 21:49:58 2017 from 172.16.1.1
[root@nfs01 ~]#
```
Step 5: write the non-interactive batch distribution script for the ssh key pair
```bash
#!/bin/bash
# author:Mr.chen
# 2017-3-14
# description: batch distribution of SSH keys
User=root
passWord="your-login-password"   # Linux login password of the target hosts (fill in)

# Install the epel yum repository, moving any existing repo files aside first
function YumBuild(){
    echo "正在安裝epel源yum倉庫,請稍后..."
    cd /etc/yum.repos.d/ &&\
    [ -d bak ] || mkdir bak
    [ `find ./*.* -type f | wc -l` -gt 0 ] && find ./*.* -type f | xargs -i mv {} bak/
    wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo &>/dev/null
    yum -y clean all &>/dev/null
    yum makecache &>/dev/null
}

echo "正在進行網絡連接測試,請稍后..."
# an exit inside ( ) only leaves the subshell; { } makes the script really stop
ping www.baidu.com -c2 >/dev/null || { echo "無法連同外網,本腳本運行環境必須和外網相連!"; exit 1; }
[ $# -eq 0 ] && echo "沒有參數!格式為:sh $0 參數1...n" && exit 1

# make sure sshpass is installed; set up the epel repository if the install fails
rpm -q sshpass &>/dev/null || yum -y install sshpass &>/dev/null
if [ $? -gt 0 ];then
    YumBuild
    yum -y install sshpass &>/dev/null || { echo "sshpass build error!"; exit 1; }
fi

[ -d ~/.ssh ] || mkdir ~/.ssh;chmod 700 ~/.ssh
echo "正在創建密鑰對...."
rm -rf ~/.ssh/id_dsa ~/.ssh/id_dsa.pub
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P "" &>/dev/null

for ip in $*
do
    ping $ip -c1 &>/dev/null
    if [ $? -gt 0 ];then
        echo "$ip無法ping通請檢查網絡"
        continue
    fi
    # report success only when ssh-copy-id itself succeeded
    if sshpass -p "$passWord" ssh-copy-id -i ~/.ssh/id_dsa.pub "-o StrictHostKeyChecking=no ${User}@$ip" &>/dev/null; then
        echo "$ip 密鑰分發成功"
    else
        echo "$ip 密鑰分發失敗"
    fi
done
```
Special note:
The script content is only meant to open up ideas!
If you want to learn shell or programming well, reading alone is useless;
1. learn (the basics)
2. read (the ideas)
3. imitate (the way it is written)
4. practise (outside class)
Keep this in mind....
Step 6: test the distribution script
```
[root@m01 yum.repos.d]# sh /server/scripts/ssh_key.sh 172.16.1.5 172.16.1.6 172.16.1.7 172.16.1.8 172.16.1.51 172.16.1.31 172.16.1.41 172.16.1.61
正在進行網絡連接測試,請稍后...
正在創建密鑰對....
172.16.1.5無法ping通請檢查網絡
172.16.1.6無法ping通請檢查網絡
172.16.1.7 密鑰分發成功
172.16.1.8 密鑰分發成功
172.16.1.51無法ping通請檢查網絡
172.16.1.31 密鑰分發成功
172.16.1.41 密鑰分發成功
172.16.1.61 密鑰分發成功
```
Note: 3 hosts were deliberately left switched off; the script test succeeded.
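A follow-up check for the rollout above, added here as an example and not part of the original post: it confirms that each host really accepts the distributed key without a password and, following ssh-copy-id's own advice, audits the remote authorized_keys for keys other than the one just distributed. It assumes root login and ~/.ssh/id_dsa.pub as used in the post, and that the hosts are already in known_hosts (ssh-copy-id recorded them).

```shell
#!/bin/bash
# Added example (not the original post's script): verify the key rollout.
#   unexpected_keys FILE PUBKEY        prints authorized_keys lines in FILE whose
#                                      key material differs from the key in PUBKEY
#   unexpected_key_count FILE PUBKEY   same, but prints the number of such lines
#   check_host IP PUBKEY               connects with key auth only and audits the
#                                      remote authorized_keys
set -u

unexpected_keys() {
    # key material = type + base64 blob; the trailing comment is ignored, so a
    # renamed copy of the expected key is not reported
    want=$(awk 'NF >= 2 { print $1, $2; exit }' "$2")
    awk -v want="$want" '
        /^[[:space:]]*#/ { next }           # comment line
        NF == 0          { next }           # blank line
        ($1 " " $2) != want { print }       # any other key is reported
    ' "$1"
}

unexpected_key_count() {
    unexpected_keys "$1" "$2" | awk 'END { print NR }'
}

check_host() {
    ip=$1; pub=$2
    tmp=$(mktemp)
    # BatchMode=yes never prompts: a password fallback, a missing key or a
    # changed host key all become a failed connection instead of a hang
    if ! ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 \
            "root@$ip" 'cat ~/.ssh/authorized_keys' >"$tmp" 2>/dev/null; then
        echo "$ip: key authentication FAILED"
        rm -f "$tmp"; return 1
    fi
    n=$(unexpected_key_count "$tmp" "$pub")
    if [ "$n" -gt 0 ]; then
        echo "$ip: key authentication OK, but $n unexpected key(s):"
        unexpected_keys "$tmp" "$pub" | sed 's/^/    /'
    else
        echo "$ip: key authentication OK, only the expected key is installed"
    fi
    rm -f "$tmp"
}

# Usage: sh check_keys.sh 172.16.1.31 172.16.1.41 ...   (no arguments: only defines functions)
if [ $# -gt 0 ]; then
    for ip in "$@"; do check_host "$ip" ~/.ssh/id_dsa.pub; done
fi
```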
Part 2: deploying the ansible automation tool and batch-distributing files
Step 1: install ansible
The epel.repo source is required
```
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo
yum -y install ansible
```
Step 2: configure the host group
Edit the /etc/ansible/hosts file
```
[root@m01 ~]# tail -8 /etc/ansible/hosts
[chensiqi]
172.16.1.31
172.16.1.41
172.16.1.51
172.16.1.5
172.16.1.6
172.16.1.7
172.16.1.8
```
Because password-less key authentication has already been configured, the /etc/ansible/hosts inventory only needs the IP addresses of the managed hosts.
Step 3: test ansible batch management
```
[root@m01 ~]# ansible chensiqi -m command -a "w"
172.16.1.6 | SUCCESS | rc=0 >>
 08:47:40 up 12 min,  1 user,  load average: 0.00, 0.01, 0.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    m01              08:47    0.00s  0.27s  0.01s /bin/sh -c /usr

172.16.1.41 | SUCCESS | rc=0 >>
 22:48:28 up 1 day,  3:37,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                Sat03    1:15m  0.15s  0.15s -bash
root     pts/0    m01              22:48    1.00s  0.33s  0.00s /bin/sh -c /usr

172.16.1.51 | SUCCESS | rc=0 >>
 08:47:41 up 13 min,  1 user,  load average: 0.08, 0.03, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    m01              08:47    1.00s  0.29s  0.00s /bin/sh -c /usr

172.16.1.31 | SUCCESS | rc=0 >>
 10:27:47 up 15:47,  2 users,  load average: 0.16, 0.05, 0.06
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                Mon20   20:56m  0.15s  0.15s -bash
root     pts/0    m01              10:27    0.00s  0.26s  0.00s /bin/sh -c /usr

172.16.1.5 | SUCCESS | rc=0 >>
 08:47:41 up 12 min,  1 user,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    m01              08:47    0.00s  0.20s  0.00s /bin/sh -c /usr

172.16.1.7 | SUCCESS | rc=0 >>
 21:03:00 up 10:03,  2 users,  load average: 0.05, 0.05, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                11:00    2:03m  0.14s  0.14s -bash
root     pts/0    m01              21:02    1.00s  0.18s  0.00s /bin/sh -c /usr

172.16.1.8 | SUCCESS | rc=0 >>
 10:27:48 up 14:31,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1     -                Sat09   20:03m  0.10s  0.10s -bash
root     pts/0    m01              10:27    1.00s  0.16s  0.00s /bin/sh -c /usr
```
Step 4: batch-distribute the /etc/hosts file
```
[root@m01 ~]# ansible chensiqi -m copy -a "src=/etc/hosts dest=/etc/hosts backup=yes"
# backup=yes: if a file already exists at the destination, back it up before overwriting it
172.16.1.51 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446564.45-249855699288208/source",
    "state": "file",
    "uid": 0
}
172.16.1.31 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446564.26-6373581674916/source",
    "state": "file",
    "uid": 0
}
172.16.1.41 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446564.37-90309519963188/source",
    "state": "file",
    "uid": 0
}
172.16.1.5 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446564.91-218095487370821/source",
    "state": "file",
    "uid": 0
}
172.16.1.6 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446564.92-48667872204035/source",
    "state": "file",
    "uid": 0
}
172.16.1.8 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446566.37-188264096277764/source",
    "state": "file",
    "uid": 0
}
172.16.1.7 | SUCCESS => {
    "changed": true,
    "checksum": "dba0126bf49ea8d4cdc476828f9edb37085c6afe",
    "dest": "/etc/hosts",
    "gid": 0,
    "group": "root",
    "md5sum": "09bad48d0c62411850fd04b68f836335",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:net_conf_t:s0",
    "size": 294,
    "src": "/root/.ansible/tmp/ansible-tmp-1489446566.39-64165112131501/source",
    "state": "file",
    "uid": 0
}
```
Special note:
If a file already exists at the destination path and it is identical to the file you want to copy, ansible's copy will likewise have no effect.
Part 3: write the initial server optimisation script (service optimisation + automatic epel yum repository setup) and use ansible to batch-distribute and batch-execute it
Step 1: write the initial service optimisation + epel yum repository setup script
```bash
#!/bin/bash
# author:Mr.chen
# 2017-3-15
# description: initial server optimisation script + epel yum repository setup

# Stop iptables and SELinux now and at boot, set the default runlevel to 3 and
# disable boot-time start of every service except the listed essentials
function ServerSystemOptimize(){
    echo "腳本開始嘗試對服務器進行一些必要的優化...." && sleep 2
    /etc/init.d/iptables stop &>/dev/null && echo "防火牆已經關閉!" && sleep 1
    setenforce 0 &>/dev/null && echo "SElinux 已關閉!" || echo "SElinux未開啟!"
    chkconfig iptables off && echo "防火牆已經取消開機啟動!"&& sleep 1
    # match the SELINUX= line by content instead of a hard-coded line number
    sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config && echo "SElinux已經取消開機啟動!"&& sleep 1
    # same for the initdefault line of /etc/inittab
    sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab && echo "Linux啟動運行級別已經永久設置為3!" && sleep 1
    chkconfig --list | egrep -v "rsyslog|network|crond|sysstat|sshd" | awk '{print "chkconfig",$1,"off"}' | bash &>/dev/null && echo "腳本已經關閉Linux不必要服務的開機自啟動!" && sleep 1
}

# Install the epel yum repository, moving any existing repo files aside first
function YumBuild(){
    echo "正在安裝epel源yum倉庫,請稍后..."
    cd /etc/yum.repos.d/ &&\
    [ -d bak ] || mkdir bak
    [ `find ./*.* -type f | wc -l` -gt 0 ] && find ./*.* -type f | xargs -i mv {} bak/
    wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo &>/dev/null
    yum -y clean all &>/dev/null
    yum makecache &>/dev/null
}

echo "腳本正在進行網絡連接測試,請稍后..."
# an exit inside ( ) only leaves the subshell; { } makes the script really stop
ping www.baidu.com -c2 &>/dev/null || { echo "無法連同外網,或者DNS解析有問題,本腳本運行環境必須和外網相連!"; exit 1; }
YumBuild
ServerSystemOptimize
```
Step 2: test the script locally
```
[root@m01 ~]# sh /server/scripts/server_uptimize.sh
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!
```
Step 3: batch-distribute the script with ansible
```
[root@m01 ~]# ansible chensiqi -m copy -a "src=/server/scripts/server_uptimize.sh dest=/server/scripts/ backup=yes"
172.16.1.6 | SUCCESS => {
    "changed": true,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "md5sum": "efeaffe8266992c190c1055241458259",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "src": "/root/.ansible/tmp/ansible-tmp-1489449184.22-105813674245985/source",
    "state": "file",
    "uid": 0
}
172.16.1.5 | SUCCESS => {
    "changed": true,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "md5sum": "efeaffe8266992c190c1055241458259",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "src": "/root/.ansible/tmp/ansible-tmp-1489449184.22-102726815232979/source",
    "state": "file",
    "uid": 0
}
172.16.1.51 | SUCCESS => {
    "changed": true,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "md5sum": "efeaffe8266992c190c1055241458259",
    "mode": "0644",
    "owner": "root",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "src": "/root/.ansible/tmp/ansible-tmp-1489449184.26-180721242166387/source",
    "state": "file",
    "uid": 0
}
172.16.1.41 | SUCCESS => {
    "changed": false,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/server/scripts/server_uptimize.sh",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "state": "file",
    "uid": 0
}
172.16.1.31 | SUCCESS => {
    "changed": false,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/server/scripts/server_uptimize.sh",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "state": "file",
    "uid": 0
}
172.16.1.8 | SUCCESS => {
    "changed": false,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/server/scripts/server_uptimize.sh",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "state": "file",
    "uid": 0
}
172.16.1.7 | SUCCESS => {
    "changed": false,
    "checksum": "9d508da8cce8830722ac38ad274361601d33f43e",
    "dest": "/server/scripts/server_uptimize.sh",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/server/scripts/server_uptimize.sh",
    "secontext": "system_u:object_r:default_t:s0",
    "size": 1600,
    "state": "file",
    "uid": 0
}
```
Step 4: batch-execute the script with ansible
```
[root@m01 ~]# ansible chensiqi -m shell -a "sh /server/scripts/server_uptimize.sh"
172.16.1.5 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.6 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.31 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.41 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.51 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.8 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!

172.16.1.7 | SUCCESS | rc=0 >>
腳本正在進行網絡連接測試,請稍后...
正在安裝epel源yum倉庫,請稍后...
*****************腳本開始嘗試對服務器進行一些必要的優化....**********************
防火牆已經關閉!
SElinux 已關閉!
防火牆已經取消開機啟動!
SElinux已經取消開機啟動!
Linux啟動運行級別已經永久設置為3!
腳本已經關閉Linux不必要服務的開機自啟動!
```
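Added example, not from the original post: a wrapper around the copy-and-run step above that uploads the script with an executable mode and an on-target syntax check, then summarises which hosts did not come back with SUCCESS and rc=0, so that a failed or unreachable host is not lost among eight near-identical output blocks. The group name "chensiqi" and the script path are the ones used in this post; mode= and validate= are standard copy-module parameters.

```shell
#!/bin/bash
# Added example (not from the original post): run the optimisation script
# through ansible and summarise the per-host results.
set -u

# Every host's result in ansible ad-hoc output starts with one of
#   IP | SUCCESS | rc=0 >>        IP | FAILED | rc=1 >>      (shell/command)
#   IP | SUCCESS => {             IP | UNREACHABLE! => {     (copy, JSON body)
# failed_hosts reads such output on stdin and prints "IP reason" for every
# host that did not finish with SUCCESS and rc=0.
failed_hosts() {
    awk '$2 == "|" && ($3 == "SUCCESS" || $3 == "FAILED" || $3 == "UNREACHABLE!") {
            rc = ""
            if ($4 == "|" && $5 ~ /^rc=/) rc = substr($5, 4)
            if ($3 != "SUCCESS") print $1, $3; else if (rc != "" && rc != "0") print $1, "rc=" rc
        }'
}

failed_host_count() {
    failed_hosts | awk 'END { print NR }'
}

# One-line verdict plus the offending hosts, if any
report() {
    bad=$(failed_hosts)
    if [ -z "$bad" ]; then
        echo "all hosts OK"
    else
        echo "hosts needing attention:"
        echo "$bad"
    fi
}

# mode=0755 makes the script executable on arrival; validate='sh -n %s' has
# ansible syntax-check the uploaded copy on the target before it replaces the
# destination, so a truncated or corrupted script is never installed.
run_script() {
    group=$1; script=$2
    ansible "$group" -m copy \
        -a "src=$script dest=$script mode=0755 backup=yes validate='sh -n %s'" \
        | tee copy.log | report
    ansible "$group" -m shell -a "$script" | tee run.log | report
}

# Usage: sh run_optimize.sh chensiqi /server/scripts/server_uptimize.sh
if [ $# -eq 2 ]; then
    run_script "$1" "$2"
fi
```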