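SSH passwordless login and passwordless sudo execution
Background: when releasing a version with Jenkins, we need to connect remotely to the k8s master node and run kubectl commands. Two problems have to be solved: 1. passwordless remote SSH login, 2. passwordless sudo execution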
kubectl apply -f /opt/${JOB_NAME}.yaml
kubectl rollout restart deployment ${JOB_NAME} -n test2
SSH passwordless login
# Create a regular user
adduser lijie
# Switch to the regular user
su lijie
cd ~
Generate an SSH key
lijie@lijie-vm:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lijie/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/lijie/.ssh/id_rsa
Your public key has been saved in /home/lijie/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:o27B/XKyUXIyyn63ofxdBnSnJSccRofB+SR4NBGOp1o lijie@lijie-vm
The key's randomart image is:
+---[RSA 3072]----+
| =X*.|
| .=*+.|
| o.B++|
| . + B.|
| . .S o E . |
| .oo.B o . |
| +...o o |
| o..+o+o o |
| .o.+Bo.. |
+----[SHA256]-----+
lijie@lijie-vm:~$
Use the ssh-copy-id command to copy the id_rsa.pub public key into the .ssh/authorized_keys file on the specified remote server
ssh-copy-id -i ~/.ssh/id_rsa.pub root@localhost
You can now connect to the remote server over SSH without a password and run commands
ssh root@localhost ip a
Passwordless sudo execution
Switch to the root user and edit /etc/sudoers
su
vim /etc/sudoers
Add the line 'lijie ALL=(ALL:ALL) NOPASSWD: ALL'
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
lijie ALL=(ALL:ALL) NOPASSWD: ALL
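Use wq! to force save and quit
The regular user can now use sudo without a password
Connect remotely as a regular user without a password and run a sudo command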
ssh test@localhost sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
22496811bd3e idoop/zentao:latest "docker-entrypoint" 5 days ago Up 6 hours (healthy) 0.0.0.0:3306->3306/tcp, :::3306->3306/tcp, 0.0.0.0:8081->80/tcp, :::8081->80/tcp zentao
3fdb9790eb87 sonarqube:8.9.8-community "bin/run.sh bin/sona…" 3 weeks ago Up 6 hours 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp sonarqube
b4d44c9dd75a postgres "docker-entrypoint.s…" 3 weeks ago Up 6 hours 0.0.0.0:5432->5432/tcp, :::5432->5432/tcp db
fafb7fefd312 jenkins/jenkins:2.355 "/usr/bin/tini -- /u…" 3 weeks ago Up 6 hours 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:50000->50000/tcp, :::50000->50000/tcp jenkins
You can also log in remotely to the k8s master node and run commands with sudo
ssh lijie@192.168.2.101 sudo kubectl apply -f /opt/${JOB_NAME}.yaml
ssh lijie@192.168.2.101 sudo kubectl rollout restart deployment ${JOB_NAME} -n test2
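A narrower alternative to the NOPASSWD: ALL entry above, as an added example that is not part of the original post: it flags blanket passwordless rules in a sudoers file and generates a drop-in that permits only the two kubectl commands for one job. The kubectl path, the drop-in file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: kubectl lives at
# /usr/bin/kubectl and the drop-in is named /etc/sudoers.d/jenkins-deploy.
LC_ALL=C
KUBECTL=/usr/bin/kubectl
DROPIN=/etc/sudoers.d/jenkins-deploy

# Constructed sample mirroring the sudoers excerpt shown in the post.
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
lijie ALL=(ALL:ALL) NOPASSWD: ALL'

# List non-comment lines that grant passwordless sudo for every command.
# Reads the file named in $1, or stdin when no argument is given.
audit_nopasswd_all() {
    grep -nE '^[[:space:]]*[^#[:space:]].*NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "${1:--}"
}

# Accept only lowercase letters, digits and '-', so a job name cannot
# smuggle sudoers syntax (commas, spaces, '!') into the generated rule.
is_label() {
    case $1 in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Emit a rule allowing only the two deployment commands for one job.
# Arguments are spelled out exactly: a sudoers wildcard in the argument
# list would also match spaces and extra options.
render_dropin() {  # usage: render_dropin USER JOB NAMESPACE
    is_label "$1" && is_label "$2" && is_label "$3" || return 1
    printf '%s ALL=(root) NOPASSWD: %s apply -f /opt/%s.yaml, \\\n' "$1" "$KUBECTL" "$2"
    printf '    %s rollout restart deployment %s -n %s\n' "$KUBECTL" "$2" "$3"
}

# Syntax-check the rule with visudo before installing it (run as root).
install_dropin() {
    _tmp=$(mktemp) || return 1
    if render_dropin "$@" > "$_tmp" && visudo -cf "$_tmp"; then
        install -m 0440 -o root -g root "$_tmp" "$DROPIN"; _rc=$?
    else
        _rc=1
    fi
    rm -f "$_tmp"; return "$_rc"
}
```

Run `audit_nopasswd_all /etc/sudoers` to list blanket entries, and `install_dropin lijie <job> test2` as root to install the restricted rule; with the rule in place the Jenkins job must call kubectl by the same absolute path and arguments.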