Ansible:批量升级openssh版本至OpenSSH_8.4p1

ansible 同时被 3 个专栏收录
3 篇文章 0 订阅
83 篇文章 0 订阅
1 篇文章 0 订阅

批量升级openssh版本至OpenSSH_8.4p1

CentOS Linux release 7.8.2003(Core)默认的openssh版本是OpenSSH_7.4p1,yum提供的最新版本也是 OpenSSH_7.4p1,所以要对openssh升级,必须采用编译安装的方法,下面给大家分享一个可以一键升级的playbook。

准备工作

  • 需要升级的机器需要配置好yum源
  • 确认openssh版本是OpenSSH_7.4p1, OpenSSL 1.0.2k-fips(其他版本未必适用以下的playbook,如果不是这个版本,可以先yum安装到7.4,再执行以下playbook)
  • 在管理节点的机器安装ansible,并配置好inventory,免密(之前已经分享过)

剧本内容
role的文件结构

[root@open-1 ansible]# tree roles/
roles/
├── openssh_update
│   ├── files
│   │   ├── openssh-8.4p1.tar.gz
│   │   └── openssl-1.1.1g.tar.gz
│   ├── handlers
│   │   └── main.yaml
│   ├── tasks
│   │   ├── install.yaml
│   │   └── main.yaml
│   └── vars
│       └── main.yaml
└── update_openssh.yaml

5 directories, 7 files

将两个tar包放到files目录(完整的资源已经上传–openssh升级
update_openssh.yaml

[root@open-1 roles]# cat update_openssh.yaml
---
- name: 升级openssh版本到openssh8.4p1
  hosts: open
  user: root
  gather_facts: false
  roles:
  - openssh_update

vars/main.yaml

[root@open-1 roles]# cat openssh_update/vars/main.yaml
open_ssh_package: openssh-8.4p1.tar.gz
open_ssl_package: openssl-1.1.1g.tar.gz

tasks/main.yaml

[root@open-1 roles]# cat openssh_update/tasks/main.yaml
---
- import_tasks: install.yaml

tasks/install.yaml

[root@open-1 roles]# cat openssh_update/tasks/main.yaml
---
- import_tasks: install.yaml
[root@open-1 roles]# cat openssh_update/tasks/install.yaml
---
- name: 安装telnet、xinetd
  yum:
    name: ['telnet','telnet-server','xinetd']
    state: present
- name: 启动telnet、xinetd,并设置开机启动
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
  - xinetd
  - telnet.socket
- name: 备份/etc/securetty文件
  shell:
    cmd: cp -rf /etc/securetty /etc/securetty.bak$(date +%Y%m%d)
- name: 在/etc/securetty文件添加其他终端设备
  blockinfile:
    dest: /etc/securetty
    block: "pts/0\npts/1\npts/2\npts/3\npts/4"
- name: 重启xinetd服务
  service:
    name: xinetd
    state: restarted
  notify:                                #要确保telnet成功启动后才能进行升级,否则如果升级失败,telnet又没启动,就无法远程连接服务器了
  - telnet已经启动成功,可以进行升级

handlers/main.yaml

[root@open-1 roles]# cat openssh_update/handlers/main.yaml
---
- name: 安装编译环境
  yum:
    name: ['gcc','gcc-c++','glibc','make','autoconf','openssl','openssl-devel','pcre-devel','pam-devel']
    state: present
  listen: telnet已经启动成功,可以进行升级
- name: 安装pam,zlib
  shell:
    cmd: yum -y install pam* zlib*
  listen: telnet已经启动成功,可以进行升级
- name: 将openssh、openssl的压缩包解压到/opt目录
  unarchive:
    src: "{{ item }}"
    dest: /opt/
  loop:
  - "{{ open_ssh_package }}"
  - "{{ open_ssl_package }}"
  listen: telnet已经启动成功,可以进行升级
- name: 备份openssl文件
  shell:
    cmd: mv /usr/bin/openssl /usr/bin/openssl_bak;mv /usr/include/openssl /usr/include/openssl_bak
  listen: telnet已经启动成功,可以进行升级
- name: 编译安装openssl
  shell:
    cmd: ./config shared --prefix=/usr/local/ssl && make && make install
    chdir: /opt/openssl-1.1.1g
  listen: telnet已经启动成功,可以进行升级
- name: 设置openssl指令的软链接
  shell:
    cmd: 'ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl;ln -s /usr/local/ssl/include/openssl /usr/include/openssl'
  listen: telnet已经启动成功,可以进行升级
- name: 加载openssl模块
  shell:
    cmd: echo "/usr/local/ssl/lib" >> /etc/ld.so.conf;/sbin/ldconfig
  listen: telnet已经启动成功,可以进行升级
- name: 备份/etc/ssh、/etc/pam.d/sshd.pam
  shell:
    cmd: mv /etc/ssh /etc/ssh.$(date +%Y%m%d);cp -rf /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam.$(date +%Y%m%d) || echo "ansible_ens33['ipv4']['address']上暂无这个文件。"
  listen: telnet已经启动成功,可以进行升级
- name: 编译安装openssh
  shell:
    cmd: ./configure --prefix=/usr --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install
    chdir: /opt/openssh-8.4p1
  listen: telnet已经启动成功,可以进行升级
- name: 替换新的sshd_config
  shell:
    cmd: cp -rf /opt/openssh-8.4p1/sshd_config /etc/ssh/sshd_config
  listen: telnet已经启动成功,可以进行升级
- name: override default of no subsystems
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*Subsystem.*sftp-server
    line: Subsystem       sftp    /usr/libexec/openssh/sftp-server
  listen: telnet已经启动成功,可以进行升级
- name: 关闭DNS解析
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*UseDNS
    line: UseDNS no
  listen: telnet已经启动成功,可以进行升级
- name: 允许root远程登录
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*PermitRootLogin
    line: PermitRootLogin yes
  listen: telnet已经启动成功,可以进行升级
- name: 添加banner路径
  lineinfile:
    dest: /etc/ssh/sshd_config
    insertafter: ^#Banner none
    line: Banner /etc/sshbanner
  listen: telnet已经启动成功,可以进行升级
- name: 拷贝sshd.init和sshd.pam
  shell:
    cmd: cp -a contrib/redhat/sshd.init /etc/init.d/sshd;cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chdir: /opt/openssh-8.4p1
  listen: telnet已经启动成功,可以进行升级
- name: 将sshd交给chkconfig管理
  shell:
    cmd: chmod +x /etc/init.d/sshd;chkconfig --add sshd;chkconfig sshd on;systemctl enable sshd
  listen: telnet已经启动成功,可以进行升级
- name: 备份sshd.service并重启sshd服务
  shell:
    cmd: mv  /usr/lib/systemd/system/sshd.service  /opt/;mv  /usr/lib/systemd/system/sshd.socket  /opt/;systemctl daemon-reload;service sshd restart
  listen: telnet已经启动成功,可以进行升级
- name: 检查版本,确认是否升级成功
  shell:
    cmd: ssh -V;openssl version
  register: check
  listen: telnet已经启动成功,可以进行升级
- name: 更新后版本信息
  debug:
    var: check
    verbosity: 0
  listen: telnet已经启动成功,可以进行升级

语法检查

[root@open-1 roles]# ls
openssh_update  update_openssh.yaml
[root@open-1 roles]# ansible-playbook --syntax-check update_openssh.yaml

playbook: update_openssh.yaml

运行

[root@open-1 roles]# ansible-playbook  update_openssh.yaml

PLAY [升级openssh版本到openssh8.4p1] ************************************************************************************************************************************************************

TASK [openssh_update : 安装telnet、xinetd] ****************************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

TASK [openssh_update : 启动telnet、xinetd,并设置开机启动] ********************************************************************************************************************************************
changed: [open-2] => (item=xinetd)
changed: [open-3] => (item=xinetd)
changed: [open-2] => (item=telnet.socket)
changed: [open-3] => (item=telnet.socket)

TASK [openssh_update : 备份/etc/securetty文件] *************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

TASK [openssh_update : 在/etc/securetty文件添加其他终端设备] ******************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

TASK [openssh_update : 重启xinetd服务] *********************************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : 安装编译环境] **************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 安装pam,zlib] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 将openssh、openssl的压缩包解压到/opt目录] ***************************************************************************************************************************
changed: [open-3] => (item=openssh-8.4p1.tar.gz)
changed: [open-2] => (item=openssh-8.4p1.tar.gz)
changed: [open-3] => (item=openssl-1.1.1g.tar.gz)
changed: [open-2] => (item=openssl-1.1.1g.tar.gz)

RUNNING HANDLER [openssh_update : 备份openssl文件] *********************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : 编译安装openssl] *********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 设置openssl指令的软链接] *****************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 加载openssl模块] *********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 备份/etc/ssh、/etc/pam.d/sshd.pam] **************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 编译安装openssh] *********************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : 替换新的sshd_config] *****************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : override default of no subsystems] ***********************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : 关闭DNS解析] *************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 允许root远程登录] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 添加banner路径] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 拷贝sshd.init和sshd.pam] ************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 将sshd交给chkconfig管理] **************************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 备份sshd.service并重启sshd服务] *********************************************************************************************************************************
changed: [open-3]
changed: [open-2]

RUNNING HANDLER [openssh_update : 检查版本,确认是否升级成功] *******************************************************************************************************************************************
changed: [open-2]
changed: [open-3]

RUNNING HANDLER [openssh_update : 更新后版本信息] *************************************************************************************************************************************************
ok: [open-2] => {
    "check": {
        "changed": true,
        "cmd": "ssh -V;openssl version",
        "delta": "0:00:00.010729",
        "end": "2020-12-23 09:43:04.779265",
        "failed": false,
        "rc": 0,
        "start": "2020-12-23 09:43:04.768536",
        "stderr": "OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020",
        "stderr_lines": [
            "OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020"
        ],
        "stdout": "OpenSSL 1.1.1g  21 Apr 2020",
        "stdout_lines": [
            "OpenSSL 1.1.1g  21 Apr 2020"
        ]
    }
}
ok: [open-3] => {
    "check": {
        "changed": true,
        "cmd": "ssh -V;openssl version",
        "delta": "0:00:00.010667",
        "end": "2020-12-23 09:42:42.195868",
        "failed": false,
        "rc": 0,
        "start": "2020-12-23 09:42:42.185201",
        "stderr": "OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020",
        "stderr_lines": [
            "OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020"
        ],
        "stdout": "OpenSSL 1.1.1g  21 Apr 2020",
        "stdout_lines": [
            "OpenSSL 1.1.1g  21 Apr 2020"
        ]
    }
}

PLAY RECAP *********************************************************************************************************************************************************************************
open-2                     : ok=24   changed=23   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
open-3                     : ok=24   changed=23   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

可以看到,已经成功升级,原来配置的免密登录应该是无法登录了,把root/.ssh/konwn_hosts文件里面的记录删掉就能连接了。

  • 4
    点赞
  • 0
    评论
  • 3
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

相关推荐
©️2020 CSDN 皮肤主题: 游动-白 设计师:白松林 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值