day41 - SSH supplement and ansible


SSH supplement

Creating keys non-interactively

Create a key pair

[root@m01 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):   ## enter the file in which to save the key

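The first obstacle when creating a key pair is the prompt asking where to store the private key. Specifying the private key path ourselves at creation time solves this.

Create a key pair and specify the private key path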

[root@m01 ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):   ## enter a passphrase (empty for no passphrase)

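The first problem is now solved, but we hit a second one: we are prompted to enter a passphrase.

Create a key pair (private key path specified, empty passphrase specified)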

[root@m01 ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:hB/Hb1VHd0XR4fJOSiQc6GSzdRDsc2DwBPfiH5ETz/8 root@m01
The key's randomart image is:
+---[DSA 1024]----+
|         o=*o. =&|
|       . *==o.*.=|
|      . * O=oB.+ |
|       o =.++o= .|
|        S  .=o o.|
|           .o = .|
|             o .E|
|                 |
|                 |
+----[SHA256]-----+

At this point the key pair can be created non-interactively.

Non-interactive key distribution to multiple hosts

Distribute the key to 172.16.1.41

[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub 172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:mU5M6MktWhokHwVZzj/AEmqU4GXI4YvfFP4rloahoaU.
ECDSA key fingerprint is MD5:2d:82:64:00:ab:37:bc:74:0a:e4:23:91:f7:40:6e:d1.
Are you sure you want to continue connecting (yes/no)? 

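Key distribution runs into the first problem that breaks non-interactive use: host verification. The prompt appears only the first time a given host is connected to. After that connection an entry is written to a text file under the .ssh directory, and the prompt no longer appears on the next connection.

Host verification file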

[root@m01 ~]# cat .ssh/known_hosts 
172.16.1.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9h9FAvRl/eo16mvqPFQGZqSOP//2ZS1ev1/n90eXVMWu4+8KXubiQWDiEqUbHwmJ8xKJYIGBFDAuFcHmMAUtA=

Distribute the key to 172.16.1.41 (host verification temporarily disabled)

[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub -oStrictHostKeyChecking=no 172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

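The first problem is solved, but we hit a second one: we have to enter the password of the remote host (172.16.1.41). The sshpass command solves this. It is a command that supplies the password non-interactively to ssh and the tools built on it.

Install sshpass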

yum install -y sshpass

Distribute the key to 172.16.1.41 (host verification temporarily disabled, remote password supplied)

[root@m01 ~]# sshpass  -p 123456  ssh-copy-id -i ~/.ssh/id_dsa.pub -oStrictHostKeyChecking=no 172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

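This makes key distribution non-interactive.

Distributing keys to multiple hosts non-interactively

1. This needs a for loop. The format of a for loop is:

for variable in list
do
commands
done

2. Write the script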

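[root@m01 ~]# vim /server/scripts/key.sh
#!/bin/bash
# ssh-keygen: create the key pair without prompting for a path or passphrase
ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''
# ssh-copy-id: push the public key to 172.16.1.7 and 172.16.1.41
for ip in 7 41
do
sshpass -p 123456  ssh-copy-id -i ~/.ssh/id_dsa.pub -oStrictHostKeyChecking=no 172.16.1.$ip
done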

3. Run the script

[root@m01 ~]# sh /server/scripts/key.sh
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:1mLwhWvr2OOddKJWs9baUE1Yk3SUtxEMuRLTf95PJuk root@m01
The key's randomart image is:
+---[DSA 1024]----+
|            .oB+=|
|         . o =.*.|
|      . . . + + +|
|       o + . + o.|
|        S . o .oo|
|       + oo.  o =|
|        ..++.. +.|
|       +o+o*. E .|
|      .o=o+..    |
+----[SHA256]-----+
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '172.16.1.7'"
and check to make sure that only the key(s) you wanted were added.

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

4. Test

pssh -Ph hosts.txt hostname
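
The same distribution loop with its three weak points tightened, as an added example that is not the original author's script: an ed25519 key instead of the 1024-bit DSA key (OpenSSH has disabled DSA keys by default since 7.0), the password read from a file with sshpass -f instead of -p 123456 on the command line, and host keys checked against a pre-filled known_hosts file instead of StrictHostKeyChecking=no. The PINNED and PASSFILE paths and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the original author's script. Hypothetical paths:
# PINNED   known_hosts file filled out of band (e.g. from each server's console)
# PASSFILE file holding the remote password, readable by root only
KEY=${KEY:-$HOME/.ssh/id_ed25519}
PINNED=${PINNED:-/server/scripts/pinned_known_hosts}
PASSFILE=${PASSFILE:-/server/scripts/.distpass}
NET=172.16.1

# Print each host that has no entry in the pinned file (plain, unhashed
# entries assumed: "name[,name...] keytype base64key"). Fails closed: a
# missing or unreadable file reports every host as unpinned.
missing_pins() {    # usage: missing_pins <known_hosts> <host>...
    kh=$1; shift
    for h in "$@"; do
        awk -v h="$h" '
            NF == 0 || $1 ~ /^#/ { next }
            { n = split($1, names, ",")
              for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$kh" 2>/dev/null || echo "$h"
    done
}

distribute() {      # usage: distribute <last-octet>...
    targets=""
    for octet in "$@"; do targets="$targets $NET.$octet"; done
    missing=$(missing_pins "$PINNED" $targets)
    if [ -n "$missing" ]; then
        echo "no pinned host key for:" $missing >&2
        return 1
    fi
    # Create the key once; rerunning ssh-keygen on an existing file would
    # stop at an overwrite prompt. ed25519 replaces the 1024-bit DSA key.
    [ -f "$KEY" ] || ssh-keygen -q -t ed25519 -f "$KEY" -N '' || return 1
    for host in $targets; do
        # sshpass -f reads the password from a file, so it never appears in
        # the process list or shell history as it does with -p.
        # StrictHostKeyChecking=yes aborts if the key differs from the pin.
        sshpass -f "$PASSFILE" ssh-copy-id -i "$KEY.pub" \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$PINNED" "$host" || return 1
    done
}

# Run only on request so the functions can be loaded and checked alone.
if [ "${1:-}" = "--run" ]; then shift; distribute "$@"; fi
```

Saved as a script, it is started with: sh key-hardened.sh --run 7 41 (the file name is an assumption). It stops before any connection is made if one of the targets has no pinned host key.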

☆※ ansible batch management ※☆


Install ansible

yum install -y ansible

List ansible's configuration files

[11:53 root@m01 ~]# rpm -ql ansible|grep -v /usr/
/etc/ansible
/etc/ansible/ansible.cfg  ## configuration file
/etc/ansible/hosts   ## host inventory
/etc/ansible/roles

Configure the host inventory (basic)

[root@m01 ~]# tail -n4 /etc/ansible/hosts
[oldboy]
172.16.1.7
172.16.1.41

Creating the host inventory configuration


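Managing hosts with ansible assumes that key distribution has already been completed.

Use the ping module to check whether the clients are alive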

[root@m01 ~]# ansible all -m ping
172.16.1.41 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"  # reachable
}
172.16.1.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"  ## reachable
}

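Modules

command

The default command module. It supports only simple commands, not special shell characters, because the command is executed directly rather than through a shell.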

[root@m01 ~]# ansible all -m command -a 'hostname'
172.16.1.7 | CHANGED | rc=0 >>
web01

172.16.1.41 | CHANGED | rc=0 >>
backup
[root@m01 ~]# ansible all -m command -a 'echo {1..5}'
172.16.1.41 | CHANGED | rc=0 >>
{1..5}

172.16.1.7 | CHANGED | rc=0 >>
{1..5}

shell

Supports special shell characters and can run scripts.

[root@m01 ~]# ansible all -m shell  -a 'echo {1..5}'
172.16.1.41 | CHANGED | rc=0 >>
1 2 3 4 5

172.16.1.7 | CHANGED | rc=0 >>
1 2 3 4 5

copy

Pushes files and sets their permissions, owner and group.

[root@m01 ~]# ansible 172.16.1.41  -m copy  -a 'src=/etc/hostname dest=/tmp/ owner=oldboy group=oldboy mode=755 '
172.16.1.41 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "checksum": "f434396716e2c9aed47cfde87c491cce5a2c08fa", 
    "dest": "/tmp/hostname", 
    "gid": 1002, 
    "group": "oldboy", 
    "md5sum": "318d7defb693a2eb0d4f1a7a96575a57", 
    "mode": "0755", 
    "owner": "oldboy", 
    "size": 4, 
    "src": "/root/.ansible/tmp/ansible-tmp-1559052772.95-91077190707652/source", 
    "state": "file", 
    "uid": 1002
}

script

Transfers the script to the remote host first and then runs it.

[root@m01 ~]# #ansible all  -m script  -a "/server/scripts/yum.sh"
[root@m01 ~]# ansible all -a 'rpm -qa ipvsadm'
 [WARNING]: Consider using the yum, dnf or zypper module rather than running 'rpm'.  If you need to use command because
yum, dnf or zypper is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in
ansible.cfg to get rid of this message.

172.16.1.41 | CHANGED | rc=0 >>
ipvsadm-1.27-7.el7.x86_64

172.16.1.7 | CHANGED | rc=0 >>
ipvsadm-1.27-7.el7.x86_64

yum

Installs, removes and updates software.

Remove

[root@m01 ~]# ansible all -m yum -a 'name=tree state=absent'

Install

[root@m01 ~]# ansible all -m yum -a 'name=tree state=present'

Update

[root@m01 ~]# ansible all -m yum -a 'name=tree state=latest'

file

Creates files or directories.

[root@m01 ~]# ansible 172.16.1.7 -m file -a 'path=/tmp/1/2/3/4 state=directory'
172.16.1.7 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "gid": 0, 
    "group": "root", 
    "mode": "0755", 
    "owner": "root", 
    "path": "/tmp/1/2/3/4", 
    "size": 6, 
    "state": "directory", 
    "uid": 0
}
[root@m01 ~]# ansible all -m shell -a 'tree /tmp'
172.16.1.41 | CHANGED | rc=0 >>
/tmp
├── 1
│   └── 2
│       └── 3
│           └── 4