Problem: we now have six production servers that cannot be accessed freely; every SSH or SFTP login requires phone verification, which makes checking logs inconvenient. I want to sync the logs to a test machine so that production logs can be viewed without logging in to the production servers.
Idea: I considered installing rsync, but real-time sync eats resources, and if the sync lags, investigation is inconvenient; there is also no real need to keep two copies of the log files. Since CPU and bandwidth pressure on production is low, I wanted to mount directly over SSH. A search turned up shfs, but the production kernel was not built with the shfs module, and I did not intend to do anything as drastic as updating the kernel. So I decided to use sshfs.
Implementation: the production servers have no Internet access, so installing via yum is not possible; the only way is to download rpm packages.
Downloaded:
fuse-sshfs-3.4.0-1.fc30.x86_64.rpm
fuse3-3.2.3-16.fc30.x86_64.rpm
fuse-common-3.2.3-14.fc29.x86_64.rpm
Installation reported an error (the NOKEY warnings mean the packages' GPG signing keys are not imported into the rpm keyring, so rpm proceeded without verifying the signatures):
[root@xxxx db2inst1]# rpm -ivf fuse-common-3.2.3-14.fc29.x86_64.rpm
warning: fuse-common-3.2.3-14.fc29.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 429476b4: NOKEY
Preparing packages for installation...
fuse-common-3.2.3-14.fc29
[root@xxxx db2inst1]# rpm -ivf fuse3-3.2.3-16.fc30.x86_64.rpm
warning: fuse3-3.2.3-16.fc30.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID cfc659b9: NOKEY
error: Failed dependencies:
libc.so.6(GLIBC_2.14)(64bit) is needed by fuse3-3.2.3-16.fc30.x86_64
I thought about upgrading GLIBC, but found that gcc is not installed on production, and I did not want to do an installation at that level.
So I checked the current version of libc.so.6 (it goes up to GLIBC_2.12):
#strings /lib64/libc.so.6 | grep GLIBC
GLIBC_2.2.5
GLIBC_2.2.6
GLIBC_2.3
GLIBC_2.3.2
GLIBC_2.3.3
GLIBC_2.3.4
GLIBC_2.4
GLIBC_2.5
GLIBC_2.6
GLIBC_2.7
GLIBC_2.8
GLIBC_2.9
GLIBC_2.10
GLIBC_2.11
GLIBC_2.12
GLIBC_PRIVATE
[db2inst1@xxxx~]$
Based on that version, I downloaded older sshfs packages, and the installation succeeded (as the output shows, the fuse rpm itself was refused because fuse-2.8.3-4.el6 was already installed, and that newer fuse was enough for the sshfs package).
fuse-sshfs-2.2-1.el6.rf.x86_64.rpm
fuse-2.7.4-8_12.el4.x86_64.rpm
[root@xxxx db2inst1]# rpm -ivf fuse-2.7.4-8_12.el4.x86_64.rpm
warning: fuse-2.7.4-8_12.el4.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 66534c2b: NOKEY
Preparing packages for installation...
package fuse-2.8.3-4.el6.x86_64 (which is newer than fuse-2.7.4-8_12.el4.x86_64) is already installed
file /bin/fusermount from install of fuse-2.7.4-8_12.el4.x86_64 conflicts with file from package fuse-2.8.3-4.el6.x86_64
file /bin/ulockmgr_server from install of fuse-2.7.4-8_12.el4.x86_64 conflicts with file from package fuse-2.8.3-4.el6.x86_64
file /etc/udev/rules.d/99-fuse.rules from install of fuse-2.7.4-8_12.el4.x86_64 conflicts with file from package fuse-2.8.3-4.el6.x86_64
file /sbin/mount.fuse from install of fuse-2.7.4-8_12.el4.x86_64 conflicts with file from package fuse-2.8.3-4.el6.x86_64
[root@xxxx db2inst1]# rpm -ivf fuse-sshfs-2.2-1.el6.rf.x86_64.rpm
warning: fuse-sshfs-2.2-1.el6.rf.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 6b8d79e6: NOKEY
Preparing packages for installation...
Initial setup
First, do a mount to verify.
#sshfs tomcat@xxx.xxx.xxx.xxx:/app/apache-tomcat-8.5.31/logs/ app1
#ls app1
I can see the logs now, so I can mount the other servers too, and then deal with mounting automatically at every boot.
Set up auto-start:
Write the mount script
#vi /etc/init.d/mountsshfs
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
#
# Mount SSH file systems in /etc/sshfstab.
#
echo -n "Mounting SSH filesystems..."
if [ -f /etc/sshfstab ] ; then
    ( cat /etc/sshfstab ; echo ) | sed -e '/^#/d' -e '/^$/d' | (
    while read host mount_point sshfs_options fuse_options
    do
        # Only pass -o for option columns that are actually present; an empty
        # column would otherwise leave a dangling "-o" and sshfs would refuse to
        # start (the second /etc/sshfstab entry has no fuse_options column).
        opts=""
        [ -n "$sshfs_options" ] && opts="-o $sshfs_options"
        [ -n "$fuse_options" ] && opts="$opts -o $fuse_options"
        sshfs $host $mount_point $opts
    done
    )
fi
echo "done"
: exit 0
Write the unmount script
#vi /etc/init.d/umountsshfs
#!/bin/sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
#
# Unmount SSH file systems in /etc/mtab.
#
echo -n "Unmounting SSH filesystems..."
if [ -f /etc/mtab ] ; then
    ( cat /etc/mtab ; echo ) | sed -e '/^#/d' -e '/^$/d' | (
    while read host mount_point options
    do
        # sshfs 2.x records the mtab device field as "sshfs#user@host:path";
        # the awk program must stay on one line, a line break inside it is a syntax error
        if echo $host | awk '{ if ( substr($0, 1, 6) == "sshfs#" ) exit 0; else exit 1 }' ; then
            umount $mount_point
        fi
    done
    )
fi
echo "done"
: exit 0
Mount table
#vi /etc/sshfstab
tomcat@xxx.xxx.xxx.xxx:/app/apache-tomcat-8.5.31/logs /logs/app1 sshfs_sync default_permissions,allow_other,kernel_cache,hard_remove
tomcat@xxx.xxx.xxx.xxx:/app/apache-tomcat-8.5.31/logs /logs/app2 sshfs_sync
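The two init scripts above and the /etc/sshfstab format are simple enough to exercise without a real server. The following is an added example, not the post's own script: it parses an sshfstab-style file (constructed inline, with documentation-range addresses as placeholders) into one sshfs command per entry, dropping the "-o" for option columns that are empty, and it scans an mtab-format file for sshfs mounts the way the unmount script does. It goes one step beyond the post by also recognising the newer mtab form, where the device is a plain user@host:path and the fstype is fuse.sshfs, in addition to the old "sshfs#" prefix.

```shell
#!/bin/sh
# Added example (not the post's own script): build sshfs command lines from an
# /etc/sshfstab-style file and find sshfs mount points in an mtab-style file.
# All sample input is constructed in the test; hosts and paths are placeholders.

# Build the sshfs command for one sshfstab entry.
# Columns: host mount_point [sshfs_options] [fuse_options]
# Empty option columns produce no "-o"; the naive "-o $var" form would leave
# a dangling -o and sshfs would refuse to start.
build_sshfs_cmd() {
    host=$1; mount_point=$2; sshfs_options=$3; fuse_options=$4
    cmd="sshfs $host $mount_point"
    if [ -n "$sshfs_options" ]; then cmd="$cmd -o $sshfs_options"; fi
    if [ -n "$fuse_options" ]; then cmd="$cmd -o $fuse_options"; fi
    printf '%s\n' "$cmd"
}

# Read an sshfstab file and print one command per line, skipping comments and
# blank lines.  The appended "echo" guarantees the last line is newline
# terminated, so "read" does not drop an entry that lacks a trailing newline.
sshfstab_commands() {
    ( cat "$1"; echo ) | sed -e '/^#/d' -e '/^$/d' |
    while read -r host mount_point sshfs_options fuse_options; do
        build_sshfs_cmd "$host" "$mount_point" "$sshfs_options" "$fuse_options"
    done
}

# Print the mount points of sshfs file systems listed in an mtab-format file.
# Old sshfs/fuse record the device as "sshfs#user@host:path"; newer releases
# record the plain "user@host:path" with fstype fuse.sshfs, so check both.
sshfs_mount_points() {
    while read -r device mount_point fstype _rest; do
        case "$device" in
            sshfs#*)
                printf '%s\n' "$mount_point" ;;
            *)
                if [ "$fstype" = "fuse.sshfs" ]; then
                    printf '%s\n' "$mount_point"
                fi ;;
        esac
    done < "$1"
}
```

Running sshfstab_commands against a copy of /etc/sshfstab before enabling the init script is a cheap dry run: the printed commands show exactly what the boot-time loop will execute, including any entry with a missing option column.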
Add rc symlinks for the mount and unmount scripts
#cd /etc/rc0.d
#ln -s ../init.d/umountsshfs S15umountsshfs
#cd /etc/rc6.d
#ln -s ../init.d/umountsshfs S15umountsshfs
#cd /etc/rc2.d
#ln -s ../init.d/mountsshfs S85mountsshfs
#cd /etc/rc3.d
#ln -s ../init.d/mountsshfs S85mountsshfs
#cd /etc/rc4.d
#ln -s ../init.d/mountsshfs S85mountsshfs
#cd /etc/rc5.d
#ln -s ../init.d/mountsshfs S85mountsshfs
Set up passwordless login
Client-side setup
ssh-keygen -t rsa
Use the default path and leave the passphrase empty.
cat ~/.ssh/id_rsa.pub | ssh tomcat@xxx.xxx.xxx.xxx "cat - >>.ssh/authorized_keys"
After entering the password, the transfer succeeded.
Server-side setup
Because the .ssh directory does not exist by default, I also ran
ssh-keygen -t rsa on the server to create the directory, then had the client transfer authorized_keys again.
Then from the client, run
ssh tomcat@xxx.xxx.xxx.xxx and confirm that it logs in directly without a password.
Then I rebooted the whole machine (reboot now), and verification was OK~
Pitfalls I hit:
1. Passwordless login did not work.
Set the server's .ssh directory to 700 and .ssh/authorized_keys to 600 (sshd's default StrictModes ignores keys in a directory or file that others can write to).
2. A warning appeared, but the connection still succeeded:
reverse mapping checking getaddrinfo for bogon [xxx.xxx.xxx.xxx] failed - POSSIBLE BREAK-IN ATTEMPT!
Resolved by adding the IP and hostname to /etc/hosts. This is OpenSSH's reverse-DNS consistency check: the connecting IP's reverse lookup returned a name that does not resolve back to the same IP, and the /etc/hosts entry makes the two agree.
3. After setup, other users could not open the files; add the sshfs option allow_other. Because the init script runs as root, no user_allow_other entry in /etc/fuse.conf is needed; an unprivileged user running sshfs would need that line.
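The server-side key installation above was done by hand, and pitfall 1 shows how easily the permissions end up wrong. The following added example, not from the post, does the same thing as a repeatable function: it creates .ssh with mode 700, appends the public key only if that exact line is not already present, sets authorized_keys to 600, and then re-checks both modes so a wrong permission is reported instead of silently causing a password prompt. The home directory and key line are parameters; the test uses a temporary directory and a constructed, non-functional key string.

```shell
#!/bin/sh
# Added example (not from the post): idempotent authorized_keys install with
# the 700/600 modes that sshd's StrictModes requires.  Paths and the key
# string used in the test are constructed placeholders.

# Print the octal permission bits of a path (GNU stat, falling back to BSD).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when ~/.ssh is 700 and authorized_keys is 600, else 1.
# With StrictModes (the default) sshd ignores keys in group- or
# world-writable locations, which looks like "the key just does not work".
ssh_perms_ok() {
    home_dir=$1
    [ "$(mode_of "$home_dir/.ssh")" = "700" ] || return 1
    [ "$(mode_of "$home_dir/.ssh/authorized_keys")" = "600" ] || return 1
    return 0
}

# Append a public-key line unless the same line is already present, creating
# .ssh with the right modes first (the post used a throw-away ssh-keygen run
# on the server for that).  Returns 0 when the key is installed and the
# permissions verify, non-zero otherwise.
install_authorized_key() {
    home_dir=$1; pubkey=$2
    ssh_dir=$home_dir/.ssh
    ak=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$ak"
    chmod 600 "$ak"
    # -F -x: fixed-string, whole-line match, so '+' and '/' in the base64
    # body are not treated as regex metacharacters and a prefix never matches
    if ! grep -F -x -q -- "$pubkey" "$ak"; then
        printf '%s\n' "$pubkey" >> "$ak"
    fi
    ssh_perms_ok "$home_dir"
}

# Count installed keys (non-empty, non-comment lines); used to confirm that
# repeated installs do not duplicate an entry.
count_keys() {
    grep -c -v -e '^#' -e '^$' "$1/.ssh/authorized_keys" || true
}
```

Running install_authorized_key twice with the same key leaves a single entry, and ssh_perms_ok can be called on its own after any manual edit of the directory to confirm that sshd will still accept the file.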