SSH批量管理项目如何一键一秒钟完成:一秒完成。
1.ssh-keygen非交互式创建秘钥对:
具体命令:ssh-keygen -f ~/.ssh/id_rsa -P '' -q
参数讲解:
ssh-keygen:密钥对创建工具
[-P old_passphrase] 密码
[-f output_keyfile] 输出的秘钥文件
[-q] 不输出信息
[-t dsa ] 指定秘钥类型。
2.ssh-copy-id不需要提示yes/no分发秘钥
具体命令:ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no 172.16.1.8
参数讲解:
ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root172.16.1.8
ssh-copy-id [-f] [-i [identity_file]] [-p port] [[-o
说明:
-f: force mode 强制
[-i [identity_file]] 指定秘钥文件
[[-o
3.sshpass工具:指定密码非人工交互分发秘钥
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
[root@web02 ~]# sshpass -help
Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
sshpass [-f|-d|-p|-e] [-hV] command parameters
参数讲解:
-p password Provide password as argument (security unwise) #指定用户密码操作
4.一键配置实践
把web02作为分发服务器:
web02(8)-->m01(61)
web02(8)-->web01(7)
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
#!/bin/bash
#yum install sshpass -y
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 61
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
ssh 172.16.1.61 "ifconfig eth0"
老男孩Linux58期-ansible自动化管理实践
1.ansible介绍
ssh秘钥认证+脚本批量管理,特点:简单、实用,
但是看起来比较LOW,需要人工写脚本,类似实时复制的inotify工具。
2013以前这种方式很普遍。
MySQL高可用 MHA集群,要求所有机器互相秘钥认证。
大数据集群也需要。
2.批量管理工具历史
SSH+脚本 CFEngine、Puppet、saltstack 、ansible
08年以前 07-08年 10-13年 14-17(python开发) 16-(python开发)
sina网
3.为什么用ansible?
简单、方便、容易学习、功能同样强大。
ansible有配置文件,可以多线程直接实现。不需要写脚本,类似实时复制的sersync。
4.什么是ansible?
Ansible是一个用来远程管理服务器的工具软件。
Ansible是一个用来批量部署远程主机上服务的工具。这里“远程主机(Remote Host)”是指任
何可以通过SSH登录的主机,所以它既可以是远程虚拟机或物理机,也可以是本地主机。
Ansible通过SSH协议实现管理节点与远程节点之间的通信。理论上来说,只要能通过SSH登录到
远程主机来完成的操作,都可以通过Ansible实现批量自动化操作。
涉及管理操作:复制文件、安装服务、服务启动停止管理、配置管理等等。
5.为什么要用批量管理工具运维?
提高效率,百度几万台服务器,阿里几十万台服务器。
如何省钱?
SSD+SATA 热点存储 15 15 7
6.Ansible特点
Ansible基于Python语言实现,由Paramiko和PyYAML两个关键模块构建。
Shell、Python是Linux运维学员必会的两门语言。
1)安装部署过程特别简单,学习曲线很平坦。
2)不需要单独安装客户端,只是利用现有的SSHD服务(协议)即可。
3)不需要服务端(no servers)。
4)ansible playbook,采用yaml配置,提前编排自动化任务。
5)ansible功能模块较多,对于自动化的场景支持丰富。
官方:http://docs.ansible.com
7.Ansible架构介绍(见图说明)
1、连接插件connectior plugins用于连接主机 用来连接被管理端
2、核心模块 core modules 连接主机实现操作, 它依赖于具体的模块来做具体的事情
3、自定义模块 custom modules,根据自己的需求编写具体的模块
4、插件 plugins,完成模块功能的补充
5、剧本 playbooks,ansible的配置文件,将多个任务定义在剧本中,由ansible自动执行
6、主机清单 inventor,定义ansible需要操作主机的范围
最重要的一点是 ansible是模块化的 它所有的操作都依赖于模块
(懂Python可以二次开发)
8.ansible实践环境准备
61(m01)====>31(nfs01)
61(m01) ====>41(backup)
9.安装ansible
m01管理机:
yum install epel-release -y
yum install ansible -y
#如果有libselinux-python就不执行下面的命令了。
#rpm -qa |grep libselinux-python
#yum install libselinux-python -y
其他所有机器:
#rpm -qa |grep libselinux-python
#yum install libselinux-python -y
10.主机列表配置
ssh列表实现方法:
for n in 7 8
do
echo 172.16.1.$n
done
/etc/ansible/hosts主机资产清单文件,用于定义被管理主机的认证信息,
例如ssh登录用户名、密码以及key相关信息。如何配置Inventory文件
1.主机支持主机名通配以及正则表达式,例如web[1:3].oldboy.com代表三台主机
2.主机支持基于非标准的ssh端口,例如web1.oldboyedu.com:6666
3.主机支持指定变量,可对个别主机的特殊配置,如登陆用户\密码
4.主机组支持指定变量[group_name:vars],同时支持嵌套组[game:children]
实践:
cp /etc/ansible/hosts{,.ori}
cat >/etc/ansible/hosts<
172.16.1.31
172.16.1.41
[oldgirl]
172.16.1.31
172.16.1.41
172.16.1.51
EOF
cat /etc/ansible/hosts
/etc/ansible/ansible.cfg #ansible的配置文件
11.小试牛刀
直接执行如下命令或报错
ansible oldboy -m command -a "free -m"
基于SSH秘钥认证的前提下:
如果没有做SSH秘钥认证,可以把用户名密码写到
/etc/ansible/hosts
[oldboy_pass]
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_ssh_user=root ansible_ssh_pass=123456
ansible oldboy -m command -a "free -m" 要想成功,先解决yes/no的问题。
1、ssh连接一遍。
2、ssh -o 参数
上述命令就是sshpass的封装
ansible关闭ssh首次连接时yes/no提示
使用ssh连接时,可以使用-o参数将StrictHostKeyChecking设置为no,
避免使用ssh连接时避免首次连接时让输入yes/no部分的提示。
方法1:修改 /etc/ansible/ansible.cfg中的374行
369 [ssh_connection]
370
371 # ssh arguments to use
372 # Leaving off ControlPersist will result in poor performance, so use
373 # paramiko on older platforms rather than removing it, -C controls compression use
374 #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
374行改为:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
方法2:修改 /etc/ansible/ansible.cfg中的71行
70 # uncomment this to disable SSH key host checking
71 #host_key_checking = False
71行的注释取消:host_key_checking = False
[root@m01 /server/scripts]# > ~/.ssh/known_hosts
[root@m01 /server/scripts]# ssh 172.16.1.31
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? ^C
[root@m01 /server/scripts]# ansible oldboy -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 88 592 13 291 708
Swap: 767 0 767
172.16.1.41 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 89 572 13 310 706
Swap: 767 0 767
目标:ansible是不是需要免秘钥认证(ssh免秘钥认证)? yes
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.7
还原ansible.cfg配置,重启服务器
[root@m01 ~]# ansible oldboy -m command -a "free -m"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)?
解决yes/no不需要输入问题:
修改ansible.cfg 374行:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
在执行报错:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
解决公钥问题:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
执行ansible命令:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
for ip in 31
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.31 "ifconfig eth0"
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 71 804 7 96 768
Swap: 767 0 767
验证:删除公钥,是不是不可以了?
重启后,不行,重启前可以
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Could not create directory '/root/.ssh'.\r\nWarning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
修改Host增加用户和密码:
[root@m01 ~]# cat /etc/ansible/hosts
#[oldboy]
#172.16.1.31
#172.16.1.7
[oldboy_pass]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
结果:
[root@m01 ~]# ansible oldboy_pass -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 79 791 7 101 758
Swap: 767 0 767
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 806 7 95 771
Swap: 767 0 767
结论:使用SSH连接:
密码认证 host里主机后面加密码 Paramiko模块 重点:
秘钥认证:提前发公钥,才能用ansible. SSHPASS工具
http://docs.ansible.com/ansible/latest/intro_inventory.html#list-of-behavioral-inventory-parameters
特殊端口:
[oldboy]
172.16.1.7 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
12.基于SSH秘钥认证的实践
一键创建及分发秘钥:
#!/bin/bash
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 8 41 31
do
sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
[root@m01 ~]# ansible oldboy -m command -a "free -m" #和前面sh cmd.sh "free -m"
11.ansible命令参数
-m MODULE_NAME, 模块名字,默认command
-a MODULE_ARGS, 模块参数
-f FORKS 并发进程数,默认5个。
-i INVENTORY(default=/etc/ansible/hosts)指定主机列表文件
===================
ansible
ansible-doc
ansible-playbook
ansible-galaxy
===================
12.ansible模块查看和帮助
查找模块
ansible-doc -l #模块就Linux命令了。
查看某个模块的具体参数帮助
ansible-doc -s command #Linux命令参数
12.1 command模块
1)功能说明:
command Executes a command on a remote node
功能说明:执行一个命令在远程节点上
操作实践:
ansible oldboy -m command -a "free -m"
ansible oldboy -m command -a "df -h"
ansible oldboy -m command -a "ls /root"
ansible oldboy -m command -a "cat redhat-release"
ansible oldboy -m command -a "cat /etc/redhat-release"
最通用的功能。
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/redhat-release"
172.16.1.7 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.31 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.41 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
[root@m01 ~]# cat /server/scripts/cmd.sh
for n in 31 41
do
echo "=====172.16.1.n "$1"
done
[root@m01 ~]# sh /server/scripts/cmd.sh "cat /etc/redhat-release"
=====172.16.1.31======
CentOS Linux release 7.6.1810 (Core)
=====172.16.1.41======
CentOS Linux release 7.6.1810 (Core)
特殊:不支持的东西,例如 > < | &等 $HOME,替代方案用shell模块
ansible oldboy -m shell -a "ps -ef|grep ssh"
ansible oldboy -m shell -a "echo oldboy >/tmp/a.log"
2)常用参数说明及实践
[root@m01 ~]# ansible-doc -s command
- name: Executes a command on a remote node
command:
argv: # Allows the user to provide the command as a list vs. a string. Only the
string or the list form can be provided, not
both. One or the other must be provided.
chdir: # Change into this directory before running the command.
creates: # A filename or (since 2.0) glob pattern. If it already exists, this step
won't be run.
free_form: # (required) The command module takes a free form command to run. There is no
parameter actually named 'free form'. See the
examples!
removes: # A filename or (since 2.0) glob pattern. If it already exists, this step will be run.
stdin: # Set the stdin of the command directly to the specified value.
warn: # If command_warnings are on in ansible.cfg, do not warn about this particular
line if set to `no'.
参数:chdir=/tmp配置相当于cd /tmp
[root@m01 ~]# ansible oldboy -m command -a "pwd chdir=/etc"
ansible oldboy -m shell -a "cd /etc/;pwd"
参数:creates=/etc 相当于条件测试 [ -e /etc ]||pwd 和下面removes相反
[root@m01 ~]# ansible oldboy -m command -a "pwd creates=/etc"
参数:removes=/root 相当于条件测试 [ -e /root ]&&ls /root
ansible oldboy -m command -a "ls /root removes=/root"
ansible oldboy -m shell -a "[ -d /etc ]||pwd"
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/hosts removes=/etc/hosts"
参数:warn=False 忽略警告
[root@m01 ~]# ansible oldboy -m command -a "chmod 000 /etc/hosts warn=False"