Installing ansible on CentOS 7.4 x86_64 1708

I. Install dependency packages

1. Add a local yum repo and upload the installation media

root@dg01[/soft/os_iso]#pwd
/soft/os_iso
root@dg01[/soft/os_iso]#ll CentOS*
-rwxrwxrwx. 1 root root 8694792192 Jun 14 23:07 CentOS-7-x86_64-Everything-1708.iso

2. Mount the media

root@dg01[/soft/os_iso]#mount -o loop /soft/os_iso/CentOS-7-x86_64-Everything-1708.iso /mnt

root@dg01[/soft/os_iso]#df -Th

/dev/loop0              iso9660   8.1G  8.1G     0 100% /mnt

3. Configure the local ISO yum repo

root@dg01[/etc/yum.repos.d]#vi /etc/yum.repos.d/file.repo
[centos7-Server]
name=centos7-Server
baseurl=file:///mnt
enabled=1
gpgcheck=0
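The repo file above sets gpgcheck=0, so packages from the ISO are installed without RPM signature verification. As an added example (not part of the original post), the shell functions below write the same repo definition with checking enabled and confirm that the referenced key exists before yum is run. They assume the ISO is mounted at the given directory and carries its signing key as RPM-GPG-KEY-CentOS-7 at its root, as the CentOS 7 media do; the demo at the end uses a constructed directory rather than a real mount.

```shell
#!/bin/bash
# Added example, not from the original post: a local-ISO yum repo definition
# with GPG signature checking enabled, plus a check that the key it points to
# exists. Assumes the ISO is mounted at MOUNTPOINT and ships its signing key
# as RPM-GPG-KEY-CentOS-7 at the root of the ISO (true for CentOS 7 media;
# confirm with "ls /mnt/RPM-GPG-KEY-*" on your own mount).

# write_local_iso_repo MOUNTPOINT OUTFILE
# Writes the same [centos7-Server] section as the post's file.repo, but with
# gpgcheck=1 and gpgkey pointing at the key on the ISO.
write_local_iso_repo() {
    local mnt="$1" out="$2"
    cat > "$out" <<EOF
[centos7-Server]
name=centos7-Server
baseurl=file://$mnt
enabled=1
gpgcheck=1
gpgkey=file://$mnt/RPM-GPG-KEY-CentOS-7
EOF
}

# repo_gpg_ok REPOFILE
# Returns 0 only if REPOFILE has gpgcheck=1 and every file:// key it
# references exists, so a disabled check or a mistyped key path is caught
# before the first yum run rather than at install time.
repo_gpg_ok() {
    local repo="$1" key found=0
    grep -qx 'gpgcheck=1' "$repo" || return 1
    for key in $(sed -n 's#^gpgkey=file://##p' "$repo"); do
        found=1
        [ -f "$key" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Demo on a constructed directory standing in for the mounted ISO.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/mnt"
: > "$demo_dir/mnt/RPM-GPG-KEY-CentOS-7"      # placeholder for the key on the ISO
write_local_iso_repo "$demo_dir/mnt" "$demo_dir/file.repo"
if repo_gpg_ok "$demo_dir/file.repo"; then
    echo "file.repo: signature checking enabled and key present"
fi
rm -rf "$demo_dir"
```

On the real host the call is write_local_iso_repo /mnt /etc/yum.repos.d/file.repo followed by repo_gpg_ok /etc/yum.repos.d/file.repo; the remaining steps of the install are unchanged.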

4. Update yum from the repo

root@dg01[/soft/os_iso]#yum update

5. Install dependency packages

root@dg01[/etc/yum.repos.d]#yum -y install python-jinja2

root@dg01[/etc/yum.repos.d]#yum -y install PyYAML

6. Download and install epel

root@dg01[/root]#ll epel*
-rw-r--r-- 1 root root 15080 Jul 29 12:11 epel-release-latest-7.noarch.rpm
root@dg01[/root]#

7. Installing epel sets up a network yum repo; two new files appear in the /etc/yum.repos.d directory

root@dg01[/etc/yum.repos.d]#ll
total 12
drwxr-xr-x. 2 root root  187 Jul 23 22:18 backup
-rw-r--r--  1 root root  951 Oct  3  2017 epel.repo
-rw-r--r--  1 root root 1050 Oct  3  2017 epel-testing.repo
-rw-r--r--. 1 root root   78 Jul 23 22:18 file.repo

Rename the original local ISO repo file

root@dg01[/etc/yum.repos.d]#mv file.repo file.repo_bak

Update yum again

root@dg01[/etc/yum.repos.d]#yum update

8. Install ansible

root@dg01[/etc/yum.repos.d]#yum -y install ansible

Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-paramiko-2.1.1-0.4.el7.noarch                         1/9 
  Installing : python2-jmespath-0.9.0-1.el7.noarch                          2/9 
  Installing : libtommath-0.42.0-5.el7.x86_64                               3/9 
  Installing : libtomcrypt-1.17-25.el7.x86_64                               4/9 
  Installing : python2-crypto-2.6.1-13.el7.x86_64                           5/9 
  Installing : python-keyczar-0.71c-2.el7.noarch                            6/9 
  Installing : sshpass-1.06-1.el7.x86_64                                    7/9 
  Installing : python-httplib2-0.9.2-0.1.el7.noarch                         8/9 
  Installing : ansible-2.6.1-1.el7.noarch                                   9/9 
  Verifying  : python-keyczar-0.71c-2.el7.noarch                            1/9 
  Verifying  : python-httplib2-0.9.2-0.1.el7.noarch                         2/9 
  Verifying  : ansible-2.6.1-1.el7.noarch                                   3/9 
  Verifying  : sshpass-1.06-1.el7.x86_64                                    4/9 
  Verifying  : libtomcrypt-1.17-25.el7.x86_64                               5/9 
  Verifying  : libtommath-0.42.0-5.el7.x86_64                               6/9 
  Verifying  : python2-crypto-2.6.1-13.el7.x86_64                           7/9 
  Verifying  : python2-jmespath-0.9.0-1.el7.noarch                          8/9 
  Verifying  : python-paramiko-2.1.1-0.4.el7.noarch                         9/9 

Installed:
  ansible.noarch 0:2.6.1-1.el7                                                  

Dependency Installed:
  libtomcrypt.x86_64 0:1.17-25.el7        libtommath.x86_64 0:0.42.0-5.el7     
  python-httplib2.noarch 0:0.9.2-0.1.el7  python-keyczar.noarch 0:0.71c-2.el7  
  python-paramiko.noarch 0:2.1.1-0.4.el7  python2-crypto.x86_64 0:2.6.1-13.el7 
  python2-jmespath.noarch 0:0.9.0-1.el7   sshpass.x86_64 0:1.06-1.el7          

Complete!

9. If other dependency packages turn out to be missing during installation, just install whatever the error message names.

II. Use ansible to set up passwordless login to the target hosts in bulk

In this example, after setting up passwordless login to several hosts, a single script shuts all of them down in one go.

10. The script is as follows:

#!/bin/bash

ssh-keygen

#1. Strip blank lines and whitespace from the IP list file
sed -e '/^$/d' -e 's/[[:space:]]//g' /root/ip_lists.txt > /tmp/ip_lists.txt
mv /root/ip_lists.txt /root/ip_lists_bak.txt
cp /tmp/ip_lists.txt /root/ip_lists.txt

#2. Strip blank lines from /etc/ansible/hosts
sed -e '/^$/d' /etc/ansible/hosts > /tmp/hosts
mv /etc/ansible/hosts /etc/ansible/hosts_bak
cp /tmp/hosts /etc/ansible/hosts

#3. Add the host keys of all target hosts to /root/.ssh/known_hosts on the ansible control host
while read -r line
do
        echo "$line"
        ssh-keyscan "$line" >> /root/.ssh/known_hosts
done < /root/ip_lists.txt

#4. Add the IP addresses of the target hosts to /etc/ansible/hosts on the ansible control host
while read -r line
do
        echo "$line"
        echo "$line" >> /etc/ansible/hosts
done < /root/ip_lists.txt

#5. Run the following command on the ansible control host; it prompts for the password and sets up passwordless login
##If the hosts in the list have different root passwords, run it once with each known password; hosts whose password matches are set up
##Running it repeatedly with different passwords does not affect hosts already set up
#ansible webservers -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k

##6. Run the shutdown command on the hosts that were set up
#while read -r line
#do
#echo "$line"
##Perform the shutdown
#ssh -tq "$line" << remotessh
#sync
#shutdown -h now
#echo "remote host shutdown successfully!"
#exit
#remotessh
#done < /root/ip_lists.txt

Script notes:

The script sets up passwordless login for every host IP recorded in /root/ip_lists.txt, then logs in to those hosts from the script and shuts them down in one go; you can of course run any other command over ssh instead.

Format of /root/ip_lists.txt:

root@dg01[/root]#cat /root/ip_lists.txt
192.168.2.18
192.168.2.100

The file has a single column listing all host IP addresses. The root password of these hosts must be the same, or at least one of a few known fixed values. If it is the same everywhere, the bulk setup needs the password typed only once; with two fixed passwords it has to be typed twice, and so on.
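Steps 1 to 4 of the script append to /root/.ssh/known_hosts and /etc/ansible/hosts on every run and accept whatever is in the IP list. The following is an added example, not the post's script: a shell version of the same preparation that validates each entry as an IPv4 address, adds each inventory entry only once, and keeps an already-recorded host key instead of appending a second key for the same host (with a second key on file, the old entry no longer protects against a changed key). File paths are parameters; the group name webservers and the locations /root/ip_lists.txt, /etc/ansible/hosts and /root/.ssh/known_hosts are taken from the post, and all data in the demo is constructed.

```shell
#!/bin/bash
# Added example, not the post's script: the same preparation as steps 1 to 4
# of the script above, made idempotent and validating. File paths are
# parameters; in production pass /root/ip_lists.txt, /etc/ansible/hosts and
# /root/.ssh/known_hosts (the locations used in the post).

# valid_octets A.B.C.D -> 0 if every octet is in 0..255
valid_octets() {
    local IFS=. o
    for o in $1; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# clean_ip_list IN OUT
# Removes blank lines and whitespace (what the post's sed pipeline does) and
# additionally rejects anything that is not a dotted-quad IPv4 address, so a
# stray hostname, CIDR range or typo never reaches ssh-keyscan or the
# inventory. Writes the accepted entries to OUT; returns 1 if any entry was
# rejected (the bad entries are reported on stderr).
clean_ip_list() {
    local in="$1" out="$2" line bad=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
           && valid_octets "$line"; then
            printf '%s\n' "$line" >> "$out"
        else
            echo "rejected entry: $line" >&2
            bad=1
        fi
    done < "$in"
    return "$bad"
}

# add_inventory_hosts IPLIST INVENTORY GROUP
# Adds each IP to the inventory once. The group header is created if absent;
# new IPs are appended at the end, which assumes GROUP is the last section of
# the file, as [webservers] is in the post's /etc/ansible/hosts. Re-running
# never duplicates an entry (the post's loop appends unconditionally).
add_inventory_hosts() {
    local list="$1" inv="$2" group="$3" ip
    [ -f "$inv" ] || : > "$inv"
    grep -qxF "[$group]" "$inv" || printf '[%s]\n' "$group" >> "$inv"
    while IFS= read -r ip; do
        grep -qxF "$ip" "$inv" || printf '%s\n' "$ip" >> "$inv"
    done < "$list"
}

# merge_known_hosts SCAN KNOWN
# Merges ssh-keyscan output (SCAN, "host keytype key" lines) into KNOWN,
# adding a (host, keytype) pair only when KNOWN has no entry for it yet. An
# already-recorded host keeps its old key, so a host that later presents a
# different key triggers ssh's host-key-changed error instead of the new key
# being trusted next to the old one. Comment lines are skipped.
merge_known_hosts() {
    local scan="$1" known="$2" host type key
    [ -f "$known" ] || : > "$known"
    while read -r host type key; do
        case "$host" in ''|'#'*) continue ;; esac
        if ! awk -v h="$host" -v t="$type" '$1==h && $2==t {f=1} END {exit !f}' "$known"; then
            printf '%s %s %s\n' "$host" "$type" "$key" >> "$known"
        fi
    done < "$scan"
}

# Demo on constructed data in a temporary directory (no network, no root).
demo() {
    local d
    d=$(mktemp -d)
    # constructed IP list with the whitespace and blank line the post's sed removes
    printf '192.168.2.18 \n\n  192.168.2.100\n' > "$d/ip_lists.txt"
    clean_ip_list "$d/ip_lists.txt" "$d/ip_clean.txt"
    add_inventory_hosts "$d/ip_clean.txt" "$d/hosts" webservers
    add_inventory_hosts "$d/ip_clean.txt" "$d/hosts" webservers   # second run: no duplicates
    echo "--- inventory after two runs ---"; cat "$d/hosts"
    # constructed keyscan output: a changed key for a known host and one new host
    printf '192.168.2.18 ssh-rsa AAAAold\n' > "$d/known_hosts"
    printf '192.168.2.18 ssh-rsa AAAAnew\n192.168.2.100 ssh-rsa AAAAb\n' > "$d/scan.txt"
    merge_known_hosts "$d/scan.txt" "$d/known_hosts"
    echo "--- known_hosts after merge ---"; cat "$d/known_hosts"
    rm -rf "$d"
}
demo
```

In place of step 3 of the post's script, the keyscan results are collected first (ssh-keyscan on each cleaned IP, redirected to a scan file) and then merged with merge_known_hosts, so a rerun of the preparation on an already-trusted host changes nothing on the control host.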

a. First run of the script

ssh-keygen

On the first run of the script, this command (which only needs to run once) prompts for input:

root@dg01[/root]#./shutdown_all_vmlinux.sh 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wXsasJMijX0ftnoy9kl1xaxaNcNW2p7GPPQtUnPkoqw root@dg01
The key's randomart image is:
+---[RSA 2048]----+
|                o|
|       .     + * |
|      . o     #.+|
|   +   + o . B+B+|
|  o + = S o B .*+|
|   . o + B = ....|
|        = E      |
|      +o..       |
|     ..=o        |
+----[SHA256]-----+
192.168.2.18
# 192.168.2.18:22 SSH-2.0-OpenSSH_5.3
# 192.168.2.18:22 SSH-2.0-OpenSSH_5.3
# 192.168.2.18:22 SSH-2.0-OpenSSH_5.3
192.168.2.100
# 192.168.2.100:22 SSH-2.0-OpenSSH_5.3
# 192.168.2.100:22 SSH-2.0-OpenSSH_5.3
# 192.168.2.100:22 SSH-2.0-OpenSSH_5.3
192.168.2.18
192.168.2.100

Just press Enter through the prompts.

b. After the first run, remember to comment it out:

#ssh-keygen

c. This step is manual

For the bulk passwordless setup, this is where the passwords of all the hosts in /root/ip_lists.txt are typed by hand. If they all share one root password, once is enough; if they use two fixed root passwords, it has to be typed twice.

Command 5 of the script:

ansible webservers -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k

Take it out and run it directly on the ansible control host (the host where ansible was installed).

First run:

root@dg01[/root]#ansible webservers -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k
SSH password: 
192.168.2.100 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Authentication failure.", 
    "unreachable": true
}
192.168.2.18 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Authentication failure.", 
    "unreachable": true
}

The first time I deliberately typed a wrong password. Since my two remote hosts, 192.168.2.100 and 192.168.2.18, share the same password, both failed, but that does not matter: run it once more with the correct password and the setup succeeds.

root@dg01[/root]#ansible webservers -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k
SSH password: 
192.168.2.18 | SUCCESS => {
    "changed": true, 
    "comment": null, 
    "exclusive": false, 
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD9085G8kysFvmQQ7+AjK2I21tmoEdALze+NAlauXF9cFj3mOtmC3b90I5zWPSdw3bkXySzYbFfdZWuJvXFfvB7xYa0gzCz0Fc6YkwRwXIKcwr3TiVc4zUlN4ajRolYayJy8JBtPbiB1MHVyUDfLtn7RJdr5v1EEIgZWrjxZK9cISqdru7UwWQZyX4g3y7uIJzAY10IRtoC+55oMOF0YEqWzwUkIkNkmS2C/IZSwMwJbe12Ac7mmo7nvUGytzlGBVoc8cTjcYfpXl6b0AbrqtzjB54Hi6Tr1pV+sUk+lBE/B2FLE2C/X8kclxH3jQAamnUeikq/uYzgSE8gVR6U9WnD root@dg01", 
    "key_options": null, 
    "keyfile": "/root/.ssh/authorized_keys", 
    "manage_dir": true, 
    "path": null, 
    "state": "present", 
    "unique": false, 
    "user": "root", 
    "validate_certs": true
}
192.168.2.100 | SUCCESS => {
    "changed": true, 
    "comment": null, 
    "exclusive": false, 
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD9085G8kysFvmQQ7+AjK2I21tmoEdALze+NAlauXF9cFj3mOtmC3b90I5zWPSdw3bkXySzYbFfdZWuJvXFfvB7xYa0gzCz0Fc6YkwRwXIKcwr3TiVc4zUlN4ajRolYayJy8JBtPbiB1MHVyUDfLtn7RJdr5v1EEIgZWrjxZK9cISqdru7UwWQZyX4g3y7uIJzAY10IRtoC+55oMOF0YEqWzwUkIkNkmS2C/IZSwMwJbe12Ac7mmo7nvUGytzlGBVoc8cTjcYfpXl6b0AbrqtzjB54Hi6Tr1pV+sUk+lBE/B2FLE2C/X8kclxH3jQAamnUeikq/uYzgSE8gVR6U9WnD root@dg01", 
    "key_options": null, 
    "keyfile": "/root/.ssh/authorized_keys", 
    "manage_dir": true, 
    "path": null, 
    "state": "present", 
    "unique": false, 
    "user": "root", 
    "validate_certs": true
}

See? With the correct password, both hosts were set up for passwordless login.

If I now had one more host, 192.168.2.110, whose root password differs from the two hosts already set up, I would just run the command above again and enter the root password of 192.168.2.110; the output would then report success for all three hosts. So repeating the setup does not affect hosts that have already been set up.

Verify that passwordless login works:

root@dg01[/etc/yum.repos.d]#ssh 192.168.2.18
Last login: Sun Jul 29 13:27:24 2018 from 192.168.2.171
[root@mongodb ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:29:AE:5C  
          inet addr:192.168.2.18  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe29:ae5c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11659 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6464 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16883692 (16.1 MiB)  TX bytes:460958 (450.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)

[root@mongodb ~]# exit
logout
Connection to 192.168.2.18 closed.
root@dg01[/etc/yum.repos.d]#ssh 192.168.2.100
Last login: Sun Jul 29 13:29:11 2018 from 192.168.2.230
[root@mysql ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 08:00:27:29:38:66  
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe29:3866/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5858 errors:0 dropped:0 overruns:0 frame:0
          TX packets:471 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:452018 (441.4 KiB)  TX bytes:62576 (61.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

[root@mysql ~]# 

Both hosts now allow passwordless login.

d. With passwordless login in place, run the script a second time to log in and shut the hosts down in bulk. Keep only part 6 of the script and comment out everything before it.

The code:

#!/bin/bash

##ssh-keygen
#
##1. Strip blank lines and whitespace from the IP list file
#sed -e '/^$/d' -e 's/[[:space:]]//g' /root/ip_lists.txt > /tmp/ip_lists.txt
#mv /root/ip_lists.txt /root/ip_lists_bak.txt
#cp /tmp/ip_lists.txt /root/ip_lists.txt
#
##2. Strip blank lines from /etc/ansible/hosts
#sed -e '/^$/d' /etc/ansible/hosts > /tmp/hosts
#mv /etc/ansible/hosts /etc/ansible/hosts_bak
#cp /tmp/hosts /etc/ansible/hosts
#
##3. Add the host keys of all target hosts to /root/.ssh/known_hosts on the ansible control host
#while read -r line
#do
#        echo "$line"
#        ssh-keyscan "$line" >> /root/.ssh/known_hosts
#done < /root/ip_lists.txt
#
##4. Add the IP addresses of the target hosts to /etc/ansible/hosts on the ansible control host
#while read -r line
#do
#        echo "$line"
#        echo "$line" >> /etc/ansible/hosts
#done < /root/ip_lists.txt
#
##5. Run the following command on the ansible control host; it prompts for the password and sets up passwordless login
###If the hosts in the list have different root passwords, run it once with each known password; hosts whose password matches are set up
###Running it repeatedly with different passwords does not affect hosts already set up
##ansible webservers -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub') }}'" -k

#6. Run the shutdown command on the hosts that were set up
while read -r line
do
echo "$line"
#Perform the shutdown
ssh -tq "$line" << remotessh
sync
shutdown -h now
echo "remote host shutdown successfully!"
exit
remotessh
done < /root/ip_lists.txt

Output:

root@dg01[/root]#./shutdown_all_vmlinux.sh 
192.168.2.18
remote host shutdown successfully!
192.168.2.100
remote host shutdown successfully!
root@dg01[/root]#

The contents of /etc/ansible/hosts, for reference:

root@dg01[/etc/yum.repos.d]#cat /etc/ansible/hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
## [webservers]
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
## www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
## [dbservers]
## 
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
## db-[99:101]-node.example.com
[webservers]
192.168.2.18
192.168.2.100
root@dg01[/etc/yum.repos.d]#

After installation, the only edit this file needs is a

[webservers]

group header appended at the end, followed by a blank line; the IPs are added automatically by the first run of the script from the contents of /root/ip_lists.txt.


Reposted from blog.csdn.net/kadwf123/article/details/81270175