SSH passwordless login and batch management

Section index


  • Scenario analysis
  • SSH passwordless login
  • Batch management with pssh
  • Shell automation script
  • Summary

Scenario analysis


As operations engineers, not all of us work in environments like Alibaba or Tencent, with hundreds of millions of page views and tens of thousands of servers. We usually work in environments of a few dozen to a few hundred servers, where automation tools such as ansible or puppet are overkill and the end result may be no better than what a few small tools achieve. SSH passwordless login, combined with a push tool such as pssh and an automated configuration script, is both convenient and practical. This section walks through, in detail, using a shell script to set up SSH passwordless login and then configure and manage a hundred machines.

ssh service


As the plaintext protocol telnet gradually leaves the stage, ssh, as a secure remote login tool, is increasingly favoured by users. SSH is short for Secure Shell and was specified by the IETF's Network Working Group; it is a security protocol built on the application layer. SSH is currently one of the more reliable protocols designed to provide security for remote login sessions and other network services. Using the SSH protocol effectively prevents information leakage during remote administration. SSH was originally a program on UNIX systems and later spread quickly to other platforms. When used correctly, SSH can compensate for weaknesses in the network. SSH clients are available for many platforms. Almost all UNIX platforms, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH.

The ssh service has two ways of authenticating a user login: password-based authentication and key-based authentication. This article implements key-based authentication. The ssh key-based authentication process:

[Figure: ssh key-based authentication process]

The ssh tools provide more than remote login: they also ship with commands that generate an ssh key pair and copy the public key of that pair to a remote host, for example:

Generate a key: ssh-keygen -t rsa [-P ''] [-f '~/.ssh/id_rsa']

Copy the public key to the remote host: ssh-copy-id [-i identity_file] [user@host_ip]

-P specifies the private key passphrase. Above, I did not encrypt the private key, mainly for convenience. In real production it is recommended to encrypt the private key, because if you accidentally lose it, your whole system faces great risk. After the two steps above you have ssh passwordless login: the next time you use ssh to log in to 172.18.14.123 (the host that has your public key) you will not be asked for a password.

However, we still have to type the password by hand when copying the public key. We can use expect, from shell script programming, to enter the login password for us:

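#!/usr/bin/expect
# "yes/no": answers the host key confirmation prompt for you
# "password": sends the password when prompted
spawn ssh 172.18.8.100
expect {
     "yes/no"   { send "yes\n"; exp_continue }
     "password" { send "your_passwd\n" }
}
# Hand the logged-in session over to the user
interact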

The pssh tool


In the example above we only set up passwordless ssh to a single host, while our environment has dozens of machines, so we are still far from our goal of "automated deployment, configuration and management". As the older generation says: if you repeat an operation more than 3 times, you should consider automating it. So we need to improve further, and this is where a very powerful little tool, pssh, comes in.

pssh is a tool written in Python that executes commands on multiple servers and also supports copying files. It is one of the better tools of its kind; pdsh is similar, and personally I find pssh easier to use than pdsh. Key-based authentication must be configured on each server. Once passwordless login is in place, pssh comes into its own. Its parameters are described below.

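***** pssh options *****

--version: show the version
--help: show help, i.e. this information
-h: hosts file; each entry has the form "[user@]host[:port]"
-H: host string, in the form "[user@]host[:port]"
-l: user name used to log in
-p: number of concurrent threads [optional]
-o: directory for output files [optional]
-e: directory for error output files [optional]
-t: TIMEOUT, timeout setting, 0 means no limit [optional]
-O: SSH options
-v: verbose mode
-A: prompt for the password manually
-x: extra command-line arguments, with processing of whitespace, quotes and backslashes
-X: extra command-line argument, single-argument mode, otherwise the same as -x
-i: display each server's output inline
-P: print each server's output as it is returned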

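Looking at the pssh parameters, we see that -h specifies a hosts file, which means we can put the IP addresses in a file and have pssh read that file directly. That matches what we had in mind. So I quickly created a few virtual machines to test: I stored the IP addresses in an ip.txt file and then tried running a command. It works! Only a little of the usage is shown here; if you need more in your work, look at the other parameters.

[Screenshot: pssh execution result]

I checked the load on the two virtual machines; the screenshot above shows the result, which confirms that this works. Of course, I had already set up passwordless login to the two hosts by hand beforehand.

Shell script implementation


In the process above we implemented ssh passwordless login step by step and used pssh for batch deployment and management. I only checked the load on the target hosts, but you can write whatever configuration or deployment script your business needs, then push it with pssh and execute it. The script below does all of the above.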

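[root@vinsent app]# cat ssh_auto.sh
#!/bin/bash
#------------------------------------------#
# FileName:             ssh_auto.sh
# Revision:             1.1.0
# Date:                 2017-07-14 04:50:33
# Author:               vinsent
# Email:                [email protected]
# Website:              www.vinsent.cn
# Description:          This script can achieve ssh password-free login, 
#                       and can be deployed in batches, configuration
#------------------------------------------#
# Copyright:            2017 vinsent
# License:              GPL 2+
#------------------------------------------#
# Create the key pair if it does not exist yet (-f avoids the interactive file name prompt)
[ ! -f /root/.ssh/id_rsa.pub ] && ssh-keygen -t rsa -P '' -f /root/.ssh/id_rsa &> /dev/null
while read -r line; do
         ip=$(echo "$line" | cut -d " " -f1)              # extract the IP from the file
         user_name=$(echo "$line" | cut -d " " -f2)       # extract the user name from the file
         pass_word=$(echo "$line" | cut -d " " -f3)       # extract the password from the file
         # Copy the public key to the target host; expect answers the prompts
         # and enters the password automatically. Comments stay outside the
         # here-document because a trailing "#" is not a comment in expect/Tcl.
expect <<EOF
         spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $user_name@$ip
         expect {
                 "yes/no"   { send "yes\n"; exp_continue }
                 "password" { send "$pass_word\n" }
         }
         expect eof
EOF

done < /root/host_ip.txt       # read the file that stores the IPs

# pssh host entries have the form "[user@]host[:port]", so build a host list
# without the password column (the file name pssh_hosts.txt is chosen for this fix)
awk '{ print $2 "@" $1 }' /root/host_ip.txt > /root/pssh_hosts.txt
pscp.pssh -h /root/pssh_hosts.txt /root/your_scripts.sh /root      # push the deployment/configuration script to the target hosts
pssh -h /root/pssh_hosts.txt -i bash /root/your_scripts.sh         # configure remotely by running your configuration script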

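The host_ip.txt file can be written by hand (which, of course, is not very automated), or you can use a scanning tool to scan the hosts on your network and then generate the file with tools such as awk. An example of the file holding IP addresses, login user names and passwords: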

[root@vinsent app] # cat host_ip.txt 
172.18.14.123 root 123456
172.18.254.54 root 123456
...

Of course, the script above may be a bit rough, but it fully achieves the functionality.
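
The checks below are an added example, not part of the original post: they validate the three-column host_ip.txt shown above before the loop feeds it to expect, confirm that the file (which holds clear-text passwords) is not accessible to group or others, and derive the "[user@]host" list that pssh -h expects. The function names are hypothetical, and the code is written in POSIX sh so it can be sourced from the bash script.

```sh
# Added example: pre-flight checks for host_ip.txt ("ip user password" per line).
# Function names are hypothetical; they are not part of ssh_auto.sh.

# Succeeds only if group and others have no permission bits on the file.
# The inventory stores clear-text passwords, so 0600 or stricter is expected.
inventory_is_private() {
    mode=$(ls -ld -- "$1" | cut -c5-10) || return 1
    [ "$mode" = "------" ]
}

# Prints one message per malformed line; returns non-zero if any line is bad.
validate_inventory() {
    n=0 bad=0
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'       # one IPv4 octet, 0-255
    while read -r ip user pass extra || [ -n "$ip" ]; do
        n=$((n + 1))
        [ -z "$ip" ] && continue                   # skip blank lines
        if [ -z "$pass" ] || [ -n "$extra" ]; then
            echo "line $n: expected 'ip user password'"; bad=1; continue
        fi
        if ! printf '%s\n' "$ip" | grep -Eq "^($o\.){3}$o\$"; then
            echo "line $n: '$ip' is not an IPv4 address"; bad=1
        fi
        # The user name ends up in "user@ip" on a command line, so keep it strict.
        if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
            echo "line $n: invalid user name '$user'"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# Emits "user@ip" entries for pssh -h, leaving the password column behind.
to_pssh_hosts() {
    awk 'NF == 3 { print $2 "@" $1 }' "$1"
}
```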

 


Origin www.cnblogs.com/30go/p/11458457.html