August 09, 2018

1) Generate an SSH key pair and copy the public key to the remote managed hosts

2) Install EPEL so that the Ansible package can be installed

[harveymei@oms ~]$ yum info ansible
Loaded plugins: fastestmirror
Determining fastest mirrors
epel 12631/12631
Installed Packages
Name 
Arch : noarch
Version : 2.6.2
Release : 1.el7
Size : 52 M
Repo : installed
From repo : epel
Summary : SSH-based configuration management, deployment, and task execution system
URL : http://ansible.com
License : GPLv3+
Description : Ansible is a radically simple model-driven configuration management,
: multi-node deployment, and remote task execution system. Ansible works
: over SSH and does not require any software or daemons to be installed
: on remote nodes. Extension modules can be written in any language and
: are transferred to managed machines automatically.

[harveymei@oms ~]$

3) Edit the inventory (hosts) file

[root@oms ~]# vi /etc/ansible/hosts
[fileserver]
node01.linuxcache.com
node02.linuxcache.com
node03.linuxcache.com
node04.linuxcache.com
node05.linuxcache.com
node06.linuxcache.com
node07.linuxcache.com

4) Use Ansible to run a single command on the remote hosts

[harveymei@oms ~]$ ansible fileserver --private-key=.ssh/id_ecdsa_ansible -m command -a uptime -u ops 
node01.linuxcache.com | SUCCESS | rc=0 >>
15:46:37 up 6 days, 23:33, 2 users, load average: 0.03, 0.04, 0.08

node02.linuxcache.com | SUCCESS | rc=0 >>
15:46:34 up 6 days, 23:27, 1 user, load average: 0.06, 0.03, 0.05

node03.linuxcache.com | SUCCESS | rc=0 >>
15:46:34 up 6 days, 23:28, 1 user, load average: 0.00, 0.01, 0.05

node04.linuxcache.com | SUCCESS | rc=0 >>
15:46:35 up 6 days, 23:23, 1 user, load average: 0.06, 0.03, 0.05

node05.linuxcache.com | SUCCESS | rc=0 >>
15:46:42 up 6 days, 23:29, 1 user, load average: 0.00, 0.05, 0.07

node06.linuxcache.com | SUCCESS | rc=0 >>
15:46:37 up 6 days, 23:22, 1 user, load average: 0.00, 0.01, 0.05

node07.linuxcache.com | SUCCESS | rc=0 >>
15:46:43 up 6 days, 23:29, 1 user, load average: 0.00, 0.01, 0.05

[harveymei@oms ~]$

Once the SSH user is set per host in the inventory file, the -u option no longer needs to be passed on the command line:

[root@oms ~]# vi /etc/ansible/hosts
node01.linuxcache.com ansible_ssh_user=ops
node02.linuxcache.com ansible_ssh_user=ops
node03.linuxcache.com ansible_ssh_user=ops
node04.linuxcache.com ansible_ssh_user=ops
node05.linuxcache.com ansible_ssh_user=ops
node06.linuxcache.com ansible_ssh_user=ops
node07.linuxcache.com ansible_ssh_user=ops
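To show how the INI inventory above is read (group headers plus per-host variables such as ansible_ssh_user), here is a small parser; this is an added example, not code from the original post or from Ansible, and the inventory text it embeds is a constructed sample in which one host is deliberately listed twice so the duplicate check has something to find.

```python
import re
from collections import defaultdict

# Constructed sample in the INI inventory format shown above (not the author's file);
# node03 is deliberately listed twice to exercise the duplicate check.
SAMPLE_INVENTORY = """\
[fileserver]
node01.linuxcache.com ansible_ssh_user=ops
node02.linuxcache.com ansible_ssh_user=ops
node03.linuxcache.com ansible_ssh_user=ops
node03.linuxcache.com ansible_ssh_user=ops
node04.linuxcache.com ansible_ssh_user=ops

[db]
db01.example.com ansible_ssh_user=root ansible_port=2222
"""
_GROUP_RE = re.compile(r"\[([^\]]+)\]")
_VAR_RE = re.compile(r"(\w+)=(\S+)")

def _entries(text):
    """Yield (group, host, vars_string) for every host line, skipping comments and blanks."""
    group = "ungrouped"                     # hosts before the first [group] header land here
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _GROUP_RE.fullmatch(line)
        if m:                               # [group:vars] / [group:children] are not handled
            group = m.group(1)
            continue
        host, _, rest = line.partition(" ")
        yield group, host, rest

def parse_inventory(text):
    """Return {group: {host: {var: value}}}; duplicate host lines merge, as Ansible does."""
    groups = defaultdict(dict)
    for group, host, rest in _entries(text):
        groups[group].setdefault(host, {}).update(_VAR_RE.findall(rest))
    return dict(groups)

def find_duplicates(text):
    """Hosts listed more than once within the same group (a common copy-paste slip)."""
    seen = defaultdict(int)
    for group, host, _ in _entries(text):
        seen[(group, host)] += 1
    return sorted(host for (_, host), n in seen.items() if n > 1)
```

Ansible silently merges a host that appears twice, so a duplicate usually means another host was dropped by mistake; find_duplicates surfaces that before a run. Ansible 2.x also accepts ansible_user as the newer spelling of ansible_ssh_user.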

Commonly used Ansible modules and their usage

copy module
ansible fileserver -m copy -a "src=/tmp/abc.txt dest=~/"

command module
ansible fileserver -m command -a pwd

shell module (the shell module does not load the login environment variables by default)
ansible fileserver -m shell -a ". .bash_profile;ll /|grep tmp"

script module
ansible fileserver -m script -a "~/run.sh"
August 09, 2018

Generating an SSH key pair and importing it quickly to enable passwordless login

Generate a key pair of the specified key type and strength

MacBookAir:~ harveymei$ ssh-keygen -b 256 -t ecdsa -C ansible
Generating public/private ecdsa key pair.
Enter file in which to save the key (/Users/harveymei/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/harveymei/.ssh/id_ecdsa.
Your public key has been saved in /Users/harveymei/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:h3ROH2cqNPGJ8MRPru6RR+8uzupeXfGS6jsx1xTKIFI ansible
The key's randomart image is:
+---[ECDSA 256]---+
|        oEo      |
|       . =.=.. . |
|        o O+* +..|
|       . * ooB .+|
|        S +.+ ooo|
|         ..+o+.o.|
|         .o ++o  |
|          .*o.   |
|         +=o==o  |
+----[SHA256]-----+
MacBookAir:~ harveymei$ ls .ssh/
id_ecdsa        id_ecdsa.pub    known_hosts
MacBookAir:~ harveymei$

Use ssh-copy-id to copy the public key to the target host in one step

MacBookAir:~ harveymei$ ssh-copy-id -i .ssh/id_ecdsa.pub root@149.28.83.35
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
The authenticity of host '149.28.83.35 (149.28.83.35)' can't be established.
ECDSA key fingerprint is SHA256:Y+28z8sSqCprILoRIh1Qnob+uEWH3xaW5w8GbNR6y2o.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@149.28.83.35's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@149.28.83.35'"
and check to make sure that only the key(s) you wanted were added.

MacBookAir:~ harveymei$ 

After the import succeeds, connect again over SSH: the login to the target host succeeds without a password prompt

MacBookAir:~ harveymei$ ssh root@149.28.83.35
Last login: Thu Aug  9 05:51:38 2018 from 149.28.80.116
[root@test2 ~]# cat .ssh/authorized_keys 
ssh-rsa [RSA public key elided] root@test
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGduOgGxggQGK0a3ELs6cbMfAcY8P60/Y8mt/Ye2AZRFHYP7AME6NqAinWEPatFuw32S/mPuf8TQUjzAXZ3OMko= ansible
[root@test2 ~]# 
[root@test2 ~]# exit
Connection to 149.28.83.35 closed.
MacBookAir:~ harveymei$
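As an added example (not part of the original post), the following Python audits authorized_keys entries like the one just listed: it decodes the SSH wire-format blob, checks that the declared key type matches the type embedded in the blob, and computes the OpenSSH SHA256 fingerprint so it can be compared with what ssh-keygen printed earlier. The key line and the expected fingerprint are copied from this post's output; the function names are my own.

```python
import base64
import hashlib
import struct

# The ECDSA entry from the authorized_keys listing above, embedded here as sample input.
AUTHORIZED_KEYS_SAMPLE = """\
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGduOgGxggQGK0a3ELs6cbMfAcY8P60/Y8mt/Ye2AZRFHYP7AME6NqAinWEPatFuw32S/mPuf8TQUjzAXZ3OMko= ansible
"""
# Fingerprint that ssh-keygen printed for the key generated above, kept for comparison.
EXPECTED_FP = "SHA256:h3ROH2cqNPGJ8MRPru6RR+8uzupeXfGS6jsx1xTKIFI"

def _wire_strings(blob):
    """Split an SSH wire-format public key blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def parse_authorized_key(line):
    """Return (declared_type, embedded_type, curve, fingerprint, comment) for one key line.
    Lines carrying an options prefix (command="...", from="...") are not handled here."""
    declared, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    fields = _wire_strings(blob)
    embedded = fields[0].decode()            # the blob names its own algorithm first
    curve = fields[1].decode() if embedded.startswith("ecdsa-sha2-") else None
    # OpenSSH prints SHA256 fingerprints as unpadded base64 of the digest of the raw blob.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return declared, embedded, curve, "SHA256:" + digest, (rest[0] if rest else "")

def audit(text):
    """Comments (or types) of keys whose declared type disagrees with the type inside the blob."""
    bad = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            declared, embedded, _, _, comment = parse_authorized_key(line)
            if declared != embedded:
                bad.append(comment or declared)
    return bad

if __name__ == "__main__":
    for line in AUTHORIZED_KEYS_SAMPLE.splitlines():
        declared, embedded, curve, fp, comment = parse_authorized_key(line)
        print(declared, curve, fp, comment, "matches ssh-keygen output:", fp == EXPECTED_FP)
```

The same fingerprint is what `ssh-keygen -lf` prints, so the check can be run against the real authorized_keys file on a managed host to confirm that only the intended key was installed.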
August 09, 2018

Add the MongoDB Yum repository

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/mongodb-org-3.6.repo << EOF
> [mongodb-org-3.6]
> name=MongoDB Repository
> baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
> gpgcheck=1
> enabled=1
> gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
> EOF
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
[root@tunnel ~]#

Add the Pritunl Yum repository

[root@tunnel ~]# sudo tee -a /etc/yum.repos.d/pritunl.repo << EOF
> [pritunl]
> name=Pritunl Repository
> baseurl=https://repo.pritunl.com/stable/yum/centos/7/
> gpgcheck=1
> enabled=1
> EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]# cat /etc/yum.repos.d/pritunl.repo 
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/centos/7/
gpgcheck=1
enabled=1
[root@tunnel ~]#

Refresh the Yum cache

[root@tunnel ~]# yum makecache

Import the GPG signing public key

[root@tunnel ~]# gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key CF8E292A from hkp server keyserver.ubuntu.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key CF8E292A: public key "Pritunl <contact@pritunl.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@tunnel ~]#
[root@tunnel ~]# gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp
[root@tunnel ~]#

Install Pritunl and MongoDB with Yum

[root@tunnel ~]# yum -y install pritunl mongodb-org

Start the services and enable them at boot

[root@tunnel ~]# systemctl start mongod pritunl
[root@tunnel ~]# systemctl enable mongod pritunl
Created symlink from /etc/systemd/system/multi-user.target.wants/pritunl.service to /etc/systemd/system/pritunl.service.
[root@tunnel ~]# systemctl status mongod
● mongod.service - High-performance, schema-free document-oriented database
Loaded: loaded (/usr/lib/systemd/system/mongod.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:07:00 UTC; 28s ago
Docs: https://docs.mongodb.org/manual
Main PID: 1732 (mongod)
CGroup: /system.slice/mongod.service
└─1732 /usr/bin/mongod -f /etc/mongod.conf

Aug 08 10:06:59 tunnel systemd[1]: Starting High-performance, schema-free document-oriented database...
Aug 08 10:06:59 tunnel mongod[1729]: about to fork child process, waiting until server is ready for connections.
Aug 08 10:06:59 tunnel mongod[1729]: forked process: 1732
Aug 08 10:07:00 tunnel systemd[1]: Started High-performance, schema-free document-oriented database.
[root@tunnel ~]# systemctl status pritunl
● pritunl.service - Pritunl Daemon
Loaded: loaded (/etc/systemd/system/pritunl.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-08 10:06:59 UTC; 35s ago
Main PID: 1724 (pritunl)
CGroup: /system.slice/pritunl.service
├─1724 /usr/lib/pritunl/bin/python2 /usr/lib/pritunl/bin/pritunl start
└─1778 pritunl-web

Aug 08 10:06:59 tunnel systemd[1]: Started Pritunl Daemon.
Aug 08 10:06:59 tunnel systemd[1]: Starting Pritunl Daemon...
[root@tunnel ~]#

Check the services and their listening ports

[root@tunnel ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
[root@tunnel ~]#

Generate the initial setup key

[root@tunnel ~]# pritunl setup-key
ba0cc9655df84af33bd5ab1baad20dac
[root@tunnel ~]#

Log in to the web management interface to complete the configuration

https://66.80.120.167/login

Default username/password: pritunl/pritunl

1) Add an organization
2) Add a user
3) Add a server
4) Attach the organization to the server
5) Start the server
6) Download the user's configuration profile

Firewall and rule settings

Disable the firewalld firewall

systemctl disable firewalld
systemctl stop firewalld

Install and enable the iptables firewall

yum -y install iptables-services
systemctl status iptables
systemctl enable iptables
systemctl start iptables

Add the iptables rules and save them

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 9443 -j ACCEPT
service iptables save

Start the VPN server

Check the listening sockets

[root@tunnel ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1732/mongod 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 673/sshd 
tcp6 0 0 :::443 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 ::1:9755 :::* LISTEN 1724/python2 
tcp6 0 0 :::80 :::* LISTEN 1778/pritunl-web 
tcp6 0 0 :::22 :::* LISTEN 673/sshd 
udp 0 0 127.0.0.1:323 0.0.0.0:* 435/chronyd 
udp 0 0 0.0.0.0:68 0.0.0.0:* 1216/dhclient 
udp6 0 0 :::9443 :::* 4926/openvpn 
udp6 0 0 ::1:323 :::* 435/chronyd 
[root@tunnel ~]#

Check the network interface status

[root@tunnel ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 56:00:01:9f:8e:77 brd ff:ff:ff:ff:ff:ff
inet 66.80.120.167/23 brd 66.80.121.255 scope global dynamic eth0
valid_lft 85018sec preferred_lft 85018sec
inet6 2002:19f0:6001:3d90:5400:1ff:fe9f:8e77/64 scope global mngtmpaddr dynamic 
valid_lft 2591663sec preferred_lft 604463sec
inet6 fe80::5400:1ff:fe9f:8e77/64 scope link 
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 10.20.30.1/24 brd 10.20.30.255 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::fd51:af66:8daf:bb96/64 scope link flags 800 
valid_lft forever preferred_lft forever
[root@tunnel ~]#

Check the firewall state

[root@tunnel ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*nat
:PREROUTING ACCEPT [117:7699]
:INPUT ACCEPT [20:1442]
:OUTPUT ACCEPT [8:552]
:POSTROUTING ACCEPT [8:552]
-A POSTROUTING -s 10.20.30.0/24 -o eth0 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j MASQUERADE
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
# Generated by iptables-save v1.4.21 on Wed Aug 8 11:53:56 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2028:1155767]
-A INPUT -p udp -m udp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -i tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o tun4 -m comment --comment pritunl-5b6ac2d6627aae06bc506714 -j ACCEPT
COMMIT
# Completed on Wed Aug 8 11:53:56 2018
[root@tunnel ~]#
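As an added example, not from the original post or from Pritunl, this Python checker parses iptables-save output like the dump above and verifies the expectations set earlier in this post: the OpenVPN port 9443/udp plus 443/tcp, 80/tcp and 22/tcp are accepted, INPUT ends in a deny-by-default REJECT, and the VPN subnet is masqueraded. The embedded rule set is a constructed excerpt modelled on the dump; the function names are assumptions.

```python
import re
# Constructed excerpt in iptables-save format, modelled on the dump above (not a live capture).
IPTABLES_SAVE_SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.30.0/24 -o eth0 -m comment --comment pritunl-test -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
_PORT_RE = re.compile(r"-p (tcp|udp)\b.*--dport (\d+)\b.*-j ACCEPT$")

def parse_iptables_save(text):
    """Return {table: {chain: [rule line, ...]}} from iptables-save output, order preserved."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):          # chain policy line, e.g. :INPUT ACCEPT [0:0]
            tables[table][line[1:].split()[0]] = []
        elif line.startswith("-A "):        # appended rule ("# Generated by" lines are skipped)
            tables[table].setdefault(line.split()[1], []).append(line)
    return tables

def accepted_ports(tables, chain="INPUT"):  # set of (proto, port) the chain explicitly accepts
    return {(m.group(1), int(m.group(2))) for rule in tables.get("filter", {}).get(chain, [])
            for m in [_PORT_RE.search(rule)] if m}

def ends_with_reject(tables, chain):  # True if the chain's last rule is an unconditional REJECT/DROP
    rules = tables.get("filter", {}).get(chain, [])
    return bool(rules) and re.match(r"-A %s -j (REJECT|DROP)\b" % chain, rules[-1]) is not None

def audit(tables, vpn_subnet, required=(("udp", 9443), ("tcp", 443), ("tcp", 80), ("tcp", 22))):
    """Return a list of problems; an empty list means the rule set matches expectations."""
    open_ports = accepted_ports(tables)
    problems = [f"{p}/{n} not accepted in INPUT" for p, n in required if (p, n) not in open_ports]
    if not ends_with_reject(tables, "INPUT"):
        problems.append("INPUT has no final REJECT/DROP rule")
    masq = {m.group(1) for r in tables.get("nat", {}).get("POSTROUTING", [])
            for m in [re.search(r"-s (\S+).*-j MASQUERADE$", r)] if m}
    if vpn_subnet not in masq:
        problems.append(f"no MASQUERADE rule for {vpn_subnet}")
    return problems
```

Feed it the real /etc/sysconfig/iptables (or the output of iptables-save) after a reboot to confirm that the rules Pritunl inserts at runtime and the ones saved with `service iptables save` still agree.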

Connecting to the VPN from the Linux command line with non-interactive password authentication

[root@localhost ~]# cd harveymei/

Create the credentials file, with the username and the password each on its own line

[root@localhost harveymei]# vi account.txt

Edit the VPN configuration file to reference the credentials file

[root@localhost harveymei]# vi LINUXCACHE_harveymei_LINUXCACHE.ovpn
auth-user-pass account.txt

Start the connection

[root@localhost ~]# openvpn --daemon --cd harveymei/ --config LINUXCACHE_harveymei_LINUXCACHE.ovpn --log-append /var/log/openvpn.log