How to complete SSH batch management in one click and one second
1. ssh-keygen: create the key pair non-interactively
Command:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
Parameter explanation:
ssh-keygen: key pair creation tool
[-P old-passphrase]: the passphrase ('' above means an empty passphrase)
[-f output_keyfile]: output key file
[-q]: quiet, print no messages
[-t dsa]: specify the key type
2. ssh-copy-id: distribute the key without the yes/no prompt
Command:
ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no 172.16.1.8
Parameter explanation:
ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@172.16.1.8
ssh-copy-id [-f] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
Explanation:
-f: force mode
[-i [identity_file]]: specify the key file
[[-o <ssh -o options>] ...]: pass options through to ssh.
3. sshpass tool: supply the password non-interactively so the key can be distributed without a human typing it
Command:
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
Parameter explanation:
[root@web02 ~]# sshpass -help
Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
-p password Provide password as argument (security unwise) # pass the user password on the command line
4. One-click configuration in practice
Use web02 as the distribution server:
web02(8)-->m01(61)
web02(8)-->web01(7)
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
#!/bin/bash
#yum install sshpass -y
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 61
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
ssh 172.16.1.61 "ifconfig eth0"
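The same one-click distribution, rewritten as an added example (it is not the notes' own script) with the checks a practitioner would want: the key pair is generated only when it does not exist yet, the password is read with sshpass -f from a file that must not be readable by group or others (the -p123456 form used above puts the password into ps output and the shell history, which is what the sshpass help text calls "security unwise"), and every host is verified afterwards with ssh -o BatchMode=yes so that a fallback to password authentication cannot hide a failed key push. The password file path, the host numbers and the 172.16.1.x addresses are assumptions taken over from the notes' lab network.

```shell
#!/bin/bash
# Added example, not from the original notes: one-click key distribution
# with the checks a practitioner would want. The password file path, the
# host numbers and the 172.16.1.x network are constructed for illustration.
set -eu

KEY="${KEY:-${HOME:-/root}/.ssh/id_rsa}"
PASS_FILE="${PASS_FILE:-${HOME:-/root}/.ssh/dist_pass}"   # hypothetical path; must be mode 600

# Generate the key pair only if it does not exist yet. Without this check
# ssh-keygen asks "Overwrite (y/n)?" and the non-interactive run hangs.
ensure_keypair() {
    if [ -f "$KEY" ]; then
        echo "key $KEY already exists, keeping it"
        return 0
    fi
    mkdir -p "$(dirname "$KEY")" && chmod 700 "$(dirname "$KEY")"
    ssh-keygen -t rsa -b 4096 -f "$KEY" -P '' -q
}

# Refuse a password file that group or others can read: it would be no
# better than -p123456, which sshpass itself flags as "security unwise".
check_pass_file() {
    [ -f "$PASS_FILE" ] || { echo "missing $PASS_FILE" >&2; return 1; }
    perms=$(ls -ld "$PASS_FILE" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || { echo "$PASS_FILE is readable by group/others" >&2; return 1; }
}

# Push the public key; sshpass -f reads the password from the file, so it
# appears neither in `ps` output nor in the shell history.
push_key() {
    sshpass -f "$PASS_FILE" ssh-copy-id -i "$KEY.pub" \
        -o StrictHostKeyChecking=no "root@$1"
}

# Verify with BatchMode=yes: ssh then fails instead of falling back to a
# password prompt, so a non-zero exit means key authentication did not work.
verify_key_login() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$1" hostname >/dev/null 2>&1
}

# Expand the short numeric list the notes use ("7 61") into full addresses.
expand_hosts() {
    for n in "$@"; do printf '172.16.1.%s\n' "$n"; done
}

# Returns the number of hosts on which key authentication failed.
distribute() {
    ensure_keypair
    check_pass_file
    failed=0
    for host in $(expand_hosts "$@"); do
        push_key "$host"
        if verify_key_login "$host"; then
            echo "$host: key authentication OK"
        else
            echo "$host: key authentication FAILED" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Runs only when host numbers are given, e.g.: ./dist_keys.sh 7 61
if [ "$#" -gt 0 ]; then
    distribute "$@"
fi
```

Create the password file once with `umask 077` before running the script, and delete it when the roll-out is done; the verification step is what turns "the loop finished" into "every host really accepts the key".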
Part 1: Ansible automated management in practice
1. Introduction to Ansible
SSH key authentication + scripts for batch management.
Characteristics: simple, practical.
It looks rather low-tech and needs hand-written scripts; compare the inotify tool for real-time replication.
Before 2013 this approach was very common.
2. History of batch management tools
SSH+scripts ------> CFEngine ------> Puppet ------> SaltStack ------> Ansible
before 2008 ------> 2007-08 ------> 2010-13 ------> 2014-17 (written in Python) ------> 2016- (written in Python)
3. Why use Ansible?
Simple, convenient, easy to learn, and just as powerful.
Ansible has a configuration file and runs tasks in parallel out of the box.
No scripts need to be written; compare sersync for real-time replication.
4. What is Ansible?
Ansible is a tool for managing servers remotely.
Ansible is a tool for deploying services to remote hosts in batch. A "remote host" here is any host that can be logged into over SSH, so it can be a remote virtual or physical machine, or the local host.
Ansible communicates between the control node and the remote nodes over the SSH protocol. In principle, any operation that can be completed by logging into a remote host over SSH can be automated in batch with Ansible.
Management operations covered: copying files, installing services, customized service start-up management, configuration management, and so on.
5. Why manage operations with a batch management tool?
Efficiency: Baidu runs tens of thousands of servers, Alibaba hundreds of thousands.
How to save money?
SSD+SATA for hot-data storage
6. Ansible features
Ansible is implemented in Python and built on two key modules, Paramiko and PyYAML.
Shell and Python are the two languages Linux operations students tend to avoid.
1) Installation and deployment is very simple; the learning curve is flat
2) No separate client needs to be installed; it only uses the existing SSHD service (protocol)
3) No server side (no server)
4) Ansible playbooks, written in YAML, let you orchestrate automated tasks in advance
5) Ansible has many functional modules and rich support for automation scenarios.
7. Ansible architecture
1. Connection plugins: used to connect to the managed hosts
2. Core modules: connect to the host and carry out operations; Ansible relies on a specific module to do each specific job
3. Custom modules: write your own modules for your own requirements
4. Plugins: supplement what the modules do
5. Playbooks: Ansible's configuration files; several tasks are defined in a playbook and Ansible executes them automatically
6. Inventory: defines the set of hosts Ansible operates on
The most important point: Ansible is modular; everything it does depends on modules
8. Preparing the Ansible practice environment
61(m01) ====> 31(nfs01)
61(m01) ====> 41(backup)
9. Installing Ansible
On the m01 control node:
yum install epel-release -y
yum install ansible -y
# If libselinux-python is already installed, skip the two commands below.
#rpm -qa |grep libselinux-python
#yum install libselinux-python -y
All other machines:
#rpm -qa |grep libselinux-python
#yum install libselinux-python -y
10. Host list (inventory) configuration
The plain ssh loop way:
for n in 7 8
do
echo 172.16.1.$n
done
/etc/ansible/hosts is the host inventory file; it defines the authentication information for the managed hosts,
e.g. the SSH login user name, password and key-related information. How to configure the Inventory file:
1. Hosts support hostname wildcards and regular expressions, e.g. web[1:3].oldboy.com stands for three hosts
2. Hosts support a non-standard ssh port, e.g. web1.oldboyedu.com:6666
3. Hosts support per-host variables, for special settings on individual hosts such as the login user/password
4. Host groups support group variables [group_name:vars] and nested groups [game:children]
Practice:
cp /etc/ansible/hosts{,.ori}
cat >/etc/ansible/hosts<<EOF
[oldboy]
172.16.1.31
172.16.1.41
[oldgirl]
172.16.1.31
172.16.1.41
172.16.1.51
EOF
cat /etc/ansible/hosts
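An added example (not from the notes) that parses the inventory format described above with awk, covering the four forms listed: plain hosts, the host:port form, per-host variables such as ansible_port and ansible_user, and [group:vars] plus [group:children]. It prints one "host port user" line per resolved host, which is a quick way to see which credentials Ansible will actually use before running anything. The sample inventory is constructed; it reuses the notes' addresses and adds a made-up deploy user and an ops group user.

```shell
#!/bin/bash
# Added example, not from the original notes: resolve an INI-style Ansible
# inventory (groups, host:port, per-host vars, [group:vars], [group:children])
# into "host port user" lines. The inventory below is constructed.

SAMPLE_INVENTORY=$(cat <<'EOF'
# constructed sample, modelled on /etc/ansible/hosts from the notes
[oldboy]
172.16.1.31
172.16.1.41 ansible_port=52113
web1.oldboyedu.com:6666 ansible_user=deploy

[oldboy:vars]
ansible_user=ops

[db]
172.16.1.51

[game:children]
oldboy
db
EOF
)

# inventory_resolve <inventory-text> <group>: prints "host port user" for
# every host in <group>, following [group:children] recursively.
inventory_resolve() {
    printf '%s\n' "$1" | awk -v want="$2" '
    NF == 0 || $1 ~ /^#/ { next }               # skip blank lines and comments
    /^\[/ {                                     # [group], [group:vars] or [group:children]
        name = $0
        sub(/^\[/, "", name); sub(/\].*$/, "", name)
        n = split(name, parts, ":")
        section = parts[1]
        kind = (n > 1) ? parts[2] : "hosts"
        next
    }
    kind == "hosts" {
        host = $1; port = 22
        if (split(host, hp, ":") == 2) { host = hp[1]; port = hp[2] }   # host:port form
        members[section] = members[section] " " host
        hport[host] = port
        for (i = 2; i <= NF; i++) {             # per-host key=value variables
            split($i, kv, "=")
            if (kv[1] == "ansible_port") hport[host] = kv[2]
            if (kv[1] == "ansible_user" || kv[1] == "ansible_ssh_user") huser[host] = kv[2]
        }
        next
    }
    kind == "vars" {                            # [group:vars] applies to the whole group
        split($0, kv, "=")
        if (kv[1] == "ansible_user" || kv[1] == "ansible_ssh_user") guser[section] = kv[2]
        next
    }
    kind == "children" { children[section] = children[section] " " $1; next }
    END { emit(want, "") }
    # emit prints the hosts of one group, then recurses into its children;
    # a group user is inherited by child groups unless they set their own.
    function emit(g, inherited,    n, i, arr, h, u, user) {
        u = (g in guser) ? guser[g] : inherited
        n = split(members[g], arr, " ")
        for (i = 1; i <= n; i++) {
            h = arr[i]
            if (h in huser) user = huser[h]
            else if (u != "") user = u
            else user = "root"                  # assumed default when nothing is set
            print h, hport[h], user
        }
        n = split(children[g], arr, " ")
        for (i = 1; i <= n; i++) emit(arr[i], u)
    }'
}

# Show how the nested "game" group resolves.
inventory_resolve "$SAMPLE_INVENTORY" game
```

Per-host variables win over [group:vars], and a parent group's variables reach the hosts of its children; passwords placed in the file with ansible_ssh_pass would be printed just as readily, which is one reason to keep the inventory readable by the control-node operator only.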
/etc/ansible/ansible.cfg # Ansible's configuration file
11. Running ansible for the first time: the yes/no prompt and authentication
Running the following command directly produces an error:
ansible oldboy -m command -a "free -m"
This assumes SSH key authentication is in place:
if SSH key authentication has not been set up, the user name and password can be written into
/etc/ansible/hosts
[oldboy_pass]
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_ssh_user=root ansible_ssh_pass=123456
ansible oldboy -m command -a "free -m"
To make it succeed, first solve the yes/no problem.
1. ssh to the host once
ssh 172.16.1.31
2. the ssh -o option
Turn off the yes/no prompt on Ansible's first SSH connection.
When connecting with ssh, the -o option can set StrictHostKeyChecking to no, which avoids the yes/no prompt on the first connection.
Method one: edit line 374 of /etc/ansible/ansible.cfg.
369 [ssh_connection]
370
371 # ssh arguments to use
372 # Leaving off ControlPersist will result in poor performance, so use
373 # paramiko on older platforms rather than removing it, -C controls compression use
374 #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
Change line 374 to:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
Method two: edit line 71 of /etc/ansible/ansible.cfg.
70 # uncomment this to disable SSH key host checking
71 #host_key_checking = False
Uncomment line 71: host_key_checking = False
Goal: does Ansible require key-based (passwordless SSH) authentication? YES
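Both methods above switch host key checking off, which removes the prompt but also lets a connection proceed when a host's key has changed. As an added example (not from the notes), the alternative that keeps the check: fetch each host's key once with ssh-keyscan, compare its SHA256 fingerprint with a value obtained out of band (console, provisioning records), and append it to known_hosts only on a match; afterwards ssh and Ansible connect without the prompt and a changed key is still refused. The variables KNOWN_HOSTS, KEYSCAN and KEYGEN are this example's own and exist only so the logic can be exercised offline; the expected fingerprint is the one ansible prints further down in the notes.

```shell
#!/bin/bash
# Added example, not from the original notes: pre-seed known_hosts after
# verifying the fingerprint, instead of StrictHostKeyChecking=no.
# KNOWN_HOSTS, KEYSCAN and KEYGEN are this example's own overridable names.

KNOWN_HOSTS="${KNOWN_HOSTS:-${HOME:-/root}/.ssh/known_hosts}"
KEYSCAN="${KEYSCAN:-ssh-keyscan}"   # overridable so the logic can be tested without a network
KEYGEN="${KEYGEN:-ssh-keygen}"

# fingerprint_of <known_hosts line>: the SHA256:... fingerprint of that key
fingerprint_of() {
    printf '%s\n' "$1" | "$KEYGEN" -lf /dev/stdin | awk '{print $2}'
}

# seed_known_host <host> <expected SHA256:... fingerprint>
# Fetches the host's ECDSA key and appends it to known_hosts only if the
# fingerprint matches the expected value; otherwise writes nothing and
# returns 1. Re-running for an already seeded host adds no duplicate line.
seed_known_host() {
    host=$1
    expected=$2
    line=$("$KEYSCAN" -t ecdsa "$host" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "$host: no host key received" >&2; return 1; }
    actual=$(fingerprint_of "$line")
    if [ "$actual" != "$expected" ]; then
        echo "$host: fingerprint $actual does not match expected $expected" >&2
        return 1
    fi
    mkdir -p "$(dirname "$KNOWN_HOSTS")"
    grep -qF "$line" "$KNOWN_HOSTS" 2>/dev/null || printf '%s\n' "$line" >> "$KNOWN_HOSTS"
}

# Usage on the control node, with the fingerprint read off the host's console:
#   seed_known_host 172.16.1.7 SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk
```

Once known_hosts is seeded this way, ssh_args and host_key_checking in ansible.cfg can stay at their defaults: there is no prompt because the key is already known, and a mismatch later fails loudly instead of being silently accepted.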
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.7
Restore the /etc/ansible/ansible.cfg configuration and reboot the servers:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)?
Fix the yes/no prompt so nothing has to be typed:
edit line 374 of ansible.cfg (/etc/ansible/ansible.cfg):
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
Run it again; now the error is:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
Fix the public key problem:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
Run the ansible command:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
for ip in 31
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.31 "ifconfig eth0"
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 71 804 7 96 768
Swap: 767 0 767
Verification: delete the public key; does it stop working?
After a reboot it fails; before the reboot it still worked
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Could not create directory '/root/.ssh'.\r\nWarning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
Edit hosts to add the user and password:
[root@m01 ~]# cat /etc/ansible/hosts
#[oldboy]
#172.16.1.31
#172.16.1.7
[oldboy_pass]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
Result:
[root@m01 ~]# ansible oldboy_pass -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 79 791 7 101 758
Swap: 767 0 767
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 806 7 95 771
Swap: 767 0 767
Conclusion for SSH connections:
Password authentication: add the password after the host in the hosts file (Paramiko module).
Key authentication (the key point): push the public key in advance, then Ansible can be used (sshpass tool).
Non-standard port:
[oldboy]
172.16.1.7 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
12. Practice based on SSH key authentication
Create and distribute the key in one step:
#!/bin/bash
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 8 41 31
do
sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
[root@m01 ~]# ansible oldboy -m command -a "free -m" # same as the earlier sh cmd.sh "free -m"
13. ansible command parameters:
-m MODULE_NAME: module name, default command
-a MODULE_ARGS: module arguments
-f FORKS: number of parallel processes, default 5
-i INVENTORY (default=/etc/ansible/hosts): specify the host list file
ansible
ansible-doc
ansible-playbook
ansible-galaxy
14. Viewing Ansible modules and their help
Find modules:
ansible-doc -l # a module is like a Linux command.
View the parameter help of a specific module:
ansible-doc -s command # like the parameters of a Linux command
1. command module
1) Function description:
command Executes a command on a remote node
Function description: executes a command on the remote node
Practice:
ansible oldboy -m command -a "free -m"
ansible oldboy -m command -a "df -h"
ansible oldboy -m command -a "ls /root"
ansible oldboy -m command -a "cat redhat-release"
ansible oldboy -m command -a "cat /etc/redhat-release"
The most general-purpose feature.
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/redhat-release"
172.16.1.7 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.31 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.41 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
[root@m01 ~]# cat /server/scripts/cmd.sh
for n in 31 41
do
echo "=====172.16.1.$n======"
ssh 172.16.1.$n "$1"
done
[root@m01 ~]# sh /server/scripts/cmd.sh "cat /etc/redhat-release"
=====172.16.1.31======
CentOS Linux release 7.6.1810 (Core)
=====172.16.1.41======
CentOS Linux release 7.6.1810 (Core)
Special case: things it does not support, such as > < | & and $HOME; the alternative is the shell module
ansible oldboy -m shell -a "ps -ef|grep ssh"
ansible oldboy -m shell -a "echo oldboy >/tmp/a.log"
2) Common parameters and practice
[root@m01 ~]# ansible-doc -s command
- name: Executes a command on a remote node
command:
argv: # Allows the user to provide the command as a list vs. a string. Only the
string or the list form can be provided, not
both. One or the other must be provided.
chdir: # Change into this directory before running the command.
creates: # A filename or (since 2.0) glob pattern. If it already exists, this step
*won't* be run.
free_form: # (required) The command module takes a free form command to run. There is no
parameter actually named 'free form'. See the
examples!
removes: # A filename or (since 2.0) glob pattern. If it already exists, this step *will* be run.
stdin: # Set the stdin of the command directly to the specified value.
warn: # If command_warnings are on in ansible.cfg, do not warn about this particular
line if set to `no'.
Parameter chdir=/tmp is equivalent to cd /tmp
[root@m01 ~]# ansible oldboy -m command -a "pwd chdir=/etc"
ansible oldboy -m shell -a "cd /etc/;pwd"
Parameter creates=/etc is equivalent to the condition test [ -e /etc ] || pwd (the opposite of removes below)
[root@m01 ~]# ansible oldboy -m command -a "pwd creates=/etc"
Parameter removes=/root is equivalent to the condition test [ -e /root ] && ls /root
ansible oldboy -m command -a "ls /root removes=/root"
ansible oldboy -m shell -a "[ -d /etc ]||pwd"
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/hosts removes=/etc/hosts"
Parameter warn=False: ignore the warning
[root@m01 ~]# ansible oldboy -m command -a "chmod 000 /etc/hosts warn=False"