1. Summary of common ssh options and usage
The ssh command is the ssh client; it provides authenticated, encrypted access to a remote system. The ssh client configuration file is /etc/ssh/ssh_config.
Common options used with the ssh command:
-p port: the port the remote server listens on
ssh 192.168.1.8 -p 2222
-b: specify the source IP of the connection
ssh 192.168.1.8 -p 2222 -b 192.168.1.88
-v: verbose (debug) mode
ssh 192.168.1.8 -p 2222 -v
-C: enable compression
-X: enable X11 forwarding
allows graphical tools on the remote Linux host to be used on the local machine
-t: force pseudo-tty allocation, e.g.: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option, e.g.: -o StrictHostKeyChecking=no
-i <file>: specify the path of the private key file for key-based authentication; by default the files ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa etc. are used
2. Summary of common sshd service parameters.
Server-side configuration file: /etc/ssh/sshd_config
Common parameters:
Port #port number
ListenAddress ip
LoginGraceTime 2m #grace period for completing authentication
PermitRootLogin yes #Ubuntu does not allow remote root ssh login by default
StrictModes yes #check the ownership, permissions etc. of the .ssh/ files
MaxAuthTries 6
MaxSessions 10 #maximum number of sessions per connection
PubkeyAuthentication yes #key-based authentication
PermitEmptyPasswords no #allow connections with an empty password
PasswordAuthentication yes #username and password authentication
GatewayPorts no
ClientAliveInterval 10 #unit: seconds
ClientAliveCountMax 3 #default 3
UseDNS yes #can be changed to no to speed up logins
GSSAPIAuthentication yes #can be changed to no to speed up logins
MaxStartups #maximum number of unauthenticated connections, default 10
Banner /path/file
#The following directives restrict which users may log in:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
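As an added example (not part of the original post), the following script audits an sshd_config for the risky values among the parameters listed above, the way a reviewer would before exposing a host with remote root or password logins. It reads the file the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and settings under a Match block are conditional, so they are ignored here. Keywords that are absent fall back to assumed OpenSSH defaults (an assumption; confirm the real effective values with `sshd -T`). The two configuration files are constructed samples: the weak configuration beside its hardened form.

```shell
# Added example: audit an sshd_config for the weak values discussed above.

sshd_audit() {
    # $1 = path to an sshd_config. Prints one line per finding, nothing when clean.
    awk '
        BEGIN {
            # assumed compiled-in defaults (OpenSSH 7.x and later); verify with: sshd -T
            def["permitrootlogin"]        = "prohibit-password"
            def["passwordauthentication"] = "yes"
            def["permitemptypasswords"]   = "no"
            def["pubkeyauthentication"]   = "yes"
            def["strictmodes"]            = "yes"
            # value that is flagged, and what to set instead
            weak["permitrootlogin"]        = "yes"; rec["permitrootlogin"]        = "no"
            weak["passwordauthentication"] = "yes"; rec["passwordauthentication"] = "no (once key auth is verified)"
            weak["permitemptypasswords"]   = "yes"; rec["permitemptypasswords"]   = "no"
            weak["pubkeyauthentication"]   = "no";  rec["pubkeyauthentication"]   = "yes"
            weak["strictmodes"]            = "no";  rec["strictmodes"]            = "yes"
        }
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0          { next }                       # blank line
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { in_match = 1 }
        in_match         { next }                       # conditional section, not audited
        {
            key = tolower($1)
            if (!(key in val)) val[key] = tolower($2)   # sshd keeps the first occurrence
        }
        END {
            for (key in weak) {
                v = (key in val) ? val[key] : def[key]
                if (v == weak[key])
                    printf "%s %s -> %s\n", key, v, rec[key]
            }
        }
    ' "$1"
}

# Number of findings, usable as an exit criterion in a deployment check.
sshd_finding_count() { sshd_audit "$1" | awk 'END { print NR }'; }

# Constructed samples: the weak configuration beside its hardened form.
SSHD_SAMPLE_DIR=$(mktemp -d)
cat > "$SSHD_SAMPLE_DIR/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
# PubkeyAuthentication not set: default yes, so it is not flagged
EOF
cat > "$SSHD_SAMPLE_DIR/hardened.conf" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
StrictModes yes
MaxAuthTries 3
AllowGroups sshadmins
# LAN-only exception lives in a Match block; it is conditional, so not audited
Match Address 10.0.0.0/24
    PasswordAuthentication yes
EOF

sshd_audit "$SSHD_SAMPLE_DIR/weak.conf"       # two findings
sshd_audit "$SSHD_SAMPLE_DIR/hardened.conf"   # prints nothing
```

Run it against /etc/ssh/sshd_config before restarting sshd; a non-zero finding count is a reason to stop. The audit deliberately reports only the global section, because a Match block can re-enable password logins for one address or group without weakening the default.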
(Do not write methods for getting around the Great Firewall in the blog; once page views exceed ten thousand the blog will be blocked.)
3. Two-factor ssh authentication with PAM and the google module.
4. Use chrony to synchronize time on the internal network (one machine, node1, synchronizes from the Internet; the other machines synchronize from node1).
node1: 10.0.0.7  node2: 10.0.0.8
node1:
Install chrony
yum install chrony -y
Edit chrony.conf, adding ntp.aliyun.com as the time server and allowing hosts on the 10.0.0.0 network to synchronize.
[root@node1 ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp.aliyun.com iburst
......
# Allow NTP client access from local network.
allow 10.0.0.0/24
# Serve time even if not synchronized to a time source.
local stratum 10
Restart the service
systemctl restart chronyd
[root@node1 ~]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88 2 6 377 55 -243us[ -531us] +/- 22ms
node2
Install chrony
[root@node2 ~]# dnf install chrony -y
Change the synchronization host in chrony.conf
pool 10.0.0.7 iburst
[root@node2 ~]# chronyc sources -v
210 Number of sources = 1
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.7 3 6 17 12 -2982ns[ -38us] +/- 134ms
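Before the internal machines are trusted to take time from node1, it is worth checking mechanically what the two `chronyc sources` outputs above show by eye. The script below is an added example (not from the original post): it parses `chronyc sources` output, finds the currently synced source (the `^*` line), and reports `ok`, `degraded` or `unsynced`. The first two samples are the node1 and node2 tables captured above; the third is a constructed table showing node1 unreachable from node2 (for example when the `allow` line is missing). The maximum acceptable stratum is an optional second argument and defaults to 10 (an assumption, chosen to match the `local stratum 10` fallback above).

```shell
# Added example: decide from `chronyc sources` output whether a host is really synchronized.

chrony_status() {
    # $1 = file holding `chronyc sources` (or `sources -v`) output
    # $2 = maximum acceptable stratum (default 10)
    # Prints: ok | degraded | unsynced, followed by source, stratum and reach.
    # A source line looks like:  ^* 203.107.6.88  2  6  377  55  -243us[ -531us] +/- 22ms
    #   $1 = mode+state ('^*' = server, currently synced), $2 = name,
    #   $3 = stratum, $4 = log2 poll interval, $5 = reach register (octal)
    awk -v max_stratum="${2:-10}" '
        # legend lines printed by -v start with ".", "/" or "|" and never match
        /^\^\*/ {
            synced = 1; name = $2; stratum = $3 + 0; reach = $5
            exit                     # only one synced source at a time; END still runs
        }
        END {
            if (!synced) { print "unsynced"; exit }
            # 377 (octal 11111111) means all of the last 8 polls were answered;
            # a freshly restarted chronyd shows a smaller value for a while
            if (reach != "377" || stratum > max_stratum)
                printf "degraded %s stratum=%d reach=%s\n", name, stratum, reach
            else
                printf "ok %s stratum=%d reach=%s\n", name, stratum, reach
        }
    ' "$1"
}

# Just the state word, handy in a monitoring check.
chrony_state() { chrony_status "$1" "${2:-10}" | awk '{ print $1 }'; }

CHRONY_SAMPLE_DIR=$(mktemp -d)
# node1 as captured above: synced to a public server, reach 377
cat > "$CHRONY_SAMPLE_DIR/node1.txt" <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 203.107.6.88                  2   6   377    55   -243us[ -531us] +/-   22ms
EOF
# node2 as captured above: synced to node1, but reach 17 = only the last 4 polls answered
cat > "$CHRONY_SAMPLE_DIR/node2.txt" <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 10.0.0.7                      3   6    17    12  -2982ns[  -38us] +/-  134ms
EOF
# constructed: node1 unreachable from node2 ('?' state, reach 0)
cat > "$CHRONY_SAMPLE_DIR/node2_unreachable.txt" <<'EOF'
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 10.0.0.7                      0   6     0     -     +0ns[   +0ns] +/-    0ns
EOF

chrony_status "$CHRONY_SAMPLE_DIR/node1.txt"               # ok 203.107.6.88 stratum=2 reach=377
chrony_status "$CHRONY_SAMPLE_DIR/node2.txt"               # degraded 10.0.0.7 stratum=3 reach=17
chrony_status "$CHRONY_SAMPLE_DIR/node2_unreachable.txt"   # unsynced
```

On a live host use `chronyc sources > /tmp/sources.txt` and pass that file. The node2 result is `degraded` only because the service had just been restarted; after eight successful polls the reach register climbs to 377 and the check reports `ok`.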
5帜讲、利用cobbler實(shí)現(xiàn)系統(tǒng)自動(dòng)化安裝衅谷。
環(huán)境準(zhǔn)備
兩臺(tái)主機(jī)
一臺(tái)主機(jī):CentOS 7 充當(dāng) Cobbler,http似将,dhcp获黔,tftp 服務(wù)器,并關(guān)閉防火墻和SELinux
一臺(tái)主機(jī):充當(dāng)測(cè)試機(jī)在验,用于實(shí)現(xiàn)自動(dòng)化安裝Linux系統(tǒng)
安裝相關(guān)包并啟動(dòng)服務(wù)
[root@centos7 ~]#yum install cobbler dhcp -y
[root@centos7 ~]#systemctl enable --now cobblerd httpd tftp dhcpd
** 修改cobbler相關(guān)的配置 **
[root@localhost ~]#cobbler check
The following are potential configuration items that you may want to fix:
1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : change 'disable' to 'no' in /etc/xinetd.d/tftp
4 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
5 : enable and start rsyncd.service with systemctl
6 : debmirror package is not installed, it will be required to manage debian deployments and repositories
7 : ksvalidator was not found, install pykickstart
8 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
9 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
Restart cobblerd and then run 'cobbler sync' to apply changes.
#The root password of a newly installed system defaults to cobbler
#Of the hints above, only items 1, 2 and 8 need to be handled; change the lines below
[root@centos7 ~]#vim /etc/cobbler/settings
next_server: <IP address of the tftp server>
server: <IP address of the cobbler server>
manage_dhcp: 1 #set to 1 so that cobbler generates the dhcpd.conf configuration file
[root@centos7 ~]#systemctl restart cobblerd
Set up the dhcp service
#Edit the lines below in the dhcp template file, which is used to generate the dhcp configuration file
#vi /etc/cobbler/dhcp.template
subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.2;
option domain-name-servers 114.114.114.114;
option subnet-mask 255.255.255.0;
range dynamic-bootp 10.0.0.200 10.0.0.250;
[root@localhost ~]#cobbler sync
task started: 2021-08-16_123044_sync
task started (id=Sync, time=Mon Aug 16 12:30:44 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/grub/images
copying bootloaders
trying hardlink /usr/share/syslinux/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /usr/share/syslinux/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /usr/share/syslinux/memdisk -> /var/lib/tftpboot/memdisk
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout:
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
[root@localhost ~]#systemctl start dhcpd
Download the boot loader files
#cobbler get-loaders
[root@localhost ~]#ll /var/lib/cobbler/loaders
total 0
-rw-r--r-- 1 root root 0 Aug 16 12:33 COPYING.elilo
-rw-r--r-- 1 root root 0 Aug 16 12:36 COPYING.syslinux
-rw-r--r-- 1 root root 0 Aug 16 12:35 COPYING.yaboot
-rw-r--r-- 1 root root 0 Aug 16 12:36 elilo-ia64.efi
-rw-r--r-- 1 root root 0 Aug 16 12:40 grub-x86_64.efi
-rw-r--r-- 1 root root 0 Aug 16 12:40 grub-x86.efi
-rw-r--r-- 1 root root 0 Aug 16 12:39 menu.c32
-rw-r--r-- 1 root root 0 Aug 16 12:39 pxelinux.0
-rw-r--r-- 1 root root 0 Aug 16 12:32 README
-rw-r--r-- 1 root root 0 Aug 16 12:37 yaboot
[root@localhost loaders]#tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── boot
│ └── grub
│ └── menu.lst
├── etc
├── grub
│ ├── efidefault
│ ├── grub-x86_64.efi
│ ├── grub-x86.efi
│ └── images -> ../images
├── images
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxelinux.0
├── pxelinux.cfg
│ └── default
├── s390x
│ └── profile_list
└── yaboot
10 directories, 10 files
Change the menu title
[root@localhost loaders]#vim /etc/cobbler/pxe/pxedefault.template
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | http://www.magedu.com/
#cobbler sync
Import the CentOS installation files and generate the corresponding YUM repository
[root@localhost misc]#mount /dev/sr0 /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@localhost misc]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 100G 1.4G 99G 2% /
devtmpfs 475M 0 475M 0% /dev
tmpfs 487M 0 487M 0% /dev/shm
tmpfs 487M 7.8M 479M 2% /run
tmpfs 487M 0 487M 0% /sys/fs/cgroup
/dev/mapper/centos-data 50G 33M 50G 1% /data
/dev/sda1 1014M 146M 869M 15% /boot
tmpfs 98M 0 98M 0% /run/user/0
/dev/sr0 4.3G 4.3G 0 100% /mnt
#cobbler import --name=centos-7.6-x86_64 --path=/mnt --arch=x86_64
Prepare the kickstart file and associate it with the specified YUM repository
[root@localhost kickstarts]#cat /var/lib/cobbler/kickstarts/centos7.cfg
ignoredisk --only-use=sda
zerombr
text
reboot
clearpart --all --initlabel
selinux --disabled
firewall --disabled
url --url=$tree #note: this line is required
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --bootproto=dhcp --device=ens160 --ipv6=auto --activate
network --hostname=centos7-test
rootpw "Centos"
firstboot --enable
skipx
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
part / --fstype="xfs" --ondisk=sda --size=102400
part /data --fstype="xfs" --ondisk=sda --size=51200
part swap --fstype="swap" --ondisk=sda --size=2048
part /boot --fstype="ext4" --ondisk=sda --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
#Associate the kickstart file with the specified YUM repository and generate the menu entry
#cobbler profile add --name=CentOS-7.6_test --distro=CentOS-7.6-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg
#Remove the default generated menu entry
#cobbler profile remove --name=centos-7.6-x86_64
[root@localhost kickstarts]#cobbler profile list
CentOS-7.6_test
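The procedure above edits two files by hand, /etc/cobbler/settings and the kickstart, and a mistake in either only shows up when the test client fails to boot or install. The script below is an added example (not part of the original post, and not a cobbler tool): a pre-sync check for exactly the points raised earlier, namely `cobbler check` items 1 and 2 (`server` and `next_server` still pointing at localhost), the `manage_dhcp` flag, the mandatory `url --url=$tree` line, and a kickstart `rootpw` given in clear text rather than with `--iscrypted`. Item 8 (`default_password_crypted`) is left to `cobbler check` itself, since the shipped hash is not reproduced here. The four sample files are constructed; 10.0.0.100 is a placeholder for the cobbler host's address and the hash is a placeholder for `openssl passwd` output.

```shell
# Added example: sanity-check /etc/cobbler/settings and a kickstart file before `cobbler sync`.

cobbler_preflight() {
    # $1 = settings file (YAML "key: value" lines), $2 = kickstart file
    # Prints one line per finding, nothing when both files pass.
    awk '
        FNR == 1 { file++ }                        # file 1 = settings, file 2 = kickstart
        file == 1 && $1 == "server:" {
            if ($2 == "localhost" || $2 == "127.0.0.1")
                print "settings: server is " $2 ", use the IP clients reach the boot server on"
        }
        file == 1 && $1 == "next_server:" {
            if ($2 == "localhost" || $2 == "127.0.0.1")
                print "settings: next_server is " $2 ", use the TFTP server IP on the PXE network"
        }
        file == 1 && $1 == "manage_dhcp:" {
            if ($2 != "1")
                print "settings: manage_dhcp is " $2 ", set 1 so cobbler sync renders dhcpd.conf"
        }
        file == 2 && $1 == "url" { has_url = 1 }
        file == 2 && $1 == "rootpw" && $0 !~ /--iscrypted/ {
            print "kickstart: rootpw is clear text, hash it (openssl passwd -6, or -1 on old OpenSSL) and use --iscrypted"
        }
        END {
            if (!has_url)
                print "kickstart: missing \"url --url=$tree\", the installer cannot find the repository"
        }
    ' "$1" "$2"
}

# Number of findings, for use as a go/no-go before `cobbler sync`.
cobbler_finding_count() { cobbler_preflight "$1" "$2" | awk 'END { print NR }'; }

COBBLER_SAMPLE_DIR=$(mktemp -d)
# constructed "before" state, matching what `cobbler check` complained about above
cat > "$COBBLER_SAMPLE_DIR/settings.before" <<'EOF'
server: 127.0.0.1
next_server: 127.0.0.1
manage_dhcp: 0
EOF
cat > "$COBBLER_SAMPLE_DIR/centos7.before" <<'EOF'
text
reboot
url --url=$tree
rootpw "Centos"
EOF
# constructed "after" state: 10.0.0.100 is a placeholder for the cobbler host,
# the hash is a placeholder for real `openssl passwd` output
cat > "$COBBLER_SAMPLE_DIR/settings.after" <<'EOF'
server: 10.0.0.100
next_server: 10.0.0.100
manage_dhcp: 1
EOF
cat > "$COBBLER_SAMPLE_DIR/centos7.after" <<'EOF'
text
reboot
url --url=$tree
rootpw --iscrypted $6$PLACEHOLDER$replace_with_openssl_passwd_output
EOF

cobbler_preflight "$COBBLER_SAMPLE_DIR/settings.before" "$COBBLER_SAMPLE_DIR/centos7.before"   # 4 findings
cobbler_preflight "$COBBLER_SAMPLE_DIR/settings.after"  "$COBBLER_SAMPLE_DIR/centos7.after"    # prints nothing
```

On the cobbler host run it as `cobbler_preflight /etc/cobbler/settings /var/lib/cobbler/kickstarts/centos7.cfg` and only continue to `cobbler sync` when it prints nothing. A clear-text `rootpw` matters because the kickstart is served over plain HTTP to every PXE client on the subnet, so anyone on that network can read the root password of every machine it installs.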
Test automated installation from a client via Cobbler