1. Passwordless sshd login (key-based authentication)

First generate a key pair on the client (`ssh-keygen [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-f output_keyfile]`). This creates the private key id_rsa and the public key id_rsa.pub in the .ssh directory under the home directory.
```
[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Tk01JizN1kpk+xFcGp/qnPVdefmW6I4jfDPbqEWftOw root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| =+o*.. |
| ..*=o* . |
| +o.o o |
| o.. o o|
| S ..o..oo|
| o .o+o+.*|
| o .+* .=|
| o.=* . |
| .++*E |
+----[SHA256]-----+
```

Copy the client's public key to the server with ssh-copy-id. The command transfers the id_rsa.pub generated above to the target host over the ssh protocol and appends it to the .ssh/authorized_keys file there:

`/usr/bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname`

```
[root@localhost ~]# ssh-copy-id 192.168.79.37
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.79.37's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.79.37'"
and check to make sure that only the key(s) you wanted were added.
```
On the server, ~/.ssh/authorized_keys now contains the public key that was transferred:

```
[root@localhost .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEuRTkUHW3eczYi/adaPZfOxu/9wOHwzeVAqOx5qmaesaVmwkrhlscweKsEjjQxJlJlNx0mDxOBOFEluA4eaE4D9vySj9JZU+2/UJiWeX4OoDZqToAGJEHOoIKTmMAdxNXXemVgRm0PxrPa/F4baTA7h7cd46nRMvihbbRipagJTQ0ghqE5n6muh1KS2ogzr9CZJXz4HWt0fH6vCZXjjz6qrVJQVmZKFyvzA6RLo1eY1IX7NS1/iXgHiT5jziciUgaMkMT7GXHwX2e+TsLRTfvnMKavjAjh2DFslodXa7Y3V34/zJ8BaziXhSqN6H9vm2hyT7WAB2NPZL1dS+m0VLT root@localhost.localdomain
```

When the client next sends a connection request carrying its IP and username, the server looks it up in authorized_keys. If a matching IP and user are found, the server generates a random string, encrypts it with the public key copied over from the client, and sends it to the client. The client decrypts the message with its private key and returns the decrypted string; the server compares it with the string it generated, and if the two match the login is allowed without a password.
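Once a key has been installed, a quick server-side audit of authorized_keys is the natural follow-up: sshd ignores the file when other users could write to it (StrictModes is on by default), and entries with a legacy key type or without any restricting options deserve a second look. The POSIX shell script below is an added example, not part of the original post; it needs only sh, awk and ls, and the authorized_keys content it writes to a temporary file is constructed with truncated placeholder keys.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an authorized_keys file
# after ssh-copy-id; requires only POSIX sh, awk and ls.

# Print one line per key entry: "<status> <type> <comment>".
#   OK       plain entry with a current key type
#   LIMITED  entry carries options (from=, command=, ...) that restrict the key
#   WEAK     ssh-dss (DSA) key; protocol-1 rsa1 keys use a numeric format and
#            are reported as INVALID because they carry no type field
audit_authorized_keys() {
    awk '
    /^[[:space:]]*#/ { next }            # comment lines
    NF == 0          { next }            # blank lines
    {
        keyfield = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                keyfield = i; break
            }
        }
        if (keyfield == 0) { print "INVALID line " NR; next }
        comment = ""
        for (i = keyfield + 2; i <= NF; i++)
            comment = comment (comment == "" ? "" : " ") $i
        status = (keyfield > 1) ? "LIMITED" : "OK"   # options precede the type
        if ($keyfield == "ssh-dss") status = "WEAK"
        print status, $keyfield, (comment == "" ? "(no comment)" : comment)
    }' "$1"
}

# Return 0 when the file is neither group- nor world-writable, 1 otherwise.
# With StrictModes (the default) sshd refuses such a file, so key login
# silently falls back to a password prompt.
check_key_file_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # group write bit / other write bit
    esac
    return 0
}

# Constructed sample: keys are truncated placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# keys installed by ssh-copy-id
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEuRTk... root@localhost.localdomain
ssh-dss AAAAB3NzaC1kc3MAAACBAN... legacy@host
from="192.168.79.0/24",command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB... backup@host
EOF
chmod 600 "$sample"
audit_authorized_keys "$sample"
check_key_file_mode "$sample" && echo "file mode ok" || echo "file is writable by other users"
rm -f "$sample"
```

The option field is detected by position rather than parsed: anything before the key type is treated as options, which is enough to tell a plain entry from a restricted one even when a command= value contains spaces.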
2. Compile and install dropbear for SSH login

Download the source archive dropbear-2016.74.tar.bz2.
```
[root@localhost ~]# tar -jxf dropbear-2016.74.tar.bz2
[root@localhost ~]# cd dropbear-2016.74/
[root@localhost dropbear-2016.74]# yum -y groupinstall Development\ Tools
[root@localhost dropbear-2016.74]# yum -y install zlib-devel
[root@localhost dropbear-2016.74]# ./configure
[root@localhost dropbear-2016.74]# make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
[root@localhost dropbear-2016.74]# make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
[root@localhost dropbear-2016.74]# mkdir /etc/dropbear
[root@localhost dropbear-2016.74]# dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCJZgWAutctKrGVb0VJfDPduZp9cTRBIQzHK7ZKkAw4wCl+V8Obs4wlw37PbQJnfrtm5A7kaZcrremPyVc9P5RStrQzV683gBvU8TECHFZXXdQoODazuS3rMFeoUYXppuukCKhOv1kXsBn3GG2k3bvZ5m+pl+WKoPtpOoVT01DcvHzczqa8aZBmDc1cA25NiCuu494wDG0fA4Xs1qHmNzNH6BzS6kSUAD9dCXxxpwd4vcRqsQwzpHB5/dj6emSV+lgmvfwdxBWBnCznlx4JZuv3CiCjrzOkxMgQWdLVDK3V/uDUS6kt2POy/BCKJAR0ej8DdbKSMVx7wHBqqt7BlUvn root@localhost.localdomain
Fingerprint: md5 52:98:d6:3c:1a:e1:49:2a:78:a6:34:3d:e5:c5:c6:34
[root@localhost dropbear-2016.74]# dropbear -p :2222
```

On the client, `ssh -p 2222 root@192.168.79.37` now connects to the server through tcp/2222.

3. Allow a single user and a user group to run all commands with sudo
The sudo configuration files are /etc/sudoers and /etc/sudoers.d/*. Its log is /var/log/secure, which records when an authorized user did what through sudo and so serves as an audit trail. /etc/sudoers is read-only; edit it with visudo.

Authorizing a single user: below line 99 of the configuration file are the per-user policies, as shown here:
```
99  ## Allow root to run any commands anywhere
100 root    ALL=(ALL)       ALL
101 wang    ALL=(root)      ALL
```

The format is: user  host=(identity the user may run as)  commands allowed under that identity. Following that format, line 101 above authorizes user wang to use sudo on any host to run any command as root.

Authorizing a group: below line 106 of the configuration file are the group policies, as shown here:
```
106 ## Allows people in group wheel to run all commands
107 %wheel  ALL=(ALL)       ALL
108 %test   ALL=(root)      ALL
```

The format is the same as for a single user, except that a group is written with a '%' in front of the group name. Further down, the configuration file contains a few commented-out policies that can serve as references:

# %wheel ALL=(ALL) NOPASSWD: ALL  : members of the group may use sudo without entering a password
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom  : members of the group may mount and unmount the cdrom as root
# %users localhost=/sbin/shutdown -h now  : members of the group may shut the system down with shutdown -h now
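The rules above all follow the `who host=(runas) [TAG:] commands` shape. The script below, added here and not from the original post, parses such lines with awk and prints one summary per rule, marking group rules (the `%` prefix), the NOPASSWD tag, and the combination of NOPASSWD with ALL, which removes both the password prompt and any command restriction. It assumes POSIX sh and awk, skips Defaults and alias definitions instead of expanding them, and the sample file it writes is constructed from the lines shown in this section.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises the user and group
# rules of a sudoers file; needs POSIX sh and awk only. Defaults, *_Alias and
# #include lines are skipped rather than expanded.

# Print one line per rule:
#   <RISK|ok> <user|group> <principal> host=<h> runas=<r> nopasswd=<yes|no> cmds=<c>
# RISK marks NOPASSWD combined with ALL: no password prompt and no command limit.
summarize_sudoers() {
    awk '
    { sub(/^[[:space:]]+/, "") }                      # drop leading indentation
    /^#/ || NF == 0 { next }
    /^(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
    {
        principal = $1
        rest = substr($0, length($1) + 1); sub(/^[[:space:]]+/, "", rest)
        eq = index(rest, "=")
        if (eq == 0) { print "UNPARSED line " NR; next }
        host = rest; sub(/[[:space:]]*=.*$/, "", host)
        spec = substr(rest, eq + 1); sub(/^[[:space:]]+/, "", spec)
        runas = "root"                                # sudo default when no (runas) is given
        if (substr(spec, 1, 1) == "(") {
            cl = index(spec, ")")
            runas = substr(spec, 2, cl - 2)
            spec = substr(spec, cl + 1); sub(/^[[:space:]]+/, "", spec)
        }
        nopasswd = "no"
        while (match(spec, /^[A-Z]+:[[:space:]]*/)) { # NOPASSWD:, SETENV:, ...
            tag = substr(spec, 1, RLENGTH); sub(/:[[:space:]]*$/, "", tag)
            if (tag == "NOPASSWD") nopasswd = "yes"
            spec = substr(spec, RLENGTH + 1)
        }
        sub(/[[:space:]]+$/, "", spec)
        kind = (substr(principal, 1, 1) == "%") ? "group" : "user"
        risk = (nopasswd == "yes" && spec == "ALL") ? "RISK" : "ok"
        printf "%s %s %s host=%s runas=%s nopasswd=%s cmds=%s\n",
               risk, kind, principal, host, runas, nopasswd, spec
    }' "$1"
}

# Constructed sample built from the rules quoted in this section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
wang    ALL=(root)      ALL
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL
%test   ALL=(root)      ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
%users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
%users  localhost=/sbin/shutdown -h now
EOF
summarize_sudoers "$sample"
rm -f "$sample"
```

The summary is a review aid, not a syntax check: keep using visudo for edits, since it validates the file before saving and a syntax error in /etc/sudoers locks everyone out of sudo.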
4. What scenarios is rsync used in, and what advantages does it have over scp?

rsync copies files between remote systems efficiently over the ssh or rsh service, using the secure shell connection as its transport. It is more efficient than scp because it copies only the files that differ: it checks timestamps and other file attributes, and a file whose timestamp has changed while its content has not is still treated as a different file.
```
rsync - a fast, versatile, remote (and local) file-copying tool
rsync [OPTION...] SRC... [DEST]
```

Commonly used rsync options:
-n: dry run; simulates the copy without actually transferring anything
-v: show details of the process
-r: copy directory trees recursively
-p: preserve permissions
-t: preserve timestamps
-g: preserve group
-o: preserve owner
-l: copy symlinks as symlinks (default)
-L: copy the file a symlink points to
-A: preserve ACLs
-X: preserve SELinux attributes
-a: archive mode, equivalent to -rlptgoD, but without ACLs or SELinux attributes
5. Set up a DHCP server so clients obtain IP addresses automatically
```
[root@localhost ~]# yum -y install dhcp
[root@localhost ~]# cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@localhost ~]# vim /etc/dhcp/dhcpd.conf
# edit or add, anywhere in the file:
subnet 192.168.79.0 netmask 255.255.255.0 {
    range 192.168.79.130 192.168.79.154;
    option routers 192.168.79.1;
}
[root@localhost ~]# systemctl restart dhcpd
[root@localhost ~]# systemctl enable dhcpd
Created symlink from /etc/systemd/system/multi-user.target.wants/dhcpd.service to /usr/lib/systemd/system/dhcpd.service.
[root@localhost ~]# iptables -F
[root@localhost ~]# setenforce 0
```

The DHCP server is now up. On the client, change the network settings so that the IP address is obtained via dhcp and restart the network service (ifup/ifdown also works). The client's IP address will then be one from the pool set in the dhcp server's configuration file.
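Before restarting dhcpd it is worth confirming that the pool in the subnet stanza lies inside the declared subnet and that the router address is not part of the pool: dhcpd refuses to start when a range is outside its subnet, and a router inside the pool eventually collides with a lease. The script below is an added example rather than part of the original post. It extracts the subnet, range and routers lines with awk (handling both the plain `range` form used here and the `range dynamic-bootp` form that cobbler's dhcp.template uses further down the page), converts the addresses to integers and checks them with shell arithmetic. It assumes POSIX sh and awk, and the configuration it writes to a temporary file is constructed from the values in this section.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity-checks the subnet stanza
# of a dhcpd.conf; assumes POSIX sh with awk and a single subnet block in the
# ISC dhcpd syntax used on this page.

# Dotted quad -> integer, so addresses can be compared with shell arithmetic.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "net mask router lo hi" taken from the first subnet block in FILE.
parse_subnet() {
    awk '
        $1 == "subnet" && $3 == "netmask" { net = $2; mask = $4 }
        $1 == "option" && $2 == "routers" { r = $3; sub(/[,;]$/, "", r) }
        $1 == "range" {
            lo = $2; hi = $3
            if (lo == "dynamic-bootp") { lo = $3; hi = $4 }   # cobbler template form
            sub(/;$/, "", hi)
        }
        END { print net, mask, r, lo, hi }
    ' "$1"
}

# Return 0 when pool and router are consistent with the subnet, 1 otherwise,
# printing every problem found.
check_dhcpd_subnet() {
    set -- $(parse_subnet "$1")
    [ $# -eq 5 ] || { echo "could not find subnet, range and routers lines"; return 1; }
    net=$(ip2int "$1"); mask=$(ip2int "$2"); gw=$(ip2int "$3")
    lo=$(ip2int "$4");  hi=$(ip2int "$5")
    bcast=$(( net | (~mask & 4294967295) ))
    rc=0
    [ $(( net & mask )) -eq "$net" ] || { echo "subnet $1 is not aligned to netmask $2"; rc=1; }
    [ $(( lo & mask )) -eq "$net" ] && [ $(( hi & mask )) -eq "$net" ] \
        || { echo "range $4-$5 is outside $1"; rc=1; }
    [ "$lo" -le "$hi" ] || { echo "range start $4 is after range end $5"; rc=1; }
    [ "$lo" -gt "$net" ] && [ "$hi" -lt "$bcast" ] \
        || { echo "range includes the network or broadcast address"; rc=1; }
    [ $(( gw & mask )) -eq "$net" ] || { echo "router $3 is outside $1"; rc=1; }
    [ "$gw" -lt "$lo" ] || [ "$gw" -gt "$hi" ] \
        || { echo "router $3 lies inside the dynamic pool"; rc=1; }
    return $rc
}

# Constructed sample using the values from this section.
conf=$(mktemp)
cat > "$conf" <<'EOF'
subnet 192.168.79.0 netmask 255.255.255.0 {
    range 192.168.79.130 192.168.79.154;
    option routers 192.168.79.1;
}
EOF
check_dhcpd_subnet "$conf" && echo "subnet stanza looks consistent"
rm -f "$conf"
```

Run it against /etc/dhcp/dhcpd.conf (or against the file that cobbler sync generates) before the restart; a non-zero exit with the printed reasons is cheaper than reading the failure out of journalctl afterwards.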
6. Set up PXE for automated OS installation
Preparation: disable the firewall and SELinux.
```
[root@localhost ~]# yum -y install httpd tftp-server.x86_64 dhcp syslinux system-config-kickstart.noarch
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
[root@localhost ~]# mkdir /var/www/html/centos7
[root@localhost ~]# mount /dev/sr0 /var/www/html/centos7
[root@localhost ~]# vim development.repo
# on CentOS 7 the repo must be named development, otherwise system-config-kickstart
# reports an error when selecting packages
[development]
name=development
baseurl=file:///media
enabled=1
gpgcheck=0
[root@localhost ~]# mkdir /var/www/html/ks
[root@localhost ~]# cp anaconda-ks.cfg /var/www/html/ks/ks7.cfg
[root@localhost ~]# vim /var/www/html/ks/ks7.cfg
#version=DEVEL
# System authorization information
# Use CDROM installation media
url --url=http://192.168.79.7/centos7
# Use graphical install
text
# Run the Setup Agent on first boot
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=ens33 --onboot=off --ipv6=auto --no-activate
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$dT.m5jP3xxCrMtiZ$qe53ctKWMBKxmEwDCInr/MWSEdXCb1Y1YGJqZKsnbJ1ece2Dk3gsAJI5P2J8hhrrUjO.3kQH7.s6/BvBRkN3y0
# System services
services --disabled="chronyd"
# System timezone
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=$6$wS/J8DAIJb0mZqBd$HenQYrs7Y5vYND71I14OvwddFPPGS.asKmXmxR059DyVDuGhxOGDP3Sr0R103WsRM9tQ5hLk.157a72sUINpH. --iscrypted --gecos="wang"
# X Window System configuration information
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --initlabel
zerombr
# Disk partitioning information
part / --fstype="xfs" --ondisk=sda --size=30720
part /home --fstype="xfs" --ondisk=sda --size=20480
part swap --fstype="swap" --ondisk=sda --size=4096
part /data --fstype="xfs" --ondisk=sda --size=51200
part /boot --fstype="xfs" --ondisk=sda --size=2048
reboot

%packages
@^graphical-server-environment
@base
@core
@desktop-debugging
@dial-up
@fonts
@gnome-desktop
@guest-agents
@guest-desktop-agents
@hardware-monitoring
@input-methods
@internet-browser
@multimedia
@print-client
@x11
%end
[root@localhost ~]# mkdir /var/lib/tftpboot/pxelinux.cfg
[root@localhost ~]# cp /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot/
[root@localhost ~]# cp /media/isolinux/{vmlinuz,initrd.img} /var/lib/tftpboot/
[root@localhost ~]# cp /media/isolinux/isolinux.cfg /var/lib/tftpboot/pxelinux.cfg/default
[root@localhost ~]# tree /var/lib/tftpboot
/var/lib/tftpboot
├── initrd.img
├── menu.c32
├── pxelinux.0
├── pxelinux.cfg
│   └── default
└── vmlinuz

1 directory, 5 files
[root@localhost ~]# vim /var/lib/tftpboot/pxelinux.cfg/default   # menu shown at boot time
default menu.c32
timeout 600
menu title PXE INSTALL MENU

label auto
  menu default
  menu label ^Auto Install Centos7
  kernel vmlinuz
  append initrd=initrd.img ks=http://192.168.79.7/ks/ks7.cfg

label local
  menu label ^Boot from local drive
  localboot 0xffff
[root@localhost ~]# systemctl restart tftp.socket
```

7. Set up Cobbler for automated OS installation

Cobbler workflow:
1. The client is configured to boot from the network; at power-on it broadcasts a request to the DHCP server (the cobbler server) for an IP address.
2. The DHCP server (cobbler server) receives the request and sends a response containing an IP address.
3. With an address, the client sends the cobbler server a request for the OS boot file.
4. The cobbler server tells the client the name of the boot file and the IP and port of the TFTP server.
5. The client contacts the TFTP server at that address and downloads the boot file.
6. The client runs the boot file, reads its configuration and selects the OS to install; during this step it requests the kickstart file and the OS image from the cobbler server.
7. The cobbler server sends the requested kickstart file and OS image.
8. The client loads the kickstart file.
9. The client receives the OS image and installs it.

```
[root@centos7 ~]# yum -y install tftp-server httpd cobbler*
[root@centos7 ~]# yum -y install syslinux
[root@centos7 ~]# cp /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot/
[root@centos7 ~]# cp /media/isolinux/{vmlinuz,initrd.img} /var/lib/tftpboot/
[root@centos7 ~]# cp /media/isolinux/isolinux.cfg /var/lib/tftpboot/pxelinux.cfg/default
[root@centos7 ~]# mount /dev/sr0 /var/www/html/centos7/
[root@centos7 ~]# mount /dev/sr0 /var/www/html/centos/centos7/
[root@centos7 ~]# systemctl restart dhcpd
[root@centos7 ~]# systemctl enable dhcpd
[root@centos7 ~]# systemctl restart cobblerd.service
[root@centos7 ~]# systemctl enable tftp.socket
[root@centos7 ~]# systemctl restart tftp.socket
[root@centos7 ~]# vim /etc/cobbler/settings
next_server: 192.168.79.7
server: 192.168.79.7
manage_dhcp: 1
default_password_crypted: "$1$tTAShIRf$2wdumClrUhaX1EaqfuUZ9."
[root@centos7 ~]# systemctl restart cobblerd
[root@centos7 ~]# cobbler check   # fix the items reported below as appropriate for your setup
The following are potential configuration items that you may want to fix:

1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work.  This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : SELinux is enabled. Please review the following wiki page for details on ensuring cobbler works correctly in your SELinux environment:
    https://github.com/cobbler/cobbler/wiki/Selinux
4 : change 'disable' to 'no' in /etc/xinetd.d/tftp
5 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely.  Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
6 : enable and start rsyncd.service with systemctl
7 : debmirror package is not installed, it will be required to manage debian deployments and repositories
8 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
9 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

Restart cobblerd and then run 'cobbler sync' to apply changes.
```
```
[root@centos7 ~]# cobbler get-loaders   # download the required boot loaders from the network
[root@centos7 ~]# cobbler sync          # copies files to /var/lib/tftpboot, generates the dhcp config and the menu file /var/lib/tftpboot/pxelinux.cfg/default
[root@centos7 ~]# vim /etc/cobbler/dhcp.template   # change the subnet to your own network
subnet 192.168.79.0 netmask 255.255.255.0 {
     option routers             192.168.79.1;
     option domain-name-servers 8.8.8.8;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        192.168.79.130 192.168.79.131;
     default-lease-time         21600;
     max-lease-time             43200;
     next-server                $next_server;
     class "pxeclients" {
[root@centos7 ~]# vim /var/lib/cobbler/kickstarts/ks7.cfg   # the kickstart file imported by hand
#version=DEVEL
# System authorization information
# Use CDROM installation media
url --url=http://192.168.79.7/centos7
# Use graphical install
text
# Run the Setup Agent on first boot
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=ens33 --onboot=off --ipv6=auto --no-activate
network --hostname=localhost.localdomain
# Root password
rootpw --iscrypted $6$dT.m5jP3xxCrMtiZ$qe53ctKWMBKxmEwDCInr/MWSEdXCb1Y1YGJqZKsnbJ1ece2Dk3gsAJI5P2J8hhrrUjO.3kQH7.s6/BvBRkN3y0
# System services
services --disabled="chronyd"
# System timezone
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=$6$wS/J8DAIJb0mZqBd$HenQYrs7Y5vYND71I14OvwddFPPGS.asKmXmxR059DyVDuGhxOGDP3Sr0R103WsRM9tQ5hLk.157a72sUINpH. --iscrypted --gecos="wang"
# X Window System configuration information
# System bootloader configuration
bootloader --location=mbr --boot-drive=sda
# Partition clearing information
clearpart --all --initlabel
zerombr
# Disk partitioning information
part / --fstype="xfs" --ondisk=sda --size=30720
part /home --fstype="xfs" --ondisk=sda --size=20480
part swap --fstype="swap" --ondisk=sda --size=4096
part /data --fstype="xfs" --ondisk=sda --size=51200
part /boot --fstype="xfs" --ondisk=sda --size=2048
reboot

%packages
@^graphical-server-environment
@base
@core
@desktop-debugging
@dial-up
@fonts
@gnome-desktop
@guest-agents
@guest-desktop-agents
@hardware-monitoring
@input-methods
@internet-browser
@multimedia
@print-client
@x11
%end
[root@centos7 ~]# cobbler profile add --name=centos7.5-x86_64 --distro=Centos-7.5-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks7.cfg   # associate the kickstart file with the OS and generate a new boot menu entry
[root@centos7 cobbler]# cobbler report   # show the cobbler report
distros:   # distributions
==========
Name : centos7.5-x86_64
Architecture : x86_64
TFTP Boot Files : {}
Breed : redhat
Comment :
Fetchable Files : {}
Initrd : /var/www/cobbler/ks_mirror/centos7.5-x86_64/images/pxeboot/initrd.img
Kernel : /var/www/cobbler/ks_mirror/centos7.5-x86_64/images/pxeboot/vmlinuz
Kernel Options : {}
Kernel Options (Post Install) : {}
Kickstart Metadata : {'tree': 'http://@@http_server@@/cblr/links/centos7.5-x86_64'}
Management Classes : []
OS Version : rhel7
Owners : ['admin']
Red Hat Management Key : <<inherit>>
Red Hat Management Server : <<inherit>>
Template Files : {}

profiles:   # profiles
==========
Name : centos7.5-x86_64
TFTP Boot Files : {}
Comment :
DHCP Tag : default
Distribution : centos7.5-x86_64
Enable gPXE? : 0
Enable PXE Menu? : 1
Fetchable Files : {}
Kernel Options : {}
Kernel Options (Post Install) : {}
Kickstart : /var/lib/cobbler/kickstarts/ks.cfg
Kickstart Metadata : {}
Management Classes : []
Management Parameters : <<inherit>>
Name Servers : []
Name Servers Search Path : []
Owners : ['admin']
Parent Profile :
Internal proxy :
Red Hat Management Key : <<inherit>>
Red Hat Management Server : <<inherit>>
Repos : []
Server Override : <<inherit>>
Template Files : {}
Virt Auto Boot : 1
Virt Bridge : xenbr0
Virt CPUs : 1
Virt Disk Driver Type : raw
Virt File Size(GB) : 5
Virt Path :
Virt RAM (MB) : 512
Virt Type : kvm
....
```

Cobbler's boot menu file is /var/lib/tftpboot/pxelinux.cfg/default; after changing it, restart cobbler and run cobbler sync for the change to take effect. To install a machine with cobbler, simply boot it from the network.
Managing cobbler through cobbler-web requires installing the cobbler-web package from the EPEL repository. It ships the configuration file /etc/httpd/conf.d/cobbler_web.conf and uses HTTPS by default. After restarting cobbler, log in at https://server/cobbler_web. In this lab, however, the page returned an error with status code 500, as shown in the log below; the fix described at https://blog.51cto.com/12643266/2339793?source=dra resolves it.
```
[root@centos7 pxe]# tailf /var/log/httpd/ssl_error_log
[Mon May 27 13:44:41.609361 2019] [:error] [pid 3214] [remote 192.168.79.10:212]     self._setup(name)
[Mon May 27 13:44:41.609372 2019] [:error] [pid 3214] [remote 192.168.79.10:212]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 41, in _setup
[Mon May 27 13:44:41.609389 2019] [:error] [pid 3214] [remote 192.168.79.10:212]     self._wrapped = Settings(settings_module)
[Mon May 27 13:44:41.609394 2019] [:error] [pid 3214] [remote 192.168.79.10:212]   File "/usr/lib/python2.7/site-packages/django/conf/__init__.py", line 110, in __init__
[Mon May 27 13:44:41.609402 2019] [:error] [pid 3214] [remote 192.168.79.10:212]     mod = importlib.import_module(self.SETTINGS_MODULE)
[Mon May 27 13:44:41.609409 2019] [:error] [pid 3214] [remote 192.168.79.10:212]   File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
[Mon May 27 13:44:41.609898 2019] [:error] [pid 3214] [remote 192.168.79.10:212]     __import__(name)
[Mon May 27 13:44:41.609910 2019] [:error] [pid 3214] [remote 192.168.79.10:212]   File "/usr/share/cobbler/web/settings.py", line 89, in <module>
[Mon May 27 13:44:41.609957 2019] [:error] [pid 3214] [remote 192.168.79.10:212]     from django.conf.global_settings import TEMPLATE_CONTEXT_PROCESSORS
[Mon May 27 13:44:41.609980 2019] [:error] [pid 3214] [remote 192.168.79.10:212] ImportError: cannot import name TEMPLATE_CONTEXT_PROCESSORS
```

According to that post, the error is caused by the installed python-django version.
```
[root@centos7 pxe]# sed -n '38,41p' /usr/share/cobbler/web/settings.py
if django.VERSION[0] == 1 and django.VERSION[1] < 4:
    ADMIN_MEDIA_PREFIX = '/media/'
else:
    STATIC_URL = '/media/'
[root@centos7 pxe]# sed -n '89p' /usr/share/cobbler/web/settings.py
from django.conf.global_settings import TEMPLATE_CONTEXT_PROCESSORS
```

The fix is as follows:
```
wget https://bootstrap.pypa.io/get-pip.py                  # download get-pip.py
python get-pip.py                                          # run it with the local python to install pip
pip install Django==1.8.9                                  # install Django 1.8.9, a version that still provides TEMPLATE_CONTEXT_PROCESSORS
python -c "import django; print(django.get_version())"     # print the installed Django version
systemctl restart httpd                                    # restart httpd
```