通過一個實驗案例來說明shell腳本一鍵部署多種服務的方法。
實驗場景
初創公司是一家新成立的創業公司, 公司根據業務需求準備部署一個小型網絡, 包含四
臺服務器和若干客戶機。考慮到後期需要在全國多個城市開分公司, 公司希望通過 Shell 的方式, 可以在不同的分支機構進行快速複製現有網絡。
實驗拓撲
實驗要求
在管理員 PC 上編寫 Shell 腳本, 實現一鍵部署。 實現以下項目需求:
- 分別部署防火牆、 DHCP 服務器、 DNS 服務器和 FTP 服務器
- 防火牆使用 Firewalld 服務, 並允許來自內網客戶端( 172.16.1.0/24) 對服務器的訪問。同時防火牆作爲公司的邊界設備, 要允許內網客戶端( 172.16.1.0/24) 對互聯網web服務器的訪問。
- Firewalld 上配置 DHCP 中繼服務, 使內網客戶端( 172.16.1.0/24) 可以動態獲取由 DHCP服務器分配的 IP 地址。
- 內網客戶端( 172.16.1.0/24) 可以通過 DNS Server 解析 bdqn.com 中的域名。
- 內網客戶端( 172.16.1.0/24) 可以通過被動模式以匿名身份訪問 FTP Server( 192.168.1.30), 並且具備上
傳、 下載、 修改目錄以及刪除權限
實現步驟
配置SSH免密訪問
在管理員 PC 上生成 SSH 密鑰對
ssh-keygen   # generate the admin PC's key pair once; the public key is copied to every server below
爲了能把管理員 PC 上生成的公鑰上傳到其他網段的服務器, 需要先在網關服務器(firewalld)上開啓路由轉發功能和地址僞裝。注意: 只寫 /proc 和不帶 --permanent 的 firewall-cmd 僅在當前運行期間生效, 重啓(或 firewall-cmd --reload)後會丟失, 正式環境應同時持久化。
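# Turn on IPv4 forwarding now and persist it: writing /proc alone is lost at reboot.
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ip-forward.conf
# Masquerade in the permanent config as well: a runtime-only --add-masquerade is
# discarded by the next firewall-cmd --reload (firewall.sh performs one).
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload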
上傳公鑰至其他服務器
在管理員 PC 上對四臺服務器分別執行 ssh-copy-id IP地址。腳本中的 yum、systemctl、寫 /etc 等操作需要 root 權限, 因此免密登入的帳號應爲 root(或具備等效權限); 首次連接時 ssh 會提示確認對方主機密鑰指紋, 應核對無誤後再接受。
驗證免密連接
編寫main.sh
腳本,並完成調試(最終執行的腳本)
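#!/bin/bash
# main.sh -- one-shot deployment driver, run from the admin PC.
#
# Defines the addresses every helper script relies on, then sources the
# helpers in dependency order: the gateway first (the admin PC reaches the
# 192.168.1.0/24 servers through it), the yum repo next (every later step
# installs packages), then the individual services.  The helpers are
# *sourced*, so they see these variables and run in this shell.
#
# set -e is deliberately not used: the helpers probe with "cmd; if test $?"
# and rely on non-zero exit codes to decide what to configure.
set -u   # a mistyped *_IP name aborts instead of sending ssh to an empty host

Admin_IP=172.16.1.10
FW_IP=172.16.1.2
DHCP_Server_IP=192.168.1.10
DHCP_relay_IP=172.16.1.2   # the relay runs on the gateway itself
DNS_Server_IP=192.168.1.20
FTP_Server_IP=192.168.1.30

# Locate the helpers next to this file so main.sh works from any cwd
# (a bare "./x.sh" only worked when run from its own directory).
script_dir=$(cd "$(dirname "$0")" && pwd)
for helper in firewall yum dhcp dhcrelay dns ftp; do
  source "$script_dir/$helper.sh"
done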
賦予可執行權限
chmod +x main.sh   # the driver is executed directly (./main.sh), so it must be executable
編寫firewall.sh
腳本,並完成調試
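#!/bin/bash
# firewall.sh -- configure the gateway (firewalld host) over SSH.
# Expects FW_IP and Admin_IP from main.sh (this file is sourced, not executed).
#
#   1. makes sure IPv4 forwarding is on and persists it
#   2. binds ens33 / ens37 / ens38 to the internal / dmz / external zones
#   3. adds direct FORWARD rules so internal clients (172.16.1.0/24) can reach
#      FTP (21 + passive 20000-20100), SSH (22) and DNS (53/udp) in the DMZ
#   4. forwards SSH arriving on the external interface to the admin PC
#
# Every setting is queried before it is added, so the script is re-runnable.
# Fixes relative to the first version: the ip_forward test was inverted,
# "ferewall-cmd" (typo) silently never bound ens33, and the FORWARD rules
# matched any source instead of the internal network.

fw() { ssh "$FW_IP" "$@"; }

# 1. IPv4 forwarding -- enable when it is off (not, as before, when it is on).
route=$(fw cat /proc/sys/net/ipv4/ip_forward)
if [ "$route" != "1" ]; then
  fw "sysctl -w net.ipv4.ip_forward=1 > /dev/null"
  echo "route on firewall is open"
fi
# /proc is runtime-only; persist so the gateway still routes after a reboot.
fw "printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ip-forward.conf"

# 2. Zone <-> interface bindings (permanent; activated by the reload below).
#    --change-interface also moves an interface that is already in another zone.
bind_zone() {
  # $1 = zone name, $2 = interface
  fw firewall-cmd --permanent --zone="$1" --query-interface="$2" &> /dev/null ||
    fw firewall-cmd --permanent --zone="$1" --change-interface="$2" &> /dev/null
}
bind_zone internal ens33
bind_zone dmz ens37
bind_zone external ens38

# 3. Forwarding rules, added once each.  Scoped with -s to the internal client
#    network so the same ports are not also forwarded from the external zone.
fwd_rule() {
  # $@ = iptables match/target arguments for the FORWARD_direct chain
  fw firewall-cmd --permanent --direct --query-rule ipv4 filter FORWARD_direct 0 "$@" &> /dev/null ||
    fw firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD_direct 0 "$@" &> /dev/null
}
#ftp (control + passive data range configured in ftp.sh)
fwd_rule -s 172.16.1.0/24 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
fwd_rule -s 172.16.1.0/24 -p tcp --dport 20000:20100 -m conntrack --ctstate NEW -j ACCEPT
#ssh (admin PC -> servers; the external->admin forward below gets its own
#     accept from firewalld's forward-port handling -- verify with
#     "firewall-cmd --direct --get-all-rules" / iptables -L FORWARD if in doubt)
fwd_rule -s 172.16.1.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
#dns
fwd_rule -s 172.16.1.0/24 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# 4. Port forwarding: external:22 -> admin PC.
# NOTE(review): this exposes the admin PC's SSH to whatever is on the external
# interface; none of the listed requirements needs it.  Remove it, or restrict
# the source with a rich rule, unless remote administration is really wanted.
pf="port=22:proto=tcp:toport=22:toaddr=$Admin_IP"
fw firewall-cmd --permanent --zone=external --query-forward-port="$pf" &> /dev/null ||
  fw firewall-cmd --permanent --zone=external --add-forward-port="$pf" &> /dev/null

# Activate the permanent configuration and report the real outcome.
if fw firewall-cmd --reload &> /dev/null; then
  echo "firewalld rules are ok!"
else
  echo "firewalld reload failed!" >&2
fi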
賦予可執行權限
chmod +x firewall.sh   # optional: main.sh sources this file rather than executing it
編寫yum.sh
腳本,並完成調試
在編寫完後, 一定要先將每一臺服務器上 /etc/yum.repos.d/ 目錄下原有的 .repo 文件手動移動到其他目錄(否則 yum 仍會嘗試訪問無法到達的在線倉庫而導致 makecache 失敗), 如:
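cd /etc/yum.repos.d || exit 1   # never run the mv below in the wrong directory
mkdir -p repo
mv -- *.repo repo/              # only the .repo files: "mv *" would also try to move repo/ into itself on a re-run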
以下是腳本內容:
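#!/bin/bash
# yum.sh -- point every server at the install DVD as a local yum repository.
# Expects FW_IP, DHCP_Server_IP, DNS_Server_IP and FTP_Server_IP from main.sh.
# Safe to re-run: local.repo is rewritten rather than appended to, and any
# other .repo files are parked once in /etc/yum.repos.d/repo (the manual
# step from the text, automated here).

server_ips="$FW_IP $DHCP_Server_IP $DNS_Server_IP $FTP_Server_IP"
remote() { ssh "$host" "$@"; }

for host in $server_ips; do
  # Park existing repo files so only the local repo is consulted.
  remote 'mkdir -p /etc/yum.repos.d/repo && cd /etc/yum.repos.d && for f in *.repo; do [ "$f" = local.repo ] || [ ! -e "$f" ] || mv -- "$f" repo/; done'

  # Mount the DVD at /mnt unless something is already mounted there.  The old
  # "df | grep /dev/cdrom" check never matched because df shows the resolved
  # device (e.g. /dev/sr0), not the /dev/cdrom symlink.
  remote 'mountpoint -q /mnt || mount -o ro /dev/cdrom /mnt' &> /dev/null

  # Write the repo definition atomically (overwrite, not append).
  # NOTE(review): gpgcheck=0 disables signature verification.  The install
  # media ships its RPM-GPG-KEY-* file next to the packages; prefer
  # gpgcheck=1 plus gpgkey=file:///mnt/<key file> once the file name for
  # this distribution is confirmed.
  remote "printf '%s\n' '[local]' 'name=local' 'baseurl=file:///mnt' 'enabled=1' 'gpgcheck=0' > /etc/yum.repos.d/local.repo"

  remote 'yum clean all' &> /dev/null
  if remote 'yum makecache' &> /dev/null; then
    echo "yum is ok($host)"
  else
    echo "yum is failed($host)"
  fi
done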
賦予可執行權限
chmod +x yum.sh   # optional: main.sh sources this file rather than executing it
編寫dhcp.sh
腳本,並完成調試
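#!/bin/bash
# dhcp.sh -- install and configure the DHCP server for the internal LAN.
# Expects DHCP_Server_IP, DNS_Server_IP and DHCP_relay_IP from main.sh.
#
# Leases 172.16.1.100-200 to clients that arrive through the relay on the
# gateway.  The empty 192.168.1.0/24 stanza makes dhcpd accept the interface
# it actually sits on (it refuses to start without a subnet for it).
# Re-runnable: dhcpd.conf is rewritten wholesale instead of appended to, which
# is what the old remove-and-reinstall dance was working around.  The first
# version also had a curly quote (’) closing one of the echo lines, which
# left the script with an unterminated string.

dhcp() { ssh "$DHCP_Server_IP" "$@"; }

if dhcp yum -y install dhcp &> /dev/null; then
  # Addresses come from main.sh so the config cannot drift from the topology.
  dhcp "cat > /etc/dhcp/dhcpd.conf <<EOF
# generated by dhcp.sh -- edit main.sh, not this file
subnet 172.16.1.0 netmask 255.255.255.0 {
    range 172.16.1.100 172.16.1.200;
    option domain-name-servers $DNS_Server_IP;
    option routers $DHCP_relay_IP;
}
subnet 192.168.1.0 netmask 255.255.255.0 {}
EOF"

  dhcp systemctl enable firewalld &> /dev/null
  dhcp systemctl restart firewalld &> /dev/null
  if ! dhcp firewall-cmd --permanent --zone=public --query-service=dhcp &> /dev/null; then
    dhcp firewall-cmd --permanent --zone=public --add-service=dhcp &> /dev/null
    dhcp firewall-cmd --reload &> /dev/null
  fi

  dhcp systemctl enable dhcpd &> /dev/null
  # Validate the config before restarting so a typo does not take the
  # service down silently.
  if dhcp 'dhcpd -t -cf /etc/dhcp/dhcpd.conf' &> /dev/null &&
     dhcp systemctl restart dhcpd &> /dev/null; then
    echo "DHCP Server is ok"
  else
    echo "dhcpd boot error!"
  fi
else
  echo "dhcp install error!!!"
fi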
賦予可執行權限
chmod +x dhcp.sh   # optional: main.sh sources this file rather than executing it
編寫dhcrelay.sh
腳本,並完成調試
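#!/bin/bash
# dhcrelay.sh -- run a DHCP relay on the gateway so 172.16.1.0/24 clients reach
# the DHCP server in the DMZ.  Expects DHCP_relay_IP and DHCP_Server_IP from main.sh.
#
# The relay target is set through a systemd drop-in instead of sed-editing
# /usr/lib/systemd/system/dhcrelay.service: the in-place edit appended the
# address again on every run and is overwritten by the next package update.
# The drop-in reproduces the stock ExecStart (dhcrelay -d --no-pid) with the
# server address appended, exactly what the old sed produced.

relay() { ssh "$DHCP_relay_IP" "$@"; }

relay yum -y install dhcp &> /dev/null
relay "mkdir -p /etc/systemd/system/dhcrelay.service.d && cat > /etc/systemd/system/dhcrelay.service.d/override.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/dhcrelay -d --no-pid $DHCP_Server_IP
EOF"
relay systemctl daemon-reload &> /dev/null
relay systemctl enable dhcrelay &> /dev/null

# NOTE(review): nothing here opens firewalld on the gateway for DHCP; if
# clients never obtain a lease, check whether 67/udp on the internal zone has
# to be allowed (dhcp.sh adds the dhcp service on the server side only).
# restart (not start) so a changed target takes effect on re-runs.
if relay systemctl restart dhcrelay &> /dev/null; then
  echo "dhcrelay is ok!"
else
  echo "dhcrelay boot error!"
fi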
賦予可執行權限
chmod +x dhcrelay.sh   # optional: main.sh sources this file rather than executing it
編寫dns.sh
腳本,並完成調試
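#!/bin/bash
# dns.sh -- install BIND on the DNS server and serve the bdqn.com zone.
# Expects DNS_Server_IP from main.sh.
#
# Differences from the first version:
#   * installs bind + bind-utils only ("bind*" pulled in every bind-* package,
#     including ones that change how named is run)
#   * adds bdqn.com as its own zone stanza and leaves the root hint zone
#     alone, so recursion for Internet names keeps working
#   * answers queries only from the two company subnets; "allow-query { any; }"
#     on a recursive server is an open resolver
#   * rewrites the zone file instead of appending to it, and checks both the
#     config and the zone before restarting named

dns() { ssh "$DNS_Server_IP" "$@"; }

if dns yum -y install bind bind-utils &> /dev/null; then
  # Listen on every IPv4 address; restrict who may ask.  Both edits are
  # idempotent because they rewrite the whole { ... } list.
  dns "sed -i -e 's/listen-on port 53 {[^}]*}/listen-on port 53 { any; }/' \
             -e 's/allow-query[[:space:]]*{[^}]*}/allow-query { localhost; 172.16.1.0\/24; 192.168.1.0\/24; }/' /etc/named.conf"

  # Declare the zone once; a second stanza would stop named from starting.
  dns "grep -q 'zone \"bdqn.com\"' /etc/named.conf || cat >> /etc/named.conf <<'EOF'
zone \"bdqn.com\" IN {
    type master;
    file \"bdqn.zone\";
    allow-update { none; };
};
EOF"

  # Zone data.  Keep the addresses in step with the *_IP values in main.sh.
  dns "cat > /var/named/bdqn.zone <<'EOF'
\$TTL 1D
@       IN SOA  dns.bdqn.com. admin.bdqn.com. (
                200     ; serial
                1H      ; refresh
                15M     ; retry
                1W      ; expire
                1D )    ; minimum
@       IN NS   dns.bdqn.com.
www     IN A    192.168.1.20
dhcp    IN A    192.168.1.10
ftp     IN A    192.168.1.30
dns     IN A    192.168.1.20
EOF"
  # named runs as the named group; it needs read access only.
  dns chown root:named /var/named/bdqn.zone
  dns chmod 640 /var/named/bdqn.zone

  dns systemctl enable firewalld &> /dev/null
  dns systemctl restart firewalld &> /dev/null
  if ! dns firewall-cmd --permanent --zone=public --query-service=dns &> /dev/null; then
    dns firewall-cmd --permanent --zone=public --add-service=dns &> /dev/null
    dns firewall-cmd --reload &> /dev/null
  fi

  dns systemctl enable named &> /dev/null
  if dns named-checkconf &> /dev/null &&
     dns named-checkzone bdqn.com /var/named/bdqn.zone &> /dev/null &&
     dns systemctl restart named &> /dev/null; then
    echo named is ok
  else
    echo named boot error
  fi
else
  echo bind install error
fi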
賦予可執行權限
chmod +x dns.sh   # optional: main.sh sources this file rather than executing it
編寫ftp.sh
腳本,並完成調試
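#!/bin/bash
# ftp.sh -- install vsftpd on the FTP server with anonymous read/write access
# (upload, mkdir, rename/delete) in passive mode on ports 20000-20100.
# Expects FTP_Server_IP from main.sh.
#
# SECURITY: anonymous write access is what this exercise asks for, but it lets
# anyone who can reach port 21 store, overwrite and delete files.  Keep this
# host off the Internet and behind the gateway's source-restricted rules.
#
# Re-runnable: the pristine config is saved once and the active config is
# regenerated from it on every run, so directives are never duplicated.

ftp_srv() { ssh "$FTP_Server_IP" "$@"; }

ftp_srv yum -y install vsftpd &> /dev/null

# 備份原配置文件 -- keep the packaged file once, then strip its comment lines
# into the live config.
ftp_srv '[ -e /etc/vsftpd/vsftpd.conf_bak ] || cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak'
ftp_srv 'grep -v "^#" /etc/vsftpd/vsftpd.conf_bak > /etc/vsftpd/vsftpd.conf'

# 修改配置文件 -- anonymous write permissions and a fixed passive port range
# (the same range firewall.sh forwards from the internal network).
ftp_srv "cat >> /etc/vsftpd/vsftpd.conf <<'EOF'
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=20100
EOF"

# Anonymous sessions run as the ftp user (vsftpd's default ftp_username), so
# hand the upload directory to that user instead of making it world-writable.
# Only pub/ is touched: vsftpd refuses to run with a writable chroot root.
ftp_srv 'chown ftp:ftp /var/ftp/pub && chmod 755 /var/ftp/pub'
# NOTE(review): with SELinux enforcing, anonymous uploads additionally need
# "setsebool -P ftpd_anon_write on" (and ftpd_full_access for rename/delete);
# the page does not show the SELinux state of the host -- confirm.

ftp_srv systemctl enable firewalld &> /dev/null
ftp_srv systemctl restart firewalld &> /dev/null
# The ftp service entry opens 21/tcp and loads the FTP conntrack helper,
# which tracks the passive data connections as RELATED.
if ! ftp_srv firewall-cmd --permanent --zone=public --query-service=ftp &> /dev/null; then
  ftp_srv firewall-cmd --permanent --zone=public --add-service=ftp &> /dev/null
  ftp_srv firewall-cmd --reload &> /dev/null
fi

ftp_srv systemctl enable vsftpd &> /dev/null
if ftp_srv systemctl restart vsftpd &> /dev/null; then
  echo "ftp is ok!"
else
  echo "ftp boot error!"
fi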
賦予可執行權限
chmod +x ftp.sh   # optional: main.sh sources this file rather than executing it
運行main.sh
腳本實現一鍵部署
./main.sh   # run on the admin PC from the directory holding the helper scripts (main.sh sources them as ./name.sh)
運行結果:
從運行結果看,所有服務已經部署成功
提示: 如果在運行腳本的過程中出現報錯, 可執行 bash -x main.sh 顯示每條命令的實際展開和執行過程, 以便定位具體錯誤。
爲了驗證一鍵部署是否成功,在服務器上進行查看
各服務都能正常啓動, 就說明本地 yum 倉庫配置和軟件包安裝也已成功
驗證
驗證內網訪問外網
驗證DHCP
驗證DNS
驗證FTP