I. Requirements analysis
In a production environment with hundreds or thousands of servers, distributing a public key is a lot of work. Uploading it to each target server one by one is a crude way to do it. SaltStack can do the distribution instead: the operation is simple, and the keys are delivered to every host while you sit eating hotpot and singing a song.
II. Procedure
1. Environment preparation
Set up two virtual machines on your laptop.
Install the master and a minion on linux-node1, and a minion on linux-node2.
IP             Hostname     OS
192.168.56.11  linux-node1  centos7
192.168.56.12  linux-node2  centos7
2. SaltStack installation
For installation steps, see:
http://jackyxin.blog.51cto.com/1976631/1833762
3. Generate the public key
[root@linux-node1 ~/.ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
92:da:be:87:31:2f:84:ad:62:30:11:82:9d:9b:15:32 root@linux-node1
The key's randomart image is:
+--[ RSA 2048]----+
|..E...           |
|+ oo.            |
|.. +             |
|. o .            |
| . oo S          |
|o .o=.           |
| o .o.=          |
| o ..o o         |
| . . o+          |
+-----------------+
[root@linux-node1 ~/.ssh]#
For easier management, copy the contents of id_rsa.pub into a new file, e.g. authorized_keys. Note: set the permissions of authorized_keys to 700.
[root@linux-node1 ~/.ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzV14ZJQIaOyJrimkteda8yUoPqC2sb7+Zt4Dpc/DUX2rgczxw6W9m2nTZdY4vYeHtWf/T1mn8J/92a9/49GFvIsJl6cqC3ndftlIv3OJgtR8npLqTzqi3hnrEK8Yp9crsfi3NumCf/qM3GXRyKRFW5psACsq5Jw8KD4aSjrQoUnDnL4OeNdefyP2DKDtq9rcfKyiQmAbPvdo8jYuylCIwF4YzOWSAHdaXOE4Swuk7aMY1BIUOeJWjFEHTR0YoT7RqszaT8QrCo1CFmpHZDKtMstzNVcrk6hMAw5MfZcaH1HFhsUIDPOdU4MRvxcYnlFBfyl+1UFjXZxPq9fcTCf+X root@linux-node1
[root@linux-node1 ~/.ssh]# vi authorized_keys
[root@linux-node1 ~/.ssh]# ll
total 16
-rw-r--r-- 1 root root  398 Aug 18 14:06 authorized_keys
-rw------- 1 root root 1679 Aug 18 13:49 id_rsa
-rw-r--r-- 1 root root  398 Aug 18 13:49 id_rsa.pub
-rw-r--r-- 1 root root  351 Jul 31 20:27 known_hosts
[root@linux-node1 ~/.ssh]# chmod 700 authorized_keys
[root@linux-node1 ~/.ssh]# ll
total 16
-rwx------ 1 root root  398 Aug 18 14:06 authorized_keys
-rw------- 1 root root 1679 Aug 18 13:49 id_rsa
-rw-r--r-- 1 root root  398 Aug 18 13:49 id_rsa.pub
-rw-r--r-- 1 root root  351 Jul 31 20:27 known_hosts
[root@linux-node1 ~/.ssh]#
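Before a file like this is pushed to hundreds of hosts it is worth checking what it actually contains. The following Python script is an added example, not part of the original post or of Salt: it parses each authorized_keys line, confirms that the declared key type matches the type encoded inside the base64 blob, reports the RSA modulus size and the MD5 fingerprint (the format ssh-keygen printed above), and checks that the file is not group- or world-writable. The key material is the root@linux-node1 key shown above; the mislabelled second line in demo() is constructed.

```python
import base64, hashlib, os, stat, struct, tempfile

# Public key of root@linux-node1 as shown earlier on this page (the file Salt will distribute).
NODE1_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDzV14ZJQIaOyJrimkteda8yUoPqC2sb7+Zt4Dpc/DUX2rgczxw6W9m2nTZdY4vYeHtWf/T1mn8J/92a9/49GFvIsJl6cqC3ndftlIv3OJgtR8npLqTzqi3hnrEK8Yp9crsfi3NumCf/qM3GXRyKRFW5psACsq5Jw8KD4aSjrQoUnDnL4OeNdefyP2DKDtq9rcfKyiQmAbPvdo8jYuylCIwF4YzOWSAHdaXOE4Swuk7aMY1BIUOeJWjFEHTR0YoT7RqszaT8QrCo1CFmpHZDKtMstzNVcrk6hMAw5MfZcaH1HFhsUIDPOdU4MRvxcYnlFBfyl+1UFjXZxPq9fcTCf+X root@linux-node1"
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def _sshstr(blob, off):  # one SSH wire-format string: 4-byte big-endian length, then data
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_line(line):
    """Parse one authorized_keys line; raise ValueError unless it is a sane key."""
    parts = line.split() + ["", ""]                   # pad so short lines fail cleanly
    idx = 0 if parts[0].startswith(KEY_TYPES) else 1  # options (from=, no-pty, ...) may come first
    if not parts[idx].startswith(KEY_TYPES) or not parts[idx + 1]:
        raise ValueError("not a key line: %r" % line[:30])
    ktype, blob = parts[idx], base64.b64decode(parts[idx + 1], validate=True)
    embedded, off = _sshstr(blob, 0)
    if embedded.decode() != ktype:                    # declared type must match the blob
        raise ValueError("line says %s but blob is %s" % (ktype, embedded.decode()))
    if ktype == "ssh-rsa":                            # RSA blob = type, exponent e, modulus n
        _e, off = _sshstr(blob, off)
    bits = int.from_bytes(_sshstr(blob, off)[0], "big").bit_length() if ktype == "ssh-rsa" else None
    md5 = hashlib.md5(blob).hexdigest()               # same digest as ssh-keygen -E md5
    return {"type": ktype, "bits": bits, "comment": " ".join(parts[idx + 2:]).strip(),
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def check_file(path):
    """Return (keys, problems) for an authorized_keys file that is about to be distributed."""
    keys, problems = [], []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):          # sshd StrictModes ignores such a file
        problems.append("mode %o is group/world writable" % mode)
    with open(path) as fh:
        for line in fh:
            if line.strip() and not line.startswith("#"):
                try:
                    keys.append(parse_key_line(line))
                except (ValueError, struct.error) as exc:
                    problems.append(str(exc))
    return keys, problems

def demo():  # constructed input: the node1 key plus one line whose declared type is wrong
    bad = "ssh-ed25519 " + NODE1_KEY.split()[1] + " mislabelled"
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(NODE1_KEY + "\n" + bad + "\n")
    os.chmod(fh.name, 0o600)
    result = check_file(fh.name)
    os.unlink(fh.name)
    return result
```

sshd's StrictModes rejects an authorized_keys file that is writable by group or others; 600 is sufficient, and the 700 used above also satisfies it.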
4. Place the public key in Salt's file directory
Note: in my /etc/salt/master, file_roots is set to /srv/salt, which is SaltStack's base environment.
Create /srv/salt/ssh specifically for storing public keys:
[root@linux-node1 ~/.ssh]# mkdir /srv/salt/ssh
[root@linux-node1 ~/.ssh]# cp /root/.ssh/authorized_keys /srv/salt/ssh/
5. Distribute the public key
Step 1: on linux-node1, add linux-node2's host key to root's known_hosts (the trust list):
[root@linux-node1 ~/.ssh]# salt 'linux-node1*' ssh.set_known_host root 192.168.56.12
linux-node1.example.com:
    ----------
    new:
        ----------
        enc:
            ecdsa-sha2-nistp256
        fingerprint:
            c5:fc:4b:ee:24:bd:15:f8:72:e1:2f:84:b8:19:6b:2a
        hostname:
            |1|1kc2RQfUyyygjdfOeyMkVmhsdPY=|vHAhF4l0Ze6D0G0S1JUfniWU9vs=
        key:
            AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGcdOBIR8ADP7/ji8/A3SI4TMCBGCf9qVVIhqFKf6isQUAoQ2BH+Ubw6jM/NssaIFJ7aL5Sv14KvrRclBHJdqWE=
    old:
        None
    status:
        updated
[root@linux-node1 ~/.ssh]#
Step 2: distribute linux-node1's public key to linux-node2:
[root@linux-node1 /srv/salt/ssh]# salt 'linux-node2*' ssh.set_auth_key_from_file root salt:///ssh/authorized_keys
linux-node2.example.com:
    new
Step 3: test the connection:
[root@linux-node1 /srv/salt/ssh]# ssh 192.168.56.12
Last login: Thu Aug 18 02:09:21 2016 from 192.168.56.1
-bash: None: command not found
[root@linux-node2 ~]#
At this point we can see that non-interactive (passwordless) login works.
For an explanation of ssh.set_known_host and ssh.set_auth_key_from_file, see https://www.unixhot.com/docs/saltstack/ref/modules/all/salt.modules.ssh.html#module-salt.modules.ssh
6. Common errors
If there is an error, check the logs.
Very likely the Salt base environment is set incorrectly, which easily leads to the error below.
For example, at first the file_roots setting in my /etc/salt/master was wrong:
file_roots:
  base:
    - /srv/salt/base
  prod:
    - /srv/salt/prod
The base environment did not match the path used in the distribution command (the file was in /srv/salt/ssh, not under /srv/salt/base), so the distribution failed.
The error was as follows:
[root@linux-node1 ~/.ssh]# salt 'linux-node2*' ssh.set_auth_key_from_file root salt://ssh/authorized_keys
linux-node2.example.com:
    Passed invalid arguments to ssh.set_auth_key_from_file: coercing to Unicode: need string or buffer, bool found

    Add a key to the authorized_keys file, using a file as the source.

    CLI Example:

    .. code-block:: bash

        salt '*' ssh.set_auth_key_from_file <user> salt://ssh_keys/<user>.id_rsa.pub
[root@linux-node1 ~/.ssh]#
The "bool found" part is the clue: the minion could not fetch salt://ssh/authorized_keys from the base environment, so the file fetch returned False instead of a local path, and the module then tried to use that boolean as a filename.