Ansible reference

Step 1: If the control machine runs CentOS 7, run the following commands:
yum -y install epel-release git curl sshpass && \
yum -y install python2-pip

Note: If you want passwordless access for a user you create yourself, perform steps 1 to 4 below; if you only use the root user, skip them and go directly to the later steps.

Log in to the control machine as root and perform the following steps:

1. Create the tidb user.

useradd -m -d /home/tidb tidb

2. Set the tidb user's password.

passwd tidb

3. Configure passwordless sudo for the tidb user: append tidb ALL=(ALL) NOPASSWD: ALL to the end of the file.

visudo
tidb ALL=(ALL) NOPASSWD: ALL

4. Generate an SSH key.

Run the su command to switch from the root user to the tidb user.

su - tidb
Step 2: Create the user's SSH key

When prompted with Enter passphrase, just press Enter. After the command succeeds, the SSH private key is /home/tidb/.ssh/id_rsa and the SSH public key is /home/tidb/.ssh/id_rsa.pub.

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tidb/.ssh/id_rsa):
Created directory '/home/tidb/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tidb/.ssh/id_rsa.
Your public key has been saved in /home/tidb/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:eIBykszR1KyECA/h0d7PRKz4fhAeli7IrVphhte7/So tidb@172.16.10.49
The key's randomart image is:
+---[RSA 2048]----+
|=+o+.o.          |
|o=o+o.oo         |
| .O.=.=          |
| . B.B +         |
|o B * B S        |
| * + * +         |
|  o + .          |
| o  E+ .         |
|o   ..+o.        |
+----[SHA256]-----+
Step 3: Install Ansible and its dependencies on the control machine
[tidb@dev10 tidb-ansible]$ vim requirements.txt
[tidb@dev10 tidb-ansible]$ cat requirements.txt
ansible==2.7.11
jinja2>=2.9.6
jmespath>=0.9.0

Log in to the control machine as the tidb user and install Ansible and its dependencies at the pinned versions via pip exactly as shown below; otherwise there will be compatibility problems. Currently, TiDB release-2.0, release-2.1, release-3.0 and the latest development version are compatible with Ansible 2.4 to 2.7.11 (2.4 ≤ Ansible ≤ 2.7.11).

Install Ansible and its dependencies on the control machine.

cd /home/tidb/tidb-ansible && \
sudo pip install -r ./requirements.txt

If you get the error:

……
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-DS7hbY/ansible/

Solution:

sudo python -m pip install --upgrade --force pip 
sudo pip install setuptools==33.1.1

Check the Ansible version.

ansible --version
Step 4: On the control machine, configure SSH mutual trust and sudo rules for the deployment machines

Log in to the control machine as the tidb user, then perform the following steps:

1. Add the IPs of your deployment target machines under the [servers] section of the hosts.ini file. Change username = tidb to the user you created.

cd /home/tidb/tidb-ansible && \
vi hosts.ini
[servers]
172.16.10.1
172.16.10.2
172.16.10.3
172.16.10.4
172.16.10.5
172.16.10.6

[all:vars]
username = tidb
ntp_server = pool.ntp.org

The ansible-playbook playbook file create_users.yml. The create_users.yml used for the tidb user:

[tidb@dev10 tidb-ansible]$ vim create_users.yml
[tidb@dev10 tidb-ansible]$ cat create_users.yml
---

- hosts: all
  tasks:
    - name: create user
      user: name={{ username }} shell=/bin/bash createhome=yes

    - name: set authorized key
      authorized_key:
        user: "{{ username }}"
        key: "{{ lookup('file', '/home/{{ username }}/.ssh/id_rsa.pub') }}"
        state: present

    - name: update sudoers file
      lineinfile:
        dest: /etc/sudoers
        insertafter: EOF
        line: '{{ username }} ALL=(ALL) NOPASSWD: ALL'
        regexp: '^{{ username }} .*'
        state: present

The create_users.yml used for the root user:

---

- hosts: all
  tasks:
    - name: create user
      user: name={{ username }} shell=/bin/bash createhome=yes

    - name: set authorized key
      authorized_key:
        user: "{{ username }}"
        key: "{{ lookup('file', '/{{ username }}/.ssh/id_rsa.pub') }}"
        state: present

    - name: update sudoers file
      lineinfile:
        dest: /etc/sudoers
        insertafter: EOF
        line: '{{ username }} ALL=(ALL) NOPASSWD: ALL'
        regexp: '^{{ username }} .*'
        state: present

2. Run the following command and enter the root password of the deployment target machines when prompted.

ansible-playbook -i hosts.ini create_users.yml -u root -k

This step creates the tidb user on the deployment target machines, configures the sudo rules, and sets up SSH mutual trust between the control machine and the deployment target machines.

Error:

"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."

Fix:

export ANSIBLE_HOST_KEY_CHECKING=False
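Turning host-key checking off also turns off SSH's protection against connecting to an impostor, and it is not what the error message asks for: the message asks for the hosts' fingerprints to be in known_hosts. The script below is an added example, not part of the original notes: it takes the target IPs from the [servers] section of hosts.ini, records the keys of hosts not yet in known_hosts with ssh-keyscan, prints the fingerprints for review, and then runs the same ansible-playbook command with host-key checking left enabled. The INVENTORY and KNOWN_HOSTS variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: instead of exporting
# ANSIBLE_HOST_KEY_CHECKING=False, record the targets' host keys in
# known_hosts so sshpass (ansible-playbook -k) can connect with checking on.
set -eu

INVENTORY="${INVENTORY:-hosts.ini}"                       # assumed: run from tidb-ansible/
KNOWN_HOSTS="${KNOWN_HOSTS:-${HOME:-.}/.ssh/known_hosts}"

# Print the hosts in the [servers] section of an ini inventory (first field
# only), skipping blank lines, comments and every other section.
servers_from_inventory() {
    awk '
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }
        /^\[/ { in_servers = ($0 == "[servers]"); next }
        in_servers && $0 != "" && !/^[#;]/ { print $1 }
    ' "$1"
}

# Filter stdin down to the hosts that have no entry in KNOWN_HOSTS yet.
hosts_missing_from_known_hosts() {
    [ -f "$KNOWN_HOSTS" ] || { cat; return; }
    while read -r host; do
        ssh-keygen -F "$host" -f "$KNOWN_HOSTS" >/dev/null 2>&1 || printf '%s\n' "$host"
    done
}

# Append the missing hosts' keys to KNOWN_HOSTS and list all fingerprints.
# This is trust on first use: compare the printed fingerprints with
# `ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub` run on each target's console
# before trusting them.
record_host_keys() {
    mkdir -p "$(dirname "$KNOWN_HOSTS")"
    servers_from_inventory "$INVENTORY" \
        | hosts_missing_from_known_hosts \
        | ssh-keyscan -t rsa,ecdsa,ed25519 -f - 2>/dev/null >> "$KNOWN_HOSTS"
    ssh-keygen -l -f "$KNOWN_HOSTS"
}

# The same command as in the notes, with host-key checking left enabled.
run_create_users() {
    ansible-playbook -i "$INVENTORY" create_users.yml -u root -k
}
```

Call record_host_keys first, review the fingerprints it prints, then call run_create_users.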


Install the NTP (time synchronization) service on the deployment target machines

Note:

If the time and time zone settings of your deployment target machines are consistent, the NTP service is already enabled and the time is syncing normally, this step can be skipped. The playbook file deploy_ntp.yml:

---

- hosts: all
  tasks:
    - name: get facts
      setup:

    - name: RedHat family Linux distribution - make sure ntp, ntpstat have been installed
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - ntp
      when:
        - ansible_os_family == "RedHat"

    - name: RedHat family Linux distribution - make sure ntpdate have been installed
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - ntpdate
      when:
        - ansible_os_family == "RedHat"
        - ntp_server is defined

    - name: Debian family Linux distribution - make sure ntp, ntpstat have been installed
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - ntp
        - ntpstat
      when:
        - ansible_os_family == "Debian"

    - name: Debian family Linux distribution - make sure ntpdate have been installed
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - ntpdate
      when:
        - ansible_os_family == "Debian"
        - ntp_server is defined

    - name: RedHat family Linux distribution - make sure ntpd service has been stopped
      service:
        name: ntpd
        state: stopped
      when:
        - ansible_os_family == "RedHat"
        - ntp_server is defined

    - name: Debian family Linux distribution - make sure ntp service has been stopped
      service:
        name: ntp
        state: stopped
      when:
        - ansible_os_family == "Debian"
        - ntp_server is defined

    - name: Adjust Time | start to adjust time with {{ ntp_server }}
      shell: ntpdate {{ ntp_server }}
      when: ntp_server is defined

    - name: RedHat family Linux distribution - make sure ntpd service has been started
      service:
        name: ntpd
        state: started
      when:
        - ansible_os_family == "RedHat"

    - name: Debian family Linux distribution - Make sure ntp service has been started
      service:
        name: ntp
        state: started
      when:
        - ansible_os_family == "Debian"

Log in to the control machine as the tidb user and run the following commands:

cd /home/tidb/tidb-ansible && \
ansible-playbook -i hosts.ini deploy_ntp.yml -u tidb -b

This step installs and starts the NTP service on the deployment target machines from the system's own package repositories over the network. The service uses the NTP server list shipped with the package; see the server entries in the /etc/ntp.conf configuration file. If you use the default NTP servers, your machines need Internet access.

So that NTP starts synchronizing as soon as possible, the system runs the ntpdate command before starting the NTP service, synchronizing the date and time with the ntp_server specified in hosts.ini. The default server is pool.ntp.org; you can replace it with your own NTP server.

Check whether the NTP service is running properly
[tidb@dev10 tidb-ansible]$ ansible -i hosts.ini all -m shell -a 'systemctl status ntpd.service'

172.160.180.52 | CHANGED | rc=0 >>
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 三 2019-10-16 08:58:05 CST; 9min ago
  Process: 1767 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1768 (ntpd)
    Tasks: 1
   Memory: 1.3M
   CGroup: /system.slice/ntpd.service
           └─1768 /usr/sbin/ntpd -u ntp:ntp -g
   ......

Run the following command; if every node reports synchronised to NTP server, synchronization succeeded.

[tidb@dev10 tidb-ansible]$ ansible -i hosts.ini all -m shell -a 'ntpstat'
172.160.180.52 | CHANGED | rc=0 >>
synchronised to NTP server (193.182.111.141) at stratum 3
   time correct to within 179 ms
   polling server every 1024 s

   ......
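The check above relies on reading each host's block of output by eye. As an added example that is not part of the original notes, the following function parses that ansible output and reports every host whose ntpstat result is not synchronised, as well as hosts that were unreachable, and exits non-zero so it can gate the next deployment step. The function name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse the output of
#   ansible -i hosts.ini all -m shell -a 'ntpstat'
# and report every host that did not answer "synchronised to NTP server".
set -eu

# Reads ansible ad-hoc output on stdin. Prints "<host><TAB><state>: <line>"
# for each host whose first output line is not "synchronised ...", and
# "<host><TAB>UNREACHABLE" for hosts ansible could not reach.
# Returns 0 only when every host is synchronised.
unsynchronised_hosts() {
    awk '
        # Host that ansible could not connect to: "<host> | UNREACHABLE! => {"
        /^[^ |]+ [|] UNREACHABLE!/ {
            printf "%s\tUNREACHABLE\n", $1; bad++; want_status = 0; next
        }
        # Per-host header: "<host> | <STATE> | rc=<n> >>"; ntpstat exits 1 when
        # unsynchronised, so those hosts show up as FAILED with rc=1.
        /^[^ |]+ [|] [A-Z_]+ [|] rc=[0-9]+ >>/ {
            host = $1; state = $3; want_status = 1; next
        }
        # First non-blank line after a header is the ntpstat verdict.
        want_status && NF > 0 {
            want_status = 0
            if ($0 !~ /^synchronised to NTP server/) {
                printf "%s\t%s: %s\n", host, state, $0
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}
```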

Enable NTP to start at boot
[tidb@dev10 tidb-ansible]$ ansible -i hosts.ini all -m shell -a 'systemctl enable ntpd.service && systemctl start ntpd.service' -b
Installing Ansible with yum

CentOS users need to configure EPEL first

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install ansible

ansible