
Huawei GaussDB T: Establishing Mutual Trust

墨天轮 2019-09-28

Establishing Mutual Trust

During cluster installation, commands must be executed and files transferred between the hosts of the cluster, so mutual trust (password-less SSH between the hosts) must be in place before the installation is run as an ordinary user. The pre-installation script gs_preinstall first establishes trust between the root users of the hosts, then creates the ordinary user and establishes trust between the ordinary users. If gs_preinstall fails to establish trust, follow this section to establish it either with the script or manually.

Prerequisites

  • The SSH service is running.
  • The SSH port is not blocked by the firewall.
  • The host names and IP addresses in the configuration file are correct.
  • The network between all cluster nodes is reachable.
  • If trust is being established for an ordinary user, create the same user with the same password on every host in advance.
  • If SELinux is installed and enabled on the hosts, make sure the security contexts of the /root and /home directories are the defaults (root directory: system_u:object_r:home_root_t:s0; home directory: system_u:object_r:admin_home_t:s0), or disable SELinux.

    To check the SELinux status, run getenforce; if it returns Enforcing, SELinux is installed and enabled.

    Commands to check the security context of the directories:

    ls -ldZ /root | awk '{print $4}'
    ls -ldZ /home | awk '{print $4}'

    Commands to restore the security context of the directories:

    restorecon -r -vv /home/
    restorecon -r -vv /root/

Establishing Trust with the Tool

When the user for whom trust is to be established has the same password on every host of the cluster, use the tool to establish trust.

  • Log in to any host as the user for whom trust is to be established.
  • Create a list of the IP addresses of the hosts to be trusted, one address per line.

    plat1:/opt/software> vim hostfile
    192.168.0.1
    192.168.0.2
    192.168.0.3

  • Run gs_sshexkey.

    plat1:/opt/software/gaussdb/script#gs_sshexkey -f /opt/software/hostfile
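The script below is an added example and is not part of the GaussDB T documentation or of the gs_sshexkey tool. It validates a hostfile of the kind created above before it is passed to gs_sshexkey -f: every non-blank line must hold exactly one IPv4 address or host name, and no host may appear twice. The one-host-per-line layout is taken from the example above; the file path is whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not part of the GaussDB T documentation.
# Checks a hostfile before it is handed to gs_sshexkey -f: the tool expects one
# host per line, so this validates each line as a single IPv4 address or host
# name and reports lines with several hosts, malformed entries and duplicates.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1                                 # split the address into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
}

# is_hostname NAME -> 0 if NAME uses only letters, digits, dots and hyphens,
# does not start with a hyphen or dot, and has no empty or hyphen-led label
is_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# classify_host TOKEN -> prints ipv4, hostname or invalid
# An all-numeric dotted token must be a valid IPv4 address, so "256.1.1.1"
# is reported as invalid rather than accepted as a host name.
classify_host() {
    case $1 in
        *[!0-9.]*) if is_hostname "$1"; then echo hostname; else echo invalid; fi ;;
        *)         if is_ipv4 "$1";     then echo ipv4;     else echo invalid; fi ;;
    esac
}

# validate_hostfile FILE -> prints one line per problem; returns 0 if there are none
validate_hostfile() {
    file=$1 status=0 seen=' ' lineno=0
    set -f                                    # no glob expansion while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                          # split the line on whitespace
        [ $# -gt 0 ] || continue              # blank line
        if [ $# -gt 1 ]; then
            echo "line $lineno: expected one host per line, found $# tokens"
            status=1; continue
        fi
        host=$1
        if [ "$(classify_host "$host")" = invalid ]; then
            echo "line $lineno: '$host' is not an IPv4 address or host name"
            status=1; continue
        fi
        case $seen in
            *" $host "*) echo "line $lineno: duplicate host $host"; status=1 ;;
        esac
        seen="$seen$host "
    done < "$file"
    set +f
    return $status
}

# Usage: sh check_hostfile.sh /opt/software/hostfile
if [ $# -eq 1 ]; then validate_hostfile "$1" && echo "$1: OK"; fi
```

A hostfile with all three addresses on a single line, as it might appear after a copy-and-paste, is reported as "expected one host per line, found 3 tokens" rather than silently being passed on to the tool.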

Examples

  • Establish trust for an ordinary user.

    Establish trust when the user password is the same on all hosts. Gauss@234 is the user password.

    [omm@plat1 script]#gs_sshexkey -f /opt/software/hostfile -W Gauss@234
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Successfully created the local key files.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.

  • Establish trust for the root user.

    Establish trust when the user password is the same on all hosts. Gauss@234 is the user password.

    [root@plat1 script]#./gs_sshexkey -f /opt/software/hostfile -W Gauss@234
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Successfully created the local key files.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.

    Establish trust in interactive mode when the user password is the same on all hosts.

    [root@plat1 script]#./gs_sshexkey -f /opt/software/hostfile
    Please enter password for current user[root].
    Password:
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Successfully created the local key files.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.

Establishing Trust Manually

When the root passwords differ between the hosts of the cluster, gs_preinstall and gs_sshexkey cannot be used to establish trust; establish it manually as described in this section.

This section takes three hosts, plat1, plat2 and plat3, as an example and describes the manual steps in detail. The procedure is the same for a larger number of hosts.

Four files are generated while trust is being established: authorized_keys, id_rsa, id_rsa.pub and known_hosts. Do not delete or damage these files.

  • Log in to each node of the cluster and perform the following steps on every host.

    vi /etc/ssh/sshd_config

    In this file, apply the following settings.

    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

  • Reload the sshd service so that the changes to sshd_config take effect.

    /bin/systemctl reload sshd.service

  • Restart each host of the cluster.
  • On host plat1, generate the key pair.

    plat1:~ #ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    d5:35:46:33:27:22:09:f0:1e:12:a7:87:fa:33:3f:ab root@plat1
    The key's randomart image is:
    +--[ RSA 2048]----+
    |   o.o.....O .   |
    |    * .o + *     |
    |     + + . .     |
    |      . + o      |
    |       . S       |
    |        .        |
    |         +       |
    |         +.      |
    |        E.oo     |
    +-----------------+

  • On host plat1, generate the authorization file of plat1's root user.

    plat1:~ #cat .ssh/id_rsa.pub >> .ssh/authorized_keys

  • Write the public host keys of plat1, plat2 and plat3 into the known_hosts file on plat1.

    plat1:~ #ssh-keyscan -t rsa plat1 >> ~/.ssh/known_hosts
    #plat1 SSH-2.0-OpenSSH_5.1
    plat1:~ # ssh-keyscan -t rsa plat2 >> ~/.ssh/known_hosts
    #plat2 SSH-2.0-OpenSSH_5.1
    plat1:~ #ssh-keyscan -t rsa plat3 >> ~/.ssh/known_hosts
    #plat3 SSH-2.0-OpenSSH_5.1

  • Distribute the trust files on plat1 to plat2 and plat3.

    plat1:~ #scp -r .ssh plat2:~
    Password:
    authorized_keys    100%  796   0.8KB/s   00:00
    id_rsa             100% 1675   1.6KB/s   00:00
    id_rsa.pub         100%  398   0.4KB/s   00:00
    known_hosts        100% 1089   1.1KB/s   00:00
    plat1:~ #scp -r .ssh plat3:~
    Password:
    authorized_keys    100%  796   0.8KB/s   00:00
    id_rsa             100% 1675   1.6KB/s   00:00
    id_rsa.pub         100%  398   0.4KB/s   00:00
    known_hosts        100% 1089   1.1KB/s   00:00

  • Check whether trust has been established successfully.

    plat1:~ #ssh plat2
    Last login: Tue Jan 5 10:28:18 2016 from plat1
    Huawei's internal systems must only be used for conducting Huawei's business or for purposes authorized by Huawei management. Use is subject to audit at any time by Huawei management.
    plat2:~ #exit
    logout
    Connection to plat2 closed.
    plat1:~ #
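The script below is an added example, not part of the GaussDB T documentation, for two of the manual steps above. set_sshd_option applies the three sshd_config directives idempotently, replacing an existing (possibly commented-out) line instead of appending a duplicate each time the procedure is repeated, and check_ssh_dir verifies that the four trust files are present with permissions that sshd's StrictModes accepts (a private key or authorized_keys readable by other users is rejected). It assumes GNU stat as found on Linux; the sshd_config fragment and the .ssh directory used by demo_manual_trust are constructed in a temporary directory with placeholder contents, not real keys.

```shell
#!/bin/sh
# Added example, not part of the GaussDB T documentation.
# Helpers for the manual procedure: an idempotent sshd_config editor for the
# three directives above, and a check that the four trust files exist with
# permissions sshd's StrictModes accepts. Requires GNU stat (Linux).

# set_sshd_option FILE KEY VALUE
# Rewrites an existing "KEY ..." or "#KEY ..." line to "KEY VALUE"; appends the
# directive only when no such line exists, so repeated runs never add duplicates.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file"
        rm -f "$file.bak"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> prints the first effective (uncommented) value,
# which is the one sshd uses
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# mode_string PATH -> the 10-character symbolic mode, e.g. -rw-------
mode_string() { stat -c %A "$1"; }

# private_only PATH -> 0 if group and other have no access bits at all
private_only() {
    case $(mode_string "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# not_shared_writable PATH -> 0 if neither group nor other may write
not_shared_writable() {
    case $(mode_string "$1") in
        ?????-??-*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_dir DIR -> 0 if the four trust files are present and permissions are safe
check_ssh_dir() {
    dir=$1 status=0
    if [ ! -d "$dir" ]; then echo "missing directory $dir"; return 1; fi
    if ! not_shared_writable "$dir"; then echo "$dir is group/world writable"; status=1; fi
    for f in authorized_keys id_rsa id_rsa.pub known_hosts; do
        if [ ! -f "$dir/$f" ]; then echo "missing $dir/$f"; status=1; fi
    done
    # the private key and authorized_keys must not be readable or writable by others
    for f in id_rsa authorized_keys; do
        if [ -f "$dir/$f" ] && ! private_only "$dir/$f"; then
            echo "$dir/$f is accessible by group/other"; status=1
        fi
    done
    return $status
}

# demo_manual_trust -> 0 if the helpers behave as expected on a constructed sandbox
demo_manual_trust() {
    work=$(mktemp -d)
    cfg=$work/sshd_config
    sshdir=$work/.ssh
    # constructed sshd_config fragment: the directive is present but commented out
    printf '#PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$cfg"
    set_sshd_option "$cfg" RSAAuthentication yes
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$cfg" PubkeyAuthentication yes    # repeat: must not duplicate
    [ "$(get_sshd_option "$cfg" PubkeyAuthentication)" = yes ] || return 1
    [ "$(grep -c '^PubkeyAuthentication' "$cfg")" -eq 1 ] || return 1
    # constructed .ssh directory with placeholder (not real) key material
    mkdir -m 700 "$sshdir"
    for f in authorized_keys id_rsa id_rsa.pub known_hosts; do
        printf 'placeholder\n' > "$sshdir/$f"
    done
    chmod 600 "$sshdir/id_rsa" "$sshdir/authorized_keys"
    chmod 644 "$sshdir/id_rsa.pub" "$sshdir/known_hosts"
    check_ssh_dir "$sshdir" || return 1                # expected: clean
    chmod 644 "$sshdir/id_rsa"
    if check_ssh_dir "$sshdir"; then return 1; fi      # expected: id_rsa flagged
    rm -rf "$work"
    echo "manual trust helpers OK"
}

# Usage: sh manual_trust.sh demo
if [ "${1:-}" = demo ]; then demo_manual_trust; fi
```

Run check_ssh_dir against ~/.ssh on each host after the scp step; a key file whose mode was widened during the copy shows up here rather than as a silent fall-back to password authentication.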

Note:

After trust has been established, it continues to work if the known_hosts file is deleted, but a warning is displayed. To avoid the warning, set the StrictHostKeyChecking parameter to no in the /etc/ssh/ssh_config configuration file. Be aware that this setting turns off host key verification for every connection, so an unknown or changed host key is then accepted without any warning; re-adding the host keys with ssh-keyscan as in the procedure above removes the warning while keeping that check.
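As an added example (not part of the GaussDB T documentation), the script below supports the alternative to disabling StrictHostKeyChecking: it lists the hosts from a hostfile that have no entry in a known_hosts file, which are exactly the hosts that would trigger the warning, and it flags an ssh_config that already sets StrictHostKeyChecking to no. Hashed known_hosts entries and @cert-authority/@revoked markers are skipped by name matching, and wildcard patterns are not expanded; those are limitations of this example, not of OpenSSH. The sample hostfile, known_hosts and ssh_config used by demo_known_hosts are constructed with placeholder key text.

```shell
#!/bin/sh
# Added example, not part of the GaussDB T documentation.
# Instead of turning off StrictHostKeyChecking, report which cluster hosts have
# no entry in known_hosts (the ones that would trigger the warning) so their
# keys can be re-added with ssh-keyscan as in the manual procedure.

# known_hosts_has KNOWN_HOSTS HOST -> 0 if a plain-text entry names HOST
# Hashed entries (|1|...) and @cert-authority/@revoked markers are skipped:
# hashed lines can only be matched with ssh-keygen -F, and marker lines do not
# record a plain host key. Wildcard patterns are not expanded.
known_hosts_has() {
    awk -v h="$2" '
        /^[[:space:]]*$/     { next }          # blank line
        /^[[:space:]]*#/     { next }          # comment
        $1 ~ /^@/            { next }          # @cert-authority / @revoked
        $1 ~ /^\|1\|/        { next }          # hashed host name
        {
            n = split($1, names, ",")          # host1,host2,... share one key
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port form
                if (name == h) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_known_hosts HOSTFILE KNOWN_HOSTS
# Prints each host from HOSTFILE that known_hosts does not name; returns 0 when none
missing_known_hosts() {
    hostfile=$1 kh=$2 missing=0
    while IFS= read -r h || [ -n "$h" ]; do
        case $h in ''|'#'*) continue ;; esac
        if ! known_hosts_has "$kh" "$h"; then
            echo "$h"
            missing=$((missing + 1))
        fi
    done < "$hostfile"
    [ "$missing" -eq 0 ]
}

# strict_checking_disabled SSH_CONFIG -> 0 if any effective line sets
# StrictHostKeyChecking to no (the weaker setting the note above describes)
strict_checking_disabled() {
    awk 'tolower($1) == "stricthostkeychecking" && tolower($2) == "no" { found = 1; exit }
         END { exit found ? 0 : 1 }' "$1"
}

# demo_known_hosts -> 0 when the constructed sample behaves as expected
demo_known_hosts() {
    work=$(mktemp -d)
    printf 'plat1\nplat2\nplat3\n' > "$work/hostfile"
    # constructed known_hosts: plat1 and plat2 present, key material is placeholder text
    printf '%s\n' \
        '# constructed sample' \
        'plat1 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERplat1' \
        'plat2,192.168.0.2 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERplat2' \
        '|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERhashed' \
        > "$work/known_hosts"
    # constructed ssh_config with the weaker setting from the note
    printf 'Host *\n    StrictHostKeyChecking no\n' > "$work/ssh_config"
    out=$(missing_known_hosts "$work/hostfile" "$work/known_hosts" || true)
    [ "$out" = plat3 ] || return 1
    strict_checking_disabled "$work/ssh_config" || return 1
    rm -rf "$work"
    echo "missing from known_hosts: $out"
}

# Usage: sh known_hosts_check.sh demo
#        or: . ./known_hosts_check.sh; missing_known_hosts /opt/software/hostfile ~/.ssh/known_hosts
if [ "${1:-}" = demo ]; then demo_known_hosts; fi
```

On a real cluster, run missing_known_hosts with the hostfile from the tool-based procedure and the current user's ~/.ssh/known_hosts; each host it prints is one to pass to ssh-keyscan again.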
