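KingbaseES V8R6 Cluster Operations Case: Creating SSH Mutual Trust with the Script After Changing the SSH Port
Case analysis:
When deploying a KingbaseES V8R6 cluster, ssh mutual trust must be established between the nodes (or the securecmdd tool used instead). In some production environments the default ssh port is changed for security reasons. The KingbaseES V8R6 cluster deployment provides a script for creating the ssh mutual trust; if the system's ssh port number has been changed, the corresponding script must be modified as well.
Applicable version: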
KingbaseES V8R6
I. Cluster node information
[root@node101 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.101 node101
192.168.1.102 node102
192.168.1.103 node103
II. Configure the system to change the ssh port
[root@node101 ~]# cat /etc/ssh/sshd_config|grep -i port
# If you want to change the port on a SELinux system, you have to tell
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Port 222
[root@node101 ~]# cat /etc/services|grep ssh
ssh 222/tcp # The Secure Shell (SSH) Protocol
ssh 222/udp # The Secure Shell (SSH) Protocol
---As shown above, the default ssh port 22 has been changed to 222.
III. Test the ssh connection on the system
[root@node101 ~]# ssh -p 222 node102
root@node102's password:
Last login: Tue May 23 14:41:48 2023 from 192.168.1.101
[kingbase@node102 ~]$ ssh node101 -p 222
kingbase@node101's password:
Last login: Tue May 23 14:42:51 2023 from 192.168.1.102
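---As shown above, a connection can be established over ssh port 222.
III. Modify the ssh port in the deployment script
1. View the script files
# As shown below, trust_cluster.sh is used to create the ssh mutual trust.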
[kingbase@node101 r6_install]$ ls -lh
total 264M
-rw-rw-r-- 1 kingbase kingbase 261M Apr 7 2022 db.zip
-rw-rw-r-- 1 kingbase kingbase 9.0K Aug 8 2022 install.conf
-rwxr-x--- 1 kingbase kingbase 3.4K Apr 7 14:07 license.dat
-rw-rw-r-- 1 kingbase kingbase 2.1M Apr 7 2022 securecmdd.zip
-rwxrwxr-x 1 kingbase kingbase 3.3K Apr 7 2022 trust_cluster.sh
-rwxr-xr-x 1 kingbase kingbase 87K Aug 8 2022 V8R6_cluster_install.sh
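2. View the ssh configuration in the script
As shown below: where the trust_cluster.sh script specifies the ssh port, it needs to read the ssh_port parameter from the install.conf file.
3. Modify the install.conf configuration file and the script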
[kingbase@node101 r6_install]$ cat install.conf |grep ssh_port
ssh_port="222" # the port of ssh, default is 22
[kingbase@node101 r6_install]$ cat trust_cluster.sh |grep 222
[ "${ssh_port}"x = ""x ] && ssh_port=222
ssh -q -o Batchmode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 222 root@localhost "/bin/true 2>/dev/null || /usr/bin/true 2>/dev/null"
IV. Run the script to create the ssh mutual trust
[root@node101 ~]# cd /home/kingbase/r6_install/
[root@node101 r6_install]# sh trust_cluster.sh
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:yYAYwVk2GWG4ywfSWftgnmz8BUAbYWR5eW4Ftor9Dw0 root@node101
The key's randomart image is:
+---[RSA 2048]----+
| .oB#* .o. |
| +B==o.... |
| ..+o+.o.. |
|. = +o.+o. |
| o B.+ooE |
| o B ...o |
| o . .o . |
| . o |
| . |
+----[SHA256]-----+
root@192.168.1.102's password:
root@192.168.1.102's password:
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IskHNGjXdEmbN+ONH7XWDOBimvD3cdsLYFRidNDMYBk root@node102
The key's randomart image is:
+---[RSA 2048]----+
| .oo..o..EXo |
| o......ooo+= |
| . .. . o *.. o |
| . o o *.* . = |
| + o S +o+ + o|
| o . ..o.= o |
| o.. .|
| . .|
| . |
+----[SHA256]-----+
root@192.168.1.102's password:
authorized_keys 100% 394 739.7KB/s 00:00
id_rsa 100% 1679 4.0MB/s 00:00
id_rsa.pub 100% 394 1.5MB/s 00:00
known_hosts 100% 372 1.1MB/s 00:00
The authenticity of host '[192.168.1.101]:222 ([192.168.1.101]:222)' can't be established.
ECDSA key fingerprint is SHA256:ACjDx1phzBUWGNOtXaeDl+NS6L5FGdUKXh4kjzWwVyk.
ECDSA key fingerprint is MD5:bb:98:fe:fb:94:fc:cf:3c:99:72:7f:09:91:25:64:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.101]:222' (ECDSA) to the list of known hosts.
V. Test the ssh mutual trust
As shown below, the ssh mutual trust for the root user and the kingbase user has been created successfully.
[root@node101 r6_install]# ssh node102
Last login: Tue May 23 14:44:29 2023 from 192.168.1.101
[root@node101 r6_install]# su - kingbase
Last login: Tue May 23 14:44:53 CST 2023 on pts/0
[kingbase@node101 ~]$ ssh node102
Last login: Tue May 23 14:43:48 2023 from 192.168.1.101
[kingbase@node102 ~]$ ssh node101
Last login: Tue May 23 14:49:36 2023 from 192.168.1.102
[kingbase@node101 r6_install]$ ssh -p 222 root@node102
Last login: Tue May 23 14:48:35 2023 from 192.168.1.101
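VI. Summary
In a cluster environment, after the ssh port has been changed, both the system and the script must be modified accordingly before the ssh mutual trust can be created.
KINGBASE Research Institute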
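The rule in the summary (system and script must both carry the new port) can be checked before trust_cluster.sh is run. The script below is an added example, not part of the KingbaseES deployment scripts; its function names and the sample files it builds are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the KingbaseES scripts: check that the ssh port in
# sshd_config, install.conf and trust_cluster.sh agree before creating the trust.

# Ports sshd listens on: every active "Port" line, or 22 when none is set.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Value of ssh_port in install.conf, without quotes or the trailing comment.
conf_port() {
    sed -nE "s/^[[:space:]]*ssh_port=[\"']?([0-9]+).*/\1/p" "$1" | tail -n 1
}

# Ports written literally in the script: "-p N" / "-P N" on ssh or scp lines,
# and any "ssh_port=N" fallback assignment.
script_ports() {
    sed -nE -e '/(^|[^[:alnum:]_-])(ssh|scp)[[:space:]]/s/.*[[:space:]]-[pP][[:space:]]+([0-9]+).*/\1/p' \
            -e 's/.*ssh_port=([0-9]+).*/\1/p' "$1" | sort -un
}

# usage: check_ssh_port <sshd_config> <install.conf> <trust_cluster.sh>
# Prints one line per mismatch; returns 0 only when all three agree.
check_ssh_port() {
    want=$(conf_port "$2"); bad=0
    [ -n "$want" ] || { echo "install.conf: ssh_port is not set"; return 2; }
    sshd_ports "$1" | grep -qx "$want" ||
        { echo "sshd_config: sshd does not listen on port $want"; bad=1; }
    for p in $(script_ports "$3"); do
        [ "$p" = "$want" ] ||
            { echo "trust_cluster.sh: literal port $p, install.conf has $want"; bad=1; }
    done
    return "$bad"
}

# Constructed sample files: sshd and install.conf use 222, one ssh line still has 22.
demo() {
    d=$(mktemp -d)
    printf 'Port 222\n' > "$d/sshd_config"
    printf 'ssh_port="222"   # the port of ssh, default is 22\n' > "$d/install.conf"
    printf '%s\n' '[ "${ssh_port}"x = ""x ] && ssh_port=222' \
        'ssh -q -o Batchmode=yes -p 22 root@localhost /bin/true' > "$d/trust_cluster.sh"
    check_ssh_port "$d/sshd_config" "$d/install.conf" "$d/trust_cluster.sh"
    status=$?; rm -rf "$d"; return "$status"
}

# With three file arguments check those files; with none, run the constructed demo.
if [ "$#" -eq 3 ]; then check_ssh_port "$@"; else demo || true; fi
```

On a node it would be called with /etc/ssh/sshd_config and the install.conf and trust_cluster.sh from the deployment directory.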