KingbaseES V8R6集群运维案例之---修改ssh端口后脚本创建互信

案例分析:
在KingbaseES V8R6集群部署时,需要建立节点之间ssh互信(或者使用securecmdd工具),在有的生产环境,为了安全起见会修改ssh的默认端口;KingbaseES V8R6集群部署提供了脚本用于创建ssh互信,如果修改了系统的ssh端口号后,也需要修改对应的脚本。

适用版本:
KingbaseES V8R6

一、集群节点信息

[root@node101 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.101   node101
192.168.1.102   node102
192.168.1.103   node103

二、配置系统修改ssh端口

[root@node101 ~]# cat /etc/ssh/sshd_config|grep -i port
# If you want to change the port on a SELinux system, you have to tell
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
Port 222

[root@node101 ~]# cat /etc/services|grep ssh
ssh             222/tcp                          # The Secure Shell (SSH) Protocol
ssh             222/udp                          # The Secure Shell (SSH) Protocol

---如上所示,将ssh默认端口22改为222。

三、系统测试ssh连接

[root@node101 ~]# ssh -p 222 node102
root@node102's password:
Last login: Tue May 23 14:41:48 2023 from 192.168.1.101

[kingbase@node102 ~]$ ssh node101 -p 222
kingbase@node101's password:
Last login: Tue May 23 14:42:51 2023 from 192.168.1.102

---如上所示,可以通过ssh 222端口建立连接。

三、修改部署脚本ssh端口

1、查看脚本文件

# 如下所示,trust_cluster.sh用于创建ssh互信。
[kingbase@node101 r6_install]$ ls -lh
total 264M
-rw-rw-r-- 1 kingbase kingbase 261M Apr  7  2022 db.zip
-rw-rw-r-- 1 kingbase kingbase 9.0K Aug  8  2022 install.conf
-rwxr-x--- 1 kingbase kingbase 3.4K Apr  7 14:07 license.dat
-rw-rw-r-- 1 kingbase kingbase 2.1M Apr  7  2022 securecmdd.zip
-rwxrwxr-x 1 kingbase kingbase 3.3K Apr  7  2022 trust_cluster.sh
-rwxr-xr-x 1 kingbase kingbase  87K Aug  8  2022 V8R6_cluster_install.sh

2、查看脚本中ssh配置
如下所示:trust_cluster.sh脚本中指定ssh端口的位置,需要读取install.conf文件中ssh_port参数。

3、修改配置文件install.conf和脚本

[kingbase@node101 r6_install]$ cat install.conf |grep ssh_port
ssh_port="222"                    # the port of ssh, default is 22

[kingbase@node101 r6_install]$ cat trust_cluster.sh |grep 222
[ "${ssh_port}"x = ""x ] && ssh_port=222
ssh -q -o Batchmode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o ServerAliveInterval=2 -o ServerAliveCountMax=5 -p 222 root@localhost "/bin/true 2>/dev/null || /usr/bin/true 2>/dev/null"

四、执行脚本创建ssh互信

[root@node101 ~]# cd /home/kingbase/r6_install/
[root@node101 r6_install]# sh trust_cluster.sh
Generating public/private rsa key pair.
Your identification hasbeen saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:yYAYwVk2GWG4ywfSWftgnmz8BUAbYWR5eW4Ftor9Dw0 root@node101
The key's randomart image is:
+---[RSA 2048]----+
| .oB#* .o.       |
|  +B==o....      |
| ..+o+.o..       |
|. = +o.+o.       |
| o B.+ooE        |
|  o B ...o       |
|   o . .o .      |
|      .  o       |
|          .      |
+----[SHA256]-----+
root@192.168.1.102's password:
root@192.168.1.102's password:
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IskHNGjXdEmbN+ONH7XWDOBimvD3cdsLYFRidNDMYBk root@node102
The key's randomart image is:
+---[RSA 2048]----+
|   .oo..o..EXo   |
|  o......ooo+=   |
| . .. . o *.. o  |
|   . o o *.* . = |
|    + o S +o+ + o|
|     o . ..o.= o |
|            o.. .|
|              . .|
|               . |
+----[SHA256]-----+
root@192.168.1.102's password:
authorized_keys                                                                100%  394   739.7KB/s   00:00
id_rsa                                                                         100% 1679     4.0MB/s   00:00
id_rsa.pub                                                                     100%  394     1.5MB/s   00:00
known_hosts                                                                    100%  372     1.1MB/s   00:00
The authenticity of host '[192.168.1.101]:222 ([192.168.1.101]:222)' can't be established.
ECDSA key fingerprint is SHA256:ACjDx1phzBUWGNOtXaeDl+NS6L5FGdUKXh4kjzWwVyk.
ECDSA key fingerprint is MD5:bb:98:fe:fb:94:fc:cf:3c:99:72:7f:09:91:25:64:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.101]:222' (ECDSA) to the list of known hosts.

五、测试ssh互信

如下所示,root用户及kingbase用户的ssh互信创建成功。
[root@node101 r6_install]# ssh node102
Last login: Tue May 23 14:44:29 2023 from 192.168.1.101

[root@node101 r6_install]# su - kingbase
Last login: Tue May 23 14:44:53 CST 2023 on pts/0

[kingbase@node101 ~]$ ssh node102
Last login: Tue May 23 14:43:48 2023 from 192.168.1.101

[kingbase@node102 ~]$ ssh node101
Last login: Tue May 23 14:49:36 2023 from 192.168.1.102


[kingbase@node101 r6_install]$ ssh -p 222 root@node102
Last login: Tue May 23 14:48:35 2023 from 192.168.1.101

六、总结

对于集群环境修改了ssh端口后,注意系统和脚本都要做相应的修改,才能完成ssh互信的创建。

posted @ 2023-09-18 15:36  KINGBASE研究院  阅读(94)  评论(0编辑  收藏  举报