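I want to perform some operations on all web servers in cluster1. But if I tell Fabric
fab -R cluster1,webserver ...
it will execute on all machines in cluster1 as well as on all web servers (in all clusters). What can I do?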
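I am trying to use SSH keys with Fabric so that I don't have to type a password every time I run fab. All of our hosts share the same /etc/ssh/ssh_known_hosts file, which contains all of their public RSA keys, and I am able to SSH from one host to another without a password.
I have the following env variables set in my fabfile.py: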
from fabric.api import env, run

env.use_ssh_config = True
env.ssh_config_path = '/etc/ssh/ssh_config'
env.key_filename = '/etc/ssh/ssh_host_rsa_key'
I run fab test as root; it is a simple command:
def test():
    run('uname -s')
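I have gone through all the documentation and searched a lot, but I have not seen an example that uses keys and configs in /etc/ssh; the examples usually show how to use configs and keys in ~/.ssh/, so I may be misunderstanding how to use these settings.
Here is a debug run: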
root@beef:~> fab test
[chicken] Executing task 'test'
[chicken] run: uname -s
DEBUG:ssh.transport:starting thread (client mode): 0x141c710L
INFO:ssh.transport:Connected (version 1.99, client OpenSSH_5.1)
DEBUG:ssh.transport:kex algos:['diffie-hellman-group-exchange-sha256', 'diffie-hellman-group-exchange-sha1', 'diffie-hellman-group14-sha1', 'diffie-hellman-group1-sha1'] server key:['ssh-rsa', 'ssh-dss'] client encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] server encrypt:['aes128-cbc', '3des-cbc', 'blowfish-cbc', 'cast128-cbc', 'arcfour128', 'arcfour256', 'arcfour', 'aes192-cbc', 'aes256-cbc', 'rijndael-cbc@lysator.liu.se', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr'] client mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] server mac:['hmac-md5', 'hmac-sha1', 'umac-64@openssh.com', 'hmac-ripemd160', 'hmac-ripemd160@openssh.com', 'hmac-sha1-96', 'hmac-md5-96'] client compress:['none', 'zlib@openssh.com', 'zlib'] server compress:['none', 'zlib@openssh.com', 'zlib'] client lang:[''] server lang:[''] kex follows?False
DEBUG:ssh.transport:Ciphers agreed: local=aes128-ctr, remote=aes128-ctr
DEBUG:ssh.transport:using kex diffie-hellman-group1-sha1; server key type ssh-rsa; cipher: local aes128-ctr, remote aes128-ctr; mac: local hmac-sha1, remote hmac-sha1; compression: local none, remote none
DEBUG:ssh.transport:Switch to new keys ...
DEBUG:ssh.transport:Adding ssh-rsa host key for chicken: 56f3f71a494013976c183844d342ed1b
[chicken] Login password for 'root':
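The system log on chicken says
Jun 22 13:48:47 chicken sshd[7328]: Did not receive identification string from 172.x.x.x
so I am not passing the correct key file or something...
Update
I received some troubleshooting tips from the Fabric users mailing list.
I can see that when I connect with the ssh client from the shell, the client requests the connection method "none", followed by "hostbased". Fabric (or Paramiko) seems to request publickey immediately. Note the connection method chosen in each example:
Successful login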
root@beef:~> ssh -t -i /etc/ssh/ssh_host_rsa_key chicken uname -s
root@chicken:~> /usr/sbin/sshd -d
...snip...
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 1 failures 0
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-dss slen 55
debug1: PAM: setting PAM_RHOST to "beef"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed hostbased for root from 172.x.x.x port 54623 ssh2
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: attempt 2 failures 1
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-rsa slen 271
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted hostbased for root from 172.x.x.x port 54623 ssh2
Failed login via Fabric
root@beef:~ > fab test
root@chicken:~> /usr/sbin/sshd -d
...snip...
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "beef"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.x.x.x port 54630 ssh2
So... the question: is there any way to specify hostbased as the preferred connection method in Fabric/Paramiko?
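The comparison made in the update above can be scripted. The following is an added example, not part of the original post: it parses `sshd -d` output and reports which authentication methods a client requested and how each attempt ended. The sample logs are a constructed subset of the two sessions shown in the post, and the function names are hypothetical.

```python
import re

# Constructed samples: auth-relevant sshd -d lines from the two sessions above.
SSH_CLIENT_LOG = """\
debug1: userauth-request for user root service ssh-connection method none
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-dss slen 55
Failed hostbased for root from 172.x.x.x port 54623 ssh2
debug1: userauth-request for user root service ssh-connection method hostbased
debug1: userauth_hostbased: cuser root chost beef. pkalg ssh-rsa slen 271
Accepted hostbased for root from 172.x.x.x port 54623 ssh2
"""
FABRIC_LOG = """\
debug1: userauth-request for user root service ssh-connection method publickey
debug1: trying public key file /root/.ssh/authorized_keys
debug1: trying public key file /root/.ssh/authorized_keys2
Failed publickey for root from 172.x.x.x port 54630 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
HOSTKEY = re.compile(r"userauth_hostbased: cuser \S+ chost \S+ pkalg (\S+)")
KEYFILE = re.compile(r"trying public key file (\S+)")
RESULT = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from ")

def auth_attempts(log):
    """Return one record per userauth-request, in the order sshd saw them."""
    attempts = []
    for line in log.splitlines():
        m = REQUEST.search(line)
        if m:
            attempts.append({"user": m.group(1), "method": m.group(2),
                             "pkalg": None, "keyfiles": [], "result": None})
        elif attempts:
            cur = attempts[-1]
            if HOSTKEY.search(line):
                cur["pkalg"] = HOSTKEY.search(line).group(1)
            elif KEYFILE.search(line):
                cur["keyfiles"].append(KEYFILE.search(line).group(1))
            else:
                m = RESULT.match(line)
                # Only pair a verdict with the request for the same method.
                if m and m.group(2) == cur["method"]:
                    cur["result"] = m.group(1).lower()
    return attempts

def methods_offered(log):
    """Ordered, de-duplicated list of methods the client requested."""
    return list(dict.fromkeys(a["method"] for a in auth_attempts(log)))
```

For the Fabric session `methods_offered` returns only `publickey`, so `hostbased` was never requested by that client, while the OpenSSH client session shows `none` followed by `hostbased`.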
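I have a pair of Brocade switches with an ISL running between them. I would like to know whether it is possible to get an alert when one of the ISL ports changes from E_PORT to anything else (especially U_PORT). I was going to write a /sh script on a management box that runs the portshow command every 15 minutes and e-mails me if it does not see what I need, but there must be an easier way. How do you monitor ISL ports?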
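chpasswd
Fabric script. Another option is to use Pexpect within the Fabric script.
[xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd
I created a Python script using Fabric to configure a newly built Slicehost Ubuntu slice. In case you are not familiar with Fabric, it uses the Python SSH2 client Paramiko to provide remote access "for application deployment or systems administration tasks".
The first thing I have the Fabric script do is create a new admin user and set their password. Unlike Pexpect, Fabric cannot handle interactive commands on the remote system, so I need to set the user's password non-interactively. At present, I am using the chpasswd command, which reads the username and password as cleartext.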
# Fabric imports and host configuration excluded for brevity
import getpass

root_password = getpass.getpass("Root's password given by SliceManager: ")
admin_username = prompt("Enter a username for the admin user to create: ")
admin_password = getpass.getpass("Enter a password for the admin user: ")
env.user = 'root'
env.password = root_password
# Create the admin group and add it to the sudoers file
admin_group = 'admin'
run('addgroup {group}'.format(group=admin_group))
run('echo "%{group} ALL=(ALL) ALL" >> /etc/sudoers'.format(
    group=admin_group)
)
# Create the new admin user (default group=username); add to admin group
run('adduser {username} --disabled-password --gecos ""'.format(
    username=admin_username)
)
run('adduser {username} {group}'.format(
    username=admin_username,
    group=admin_group)
)
# Set the password for the new admin user
run('echo "{username}:{password}" | chpasswd'.format(
    username=admin_username,
    password=admin_password)
)
$ fab config_rebuilt_slice
Root's password given by SliceManager:
Enter a username for the admin user to create: johnsmith
Enter a password for the admin user:
[xxx.xx.xx.xxx] run: addgroup admin
[xxx.xx.xx.xxx] out: Adding group `admin' (GID 1000) ...
[xxx.xx.xx.xxx] out: Done.
[xxx.xx.xx.xxx] run: echo "%admin ALL=(ALL) ALL" >> /etc/sudoers
[xxx.xx.xx.xxx] run: adduser johnsmith --disabled-password --gecos ""
[xxx.xx.xx.xxx] out: Adding user `johnsmith' ...
[xxx.xx.xx.xxx] out: Adding new group `johnsmith' (1001) ...
[xxx.xx.xx.xxx] out: Adding new user `johnsmith' (1000) with group `johnsmith' ...
[xxx.xx.xx.xxx] out: Creating home directory `/home/johnsmith' ...
[xxx.xx.xx.xxx] out: Copying files from `/etc/skel' ...
[xxx.xx.xx.xxx] run: adduser johnsmith admin
[xxx.xx.xx.xxx] out: Adding user `johnsmith' to group `admin' ...
[xxx.xx.xx.xxx] out: Adding user johnsmith to group admin
[xxx.xx.xx.xxx] out: Done.
[xxx.xx.xx.xxx] run: echo "johnsmith:supersecretpassw0rd" | chpasswd
[xxx.xx.xx.xxx] run: passwd --lock root
[xxx.xx.xx.xxx] out: passwd: password expiry information changed.
Done.
Disconnecting from [email protected]... done.
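One way to keep the password out of the `run:` line shown above, as an added example that is not part of the original post: the `user:password` record is uploaded as a mode-0600 file and fed to `chpasswd` on stdin, so no command string contains the secret. The function name is hypothetical, and `run` and `put` are assumed to behave like Fabric 1.x's `fabric.api.run` and `fabric.api.put`; they are passed in as parameters so the function can be exercised without a remote host.

```python
import io
import re
import shlex

# Conservative login-name pattern (an assumption; adjust to local policy).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def set_password(run, put, username, password):
    """Set a remote user's password without putting it in a command string.

    `run` and `put` are expected to be Fabric 1.x's fabric.api.run and
    fabric.api.put (assumption), injected so stand-ins can be used.
    """
    # The username ends up in the chpasswd record; reject shell and
    # record metacharacters instead of trying to escape them.
    if not USERNAME_RE.match(username):
        raise ValueError("refusing unsafe username: %r" % username)
    # chpasswd reads one "user:password" record per line.
    if not password or "\n" in password or "\r" in password:
        raise ValueError("password must be non-empty and single-line")

    # mktemp creates the file with mode 0600 before any secret is written.
    path = str(run("mktemp")).strip()
    quoted = shlex.quote(path)
    try:
        record = ("%s:%s\n" % (username, password)).encode("utf-8")
        # The record travels over SFTP as file content, not as a command.
        put(io.BytesIO(record), path, mode=0o600)
        run("chpasswd < %s" % quoted)
    finally:
        # Remove the cleartext record even if chpasswd fails.
        run("rm -f %s" % quoted)
```

The cleartext record still exists on the remote disk for the duration of the `chpasswd` call, readable only by the connecting user.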