1. selinux, established#
Example 1: Permanently modify selinux (the setting in /etc/selinux/config takes effect on the next reboot; setenforce only changes the running state)
--------------------------------------------------------------------------------------------
[root@cPen_A ~]# vim /etc/selinux/config
SELINUX=disabled
============================================================================================
Example: Troubleshooting connection issues 4.00 - 9.00 not completed
ps -ef | grep sshd
lsof -i:2233
cat /etc/services
[root@cPen_B ~]# netstat -anplut | grep ssh
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 911/sshd
tcp 0 36 192.168.0.31:2233 192.168.0.42:54290 ESTABLISHED 1402/sshd: root [pr
tcp6 0 0 :::2233 :::* LISTEN 911/sshd
udp 0 0 192.168.0.31:68 192.168.0.250:67 ESTABLISHED 893/NetworkManager
[root@cPen_B ~]# netstat -aplut | grep ssh
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:infocrypt 0.0.0.0:* LISTEN 911/sshd
tcp 0 36 cPen_B:infocrypt 192.168.0.42:54290 ESTABLISHED 1402/sshd: root [pr
tcp6 0 0 [::]:infocrypt [::]:* LISTEN 911/sshd
udp 0 0 cPen_B:bootpc 192.168.0.250:bootps ESTABLISHED 893/NetworkManager
##############################################################################################################
Example 2: Count the current system's connections by state (ESTABLISHED, LISTEN, TIME_WAIT)
--------------------------------------------------------------------------------------------
[root@cPen_B ~]# netstat -anplut | grep -E "ESTABLISHED|LISTEN|TIME_WAIT" | awk -F" " '{print $6}' | sort | uniq -c
2 ESTABLISHED
2 LISTEN
#-------------------------------------------------------------------------------
[root@cPen_B ~]# netstat -anplut
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 911/sshd
tcp 0 232 192.168.0.31:2233 192.168.0.42:54290 ESTABLISHED 1402/sshd: root [pr
#-------------------------------------------------------------------------------------------------------------
# pstree View the relationship between processes
# netstat View current network connections
2. SSH Access Control#
SSH uses TCP Wrappers to implement access control # Note: Implement access control
Main configuration files
- /etc/hosts.allow
- /etc/hosts.deny
Services that TCP Wrappers can control
- Services managed by super daemon (xinetd) # Note: Daemon services
- Services that support the libwrap.so module
Access control principles of TCP Wrappers
First check the hosts.allow file; if a matching policy is found, access is allowed
Otherwise, continue to check the hosts.deny file; if a matching policy is found, access is denied
If neither file has a matching policy, access is allowed (the default is to allow, so a host is only blocked when hosts.deny explicitly lists it)
Note: Control at the daemon process level#
Example: /etc/hosts.deny
---------------------------------------------------------------------------------------------------------------------------------
[root@cPen_A ~]# vim /etc/hosts.deny
sshd:192.168.0.31
# Note: Access control: this denies 192.168.0.31 for sshd. No service restart is needed, because the daemon itself consults these files when each new connection arrives
Note: The host's key pairs are under /etc/ssh/; by default the ecdsa key is used#
Note: In the known_hosts file, each line begins with the IP address of the remote host and ends with that host's public key#
Note: authorized_keys holds the trusted public keys that are permitted to log in to this account#
3. SSH Tunnel#
# Note: Local port forwarding
CSDN https://www.cnblogs.com/keerya/p/7612715.html
Port forwarding: there are three hosts, A, C and B. Host B runs an nginx service on port 80. Host A cannot reach Host B directly, but Host A can reach Host C, and Host C can reach Host B (A --> C --> B). A can ssh to C, so A jumps to C and from there reaches B's port 80 (nginx). Now establish a tunnel on Host C: the tunnel opens port 15577 on C and connects it to B's port 80, so that accessing port 15577 from A is equivalent to accessing B's port 80 (the mapping)
Note: An SSH tunnel is used, first, where direct access is not possible and, second, where the traffic must be encrypted in transit#
[root@cPen_C ~]# lsof -i:15577 # Note: Run on host C first to confirm that port 15577 is not already in use
[root@cPen_C ~]# ssh -g -L 15577:192.168.0.39:80 sanchuang@192.168.0.39 -p 2233
# Note: 192.168.0.39 is the IP address of host B # Note: Open a tunnel on host C, port is 15577
[root@cPen_A ~]# curl 192.168.0.48:15577 # Note: Simulate network access (use curl to access port 80 nginx page)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> # Note: Returned content
# Note: 192.168.0.48 is the IP address of the intermediate host C # Note: Pay attention to the firewall: the notes clear it with iptables -F, which flushes every rule; on a real host open only the tunnel port instead
# Note: Accessing port 15577 on the intermediate host C is forwarded to port 80 on the right host B
# Note: Without -g the forwarded port is bound to the loopback address 127.0.0.1, which only host C itself can reach; -g binds it on all of C's local addresses so that other hosts can connect (which also means anyone who can reach host C can now reach B's port 80 through it)
# Note: -L is local port forwarding
# Note: Generally, up to 65535 ports can be opened
# Summary: SSH Tunnel
Port Forwarding
Turn off the firewall
Turn off selinux
# Local Port Forwarding
ssh -g -L 15577:192.168.0.39:80 192.168.0.39 -p 2233 # Note: Execute on host C to map host B's port 80 to local port 15577*#
Host B's port 80 Host B
Experimental environment:
Host A: 192.168.0.132
Host C: 192.168.0.48
Host B: 192.168.0.39
Execute on host C: [root@cPen_C ~]# ssh -g -L 15577:192.168.0.39:80 192.168.0.39 -p 2233
Map host B's port 80 to local port 15577
Accessing port 15577 on host C is equivalent to accessing port 80 on host B
# Remote Port Forwarding
ssh -R 15566:192.168.0.39:80 -fN 192.168.0.132 -p 2233 # Note: On host C, map host B's port 80 to host A's port 15566#
Host B Port 80 Host A
Remote port forwarding: Execute on host C: [root@C .ssh]# ssh -R 15566:192.168.0.39:80 -fN 192.168.0.132 -p 2233
Map host B's port 80 to host A's port 15566
Accessing port 15566 on host A is equivalent to accessing port 80 on host B
Note: Host A 192.168.0.132#
Note: Host B 192.168.0.39#
Note: Establish the remote tunnel from host C: it opens port 15566 on host A and maps it to host B's port 80#
[root@cPen_A ~]# lsof -i:15566 # Note: Host A opens port 15566
sshd 2067 root 8u IPv6 38604 0t0 TCP localhost:15566 (LISTEN) # Note: Listening on the local loopback address (for -R, whether it binds more widely is decided by the GatewayPorts setting of sshd on host A, not by -g)
sshd 2067 root 9u IPv4 38605 0t0 TCP localhost:15566 (LISTEN)
[root@cPen_A ~]# curl 127.0.0.1:15566 # Note: Access local port 15566, which is mapped to host B's port 80
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> # Returned content
4. Ansible Service#
Ansible is the name of an automation operation and maintenance tool
Developed based on Python, it combines the advantages of many operation and maintenance tools (puppet, fabric, saltstack), achieving batch system configuration, program deployment, batch command execution, etc.
.--------------------------------------------------------------------------------------------------------------------------------------------
Linux operation and maintenance: Automation (scripts), intelligence, platformization
For Linux operations staff, manual operation and maintenance is not advisable
A series of operation and maintenance tools have emerged, and ansible is one of them
.--------------------------------------------------------------------------------------------------------------------------------------------
Daily operation and maintenance:
Software installation
Service configuration
Running scripts
Upgrading
Backup
.--------------------------------------------------------------------------------------------------------------------------------------------
Ansible is developed based on Python and relies on three key components: paramiko, PyYaml, and jinja
Based on the ssh protocol, as long as... not completed
Other tools need an agent deployed on every managed host, whereas ansible only needs to be installed on the control server; it then only requires that the server's public key be distributed to the (possibly hundreds of thousands of) managed machines. This makes the control server's private key the credential for every managed host, so it must be protected accordingly#
Note: glibc The underlying library of the kernel#
.--------------------------------------------------------------------------------------------------------------------------------------------
# Experimental Environment
a: 192.168.0.132 (ansible)
c: 192.168.0.48
b: 192.168.0.39
Prerequisite for the experiment: ensure passwordless authentication is already set up (see the ssh service notes for details)
a --> b, a --> c: a can log in to both b and c without a password
1. Install ansible on a
[root@cPen_A .ssh]# yum install epel-release # Note: Install epel repository
[root@cPen_A .ssh]# yum install ansible # Note: Install ansible
2. Configuration
Configuration directory:
/etc/ansible/ansible.cfg
The main configuration file for ansible. It defines the roles_path, the host inventory path, the connection method for hosts in the inventory, and so on. The defaults are sufficient for most daily use; modify them only if special configuration is needed
/etc/ansible/hosts
This is the default host inventory file; its location can be changed in ansible.cfg
Backup the /etc/ansible/hosts file
Edit the /etc/ansible/hosts file
Add the hosts to be managed to the webser group#
If the ssh login port is not 22, specify the port number after the host in the inventory file (e.g. 192.168.0.31:2233)#
[root@cPen_A ansible]# cp hosts{,.bak} # Note: Backup
[root@cPen_A ansible]# ls
ansible.cfg hosts hosts.bak roles
[root@cPen_A ansible]# >hosts # Note: Clear the old one
[root@cPen_A ansible]# vim hosts
[webser]
192.168.0.31:2233
192.168.0.55
Components of ansible:
1. host inventory --# Defines the managed clients, which can be grouped by type: db, web, etc.
2. playbook --# Playbook: has the hosts carry out a set of tasks according to the playbook you provide
3. module --# Module: implements a single piece of functionality
4. plugin --# Plugin: implements additional small features
.--------------------------------------------------------------------------------------------------------------------------------------------
[root@cPen_A /]# cd /etc
[root@cPen_A etc]# ls | grep ansible
ansible
[root@cPen_A etc]# cd ansible
[root@cPen_A ansible]# ls
ansible.cfg hosts roles # Note: hosts is the file that defines the inventory
[root@cPen_A ansible]# less ansible.cfg
#inventory = /etc/ansible/hosts # Note: Host inventory
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp
……
[root@cPen_A ansible]# less hosts
## [webservers] # Note: the name in [brackets], webservers, is a group name; the hosts listed under it belong to that group and are addressed together
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
3. Using ansible
-m Specify module name
HOST-PATTERN # Match host pattern, e.g., all means all hosts
-m MOD_NAME # Module name e.g.: ping
-a MOD_ARGS # Parameters for module execution
-f FORKS # Number of parallel subprocesses to use for execution
-C # Check mode: do not execute, only simulate the run
-u Username # Username for a specific host
-c CONNECTION # Connection method (default smart)
.--------------------------------------------------------------------------------------------------------------------------------------------
ansible Main execution program, generally used for command line execution
ansible-playbook Execute tasks in the playbook
ansible-doc Get help information for each module
.--------------------------------------------------------------------------------------------------------------------------------------------
[root@cPen_A ~]# ansible -h # Note: ansible -h help document
#-------------------------------------------------------------------------
[root@cPen_A ~]# ansible
………………
ansible: error: too few arguments
[root@cPen_A ~]# which ansible
/usr/bin/ansible
[root@cPen_A ~]# ls -al /bin/ansible
lrwxrwxrwx 1 root root 20 Nov 24 16:41 /bin/ansible -> /usr/bin/ansible-2.7
Ansible
[root@cPen_A ~]# ansible all -m shell -a "ip a" # Note: Match all hosts using shell module to execute ip a
# Note: Specify ansible... not completed to execute commands
[root@cPen_A ~]# ansible all -m shell -a "mkdir /tmp/sc"
……
192.168.0.55 | CHANGED | rc=0 >> # Note: Return 0 indicates execution success
……
[root@cPen_A ~]# ansible webser -m shell -a "mkdir /tmp/sc" # Note: Match webser group
192.168.0.55 | FAILED | rc=1 >> # Note: Return 1 indicates execution failure (here most likely because /tmp/sc was already created on this host by the previous "all" run)