ansible批量升级OpenSSH版本

CentOS Linux release 7.9.2009 (Core) 默认的OpenSSH版本是OpenSSH_7.4p1,YUM提供的最新版本也是 OpenSSH_7.4p1,对OpenSSH升级,须采用编译部署的方式。

[root@ansible-centos7-shanghai-area0 roles]# vim update_openssh.yaml
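---
# Upgrade play for the openssh_update role. It targets the `open` inventory
# group by default; to point it at another host or group, pass
# `-e target=<host-or-group>` rather than `-e hosts=...`, which only triggers
# Ansible's "reserved name: hosts" warning and does not change the targets.
- name: OpenSSH_7.4p1版本升级至OpenSSH_8.5p1版本
  hosts: "{{ target | default('open') }}"
  remote_user: root  # `user:` is the deprecated spelling of this keyword
  gather_facts: false  # the role only uses literal paths, so facts are not needed
  roles:
  - openssh_update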

[root@ansible-centos7-shanghai-area0 roles]# vim  openssh_update/vars/main.yaml

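---
# Source archives the role ships in openssh_update/files/. The unarchive
# handler has no remote_src, so these names are resolved against files/ on
# the control node and must match the archives stored there; they must also
# match the chdir paths the build handlers use (openssl-1.1.1k, openssh-8.5p1).
# The earlier values (openssh-8.4p1, openssl-1.1.1g) did not match either.
open_ssh_package: openssh-8.5p1.tar.gz
open_ssl_package: openssl-1.1.1k.tar.gz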

[root@ansible-centos7-shanghai-area0 roles]# cat openssh_update/tasks/main.yaml
---
# Role entry point. The pre-flight work (telnet fallback + notify) lives in
# tasks/install.yaml; the upgrade itself runs as the handler chain in
# handlers/main.yaml.
- import_tasks: install.yaml

[root@ansible-centos7-shanghai-area0 roles]#  cat openssh_update/tasks/install.yaml
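---
# Pre-flight tasks: bring up a telnet fallback before sshd is replaced, so a
# failed upgrade does not lock the operator out of the host. telnet carries
# the root password in cleartext — it is a temporary recovery path, not a
# service to leave running; stop and disable xinetd/telnet.socket and restore
# /etc/securetty from the backup once the new sshd is confirmed working.
- name: 部署 telnet、xinetd服务
  yum:
    name:
    - telnet
    - telnet-server
    - xinetd
    state: present
- name: 启动telnet、xinetd服务并配置开机启动
  service:
    name: "{{ item }}"
    state: started
    enabled: true  # keeps the fallback across a reboot mid-upgrade; revert afterwards
  loop:
  - xinetd
  - telnet.socket
- name: 对/etc/securetty文件进行备份
  # Dated copy so the original list of root-capable terminals can be restored.
  shell:
    cmd: cp -rf /etc/securetty /etc/securetty.bak$(date +%Y%m%d)
- name: 在/etc/securetty文件中添加其他终端设备
  # Root may only log in on terminals listed in /etc/securetty; pts/0-4 are
  # needed for the telnet fallback. blockinfile wraps the lines in markers,
  # so re-running the play does not append them again.
  blockinfile:
    path: /etc/securetty
    block: |-
      pts/0
      pts/1
      pts/2
      pts/3
      pts/4
- name: 重启xinetd服务
  service:
    name: xinetd
    state: restarted
  # A restart always reports "changed", so this notify fires on every run and
  # the handler chain in handlers/main.yaml performs the actual upgrade. The
  # upgrade must not start unless telnet is reachable: if the new sshd fails
  # to come back there is no other way onto the host.
  notify:
  - telnet 服务运行中,即将进行升级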

[root@ansible-centos7-shanghai-area0 roles]# cat openssh_update/handlers/main.yaml
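---
# Handlers for the openssh_update role. Every handler listens on the same
# topic, so the single notify in tasks/install.yaml runs the whole chain in
# file order: build OpenSSL into /usr/local/ssl, build OpenSSH into /usr,
# switch sshd_config and the init script, then restart sshd.
#
# Review notes:
# - The build steps use `shell` and are not idempotent. The openssl backup
#   step now carries a `creates:` guard so that a second run does not move the
#   newly created symlinks into the backup location.
# - sshd_config is syntax-checked (`sshd -t`) before sshd is restarted; a
#   broken config would otherwise leave only the telnet fallback to recover with.
- name: 部署编译环境
  yum:
    name:
    - gcc
    - gcc-c++
    - glibc
    - make
    - autoconf
    - openssl
    - openssl-devel
    - pcre-devel
    - pam-devel
    state: present
  listen: telnet 服务运行中,即将进行升级
- name: 部署软件包pam,zlib
  # yum's own glob matching replaces `yum -y install pam* zlib*` and removes
  # the command_warnings the shell form emitted in the run log.
  # NOTE(review): assumes the installed yum module accepts wildcard names —
  # confirm on the control node's Ansible version.
  yum:
    name:
    - 'pam*'
    - 'zlib*'
    state: present
  listen: telnet 服务运行中,即将进行升级
- name: 将openssh、openssl解压到/opt目录
  # No remote_src, so the archives are taken from the role's files/ directory,
  # copied to the host and extracted there.
  unarchive:
    src: "{{ item }}"
    dest: /opt/
  loop:
  - "{{ open_ssh_package }}"
  - "{{ open_ssl_package }}"
  listen: telnet 服务运行中,即将进行升级
- name: 备份openssl文件
  # Moves the distro openssl binary and headers aside. `creates` skips the
  # step on a re-run, where the mv would otherwise relocate the symlinks set
  # up below into the backup path.
  shell:
    cmd: mv /usr/bin/openssl /usr/bin/openssl_bak;mv /usr/include/openssl /usr/include/openssl_bak
    creates: /usr/bin/openssl_bak
  listen: telnet 服务运行中,即将进行升级
- name: 编译安装openssl
  # The directory name must match open_ssl_package in vars/main.yaml.
  shell:
    cmd: ./config shared --prefix=/usr/local/ssl && make && make install
    chdir: /opt/openssl-1.1.1k
  listen: telnet 服务运行中,即将进行升级
- name: 设置openssl指令的软链接
  # file/state=link is idempotent, unlike the earlier `ln -s` pair, and fails
  # visibly instead of silently continuing when the destination is taken.
  file:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    state: link
  loop:
  - src: /usr/local/ssl/bin/openssl
    dest: /usr/bin/openssl
  - src: /usr/local/ssl/include/openssl
    dest: /usr/include/openssl
  listen: telnet 服务运行中,即将进行升级
- name: 加载openssl模块
  # lineinfile adds the library path exactly once; the earlier `echo >>`
  # appended a duplicate line on every run.
  lineinfile:
    path: /etc/ld.so.conf
    line: /usr/local/ssl/lib
  listen: telnet 服务运行中,即将进行升级
- name: 刷新动态链接库缓存
  command: /sbin/ldconfig
  listen: telnet 服务运行中,即将进行升级
- name: 备份/etc/ssh、/etc/pam.d/sshd.pam
  # The fallback message used to print the literal text ansible_ens33[...]:
  # it was never templated, and gather_facts is off anyway. inventory_hostname
  # is always available.
  # NOTE(review): sshd's PAM service file is /etc/pam.d/sshd; sshd.pam does not
  # exist on a stock CentOS 7 host, which is why the fallback branch fires.
  shell:
    cmd: mv /etc/ssh /etc/ssh.$(date +%Y%m%d);cp -rf /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam.$(date +%Y%m%d) || echo "{{ inventory_hostname }}上暂无这个文件。"
  listen: telnet 服务运行中,即将进行升级
- name: 编译安装openssh
  # The directory name must match open_ssh_package in vars/main.yaml.
  # --prefix=/usr places sshd at /usr/sbin/sshd; --sysconfdir keeps the
  # configuration under /etc/ssh.
  shell:
    cmd: ./configure --prefix=/usr --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install
    chdir: /opt/openssh-8.5p1
  listen: telnet 服务运行中,即将进行升级
- name: 替换新的sshd_config
  # Starts from the upstream default config; the lineinfile handlers below
  # re-apply the site settings on top of it.
  shell:
    cmd: cp -rf /opt/openssh-8.5p1/sshd_config /etc/ssh/sshd_config
  listen: telnet 服务运行中,即将进行升级
- name: override default of no subsystems
  # NOTE(review): this points sftp at the old rpm's binary under
  # /usr/libexec/openssh/; the freshly built sftp-server is expected under
  # /usr/libexec/ (prefix=/usr). Confirm which one is intended before
  # relying on sftp.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '.*Subsystem.*sftp-server'
    line: Subsystem       sftp    /usr/libexec/openssh/sftp-server
  listen: telnet 服务运行中,即将进行升级
- name: 关闭DNS解析
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '.*UseDNS'
    line: UseDNS no
  listen: telnet 服务运行中,即将进行升级
- name: 允许root远程登录
  # The upstream default for OpenSSH 8.5 is `prohibit-password`; `yes`
  # re-enables password logins for root over the network. Keep it only while
  # the password-based bootstrap is needed and switch back to
  # prohibit-password once keys are distributed.
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '.*PermitRootLogin'
    line: PermitRootLogin yes
  listen: telnet 服务运行中,即将进行升级
- name: 添加banner路径
  # Nothing in this role creates /etc/sshbanner. sshd is expected to start
  # without it but show no banner — TODO ship the file or drop this line.
  lineinfile:
    path: /etc/ssh/sshd_config
    insertafter: '^#Banner none'
    line: Banner /etc/sshbanner
  listen: telnet 服务运行中,即将进行升级
- name: 复制sshd.init和sshd.pam
  # NOTE(review): sshd reads /etc/pam.d/sshd, so the sshd.pam copy is most
  # likely inert; the distro's /etc/pam.d/sshd stays in place.
  shell:
    cmd: cp -a contrib/redhat/sshd.init /etc/init.d/sshd;cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chdir: /opt/openssh-8.5p1
  listen: telnet 服务运行中,即将进行升级
- name: 设置sshd.init可执行权限
  # Replaces the `chmod +x` shell call that triggered a command warning.
  file:
    path: /etc/init.d/sshd
    mode: 'a+x'
  listen: telnet 服务运行中,即将进行升级
- name: 将sshd添加到chkconfig进行管理
  shell:
    cmd: chkconfig --add sshd;chkconfig sshd on;systemctl enable sshd
  listen: telnet 服务运行中,即将进行升级
- name: 校验新的sshd_config
  # Fails the play before the restart if the new config is invalid, so the
  # running 7.4 daemon keeps serving instead of dropping every session.
  command: /usr/sbin/sshd -t
  listen: telnet 服务运行中,即将进行升级
- name: 备份sshd.service并重启sshd服务
  # The packaged systemd units are moved aside so systemd falls back to the
  # SysV init script installed above. On a re-run the mv calls fail, but the
  # `;` chain still reaches the restart.
  shell:
    cmd: mv  /usr/lib/systemd/system/sshd.service  /opt/;mv  /usr/lib/systemd/system/sshd.socket  /opt/;systemctl daemon-reload;service sshd restart
  listen: telnet 服务运行中,即将进行升级
- name: 检查版本,确认是否升级成功
  # `ssh -V` reports on stderr, so the OpenSSH version lands in check.stderr
  # while the OpenSSL version is in check.stdout.
  shell:
    cmd: ssh -V;openssl version
  register: check
  listen: telnet 服务运行中,即将进行升级
- name: 查询更新后的版本信息
  # Once this shows OpenSSH_8.5p1 the telnet/xinetd fallback enabled in
  # tasks/install.yaml is no longer needed and should be stopped and disabled:
  # it accepts root logins over a cleartext protocol.
  debug:
    var: check
    verbosity: 0
  listen: telnet 服务运行中,即将进行升级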

[root@ansible-centos7-shanghai-area0 roles]# ls
openssh_update  update_openssh.yaml
[root@ansible-centos7-shanghai-area0 roles]# ansible-playbook --syntax-check update_openssh.yaml  # 检查yaml语法

playbook: update_openssh.yaml

[root@ansible-centos7-shanghai-area0 roles]# ansible-playbook -i /etc/ansible/hosts  -e hosts=192.168.122.102  /etc/ansible/roles/update_openssh.yaml  # 运行 
[WARNING]: Found variable using reserved name: hosts

PLAY [OpenSSH_7.4p1版本升级至OpenSSH_8.5p1版本] *******************************************************************************************************************************************************************************************************

TASK [openssh_update : 部署 telnet、xinetd服务] *****************************************************************************************************************************************************************************************************
changed: [192.168.122.102]

TASK [openssh_update : 启动telnet、xinetd服务并配置开机启动] *********************************************************************************************************************************************************************************************
changed: [192.168.122.102] => (item=xinetd)
changed: [192.168.122.102] => (item=telnet.socket)

TASK [openssh_update : 对/etc/securetty文件进行备份] **************************************************************************************************************************************************************************************************
changed: [192.168.122.102]

TASK [openssh_update : 在/etc/securetty文件中添加其他终端设备] *******************************************************************************************************************************************************************************************
changed: [192.168.122.102]

TASK [openssh_update : 重启xinetd服务] **********************************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 部署编译环境] ***************************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 部署软件包pam,zlib] ***********************************************************************************************************************************************************************************************
[WARNING]: Consider using the yum module rather than running 'yum'.  If you need to use command because yum is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this
message.
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 将openssh、openssl解压到/opt目录] ****************************************************************************************************************************************************************************
changed: [192.168.122.102] => (item=openssh-8.5p1.tar.gz)
changed: [192.168.122.102] => (item=openssl-1.1.1k.tar.gz)

RUNNING HANDLER [openssh_update : 备份openssl文件] **********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 编译安装openssl] **********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 设置openssl指令的软链接] ******************************************************************************************************************************************************************************************
[WARNING]: Consider using the file module with state=link rather than running 'ln'.  If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg
to get rid of this message.
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 加载openssl模块] **********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 备份/etc/ssh、/etc/pam.d/sshd.pam] ***************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 编译安装openssh] **********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 替换新的sshd_config] ******************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : override default of no subsystems] ************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 关闭DNS解析] **************************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 允许root远程登录] ***********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 添加banner路径] ***********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 复制sshd.init和sshd.pam] *************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 将sshd添加到chkconfig进行管理] ***************************************************************************************************************************************************************************************
[WARNING]: Consider using the file module with mode rather than running 'chmod'.  If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to
get rid of this message.
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 备份sshd.service并重启sshd服务] **********************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 检查版本,确认是否升级成功] ********************************************************************************************************************************************************************************************
changed: [192.168.122.102]

RUNNING HANDLER [openssh_update : 查询更新后的版本信息] **************************************************************************************************************************************************************************************************
ok: [192.168.122.102] => {
    "check": {
        "changed": true, 
        "cmd": "ssh -V;openssl version", 
        "delta": "0:00:00.043766", 
        "end": "2021-04-16 12:10:53.211888", 
        "failed": false, 
        "rc": 0, 
        "start": "2021-04-16 12:10:53.168122", 
        "stderr": "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021", 
        "stderr_lines": [
            "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021"
        ], 
        "stdout": "OpenSSL 1.1.1k  25 Mar 2021", 
        "stdout_lines": [
            "OpenSSL 1.1.1k  25 Mar 2021"
        ]
    }
}

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
192.168.122.102            : ok=24   changed=23   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@ansible-centos7-shanghai-area0 roles]# 

IDC 升级应用

[root@devops-centos7-shanghai-area1 roles]# cat /root/scripts/ssh-keygen_copy.sh 
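#!/bin/bash
# Distribute the local SSH public key to every host named in /root/host
# (whitespace-separated) via ssh-copy-id, driving the prompts with expect.
#
# The root password is taken from $SSH_PASS or prompted for interactively,
# so no credential is stored in this file any more. The expect dialogue
# still answers "yes" to the unknown-host-key prompt, which trusts whatever
# key a host presents on first contact; pre-populating known_hosts is the
# safer choice when the hosts' keys are known in advance.
set -u

if [ -z "${SSH_PASS:-}" ]; then
    read -r -s -p "root password for the target hosts: " SSH_PASS
    echo
fi

for target in $(< /root/host); do
    # The heredoc is expanded by the shell before expect sees it, so a
    # password containing characters special to Tcl (e.g. $ [ " \) would
    # need escaping.
    /usr/bin/expect <<EOF
spawn ssh-copy-id root@$target
expect "connecting"
send "yes\n"
expect "password"
send "$SSH_PASS\n"
expect eof
EOF
done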

[root@devops-centos7-shanghai-area1 roles]# tree
.
├── openssh_update
│   ├── files
│   │   ├── openssh-8.5p1.tar.gz
│   │   └── openssl-1.1.1k.tar.gz
│   ├── handlers
│   │   └── main.yaml
│   ├── tasks
│   │   ├── install.yaml
│   │   └── main.yaml
│   └── vars
│       └── main.yaml
└── update_openssh.yaml

5 directories, 7 files

[root@devops-centos7-shanghai-area1 roles]# ansible-playbook  update_openssh.yaml # update_openssh.yaml 中指定主机分组即可

PLAY [OpenSSH_7.4p1版本升级至OpenSSH_8.5p1版本] ******************************************************************************************************************************************************************************************************

TASK [openssh_update : 安装telnet、xinetd] ****************************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

TASK [openssh_update : 启动telnet、xinetd,并设置开机启动] ********************************************************************************************************************************************************************************************
changed: [172.17.1.11] => (item=xinetd)
changed: [172.17.1.12] => (item=xinetd)
changed: [172.17.1.11] => (item=telnet.socket)
changed: [172.17.1.12] => (item=telnet.socket)

TASK [openssh_update : 备份/etc/securetty文件] *************************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

TASK [openssh_update : 在/etc/securetty文件添加其他终端设备] ******************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

TASK [openssh_update : 重启xinetd服务] *********************************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 部署编译环境] **************************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 部署软件包pam,zlib] *******************************************************************************************************************************************************************************************
[WARNING]: Consider using the yum module rather than running 'yum'.  If you need to use command because yum is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of
this message.
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 将openssh、openssl解压到/opt目录] *******************************************************************************************************************************************************************************
changed: [172.17.1.12] => (item=openssh-8.5p1.tar.gz)
changed: [172.17.1.11] => (item=openssh-8.5p1.tar.gz)
changed: [172.17.1.12] => (item=openssl-1.1.1k.tar.gz)
changed: [172.17.1.11] => (item=openssl-1.1.1k.tar.gz)

RUNNING HANDLER [openssh_update : 备份openssl文件] *********************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 编译安装openssl] *********************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 设置openssl指令的软链接] *****************************************************************************************************************************************************************************************
[WARNING]: Consider using the file module with state=link rather than running 'ln'.  If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg
to get rid of this message.
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 加载openssl模块] *********************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 备份/etc/ssh、/etc/pam.d/sshd.pam] **************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 编译安装openssh] *********************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 替换新的sshd_config] *****************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : override default of no subsystems] ***********************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 关闭DNS解析] *************************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 允许root远程登录] **********************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 添加banner路径] **********************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 复制sshd.init和sshd.pam] ************************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 将sshd添加到chkconfig进行管理] ***********************************************************************************************************************************************************************************
[WARNING]: Consider using the file module with mode rather than running 'chmod'.  If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to
get rid of this message.
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 备份sshd.service并重启sshd服务] *********************************************************************************************************************************************************************************
changed: [172.17.1.11]
changed: [172.17.1.12]

RUNNING HANDLER [openssh_update : 检查版本,确认是否升级成功] *******************************************************************************************************************************************************************************************
changed: [172.17.1.12]
changed: [172.17.1.11]

RUNNING HANDLER [openssh_update : 查询更新后的版本信息] **********************************************************************************************************************************************************************************************
ok: [172.17.1.11] => {
    "check": {
        "changed": true, 
        "cmd": "ssh -V;openssl version", 
        "delta": "0:00:00.010642", 
        "end": "2021-04-19 14:38:47.334222", 
        "failed": false, 
        "rc": 0, 
        "start": "2021-04-19 14:38:47.323580", 
        "stderr": "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021", 
        "stderr_lines": [
            "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021"
        ], 
        "stdout": "OpenSSL 1.1.1k  25 Mar 2021", 
        "stdout_lines": [
            "OpenSSL 1.1.1k  25 Mar 2021"
        ]
    }
}
ok: [172.17.1.12] => {
    "check": {
        "changed": true, 
        "cmd": "ssh -V;openssl version", 
        "delta": "0:00:00.015121", 
        "end": "2021-04-19 14:38:47.290111", 
        "failed": false, 
        "rc": 0, 
        "start": "2021-04-19 14:38:47.274990", 
        "stderr": "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021", 
        "stderr_lines": [
            "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021"
        ], 
        "stdout": "OpenSSL 1.1.1k  25 Mar 2021", 
        "stdout_lines": [
            "OpenSSL 1.1.1k  25 Mar 2021"
        ]
    }
}

PLAY RECAP *********************************************************************************************************************************************************************************************************************************
172.17.1.11                : ok=24   changed=23   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
172.17.1.12                : ok=24   changed=23   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0