
chrony内网时间同步以及利用PXE和cobbler实现自动化系统部署

运维开发网 https://www.qedev.com 2021-05-18 14:01 出处:51CTO 作者:puppydong
chrony内网时间同步以及利用PXE和cobbler实现自动化系统部署,chrony内网时间同步以及详细介绍了利用PXE和cobbler实现自动化系统部署

1 常用PAM模块

1.1 pam_shells 模块

功能:检查有效shell

帮助:man pam_shells

案例:不允许使用/bin/csh的用户本地登录

[[email protected] pam.d]# cat /etc/shells
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash

[[email protected] pam.d]# /bin/csh
-bash: /bin/csh: No such file or directory
[[email protected] pam.d]# yum install -y csh

[[email protected] pam.d]# rpm -ql csh
package csh is not installed
[[email protected] pam.d]# rpm -ql tcsh
/bin/csh
/bin/tcsh
/usr/share/doc/tcsh-6.18.01
/usr/share/doc/tcsh-6.18.01/BUGS
/usr/share/doc/tcsh-6.18.01/Copyright
/usr/share/doc/tcsh-6.18.01/FAQ
/usr/share/doc/tcsh-6.18.01/Fixes
/usr/share/doc/tcsh-6.18.01/NewThings
/usr/share/doc/tcsh-6.18.01/README
/usr/share/doc/tcsh-6.18.01/WishList
/usr/share/doc/tcsh-6.18.01/complete.tcsh
/usr/share/man/man1/csh.1.gz
/usr/share/man/man1/tcsh.1.gz

[[email protected] pam.d]# cat /etc/shells   #安装后自动添加到shells文件中
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/bin/tcsh
/bin/csh
[[email protected] pam.d]# /bin/csh
[[email protected] pam.d]# exit
exit
[[email protected] pam.d]# getent passwd mage
mage:x:2008:2008::/home/mage:/bin/bash
[[email protected] pam.d]# chsh -s /bin/csh mage     #切换mage用户为csh shell
Changing shell for mage.
Shell changed.
[[email protected] pam.d]# getent passwd mage
mage:x:2008:2008::/home/mage:/bin/csh

[[email protected] pam.d]# grep pam_shells *
vmtoolsd:auth       required         pam_shells.so
vmtoolsd:account    required         pam_shells.so
[[email protected] pam.d]# vim su
[[email protected] pam.d]# cat su    #添加auth和account到su文件中
#%PAM-1.0
auth       required         pam_shells.so
account    required         pam_shells.so

[[email protected] pam.d]# su - mage
Last login: Mon Dec 14 16:17:55 CST 2020 on pts/0
[[email protected] ~]$ echo $SHELL
/bin/csh
[[email protected] ~]$ exit
logout
[[email protected] pam.d]# vim /etc/shells
[[email protected] pam.d]# cat /etc/shells   #注释掉/bin/csh,要是有/usr/bin/csh也一并注释掉
/bin/sh
/bin/bash
/usr/bin/sh
/usr/bin/bash
/bin/tcsh
#/bin/csh

[[email protected] pam.d]# su - mage     #再次切换mage用户,显示输入密码(正常root切换到普通用户是不需要口令的),其实是验证pam模块不通过
Password:
#查看访问日志,开始切换到mage正常,后来就验证失败
[[email protected] pam.d]# tail /var/log/secure
May 11 14:06:22 centos7 su: pam_unix(su-l:session): session opened for user mage by root(uid=0)
May 11 14:06:38 centos7 su: pam_unix(su-l:session): session closed for user mage
May 11 14:07:19 centos7 su: pam_unix(su-l:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/0 ruser=root rhost=  user=mage
May 11 14:07:26 centos7 su: pam_unix(su-l:auth): authentication failure; logname=root uid=0 euid=0 tty=pts/0 ruser=root rhost=  user=mage
[[email protected] pam.d]#

1.2 pam_securetty.so模块

功能:只允许root用户在/etc/securetty列出的安全终端上登陆

案例:CentOS7 允许root在telnet登陆

注意:CentOS8没有调用此模块,所以默认允许root远程登录telnet

#查看哪个文件调用pam_securetty模块
[[email protected] pam.d]# grep pam_securetty /etc/pam.d/*
/etc/pam.d/login:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/pam.d/remote:auth       required     pam_securetty.so
#查看哪个文件包含remote
[[email protected] pam.d]# grep remote /etc/pam.d/*
/etc/pam.d/sshd:# Used with polkit to reauthorize users in remote sessions
/etc/pam.d/sshd:# Used with polkit to reauthorize users in remote sessions
#root用户登录时,允许使用的终端方式
[[email protected] pam.d]# cat /etc/securetty

[[email protected] ~]# tty   #默认都是pts,未包含在/etc/securetty中,就不能使用root远程登录
/dev/pts/0

#测试
#安装telnet-server
[[email protected] pam.d]# yum install -y telnet-server
[[email protected] pam.d]# systemctl start telnet.socket
[[email protected] pam.d]# ss -ntl |grep 23
State       Recv-Q Send-Q          Local Address:Port        Peer Address:Port
LISTEN      0      128                      [::]:23                  [::]:*

[[email protected] ~]# yum install -y telnet
[[email protected] ~]# telnet 192.168.209.12
Trying 192.168.209.12...
Connected to 192.168.209.12.
Escape character is '^]'.

Kernel 3.10.0-1127.8.2.el7.x86_64 on an x86_64
centos7 login: mage         #普通用户可以登录成功
Password:
Last login: Tue May 11 14:06:22 on pts/0
[[email protected] ~]$ exit
Connection closed by foreign host.
[[email protected] ~]# telnet 192.168.209.12
Trying 192.168.209.12...
Connected to 192.168.209.12.
Escape character is '^]'.

Kernel 3.10.0-1127.8.2.el7.x86_64 on an x86_64
centos7 login: root         #root用户不行,从下面的日志文件中,可以看到,验证失败
Password:
Login incorrect

[[email protected] pam.d]# tail /var/log/secure
May 11 14:37:47 centos7 login: LOGIN ON pts/2 BY mage FROM ::ffff:192.168.209.109
May 11 14:37:52 centos7 login: pam_unix(remote:session): session closed for user mage
May 11 14:37:59 centos7 login: pam_securetty(remote:auth): access denied: tty 'pts/2' is not secure !
May 11 14:38:01 centos7 login: pam_succeed_if(remote:auth): requirement "uid >= 1000" not met by user "root"
May 11 14:38:04 centos7 login: FAILED LOGIN 1 FROM ::ffff:192.168.209.109 FOR root, Authentication failure

1.3 pam_nologin.so 模块

功能:如果/etc/nologin文件存在,将导致非root用户不能登陆,当该用户登陆时,会显示/etc/nologin文件内容,并拒绝登陆

[[email protected] pam.d]# grep nologin *
login:account    required     pam_nologin.so
remote:account    required     pam_nologin.so
sshd:account    required     pam_nologin.so
[[email protected] pam.d]# ll /etc/nologin
ls: cannot access /etc/nologin: No such file or directory
[[email protected] pam.d]# touch /etc/nologin    #只要创建了该文件,就生效,非root用户就不能登录了

[[email protected] ~]# ssh mage@192.168.209.12
mage@192.168.209.12's password:
Connection closed by 192.168.209.12 port 22

[[email protected] ~]# tail -f /var/log/secure
May 11 16:02:20 centos7 sshd[58681]: Failed password for mage from 192.168.209.109 port 39116 ssh2
May 11 16:02:20 centos7 sshd[58681]: fatal: Access denied for user mage by PAM account configuration [preauth]

#修改su文件,添加nologin模块,无法切换到所有普通用户
[[email protected] pam.d]# cat su
#%PAM-1.0
account    required     pam_nologin.so
[[email protected] pam.d]# su - mage     #就无法切换到普通用户了

su: Authentication failure  #

#在nologin文件中添加拒绝登录时的提示信息
[[email protected] pam.d]# cat /etc/nologin
pam_nologin deny login

[[email protected] pam.d]# su - mage     #显示拒绝登录的提示信息
pam_nologin deny login
su: Authentication failure

1.4 pam_limits.so模块

功能:在用户级别实现对其可使用的资源的限制,例如:可打开的文件数量,可运行的进程数量,可用内存空间


#login和sshd(远程)等都直接或间接调用了该模块
[[email protected] pam.d]# cat login
account    include      system-auth
password   include      system-auth
session    include      system-auth
[[email protected] pam.d]# cat sshd
account    include      password-auth
password   include      password-auth
session    include      password-auth

修改限制的实现方式:

(1) ulimit命令,立即生效,但无法保存

-n #每个进程最多的打开的文件描述符个数
-u #最大用户进程数
-S #使用 soft(软)资源限制
-H #使用 hard(硬)资源限制

范例:

[[email protected] pam.d]# type ulimit
ulimit is a shell builtin
[[email protected] pam.d]# ulimit -a
open files                      (-n) 1024       #最多打开文件的个数

#测试
#环境准备
[[email protected] ~]# yum install httpd
[[email protected] ~]# systemctl start httpd
[[email protected] ~]# echo hello >/var/www/html/index.html
[[email protected] ~]# systemctl disable --now firewalld

#1 先打开100个连接,正常访问
[[email protected] pam.d]# ab -c 100 -n 1000 http://192.168.209.109/

#超过1024个连接后,就提示打开文件太多
[[email protected] pam.d]# ab -c 1024 -n 2000 http://192.168.209.109/
This is ApacheBench, Version 2.3 <$Revision: 1430300 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 192.168.209.109 (be patient)
socket: Too many open files (24)

#修改openfiles文件个数
[[email protected] pam.d]# ulimit -n
1024
[[email protected] pam.d]# ulimit -n 102400      #修改为102400,但只在当前会话有效(重启后恢复原值),再打开一个会话窗口,也不起作用
[[email protected] pam.d]# ulimit -n
102400
[[email protected] pam.d]# ulimit -a
open files                      (-n) 102400

#再次测试,正常

#2 永久生效,需修改limits.conf配置文件

(2) 配置文件:

/etc/security/limits.conf
/etc/security/limits.d/*.conf

配置文件格式:

#每行一个定义
<domain> <type> <item> <value>

格式说明:

应用于哪些对象

Username    #单个用户
@group      #组内所有用户
*           #所有用户
%           #仅用于限制 maxlogins limit, 可以使用 %group 语法。只用 % 相当于 * 对所有用户maxsyslogins limit限制。%group 表示限制此组中的所有用户总的最大登录数

限制的类型

Soft    #软限制,普通用户自己可以修改
Hard    #硬限制,由root用户设定,且通过kernel强制生效
-       #二者同时限定

限制的资源

nofile  #所能够同时打开的最大文件数量,默认为1024
nproc   #所能够同时运行的进程的最大数量,默认为1024

范例:ulimit命令修改用户打开的文件个数

[[email protected] ~]#ulimit -n
1024
[[email protected] ~]#ulimit -n 1048577
-bash: ulimit: open files: cannot modify limit: Operation not permitted
[[email protected] ~]#ulimit -n 1048576  #最多能打开的文件个数是2^20个
[[email protected] ~]#echo 2^20|bc
1048576

范例:限制用户最多打开的文件数和运行进程数,并持久保存

[[email protected] ~]#cat /etc/pam.d/system-auth|grep limits
session required pam_limits.so

#用户wang可打开102400个文件,mage可打开88888个文件
[[email protected] ~]#cat /etc/security/limits.conf |grep ^[^#]
wang            -       nofile          102400
mage            -       nofile          88888

[[email protected] ~]#su - wang
[[email protected] ~]$ulimit -n
102400

范例:修改用户打开的进程数

#在limits.conf文件中添加限制wang帐号开启5个进程
[[email protected] ~]#cat /etc/security/limits.conf |grep ^[^#]
wang            -       nproc           5

#查看用户开启的进程,目前wang用户没有开启进程
[[email protected] ~]#pgrep -u wang

#测试,再打开一个终端,切换到wang帐号
[[email protected] ~]#su - wang
Last login: Sat Apr 10 14:10:28 CST 2021 on pts/0
[[email protected] ~]$
[[email protected] ~]#pgrep -lu wang     #开启了一个进程
1465 bash
[[email protected] ~]$bash   #多开启几个,就会提示错误
[[email protected] ~]$bash
[[email protected] ~]$bash
bash: fork: retry: No child processes
bash: fork: retry: No child processes
bbash: fork: retry: No child processes
[[email protected] ~]#pgrep -lu wang     #查看最多有5个进程
1465 bash   
1493 bash
1514 bash
1535 bash
1536 bash

范例:限制mage用户最大的同时登录次数

[[email protected] ~]#tail -1 /etc/security/limits.conf
mage            -       maxlogins       2

#使用alt+f2,f3等多切换几个窗口,使用mage登录,第三个登录后,就会出现如下信息
Too many logins for 'mage'
Permission denied

[[email protected] ~]#who    #查看mage已经有两次登录了
mage     tty1         2021-05-11 22:05
mage     tty4         2021-05-11 22:05
root     pts/0        2021-05-11 22:05 (192.168.100.1)


1.5 pam_google_authenticator模块

功能:实现SSH登录的两次身份验证,先验证APP的数字码,再验证root用户的密码,都通过才可以登录。目前只支持口令验证,不支持基于key验证

官方网站:https://github.com/google/google-authenticator-android

范例:

  1. 在手机应用市场搜索:身份验证器或authenticator,并安装APP

  2. 安装google-authenticator
# Enable EPEL (it carries google-authenticator) and refresh the metadata cache.
yum -y install epel-release.noarch
yum makecache
# Install the PAM module together with its setup tool.
yum -y install google-authenticator.x86_64

# Run the interactive setup as the account whose logins will require a code
# (root here); it stores the secret and scratch codes in /root/.google_authenticator.
google-authenticator
  1. 访问生成的url

    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth:[email protected][email protected]main

  2. 打开用身份验证器APP,扫网页上的二维码,进行绑定手机
  3. 继续上面的安装配置向导,输入手机APP上的数字,后续都回答 y 即可
  4. 修改/etc/pam.d/sshd文件,将google的PAM模块加入进去实现
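# /etc/pam.d/sshd: insert the line below after line 1 (normally the "#%PAM-1.0"
# header), so the one-time code is requested before the password stack.
#auth required pam_google_authenticator.so
sed -i '1a\auth required pam_google_authenticator.so' /etc/pam.d/sshd
# /etc/ssh/sshd_config: change
#ChallengeResponseAuthentication no
# to
#ChallengeResponseAuthentication yes
# The pattern is anchored to the directive itself (commented out or not), so no
# unrelated line mentioning the keyword is rewritten; the whole command must stay
# on one line.
sed -i 's/^#\?ChallengeResponseAuthentication .*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
# Validate the configuration first: restarting sshd with a broken sshd_config
# would cut off remote access.
sshd -t && service sshd restart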
  1. ssh 当前主机,可看到提示,输入手机APP上显示的数字码和root密码,可以登录,否则失败
  2. 临时口令存放在/root/.google_authenticator中,用一次删除一个,可手动加入使用

    Your new secret key is: RLRN2AB47R4CVTCI4UZHUSTGZE

    Your verification code is 735809

    Your emergency scratch codes are:

    40246557

    98061088

    14253522

    20582068

    89046199

2 时间同步服务

加密和安全当前都离不开时间的同步,否则各种网络服务可能不能正常运行

2.1 时间同步服务

时间同步服务:

多主机协作工作时,各个主机的时间同步很重要,时间不一致会造成很多重要应用的故障,如:加密协议,日志,集群等, 利用NTP(Network Time Protocol) 协议使网络中的各个计算机时间达到同步。

目前NTP协议属于运维基础架构中必备的基本服务之一。

时间同步软件实现:

  • ntp
  • chrony

2.1.1 ntp:

将系统时钟和世界协调时UTC同步,精度在局域网内可达0.1ms,在互联网上绝大多数的地方精度可以达到1-50ms。官网:http://www.ntp.org

2.1.2 chrony:

实现NTP协议的自由软件。可使系统时钟与NTP服务器,参考时钟(例如GPS接收器)以及使用手表和键盘的手动输入进行同步。还可以作为NTPv4(RFC 5905)服务器和对等体运行,为网络中的计算机提供时间服务。设计用于在各种条件下良好运行,包括间歇性和高度拥挤的网络连接,温度变化(计算机时钟对温度敏感),以及不能连续运行或在虚拟机上运行的系统。

通过Internet同步的两台机器之间的典型精度在几毫秒之内,在LAN上,精度通常为几十微秒。利用硬件时间戳或硬件参考时钟,可实现亚微秒的精度

2.2 chrony

2.2.1 chrony介绍

chrony 的优势:

  • 更快的同步只需要数分钟而非数小时时间,从而最大程度减少了时间和频率误差,对于并非全天24 小时运行的虚拟计算机而言非常有用
  • 能够更好地响应时钟频率的快速变化,对于具备不稳定时钟的虚拟机或导致时钟频率发生变化的节能技术而言非常有用
  • 在初始同步后,它不会停止时钟,以防对需要系统时间保持单调的应用程序造成影响在应对临时非对称延迟时(例如,在大规模下载造成链接饱和时)提供了更好的稳定性
  • 无需对服务器进行定期轮询,因此具备间歇性网络连接的系统仍然可以快速同步时钟

chrony官网:https://chrony.tuxfamily.org

chrony官方文档:https://chrony.tuxfamily.org/documentation.html

2.2.2 chrony 文件组成

包:chrony

两个主要程序:chronyd和chronyc

  • chronyd:后台运行的守护进程,用于调整内核中运行的系统时钟和时钟服务器同步。它确定计算机增减时间的比率,并对此进行补偿
  • chronyc:命令行用户工具,用于监控性能并进行多样化的配置。它可以在chronyd实例控制的计算机上工作,也可在一台不同的远程计算机上工作

服务unit 文件: /usr/lib/systemd/system/chronyd.service

监听端口: 323/udp,123/udp

配置文件: /etc/chrony.conf

2.2.3 配置文件chrony.conf

server - 可用于时钟服务器,iburst 选项当服务器可达时,发送八个数据包而不是通常的一个数据包。包间隔通常为2秒,可加快初始同步速度
driftfile - 根据实际时间计算出计算机增减时间的比率,将它记录到一个文件中,会在重启后为系统时钟作出补偿
rtcsync - 启用内核模式,系统时间每11分钟会拷贝到实时时钟(RTC)
allow / deny - 指定一台主机、子网,或者网络以允许或拒绝访问本服务器
cmdallow / cmddeny - 可以指定哪台主机可以通过chronyd使用控制命令
bindcmdaddress - 允许chronyd监听哪个接口来接收由chronyc执行的命令
makestep - 通常chronyd将根据需求通过减慢或加速时钟,使得系统逐步纠正所有时间偏差。在某些特定情况下,系统时钟可能会漂移过快,导致该调整过程消耗很长的时间来纠正系统时钟。该指令强制chronyd在调整期大于某个阈值时调整系统时钟
local stratum 10 - 即使server指令中时间服务器不可用,也允许将本地时间作为标准时间授时给其它客户端

查看chrony服务配置

[[email protected] ~]# yum install -y chrony
[[email protected] ~]# grep ^[^#] /etc/chrony.conf
pool 2.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
keyfile /etc/chrony.keys
leapsectz right/UTC
logdir /var/log/chrony

[[email protected] ~]#grep ^[^#] /etc/chrony.conf
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony

以centos8作为企业内部的ntp服务器,连接网上的阿里云ntp同步,企业内部的服务器都与centos8这台ntp服务器同步。

1 先配置centos8为ntp服务器
[[email protected] ~]# yum install -y chrony
[[email protected] ~]# systemctl start chronyd
#配置网络上的阿里云ntp服务器
[[email protected] ~]# cat /etc/chrony.conf |grep ^pool
pool ntp.aliyun.com iburst
pool ntp1.aliyun.com iburst

#测试,先修改日期
[[email protected] ~]# date -s '-1 year'
Tue May 12 20:39:36 CST 2020
#执行ntp同步
[[email protected] ~]# chronyc sources -v
210 Number of sources = 3

^* 203.107.6.88                  2   6    17     1  +3796us[+5393us] +/-   25ms
^- 120.25.115.20                 2   6     7     2  -3818us[ -8760h] +/-   29ms
[[email protected] ~]# date
Wed May 12 20:40:24 CST 2021

2 再配置centos7(100.7)上的ntp,指向centos8服务器(192.168.100.8)
[[email protected] ~]#cat /etc/chrony.conf |grep server
# Use public servers from the pool.ntp.org project.
#server 3.centos.pool.ntp.org iburst
server 192.168.100.8 iburst         #指向100.8的centos8服务器
[[email protected] ~]#systemctl restart chronyd
[[email protected] ~]#date
Tue May 12 20:52:31 CST 2020
[[email protected] ~]#chronyc sources -v     #同步
210 Number of sources = 1

^? 192.168.100.8                 0   8     0     -     +0ns[   +0ns] +/-    0ns
#同步多次不成功
[[email protected] ~]#tail -f /var/log/messages
May 12 20:59:08 centos7 systemd: Time has been changed
May 12 20:59:19 centos7 chronyd[1410]: Backward time jump detected!
May 12 20:59:19 centos7 systemd: Stopping NTP client/server...
May 12 20:59:19 centos7 chronyd[1410]: Can't synchronise: no selectable sources
May 12 20:59:19 centos7 chronyd[1410]: chronyd exiting

#打开允许同步的网段,重启服务,同步成功
[[email protected] ~]# cat /etc/chrony.conf |grep ^allow
allow 192.168.100.0/24
[[email protected] ~]#systemctl restart chronyd
#客户端再次同步,成功
[[email protected] ~]#chronyc sources -v
210 Number of sources = 1

^* 192.168.100.8                 3   6    17    17   +101us[ +243us] +/-   22ms
[[email protected] ~]#date
Wed May 12 20:53:55 CST 2021
[[email protected] ~]#tail -f /var/log/messages
May 12 21:00:22 centos7 systemd: Started NTP client/server.
May 12 21:00:27 centos7 chronyd[1504]: Selected source 192.168.100.8
May 12 21:00:27 centos7 chronyd[1504]: System clock wrong by 31536000.002753 seconds, adjustment started
May 12 21:00:27 centos7 chronyd[1504]: System clock was stepped by 31536000.002753 seconds
May 12 21:00:27 centos7 systemd: Time has been changed

3 利用 PXE 实现自动化系统部署

3.1 PXE介绍

PXE:Preboot Execution Environment,预启动执行环境,是由Intel公司研发,基于Client/Server的网络模式,支持远程主机通过网络从远端服务器下载映像,并由此支持通过网络启动操作系统,可以引导和安装Windows,Linux等多种操作系统

3.2 在 CentOS 8 上实现PXE自动化安装 CentOS 6,7,8

3.2.1 安装前准备

关闭防火墙和SELinux,DHCP服务器静态IP

网络要求:关闭Vmware软件中的DHCP服务,基于NAT模式

注意:CentOS 7,8使用 1G 内存会提示空间不足,建议2G

3.2.2 实施步骤

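#1 Prepare the installation trees under the directory httpd serves. The VM must have
# three CD drives attached holding the CentOS 8, 7 and 6 ISOs; which of /dev/sr0..sr2
# maps to which ISO depends on the order the drives were attached, so confirm it with
# lsblk/blkid before running this.
mkdir -pv /var/www/html/centos/{6,7,8}/os/x86_64/
# A failed mount must be reported here; otherwise the cp of vmlinuz/initrd.img in a
# later step fails with a far less obvious error.
mount /dev/sr0 /var/www/html/centos/8/os/x86_64/ || echo "mount of /dev/sr0 (CentOS 8) failed" >&2
mount /dev/sr1 /var/www/html/centos/7/os/x86_64/ || echo "mount of /dev/sr1 (CentOS 7) failed" >&2
mount /dev/sr2 /var/www/html/centos/6/os/x86_64/ || echo "mount of /dev/sr2 (CentOS 6) failed" >&2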

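#2 Install the DHCP, TFTP and HTTP servers plus the syslinux boot files (dnf: CentOS 8).
# The package is syslinux-nonlinux, all lowercase; it provides pxelinux.0 and menu.c32
# under /usr/share/syslinux, which a later step copies into the TFTP root. Everything
# after this point depends on these packages, so a failed install stops the run.
dnf -y install dhcp-server tftp-server httpd syslinux-nonlinux &>/dev/null \
  || { echo "package install failed" >&2; exit 1; }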

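#3 Write the DHCP configuration. next-server and filename tell PXE clients which TFTP
# host to contact and which bootloader to fetch (pxelinux.0, copied there in a later
# step). The delimiter is quoted so the file is written verbatim with no shell expansion.
if cat > /etc/dhcp/dhcpd.conf <<'EOF'
option domain-name "magedu.com";
option domain-name-servers 180.76.76.76,223.6.6.6;
default-lease-time 86400;
max-lease-time 106400;
log-facility local7;
subnet 192.168.100.0 netmask 255.255.255.0 {
range 192.168.100.101 192.168.100.200;
option routers 192.168.100.2;
next-server 192.168.100.8;
filename "pxelinux.0";
}
EOF
then
  echo "dhcpd.conf is ok"
else
  echo "dhcpd.conf is false" >&2
fi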

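#4 Enable the services at boot and start them now.
# Output is discarded to keep the run quiet; on failure look at `journalctl -xeu dhcpd`
# (a syntax error in dhcpd.conf is the usual cause). Port 69 is held by systemd
# (socket activation), so if plain `tftp` is reported as static, enable `tftp.socket`.
if systemctl enable --now httpd tftp dhcpd &>/dev/null; then
  echo "httpd tftp dhcpd service is ok"
else
  echo "httpd tftp dhcpd service is false" >&2
fi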

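#5 Write the kickstart files that httpd serves to the installer (ks=http://... in the
# boot menu). Every heredoc delimiter is quoted: the rootpw/user hashes contain
# "$6$..." and "$W5Tx..."-style fragments, which an unquoted heredoc expands as shell
# parameters and silently corrupts the hash, leaving the installed system with an
# unknown root password. Note that this directory is readable by every host that can
# reach httpd, and it contains the root hash and, in the %post sections, the plaintext
# password of user wang.
mkdir -p /var/www/html/ks/
cat > /var/www/html/ks/centos6.cfg <<'EOF6'
install
text
reboot
url --url=http://192.168.100.8/centos/6/os/x86_64/
lang en_US.UTF-8
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --noipv6
rootpw --iscrypted $6$/.x1dBD0lSMoDCS/$W5TxBxknP0dANWJDY2d7zZj7/8OL97pGPDoxMNf15Yj1AIi1D1mstvqA7VqQ4kZAojj9olKGJZMLvgM5QoG6E1
firewall --disabled
authconfig --enableshadow --passalgo=sha512
selinux --disabled
timezone Asia/Shanghai
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
zerombr
clearpart --all --initlabel
part /boot --fstype=ext4 --size=1024
part / --fstype=ext4 --size=20000
part /data --fstype=ext4 --size=10000
part swap --size=2048
%packages
@core
@server-policy
@workstation-policy
autofs
vim-enhanced
%end
%post
useradd wang
echo magedu | passwd --stdin wang &> /dev/null
#mkdir /etc/yum.repos.d/bak
#mv /etc/yum.repos.d/* /etc/yum.repos.d/bak
#cat > /etc/yum.repos.d/base.repo <<EOF
#[base]
#name=base
#baseurl=file:///misc/cd
#gpgcheck=0
#EOF
%end
EOF6

cat > /var/www/html/ks/centos7.cfg <<'EOF7'
install
xconfig --startxonboot
keyboard --vckeymap=us --xlayouts='us'
rootpw --iscrypted $6$/.x1dBD0lSMoDCS/$W5TxBxknP0dANWJDY2d7zZj7/8OL97pGPDoxMNf15Yj1AIi1D1mstvqA7VqQ4kZAojj9olKGJZMLvgM5QoG6E1
url --url="http://192.168.100.8/centos/7/os/x86_64"
lang en_US
auth --useshadow --passalgo=sha512
text
firstboot --enable
selinux --disabled
skipx
services --disabled="chronyd"
ignoredisk --only-use=sda
firewall --disabled
network --bootproto=dhcp --device=ens33
reboot
timezone Asia/Shanghai --nontp
bootloader --append="crashkernel=auto" --location=mbr --boot-drive=sda
zerombr
clearpart --all --initlabel
part swap --fstype="swap" --ondisk=sda --size=2048
part / --fstype="xfs" --ondisk=sda --size=10240
part /boot --fstype="xfs" --ondisk=sda --size=1024
part /data --fstype="xfs" --ondisk=sda --size=20480
%post
useradd wang
echo magedu|passwd wang --stdin &>/dev/null
%end
%packages
@core
%end
EOF7

cat > /var/www/html/ks/centos8.cfg <<'EOF8'
ignoredisk --only-use=sda
zerombr
text
reboot
clearpart --all --initlabel
selinux --disabled
firewall --disabled
url --url=http://192.168.100.8/centos/8/os/x86_64/
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --bootproto=dhcp --device=ens160 --ipv6=auto --activate
network --hostname=centos8.magedu.com
rootpw --iscrypted $6$j9YhzDUnQVnxaAk8$qv7rkMcPAEbV5yvwsP666DXWYadd3jYjkA9fpxAo9qYotjGGBUclCGoP1TRvgHBpqgc5n0RypMsPTQnVDcpO01
firstboot --enable
skipx
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=$6$j9YhzDUnQVnxaAk8$qv7rkMcPAEbV5yvwsP666DXWYadd3jYjkA9fpxAo9qYotjGGBUclCGoP1TRvgHBpqgc5n0RypMsPTQnVDcpO01 --iscrypted --gecos="wang"
part / --fstype="xfs" --ondisk=sda --size=10240
part /data --fstype="xfs" --ondisk=sda --size=20480
part swap --fstype="swap" --ondisk=sda --size=2048
part /boot --fstype="ext4" --ondisk=sda --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
EOF8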

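#6 Copy each release's kernel and initrd into the TFTP root, together with the
# syslinux bootloader and menu. Paths are all lowercase (isolinux, syslinux,
# pxelinux.0, ldlinux.c32); a capitalised "Linux" in any of them does not exist.
mkdir -p /var/lib/tftpboot/centos{6,7,8}
for rel in 6 7 8; do
  cp "/var/www/html/centos/$rel/os/x86_64/isolinux/"{vmlinuz,initrd.img} "/var/lib/tftpboot/centos$rel" \
    || echo "copying the CentOS $rel kernel/initrd failed (is the ISO mounted?)" >&2
done
cp /usr/share/syslinux/{pxelinux.0,menu.c32} /var/lib/tftpboot/ \
  || echo "copying pxelinux.0/menu.c32 failed (is syslinux-nonlinux installed?)" >&2
# The following three files are required for the CentOS 8 install; CentOS 6 and 7 do not need them.
cp /var/www/html/centos/8/os/x86_64/isolinux/{ldlinux.c32,libcom32.c32,libutil.c32} /var/lib/tftpboot/ \
  || echo "copying the CentOS 8 .c32 modules failed" >&2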

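#7 Write the PXE boot menu. pxelinux reads pxelinux.cfg/default relative to the TFTP
# root, so the directory name must be lowercase. The delimiter is quoted so the menu is
# written verbatim. Each "append" line must be a single line: the two inst.repo=
# entries were wrapped onto a second line in the original, and the rescue entry's URL
# was missing a slash after "http:".
mkdir -p /var/lib/tftpboot/pxelinux.cfg/
cat > /var/lib/tftpboot/pxelinux.cfg/default <<'EOF'
default menu.c32
timeout 600
menu title Install CentOS Linux
label Linux8
menu label Auto Install CentOS Linux ^8
kernel centos8/vmlinuz
append initrd=centos8/initrd.img ks=http://192.168.100.8/ks/centos8.cfg
label Linux7
menu label Auto Install CentOS Linux ^7
kernel centos7/vmlinuz
append initrd=centos7/initrd.img ks=http://192.168.100.8/ks/centos7.cfg
label Linux6
menu label Auto Install CentOS Linux ^6
kernel centos6/vmlinuz
append initrd=centos6/initrd.img ks=http://192.168.100.8/ks/centos6.cfg
label manual
menu label ^Manual Install CentOS Linux 8.0
kernel centos8/vmlinuz
append initrd=centos8/initrd.img inst.repo=http://192.168.100.8/centos/8/os/x86_64/
label rescue
menu label ^Rescue a CentOS Linux system 8
kernel centos8/vmlinuz
append initrd=centos8/initrd.img inst.repo=http://192.168.100.8/centos/8/os/x86_64/ rescue
label local
menu default
menu label Boot from ^local drive
localboot 0xffff
EOF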

最终目录结构如下

#最终目录结构如下
[[email protected] ~]# tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── centos6
│   ├── initrd.img
│   └── vmlinuz
├── centos7
│   ├── initrd.img
│   └── vmlinuz
├── centos8
│   ├── initrd.img
│   └── vmlinuz
├── ldLinux.c32
├── libcom32.c32
├── libutil.c32
├── menu.c32
├── pxeLinux.0
└── pxeLinux.cfg
    └── default

4 directories, 12 files

3.2.3 测试客户端基于PXE实现自动安装

新准备一台主机,设置网卡引导,可看到启动菜单,并实现自动安装,如图所示


4 利用cobbler实现自动化安装

4.1 Cobbler简介

Cobbler是一款Linux生态的自动化运维工具,基于Python2开发,用于自动化批量部署安装操作系统;其提供基于CLI的管理方式和WEB配置界面,其中WEB配置界面是基于Python2和Django框架开发。另外,cobbler还提供了API,方便二次开发。Cobbler属于C/S模型(客户端/服务器模型)

Cobbler主要用于快速网络安装Linux操作系统,支持众多的Linux发行版如:Red Hat、Fedora、CentOS、Debian、Ubuntu和SuSE等,甚至支持windows的安装

Cobbler实质是PXE的二次封装,将多种安装参数封装到一起,并提供统一的管理方法

4.2 Cobbler的相关服务

使用Cobbler安装系统需要一台专门提供各种服务的服务器,提供的服务包括(HTTP/FTP/NFS,TFTP,DHCP),也可以将这几个服务分别部署到不同服务器。事实上在实际应用中,总是将不同的服务分别部署到专门的服务器。

Cobbler是在HTTP、TFTP、DHCP等各种服务的基础上进行相关操作的,实际安装的大体过程类似于基于PXE的网络安装:客户端(裸机)开机使用网卡引导启动,其请求DHCP分配一个地址后从TFTP服务器获取启动文件,加载到客户端本地内存中运行,并显示出可安装的系统列表;在人为的选定安装的操作系统类型后,客服端会到HTTP服务器下载相应的系统安装文件并执行自动安装。

4.3 实战案例:CentOS 7 基于cobbler实现系统的自动化安装

4.3.1 环境准备

两台主机

一台主机:CentOS 7 充当 Cobbler,http,dhcp,tftp 服务器,并关闭防火墙和SELinux

一台主机:充当测试机,用于实现自动化安装linux系统

网络要求:关闭Vmware软件中的NAT模式中的DHCP服务,两个主机网卡基于NAT模式

4.3.2 安装相关包并启动服务

[root@c7-cobbler ~]# yum install cobbler dhcp -y
[root@c7-cobbler ~]# systemctl enable --now cobblerd httpd tftp dhcpd

4.3.3 修改cobbler相关的配置

#根据提示信息,只需要修改以下3项即可,密码使用默认cobbler
[root@c7-cobbler ~]# sed -i 's/server: 127.0.0.1/server: 192.168.100.7/' /etc/cobbler/settings
[root@c7-cobbler ~]# sed -i 's/next_server: 127.0.0.1/next_server: 192.168.100.7/' /etc/cobbler/settings
[root@c7-cobbler ~]# sed -i 's/manage_dhcp: 0/manage_dhcp: 1/' /etc/cobbler/settings
[root@c7-cobbler ~]# systemctl restart cobblerd

[root@c7-cobbler ~]# cat /etc/cobbler/settings |grep ^server
server: 192.168.100.7
[root@c7-cobbler ~]# cat /etc/cobbler/settings |grep ^next_server
next_server: 192.168.100.7
[root@c7-cobbler ~]# cat /etc/cobbler/settings |grep ^manage
manage_dhcp: 1

4.3.4 实现dhcp服务

#修改dhcp模板文件相关配置,生成自己的dhcp配置文件
[root@c7-cobbler ~]# sed -i '/^subnet/s/192.168.1.0/192.168.100.0/' /etc/cobbler/dhcp.template
[root@c7-cobbler ~]# sed -i 's/192.168.1.5/192.168.100.2/' /etc/cobbler/dhcp.template
[root@c7-cobbler ~]# sed -i '/domain-name-servers/s/192.168.1.1/180.76.76.76,192.168.100.2/' /etc/cobbler/dhcp.template
[root@c7-cobbler ~]# sed -i 's/192.168.1.100/192.168.100.101/' /etc/cobbler/dhcp.template
[root@c7-cobbler ~]# sed -i 's/192.168.1.254/192.168.100.200/' /etc/cobbler/dhcp.template

[root@c7-cobbler ~]# cobbler sync
[root@c7-cobbler ~]# systemctl start dhcpd
[root@c7-cobbler ~]# ss -nltup
Netid State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
udp   UNCONN     0      0    *:67     *:*       users:(("dhcpd",pid=7375,fd=7))
udp   UNCONN     0      0    :::69   :::*       users:(("systemd",pid=1,fd=38))
tcp   LISTEN     0      128  *:22     *:*       users:(("sshd",pid=6464,fd=3))
tcp   LISTEN     0      128  :::80   :::*       users:(("httpd",pid=6990,fd=4)

4.3.5 下载启动的相关文件

[root@c7-cobbler ~]# cobbler get-loaders

[root@c7-cobbler ~]# ls /var/lib/cobbler/loaders/
COPYING.elilo  COPYING.sysLinux  COPYING.yaboot  elilo-ia64.efi  grub-x86_64.efi  grub-x86.efi  menu.c32  pxeLinux.0  README  yaboot
[root@c7-cobbler ~]# cobbler sync
[root@c7-cobbler ~]# tree /var/lib/tftpboot/
/var/lib/tftpboot/
├── boot
│   └── grub
│       └── menu.lst
├── etc
├── grub
│   ├── efidefault
│   ├── grub-x86_64.efi
│   ├── grub-x86.efi
│   └── images -> ../images
├── images
├── images2
├── memdisk
├── menu.c32
├── ppc
├── pxeLinux.0
├── pxeLinux.cfg
│   └── default
├── s390x
│   └── profile_list
└── yaboot

10 directories, 10 files

4.3.6 修改菜单的标题信息(可选)

[root@c7-cobbler ~]# sed -i 's/cobbler.github.io/www.magedu.com/' /etc/cobbler/pxe/pxedefault.template
[root@c7-cobbler ~]# cobbler sync
[root@c7-cobbler kickstarts]# cat /var/lib/tftpboot/pxeLinux.cfg/default
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | http://www.magedu.com/
TIMEOUT 200
TOTALTIMEOUT 6000
ONTIMEOUT local

LABEL local
        MENU LABEL (local)
        MENU DEFAULT
        LOCALBOOT -1

LABEL centos-6.10-x86_64
        kernel /images/centos-6.10-x86_64/vmlinuz
        MENU LABEL centos-6.10-x86_64
        append initrd=/images/centos-6.10-x86_64/initrd.img ksdevice=bootif lang=  kssendmac text  ks=http://192.168.100.7/cblr/svc/op/ks/profile/centos-6.10-x86_64
        ipappend 2

LABEL centos-7.9-x86_64
        kernel /images/centos-7.9-x86_64/vmlinuz
        MENU LABEL centos-7.9-x86_64
        append initrd=/images/centos-7.9-x86_64/initrd.img ksdevice=bootif lang=  kssendmac text  ks=http://192.168.100.7/cblr/svc/op/ks/profile/centos-7.9-x86_64
        ipappend 2

LABEL centos-8.2-x86_64
        kernel /images/centos-8.2-x86_64/vmlinuz
        MENU LABEL centos-8.2-x86_64
        append initrd=/images/centos-8.2-x86_64/initrd.img ksdevice=bootif lang=  kssendmac text  ks=http://192.168.100.7/cblr/svc/op/ks/profile/centos-8.2-x86_64
        ipappend 2

MENU end

[root@c7-cobbler ~]# cobbler sync

4.3.7 导入CentOS系统的安装文件,生成相应的YUM源

[root@c7-cobbler ~]# lsblk
NAME   MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda      8:0    0  80G  0 disk
├─sda1   8:1    0   1G  0 part /boot
├─sda2   8:2    0   2G  0 part [SWAP]
├─sda3   8:3    0  17G  0 part /
└─sda4   8:4    0  60G  0 part
sr0     11:0    1   7G  0 rom
sr1     11:1    1  10G  0 rom
[root@c7-cobbler ~]# mkdir -p /mnt/centos{6,7,8}
[root@c7-cobbler ~]# mount /dev/sr0 /mnt/centos7
[root@c7-cobbler ~]# cobbler import --name=centos-7.9-x86_64 --path=/mnt/centos7 --arch=x86_64
[root@c7-cobbler ~]# mount /dev/sr1 /mnt/centos8
[root@c7-cobbler ~]# cobbler import --name=centos-8.2-x86_64 --path=/mnt/centos8 --arch=x86_64
[root@c7-cobbler ~]# mount /dev/sr2 /mnt/centos6
[root@c7-cobbler ~]# cobbler import --name=centos-6.10-x86_64 --path=/mnt/centos6 --arch=x86_64

[root@c7-cobbler ~]# du -sh /var/www/cobbler/ks_mirror/*
3.8G    /var/www/cobbler/ks_mirror/centos-6.10-x86_64
9.6G    /var/www/cobbler/ks_mirror/centos-7.9-x86_64
7.8G    /var/www/cobbler/ks_mirror/centos-8.2-x86_64
16K     /var/www/cobbler/ks_mirror/config

[root@c7-cobbler ~]# cobbler distro list
   centos-6.10-x86_64
   centos-7.9-x86_64
   centos-8.2-x86_64
[root@c7-cobbler ~]# cobbler profile list
   centos-6.10-x86_64
   centos-7.9-x86_64
   centos-8.2-x86_64

#默认生成的是最小化安装

4.3.8 准备 kickstart文件,并关联至指定的YUM源

[root@c7-cobbler ~]# vim /var/lib/cobbler/kickstarts/centos8.cfg
[root@c7-cobbler ~]# cat /var/lib/cobbler/kickstarts/centos8.cfg
ignoredisk --only-use=sda
zerombr
text
reboot
clearpart --all --initlabel
seLinux --disabled
firewall --disabled
url --url=$tree
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --bootproto=dhcp --device=ens160 --ipv6=auto --activate
network --hostname=centos8.magedu.com
rootpw --iscrypted $6$/.x1dBD0lSMoDCS/$W5TxBxknP0dANWJDY2d7zZj7/8OL97pGPDoxMNf15Yj1AIi1D1mstvqA7VqQ4kZAojj9olKGJZMLvgM5QoG6E1
firstboot --enable
skipx
services --disabled="chronyd"
timezone Asia/Shanghai --isUtc --nontp
user --name=wang --password=$6$oUfb/02CWfLb5l8f$sgEZeR7c7DpqfpmFDH6huSmDbW1XQNR4qKl2EPns.gOXqlnAIgv9pTogtFVaDtEpMOC.SWXKYqxfVtd9MCwxb1 --iscrypted --gecos="wang"
part / --fstype="xfs" --ondisk=sda --size=10240
part /data --fstype="xfs" --ondisk=sda --size=5120
part swap --fstype="swap" --ondisk=sda --size=2048
part /boot --fstype="ext4" --ondisk=sda --size=1024
%packages
@^minimal-environment
kexec-tools
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

[root@c7-cobbler kickstarts]# cat > /var/lib/cobbler/kickstarts/centos7.cfg <<EOF7
install
xconfig --startxonboot
keyboard --vckeymap=us --xlayouts='us'
rootpw --iscrypted $6$/.x1dBD0lSMoDCS/$W5TxBxknP0dANWJDY2d7zZj7/8OL97pGPDoxMNf15Yj1AIi1D1mstvqA7VqQ4kZAojj9olKGJZMLvgM5QoG6E1
url --url=\$tree
lang en_US
auth --useshadow --passalgo=sha512
text
firstboot --enable
seLinux --disabled
skipx
services --disabled="chronyd"
ignoredisk --only-use=sda
firewall --disabled
network --bootproto=dhcp --device=ens33
reboot
timezone Asia/Shanghai --nontp
bootloader --append="crashkernel=auto" --location=mbr --boot-drive=sda
zerombr
clearpart --all --initlabel
part swap --fstype="swap" --ondisk=sda --size=2048
part / --fstype="xfs" --ondisk=sda --size=10240
part /boot --fstype="xfs" --ondisk=sda --size=1024
part /data --fstype="xfs" --ondisk=sda --size=20480
%post
useradd wang
echo magedu|passwd wang --stdin &>/dev/null
%end
%packages
@core
%end
EOF7

[root@c7-cobbler ~]# cat > /var/lib/cobbler/kickstarts/centos6.cfg <<EOF6
install
text
reboot
url --url=\$tree
lang en_US.UTF-8
keyboard us
network --onboot yes --device eth0 --bootproto dhcp --noipv6
rootpw --iscrypted $6$/.x1dBD0lSMoDCS/$W5TxBxknP0dANWJDY2d7zZj7/8OL97pGPDoxMNf15Yj1AIi1D1mstvqA7VqQ4kZAojj9olKGJZMLvgM5QoG6E1
firewall --disabled
authconfig --enableshadow --passalgo=sha512
seLinux --disabled
timezone Asia/Shanghai
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet"
zerombr
clearpart --all --initlabel
part /boot --fstype=ext4 --size=1024
part / --fstype=ext4 --size=20000
part /data --fstype=ext4 --size=10000
part swap --size=2048
%packages
@core
@server-policy
@workstation-policy
autofs
vim-enhanced
%end
%post
useradd wang
echo magedu | passwd --stdin wang &> /dev/null
#mkdir /etc/yum.repos.d/bak
#mv /etc/yum.repos.d/* /etc/yum.repos.d/bak
#cat > /etc/yum.repos.d/base.repo <<EOF
#[base]
#name=base
#baseurl=file:///misc/cd
#gpgcheck=0
#EOF
%end
EOF6

其他操作:

#将kickstart文件,关联指定的YUM源和生成菜单列表
[root@centos7 ~]#cobbler profile add --name=CentOS-8.1_test --distro=CentOS-8.1-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos8.cfg
[root@centos7 ~]#cobbler profile add --name=CentOS-7.7_test --distro=CentOS-7.7-x86_64 --kickstart=/var/lib/cobbler/kickstarts/centos7.cfg
#删除默认生成的菜单
[root@centos7 ~]#cobbler profile remove --name=centos-8.1-x86_64
[root@centos7 ~]#cobbler profile remove --name=centos-7.7-x86_64
[root@centos7 ~]#cobbler profile list
CentOS-7.7_test
CentOS-8.1_test
#删除默认的菜单列表
[root@centos7 ~]#cobbler profile remove --name=CentOS8.0-x86_64

4.3.9 测试客户端基于Cobbler实现自动安装

新建虚拟机,选择网络启动,进入如下界面,选择相应的centos版本安装。完成后,输入cobbler密码进入系统。

