Updated: 2023-03-17 GMT+08:00

gs_sshexkey

Background

During cluster installation, commands must be executed and files transferred between the cluster nodes, so mutual trust (password-free SSH) between the nodes must be in place before installation starts. GaussDB(DWS) provides the gs_sshexkey tool to help users establish this mutual trust.

Mutual trust for the root user may pose a security risk, so it is recommended that you delete the root user's mutual trust on every host immediately after you have finished using it.

Prerequisites

  • Ensure that the SSH service is running.
  • Ensure that the SSH port is not blocked by the firewall.
  • Ensure that the host names and IP addresses in the XML file are configured correctly.
  • Ensure that the network between all nodes is reachable.
  • If mutual trust is being established for a non-root user, create that user with the same name and set its password on every host beforehand.
  • If SELinux is installed and enabled on the hosts, ensure that the security contexts of the /root and /home directories are the defaults (root directory: system_u:object_r:home_root_t:s0; home directory: system_u:object_r:admin_home_t:s0), or disable the SELinux service.

    To check the SELinux status, run getenforce; if the result is Enforcing, SELinux is installed and enabled.

    Commands to check the directory security context:

    ls -ldZ /root | awk '{print $4}'
    ls -ldZ /home | awk '{print $4}'

    Commands to restore the directory security context:

    restorecon -r -vv /home/
    restorecon -r -vv /root/

Syntax

  • Establish mutual trust
    gs_sshexkey -f HOSTFILE [-W PASSWORD] [...] [--skip-hostname-set] [-l LOGFILE] [--uuid=uvalue] [--logAction=action] [--logStep=num]
  • Display help information
    gs_sshexkey -? | --help
  • Display version information
    gs_sshexkey -V | --version

Parameters

  • -f

    Host list file, listing the IP addresses of all hosts for which mutual trust is to be established.

    Ensure that the hostfile contains only the correct host IP addresses and no other information.

  • -W, --password=PASSWORD

    Password of the user for whom mutual trust is being established. If this parameter is not specified, the password is requested interactively while mutual trust is being set up. If the user's password differs between hosts, pass multiple -W parameters; the order of the passwords must correspond one-to-one with the order of the IP addresses, and in interactive mode the password of each host is entered in turn.

    The password cannot contain the three special characters ";", "'" and "$".

  • -l

    Path where the log file is saved.

    Value range: any existing, accessible absolute path.

  • --skip-hostname-set

    Controls whether the mapping between the IP addresses in the "-f" file and their host names is written to "/etc/hosts". By default the mapping is written; if this parameter is specified, it is not.

  • -?, --help

    Displays help information.

  • -V, --version

    Displays version information.

  • --uuid=uvalue

    Sets the trace flag recorded in the log file.

    Value range: a string of exactly 36 characters consisting of upper-case or lower-case letters, digits and hyphens.

  • --logAction=action

    Sets the tool action label recorded in the log file.

    Value range: string.

  • --logStep=num

    Sets the tool step label recorded in the log file.

    Value range: positive integer.
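The constraints above on the -f host file (IP addresses only) and the -W password (no ";", "'" or "$"), together with the advice to remove root trust after use, can be checked and carried out with the following POSIX shell helpers. This is an added example, not GaussDB(DWS) code; it assumes the public key that gs_sshexkey appended to authorized_keys is the one in the .pub file you pass (the tool's actual key path is not documented on this page).

```shell
#!/bin/sh
# Added example, not GaussDB(DWS) code: pre-flight checks for the constraints this
# page states for gs_sshexkey, and a helper for "remove root trust after use".
# Assumption: the key gs_sshexkey appended is the one in the given .pub file.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if the -f host file holds only IP addresses, one per line
# (blank lines tolerated; anything else, e.g. a host name, is rejected).
validate_hostfile() {
    [ -r "$1" ] || return 1
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        is_ipv4 "$line" || { echo "invalid host entry: $line" >&2; return 1; }
        count=$((count + 1))
    done < "$1"
    [ "$count" -gt 0 ]
}

# The -W password must not contain ';', "'" or '$' (stated limit of the tool).
password_ok() {
    case "$1" in
        *";"* | *"'"* | *'$'*) return 1 ;;
    esac
}

# Revoke trust for the public key in $2 by dropping matching lines from the
# authorized_keys file $1; returns 0 only if at least one entry was removed.
revoke_trust_key() {
    key=$(awk 'NR==1 {print $2}' "$2")
    [ -n "$key" ] || return 1
    before=$(wc -l < "$1" | tr -d ' ')
    grep -v -F -- "$key" "$1" > "$1.tmp" || :
    mv "$1.tmp" "$1"
    after=$(wc -l < "$1" | tr -d ' ')
    [ "$after" -lt "$before" ]
}
```

Run revoke_trust_key on every host listed in the hostfile (for root, against /root/.ssh/authorized_keys) once the installation no longer needs the trust.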

Examples

The following examples establish mutual trust for the root user.

  • When the user password is the same on all hosts, use the following command in non-interactive mode.

    Replace {password} with the root user's password.

    ./gs_sshexkey -f /opt/software/hostfile -W {password}
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.
  • When the user passwords differ between hosts, use the following command in non-interactive mode.

    {password1} is the root password of the first host in the host list and {password2} is the root password of the second host.

    ./gs_sshexkey -f /opt/software/hostfile -W {password} -W {password1} -W {password2}
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.
  • When the user password is the same on all hosts, use the following command in interactive mode.
    gs_sshexkey -f /opt/software/hostfile
    Please enter password for current user[root].
    Password: 
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.
  • When the user passwords differ between hosts, use the following command in interactive mode.
    gs_sshexkey -f /opt/software/hostfile
    Please enter password for current user[root].
    Password: 
    Notice :The password of some nodes is incorrect.
    Please enter password for current user[root] on the node[10.180.10.112].
    Password: 
    Please enter password for current user[root] on the node[10.180.10.113].
    Password: 
    Checking network information.
    All nodes in the network are Normal.
    Successfully checked network information.
    Creating SSH trust.
    Creating the local key file.
    Appending local ID to authorized_keys.
    Successfully appended local ID to authorized_keys.
    Updating the known_hosts file.
    Successfully updated the known_hosts file.
    Appending authorized_key on the remote node.
    Successfully appended authorized_key on all remote node.
    Checking common authentication file content.
    Successfully checked common authentication content.
    Distributing SSH trust file to all node.
    Successfully distributed SSH trust file to all node.
    Verifying SSH trust on all hosts.
    Successfully verified SSH trust on all hosts.
    Successfully created SSH trust.