
SRE Cloud Computing Assignment 4

Posted: 2023-01-09 23:32:26
Tags: rocky, SRE, CA, assignment, 192.168, lxc, computing, lxcnihao, root

1. Write a script that logs in to a remote host (in two forms: an expect script and a shell script).

1.1 expect form:

[root@lxc-rocky-8 lxcnihao]# vim expectl2

#!/usr/bin/expect
# usage: expect expectl2 IP USER PASSWORD
# note: a password passed on the command line is visible to other users in
# "ps" output and is recorded in the shell history
set ip [lindex $argv 0]
set user [lindex $argv 1]
set password [lindex $argv 2]
spawn ssh $user@$ip
expect {
    "yes/no" { send "yes\n"; exp_continue }   ;# accept the host key on first connect
    "password" { send "$password\n" }
}
interact                                      ;# hand the session over to the terminal

[root@lxc-rocky-8 lxcnihao]# expect expectl2 192.168.8.142 root root
spawn ssh root@192.168.8.142
root@192.168.8.142's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Dec 2 16:26:02 2022 from 192.168.8.144
[root@lxc-centos ~]#

1.2 Shell script form:

[root@lxc-rocky-8 lxcnihao]# vim expectl3.sh
#!/bin/bash
# usage: bash expectl3.sh IP USER PASSWORD
# the heredoc is expanded by bash, so $user, $ip and $password are filled in
# before expect sees the script
ip=$1
user=$2
password=$3
expect <<EOF
spawn ssh $user@$ip
expect {
    "yes/no" { send "yes\n"; exp_continue }
    "password" { send "$password\n" }
}
expect eof
EOF
# "expect eof" waits until ssh exits; with a heredoc, expect's stdin is the
# script itself, so "interact" cannot hand the terminal over here

[root@lxc-rocky-8 lxcnihao]# bash expectl3.sh 192.168.8.142 root root
spawn ssh root@192.168.8.142
root@192.168.8.142's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Dec 2 16:41:27 2022 from 192.168.8.144

2. Generate 10 random numbers, store them in an array, and find the maximum and minimum

[root@lxc-rocky-8 ~]# vim RandomNum.sh
#!/bin/bash
declare -i min max
declare -a nums
for ((i=0;i<10;i++));do
    nums[$i]=$RANDOM                                      # 0..32767
    # the first element initialises both extremes
    [ $i -eq 0 ] && max=${nums[0]} && min=${nums[0]} && continue
    [ ${nums[$i]} -gt $max ] && max=${nums[$i]} && continue
    [ ${nums[$i]} -lt $min ] && min=${nums[$i]}
done
echo "RANDOM: ${nums[*]}"
echo Max = $max
echo Min = $min

3. Read several numbers into an array and sort them in ascending or descending order with bubble sort

[root@lxc-rocky-8 lxcnihao]# vim MaoPaoFa.sh
#!/bin/bash
# arrays and [[ ]] are bash features, so the shebang must be bash, not sh
echo "请输入数字:"
read -a nums
for (( i=0 ; i<${#nums[*]} ; i++ ))
do
    # walk from the end towards i; the smallest remaining value bubbles to position i
    for (( j=${#nums[*]} - 1 ; j>i ; j-- ))
    do
        if [[ ${nums[j]} -lt ${nums[j-1]} ]]
        then
            t=${nums[j]}
            nums[j]=${nums[j-1]}
            nums[j-1]=$t
        fi
    done
done
echo "输出结果如下:"
echo ${nums[*]}

The output is as follows:

[root@lxc-rocky-8 lxcnihao]# bash MaoPaoFa.sh 
请输入数字:
55 44 12 77 88 66 33 99
输出结果如下:
12 33 44 55 66 77 88 99
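The post's script only sorts ascending, and task 2 computes the extremes with a separate loop. The following added example (not from the original post) is one bubble sort that takes the direction as an argument, rejects non-integer input, and derives the minimum and maximum from the sorted result; function names and the asc/desc arguments are my own choices.

```bash
#!/bin/bash
# Added example: bubble sort in either direction, with input validation,
# plus min/max derived from the sorted result.

# is_int VALUE -> true if VALUE is an optionally signed decimal integer
is_int() { [[ $1 =~ ^-?[0-9]+$ ]]; }

# bubble_sort asc|desc N1 N2 ... -> prints the numbers sorted, space separated
bubble_sort() {
    local order=$1; shift
    local -a nums=("$@")
    local n=${#nums[@]} i j t v
    [[ $order == asc || $order == desc ]] || { echo "order must be asc or desc" >&2; return 2; }
    (( n > 0 )) || { echo "no numbers given" >&2; return 1; }
    for v in "${nums[@]}"; do
        is_int "$v" || { echo "not an integer: $v" >&2; return 1; }
    done
    for ((i = 0; i < n; i++)); do
        # After each outer pass the smallest (asc) or largest (desc) remaining
        # value has bubbled to position i, so the inner loop stops there.
        for ((j = n - 1; j > i; j--)); do
            if { [[ $order == asc ]]  && (( nums[j] < nums[j-1] )); } ||
               { [[ $order == desc ]] && (( nums[j] > nums[j-1] )); }; then
                t=${nums[j]}; nums[j]=${nums[j-1]}; nums[j-1]=$t
            fi
        done
    done
    echo "${nums[*]}"
}

# min_max N1 N2 ... -> prints "Min = x Max = y" using the sorted order
min_max() {
    local sorted
    sorted=$(bubble_sort asc "$@") || return $?
    set -- $sorted
    echo "Min = $1 Max = ${!#}"
}
```

Usage mirrors the post's script: `read -a nums; bubble_sort desc "${nums[@]}"`. Validating the input matters because `[[ $a -lt $b ]]` evaluates its operands arithmetically, so a non-numeric token is treated as a variable name rather than as an error.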

4. Summarize several commands for viewing system load, and summarize roughly what the fields of the top command mean (not all of them are required)

4.1 Commands for viewing system load

[root@lxc-rocky-8 ~]# uptime
15:48:24 up 25 min, 1 user, load average: 0.00, 0.00, 0.00


[root@lxc-rocky-8 ~]# w
15:47:18 up 23 min, 1 user, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.8.1 15:23 1.00s 0.06s 0.00s w


[root@lxc-rocky-8 ~]# top
top - 15:49:01 up 25 min, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 209 total, 2 running, 207 sleeping, 0 stopped, 0 zombie
%Cpu(s): 0.2 us, 0.3 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.2 hi, 0.0 si, 0.0 st
MiB Mem : 1785.4 total, 1161.7 free, 273.7 used, 350.0 buff/cache
MiB Swap: 2076.0 total, 2076.0 free, 0.0 used. 1356.0 avail Mem

4.2 top command fields

top - 15:49:01 : current time
up 25 min : how long the system has been running
1 user : number of logged-in users
load average: 0.00, 0.00, 0.00 : system load over the last 1, 5 and 15 minutes
Tasks: 209 total : total number of processes
2 running : processes currently running
207 sleeping : sleeping processes
0 stopped : stopped processes
0 zombie : zombie processes
%Cpu(s): 0.2 us (user space), 0.3 sy (kernel space), 0.0 ni (niced, low-priority user processes), 99.3 id (idle), 0.0 wa (waiting for I/O),
0.2 hi (hardware interrupts), 0.0 si (software interrupts), 0.0 st (time stolen by the hypervisor)
MiB Mem : 1785.4 total (total physical memory), 1161.7 free (free physical memory), 273.7 used (physical memory in use),
350.0 buff/cache (kernel buffers and page cache)
MiB Swap: 2076.0 total (total swap), 2076.0 free (free swap), 0.0 used (swap in use).
1356.0 avail Mem (estimated memory available to new processes without swapping)
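A load average is only meaningful next to the core count: 3.10 is idle capacity on eight cores and a run queue on two. The following added example (not from the original post) parses the header lines that uptime and top print and applies that comparison, plus a check on the wa and st fields; the sample lines, the 20% I/O-wait threshold and the function names are constructed for the example.

```bash
#!/bin/bash
# Added example: parse the load-average and %Cpu(s) header lines and judge
# them against the number of CPU cores. The sample lines are constructed.

SAMPLE_LOAD='top - 15:49:01 up 25 min,  1 user,  load average: 3.10, 2.00, 1.50'
SAMPLE_CPU='%Cpu(s):  0.2 us,  0.3 sy,  0.0 ni, 99.3 id,  0.0 wa,  0.2 hi,  0.0 si,  0.0 st'

# load_avgs "LINE" -> the 1, 5 and 15 minute load averages, space separated
load_avgs() {
    sed -n 's/.*load average: *\([0-9.]*\), *\([0-9.]*\), *\([0-9.]*\).*/\1 \2 \3/p' <<<"$1"
}

# load_status "LINE" NCORES -> "ok" or "saturated".
# Load average counts runnable (and uninterruptible) tasks, so 3.10 means about
# three tasks wanted a CPU on average: fine with 8 cores, a queue with 2.
load_status() {
    local one
    one=$(load_avgs "$1" | cut -d' ' -f1)
    [[ -n $one ]] || { echo "unparsed"; return 1; }
    awk -v l="$one" -v c="$2" 'BEGIN { if (l + 0 < c + 0) print "ok"; else print "saturated" }'
}

# cpu_field "%Cpu(s) LINE" NAME -> the percentage for NAME (us sy ni id wa hi si st)
cpu_field() {
    sed 's/^%Cpu(s)://; s/,/ /g' <<<"$1" |
        awk -v k="$2" '{ for (i = 1; i < NF; i += 2) if ($(i + 1) == k) print $i }'
}

# cpu_warnings "%Cpu(s) LINE" -> one line per suspicious value: high I/O wait
# points at slow or saturated storage, non-zero steal at an oversubscribed hypervisor
cpu_warnings() {
    local wa st
    wa=$(cpu_field "$1" wa); st=$(cpu_field "$1" st)
    awk -v wa="$wa" -v st="$st" 'BEGIN {
        if (wa + 0 > 20) print "io-wait " wa "%"
        if (st + 0 > 0)  print "steal "   st "%"
    }'
}
```

On a live system the same functions can be fed `uptime` and the third line of `top -bn1`, with the core count from `nproc`.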

5. Write scripts, one with for and one with while, that test whether each address in 192.168.8.0/24 answers ping, printing "success!" if it does and "fail!" if it does not

5.1 for loop

[root@lxc-rocky-8 ~]# cd /home/lxcnihao
[root@lxc-rocky-8 lxcnihao]# vim serch_ip.sh
#!/bin/bash
NET=192.168.8
cat /dev/null > hosts.txt        # truncate hosts.txt (not used further in this version)

for i in {1..254};do
    # one echo request, give up after 1 second
    if ping -c1 -W1 $NET.$i &> /dev/null ;then
        echo ping $NET.$i success!
    else echo ping $NET.$i fail!
    fi
done

Partial output of 5.1:

[root@lxc-rocky-8 lxcnihao]# bash serch_ip.sh
ping 192.168.8.1 success!
ping 192.168.8.2 success!
ping 192.168.8.3 fail!
ping 192.168.8.4 fail!
ping 192.168.8.5 fail!

5.2 while loop

[root@lxc-rocky-8 lxcnihao]# vim serch_ip2.sh
#!/bin/bash
NET=192.168.8
cat /dev/null > hosts.txt        # truncate hosts.txt (not used further in this version)

i=1
while [ $i -le 254 ];do
    if ping -c1 -W1 $NET.$i &> /dev/null ;then
        echo ping $NET.$i success!
    else echo ping $NET.$i fail!
    fi
    let i++
done

Partial output of 5.2:

[root@lxc-rocky-8 lxcnihao]# bash serch_ip2.sh
ping 192.168.8.139 fail!
ping 192.168.8.140 fail!
ping 192.168.8.141 fail!
ping 192.168.8.142 success!
ping 192.168.8.143 fail!
ping 192.168.8.144 success!
ping 192.168.8.145 fail!
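Both scripts above probe the 254 addresses one after another, so with a 1 second timeout an inventory of a mostly empty subnet takes several minutes. The following added example (not from the original post) runs the probes concurrently and keeps the probe command pluggable, which is also what makes it testable without a network; the function names and the default ICMP probe are my own choices. Hosts that filter ICMP show as "fail!" with any ping-based probe, so the result is "answers ping", not "is down".

```bash
#!/bin/bash
# Added example: the same /24 reachability sweep, run in parallel, with an
# injectable probe so the logic can be exercised with a fake probe.

# probe_icmp IP -> exit 0 if one ICMP echo gets a reply within 1 s
probe_icmp() { ping -c1 -W1 "$1" >/dev/null 2>&1; }

# sweep_net NET FIRST LAST [PROBE]
# Probes NET.FIRST .. NET.LAST concurrently with PROBE (a function or executable
# name, default probe_icmp) and prints "ping NET.i success!" or "ping NET.i fail!"
# ordered by host octet, the same lines the post's scripts print.
sweep_net() {
    local net=$1 first=$2 last=$3 probe=${4:-probe_icmp}
    local tmp i
    tmp=$(mktemp) || return 1
    for ((i = first; i <= last; i++)); do
        # Each probe runs in its own background subshell; results go to a temp
        # file because background jobs cannot return values to the parent shell.
        if "$probe" "$net.$i"; then echo "$i success!"; else echo "$i fail!"; fi >>"$tmp" &
    done
    wait
    sort -n "$tmp" | awk -v net="$net" '{ print "ping " net "." $1 " " $2 }'
    rm -f "$tmp"
}

# count_up NET FIRST LAST [PROBE] -> number of hosts that answered
count_up() { sweep_net "$@" | grep -c 'success!$'; }
```

`sweep_net 192.168.8 1 254` reproduces the post's output for the whole subnet in roughly the time of one timeout. Each result line is a single short append to the temp file, which is why the concurrent writes do not interleave.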

6. At 1:30 on every weekday, back up /etc into the /backup directory, with the file name in the format "etcbak-yyyy-mm-dd-HH.tar.xz", where the date is the previous day's

[root@lxc-rocky-8 lxcnihao]# vim back.sh
#!/bin/bash
mkdir -p /home/lxcnihao/backup                 # -p: no error when the directory already exists
T=etcbak-`date -d '-1 day' +%Y-%m-%d-%H`       # previous day's date and hour
# -J selects xz, which matches the .tar.xz name (-j would write bzip2 data)
tar -Jcvf /home/lxcnihao/backup/$T.tar.xz /etc/ &> /dev/null
[root@lxc-rocky-8 lxcnihao]# crontab -e
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
30 1 * * 1-5 bash /home/lxcnihao/back.sh
[root@lxc-rocky-8 lxcnihao]# date -s "2022-12-07 01:29:00"
[root@lxc-rocky-8 lxcnihao]# ll backup
total 4092
-rw-r--r--. 1 root root 4187198 Jan 6 01:30 etcbak-2022-12-06-01.tar.xz
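A backup of /etc contains /etc/shadow and any private keys kept there, so the archive deserves the same protection as those files, and a backup job that fails silently is worse than none. The following added example (not from the original post) wraps the same tar invocation as a function that creates the destination, writes the archive readable by root only, checks that it can be listed, and takes the timestamp as an optional argument so it can be tested with a fixed date; paths and the function name are my own choices.

```bash
#!/bin/bash
# Added example: a hardened version of back.sh. Differences from the post's
# script: mkdir -p, tar -J (xz, matching the .tar.xz name), restrictive
# permissions on the directory and archive, and a listing check so a
# truncated archive is noticed and removed.

# backup_dir SRC DEST [STAMP] -> creates DEST/etcbak-STAMP.tar.xz and prints its path.
# STAMP defaults to the previous day's date and hour, as the task requires.
backup_dir() {
    local src=$1 dest=$2 stamp=${3:-$(date -d '-1 day' +%Y-%m-%d-%H)}
    local archive=$dest/etcbak-$stamp.tar.xz
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # umask 077 makes the archive mode 600; -C / with a relative path avoids
    # tar's "Removing leading /" warning and keeps it restorable with tar -C / -xJf
    ( umask 077; tar -C / -cJf "$archive" "${src#/}" 2>/dev/null ) ||
        { rm -f "$archive"; return 1; }
    # verify the archive can be read back before reporting success
    tar -tJf "$archive" >/dev/null 2>&1 || { rm -f "$archive"; return 1; }
    echo "$archive"
}
```

The crontab line from the post stays the same, with `backup_dir /etc /backup` as the command body; because the function returns non-zero on any failure, cron's mail (or a `|| logger` clause) reports a broken run instead of leaving an empty or partial file behind.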

7. Use awk with a colon as the separator to get the first column of /etc/passwd

[root@lxc-rocky-8 ~]# awk -F: '{print $1}' /etc/passwd
root
bin
daemon
...

8. Create a private CA and request a certificate, with the procedure and results.

8.1 Create the directories and files the CA needs

[root@lxc-rocky-8 CA]#mkdir /etc/pki/CA/certs
[root@lxc-rocky-8 CA]#mkdir /etc/pki/CA/crl
[root@lxc-rocky-8 CA]#mkdir /etc/pki/CA/newcerts
[root@lxc-rocky-8 CA]#mkdir /etc/pki/CA/private
[root@lxc-rocky-8 CA]#touch /etc/pki/CA/index.txt
[root@lxc-rocky-8 CA]#echo 01 > /etc/pki/CA/serial

[root@lxc-rocky-8 CA]#tree /etc/pki/CA
/etc/pki/CA
├── certs
├── crl
├── index.txt
├── newcerts
├── private
└── serial

8.2 Generate the CA private key

[root@lxc-rocky-8 CA]#openssl genrsa -out private/cakey.pem 
Generating RSA private key, 2048 bit long modulus (2 primes)
......................................................................................................+++++
...+++++
e is 65537 (0x010001)

8.3 Generate the CA self-signed certificate

[root@lxc-rocky-8 CA]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -days 36500 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:N69
Common Name (eg, your name or your server's hostname) []:ca.magedu.org
Email Address []:lxcnihao@163.com

8.4 Generate a private key (www.key) for the client

[root@lxc-rocky-8 ~]#openssl genrsa -out /home/lxcnihao/www.key
Generating RSA private key, 2048 bit long modulus (2 primes)
................................+++++
.........................................................................................+++++
e is 65537 (0x010001)

8.5 Generate a certificate signing request for the client that needs the certificate

[root@lxc-rocky-8 ~]#openssl req -new -key /home/lxcnihao/www.key -out /home/lxcnihao/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:N70
Common Name (eg, your name or your server's hostname) []:www.magedu.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

8.6 Sign the certificate on the CA and issue it to the client

[root@lxc-rocky-8 ~]#openssl ca -in /home/lxcnihao/www.csr -out /etc/pki/CA/certs/www.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 9 08:17:55 2023 GMT
Not After : Apr 19 08:17:55 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = magedu
organizationalUnitName = N70
commonName = www.magedu.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7A:F6:CF:01:73:BC:6A:FF:45:33:6C:F0:CD:AB:B9:13:C9:A0:5A:88
X509v3 Authority Key Identifier:
keyid:83:01:E0:63:6D:D3:70:FF:ED:13:20:CC:39:C1:A7:DD:84:39:CD:1F

Certificate is to be certified until Apr 19 08:17:55 2023 GMT (100 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

8.7 Certificate revocation

[root@lxc-rocky-8 CA]#openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated

8.8 Generate the certificate revocation list

[root@lxc-rocky-8 CA]#echo 01 > /etc/pki/CA/crlnumber
[root@lxc-rocky-8 CA]#openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
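The interactive session in 8.2 to 8.6 depends on the CA database under /etc/pki/CA and on prompts. The following added example (not from the original post) performs the same steps, CA key and self-signed root, client key and CSR, CA-signed certificate, non-interactively and checks the result: it uses `openssl x509 -req -CA` for signing instead of the post's `openssl ca`, so it needs no index.txt/serial database, it ships its own minimal config so it does not depend on the system openssl.cnf, and it gives the leaf a subjectAltName, which is what clients match against the hostname. Directory layout, subject values and function names are my own assumptions.

```bash
#!/bin/bash
# Added example: a private CA and a CA-signed server certificate without prompts.

# make_ca DIR CN -> DIR/cakey.pem (mode 600) and DIR/cacert.pem (self-signed root)
make_ca() {
    local dir=$1 cn=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # minimal req config: subject comes from -subj, extensions mark this as a CA
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -key "$dir/cakey.pem" -config "$dir/ca.cnf" \
        -subj "/C=CN/O=magedu/CN=$cn" -days 3650 -out "$dir/cacert.pem" 2>/dev/null
}

# issue_cert CADIR OUTDIR NAME DNSNAME DAYS -> OUTDIR/NAME.key, .csr and CA-signed .crt
issue_cert() {
    local cadir=$1 out=$2 name=$3 dns=$4 days=$5
    mkdir -p "$out" || return 1
    ( umask 077; openssl genrsa -out "$out/$name.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$out/$name.key" -config "$cadir/ca.cnf" \
        -subj "/C=CN/O=magedu/CN=$dns" -out "$out/$name.csr" 2>/dev/null || return 1
    # leaf extensions: CA:FALSE so the cert cannot sign others, SAN for hostname matching
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$dns" >"$out/$name.ext"
    openssl x509 -req -in "$out/$name.csr" -CA "$cadir/cacert.pem" -CAkey "$cadir/cakey.pem" \
        -CAcreateserial -days "$days" -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null
}

# verify_cert CADIR CERT DNSNAME -> 0 if CERT chains to the CA and carries DNSNAME in its SAN
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$3"
}

# cert_is_ca CERT -> 0 if the certificate asserts CA:TRUE
cert_is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; }
```

`make_ca /etc/pki/CA ca.magedu.org` followed by `issue_cert /etc/pki/CA /home/lxcnihao www www.magedu.org 100` reproduces the post's outcome (the post's certificate has no SAN, which modern browsers require). Revocation and CRL generation still need the `openssl ca` database from 8.7 and 8.8; this example stops at issuance.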

9. Summarize common ssh options and their usage. An analysis of how the SSH exchange works is required, with a diagram.

9.1 ssh IP: log in to the target host as the current user

[root@lxc-rocky-8 ~]#ssh 192.168.8.142

9.2 ssh user@IP: log in to the target host as the specified user

[root@lxc-rocky-8 ~]#ssh lxcnihao@192.168.8.142

9.3 ssh -p port: log in to the target host on the specified port; ssh's default port is 22

[root@lxc-rocky-8 ~]#ssh -p 22 192.168.8.142

9.4 ssh key authentication: remote login no longer depends on the traditional username and password

[root@lxc-rocky-8 ~]#ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): yes
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in yes.
Your public key has been saved in yes.pub.
The key fingerprint is:
SHA256:NgqOq6vctLW4X6+/H9LR8Q8rZJHWaJ5w8/LDaikgWiY root@lxc-rocky-8.6-1
The key's randomart image is:
+---[RSA 3072]----+
| |
| + |
| . O.. |
| *.=o |
| . S .*.o. |
| oE.+o...o.+ o.|
| ...*.o o o..= .|
|. o.= o . o +o . |
|=+.=oo .o+o+. |
+----[SHA256]-----+
[root@lxc-rocky-8 ~]#ssh-copy-id 192.168.8.142



10. Summarize common sshd service options.

[root@lxc-rocky-8 ~]#vim /etc/ssh/sshd_config
#Port 22                     # listening port; changing it is recommended
#AddressFamily any
#ListenAddress 0.0.0.0       # listening IP address
PermitRootLogin yes          # Ubuntu does not allow root to log in over ssh by default
#PubkeyAuthentication yes    # public key authentication
#PasswordAuthentication yes  # traditional password authentication
GSSAPIAuthentication no      # set to no to speed up login
#UseDNS no                   # avoid reverse DNS lookups
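The list above mixes live settings with commented-out defaults, and sshd uses the first uncommented occurrence of a keyword (lines inside a Match block apply only conditionally), so reading a config by eye is error-prone. The following added example (not from the original post) reads the value sshd would actually use for a keyword and flags the authentication settings from the list that are worth changing; the function names, the finding texts, and the OpenSSH 8 defaults used when a keyword is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, PermitEmptyPasswords no) are my own assumptions, and the sample config is constructed from the post's lines.

```bash
#!/bin/bash
# Added example: effective sshd_config values and an audit of the login settings.

# Constructed sample based on the post's listing, plus a Match block
SAMPLE_SSHD_CONFIG='#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication=yes
GSSAPIAuthentication no
Match User backup
PasswordAuthentication no'

# sshd_effective FILE KEYWORD DEFAULT -> first uncommented value of KEYWORD in
# FILE's global section, or DEFAULT when the keyword is absent or commented out
sshd_effective() {
    local file=$1 key=${2,,} default=$3 v
    [[ -r $file ]] || return 1
    v=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }                   # skip comments and blank lines
        { k = tolower($1); sub(/=.*/, "", k) }          # keyword, also in Keyword=value form
        k == "match" { exit }                           # conditional section starts: stop
        k == key {
            line = $0
            sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]*/, "", line)   # drop the keyword
            split(line, parts, /[[:space:]]+/)
            print parts[1]                               # first value token
            exit                                         # sshd uses the first occurrence
        }' "$file")
    echo "${v:-$default}"
}

# audit_sshd FILE -> one finding per line; exit 1 when there is any finding
audit_sshd() {
    local f=$1 findings=0
    if [[ $(sshd_effective "$f" PermitRootLogin prohibit-password) == yes ]]; then
        echo "PermitRootLogin yes: root can log in with a password; use prohibit-password or no"
        findings=$((findings + 1))
    fi
    if [[ $(sshd_effective "$f" PasswordAuthentication yes) == yes ]]; then
        echo "PasswordAuthentication yes: passwords can be guessed online; prefer key-only authentication"
        findings=$((findings + 1))
    fi
    if [[ $(sshd_effective "$f" PermitEmptyPasswords no) == yes ]]; then
        echo "PermitEmptyPasswords yes: accounts with an empty password can log in"
        findings=$((findings + 1))
    fi
    if [[ $(sshd_effective "$f" PubkeyAuthentication yes) == no ]]; then
        echo "PubkeyAuthentication no: key authentication is disabled"
        findings=$((findings + 1))
    fi
    (( findings == 0 ))
}
```

Run as `audit_sshd /etc/ssh/sshd_config` after editing and before `systemctl restart sshd`; on a host where `sshd -T` is available, its output is the authoritative effective configuration, including Match blocks.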

From: https://blog.51cto.com/u_15716745/5998798
