Batch-upgrading OpenSSH to OpenSSH_8.4p1
CentOS Linux release 7.8.2003 (Core) ships OpenSSH_7.4p1 by default, and the newest version available from yum is also OpenSSH_7.4p1, so upgrading OpenSSH means compiling it from source. Below is a playbook that performs the whole upgrade in one run.
Preparation
- The machines to be upgraded need a working yum repository configured
- Confirm the installed versions are OpenSSH_7.4p1 and OpenSSL 1.0.2k-fips (the playbook below may not work for other versions; if yours differ, first install 7.4 with yum and then run the playbook)
- Install Ansible on the control node and set up the inventory and passwordless (key-based) SSH access (covered in an earlier post)
Playbook contents
Role file layout
[root@open-1 ansible]# tree roles/
roles/
├── openssh_update
│   ├── files
│   │   ├── openssh-8.4p1.tar.gz
│   │   └── openssl-1.1.1g.tar.gz
│   ├── handlers
│   │   └── main.yaml
│   ├── tasks
│   │   ├── install.yaml
│   │   └── main.yaml
│   └── vars
│       └── main.yaml
└── update_openssh.yaml

5 directories, 7 files
Put the two tarballs in the files directory (the full set of files has been uploaded under the name openssh升级).
update_openssh.yaml
[root@open-1 roles]# cat update_openssh.yaml
---
- name: 升级openssh版本到openssh8.4p1
  hosts: open
  user: root
  gather_facts: false
  roles:
    - openssh_update
vars/main.yaml
[root@open-1 roles]# cat openssh_update/vars/main.yaml
open_ssh_package: openssh-8.4p1.tar.gz
open_ssl_package: openssl-1.1.1g.tar.gz
tasks/main.yaml
[root@open-1 roles]# cat openssh_update/tasks/main.yaml
---
- import_tasks: install.yaml
tasks/install.yaml
[root@open-1 roles]# cat openssh_update/tasks/install.yaml
---
# Install telnet and xinetd as a temporary fallback login path
- name: 安装telnet、xinetd
  yum:
    name: ['telnet','telnet-server','xinetd']
    state: present
# Start telnet and xinetd and enable them at boot
- name: 启动telnet、xinetd,并设置开机启动
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - xinetd
    - telnet.socket
# Back up /etc/securetty before editing it
- name: 备份/etc/securetty文件
  shell:
    cmd: cp -rf /etc/securetty /etc/securetty.bak$(date +%Y%m%d)
# Add pts/* terminals to /etc/securetty so root can log in over telnet
- name: 在/etc/securetty文件添加其他终端设备
  blockinfile:
    dest: /etc/securetty
    block: "pts/0\npts/1\npts/2\npts/3\npts/4"
# Restart xinetd; the notify fires the whole upgrade chain in handlers/main.yaml
- name: 重启xinetd服务
  service:
    name: xinetd
    state: restarted
  # Make sure telnet is up before upgrading: if the upgrade fails and telnet
  # is not running, there is no way left to reach the server remotely.
  notify:
    - telnet已经启动成功,可以进行升级
handlers/main.yaml
[root@open-1 roles]# cat openssh_update/handlers/main.yaml
---
# Every handler listens on the same topic, so the single notify in
# install.yaml runs the whole chain below in order.
# Install the build toolchain
- name: 安装编译环境
  yum:
    name: ['gcc','gcc-c++','glibc','make','autoconf','openssl','openssl-devel','pcre-devel','pam-devel']
    state: present
  listen: telnet已经启动成功,可以进行升级
# Install the pam and zlib packages
- name: 安装pam,zlib
  shell:
    cmd: yum -y install pam* zlib*
  listen: telnet已经启动成功,可以进行升级
# Unpack both tarballs from files/ into /opt
- name: 将openssh、openssl的压缩包解压到/opt目录
  unarchive:
    src: "{{ item }}"
    dest: /opt/
  loop:
    - "{{ open_ssh_package }}"
    - "{{ open_ssl_package }}"
  listen: telnet已经启动成功,可以进行升级
# Move the distro openssl binary and headers aside
- name: 备份openssl文件
  shell:
    cmd: mv /usr/bin/openssl /usr/bin/openssl_bak;mv /usr/include/openssl /usr/include/openssl_bak
  listen: telnet已经启动成功,可以进行升级
# Build and install OpenSSL 1.1.1g under /usr/local/ssl
- name: 编译安装openssl
  shell:
    cmd: ./config shared --prefix=/usr/local/ssl && make && make install
    chdir: /opt/openssl-1.1.1g
  listen: telnet已经启动成功,可以进行升级
# Symlink the new openssl binary and headers into the standard paths
- name: 设置openssl指令的软链接
  shell:
    cmd: 'ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl;ln -s /usr/local/ssl/include/openssl /usr/include/openssl'
  listen: telnet已经启动成功,可以进行升级
# Register the new shared libraries with the dynamic linker
- name: 加载openssl模块
  shell:
    cmd: echo "/usr/local/ssl/lib" >> /etc/ld.so.conf;/sbin/ldconfig
  listen: telnet已经启动成功,可以进行升级
# Back up the sshd config directory and PAM file.
# gather_facts is false, so ansible_ens33 is not available here;
# inventory_hostname is always defined and identifies the host instead.
- name: 备份/etc/ssh、/etc/pam.d/sshd.pam
  shell:
    cmd: mv /etc/ssh /etc/ssh.$(date +%Y%m%d);cp -rf /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam.$(date +%Y%m%d) || echo "{{ inventory_hostname }}上暂无这个文件。"
  listen: telnet已经启动成功,可以进行升级
# Build OpenSSH 8.4p1 against the new OpenSSL and install it under /usr
- name: 编译安装openssh
  shell:
    cmd: ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
    chdir: /opt/openssh-8.4p1
  listen: telnet已经启动成功,可以进行升级
# Replace sshd_config with the one shipped in the 8.4p1 source tree
- name: 替换新的sshd_config
  shell:
    cmd: cp -rf /opt/openssh-8.4p1/sshd_config /etc/ssh/sshd_config
  listen: telnet已经启动成功,可以进行升级
# /usr/libexec/openssh/sftp-server is the binary left behind by the old RPM;
# the source build installs its own copy at /usr/libexec/sftp-server
- name: override default of no subsystems
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*Subsystem.*sftp-server
    line: Subsystem sftp /usr/libexec/openssh/sftp-server
  listen: telnet已经启动成功,可以进行升级
# UseDNS no: skip reverse lookups at login
- name: 关闭DNS解析
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*UseDNS
    line: UseDNS no
  listen: telnet已经启动成功,可以进行升级
# Allow root to log in remotely (the play itself connects as root)
- name: 允许root远程登录
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*PermitRootLogin
    line: PermitRootLogin yes
  listen: telnet已经启动成功,可以进行升级
# Point the Banner directive at /etc/sshbanner
- name: 添加banner路径
  lineinfile:
    dest: /etc/ssh/sshd_config
    insertafter: ^#Banner none
    line: Banner /etc/sshbanner
  listen: telnet已经启动成功,可以进行升级
# Install the SysV init script and PAM file from contrib/redhat.
# Note: sshd's PAM service name is "sshd", so /etc/pam.d/sshd is the file
# PAM actually consults; /etc/pam.d/sshd.pam is only kept as a copy.
- name: 拷贝sshd.init和sshd.pam
  shell:
    cmd: cp -a contrib/redhat/sshd.init /etc/init.d/sshd;cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chdir: /opt/openssh-8.4p1
  listen: telnet已经启动成功,可以进行升级
# Register the init script with chkconfig and enable sshd at boot
- name: 将sshd交给chkconfig管理
  shell:
    cmd: chmod +x /etc/init.d/sshd;chkconfig --add sshd;chkconfig sshd on;systemctl enable sshd
  listen: telnet已经启动成功,可以进行升级
# Move the old systemd units aside and restart sshd through the init script
- name: 备份sshd.service并重启sshd服务
  shell:
    cmd: mv /usr/lib/systemd/system/sshd.service /opt/;mv /usr/lib/systemd/system/sshd.socket /opt/;systemctl daemon-reload;service sshd restart
  listen: telnet已经启动成功,可以进行升级
# Capture the installed versions (ssh -V prints to stderr, openssl to stdout)
- name: 检查版本,确认是否升级成功
  shell:
    cmd: ssh -V;openssl version
  register: check
  listen: telnet已经启动成功,可以进行升级
# Print the captured version information
- name: 更新后版本信息
  debug:
    var: check
    verbosity: 0
  listen: telnet已经启动成功,可以进行升级
Syntax check
[root@open-1 roles]# ls
openssh_update update_openssh.yaml
[root@open-1 roles]# ansible-playbook --syntax-check update_openssh.yaml
playbook: update_openssh.yaml
Run
[root@open-1 roles]# ansible-playbook update_openssh.yaml
PLAY [升级openssh版本到openssh8.4p1] ************************************************************************************************************************************************************
TASK [openssh_update : 安装telnet、xinetd] ****************************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
TASK [openssh_update : 启动telnet、xinetd,并设置开机启动] ********************************************************************************************************************************************
changed: [open-2] => (item=xinetd)
changed: [open-3] => (item=xinetd)
changed: [open-2] => (item=telnet.socket)
changed: [open-3] => (item=telnet.socket)
TASK [openssh_update : 备份/etc/securetty文件] *************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
TASK [openssh_update : 在/etc/securetty文件添加其他终端设备] ******************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
TASK [openssh_update : 重启xinetd服务] *********************************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : 安装编译环境] **************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 安装pam,zlib] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 将openssh、openssl的压缩包解压到/opt目录] ***************************************************************************************************************************
changed: [open-3] => (item=openssh-8.4p1.tar.gz)
changed: [open-2] => (item=openssh-8.4p1.tar.gz)
changed: [open-3] => (item=openssl-1.1.1g.tar.gz)
changed: [open-2] => (item=openssl-1.1.1g.tar.gz)
RUNNING HANDLER [openssh_update : 备份openssl文件] *********************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : 编译安装openssl] *********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 设置openssl指令的软链接] *****************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 加载openssl模块] *********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 备份/etc/ssh、/etc/pam.d/sshd.pam] **************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 编译安装openssh] *********************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : 替换新的sshd_config] *****************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : override default of no subsystems] ***********************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : 关闭DNS解析] *************************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 允许root远程登录] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 添加banner路径] **********************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 拷贝sshd.init和sshd.pam] ************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 将sshd交给chkconfig管理] **************************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 备份sshd.service并重启sshd服务] *********************************************************************************************************************************
changed: [open-3]
changed: [open-2]
RUNNING HANDLER [openssh_update : 检查版本,确认是否升级成功] *******************************************************************************************************************************************
changed: [open-2]
changed: [open-3]
RUNNING HANDLER [openssh_update : 更新后版本信息] *************************************************************************************************************************************************
ok: [open-2] => {
"check": {
"changed": true,
"cmd": "ssh -V;openssl version",
"delta": "0:00:00.010729",
"end": "2020-12-23 09:43:04.779265",
"failed": false,
"rc": 0,
"start": "2020-12-23 09:43:04.768536",
"stderr": "OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020",
"stderr_lines": [
"OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020"
],
"stdout": "OpenSSL 1.1.1g 21 Apr 2020",
"stdout_lines": [
"OpenSSL 1.1.1g 21 Apr 2020"
]
}
}
ok: [open-3] => {
"check": {
"changed": true,
"cmd": "ssh -V;openssl version",
"delta": "0:00:00.010667",
"end": "2020-12-23 09:42:42.195868",
"failed": false,
"rc": 0,
"start": "2020-12-23 09:42:42.185201",
"stderr": "OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020",
"stderr_lines": [
"OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020"
],
"stdout": "OpenSSL 1.1.1g 21 Apr 2020",
"stdout_lines": [
"OpenSSL 1.1.1g 21 Apr 2020"
]
}
}
PLAY RECAP *********************************************************************************************************************************************************************************
open-2 : ok=24 changed=23 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
open-3 : ok=24 changed=23 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
As you can see, the upgrade succeeded. The passwordless login configured earlier will most likely no longer work, because /etc/ssh was moved aside and the new install generated fresh host keys; delete the entries for these hosts from /root/.ssh/known_hosts on the control node and you can connect again.
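The role above leaves the telnet fallback, the extra pts/* entries in /etc/securetty and the xinetd service in place once sshd is back. The following play is an added example (not part of the original role) that verifies the installed versions and then removes that fallback; the hosts group open, the expected version strings and the default blockinfile markers from the securetty task are assumptions taken from the role above.

```yaml
---
# Added example (not part of the original role): run after update_openssh.yaml
# to confirm the upgrade and remove the temporary telnet fallback it left behind.
- name: Verify the OpenSSH upgrade and remove the telnet fallback
  hosts: open
  user: root
  gather_facts: false
  vars:
    expected_ssh: "OpenSSH_8.4p1"     # assumed target version, as in the role
    expected_ssl: "OpenSSL 1.1.1g"
  tasks:
    - name: Read the installed versions (ssh -V writes to stderr, so merge it)
      shell:
        cmd: ssh -V 2>&1; openssl version
      register: versions
      changed_when: false

    - name: Stop here unless both expected versions are present
      assert:
        that:
          - expected_ssh in versions.stdout
          - expected_ssl in versions.stdout
        fail_msg: "Unexpected versions on {{ inventory_hostname }}: {{ versions.stdout_lines }}"

    - name: Confirm the new sshd is accepting connections before touching telnet
      wait_for:
        host: 127.0.0.1
        port: 22
        timeout: 10

    - name: Stop and disable the cleartext telnet fallback
      service:
        name: "{{ item }}"
        state: stopped
        enabled: no
      loop:
        - telnet.socket
        - xinetd

    - name: Remove the pts/* block the role added to /etc/securetty
      blockinfile:
        dest: /etc/securetty
        state: absent          # removes the default ANSIBLE MANAGED BLOCK markers and contents

    - name: Remove the telnet server and xinetd packages
      yum:
        name: ['telnet-server', 'xinetd']
        state: absent
```

Because the assert runs before anything is removed, a host whose upgrade did not complete keeps its fallback path and the play simply fails for that host.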