> Create a new user with sudo privileges, and…
> Block root from ssh access
Then we carry on configuring the system through the new user account. Of course we do this because our logs are full of malicious ssh root login attempts.
But now we are trying to build servers with Chef (chef-solo with knife-solo and librarian-chef). Once we create the recipe that blocks ssh login as root, we can no longer run the recipe a second time.
I saw this:
How to run chef-client vagrant provisioner from custom non-root user?
But it seems "root" is hard-coded all over the place, and the accepted solution requires forking all the base cookbooks.
Any ideas on how to create a re-runnable Chef setup that includes disabling root ssh access?
Solution

Bootstrapping a server with a non-root account is not unusual. As @StephenKing pointed out, knife supports this. Here is my normal procedure:

```
ssh-copy-id me@hostname
knife bootstrap hostname --ssh-user me --sudo --run-list role[desired_server_role]
```

However, this answer assumes you are using a Chef server (highly recommended)….
You are using a non-standard knife plugin to emulate this bootstrap behaviour. The documentation states that sudo will be used by the "knife solo prepare" command:
> It will look up SSH information from ~/.ssh/config or in the file specified by -F. You can also pass port information (-p), identity information (-i), or a password (-P). It will use sudo to run some of these commands and will prompt you for the password if it's not supplied on the command line.
And the "knife solo bootstrap" command appears to support options similar to the standard bootstrap:
```
$ knife solo bootstrap -h
knife solo bootstrap [USER@]HOSTNAME [JSON] (options)
        --no-berkshelf               Skip berks install
        --bootstrap-version VERSION  The version of Chef to install
    -N, --node-name NAME             The Chef node name for your new node
        --server-url URL             Chef Server URL
        --chef-zero-port PORT        Port to start chef-zero on
    -k, --key KEY                    API Client Key
        --[no-]color                 Use colored output, defaults to false on windows, true otherwise
    -c, --config CONFIG              The configuration file to use
        --defaults                   Accept default values for all questions
    -d, --disable-editing            Do not open EDITOR, just accept the data as is
    -e, --editor EDITOR              Set the editor to use for interactive commands
    -E, --environment ENVIRONMENT    The Chef environment for your node
        --format FORMAT              Which format to use for output
        --[no-]host-key-verify       Verify host key, enabled by default.
    -i, --identity-file FILE         The ssh identity file
    -j JSON_ATTRIBS,                 A JSON string to be added to node config (if it does not exist)
        --json-attributes
        --no-librarian               Skip librarian-chef install
    -z, --local-mode                 Point knife commands at local repository instead of server
    -u, --user USER                  API Client Username
        --omnibus-options "OPTIONS"  Pass options to the install.sh script
        --omnibus-url URL            URL to download install.sh from
        --omnibus-version VERSION    Deprecated. Replaced with --bootstrap-version.
        --prerelease                 Install the pre-release Chef version
        --print-after                Show the data after a destructive operation
    -r, --run-list RUN_LIST          Comma separated list of roles/recipes to put to node config (if it does not exist)
    -F CONFIG_FILE,                  Alternate location for ssh config file
        --ssh-config-file
        --ssh-identity FILE          Deprecated. Replaced with --identity-file.
    -P, --ssh-password PASSWORD      The ssh password
    -p, --ssh-port PORT              The ssh port
    -x, --ssh-user USERNAME          The ssh username
    -s, --startup-script FILE        The startup script on the remote server containing variable definitions
        --sudo-command SUDO_COMMAND  The command to use instead of sudo for admin privileges
        --sync-only                  Only sync the cookbook - do not run Chef
    -V, --verbose                    More verbose output. Use twice for max verbosity
    -v, --version                    Show chef version
    -W, --why-run                    Enable whyrun mode
    -y, --yes                        Say yes to all prompts for confirmation
    -h, --help                       Show this message
```
I noticed all sorts of funky stuff in there, including an option to use chef-zero (now a feature supported in chef-client).
Hope this helps, but I would suggest considering chef-server. It is easy to stand up, and you would then be following the standard way of using Chef.
Update
An interesting read:
> The future of knife-solo
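Neither the question nor the answer shows the recipe itself. As an added example (not code from the post, from Chef or from knife-solo), here is the idempotent sshd_config edit that makes a "disable root ssh" step safe to re-run, written in plain Ruby rather than Chef DSL so it runs stand-alone; the function names and the sample config are constructed for illustration. It also handles the caveat that a global directive placed after a `Match` block applies only to matched sessions, and that sshd honours the first occurrence of a keyword.

```ruby
require 'tempfile'

# Idempotently set one sshd_config directive. Returns true if the file was
# changed and false if it was already compliant, so a second run is a no-op.
def set_sshd_option(path, key, value)
  lines = File.readlines(path, chomp: true)
  wanted = "#{key} #{value}"
  active_re = /\A\s*#{Regexp.escape(key)}\s+(\S+)/i
  # Directives below the first "Match" block only apply to matched users/hosts,
  # so a global setting must live above it. sshd also uses the first occurrence
  # of a keyword, so controlling the first active directive is sufficient.
  limit = lines.index { |l| l =~ /\A\s*Match\b/i } || lines.size
  active = (0...limit).find { |i| lines[i] =~ active_re }
  if active
    current = lines[active][active_re, 1]
    return false if current.casecmp?(value) # already compliant: nothing to do
    lines[active] = wanted
  else
    # Prefer replacing a commented-out default such as "#PermitRootLogin yes"
    # in place, so the setting lands where an admin expects to find it.
    commented = (0...limit).find { |i| lines[i] =~ /\A\s*#\s*#{Regexp.escape(key)}\b/i }
    commented ? lines[commented] = wanted : lines.insert(limit, wanted)
  end
  File.write(path, lines.join("\n") + "\n")
  true
end

# Constructed sample sshd_config (not from any real server): a commented-out
# default above a Match block that must stay below the global directive.
SAMPLE = <<~CFG
  Port 22
  #PermitRootLogin yes
  PasswordAuthentication no
  Match Address 10.0.0.0/8
      PasswordAuthentication yes
CFG

# Apply the step twice to a temporary copy, as a re-run of the recipe would.
# Returns [changed_on_first_run, changed_on_second_run, resulting_lines].
def demo(content = SAMPLE)
  Tempfile.create('sshd_config') do |f|
    f.write(content)
    f.flush
    first  = set_sshd_option(f.path, 'PermitRootLogin', 'no')
    second = set_sshd_option(f.path, 'PermitRootLogin', 'no')
    [first, second, File.readlines(f.path, chomp: true)]
  end
end
```

In a real recipe the same check-before-write logic is what keeps a `template` or `execute` resource from reporting a change on every run; the only new guard a root-lockout step needs on top of that is the `--ssh-user`/`--sudo` bootstrap shown in the answer.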