
When we set up a new Linux server, we

  • create a new user with sudo privileges, and then...
  • block root access over ssh

We then continue configuring the system through the new user account. We do this, of course, because our logs are full of malicious ssh root login attempts.

But now we are trying to build servers with Chef (chef solo, knife-solo and librarian-chef). Once we create a recipe that blocks ssh login as root, we can no longer re-run those recipes.

I have seen: How to run the chef-client vagrant provisioner from a custom non-root user? But it seems "root" is hard-coded everywhere, and the accepted solution requires forking all the base cookbooks.

Any ideas on how to create a re-runnable Chef setup that includes disabling root ssh access?


2 Answers


Bootstrapping a server with a non-root account is not unusual. As @StephenKing pointed out, knife supports this. Here is my normal procedure:

ssh-copy-id me@hostname
knife bootstrap hostname --ssh-user me --sudo --run-list role[desired_server_role]

However, this answer assumes you are using a Chef Server (highly recommended)....

You are using a non-standard knife plugin to emulate this bootstrap behaviour. The documentation states that sudo will be used by the "knife solo prepare" command:

It will look up SSH information from ~/.ssh/config or in the file specified by -F. You can also pass port information (-p), identity information (-i), or a password (-P). It will use sudo to run some of these commands and will prompt you for the password if it's not supplied on the command line.

And the "knife solo bootstrap" command appears to support similar options to the standard bootstrap.

$ knife solo bootstrap -h 
knife solo bootstrap [USER@]HOSTNAME [JSON] (options)
        --no-berkshelf               Skip berks install
        --bootstrap-version VERSION  The version of Chef to install
    -N, --node-name NAME             The Chef node name for your new node
        --server-url URL             Chef Server URL
        --chef-zero-port PORT        Port to start chef-zero on
    -k, --key KEY                    API Client Key
        --[no-]color                 Use colored output, defaults to false on Windows, true otherwise
    -c, --config CONFIG              The configuration file to use
        --defaults                   Accept default values for all questions
    -d, --disable-editing            Do not open EDITOR, just accept the data as is
    -e, --editor EDITOR              Set the editor to use for interactive commands
    -E, --environment ENVIRONMENT    The Chef environment for your node
        --format FORMAT              Which format to use for output
        --[no-]host-key-verify       Verify host key, enabled by default.
    -i, --identity-file FILE         The ssh identity file
    -j JSON_ATTRIBS,                 A JSON string to be added to node config (if it does not exist)
        --json-attributes
        --no-librarian               Skip librarian-chef install
    -z, --local-mode                 Point knife commands at local repository instead of server
    -u, --user USER                  API Client Username
        --omnibus-options "OPTIONS"  Pass options to the install.sh script
        --omnibus-url URL            URL to download install.sh from
        --omnibus-version VERSION    Deprecated. Replaced with --bootstrap-version.
        --prerelease                 Install the pre-release Chef version
        --print-after                Show the data after a destructive operation
    -r, --run-list RUN_LIST          Comma separated list of roles/recipes to put to node config (if it does not exist)
    -F CONFIG_FILE,                  Alternate location for ssh config file
        --ssh-config-file
        --ssh-identity FILE          Deprecated. Replaced with --identity-file.
    -P, --ssh-password PASSWORD      The ssh password
    -p, --ssh-port PORT              The ssh port
    -x, --ssh-user USERNAME          The ssh username
    -s, --startup-script FILE        The startup script on the remote server containing variable definitions
        --sudo-command SUDO_COMMAND  The command to use instead of sudo for admin privileges
        --sync-only                  Only sync the cookbook - do not run Chef
    -V, --verbose                    More verbose output. Use twice for max verbosity
    -v, --version                    Show chef version
    -W, --why-run                    Enable whyrun mode
    -y, --yes                        Say yes to all prompts for confirmation
    -h, --help                       Show this message

I notice all kinds of funky stuff including an option to use chef zero (a feature now supported in chef-client).

Hope this helps, but I'd advise considering the use of chef-server. It's easy to stand up and you will then be following a standard way of using chef.

Update

An interesting read:

answered 2014-01-02T09:29:02.627
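As an added example (not part of the question or either answer): bootstrapping over a sudo-capable user, as above, keeps knife working after root login is closed, but the recipe that closes it must also be safe to run again. The pure-Ruby function below rewrites sshd_config so that root login is disabled and reports whether anything changed; a second run is a no-op. The function name and the sample config are constructed for this example.

```ruby
# Idempotently disable root SSH login in sshd_config text.
# Any existing PermitRootLogin directive (active or commented out) is
# replaced in place, duplicates are dropped, and the directive is appended
# if none was present. Returns [new_text, changed].
def disable_root_login(sshd_config)
  directive = 'PermitRootLogin no'
  seen = false
  lines = sshd_config.lines.map do |line|
    # Match "PermitRootLogin <value>", optionally commented out.
    if line =~ /\A\s*#?\s*PermitRootLogin\b/i
      if seen
        nil                    # drop later duplicates, keep only one directive
      else
        seen = true
        "#{directive}\n"
      end
    else
      line
    end
  end.compact
  lines << "#{directive}\n" unless seen
  new_text = lines.join
  [new_text, new_text != sshd_config]
end

# Constructed sample resembling a stock Debian/Ubuntu sshd_config fragment.
SAMPLE_SSHD_CONFIG = <<~CONF
  Port 22
  #PermitRootLogin prohibit-password
  PasswordAuthentication no
CONF

if __FILE__ == $PROGRAM_NAME
  first, changed_first = disable_root_login(SAMPLE_SSHD_CONFIG)
  _second, changed_second = disable_root_login(first)
  puts first
  puts "first run changed: #{changed_first}, second run changed: #{changed_second}"
end
```

In a recipe the returned text would feed the content of a file resource that notifies an ssh service restart only when the change flag is true, so re-running the cookbook through the sudo user neither rewrites the file nor bounces sshd needlessly.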

It also works with sudo (knife bootstrap; and of course, run sudo chef-client).

answered 2014-01-01T20:30:17.347