警告
本文最后更新于 2021-04-21,文中内容可能已过时。
以下是一篇草稿,确实是我自己记录的。但是!我现在自己也看不懂了,真是栓Q了。其中的 chroot 初始化(init_chroot)似乎是多余的:sshd 配了 ForceCommand internal-sftp 之后,sftp 服务在 sshd 进程内完成,不会在 chroot 里执行任何外部程序,所以并不需要往 chroot 里复制 /bin 下的二进制和共享库。
chroot系统
正常来说,针对文件共享的 sftp 应该以用户为单位做 chroot,但这里我用的是组——用用户来做我从来没有测试成功过,只能被迫用组。(注意:下面脚本里 config_sshd 实际传入的是 "User",生成的是 Match User 块;以实际环境为准。)
#!/bin/bash
#################################################
# author 0x5c0f
# date 2020-12-04
# email mail@0x5c0f.cc
# web blog.0x5c0f.cc
# version 1.0.0
# last update 2021-04-21
# descript Use : ./chroot.init.sh
#################################################
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH
# 用于在linux之间替代nfs系统
# chroot 系统根目录
CHROOTHOME="/chroot_sftp"
# sshfs
# 用户配置
SSHFSUID="1050"
SSHFSUSER="sshfs"
SSHFSROOT="/home/${SSHFSUSER}"
# sshfs chroot 映射目录
SSHFSCHROOTDIR="${CHROOTHOME}/sshfsdir"
# sshfs 本地共享目录
SSHFSLOCALSHARE="/mnt/sshfsdir"
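# Build a minimal userland under ${CHROOTHOME}: device nodes, a few coreutils
# and the shared libraries they link against. Runs only when the directory does
# not exist yet; an existing tree is left untouched, so re-runs are no-ops.
#
# NOTE(review): with `ForceCommand internal-sftp` (see config_sshd) sshd never
# executes anything inside the jail, so none of this is required for SFTP.
# The binaries copied here are only extra attack surface unless an interactive
# shell inside the jail is actually wanted.
#
# Globals:  CHROOTHOME (read)
# Returns:  0 normally (also when the tree already exists), 1 if the directory
#           skeleton cannot be created. A failed device node or library copy
#           is reported on stderr but does not abort.
init_chroot() {
  local root=$CHROOTHOME
  [[ -d "$root" ]] && return 0

  mkdir -p "$root"/{bin,usr,etc,lib64,home,dev,data} || return 1
  # sshd rejects a ChrootDirectory unless it and every parent component are
  # root-owned and not group/world-writable -- do not leave that to umask.
  chown root:root "$root" 2>/dev/null
  chmod 755 "$root"

  local spec name kind major minor
  for spec in 'null c 1 3' 'tty c 5 0' 'zero c 1 5' 'random c 1 8'; do
    read -r name kind major minor <<<"$spec"
    mknod -m 666 "$root/dev/$name" "$kind" "$major" "$minor" \
      || printf 'init_chroot: mknod %s failed (not root?)\n' "$name" >&2
  done
  chmod o+t "$root"/dev/{null,tty,zero,random} 2>/dev/null

  # usr/bin and usr/lib64 point back at the top-level dirs. -n keeps ln from
  # descending into an existing directory, and using absolute targets instead
  # of cd leaves the caller's working directory alone.
  ln -sfn ../bin "$root/usr/bin"
  ln -sfn ../lib64 "$root/usr/lib64"

  local -a bins=(/bin/ls /bin/cat /bin/rm /bin/echo /bin/false /bin/touch /bin/vi /bin/mkdir)
  cp -p "${bins[@]}" "$root/bin/"

  # Copy every shared object ldd resolves for the binaries above. ldd prints
  # "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x..)" or, for the loader,
  # "/lib64/ld-linux-x86-64.so.2 (0x..)"; keep only absolute paths so that
  # "=> not found" and the vdso line are skipped.
  local bin so
  for bin in "${bins[@]}"; do
    while IFS= read -r so; do
      [[ "$so" == /* ]] || continue
      # Libraries may live in /lib/<triplet>/ or /usr/lib rather than /lib64,
      # and that directory does not exist in the jail yet.
      mkdir -p "$root${so%/*}"
      cp -v "$so" "$root$so" \
        || printf 'init_chroot: copying %s failed\n' "$so" >&2
    done < <(ldd "$bin" 2>/dev/null \
               | awk '$2 == "=>" { print $3 } $1 ~ /^\// { print $1 }')
  done
}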
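# Append a Match block to sshd_config that jails the given principal into an
# SFTP-only chroot, validate the result and restart sshd.
#
# Arguments: $1 - Match criterion ("User" or "Group")
#            $2 - user or group name
#            $3 - ChrootDirectory. sshd requires it and every parent component
#                 to be root-owned and not group/world-writable, otherwise the
#                 login is rejected with "bad ownership or modes".
# Globals:   SSHD_CONFIG - file to edit (default /etc/ssh/sshd_config)
# Returns:   1 if the resulting file fails `sshd -t` (sshd is then NOT
#            restarted); otherwise the status of `systemctl restart sshd`.
config_sshd() {
  local criterion=$1 principal=$2 jail=$3
  local cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}

  # The script is meant to be re-runnable; appending a second identical Match
  # block would at best be a confusing no-op, so skip if one is already there.
  if grep -qs -- "^Match ${criterion} ${principal}\$" "$cfg"; then
    printf 'config_sshd: "Match %s %s" already in %s, leaving it alone\n' \
      "$criterion" "$principal" "$cfg" >&2
  else
    # A Match block extends to the next Match or EOF, so the end of the file
    # is the only safe place for it. Forwarding, tunnelling and PTY
    # allocation are all switched off: a file-transfer account has no use
    # for any of them.
    cat >> "$cfg" <<EOE
Match ${criterion} ${principal}
ChrootDirectory ${jail}
ForceCommand internal-sftp -l INFO -f AUTH
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
PermitTTY no
PasswordAuthentication no
EOE
  fi

  # Never restart sshd on a config it cannot parse -- that locks you out of a
  # remote box. The check is skipped when sshd is not on PATH.
  if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$cfg"; then
    printf 'config_sshd: %s failed "sshd -t", NOT restarting sshd\n' "$cfg" >&2
    return 1
  fi
  systemctl restart sshd
}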
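# Write and start a systemd .mount unit that bind-mounts $2 onto $3.
# Equivalent to:  mount -o bind${4:+,ro} "$2" "$3"   (made persistent)
#
# Arguments: $1 - unit file name, e.g. "chroot_sftp-home-sshfs.mount".
#                 systemd refuses to start a mount unit whose name is not the
#                 escaped Where= path, so it must equal
#                 `systemd-escape -p --suffix=mount "$3"`.
#            $2 - source directory (What=)
#            $3 - mount point (Where=)
#            $4 - non-empty => read-only bind; empty/absent => read-write
# Globals:   SYSTEMD_UNIT_DIR - where the unit is written
#                               (default /etc/systemd/system)
# Returns:   1 if $1 does not match the escaped form of $3; otherwise the
#            status of `systemctl enable --now`.
config_systemd() {
  local unit=$1 src=$2 mnt=$3 ro_flag=$4
  local unit_dir=${SYSTEMD_UNIT_DIR:-/etc/systemd/system}

  # Catch a name/path mismatch here rather than as a cryptic "Where= setting
  # doesn't match unit name" at boot.
  if command -v systemd-escape >/dev/null 2>&1; then
    local expected
    expected=$(systemd-escape -p --suffix=mount "$mnt")
    if [[ "$unit" != "$expected" ]]; then
      printf 'config_systemd: unit %s does not match Where=%s (expected %s)\n' \
        "$unit" "$mnt" "$expected" >&2
      return 1
    fi
  fi

  # NOTE(review): whether "bind,ro" really yields a read-only mount depends on
  # the util-linux version doing the mount -- older releases silently ignored
  # ro on a bind and needed a separate remount. Verify with `findmnt <mnt>`
  # after the first start. RequiresMountsFor= makes sure the source path is
  # mounted before this bind is attempted.
  cat > "$unit_dir/$unit" <<EOF
# Generated by ${0##*/}: bind-mount ${src} onto ${mnt}
[Unit]
Description=Bind mount ${src} onto ${mnt}
Documentation=man:systemd.mount(5)
RequiresMountsFor=${src}
Before=local-fs.target

[Mount]
What=${src}
Where=${mnt}
Type=none
Options=defaults,bind${ro_flag:+,ro}

[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable --now "$unit"
}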
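# Create the sshfs account, its login key pair, and the bind mounts that
# expose its home (read-only) and the local share (read-write) inside the
# chroot tree.
#
# Globals (read): SSHFSUID SSHFSUSER SSHFSROOT CHROOTHOME SSHFSCHROOTDIR
#                 SSHFSLOCALSHARE
# Calls:    config_sshd, config_systemd (defined above in this file)
# Returns:  1 if the account cannot be created; otherwise 0. The mount steps
#           are best-effort and report on stderr.
init_sshfs() {
  config_sshd "User" "$SSHFSUSER" "$SSHFSCHROOTDIR"

  # Account: no interactive shell, key-only login (PasswordAuthentication is
  # off in the Match block). An empty skeleton dir keeps dotfiles out of a
  # home that is later bind-mounted into the chroot. useradd fails on an
  # existing account, so only create it once; the temp skel is removed either
  # way instead of being leaked in /tmp.
  if ! id -u "$SSHFSUSER" >/dev/null 2>&1; then
    local skel
    skel=$(mktemp -d) || return 1
    useradd -u "$SSHFSUID" -m -k "$skel" -d "$SSHFSROOT" -s /bin/false "$SSHFSUSER" || {
      rm -rf -- "$skel"
      return 1
    }
    rm -rf -- "$skel"
  fi

  # ssh-keygen does not create the parent directory, so ~/.ssh must exist
  # (mode 700, or StrictModes rejects authorized_keys) before generating.
  # Without the -f guard a re-run would make ssh-keygen prompt "Overwrite?"
  # and block on stdin.
  #
  # NOTE(review): the private half of this key is what the node servers use
  # to log in (identityfile= in their fstab), i.e. it is a shared credential
  # generated on the server side. Copy id_rsa to the nodes over a trusted
  # channel (the old `cat ${SSHFSROOT}/.ssh/id_rsa` step) and consider
  # removing it from this host afterwards. The Match block already restricts
  # the account to SFTP; a `from="<node ips>"` prefix in authorized_keys would
  # narrow it further.
  su - "$SSHFSUSER" -s /bin/bash -c '
    umask 077
    mkdir -p ~/.ssh
    [ -f ~/.ssh/id_rsa ] || ssh-keygen -q -f ~/.ssh/id_rsa -t rsa -b 4096 -N ""
    cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys'

  # Home directory, read-only, under the chroot tree
  # (equivalent to: mount -o ro,bind ${SSHFSROOT} ${CHROOTHOME}${SSHFSROOT}).
  # The unit name must be the systemd-escaped mount point.
  mkdir -p "${CHROOTHOME}${SSHFSROOT}"
  local home_unit="${CHROOTHOME#/}${SSHFSROOT//\//-}.mount"
  config_systemd "$home_unit" "$SSHFSROOT" "${CHROOTHOME}${SSHFSROOT}" 1

  # Local share, read-write, bind-mounted onto the account's ChrootDirectory.
  # NOTE(review): sshd requires ${SSHFSCHROOTDIR} itself to be root-owned and
  # not writable by the sftp user, so that user can only write into a
  # sub-directory you create and chown to them -- none is created here.
  mkdir -p "$SSHFSCHROOTDIR" "$SSHFSLOCALSHARE"
  echo "sshfs 共享目录 " > "$SSHFSLOCALSHARE/readme.md"
  local share_unit="${SSHFSCHROOTDIR#/}"
  config_systemd "${share_unit//\//-}.mount" "$SSHFSLOCALSHARE" "$SSHFSCHROOTDIR"
}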
# Entry point: build the jail skeleton first, then the sshfs account, its
# key and the bind mounts.
main() {
  init_chroot
  # sshfs
  init_sshfs
}
main "$@"
节点服务器配置
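# 开机启动项 -- boot-time sshfs mount on the node
$> vim /etc/fstab
# identityfile= is the private key generated on the SFTP server; keep it
# root-owned, mode 0600. allow_other + default_permissions let every local
# user see the mount with the kernel enforcing the mode bits against the
# uid=/gid= below. NOTE(review): idmap=user only maps the connecting user's
# remote uid onto uid=1002 -- files owned by other remote uids keep their
# numeric ids; confirm that is what the consumers of /data/backup expect.
sshfsdir@10.0.2.30:/node21 /data/backup fuse.sshfs auto,reconnect,_netdev,user,idmap=user,identityfile=/etc/.ssh/sshfsdir,allow_other,default_permissions,uid=1002,gid=1002 0 0
# zabbix 监控 -- agent item: 0 = mount active, 1 = not
$> vim /opt/zabbix-agentd/etc/zabbix_agentd.conf.d/sshfs_status.conf
# zabbix_agentd runs UserParameter commands through /bin/sh -c. The original
# ">& /dev/null" is a bash-only redirection and a syntax error under dash,
# so the POSIX form is used. NOTE(review): the unit name must be the
# systemd-escaped mount point (data-backup.mount for the /data/backup entry
# above); data-ltbstore.mount presumably comes from a different node --
# adjust per host.
UserParameter=sshfs_status,/bin/systemctl is-active data-ltbstore.mount >/dev/null 2>&1 && echo 0 || echo 1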