9. Configure SSH
Configuring SSH on All Cluster Nodes
Before you install and use Oracle Real Application Clusters, you must configure secure
shell (SSH) for the oracle user on all cluster nodes. Oracle Universal Installer uses
the ssh and scp commands during installation to run remote commands on and copy
files to the other cluster nodes. You must configure SSH so that these commands do
not prompt for a password.
Configuring SSH on Cluster Member Nodes
To configure SSH, you must first create RSA and DSA keys on each cluster node, and
then copy the keys from all cluster node members into an authorized keys file on each
node. To do this task, complete the following steps:
Create RSA and DSA keys on each node: Complete the following steps on each
node:
1. Log in as the oracle user.
2. If necessary, create the .ssh directory in the oracle user’s home directory and
set the correct permissions on it:
mkdir ~/.ssh
chmod 700 ~/.ssh
3. Enter the following commands to generate an RSA key for version 2 of the SSH
protocol:
/usr/bin/ssh-keygen -t rsa
At the prompts:
■ Accept the default location for the key file.
■ Enter and confirm a pass phrase that is different from the oracle user’s
password.
This command writes the public key to the ~/.ssh/id_rsa.pub file and the
private key to the ~/.ssh/id_rsa file. Never distribute the private key to anyone.
4. Enter the following commands to generate a DSA key for version 2 of the SSH
protocol:
/usr/bin/ssh-keygen -t dsa
At the prompts:
■ Accept the default location for the key file.
■ Enter and confirm a pass phrase that is different from the oracle user’s
password
This command writes the public key to the ~/.ssh/id_dsa.pub file and the
private key to the ~/.ssh/id_dsa file. Never distribute the private key to
anyone.
Add keys to an authorized key file: Complete the following steps:
1. On the local node, determine if you have an authorized key file
(~/.ssh/authorized_keys). If the authorized key file already exists, then
proceed to step 2. Otherwise, enter the following commands:
touch ~/.ssh/authorized_keys
cd ~/.ssh
ls
You should see the id_dsa.pub and id_rsa.pub keys that you have created.
2. Using SSH, copy the contents of the ~/.ssh/id_rsa.pub and
~/.ssh/id_dsa.pub files to the file ~/.ssh/authorized_keys, and provide
the Oracle user password as prompted. This process is illustrated in the following
syntax example with a two-node cluster, with nodes node1 and node2, where the
Oracle user path is /home/oracle:
[oracle@rac1 .ssh]$ ssh rac1 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys
oracle@node1’s password:
[oracle@rac1 .ssh]$ ssh rac1 cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys
[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_rsa.pub >> authorized_keys
oracle@node2’s password:
[oracle@rac1 .ssh]$ ssh rac2 cat /home/oracle/.ssh/id_dsa.pub >> authorized_keys
oracle@node2’s password:
3. Use SCP (Secure Copy) or SFTP (Secure FTP) to copy the authorized_keys file
to the Oracle user .ssh directory on a remote node. The following example is with
SCP, on a node called node2, where the Oracle user path is /home/oracle:
[oracle@node1 .ssh]$ scp authorized_keys node2:/home/oracle/.ssh/
4. Repeat step 2 and 3 for each cluster node member. When you have added keys
from each cluster node member to the authorized_keys file on the last node you
want to have as a cluster node member, then use SCP to copy the complete
authorized_keys file back to each cluster node member.
Note: Repeat this process for each node in the cluster
Note: The Oracle user’s ~/.ssh/authorized_keys file on every
node must contain the contents from all of the ~/.ssh/id_rsa.pub
and ~/.ssh/id_dsa.pub files that you generated on all cluster
nodes.
5. Change the permissions on the Oracle user’s ~/.ssh/authorized_keys file on
all cluster nodes:
chmod 600 ~/.ssh/authorized_keys
At this point, if you use ssh to log in to or run a command on another node, you
are prompted for the pass phrase that you specified when you created the DSA
key.
Enabling SSH User Equivalency on Cluster Member Nodes
To enable Oracle Universal Installer to use the ssh and scp commands without being
prompted for a pass phrase, follow these steps:
1. On the system where you want to run Oracle Universal Installer, log in as the
oracle user.
2. Enter the following commands:
exec /usr/bin/ssh-agent $SHELL
/usr/bin/ssh-add
3. At the prompts, enter the pass phrase for each key that you generated.
If you have configured SSH correctly, then you can now use the ssh or scp
commands without being prompted for a password or a pass phrase.
4. If you are on a remote terminal, and the local node has only one visual (which is
typical), then use the following syntax to set the DISPLAY environment variable:
Bourne, Korn, and Bash shells
$ export DISPLAY=hostname:0
C shell:
$ setenv DISPLAY hostname:0
For example, if you are using the Bash shell, and if your hostname is node1, then
enter the following command:
$ export DISPLAY=node1:0
5. To test the SSH configuration, enter the following commands from the same
terminal session, testing the configuration of each cluster node, where
nodename1, nodename2, and so on, are the names of nodes in the cluster:
$ ssh nodename1 date
$ ssh nodename2 date
...
These commands should display the date set on each node.
If any node prompts for a password or pass phrase, then verify that the
~/.ssh/authorized_keys file on that node contains the correct public keys.
If you are using a remote client to connect to the local node, and you see a message
similar to "Warning: No xauth data; using fake authentication data for X11
forwarding," then this means that your authorized keys file is configured correctly,
but your ssh configuration has X11 forwarding enabled. To correct this, proceed to
step 6.
Note: The first time you use SSH to connect to a node from a
particular system, you may see a message similar to the following:
The authenticity of host 'node1 (140.87.152.153)' can't be
established.
RSA key fingerprint is
7z:ez:e7:f6:f4:f2:4f:8f:9z:79:85:62:20:90:92:z9.
Are you sure you want to continue connecting (yes/no)?
Enter yes at the prompt to continue. You should not see this
message again when you connect from this system to that node.
If you see any other messages or text, apart from the date, then the
installation can fail. Make any changes required to ensure that only
the date is displayed when you enter these commands.
You should ensure that any parts of login scripts that generate any
output, or ask any questions, are modified so that they act only
when the shell is an interactive shell.
6. To ensure that X11 forwarding will not cause the installation to fail, create a
user-level SSH client configuration file for the Oracle software owner user, as
follows:
a. Using any text editor, edit or create the ~oracle/.ssh/config file.
b. Make sure that the ForwardX11 attribute is set to no. For example:
Host *
ForwardX11 no
7. You must run Oracle Universal Installer from this session or remember to repeat
steps 2 and 3 before you start Oracle Universal Installer from a different terminal
session.
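The following is an added example, not part of the Oracle guide or of this post: a POSIX shell pre-flight check that verifies the ~/.ssh layout the procedure above produces (directory mode 700, authorized_keys mode 600, every node's id_rsa.pub and id_dsa.pub present) and a helper that tests whether captured `ssh nodename date` output is the bare date that step 5 requires. The node names node1/node2 and the key material are constructed so the script runs offline.

```shell
# Added example, not part of the Oracle guide quoted above: pre-flight checks
# for the oracle user's SSH setup before Oracle Universal Installer runs.
# Keys below are constructed so this runs offline; on a real node call
# check_ssh_setup "$HOME/.ssh" with the id_rsa.pub/id_dsa.pub files from every node.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_setup SSH_DIR PUBKEY...  Returns 0 only when SSH_DIR is mode 700,
# SSH_DIR/authorized_keys is mode 600, and every PUBKEY is present in it.
check_ssh_setup() {
    dir=$1; shift
    ak="$dir/authorized_keys"; rc=0
    [ "$(perm_of "$dir")" = 700 ] || { echo "FAIL: $dir is not mode 700"; rc=1; }
    [ -f "$ak" ] || { echo "FAIL: $ak missing"; return 1; }
    [ "$(perm_of "$ak")" = 600 ] || { echo "FAIL: $ak is not mode 600"; rc=1; }
    for pub in "$@"; do
        # compare the base64 key material (field 2), not the trailing comment
        keydata=$(awk '{print $2}' "$pub")
        grep -qF -- "$keydata" "$ak" || { echo "FAIL: $pub not in $ak"; rc=1; }
    done
    return $rc
}

# only_date OUTPUT: 0 when OUTPUT is exactly one line of `date` output, which
# is what `ssh nodename date` must produce for the installer to succeed.
only_date() {
    [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" = 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Z][a-z]{2} [A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8} .*[0-9]{4}$'
}

# make_demo_dir: constructed two-node layout (node1, node2; rsa and dsa keys),
# with node2's DSA key deliberately left out of authorized_keys. Prints its path.
make_demo_dir() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/.ssh"
    for n in node1 node2; do
        for t in rsa dsa; do
            printf 'ssh-%s AAAAFAKEKEY%s%s oracle@%s\n' "$t" "$t" "$n" "$n" \
                > "$tmp/id_${t}_$n.pub"
        done
    done
    cat "$tmp/id_rsa_node1.pub" "$tmp/id_dsa_node1.pub" "$tmp/id_rsa_node2.pub" \
        > "$tmp/.ssh/authorized_keys"
    chmod 600 "$tmp/.ssh/authorized_keys"
    echo "$tmp"
}
```

On a real cluster, run `only_date "$(ssh nodename date 2>&1)"` for each node after step 5; a non-zero result means a login script, X11 forwarding warning or password prompt is polluting the output that the installer will see.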
Preventing Oracle Clusterware Installation Errors Caused by stty Commands
During an Oracle Clusterware installation, Oracle Universal Installer uses SSH (if
available) to run commands and copy files to the other nodes. During the installation,
hidden files on the system (for example, .bashrc or .cshrc) will cause installation errors
if they contain stty commands.
To avoid this problem, you must modify these files to suppress all output on STDERR,
as in the following examples:
■ Bourne, Bash, or Korn shell:
if [ -t 0 ]; then
stty intr ^C
fi
■ C shell:
test -t 0
if ($status == 0) then
stty intr ^C
endif
Note: When SSH is not available, the Installer uses the rsh and
rcp commands instead of ssh and scp.
If there are hidden files that contain stty commands that are loaded
by the remote shell, then OUI indicates an error and stops the
installation.
[ This post was last edited by oldunix on 2006-12-25 11:32 ]