使用 SSH 检查 Consul

使用 SSH 检查 Consul

我有一台带有 dockerized Consul Agent (CA) 的服务器。在此 CA 中,我想从主机运行一个脚本,该脚本在服务检查中检查剩余的磁盘空间。

为此,我在CA中创建了一项服务:

{
  "service": {
    "name": "disk-usage-var-re7", 
    "tags": [
      "type:check",
      "env:re7"
    ],
    "checks": [
      {
        "id": "disk-usage-var-re7",
        "name": "Disk Usage /var RE7",
        "args": [
          "sh",
          "-c",
          "ssh consul@hostserver 'disk_usage.sh /dev/mapper/centos-var'"
        ],
        "interval": "5s",
        "timeout": "30s"
      }
    ]
  }
}

但是,当 Consul 运行他时,我收到了这个错误:Host key verification failed.

我正在使用 Consul(Alpine)的官方 Docker 镜像,版本 1.6.1,并且在容器中执行了以下命令:

docker exec consul apk add openssh
docker exec -it consul ssh-keygen -t rsa

docker cp consul:/root/.ssh/id_rsa.pub /tmp

su consul
umask 077 && mkdir ~/.ssh
umask 077 && touch ~/.ssh/authorized_keys
cat /tmp/id_rsa.pub > /home/consul/.ssh/authorized_keys
rm -f /tmp/id_rsa.pub

当我尝试

docker exec -it consul ssh consul@hostserver 'disk_usage.sh /dev/mapper/centos-var'

第一次,SSH 询问我:

The authenticity of host 'hostserver (::1)' can't be established.
ECDSA key fingerprint is SHA256:MlsT6sDr9xXuOurqBJu4e+a8m2De3Lu4ctJSB+5RNmk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hostserver' (ECDSA) to the list of known hosts.

此后,脚本仍然有效。但无需 Consul 的检查。

我究竟做错了什么?

非常感谢。

答案1

好的,我发现发生了什么。容器中的默认用户是root,但启动 Consul 的用户是consul

因此,您必须以consul指定的用户身份运行容器-u consul,并使用正确的用户使用 ssh-keygen。

现在看看正确的命令:

docker exec -it -u consul consul ssh-keygen -t rsa

docker cp consul:/home/consul/.ssh/id_rsa.pub /tmp

su consul
cat /tmp/id_rsa.pub > /home/consul/.ssh/authorized_keys
rm -f /tmp/id_rsa.pub

脚本成功运行!

相关内容