前提
总是后知后觉,总是后知后觉。目前的现状是不论出现什么问题,都无法进行提前预警和在客户未知前介入处理。早上偶然和研发经理交流时突发灵感,写下此脚本,试图以此为开始进行提前的预警。
从生产k8s集群拿到realibox.cn的证书,在预发环境做daemon案例。
daemon案例
# pwd/yufa/zhengshu/testlltotal 32-rw-r--r-- 1 root wheel 465B 9 9 09:50 test-ingress.yaml-rw-r--r-- 1 root wheel 711B 9 9 09:47 test.yaml-rw-r--r-- 1 root wheel 3.5K 9 9 09:24 tls.crt-rw-r--r-- 1 root wheel 1.6K 9 9 09:25 tls.key# kubectl -n realibox create secret tls realibox-cn --key ./tls.key --cert ./tls.crt# cat test.yamlapiVersion: v1kind: Servicemetadata: name: tomcat namespace: realiboxspec: selector: app: tomcat release: canary ports: - name: http port: 8080 targetPort: 8080 - name: ajp port: 8009 targetPort: 8009---apiVersion: apps/v1kind: Deploymentmetadata: name: tomcat-deploy namespace: realiboxspec: replicas: 1 selector: matchLabels: app: tomcat release: canary template: metadata: labels: app: tomcat release: canary spec: containers: - name: tomcat image: tomcat:7-alpine ports: - name: httpd containerPort: 8080 - name: ajp containerPort: 8009# cat test-ingress.yamlapiVersion: extensions/v1beta1kind: Ingressmetadata: name: ingress-tomcat-tls namespace: realibox annotations: kubernets.io/ingress.class: "kong"spec: tls: - hosts: - "*.realibox.cn" #与secret证书的域名需要保持一致 secretName: realibox-cn #secret证书的名称 rules: - host: zisefeizhu.realibox.cn http: paths: - path: backend: serviceName: tomcat servicePort: 8080
编写检测域名过期小脚本
话不多说直接怼脚本
# cat check_daemon.sh#!/bin/bashsource /etc/profile#定义邮件发送列表maillist=( linkun@realibox.com #2350835860@qq.com)#发送邮件函数send_mail(){ SUBJECT="$1域名即将到期" if [ $2 -ge 0 ];then CONTENT="$1:此域名即将到期,剩余时间已不足$2天,请及时续期!" for mail in ${maillist[*]};do echo -e ""当前检测的域名:" $domain\n "剩余天数: " $days\n ${CONTENT} " | mail -s "${SUBJECT}" $mail done else day=$((-$2)) CONTENT="$1:此域名已到期,已超出$day天,请及时续费!" for mail in ${maillist[*]};do echo -e "${CONTENT}" | mail -s "${SUBJECT}" $mail done fi}#检测mails命令是否存在,不存在则安装mail包is_install_mail(){ which mail &> /dev/null if [ $? -ne 0 ];then yum install -y mail fi}is_install_mail#定义需要被检测的域名列表domainlist=( zisefeizhu.realibox.cn)#检测域名到期时间并通知for domain in ${domainlist[*]};do echo "当前检测的域名:" $domain #取出域名过期时间 end_time=$(echo | timeout 1 openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | awk -F '=' '{print $2}' ) ([ $? -ne 0 ] || [[ $end_time == '' ]]) && exit 10 end_times=`date -d "$end_time" +%s ` tmp=`date -d today +"%Y-%m-%d %T"` current_times=`date -d "$tmp" +"%s"` let left_time=$end_times-$current_times days=`expr $left_time / 86400` echo "剩余天数: " $days #转换成时间戳 end_times=`date -d "$end_time" +%s ` #以时间戳的形式显示当前时间 tmp=`date -d today +"%Y-%m-%d %T"` current_times=`date -d "$tmp" +"%s"` #域名到期剩余天数 let left_time=$end_times-$current_times days=`expr $left_time / 86400` echo "剩余天数: " $days if [ $days -lt 100 ]; then echo "https 证书有效期少于100天,存在风险" send_mail $domain $days fidone发送邮件设置
获取网易云邮箱授权码
配置发送邮箱人信息
安装postfix# yum -y install postfix# systemctl enable postfix设置发送邮箱信息# vim /etc/mail.rc......新增set from=1xxxxxx91@163.comset smtp=smtp.163.comset smtp-auth-user=1xxxxxx91@163.comset smtp-auth-password=ZXUxxxxExxCSQset smtp-auth=login# systemctl start postfix# echo "test" |mail -s "tesc message" 23xxxxx60@qq.com could not connect: 连接超时"/root/dead.letter" 11/308. . . message not sent.超时原因:阿里云服务器关闭了25端口,发送邮件连接不上服务器的缘故,而且官方不允许打开该端口网易163免费邮箱相关服务器信息:
所以除了换邮箱之外(端口不是25的,要么是国外不好申请,要么收费,摸摸口袋…)
以网易163邮箱为例,使用SSL下的465端口
请求数字证书mkdir -p /root/.certs/echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crtcertutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt修稿邮件发送人设置# vim /etc/mail.rc......改增set from=1xxxxxx91@163.comset smtp=smtps://smtp.163.com:465set smtp-auth-user=1xxxxxx91@163.comset smtp-auth-password=ZXxxxGWRxxxCSQset smtp-auth=loginset ssl-verify=ignoreset nss-config-dir=/root/.certs重启测试# systemctl restart postfix# echo "test" |mail -s "title" linkun@realibox.com登陆邮箱验证
emmm。收到是收到了,但有个报错
证书不被信任,且命令行就此卡住,需要按键才能出现命令提示符# Error in certificate: Peer's certificate issuer is not recognized.处理此问题# cd /root/.certs/# ll 总用量 80-rw-r--r-- 1 root root 2415 9月 9 13:31 163.crt-rw------- 1 root root 65536 9月 9 13:35 cert8.db-rw------- 1 root root 16384 9月 9 13:35 key3.db-rw------- 1 root root 16384 9月 9 13:31 secmod.db# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt问题解决测试daemon案例
执行脚本
sh check_daemon.sh当前检测的域名: zisefeizhu.rxxxxx.cn剩余天数: 73剩余天数: 73https 证书有效期少于100天,存在风险验证
👌!
定时任务
# cat /etc/crontabSHELL=/bin/bashPATH=/sbin:/bin:/usr/sbin:/usr/binMAILTO=root# For details see man 4 crontabs# Example of job definition:# .---------------- minute (0 - 59)# | .------------- hour (0 - 23)# | | .---------- day of month (1 - 31)# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat# | | | | |# * * * * * user-name command to be executed#Timing execution /root/scripts/check_daemon.sh0 2 * * * root sh /root/scripts/check_daemon.sh
No comments:
Post a Comment