Kylin V10: offline upgrade to OpenSSH 10.3p1 + OpenSSL 3.0.20
Target environment
- OS: Kylin Linux Advanced Server V10 (Sword) x86_64
- Architecture: x86_64
- Goal: upgrade OpenSSH on a server without Internet access by installing RPM packages
Part 1: Build the RPM packages on a connected build machine
Prepare a machine with Internet access that is identical to the target server (same OS release and architecture) for compiling and packaging.
1. Install the packaging tools and build dependencies
yum install -y rpm-build rpmdevtools gcc gcc-c++ make wget \
zlib-devel pam-devel perl
# Create the ~/rpmbuild directory tree
rpmdev-setuptree
2. Upload the source tarballs
Upload the following two files to /opt:
- openssl-3.0.20.tar.gz
- openssh-10.3p1.tar.gz
3. Build the OpenSSL 3.0.20 RPM
Create ~/rpmbuild/SPECS/openssl.spec with the following content:
%define debug_package %{nil}
Name: openssl
Version: 3.0.20
Release: 1%{?dist}
Summary: OpenSSL 3.0.20 for Kylin V10
License: Apache-2.0
URL: https://www.openssl.org/
Source0: %{name}-%{version}.tar.gz
BuildRequires: gcc, make, perl, zlib-devel
Requires: glibc, zlib
%description
OpenSSL 3.0.20 installed under /usr/local/openssl; the distribution's own OpenSSL is left untouched.
%prep
%setup -q
%build
./config --prefix=%{_prefix}/local/openssl --openssldir=%{_prefix}/local/openssl shared zlib
make %{?_smp_mflags}
%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
%{__rm} -rf %{buildroot}%{_prefix}/local/openssl/lib/*.a
%files
%defattr(-,root,root,-)
%{_prefix}/local/openssl/
%post
# Add the library directory to the dynamic linker search path
if [ -d /usr/local/openssl/lib64 ]; then
echo '/usr/local/openssl/lib64' > /etc/ld.so.conf.d/openssl.conf
elif [ -d /usr/local/openssl/lib ]; then
echo '/usr/local/openssl/lib' > /etc/ld.so.conf.d/openssl.conf
fi
/sbin/ldconfig
%postun
/sbin/ldconfig
%changelog
Build the RPM:
cp /opt/openssl-3.0.20.tar.gz ~/rpmbuild/SOURCES/
cd ~/rpmbuild/SPECS
rpmbuild -ba openssl.spec
If the build fails, clean up the remnants of the previous failed build:
cd ~/rpmbuild/SPECS
# Remove the leftovers of the failed build
rm -rf ~/rpmbuild/BUILD/openssl-3.0.20
rm -rf ~/rpmbuild/BUILDROOT/openssl-3.0.20-*
# Build again
rpmbuild -ba openssl.spec
Resulting RPM: ~/rpmbuild/RPMS/x86_64/openssl-3.0.20-1.ky10.x86_64.rpm
4. Build the OpenSSH 10.3p1 RPM
Create ~/rpmbuild/SPECS/openssh.spec with the following content:
%undefine __brp_check_rpaths
%define debug_package %{nil}
Name: openssh
Version: 10.3p1
Release: 1%{?dist}
Summary: OpenSSH 10.3p1 for Kylin V10
License: BSD
URL: https://www.openssh.com/
Source0: %{name}-%{version}.tar.gz
BuildRequires: gcc, make, zlib-devel, pam-devel
Requires: openssl >= 3.0.0, pam, glibc
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description
OpenSSH 10.3p1 built against the custom OpenSSL, with complete systemd service unit files.
%prep
%setup -q
%build
export CPPFLAGS="-I/usr/local/openssl/include"
export LDFLAGS="-L/usr/local/openssl/lib64"
export LD_LIBRARY_PATH="/usr/local/openssl/lib64:$LD_LIBRARY_PATH"
./configure --prefix=%{_prefix} \
--sysconfdir=%{_sysconfdir}/ssh \
--with-pam \
--with-zlib \
--with-ssl-dir=/usr/local/openssl
make %{?_smp_mflags}
%install
rm -rf %{buildroot}
export LD_LIBRARY_PATH="/usr/local/openssl/lib64:$LD_LIBRARY_PATH"
make install DESTDIR=%{buildroot}
# Install the systemd unit files
mkdir -p %{buildroot}%{_unitdir}
cat > %{buildroot}%{_unitdir}/sshd.service << 'EOF'
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.target
Wants=sshd-keygen.target
[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
EOF
cat > %{buildroot}%{_unitdir}/sshd-keygen.target << 'EOF'
[Unit]
Description=OpenSSH server key generation
PartOf=sshd.service
EOF
%files
%defattr(-,root,root,-)
%{_bindir}/ssh*
%{_bindir}/scp
%{_bindir}/sftp
%{_sbindir}/sshd*
%{_libexecdir}/sftp-server
%{_libexecdir}/ssh-keysign
%{_libexecdir}/ssh-pkcs11-helper
%{_libexecdir}/ssh-sk-helper
%{_libexecdir}/sshd-auth
%{_libexecdir}/sshd-session
%config(noreplace) %{_sysconfdir}/ssh/*
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_unitdir}/sshd.service
%{_unitdir}/sshd-keygen.target
%pre
# Stop the old service before an upgrade (if it is running)
if [ $1 -ge 2 ]; then
systemctl stop sshd >/dev/null 2>&1 || :
fi
%post
# Reload systemd, enable the service on first install, and start it
systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -eq 1 ]; then
systemctl enable sshd >/dev/null 2>&1
fi
systemctl start sshd >/dev/null 2>&1 || :
%preun
# On complete removal, stop and disable the service
if [ $1 -eq 0 ]; then
systemctl stop sshd >/dev/null 2>&1 || :
systemctl disable sshd >/dev/null 2>&1 || :
fi
%postun
# Reload systemd after removal to clean up stale units
systemctl daemon-reload >/dev/null 2>&1 || :
%changelog
Build:
cp /opt/openssh-10.3p1.tar.gz ~/rpmbuild/SOURCES/
cd ~/rpmbuild/SPECS
rpmbuild -ba openssh.spec
If the build fails, clean up the remnants of the previous failed build:
rm -rf ~/rpmbuild/BUILD/openssh-10.3p1
rm -rf ~/rpmbuild/BUILDROOT/openssh-10.3p1-*
cd ~/rpmbuild/SPECS
rpmbuild -ba openssh.spec
Resulting RPM: ~/rpmbuild/RPMS/x86_64/openssh-10.3p1-1.ky10.x86_64.rpm
Part 2: Install on the offline target server
Copy the following two RPM packages to the target server:
- openssl-3.0.20-1.ky10.x86_64.rpm
- openssh-10.3p1-1.ky10.x86_64.rpm
Step 1: Upload and install the packages
# Install openssl
rpm -ivh --force --nodeps openssl-3.0.20-1.ky10.x86_64.rpm
# Install openssh
rpm -Uvh --force --nodeps openssh-10.3p1-1.ky10.x86_64.rpm
Step 2: Check the configuration
- Run /usr/sbin/sshd -t to report the configuration directives the new version does not accept.
- Comment out the incompatible directives in /etc/ssh/sshd_config:
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials yes
# RSAAuthentication yes
# RhostsRSAAuthentication yes
# GSSAPIKexAlgorithms
or do it with sed:
sed -i 's/^GSSAPIAuthentication/#&/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials/#&/' /etc/ssh/sshd_config
sed -i 's/^RSAAuthentication/#&/' /etc/ssh/sshd_config
sed -i 's/^RhostsRSAAuthentication/#&/' /etc/ssh/sshd_config
sed -i 's/^GSSAPIKexAlgorithms/#&/' /etc/ssh/sshd_config
Step 3: Start and verify
systemctl restart sshd
# Should show active (running)
systemctl status sshd
# Should print OpenSSH_10.3p1, OpenSSL 3.0.20
ssh -V
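Once the three steps above have run, the following script (an added example, not part of the original post; the script name check_sshd_upgrade.sh is hypothetical) checks the result on the target: it lists legacy directives still active in sshd_config, verifies from ldd output that sshd resolves libcrypto and libssl from /usr/local/openssl rather than the distribution copy, checks the ssh -V versions, and in live mode runs sshd -t with the same $OPTIONS and $CRYPTO_POLICY that the unit file passes to sshd, because a plain sshd -t never sees options injected through EnvironmentFile. The functions read captured output so they can be exercised without root; the live section assumes the paths from the unit file above and a shell-sourceable KEY='value' format for the two environment files.

```shell
#!/bin/sh
# Post-upgrade checks for the OpenSSH 10.3p1 / OpenSSL 3.0.20 RPMs from this post.
# Added example (hypothetical name check_sshd_upgrade.sh), not part of the original.

# Directives the post comments out; GSSAPIKexAlgorithms is a vendor-only keyword
# that an upstream sshd rejects outright, the others are deprecated/unsupported.
LEGACY_DIRECTIVES='GSSAPIAuthentication GSSAPICleanupCredentials RSAAuthentication RhostsRSAAuthentication GSSAPIKexAlgorithms'

# Print every still-active (uncommented) legacy directive in the given sshd_config.
# Returns 1 if any is found, 0 if the file is clean.
check_sshd_config() {
    found=0
    for d in $LEGACY_DIRECTIVES; do
        if grep -Eiq "^[[:space:]]*$d([[:space:]]|\$)" "$1"; then
            grep -Ei "^[[:space:]]*$d([[:space:]]|\$)" "$1"
            found=1
        fi
    done
    return $found
}

# Verify that `ldd /usr/sbin/sshd` output (stdin) resolves both libcrypto and
# libssl from the custom prefix, i.e. the ld.so.conf.d entry from %post took effect.
check_linked_openssl() {
    out=$(cat)
    for lib in libcrypto libssl; do
        printf '%s\n' "$out" | grep -E "^[[:space:]]*$lib\.so" | grep -q '/usr/local/openssl/' || return 1
    done
}

# Verify that `ssh -V` output (stdin) names both expected versions.
check_versions() {
    case "$(cat)" in
        *OpenSSH_10.3p1*OpenSSL\ 3.0.20*) return 0 ;;
    esac
    return 1
}

# Live mode (root, on the target): run the sshd -t the unit's ExecStart implies,
# so options injected via $CRYPTO_POLICY/$OPTIONS are validated too (assumes the
# env files use the shell-sourceable KEY='value' form of RHEL-8-family systems).
if [ "${1:-}" = "live" ]; then
    check_sshd_config /etc/ssh/sshd_config || echo "WARN: legacy directives still active (listed above)"
    ldd /usr/sbin/sshd | check_linked_openssl || echo "FAIL: sshd does not link against /usr/local/openssl"
    ssh -V 2>&1 | check_versions || echo "FAIL: unexpected ssh -V output: $(ssh -V 2>&1)"
    [ -f /etc/crypto-policies/back-ends/opensshserver.config ] && . /etc/crypto-policies/back-ends/opensshserver.config
    [ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
    /usr/sbin/sshd -t $OPTIONS $CRYPTO_POLICY && echo "OK: sshd -t passes with the unit's environment"
fi
```

Run `sh check_sshd_upgrade.sh live` as root on the target while your existing SSH session is still open, and only close it after a fresh login succeeds.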