Scenario one
This scenario applies when you receive a batch of new intranet hosts to build a cluster for some system, pick one of them as an Ansible jump host for later CD work, and need one-way password-less SSH from the Ansible host to every other host in the cluster (that is, `ssh user@host_ip` from the Ansible machine logs in without a password). The approach in this article configures exactly that.
Personally I find it more convenient to do this with Ansible than with the ssh-copy-id command.
The prerequisites for this scenario are:
(1) Information required: the IP address of every host in the cluster, plus root privileges and the root password on every host (needed when writing the Ansible inventory).
Note: the root password is only configured once. Once key-based login works, the root passwords on the other cluster hosts can be rotated and the Ansible host's password-less root access removed.
(2) The Ansible node must be able to reach the managed nodes on port 22.
(3) The Ansible node can log in as root and install Ansible.
Step analysis for this scenario:
(1) Install and configure the Ansible service on the Ansible node;
(2) On the Ansible node, write the inventory file `hosts` listing the target managed hosts;
(3) Write and run a playbook that sets up password-less login from Ansible to every target node.
1. Installing and configuring the Ansible node
My machine resources are limited, so there are certainly not a hundred VMs here; only four hosts are used for the demonstration below, and I ask my fellow ops folks to bear with me. The virtual machines are configured as follows:
IP address | Hostname | Role
---|---|---
192.168.233.13 | ANSIBLEM1 | Ansible control node
192.168.233.14 | ANSIBLES1 | Ansible managed node 1
192.168.233.15 | ANSIBLES2 | Ansible managed node 2
192.168.233.16 | ANSIBLES3 | Ansible managed node 3
- Install Ansible
```
[root@ANSIBLEM1 ~]# yum install -y ansible
```
- Edit the Ansible configuration
```
[root@ANSIBLEM1 ~]# vim /etc/ansible/ansible.cfg
# Under [defaults], remove the leading # from host_key_checking = False and
# remote_port = 22. With host key checking off, Ansible no longer stops at the
# host-key confirmation prompt that ssh shows on a first connection.
remote_port = 22
host_key_checking = False
```
Keep in mind that host_key_checking = False also makes Ansible ignore a changed host key on later connections. If that matters in your environment, leave it enabled and pre-populate the ansible user's ~/.ssh/known_hosts instead (for example with ssh-keyscan, checking the fingerprints out of band).
2. Configuring the inventory of hosts Ansible manages
- Create the inventory file
```
# Create the ansible user on the server
[root@ANSIBLEM1 ~]# useradd ansible
[root@ANSIBLEM1 ~]# passwd ansible
# Switch to the ansible user
[root@ANSIBLEM1 ~]# su - ansible
# Create the inventory file
[ansible@ANSIBLEM1 ~]$ mkdir -p /home/ansible/ansible_workspace/inventories/DEV
[ansible@ANSIBLEM1 ~]$ cd /home/ansible/ansible_workspace/inventories/DEV
[ansible@ANSIBLEM1 DEV]$ vim hosts
[all]
192.168.233.14
192.168.233.15
192.168.233.16
[ssh_key]
192.168.233.14 ansible_ssh_user=root ansible_ssh_pass='your_password'
192.168.233.15 ansible_ssh_user=root ansible_ssh_pass='your_password'
192.168.233.16 ansible_ssh_user=root ansible_ssh_pass='your_password'
```
The ansible_ssh_user and ansible_ssh_pass variables in the inventory are the username and password of an account that already exists on the remote host (current Ansible spells them ansible_user and ansible_password; the old names still work). The password is only needed until the key is installed: remove it afterwards, as noted in the prerequisites, or supply it at run time with --ask-pass instead of writing it to disk.
- Test that the inventory file works
```
[ansible@ANSIBLEM1 DEV]$ ansible all -i /home/ansible/ansible_workspace/inventories/DEV/hosts -m ping -u root
192.168.233.15 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.15' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
192.168.233.14 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.14' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
192.168.233.16 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.16' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
```
This output shows that Ansible has parsed the inventory and reached each host, but password-less login is not configured yet (and the placeholder password is rejected), so every host reports Permission denied.
3. Setting up password-less login from Ansible to each target node
- Generate a key pair on the Ansible control node
```
# Log in as the ansible user and run ssh-keygen to create the private and public key; press Enter through the prompts
[ansible@ANSIBLEM1 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible/.ssh/id_rsa.
Your public key has been saved in /home/ansible/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:njoTPg8vFUXJKbsVWG69JlPbHCbqr9sld6hJ8ij8J14 ansible@ANSIBLEM1
The key's randomart image is:
+---[RSA 2048]----+
| =oo |
| o.*. |
| +o.+ o |
| o..o B . |
| S++ + o |
| ..oo + . |
| ..+o o E + .|
| *+o .O.* . |
| .*o+*=* |
+----[SHA256]-----+
[ansible@ANSIBLEM1 ~]$ ll .ssh/
total 12
-rw------- 1 ansible ansible 1679 Sep 11 17:13 id_rsa
-rw-r--r-- 1 ansible ansible 399 Sep 11 17:13 id_rsa.pub
-rw-r--r-- 1 ansible ansible 528 Sep 11 17:11 known_hosts
```
- Write a playbook that pushes the public key from the Ansible node to every managed server
```
[ansible@ANSIBLEM1 ~]$ cd /home/ansible/ansible_workspace
[ansible@ANSIBLEM1 ansible_workspace]$ vim push_key.yml
```
```yaml
- hosts: ssh_key
  remote_user: root
  tasks:
    - name: push ansible key
      # appends the ansible user's public key to /root/.ssh/authorized_keys on each host
      authorized_key: user=root key="{{ lookup('file', '/home/ansible/.ssh/id_rsa.pub') }}" state=present
```
- Run the playbook
```
[ansible@ANSIBLEM1 ansible_workspace]$ ansible-playbook push_key.yml -i /home/ansible/ansible_workspace/inventories/DEV/hosts
PLAY [ssh_key] *****************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************
ok: [192.168.233.15]
ok: [192.168.233.16]
ok: [192.168.233.14]
TASK [push ansible key] ********************************************************************************************************************
changed: [192.168.233.15]
changed: [192.168.233.16]
changed: [192.168.233.14]
PLAY RECAP *********************************************************************************************************************************
192.168.233.14 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.15 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.16 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
- Test whether the Ansible node can now log in as root on the managed servers without a password
```
[ansible@ANSIBLEM1 ansible_workspace]$ ssh root@192.168.233.14
[root@ANSIBLES1 ~]#
[ansible@ANSIBLEM1 ansible_workspace]$ ssh root@192.168.233.15
[root@ANSIBLES2 ~]#
[ansible@ANSIBLEM1 ansible_workspace]$ ssh root@192.168.233.16
[root@ANSIBLES3 ~]#
```
The tests above show that password-less root login from Ansible to every managed server now works. To revoke it again, run a playbook like the following:
```
[ansible@ANSIBLEM1 ansible_workspace]$ vim del_ansible_key.yml
```
```yaml
- hosts: ssh_key
  remote_user: root
  tasks:
    - name: delete remote public key
      # must reference the same public key push_key.yml installed; state=absent removes exactly that entry
      authorized_key: user=root key="{{ lookup('file', '/home/ansible/.ssh/id_rsa.pub') }}" state=absent
```
```
[ansible@ANSIBLEM1 ansible_workspace]$ ansible-playbook del_ansible_key.yml -i /home/ansible/ansible_workspace/inventories/DEV/hosts
```
At this point the ansible user can log in as root on every managed node without a password, which is clearly something for the senior ops people, that is, the administrators. For security reasons, people who only deploy onto the cluster are normally not given password-less root on any cluster server, which leads to the second scenario:
Scenario two
PS: You are the cluster's super administrator. You have received a batch of new hosts, the Ansible environment has already been set up for you, and the Ansible control node already has password-less root access to the managed nodes (ssh root@host_ip without a password). You now need to create an ordinary user for the people who deploy systems on the cluster: using one user on the Ansible node, they manage the managed hosts through Ansible. Here that user is devops; later, deployers need to log in from the Ansible node as devops to the ordinary user tuser on the other cluster hosts without a password, for deployment and maintenance.
Step analysis for this scenario:
(1) As root on the Ansible node, create the ordinary user devops;
(2) On the Ansible node, set up password-less login from devops to the tuser user on the other cluster hosts.
1. Creating the user the deployers need
- As root on the Ansible node, create the ordinary user devops
```
[root@ANSIBLEM1 ~]# useradd devops
[root@ANSIBLEM1 ~]# passwd devops
Changing password for user devops.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
```
- Switch to the devops user and generate a key pair
```
[root@ANSIBLEM1 ~]# su - devops
[devops@ANSIBLEM1 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:220mn0IXgQ7s+/UoB0FV341lnwBHnoijUVIqrusbg6A devops@ANSIBLEM1
The key's randomart image is:
+---[RSA 2048]----+
| o.o ++=. o|
| * + = o==|
| . + * . +..=|
| . . + + . |
|. . .S. . . |
|o . . .oo.o |
|E. + .oo++o |
| + +=o.. |
| .+. +o |
+----[SHA256]-----+
[devops@ANSIBLEM1 ~]$ ll /home/devops/.ssh/id_rsa.pub
```
2. Making the devops public key readable
- Copy the devops public key where the ansible user can read it; otherwise the ansible user cannot access it
```
# This prepares for pushing the devops public key to each managed node in the next step
[root@ANSIBLEM1 ~]# mkdir /home/ansible/devopskey/
[root@ANSIBLEM1 ~]# cp /home/devops/.ssh/id_rsa.pub /home/ansible/devopskey/
[root@ANSIBLEM1 ~]# chown -R ansible.ansible /home/ansible/devopskey
[root@ANSIBLEM1 ~]# su - ansible
[ansible@ANSIBLEM1 ~]$ cd devopskey/
[ansible@ANSIBLEM1 devopskey]$ ll
total 4
-rw-r--r-- 1 ansible ansible 398 Sep 12 23:38 id_rsa.pub
```
3. Writing and running the playbook for password-less SSH
- As the ansible user, write the playbook that pushes the devops public key
```
[ansible@ANSIBLEM1 ~]$ cd ansible_workspace/
[ansible@ANSIBLEM1 ansible_workspace]$ vim push_devops_key.yml
```
```yaml
- hosts: ssh_key
  remote_user: root
  tasks:
    - name: push devops key
      # installs the devops public key into tuser's authorized_keys on each managed host
      authorized_key: user=tuser key="{{ lookup('file', '/home/ansible/devopskey/id_rsa.pub') }}" state=present
```
- Run the playbook as the ansible user
```
[ansible@ANSIBLEM1 ansible_workspace]$ ansible-playbook push_devops_key.yml -i /home/ansible/ansible_workspace/inventories/DEV/hosts
```
```
PLAY [ssh_key] *********************************************************************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************************************************************
ok: [192.168.233.14]
ok: [192.168.233.15]
ok: [192.168.233.16]
TASK [push devops key] *************************************************************************************************************************************************
changed: [192.168.233.15]
changed: [192.168.233.14]
changed: [192.168.233.16]
PLAY RECAP *************************************************************************************************************************************************************
192.168.233.14 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.15 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.16 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
```
- Test whether devops on the Ansible node can now log in as tuser on the managed hosts without a password
```
[root@ANSIBLEM1 ~]# su - devops
[devops@ANSIBLEM1 ~]$ ssh tuser@192.168.233.14
The authenticity of host '192.168.233.14 (192.168.233.14)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.14' (ECDSA) to the list of known hosts.
Last login: Thu Sep 12 23:30:25 2024
[devops@ANSIBLEM1 ~]$ ssh tuser@192.168.233.15
The authenticity of host '192.168.233.15 (192.168.233.15)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.15' (ECDSA) to the list of known hosts.
Last login: Wed Sep 11 18:16:08 2024 from 192.168.233.13
[devops@ANSIBLEM1 ~]$ ssh tuser@192.168.233.16
The authenticity of host '192.168.233.16 (192.168.233.16)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.16' (ECDSA) to the list of known hosts.
Last login: Wed Sep 11 18:16:37 2024 from 192.168.233.13
```
Note: when devops logs in to tuser on a remote host for the first time, it has to answer yes to a confirmation. Unlike the ansible user, whose connections follow the host_key_checking setting in /etc/ansible/ansible.cfg, devops uses plain OpenSSH, which verifies the host key itself and records it in ~/.ssh/known_hosts once you accept. The question is asked on the first connection only, and again only if that host's key ever changes. Before answering yes, compare the fingerprint shown with one obtained out of band. Also note that all three managed hosts above present the same ECDSA fingerprint, which usually means the VMs were cloned from one image that already contained its host keys; regenerating the host keys on each machine keeps those known_hosts entries meaningful.
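An added example (not a playbook from the original post) that hardens the push_key.yml and push_devops_key.yml playbooks above: it serves both scenarios through two variables, installs the key with options that only accept it from the control node, and reads the file back to confirm the restricted entry landed. Assumptions: the ssh_key inventory group from the post, the control node at 192.168.233.13 as in the table, and the ansible.posix collection (the bare authorized_key name used in the post also works on older installs).

```yaml
# push_key_restricted.yml (added example); run as the ansible user with
#   ansible-playbook push_key_restricted.yml -i /home/ansible/ansible_workspace/inventories/DEV/hosts
# Scenario one: target_user=root   key_file=/home/ansible/.ssh/id_rsa.pub
# Scenario two: target_user=tuser  key_file=/home/ansible/devopskey/id_rsa.pub
- hosts: ssh_key
  remote_user: root
  vars:
    target_user: tuser
    key_file: /home/ansible/devopskey/id_rsa.pub
    control_node_ip: 192.168.233.13   # ANSIBLEM1, assumed from the host table
  tasks:
    - name: install the public key, accepted only from the control node
      ansible.posix.authorized_key:
        user: "{{ target_user }}"
        key: "{{ lookup('file', key_file) }}"
        state: present
        # from= makes sshd reject this key from any other source address, so a
        # leaked private key is useless elsewhere; the no-* options stop the key
        # from being used to open tunnels or forward an agent through the host
        key_options: 'from="{{ control_node_ip }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
      register: pushed

    - name: read back authorized_keys and confirm the restricted entry is present
      # pushed.keyfile is the authorized_keys path the module wrote; the task
      # fails when no line carries the from= restriction
      ansible.builtin.command: grep -c 'from="{{ control_node_ip }}"' {{ pushed.keyfile }}
      register: entries
      changed_when: false
      failed_when: entries.stdout | int < 1
```

Revoking later works exactly as in del_ansible_key.yml above: the same key with state: absent, with key_options left out, removes the entry.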