Ansible's user module
user module: the user-management module
Parameter | Meaning |
---|---|
name | login name of the account (required) |
comment | the GECOS/description field, equivalent to useradd -c |
group | the user's primary group (must already exist) |
groups | supplementary groups, comma-separated; without append the list replaces the user's current supplementary groups |
append | yes: add the groups listed in groups to the ones the user already has instead of replacing them |
create_home | whether to create the home directory (default yes) |
home | path of the home directory |
shell | login shell, e.g. /bin/bash or /sbin/nologin |
system | yes: create a system account (useradd -r, UID from the system range); this flag does not change the shell, set shell: /sbin/nologin explicitly for service accounts |
uid | numeric UID of the account |
password | the password as a crypt(3) hash, never plaintext, e.g. `password: "{{ 'your-password' | password_hash('sha512') }}"` (the filter needs passlib or the Python crypt module on the control node) |
update_password | always (default): reset the password on every run in which the hash differs; on_create: only set it when the account is created |
state | present (default) or absent |
remove | with state: absent also delete the home directory and mail spool, like userdel -r |
generate_ssh_key | yes: generate an SSH key pair for the user on the managed host if none exists yet |
Adding a user
Specifying the primary group and supplementary groups: group sets the primary group, groups the supplementary ones. Every group named must already exist on the host (create it with the group module first), otherwise useradd/usermod fails.

```yaml
---
- name: adduser
  hosts: all
  tasks:
    - name: Add a user
      user:
        name: devops_user
        comment: "description of the user"   # equivalent to useradd -c
        # password must be a crypt hash. password_hash() with no salt draws a
        # random salt on every run, so the string never equals what is already
        # in /etc/shadow and the task reports changed each time; pass a fixed
        # salt as the second argument or set update_password: on_create.
        password: "{{ 'your-password' | password_hash('sha512') }}"
        shell: /bin/bash
        groups: sys_admins,developers
        # append: yes adds these two groups to the user's existing supplementary
        # groups; without it the supplementary group list becomes exactly these two
        append: yes
```
Creating a key pair when creating the user

generate_ssh_key runs ssh-keygen on the managed host as the new user: the private key never leaves that host, and the task only generates a key when the key file does not exist yet (re-running it does not rotate the key).

```yaml
---
- name: Create user
  hosts: all
  tasks:
    - name: Create the user together with an SSH key pair
      user:
        name: user1
        generate_ssh_key: yes
        ssh_key_type: rsa            # or ed25519, in which case ssh_key_bits is ignored
        ssh_key_bits: 4096           # RSA keys shorter than 2048 bits should not be generated
        ssh_key_file: .ssh/id_my_rsa # relative to the user's home directory
```
Creating users in bulk

The password is a literal in the playbook here, which is acceptable only in a lab; keep real passwords in a vault-encrypted vars file and load it with vars_files.

```yaml
---
- hosts: all
  remote_user: root
  tasks:
    - name: Create users with their primary group
      user:
        name: "{{ item.name }}"
        group: "{{ item.group }}"
        password: "{{ '1234567' | password_hash('sha512') }}"
        # always is the default: the password is rewritten on every run in which
        # the hash differs, and with a random salt it differs every run
        update_password: always
      loop:
        - {name: "omaidb", group: "root"}
        - {name: "jemes", group: "root"}
        - {name: "xiaoming", group: "apache"}
```
Deleting users in bulk

remove: yes deletes the home directory and mail spool as well (userdel -r); add force: yes (userdel -f) if the account may still have running processes or a login session.

```yaml
---
- hosts: all
  tasks:
    - name: Delete users in bulk
      user:
        name: "{{ item.name }}"
        state: absent
        remove: yes
      loop:
        - {name: "omaidb"}
        - {name: "jemes"}
        - {name: "xiaoming"}
```
group module
Parameter | Meaning |
---|---|
gid | numeric group ID |
local | yes: force the local commands (lgroupadd, lgroupmod, lgroupdel) so the group is written to /etc/group even when the host resolves groups through a central directory such as LDAP |
name | group name |
state | present: create, absent: delete |
system | yes: create a system group (groupadd -r, GID from the system range), typically for service accounts |
Example 1

```yaml
- name: Ensure the auditors group exists
  group:
    name: auditors
    state: present
```
known_hosts module
Pins a host's public key in a known_hosts file at a given path (the system-wide /etc/ssh/ssh_known_hosts, or a user's ~/.ssh/known_hosts). name is the host name or address as it appears in that file, not a user, and key is a complete known_hosts line: host name, key type and base64 key, as printed by ssh-keyscan.
The shortcut often used instead, ssh -o StrictHostKeyChecking=no, does not "restrict" anything: it turns host-key verification off and lets anyone on the path impersonate the server. Pinning the key with this module (or distributing ssh_known_hosts some other way) is what makes that option unnecessary.

```yaml
- name: copy host keys to remote_servers
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    # the host being pinned (server1.example.com is an assumed name); this must be
    # a host, not a user account
    name: server1.example.com
    # the file must contain a known_hosts line such as
    # "server1.example.com ssh-ed25519 AAAA...", e.g. saved from ssh-keyscan
    key: "{{ lookup('file', 'pubkeys/server1.example.com') }}"
```
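What a pinned host key looks like on disk, and how ssh decides whether a line applies to the host it is connecting to, as an added example written for this page (not code from the page, from Ansible's known_hosts module or from OpenSSH). The host key is constructed from random bytes, the host names server1.example.com, server2.example.com and the address 10.0.0.5 are made up, and only plain and hashed (|1|salt|hmac) host fields are handled; wildcard patterns and [host]:port entries are left out.

```python
"""Pin and match SSH host keys the way known_hosts does.

Added example for this page; not code from the page, Ansible or OpenSSH.
The ed25519 host key below is constructed from random bytes (no real server)."""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_key():
    """A syntactically valid ssh-ed25519 public key with random key bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(os.urandom(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64 without '=' padding.

    Compare this, out of band, with what the server's owner reports before pinning."""
    blob = base64.b64decode(pubkey.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host, salt=b""):
    """The |1|salt|hmac host field written by HashKnownHosts yes / ssh-keygen -H."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(pattern, host):
    """Match one known_hosts host field (comma-separated, plain or hashed)."""
    for entry in pattern.split(","):
        if entry.startswith("|1|"):
            _, _, salt_b64, _ = entry.split("|")
            expected = hash_hostname(host, base64.b64decode(salt_b64))
            if hmac.compare_digest(expected.encode(), entry.encode()):
                return True
        elif entry == host:
            return True
    return False


def lookup_host_key(known_hosts, host):
    """Return 'keytype base64' pinned for host, or None when nothing is pinned."""
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):        # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue
        if host_matches(fields[0], host):
            return fields[1] + " " + fields[2]
    return None


# Constructed sample file: one plain entry with two names, one hashed entry.
HOST_KEY = constructed_ed25519_key()
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real hosts",
    "server1.example.com,10.0.0.5 " + HOST_KEY,
    hash_hostname("server2.example.com") + " " + HOST_KEY,
])

if __name__ == "__main__":
    print(fingerprint(HOST_KEY))
    print(lookup_host_key(KNOWN_HOSTS, "server1.example.com"))
    print(lookup_host_key(KNOWN_HOSTS, "server3.example.com"))
```

The hashed form hides which hosts a file lists (useful when a user's known_hosts is read by an attacker) but still lets the client confirm a pin; with StrictHostKeyChecking=no none of this matching happens and an unknown key is simply accepted.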
authorized_key module
Installs a public key in the user's ~/.ssh/authorized_keys on the managed host, enabling key-based login.

```yaml
- name: set authorized key
  authorized_key:
    user: user1
    state: present
    # lookup('file') reads on the control node, so this is the public key of
    # user1 there, appended to ~user1/.ssh/authorized_keys on every target
    key: "{{ lookup('file', '/home/user1/.ssh/id_rsa.pub') }}"
```
Editing sudoers and disabling root login

Two details matter in the sudoers task: the content must end with a newline (older sudo versions report a syntax error for a file that does not) and the file name must not contain a dot, otherwise sudo skips it. validate lets visudo reject a broken file before it is installed. The lineinfile regexp only matches an active PermitRootLogin line; a commented one is left alone and the new line is appended at the end of the file. On distributions whose sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, sshd uses the first value it reads, so a drop-in in that directory can override the appended line; check the drop-ins as well.

```yaml
---
- name: User creation exercise
  hosts: all
  vars_files:
    - vars/users_vars.yml   # defines the users list, each item with a username
  tasks:
    - name: Create the group
      group:
        name: webadmin
        state: present
    - name: Create the users
      user:
        name: "{{ item.username }}"
        groups: webadmin    # replaces existing supplementary groups; add append: yes to keep them
      loop: "{{ users }}"
    - name: Install the public keys
      authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ lookup('file', 'files/' + item.username + '.key.pub') }}"
      loop: "{{ users }}"
    - name: Allow the webadmin group passwordless sudo
      copy:
        content: "%webadmin ALL=(ALL) NOPASSWD: ALL\n"   # trailing newline is required
        dest: /etc/sudoers.d/webadmin                    # no '.' in the file name
        owner: root
        group: root
        mode: "0440"                                     # quote octal modes in YAML
        validate: /usr/sbin/visudo -cf %s
    - name: Disable root login over SSH
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd
  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted
```
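Two checks a practitioner would run after the playbook above, as an added example written for this page (not code from the page, from sudo or from OpenSSH): which PermitRootLogin value sshd will actually use once Include drop-ins are taken into account, and whether a sudoers.d file will be read at all. sshd keeps the first value it reads for a keyword and expands Include at the position where it appears, in glob(3) order; sudo skips files whose names contain a dot or end in '~', refuses group- or world-writable files, and older versions reject a file with no trailing newline. All files are constructed in a temporary directory; the drop-in names 50-cloud-init.conf and 00-ansible-hardening.conf are assumptions.

```python
"""Effective sshd setting and sudoers.d sanity checks.

Added example for this page; not code from the page, sudo or OpenSSH.
Files are constructed in a temp directory, drop-in names are assumptions."""
import glob
import os
import tempfile


def effective_setting(path, keyword, seen=None):
    """First-match value of keyword, following Include lines in file order.

    Stops at the first Match block; conditional settings are out of scope."""
    seen = set() if seen is None else seen
    if path in seen:                      # guard against Include loops
        return None
    seen.add(path)
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()
            value = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break
            if key == "include":
                for inc in sorted(glob.glob(value)):   # glob(3) sorts, so does sshd
                    found = effective_setting(inc, keyword, seen)
                    if found is not None:
                        return found
            elif key == keyword.lower():
                return value
    return None


def sudoers_dropin_problems(path):
    """Reasons sudo would ignore or reject a file under /etc/sudoers.d."""
    problems = []
    name = os.path.basename(path)
    if "." in name or name.endswith("~"):
        problems.append("ignored-name")
    if os.stat(path).st_mode & 0o022:     # group- or world-writable
        problems.append("writable")
    with open(path, "rb") as fh:
        if not fh.read().endswith(b"\n"):
            problems.append("no-trailing-newline")
    return problems


def demo_sshd():
    """(value before, value after) adding a drop-in that sorts before the others."""
    with tempfile.TemporaryDirectory() as tmp:
        dropins = os.path.join(tmp, "sshd_config.d")
        os.makedirs(dropins)
        main = os.path.join(tmp, "sshd_config")
        with open(os.path.join(dropins, "50-cloud-init.conf"), "w") as fh:
            fh.write("PermitRootLogin yes\n")      # left behind by an image builder
        with open(main, "w") as fh:
            fh.write("Include %s/*.conf\n" % dropins)
            fh.write("#PermitRootLogin prohibit-password\n")
            fh.write("PermitRootLogin no\n")       # the line lineinfile appended
        before = effective_setting(main, "PermitRootLogin")
        with open(os.path.join(dropins, "00-ansible-hardening.conf"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        after = effective_setting(main, "PermitRootLogin")
    return before, after


def demo_sudoers():
    """(problems for a file without trailing newline, problems after fixing it)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "webadmin")
        with open(path, "w") as fh:
            fh.write("%webadmin ALL=(ALL) NOPASSWD: ALL")      # no newline
        os.chmod(path, 0o440)
        broken = sudoers_dropin_problems(path)
        os.chmod(path, 0o600)                                  # make it writable again
        with open(path, "w") as fh:
            fh.write("%webadmin ALL=(ALL) NOPASSWD: ALL\n")
        os.chmod(path, 0o440)
        fixed = sudoers_dropin_problems(path)
    return broken, fixed


if __name__ == "__main__":
    print("PermitRootLogin before/after:", demo_sshd())
    print("sudoers problems before/after:", demo_sudoers())
```

Run it against the real files with effective_setting("/etc/ssh/sshd_config", "PermitRootLogin") and sudoers_dropin_problems("/etc/sudoers.d/webadmin") as root; the Include directive is resolved relative to the path given in the file, which on a real host is absolute.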
Question 14
Solution:
First point ansible.cfg at the vault password file; after that the playbook runs with a plain ansible-playbook command, no --ask-vault-pass needed:

```ini
[defaults]
vault_password_file = /home/greg/ansible/secret.txt
```

locker.yml is the vault-encrypted file that defines pw_developer and pw_manager, and user_list.yml defines the users list whose items carry name and job, as the playbook below uses them.

```yaml
---
- name: create user
  hosts: dev,test
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: create group devops
      group:
        name: devops
        state: present
    - name: developer job
      user:
        name: "{{ item.name }}"
        # password_hash without a salt draws a new random salt on every run, so
        # this task reports changed each time; acceptable for the exercise, add a
        # fixed salt or update_password: on_create for a production playbook
        password: "{{ pw_developer | password_hash('sha512') }}"
        groups: devops
      loop: "{{ users }}"
      when: item.job == 'developer'

- name: manager
  hosts: prod
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: create opsmgr
      group:
        name: opsmgr
        state: present
    - name: manager
      user:
        name: "{{ item.name }}"
        password: "{{ pw_manager | password_hash('sha512') }}"
        groups: opsmgr
      loop: "{{ users }}"
      when: item.job == 'manager'
```
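What password_hash('sha512') actually produces, for the add-user example, the bulk creation example and the question 14 solution above, as an added example written for this page (it is not code from the page or from Ansible, which delegates to passlib or the Python crypt module). The block implements the published sha512-crypt algorithm with hashlib only, so it runs offline, verifies a hash the way the login process does against /etc/shadow, and shows the idempotency point: with a random salt every run yields a different string, so the user module sees a mismatch and rewrites the password every time, whereas a fixed salt (password_hash('sha512', 'somesalt')) gives the same hash on every run. The test vector "Hello world!" with salt saltstring is the one from the sha512-crypt specification; the round count 5000 is the crypt(3) default, and a backend that uses more rounds adds a rounds=N$ field that verify() parses.

```python
"""sha512-crypt ("$6$..."), the hash password_hash('sha512') produces and
Linux stores in /etc/shadow.

Added example written for this page; not code from the page or from Ansible.
Pure hashlib implementation of the published algorithm, so it runs offline."""
import hashlib
import hmac
import secrets

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Output byte order fixed by the sha512-crypt specification.
ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)]


def _b64_24bit(b2, b1, b0, n):
    """Encode three bytes as n characters of crypt's base64, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(block, length):
    """Repeat a digest and cut it to exactly length bytes."""
    return (block * (length // len(block) + 1))[:length]


def sha512_crypt(password, salt, rounds=5000):
    """Return '$6$[rounds=N$]salt$hash'; 5000 rounds is crypt(3)'s default."""
    pw = password.encode()
    salt = salt.split("$")[0][:16]        # crypt(3) uses at most 16 salt characters
    sb = salt.encode()

    digest_b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    a.update(_repeat_to(digest_b, len(pw)))
    n = len(pw)
    while n > 0:                          # walk the bits of the password length
        a.update(digest_b if n & 1 else pw)
        n >>= 1
    digest_a = a.digest()

    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _repeat_to(hashlib.sha512(sb * (16 + digest_a[0])).digest(), len(sb))

    c = digest_a
    for i in range(rounds):               # key stretching: the cost of each guess
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    encoded = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in ORDER)
    encoded += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == 5000 else "$6$rounds=%d$" % rounds
    return prefix + salt + "$" + encoded


def random_salt(length=16):
    """A fresh salt, which is what password_hash('sha512') draws when none is given."""
    return "".join(secrets.choice(B64) for _ in range(length))


def verify(password, stored):
    """Check password against a stored $6$ string, reusing its salt and rounds."""
    parts = stored.split("$")             # '', '6', [rounds=N,] salt, hash
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts.pop(2)
    computed = sha512_crypt(password, parts[2], rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed.encode(), parts[3].encode())


def playbook_hash(password, salt=None):
    """The filter's behaviour: random salt unless one is passed as second argument."""
    return sha512_crypt(password, salt if salt else random_salt())


if __name__ == "__main__":
    print(playbook_hash("your-password"))              # differs on every call
    print(playbook_hash("your-password", "fixedsalt")) # stable across runs
```

The user module compares the string you pass with the hash already in /etc/shadow and only reports ok when they are identical, which is exactly why a fixed salt (kept in the same vault file as the password) or update_password: on_create is needed for an idempotent play.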