[Ansible Series] How do you set up a regular (non-root) user to operate Ansible?

Background

Some readers messaged me asking: "With dozens of managed hosts, do we really have to copy the public key (id_rsa.pub) to every managed node by hand?" Copying it one host at a time is obviously unreasonable. Second, in real production we try to avoid operating directly as root; the recommended approach is a regular user that escalates through sudo for the tasks that need it. This article addresses both problems.

Privilege escalation for a regular user

Scenario: the regular user devops will operate Ansible. None of the managed hosts has a devops account yet; by default they only have root, and the root password is 123 on all of them (a throwaway lab value, as the passwd warning in step 1 makes clear).

1.    Create the devops user on the control node and set its password to 123

[root@clinet ~]# useradd devops
[root@clinet ~]# passwd devops
Changing password for user devops.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

2.    Switch to the devops user and generate a key pair. The example accepts an empty passphrase for brevity; on a real control node protect the private key with a passphrase and load it into ssh-agent, because once the steps below are done, whoever obtains /home/devops/.ssh/id_rsa has sudo-capable access to every managed host.

[root@clinet ~]# su - devops
[devops@clinet ~]$ 
[devops@clinet ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa): 
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9skhHmaQrxdOyG1bMomvPWsv77yAYAPW96TiOmN9pEw devops@clinet
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|   .   .         |
|  o . + .        |
| . . o X .       |
|    = = S o      |
|   oE+.% @ o     |
|   +.oo B +      |
|  +.+ .++o       |
| ..o ...oB*.     |
+----[SHA256]-----+
[devops@clinet ~]$ 
[devops@clinet ~]$ ll ~/.ssh/
total 8
-rw-------. 1 devops devops 1679 Nov 23 16:55 id_rsa
-rw-r--r--. 1 devops devops  395 Nov 23 16:55 id_rsa.pub
[devops@clinet ~]$ 

3.  Create the devops user on the managed hosts and copy the public key with a playbook (these steps are run as root)

3.1   Configure the inventory

# Assumes the hosts in the init_server group share the root password 123; if they differ, put ansible_ssh_pass on each host's own line instead of in the group vars.
# ansible_ssh_pass is the older alias of ansible_password, and password authentication needs the sshpass program on the control node. Keep a plaintext password out of any inventory you commit: for this one-off bootstrap pass it with --ask-pass, or store it with ansible-vault encrypt_string.

[root@clinet ansible_2]# cat hosts 
[init_server]
192.168.194.129
192.168.194.130
192.168.194.131

[init_server:vars]
ansible_ssh_pass=123
[root@clinet ansible_2]#

3.2    Test connectivity

[root@clinet ansible_2]# ansible all -m ping 
192.168.194.129 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
192.168.194.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
192.168.194.131 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
[root@clinet ansible_2]# 

4.    Create the devops user on the managed hosts and install the public key with the following playbook. Two details matter in the last task: insertafter is a regular expression, so the parentheses in (ALL) must be escaped, otherwise the pattern never matches and lineinfile silently appends the line at the end of the file instead; and validate runs visudo -cf on the edited copy before it replaces /etc/sudoers, so a typo cannot lock everyone out of sudo.

- hosts: all

  tasks:
    - name: create user devops
      user:
        name: devops
        state: present
        shell: /bin/bash
        create_home: yes

    - name: create ~/.ssh dir
      file:
        path: /home/devops/.ssh
        state: directory
        mode: '0700'
        group: devops
        owner: devops

    - name: copy public key to all
      copy:
        src: /home/devops/.ssh/id_rsa.pub
        dest: /home/devops/.ssh/authorized_keys
        owner: devops
        group: devops
        mode: '0600'

## add the regular user to sudoers
    - name: modify sudoers
      lineinfile:
        path: /etc/sudoers
        # insertafter is a regex: escape the parentheses or the pattern never matches
        insertafter: '^root\s+ALL=\(ALL\)\s+ALL$'
        line: "devops ALL=(ALL) ALL"
        backup: yes
        # syntax-check the edited copy with visudo before it replaces /etc/sudoers
        validate: '/usr/sbin/visudo -cf %s'


5.   Check the user and the key on a managed host

[root@route ~]# ls -l /home/devops/.ssh/
total 4
-rw------- 1 devops devops 395 Nov 23 16:59 authorized_keys
[root@route ~]# id devops
uid=1045(devops) gid=1045(devops) groups=1045(devops)
[root@route ~]#

6.    Switch to the devops user and verify key-based access (the ping module only checks that SSH login and the remote Python work; it does not exercise sudo)

[devops@clinet ansible]$ cat hosts |grep -v ^# |grep -v ^$
192.168.194.129
192.168.194.130
192.168.194.131
[devops@clinet ansible]$ 
[devops@clinet ansible]$ ansible all -m ping -u devops
192.168.194.129 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
192.168.194.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
192.168.194.131 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
[devops@clinet ansible]$ 

Once the steps above are done, the root password variable can be removed from the inventory. From then on, when operating Ansible as the regular user, add the following to ansible.cfg (in the [privilege_escalation] section) or, for the first three settings, to the play itself (become: true, become_method: sudo, become_user: root):

become=True                        allow the regular user to escalate privileges
become_method=sudo                 escalation method: sudo
become_user=root                   escalate to root
become_ask_pass=False              do not prompt for the sudo password

One caveat that the check in step 6 does not catch, because ansible -m ping runs without become: the sudoers line added in step 4, devops ALL=(ALL) ALL, still requires devops' own password for sudo. On the managed hosts that password does not exist, since the user module created the account without one (its shadow entry is locked), and with become_ask_pass=False and no ansible_become_pass set, the first escalated task fails with "Missing sudo password". Either set a password for devops on the managed hosts and supply it (ansible_become_pass, ideally vault-encrypted, or --ask-become-pass), or, the usual choice for an automation account, write the rule as devops ALL=(ALL) NOPASSWD: ALL and rely on the SSH key alone, which is exactly why that key must be protected.
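A hardened version of the step-4 play, tied together with the become settings just described, as an added example that is not code from the original article. It assumes the same devops user and the same control-node key path as the steps above, the init_server group from step 3.1, and that the managed hosts' /etc/sudoers contains the default #includedir /etc/sudoers.d line. Compared with step 4 it manages the key with the authorized_key module (idempotent, and it does not clobber keys added by other tooling), puts the sudo rule in a syntax-checked drop-in under /etc/sudoers.d with NOPASSWD so that become works with become_ask_pass=False, and adds a second play that proves, as devops with become, that escalation really reaches uid 0. The file and variable names are my own choices.

```yaml
---
# Play 1: bootstrap the devops automation user. Run once as root, supplying
# the root password at the prompt instead of storing it in the inventory:
#   ansible-playbook -i hosts --ask-pass --tags bootstrap bootstrap_devops.yml
- hosts: init_server
  remote_user: root
  tags: [bootstrap]
  vars:
    automation_user: devops
    # public key generated in step 2 on the control node; read locally by lookup()
    automation_pubkey: "{{ lookup('file', '/home/devops/.ssh/id_rsa.pub') }}"
  tasks:
    - name: create the automation user (no password: access is key-based only)
      user:
        name: "{{ automation_user }}"
        state: present
        shell: /bin/bash
        create_home: yes

    # authorized_key creates ~/.ssh (0700) and authorized_keys (0600) itself and
    # only adds the key if it is missing; on ansible-core-only installs use the
    # fully qualified name ansible.posix.authorized_key.
    - name: install the control node's public key for the automation user
      authorized_key:
        user: "{{ automation_user }}"
        key: "{{ automation_pubkey }}"
        state: present

    # A drop-in file instead of editing /etc/sudoers in place; validate runs
    # visudo on the staged copy and the task fails before anything is installed
    # if the rule is malformed. NOPASSWD is what lets become work without a
    # sudo password (the account has none).
    - name: grant passwordless sudo through a validated sudoers.d drop-in
      copy:
        dest: "/etc/sudoers.d/{{ automation_user }}"
        content: "{{ automation_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: '/usr/sbin/visudo -cf %s'

# Play 2: prove that key-based login and sudo escalation work for devops.
# Run later, as devops, after the inventory no longer carries the root password:
#   ansible-playbook -i hosts --tags verify bootstrap_devops.yml
- hosts: init_server
  remote_user: devops
  become: true
  become_method: sudo
  become_user: root
  tags: [verify]
  tasks:
    - name: run id -u as the escalated user
      command: id -u
      register: escalated_id
      changed_when: false

    - name: fail the play unless escalation actually reached root
      assert:
        that:
          - escalated_id.stdout == "0"
        fail_msg: "become did not yield uid 0 on {{ inventory_hostname }}; check /etc/sudoers.d/devops"
```

The two plays live in one file but are selected with --tags, because the first needs the root password while the second must succeed without it; a green second play is the real end-to-end check that the bootstrap worked, since ping alone never touches sudo.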

That completes passwordless operation as a regular user. The prerequisites for this procedure are:

1.    The managed hosts have a root account whose password is known;

1.1   When the root password is the same everywhere, it can be passed as a group variable in the inventory, as in step 3.1;

1.2   When the root passwords differ, the password variable is set per host on the corresponding inventory line.
