Ansible installation, configuration and server passwordless-login problems

1. Install ansible with yum

Reference: https://www.w3cschool.cn/automate_with_ansible/automate_with_ansible-1khc27p1.html

yum install -y epel-release
yum install -y ansible

[root@testx yum.repos.d]# ansible --version

2. Ansible configuration file paths

[root@testx yum.repos.d]# cd /etc/ansible/
[root@testx ansible]# ll
total 24
-rw-r--r--. 1 root root 19985 Jun 19 11:04 ansible.cfg
-rw-r--r--. 1 root root 1016 Jun 19 11:04 hosts
drwxr-xr-x. 2 root root 6 Jun 19 11:04 roles

2. Hello World
[root@testx ansible]# /bin/echo -e "[local]\nlocalhost ansible_connection=local" >> /etc/ansible/hosts
[root@testx ansible]# ansible localhost -m command -a 'echo Hello World.'
localhost | CHANGED | rc=0 >>
Hello World.

3. Passwordless login for the mylog user

Log in to host A as mylog and run:
step1:
Generate the private and public keys on machine A:
ssh-keygen -t rsa
This creates the public key (id_rsa.pub) and the private key (id_rsa) under ~/.ssh/

step2:
Copy machine A's public key (id_rsa.pub) into the ~/.ssh/authorized_keys file on machine B

scp ~/.ssh/id_rsa.pub mylog@192.168.189.131:/home/mylog/id_rsa.pub

scp ~/.ssh/id_rsa.pub username@host:/home/B/id_rsa.pub

On machine B, append the contents of /home/B/id_rsa.pub to the ~/.ssh/authorized_keys file

step3:
Fix the permissions of the ~/.ssh/authorized_keys file on machine B:
chmod 600 ~/.ssh/authorized_keys
chmod 700 /home/mylog/.ssh
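Steps 2 and 3 above as one idempotent script, added here as an example (not the post's own commands): it assumes the public key has already been copied to machine B (the scp line above) and is run there as mylog; the path and file names are the post's, the function name is made up.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR]
# Appends the key to authorized_keys only if it is not already there, then
# sets the permissions sshd insists on. Returns 1 if the file is not a
# single public-key line (for example id_rsa copied instead of id_rsa.pub).
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_keys=$ssh_dir/authorized_keys

    # Accept only "<type> <base64> [comment]"
    key=$(head -n 1 "$pubkey_file" 2>/dev/null)
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 1 ;;
    esac
    # The key's identity is type + material; the trailing comment may differ
    key_id=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')

    mkdir -p "$ssh_dir"
    touch "$auth_keys"
    # awk exits 0 only when a line with the same type and material already exists
    if ! awk -v id="$key_id" '($1 " " $2) == id { f = 1 } END { exit !f }' "$auth_keys"; then
        printf '%s\n' "$key" >> "$auth_keys"
    fi
    # step3 of the post: with StrictModes (the default) sshd ignores
    # authorized_keys when the directory or file is group/world writable
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"
}

# Usage on machine B after the scp above: sh install_pubkey.sh /home/mylog/id_rsa.pub
if [ -n "${1:-}" ]; then
    install_pubkey "$1"
fi
```

Running it twice leaves a single entry, which is also what ssh-copy-id does when it is available on host A.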

From host A you can now run ssh mylog@192.168.189.131 directly, with no password prompt
[mylog@testx ~]$ ssh mylog@192.168.189.131
Last login: Fri Jul 24 18:03:15 2020 from node1
[mylog@test-two ~]$ exit
logout
Connection to 192.168.189.131 closed.
[mylog@testx ~]$ ansible 192.168.189.131 -m shell -a "mkdir /tmp/1"
192.168.189.131 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

The error is caused by the user settings in the configuration files on the Ansible control node
[root@testx ~]# vi /etc/ansible/hosts
#[local]
#localhost ansible_connection=local
192.168.189.131 ansible_user=mylog

[root@testx ~]#
[root@testx ~]# vi /etc/ansible/ansible.cfg
[defaults]
#some basic default values…
hostfile = hosts
remote_user = mylog

host_key_checking = False

[root@testx ~]# exit
logout
[mylog@testx ~]$ ansible 192.168.189.131 -m shell -a "mkdir /tmp/1"
[WARNING]: Consider using the file module with state=directory rather than running 'mkdir'. If you
need to use command because file is insufficient you can add 'warn: false' to this command task or set
'command_warnings=False' in ansible.cfg to get rid of this message.
192.168.189.131 | CHANGED | rc=0 >>

If the Ansible control node has no SSH trust relationship with the remote hosts, the username and password can be given directly in the hosts inventory.

If a regular user is used and sudo is allowed, that user's sudo entry must be configured in advance in /etc/sudoers on the managed host, i.e. the regular user must be granted sudo privileges.

[root@testx ansible]# cat hosts
[test-host]
192.168.189.131 ansible_ssh_user=mylog ansible_ssh_pass=** ansible_ssh_port=22
192.168.189.133 ansible_ssh_user=mylog ansible_ssh_pass=** ansible_ssh_port=22

That is, the 192.168.189.133 client must be configured in advance to grant the app user sudo privileges.

Run:
[root@testx ansible]# ansible test-host -m shell -a “hostname”
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
192.168.189.131 | CHANGED | rc=0 >>
test-two
192.168.189.133 | CHANGED | rc=0 >>
testx-three
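Both inventories on this page put ansible_ssh_pass in cleartext next to the host. An added audit (example code, not from the post) that lists every inline password variable in an INI inventory, so such entries can be found and moved out before the file is committed or shared; the sample inventory and its placeholder values are constructed, and the function name is made up.

```shell
#!/bin/sh
# Constructed sample inventory in the style of the [test-host] group above;
# the password values are placeholders, not real credentials.
SAMPLE_INVENTORY='[test-host]
192.168.189.131 ansible_ssh_user=mylog ansible_ssh_pass=PLACEHOLDER1 ansible_ssh_port=22
192.168.189.133 ansible_ssh_user=mylog ansible_password=PLACEHOLDER2 ansible_ssh_port=22
# commented-out hosts are ignored
#10.5.1.23 ansible_ssh_user=mylog ansible_ssh_pass=PLACEHOLDER3

[test-host:vars]
ansible_ssh_pass=GROUP_PLACEHOLDER

[keys-only]
10.5.1.21 ansible_user=mylog ansible_ssh_port=22'

# find_cleartext_passwords INVENTORY_FILE
# Prints "<host or (group:vars)> <variable>" for every inline password
# variable and returns 1 if any were found, 0 otherwise.
find_cleartext_passwords() {
    awk '
        /^[[:space:]]*[#;]/ { next }                  # comment lines
        /^[[:space:]]*$/ { next }                     # blank lines
        /^\[/ { section = $0; gsub(/\[|\]/, "", section); next }
        {
            # a host line starts with a host; a :vars line starts with key=value
            owner = (index($1, "=") > 0) ? ("(" section ")") : $1
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                key = substr($i, 1, n - 1)
                if (key ~ /^ansible_(ssh_pass|password|become_pass|become_password|sudo_pass|su_pass)$/) {
                    found++
                    print owner, key
                }
            }
        }
        END { if (found > 0) exit 1; exit 0 }
    ' "$1"
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
inv=${1:-}
if [ -z "$inv" ]; then
    inv=$(mktemp)
    printf '%s\n' "$SAMPLE_INVENTORY" > "$inv"
fi
if find_cleartext_passwords "$inv"; then
    echo "no inline passwords found"
else
    echo "inline passwords found: replace them with SSH keys or move them into ansible-vault"
fi
```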

Configuring passwordless login in batch

[root@zabbix-server ansible]# cat /etc/ansible/hosts
[test-host]
10.5.1.21 ansible_ssh_user=mylog ansible_ssh_pass= **
10.5.1.23 ansible_ssh_user=mylog ansible_ssh_pass= **

Change host_key_checking (checking is on by default):

vi /etc/ansible/ansible.cfg
host_key_checking = False

[root@zabbix-server ansible]# cat push.ssh.ymal
#Using alternate directory locations:

- hosts: test-host
  user: mylog
  tasks:
  - name: ssh-copy
    authorized_key: user=mylog key="{{ lookup('file', '/home/mylog/.ssh/id_rsa.pub') }}"
    tags:
    - sshkey

[root@zabbix-server ansible]# ansible-playbook push.ssh.ymal
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

PLAY [test-host] ***************************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [10.5.1.21]
ok: [10.5.1.23]

TASK [ssh-copy] ****************************************************************************************
changed: [10.5.1.21]
changed: [10.5.1.23]

PLAY RECAP *********************************************************************************************
10.5.1.21 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.5.1.23 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Test whether the key distribution succeeded
#show the date on each machine
ansible all -a date
#ansible all -m command -a date # same effect as above

#ping
ansible all -m ping

Using Ansible's user module to change user passwords on remote hosts in batch

Ansible cannot be given the password in plaintext when changing a user's password; it must be hashed first, so a method is needed to hash the plaintext password that is supplied.

[root@ansible-server ~]# vim /opt/root_passwd.yaml

- hosts: ssh-host
  gather_facts: false
  tasks:
  - name: change user passwd
    user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always
    with_items:
    - { name: 'root', chpass: 'kevin@123' }
    - { name: 'app', chpass: 'bjop123' }

Note that the YAML above changes the passwords of the root and app users on the remote hosts.
To change other users' passwords as well, keep adding entries following the same pattern.

Run ansible-playbook
[root@ansible-server ~]# ansible-playbook /opt/root_passwd.yaml

Method 2: the more convenient way to change a single user's password on the remote hosts

Write the playbook file
[root@ansible-server ~]# vim /opt/root_passwd2.yaml

- hosts: ssh-host
  gather_facts: false
  tasks:
  - name: Change password
    user: name={{ name1 }} password={{ chpass | password_hash('sha512') }} update_password=always

Run ansible-playbook, passing the username and password to the playbook with -e; here root is the username and admin#123 is the new root password
[root@ansible-server ~]# ansible-playbook /opt/root_passwd2.yaml -e "name1=root chpass=admin#123"

Once every host in the hosts file has been reached over ssh once, known_hosts is generated on the ansible server and records the ssh passwordless-login information; after that the password entries can be removed from the hosts file and those IPs can still be logged in to without a password

[mylog@zabbix-server .ssh]$ ll
total 16
-rw------- 1 mylog mylog 401 Jul 31 15:34 authorized_keys
-rw------- 1 mylog mylog 1679 Jul 28 16:59 id_rsa
-rw-r--r-- 1 mylog mylog 401 Jul 28 16:59 id_rsa.pub
-rw-r--r-- 1 mylog mylog 519 Jul 31 15:36 known_hosts

Part 3. Other Ansible scripts

  1. Prepare the playbook file, ending in .yml

3.1. Copying the ssh key:

rsync_key.yml

The file contents are as follows:

- hosts: test
  remote_user: test
  tasks:
  - name: copy ssh key
    authorized_key:
      user: test
      key: "{{ lookup('file', '/home/test/.ssh/id_rsa.pub') }}"

3.2. Sending the key to the remote server:

rsync_key2.yml

The file contents are as follows:

- hosts: test
  remote_user: test
  tasks:
  - name: mkdir /home/test/.ssh
    command: mkdir -p /home/test/.ssh
  - name: copy ssh key
    copy: src=/home/test/.ssh/id_rsa.pub dest=/home/test/.ssh owner=test group=test mode=0644

3.3. Run the playbook

-i test specifies the inventory of remote servers the playbook runs against; test is used in place of the default hosts file

ansible-playbook -i test rsync_key.yml

ansible-playbook -i test rsync_key2.yml (not needed; the first one is enough)

Add the hadoop user

useradd.yml


- hosts: hadoop_devops_hosts
  remote_user: test
  sudo: yes
  vars:
    user: hadoop

  tasks:

  - name: add user
    action: user name={{ user }} home=/home/{{ user }}
    tags:
    - user

After it finishes, check:

ansible -i ./hosts hadoop_hosts -m shell -a "id hadoop"

Next, generate the hadoop key remotely

so that hadoop can move freely between the servers

Part 4. Installing lrzsz remotely with Ansible

[root@zabbix-server ansible]# cat push.ssh.ymal

- hosts: IDC2
  remote_user: mylog
  become: yes
  become_method: sudo
  #become_user: root
  tasks:
  - name: install lrzsz
    shell: yum install -y lrzsz
    #action: yum name=lrzsz state=present
    #sudo: yes

[root@zabbix-server ansible]# ansible-playbook push.ssh.ymal
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv
to see details

PLAY [IDC2] **************************************************************************

TASK [Gathering Facts] ***************************************************************
fatal: [10.5.10.103]: FAILED! => {"msg": "Missing sudo password"}

PLAY RECAP ***************************************************************************
10.5.10.103 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

[root@zabbix-server ansible]#

####################### sudo settings #######################
#Normally -b switches the user identity, but adding it on every command is tedious; it can be set directly in the configuration file
[ans@node1 ansible]$ vim ansible.cfg
...
[privilege_escalation]
become=True #enable privilege escalation
become_method=sudo #escalate with sudo
become_user=root #switch to root
become_ask_pass=False #do not prompt for the password
#add the [privilege_escalation] section
[root@node2 ~]# vim /etc/sudoers
...
ans ALL=(ALL) NOPASSWD: ALL
...
#sudo is set up only on node2; check the test result

6. Run a sudo remote install from the ansible server, adding -b

[mylog@zabbix-server ansible]$ ansible 10.5.11.232 -m yum -a 'name=httpd state=present' -b

7. Switching from a regular ansible user to root (uid 0) to run shell commands remotely

ansible 10.5.11.233 -m shell -a "touch /tmp/0804.txt" --become-method su --become-user myroot

7.1 Switching user in an ansible playbook
[root@localhost ~]# cat /etc/ansible/test.yaml 
- hosts: lb
  become: yes
  become_user: root
  become_method: sudo 
  tasks:
  - name: start httpd
    service: name=httpd state=started
7.2 Switching user in an ad hoc ansible command
[root@localhost ~]# ansible lb -b --become-user root --become-method sudo -m service -a "name=httpd state=stopped"