Ansible实现百台服务器的免密配置
场景一该案例重要适用场景为当你获取到一批新的内网主机用于建立某一个体系的集群,需要在集群中拿出一台当做ansible跳板机,用于后期做CD的工作,并要求将ansible主机与集群内其他主机都实现单向免密登录(即ansible呆板ssh user@host_ip实现免密)则可以使用该文章中的方式举行配置。
个人认为相比使用ssh-copy-id命令的话,使用ansible功能实现会更加方便。
按照上述案例需要满足部署前提条件如下:
一、需要得到的信息:集群内全部主机的IP地点、全部主机的超级管理员root权限及root暗码(配置ansible主机清单时需要);
备注:root暗码仅配置一次即可,一旦实现免密登录,后续可将集群内其他主机的root暗码更新并去掉ansible对root的免密。
二、集群中的ansible节点需要与ansible受控节点主机正常使用22端口通信;
三、集群中的ansible节点可以正常登录root用户下载ansible;
上述案例步骤分析:
一、在ansible节点上安装并配置ansible服务;
二、在ansible节点配置目标受控主机清单文件hosts;
三、编写剧本并实行,以此实现ansible到各个目标节点免密;
1、Ansible节点的安装与配置
由于本人呆板资源有限,肯定没有百台假造机啦,下面仅用四台主机做树模;各位“麻油”们包涵哈!三台假造机如下配置:
IP地点主机名脚色192.168.233.13ANSIBLEM1Ansible控制节点192.168.233.14ANSIBLES1Ansible受控制节点1192.168.233.15ANSIBLES2Ansible受控制节点2192.168.233.16ANSIBLES3Ansible受控制节点3
[*]安装ansible
# yum install -y ansible
[*]更改ansible配置
# vim /etc/ansible/ansible.cfg
# 将里面的 host_key_checking = False 和 remote_port = 22 前的#去掉,ssh在首次连接出现检查keys 的提示,通过设置,不会有这些提示
remote_port = 22
host_key_checking = False
2、配置Ansible管理的目标主机清单
[*]创建主机清单文件
# 服务器上创建ansible用户
# useradd ansible
# passwd ansible
# 切换用户至ansible
# su - ansible
# 创建主机清单文件
$ mkdir -p /home/ansible/ansible_workspace/inventories/DEV
$ cd /home/ansible/ansible_workspace/inventories/DEV
$ vim hosts
192.168.233.14
192.168.233.15
192.168.233.16
192.168.233.14 ansible_ssh_user=root ansible_ssh_pass='your_password'
192.168.233.15 ansible_ssh_user=root ansible_ssh_pass='your_password'
192.168.233.16 ansible_ssh_user=root ansible_ssh_pass='your_password'
# 主机列表中的ansible_ssh_user和ansible_ssh_pass变量意为远程主机当前存在的用户名及用户名的密码
[*]测试配置的ansible主机清单文件是否可用
$ ansible all -i /home/ansible/ansible_workspace/inventories/DEV/hosts -m ping -u root
192.168.233.15 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.15' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
192.168.233.14 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.14' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
192.168.233.16 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Warning: Permanently added '192.168.233.16' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.",
"unreachable": true
}
# 上述反馈说明主机清单已被ansible识别,但是暂未配置免密,所以报错:Permission denied
3、配置Ansible到各个目标节点免密
[*]在ansible控制节点生成key
# 使用 ansible 用户登录主机执行 ssh-keygen 命令生成私钥和公钥文件,一路回车即可
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible/.ssh/id_rsa.
Your public key has been saved in /home/ansible/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:njoTPg8vFUXJKbsVWG69JlPbHCbqr9sld6hJ8ij8J14 ansible@ANSIBLEM1
The key's randomart image is:
+-------+
| =oo |
| o.*. |
| +o.+ o|
| o..o B . |
| S++ + o|
| ..oo + . |
| ..+o o E + .|
| *+o .O.* . |
| .*o+*=* |
+---------+
$ ll .ssh/
total 12
-rw------- 1 ansible ansible 1679 Sep 11 17:13 id_rsa
-rw-r--r-- 1 ansible ansible399 Sep 11 17:13 id_rsa.pub
-rw-r--r-- 1 ansible ansible528 Sep 11 17:11 known_hosts
[*]编写一个剧本,下发ansible节点上的公钥至各个受控制服务器
$ cd /home/ansible/ansible_workspace
$ vim push_key.yml
- hosts: ssh_key
remote_user: root
tasks:
- name: push ansible key
authorized_key: user=root key="{{ lookup('file', '/home/ansible/.ssh/id_rsa.pub') }}" state=present
[*]实行剧本
$ ansible-playbook push_key.yml-i /home/ansible/ansible_workspace/inventories/DEV/hosts
PLAY *****************************************************************************************************************************
TASK *********************************************************************************************************************
ok:
ok:
ok:
TASK ********************************************************************************************************************
changed:
changed:
changed:
PLAY RECAP *********************************************************************************************************************************
192.168.233.14 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.15 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.16 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[*]测试ansible节点到受控制节点服务器的root用户是否实现免密
$ ssh root@192.168.233.14
#
$ ssh root@192.168.233.15
#
$ ssh root@192.168.233.16
#
上述测试可见已经实现了ansible到各个受控服务器的root免密。如果要取消ansible到受控制节点的root免密可以参考实行下列ansible剧本:
$ vim del_ansible_key.yml
- hosts: ssh_key
remote_user: root
tasks:
- name: delete remote public key
authorized_key: user=root key="{{ lookup('file', '/home/ansible/devopskey/id_rsa.pub') }}" state=absent
$ ansible-playbook del_ansible_key.yml-i /home/ansible/ansible_workspace/inventories/DEV/hosts
如今ansible与各个受控制节点服务器的root是免密的,显然是给高级“麻油”们,也就是管理者使用的。出于安全性考虑,一样平常不会允许集群部署职员对任何集群服务器拥有root的免密权限,所以就涉及到下面另一个场景:
场景二
PS:你身为集群的超级管理员,当你获取到一批新的主机,并且已为你搭建好了anisble情况,ansible控制节点已经与受控制节点上的root用户做好了免密(即ssh root@hosts_ip免密),但是你需要为使用集群举行体系部署工作的人创建一个平凡用户,这个平凡用户可以使用ansible节点上的某一个用户使用ansible服务管理集群内的受控制节点主机,这里以devops举例,后期部署职员需要在anisble上使用devops用户免密毗连集群内其它主机上的平凡用户tuser,以便后期体系的部署和维护;
按照上述案例做步骤分析:
一、在ansible节点使用root用户创建平凡用户devops;
二、在ansible节点上配置devops用户与体系集群内其他主机上tuser用户的免密;
1、创建部署职员需要的用户
[*]在ansible节点使用root用户创建平凡用户devops
# useradd devops
# passwd devops
Changing password for user devops.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[*]切换至devops用户,生成秘钥对
# su - devops
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/devops/.ssh/id_rsa):
Created directory '/home/devops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/devops/.ssh/id_rsa.
Your public key has been saved in /home/devops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:220mn0IXgQ7s+/UoB0FV341lnwBHnoijUVIqrusbg6A devops@ANSIBLEM1
The key's randomart image is:
+-------+
| o.o ++=. o|
| * + = o==|
| . + * . +..=|
| . . + + . |
|. . .S. . . |
|o . . .oo.o |
|E. + .oo++o |
| + +=o..|
|.+. +o |
+---------+
$ ll /home/devops/.ssh/id_rsa.pub
2、为获取用户公钥内容做准备
[*]为拷贝devops公钥做准备,否则ansible用户无法获取到devops的公钥内容
# 这里的操作是为后面下发devops用户的公钥到各个受控制节点而做准备
# mkdir /home/ansible/devopskey/
# cp /home/devops/.ssh/id_rsa.pub /home/ansible/devopskey/
# chown -R ansible.ansible /home/ansible/devopskey
# su - ansible
$ cd devopskey/
$ ll
total 4
-rw-r--r-- 1 ansible ansible 398 Sep 12 23:38 id_rsa.pub
3、编辑剧本并实行实现ssh免密
[*]使用ansible用户编辑下发devops用户公钥的剧本
$ cd ansible_workspace/
$ vim push_key.yml
- hosts: ssh_key
remote_user: root
tasks:
- name: push devops key
authorized_key: user=tuser key="{{ lookup('file', '/home/ansible/devopskey/id_rsa.pub') }}" state=present
[*]使用ansible用户实行剧本
$ ansible-playbook push_devops_key.yml-i /home/ansible/ansible_workspace/inventories/DEV/hosts
PLAY *********************************************************************************************************************************************************
TASK *************************************************************************************************************************************************
ok:
ok:
ok:
TASK *************************************************************************************************************************************************
changed:
changed:
changed:
PLAY RECAP *************************************************************************************************************************************************************
192.168.233.14 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.15 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.233.16 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[*]测试anisble节点上的devops是否已经实现了到受控制节点主机tuser用户的免密登录
# su - devops
$ ssh tuser@192.168.233.14
The authenticity of host '192.168.233.14 (192.168.233.14)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.14' (ECDSA) to the list of known hosts.
Last login: Thu Sep 12 23:30:25 2024
$ ssh tuser@192.168.233.15
The authenticity of host '192.168.233.15 (192.168.233.15)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.15' (ECDSA) to the list of known hosts.
Last login: Wed Sep 11 18:16:08 2024 from 192.168.233.13
$ ssh tuser@192.168.233.16
The authenticity of host '192.168.233.16 (192.168.233.16)' can't be established.
ECDSA key fingerprint is SHA256:L1+uIG1eWm6TCZvm/D3NGUa9jYbK2kawhPSwZki8leY.
ECDSA key fingerprint is MD5:2a:37:d0:b3:a4:d1:6c:d6:96:d5:fe:1f:d2:58:5b:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.233.16' (ECDSA) to the list of known hosts.
Last login: Wed Sep 11 18:16:37 2024 from 192.168.233.13
备注:这里注意看在我们使用devops实行初次免密登录远程主机的tuser用户时就会需要输入yes确认,由于devops不像是ansible用户,有/etc/ansible/ansible.cfg配置文件可以跳过提示验证部分内容。所以初次毗连需要输入yes举行验证,有且仅有初次需要验证。
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]