ansible - How do I define sudo passwords for multiple hosts in a single vault file?
Problem description
I want to run updates on several Linux servers that have different usernames and passwords. I think this is a common use case, but the documentation does not cover it. There is SSH authentication, but I need elevated access for the update process, and the Ansible tasks need too many privileges to do that through the sudoers file.
How can I pull different ansible_password values from the inventory in a single vault file, so that I can run the playbook, enter only one password to decrypt all the sudo passwords, and have it work?
Inventory:
[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
1.2.3.5 ansible_user=user2 ansible_password=password2
1.2.3.6 ansible_user=user3 ansible_password=password3
Playbook:
---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output
    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")
    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined
    - block:
        - name: "Create log directory"
          file:
            path: "{{ log_dir }}"
            state: directory
          changed_when: false
        - name: "Write changes to logfile"
          copy:
            content: "{{ output.stdout }}"
            # ansible_date_time is a gathered fact; with gather_facts: false it is
            # undefined unless a setup task runs before this point
            dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
          changed_when: false
      when: updated is defined
      connection: local
Solution
Q: "How can I get different ansible_password values from the inventory in a single vault file?"
A: It is possible to use set_fact
and add the decrypted variables. For example
- Remove the passwords from the inventory file
[servers]
1.2.3.4 ansible_user=user1
1.2.3.5 ansible_user=user2
1.2.3.6 ansible_user=user3
- Create a dictionary with the passwords
shell> cat group_vars/servers/my_vault.yml
my_vault:
  '1.2.3.4':
    ansible_password: 'password1'
  '1.2.3.5':
    ansible_password: 'password2'
  '1.2.3.6':
    ansible_password: 'password3'
- Encrypt the file
shell> ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful
shell> cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
33613937636462643266613264333138376135313762663832393837616137323165363531666438
3564366531386130623162386332646366646561663763320a633533653631396637316138393339
66623531633936346363313965633565623566313264396636303136666432373037313666653630
3530343461616338370a323565346564383266323934376432383436646261313639663961343662
35336439646133333434363462616537323130373733363863646435376435343864323336323135
35623330303732666233313135643265393030386561306235303038353133386230336431396637
64663331316439336638646366636530626363353034326462393938363230386666303066383834
38643538343137633966336130393362303534666139373034356530303661643339623234356366
61316363333331613762663230616239643965333261353936373464366162646662323361626431
33663839386261313561396337393330616131663561646562373233373265646334383937386431
38386165653864363235646538353337373063376665386638653333646632316533363731663234
35663336663936653233
- The playbook below adds the variable
ansible_password
to each host in the first play and uses it in the second play. For example
- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
- hosts: servers
  tasks:
    - debug:
        var: ansible_password
gives
ok: [1.2.3.4] => {
    "ansible_password": "password1"
}
ok: [1.2.3.5] => {
    "ansible_password": "password2"
}
ok: [1.2.3.6] => {
    "ansible_password": "password3"
}
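As an added example (not part of the question or the answer above), the same vault-backed lookup can be done without a separate set_fact play, and aimed at the sudo step specifically: ansible_password is the password the SSH connection uses, while the password that become: yes hands to sudo is ansible_become_password. Putting the lookups in group_vars/servers/vars.yml makes them resolve lazily per host, so every play in the run gets them. The file names upgrade.yml and vars.yml, the key names ssh_password and sudo_password inside my_vault, and the sample passwords are assumptions for this example.

```yaml
# group_vars/servers/vars.yml  (plain file, kept next to the encrypted one)
# Both passwords are looked up per host from the encrypted dictionary.
# The key names ssh_password / sudo_password are assumed for this example.
ansible_become_password: "{{ my_vault[inventory_hostname].sudo_password }}"
# Only needed when the SSH login itself is password-based rather than key-based.
ansible_password: "{{ my_vault[inventory_hostname].ssh_password }}"
---
# group_vars/servers/my_vault.yml  (shown decrypted; encrypt it with
#   ansible-vault encrypt group_vars/servers/my_vault.yml)
# Constructed sample values; on a host where SSH and sudo passwords differ,
# the two entries simply hold different strings.
my_vault:
  '1.2.3.4': { ssh_password: 'password1', sudo_password: 'password1' }
  '1.2.3.5': { ssh_password: 'password2', sudo_password: 'password2' }
  '1.2.3.6': { ssh_password: 'password3', sudo_password: 'password3' }
---
# upgrade.yml
# Run with:  ansible-playbook -i inventory upgrade.yml --ask-vault-pass
# One vault password decrypts my_vault for every host in the play.
- hosts: servers
  become: yes
  tasks:
    - name: Refuse to run on a host that has no entry in the vault dictionary
      assert:
        that: inventory_hostname in my_vault
        fail_msg: "no sudo password for {{ inventory_hostname }} in my_vault"

    - name: Confirm privilege escalation works before touching packages
      command: id -u
      register: whoami
      changed_when: false
      # Under become: yes the effective uid must be root (0); a wrong
      # sudo password fails earlier, a wrong sudoers rule fails here.
      failed_when: whoami.stdout != '0'

    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output
```

The assert turns a missing dictionary entry into a clear per-host failure instead of an "undefined variable" error at connection time, and the id -u check fails fast on a host whose sudoers rule does not actually grant the expected access. The debug task in the answer above is useful for confirming the lookup once, but it prints the password into the console and any log; leave it out of a production run, or set no_log: true on any task that handles these variables.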