Set up an Ansible learning environment that meets the following requirements:
1. The control node connects to the managed hosts as root with passwordless (key-based) authentication and runs the corresponding tasks (ordinary commands and privileged commands) remotely.
2. The control node connects to the managed hosts as an ordinary user with passwordless authentication and runs the specified tasks (ordinary commands and privileged commands) remotely.
Generate a key pair on the control node
[root@xixi ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sHuk59eqgGlv45SwA5BBcE1nfIGux9jRrxGvA3ynWOs root@xixi
The key's randomart image is:
+--[RSA 3072]----+
|=...o...o...     |
| + .oo .         |
|o ...o           |
| . ooo           |
| . ....S+        |
|  .o==+ +        |
|   .=oB .        |
|  . ++=* . .     |
|   oooE+...      |
+---[SHA256]-----+
Copy the public key to the managed hosts
[root@xixi ~]# ssh-copy-id -i server
[root@xixi ~]# ssh-copy-id -i node1
Configure the ansible.cfg file
[root@xixi ~]# vim ansible.cfg
[defaults]
inventory=/etc/ansible/hosts   ; inventory (host list) file
remote_user=redhat             ; user to log in as on the managed hosts; defaults to the current user if unset
ask_pass=True                  ; whether to prompt for the SSH password on every ansible run
Test
[root@xixi ~]# ansible all -a 'whoami'
SSH password:
node1 | CHANGED | rc=0 >>
redhat
server | CHANGED | rc=0 >>
redhat
Privilege escalation with sudo for the remote user
1. Grant sudo rights to the redhat user (this step is also required for the privilege-escalation setup below)
[root@server ~]# vim /etc/sudoers
root ALL=(ALL) ALL
redhat ALL=(ALL) NOPASSWD: ALL   # allow redhat to run any command as any user on all hosts without a password
[root@node1 ~]# vim /etc/sudoers
root ALL=(ALL) ALL
redhat ALL=(ALL) NOPASSWD: ALL
2. Set the default sudo user to root and disable the password prompt when escalating
[root@xixi ~]# vim ansible.cfg
[defaults]
inventory=/etc/ansible/hosts
remote_user=redhat
ask_pass=False
sudo_user=root        ; default sudo user
ask_sudo_pass=False   ; whether to prompt for a password when escalating
3. Test
[root@xixi ~]# ansible all -a 'sudo useradd h1'
server | CHANGED | rc=0 >>
node1 | CHANGED | rc=0 >>
[root@server ~]# id h1
uid=2002(h1) gid=2002(h1) groups=2002(h1)
[root@node1 ~]# id h1
uid=1001(h1) gid=1001(h1) groups=1001(h1)
Privilege escalation
[root@xixi ~]# vim ansible.cfg
[defaults]
inventory=/etc/ansible/hosts
remote_user=redhat
ask_pass=False
sudo_user=root
ask_sudo_pass=False
# privilege escalation
[privilege_escalation]
become=True             ; whether to switch user on the managed host after connecting; switches to root by default
become_method=sudo      ; how to switch user
become_user=root        ; which user to switch to on the managed host
become_ask_pass=False   ; whether to prompt for the become_method password
Test by deleting the h1 user
[root@xixi ~]# ansible all -a 'userdel h1'
server | CHANGED | rc=0 >>
node1 | CHANGED | rc=0 >>
[root@server ~]# id h1
id: ‘h1’: no such user
[root@node1 ~]# id h1
id: ‘h1’: no such user