ansible 用户模块始终显示已更改

Question

我正在努力正确使用 ansible 的用户模块。问题是每次我运行我的剧本时，我创建的用户 总是 显示为已更改，即使我已经创建了它们。

I found other people with the same issue here ，尽管我正在努力根据 github 线程实际修复它。可能是我不明白的最有用的评论👇

I can confirm that it only looked like a bug - adding the append option to two tasks made it so that they're not always undoing the work of the other, and fixed the permanently changed trigger. I did not need to add "group:"

这是我的剧本的样子:

- name: Generate all users for the environment
  user:
    createhome: yes
    state: present # to delete
    name: "{{ item.user }}"
    groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
    password: "{{ generic_password | password_hash('sha512') }}"
    append: yes
  with_items:
    - "{{ users }}"

我的意图是让每个用户都属于他们自己的私有(private)组(用户私有(private)组)，但也有一个开发人员属于开发人员组。 使用当前配置，它可以工作，问题是 ansible 总是将用户报告为“已更改” .然后我将添加 developers分组到 sudoers 文件；因此我想将用户添加到 developers团体。

例如

vagrant@ubuntu-bionic:/home$ sudo su - nick
$ pwd
/home/nick
$ touch file.txt
$ ls -al
-rw-rw-r--  1 nick nick    0 Jul  3 12:06 file.txt

vagrant@ubuntu-bionic:/home$ cat /etc/group | grep 'developers'
developers:x:1002:nick,ldnelson,greg,alex,scott,jupyter

以下是其中一位用户在本地针对 vagrant 运行的详细输出:

changed: [192.168.33.10] => (item={'user': 'nick', 'role': 'developer', 'with_ga': False}) => {
    "append": true,
    "changed": true,
    "comment": "",
    "group": 1004,
    "groups": "developers",
    "home": "/home/nick",
    "invocation": {
        "module_args": {
            "append": true,
            "comment": null,
            "create_home": true,
            "createhome": true,
            "expires": null,
            "force": false,
            "generate_ssh_key": null,
            "group": null,
            "groups": [
                "developers"
            ],
            "hidden": null,
            "home": null,
            "local": null,
            "login_class": null,
            "move_home": false,
            "name": "nick",
            "non_unique": false,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "password_lock": null,
            "remove": false,
            "seuser": null,
            "shell": null,
            "skeleton": null,
            "ssh_key_bits": 0,
            "ssh_key_comment": "ansible-generated on ubuntu-bionic",
            "ssh_key_file": null,
            "ssh_key_passphrase": null,
            "ssh_key_type": "rsa",
            "state": "present",
            "system": false,
            "uid": null,
            "update_password": "always"
        }
    },
    "item": {
        "role": "developer",
        "user": "nick",
        "with_ga": false
    },
    "move_home": false,
    "name": "nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/sh",
    "state": "present",
    "uid": 1002
}

应该是不相关的，但我正在向开发人员组添加一些，因为我打算授予某些命令的 sudo 访问权限。

Answer 1

generic_password | password_hash('sha512')不是幂等的。每次运行 password_hash 函数时，散列的盐值都会发生变化。
要使其具有幂等性，请使用特定的盐运行它

- name: Generate all users for the environment
  user:
    password: "{{ generic_password | password_hash('sha512', 'mysalt') }}"

，或仅更新密码 on_create

- name: Generate all users for the environment
  user:
    update_password: on_create

(或注册 return values 并声明 changed_when )。

考虑密码的外部管理，例如 Ansible Vault或 Passwordstore .有一个用于密码存储的查找插件。见 ansible-doc -t lookup passwordstore .另见我的 Passwordstore 的实现.