
ansible - How to define sudo passwords for multiple hosts in one vault file?

Reposted. Author: 行者123. Updated: 2023-12-05 03:55:51

I want to run updates on multiple Linux servers that have different usernames and passwords. I think this is a common use case, but the documentation doesn't cover it. There is SSH authentication, but I need elevated access for the update process, and the Ansible tasks need too many privileges to do this through the sudoers file.

How can I get different ansible_password values for the inventory from one vault file, so that I can run the playbook, enter only one password to decrypt all the sudo passwords, and have it work?

Inventory:

[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
1.2.3.5 ansible_user=user2 ansible_password=password2
1.2.3.6 ansible_user=user3 ansible_password=password3

Playbook:

---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output

    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")

    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined

    - block:
        - name: "Create log directory"
          file:
            path: "{{ log_dir }}"
            state: directory
          changed_when: false

        - name: "Write changes to logfile"
          copy:
            content: "{{ output.stdout }}"
            # gather_facts is false above, so ansible_date_time is undefined;
            # strftime builds the timestamp on the controller instead
            dest: "{{ log_dir }}/dist-upgrade_{{ '%Y-%m-%dT%H:%M:%S' | strftime }}.log"
          changed_when: false

      when: updated is defined
      connection: local

Best answer

Q: "How can I get different ansible_password values for the inventory from one vault file?"

A: Create a dictionary with the passwords. For example, given the tree

shell> tree .
.
├── ansible.cfg
├── group_vars
│   └── servers
│       ├── ansible_password.yml
│       └── my_vault.yml
├── hosts
└── pb.yml
  1. Remove the passwords from the inventory file
shell> cat hosts
[servers]
1.2.3.4 ansible_user=user1
1.2.3.5 ansible_user=user2
1.2.3.6 ansible_user=user3
  2. Create a dictionary with the passwords
shell> cat group_vars/servers/my_vault.yml
my_vault:
  1.2.3.4:
    ansible_password: password1
  1.2.3.5:
    ansible_password: password2
  1.2.3.6:
    ansible_password: password3

and declare the variable ansible_password

shell> cat group_vars/servers/ansible_password.yml
ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
  3. Encrypt the file
shell> ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful

shell> cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
3361393763646264326661326433313837613531376266383239383761...
3564366531386130623162386332646366646561663763320a63353365...
...
  4. Playbook
shell> cat pb.yml
- hosts: servers
  tasks:
    - debug:
        var: ansible_password

gives

ok: [1.2.3.4] =>
ansible_password: password1
ok: [1.2.3.5] =>
ansible_password: password2
ok: [1.2.3.6] =>
ansible_password: password3

Using pass, the standard unix password manager

You can use pass instead of vault. For example, put the passwords into pass

shell> pass 1.2.3.4/user1
password1

shell> pass 1.2.3.5/user2
password2

shell> pass 1.2.3.6/user3
password3

and use the lookup plugin community.general.passwordstore. See the details with

shell> ansible-doc -t lookup community.general.passwordstore

Remove the file group_vars/servers/my_vault.yml and change the declaration of ansible_password

shell> cat group_vars/servers/ansible_password.yml
passwordstore_name: "{{ inventory_hostname }}/{{ ansible_user }}"
ansible_password: "{{ lookup('community.general.passwordstore',
passwordstore_name) }}"

The playbook above gives the same result.
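
The vault layout in the answer (inventory without inline passwords, a my_vault dictionary keyed by inventory_hostname, the file encrypted with ansible-vault) is easy to break on a later edit: a host gets added to the inventory but not to the dictionary, or my_vault.yml is committed before it has been encrypted. The following script is an example added here, not part of the original answer or of Ansible; it runs three pre-commit style checks against constructed sample files that follow the answer's file names (an INI inventory named hosts with a [servers] group, and group_vars/servers/my_vault.yml). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the answer's file names;
# all function names below are this example's own, and the sample files are
# constructed for illustration.
set -eu

WORK="$(mktemp -d)"
mkdir -p "$WORK/group_vars/servers"

# Constructed inventory as it should look after step 1 (no inline passwords).
cat > "$WORK/hosts" <<'EOF'
[servers]
1.2.3.4 ansible_user=user1
1.2.3.5 ansible_user=user2
1.2.3.6 ansible_user=user3
EOF

# Constructed inventory in the shape of the question (password inline), for contrast.
cat > "$WORK/hosts_bad" <<'EOF'
[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
EOF

# Constructed my_vault dictionary, still plaintext (step 3 not yet run).
# 1.2.3.6 is deliberately missing so the completeness check has something to report.
cat > "$WORK/group_vars/servers/my_vault.yml" <<'EOF'
my_vault:
  1.2.3.4:
    ansible_password: password1
  1.2.3.5:
    ansible_password: password2
EOF

# Constructed stand-in for an encrypted file: only the header line matters here.
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3361393763646264' > "$WORK/encrypted.yml"

# Check 1: the inventory must not carry inline credentials of any kind.
inventory_has_plaintext_secrets() {
    grep -Eq '(^|[[:space:]])ansible_(password|become_pass(word)?|ssh_pass)=' "$1"
}

# Check 2: a vault file is only safe to commit once it starts with the
# ansible-vault header shown in step 3 (payload format 1.1 or 1.2).
is_vault_encrypted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Hosts named in the inventory: first token of every line that is not a
# section header, a comment or blank.
inventory_hosts() {
    grep -Ev '^[[:space:]]*(\[|#|$)' "$1" | awk '{print $1}'
}

# Hosts keyed in the my_vault dictionary: the keys indented by exactly two
# spaces. Only meaningful on the decrypted file.
vault_hosts() {
    sed -n 's/^  \([^ ][^:]*\):[[:space:]]*$/\1/p' "$1"
}

# Check 3: every inventory host needs a my_vault entry, otherwise
# my_vault[inventory_hostname] is undefined on that host and the play fails.
# Prints the missing hosts (space separated) and returns 1 if there are any.
missing_vault_entries() {
    inv="$1"; vault="$2"; missing=""
    for h in $(inventory_hosts "$inv"); do
        if ! vault_hosts "$vault" | grep -qxF "$h"; then
            missing="$missing $h"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Report for a stand-alone run.
for f in hosts hosts_bad; do
    if inventory_has_plaintext_secrets "$WORK/$f"; then
        echo "FAIL: $f carries inline credentials"
    else
        echo "ok:   $f has no inline credentials"
    fi
done
if is_vault_encrypted "$WORK/group_vars/servers/my_vault.yml"; then
    echo "ok:   my_vault.yml is encrypted"
else
    echo "FAIL: my_vault.yml is plaintext; run ansible-vault encrypt before committing"
fi
if m="$(missing_vault_entries "$WORK/hosts" "$WORK/group_vars/servers/my_vault.yml")"; then
    echo "ok:   every inventory host has a my_vault entry"
else
    echo "FAIL: hosts without a my_vault entry: $m"
fi
```

The completeness check can only read the plaintext dictionary, so run it before ansible-vault encrypt, or feed it the output of ansible-vault view group_vars/servers/my_vault.yml. The header check is deliberately strict about the first line: a file that merely contains the string somewhere further down is not an encrypted vault file.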

On "ansible - How to define sudo passwords for multiple hosts in one vault file?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59842933/
