Automated deployment with Ansible

Ansible bulk management methods

Ansible can manage hosts in bulk in one of two ways:

  • traditional password authentication
  • key-based management

【Set up the base environment】

1. Install ansible and its dependencies
[root@rsync-backup ~]# yum install ansible epel-release libselinux-python -y
[root@rsync-backup ~]# ansible --version
ansible 2.9.27
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Oct 14 2020, 14:45:30) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
2. Add the IP addresses of the managed machines
[root@rsync-backup ~]# tail -5 /etc/ansible/hosts 
[nginx-web]
10.0.0.30
[nfs]
10.0.0.50

Managing hosts in bulk with manual SSH password authentication

The first time the Ansible control node connects to the managed machines with an SSH password, the run fails as shown below:
[root@rsync-backup ~]# ansible nginx-web,nfs -a "hostname" -uroot -k
SSH password: 
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
10.0.0.50 | FAILED | rc=-1 >>
Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.
10.0.0.30 | FAILED | rc=-1 >>
Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.

【Solution】

Log in to each client machine manually once, so that its host key fingerprint is recorded in ~/.ssh/known_hosts
[root@rsync-backup ~]# ssh root@10.0.0.30
The authenticity of host '10.0.0.30 (10.0.0.30)' can't be established.
ECDSA key fingerprint is SHA256:oDTIv2dGDpRK75A1wq16dqYJXZR7llLgKjdjYynYjDQ.
ECDSA key fingerprint is MD5:08:91:e6:76:02:7f:c8:1b:04:9e:f4:c8:5d:12:3e:36.
Are you sure you want to continue connecting (yes/no)? yr^H
Please type 'yes' or 'no': yes
Warning: Permanently added '10.0.0.30' (ECDSA) to the list of known hosts.
root@10.0.0.30's password: 
Last login: Mon Jun  5 08:40:35 2023 from 10.0.0.1
[root@rsync-backup ~]# ssh root@10.0.0.50
The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established.
ECDSA key fingerprint is SHA256:PM/hTYwsFv4BVyBizk+ISbUOaC3DCDXUqaQ1YVfmICw.
ECDSA key fingerprint is MD5:a5:55:13:ca:33:11:57:5e:71:12:c8:70:39:66:71:a8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.50' (ECDSA) to the list of known hosts.
root@10.0.0.50's password: 
Last login: Mon Jun  5 08:41:16 2023 from 10.0.0.1

【Test the ansible command again】

[root@rsync-backup ~]# ansible nginx-web,nfs -a "hostname" -uroot -k
SSH password: 
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
10.0.0.50 | CHANGED | rc=0 >>
nfs
10.0.0.30 | CHANGED | rc=0 >>
nginx-web

Without passwordless login to the client machines, every ansible command asks for the root password, and if the hosts' passwords differ it has to be entered several times. Instead, connection parameters can be added to the inventory file /etc/ansible/hosts to manage the remote hosts.

Inventory file parameters

| Parameter | Type | Description |
| --- | --- | --- |
| ansible_host | general connection | IP address of the remote host |
| ansible_port | general connection | SSH connection port, default 22 |
| ansible_user | general connection | default user for the SSH remote connection |
| ansible_ssh_pass | connection control | password for the SSH remote host |

Ansible is meant to run in an environment with SSH key-based passwordless authentication, but it can still be used without one, as follows:

Configure the username and password in the Ansible inventory file
[root@rsync-backup ~]# tail -5 /etc/ansible/hosts 
[nginxweb]
10.0.0.30 ansible_ssh_user=root ansible_ssh_pass=123456
[nfs]
10.0.0.50 ansible_ssh_user=root ansible_ssh_pass=123456

Now no password has to be entered

[root@rsync-backup ~]# ansible nginxweb,nfs -a "hostname"
10.0.0.50 | CHANGED | rc=0 >>
nfs
10.0.0.30 | CHANGED | rc=0 >>
nginx-web

Note: because the client's username and password are written in plain text in the Ansible inventory file /etc/ansible/hosts, this kind of password authentication is not secure and is not recommended in production.
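As an added example (not part of the original post), the check below scans an INI-style inventory for the plaintext password variables the note above warns about, ignoring commented-out entries like the ones shown later in this post. The inventory file and host entries are constructed samples.

```shell
#!/bin/bash
# Added example: audit an Ansible INI inventory for plaintext SSH passwords.
# Only active (uncommented) host lines count; "#10.0.0.50 ... ansible_ssh_pass=..."
# is treated as disabled, which is how the post neutralises the entries later.

# Print "LINE: host" for every active host line carrying a password variable
# and return 1 if any was found, 0 if the inventory is clean.
audit_inventory() {
    inventory="$1"
    awk '
        # skip blank lines, comments and [group] headers
        /^[[:space:]]*$/ || /^[[:space:]]*#/ || /^[[:space:]]*\[/ { next }
        # the password-carrying host variables Ansible recognises
        /ansible_(ssh_pass|password|become_pass|become_password|sudo_pass)=/ {
            print NR ": " $1
            found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$inventory"
}

# Constructed sample inventory mirroring the post: one host still has its
# password inline, one has it commented out, one is key-only.
demo_inventory() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[nginxweb]
10.0.0.30 ansible_ssh_user=root ansible_ssh_pass=123456
[nfs]
#10.0.0.50 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.0.50
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: flags line 2 (10.0.0.30) and suggests the fix.
f=$(demo_inventory)
audit_inventory "$f" || echo "plaintext password(s) found: switch these hosts to SSH keys or move the values into an ansible-vault encrypted file"
rm -f "$f"
```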

Managing hosts in bulk with SSH keys (the approach normally used in production)

[root@rsync-backup ~]# ssh-keygen -t rsa -b 4096 -C "rsync-backup" >/dev/null 2>&1
- `ssh-keygen`: the command that generates an SSH key pair.

- `-t rsa`: `-t` selects the key type; here an RSA key pair is generated.

- `-b 4096`: `-b` sets the key length in bits, here 4096. A 4096-bit key is a higher security level and gives a stronger key.

- `-C "rsync-backup"`: `-C` adds a comment to the generated public key; here the comment is set to "rsync-backup".

- `>/dev/null 2>&1`: redirects the command's output to `/dev/null`, discarding it. `> /dev/null` sends standard output to the null device and `2>&1` sends standard error to the same place, so neither the output nor any error messages appear on the terminal.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
[root@rsync-backup ~]# ll ~/.ssh/
total 12
-rw-------. 1 root root 3243 Jun  5 09:52 id_rsa
-rw-r--r--. 1 root root  738 Jun  5 09:52 id_rsa.pub
-rw-r--r--. 1 root root  342 Jun  5 09:13 known_hosts

Distribute the public key interactively: push the public key created for the SSH service to the client machines

Writing a batch distribution script directly saves time and effort

[root@rsync-backup ansible]# cat distrubution.sh 
#!/bin/bash
# Regenerate the control node's key pair non-interactively (-P "" sets an empty passphrase)
rm -rf ~/.ssh/id_rsa*
ssh-keygen -f ~/.ssh/id_rsa -t rsa -b 4096 -C "rsync-backup" -P "" > /dev/null 2>&1
SSH_pass=123456
Key_path=~/.ssh/id_rsa.pub
hosts_IP=("10.0.0.30" "10.0.0.50")
for IP in "${hosts_IP[@]}"
do
    sshpass -p "$SSH_pass" ssh-copy-id -i "$Key_path" -o "StrictHostKeyChecking=no" "$IP"
done
# Non-interactive distribution needs sshpass to supply the SSH password; -o StrictHostKeyChecking=no
# skips the SSH host key confirmation prompt (and with it the first-contact host key check, so the
# hosts' keys are not verified against known_hosts during this run)
[root@rsync-backup ansible]# sh distrubution.sh 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.30'"
and check to make sure that only the key(s) you wanted were added.

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.50'"
and check to make sure that only the key(s) you wanted were added.

Edit the Ansible inventory file and comment out the host passwords

[root@rsync-backup ansible]# tail -7 /etc/ansible/hosts 
[nginxweb]
#10.0.0.30 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.0.30
[nfs]
#10.0.0.50 ansible_ssh_user=root ansible_ssh_pass=123456
10.0.0.50

Run the ansible command again; no password is required any more

[root@rsync-backup ansible]# ansible nginxweb,nfs -a "hostname"
10.0.0.30 | CHANGED | rc=0 >>
nginx-web
10.0.0.50 | CHANGED | rc=0 >>
nfs

Pitfall: failed to open ID file '/root/.ssh/id_rsa.pub': No such file or directory

When `ssh-keygen` generates an RSA key pair without an explicit key file path, it saves the key files in the current user's `.ssh/` directory. By default the RSA private key is stored in `~/.ssh/id_rsa` and the RSA public key in `~/.ssh/id_rsa.pub`.

In the example here the commands are run as `root`, so the generated key files are saved under `/root/.ssh/`: the private key in `/root/.ssh/id_rsa` and the public key in `/root/.ssh/id_rsa.pub`.

Note that other users have a different default path: for them the default `.ssh/` directory is `~/.ssh/` (the `.ssh/` directory under their own home directory).

posted @ 2023-06-05 22:54  Junwu's blog