Ansible入门系列--普通用户执行playbook
Ansible使用普通用户远程执行任务
一、架构图
二、操作流程
1、被控端生成普通用户
#!/bin/bash function user00_init() { mkdir -p /data/home mkdir -p /data/corefile/ useradd -m -d /data/home/user00 -g users -u 30000 user00 chown user00:users /data/home/user00 chown user00:users /data/corefile/ usermod -G users -d /data/home/user00 user00 mkdir -p /data/home/user00/{bin,release,backup,log,soft} chown user00:users /data/home/user00/{bin,release,backup,log,soft} mkdir -p /data/home/user00/bin/pid/ chown user00:users /data/home/user00/bin/pid/ cp /root/.bash_profile /data/home/user00/ cp /root/.bashrc /data/home/user00/ chown user00:users /data/home/user00/.bashrc chown user00:users /data/home/user00/.bash_profile } user00_init
2、被控端普通用户sudo提权
ansible 10.8.66.23 -m lineinfile -a "path=/etc/sudoers line='user00 ALL=(ALL) NOPASSWD: ALL'"
3、主控端设置普通用户免密登录被控端
ssh-copy-id user00@10.8.66.23
4、普通用户执行脚本
[root@ansible /etc/ansible/roles/init/tasks]# cat /etc/ansible/roles/test.yml --- - hosts: testuser00 remote_user: user00 become: yes become_method: sudo tasks: # task 1 - name: test connection ping: register: message # task 11 - name: test user local_action: command whoami register: current_user # task 2 - name: print debug message debug: msg: "{{ current_user }}"
注意:如果有需要,可以使用sudo切换到root执行脚本。
5、设置用户和提权
remote_user = user00
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[root@ansible ~]# cat /etc/ansible/ansible.cfg |grep -v "#"|grep -v ^$ [defaults] host_key_checking = False remote_user = user00 log_path = /var/log/ansible.log module_name = command [inventory] [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=False [paramiko_connection] [ssh_connection] [persistent_connection] [accelerate] [selinux] [colors] [diff]
5、Ansible连接主机时常见错误
I. 对之前未连接的主机进行连结时报错如下:
[root@linux ~]# ansible webservers -m command -a 'ls ~' -k
SSH password:
120.76.25.191 | FAILED | rc=0 >>
Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host.
解决步骤:修改ansible.cfg文件
1) vi /etc/ansible/ansible.cfg
2) 找到以下行,让host_key_checking=False这行生效
# uncomment this to disable SSH key host checking
host_key_checking = False
II. 在ansible安装完毕后一般需要以SSH的方式连接到需要进行管理的目标主机,一开始遇到了如下问题:
120.76.25.191 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
"unreachable": true
}
问题原因很简单,没有在ansible管理节点(即安装ansible的节点)上添加目标节点(即需要管理的节点)的ssh认证信息。
解决步骤:
1:管理节点生成SSH-KEY
#ssh-keygen
成功后在~/.ssh/路径下将生成ssh密钥文件:id_rsa及id_rsa.pub
2:添加目标节点的SSH认证信息
#ssh-copy-id root@目标节点IP
这里root是在目标节点上登录的用户,@符号后面接目标节点IP即可,之后会提示输入目标节点root用户密码,输入即可。
添加认证信息后,目标节点主机的~/.ssh/目录下将会出现一个authorized_keys文件,里面包含了ansible管理节点的公钥信息,可以检查一下是否存在。
3:在确定目标主机的SSH认证信息都已正确添加且目标主机的~/.ssh/目录都存在管理节点的公钥信息后,再执行之前出错的ansible ping指令:
#ansible -m ping all
120.76.25.191 | SUCCESS => {
"changed": false,
"ping": "pong"
}