Just over the first pass with the dust not yet washed off, spur the horse and press on! This article covers Ansible's ansible.cfg configuration file and is meant to be a useful reference.
Managing the configuration file
The behaviour of an Ansible installation is defined by the settings in the ansible.cfg configuration file.
- The default global configuration file is /etc/ansible/ansible.cfg.
- If you create your own ansible.cfg to replace /etc/ansible/ansible.cfg, you need to copy all the settings from /etc/ansible/ansible.cfg into the new file: a setting that is not defined in your file keeps its built-in default, even if the global /etc/ansible/ansible.cfg sets it to some other value.
- At run time Ansible first checks for an ansible.cfg in the directory where the ansible command is run; if there is none, it checks for ~/.ansible.cfg in the user's home directory; if no other configuration file is found it uses the global /etc/ansible/ansible.cfg; and if that does not exist either, Ansible uses its built-in defaults.
- The ANSIBLE_CONFIG environment variable can specify the configuration file location; a file given this way overrides all other configuration files.
- Section headings in the configuration file are enclosed in square brackets [].
- Within a section, each setting is defined as a key = value pair.
- [defaults]
- [privilege_escalation]
```ini
[defaults]
inventory = ./inventory
remote_user = user
ask_pass = false

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
```
Setting descriptions
Key | Value (description) |
---|---|
inventory | Path to the inventory file. |
remote_user | Name of the user to log in as on the managed hosts. If not specified, the name of the current user is used. |
ask_pass | Whether to prompt for the SSH password. Can be false if SSH public-key authentication is used. |
become | Whether to switch user automatically on the managed host after connecting (usually to root). Can also be specified per play. |
become_method | How to switch user (usually sudo, which is also the default; su is another option). |
become_user | The user to switch to on the managed host (usually root, which is also the default). |
become_ask_pass | Whether to prompt for a password for the become_method. Defaults to false. |
- The inventory contains the host groups and managed hosts, so its location must be specified.
- Which connection protocol to use when talking to managed hosts (SSH by default), and whether a non-standard network port is needed to reach them.
- Which remote user to use on the managed hosts: root or some other privileged user.
- If that user is unprivileged, whether to attempt privilege escalation to root, and how.
- Whether to prompt for an SSH password or a sudo password when logging in or escalating privileges.
- In the [defaults] section, inventory can point directly to a single static inventory file, or to a directory holding multiple static and dynamic inventory files.
- By default Ansible connects to managed hosts with the same user name as the local user running the ansible command; to use a different remote user, set remote_user to that user name.
- Ansible logs in over SSH by default. If the local user running Ansible has an SSH key that authenticates as the remote user on the managed hosts, Ansible logs in automatically; otherwise set ask_pass = true so that Ansible prompts the local user for the remote user's password.
- To enable privilege escalation by default, set become = true in the configuration file; it can of course be overridden in various ways when running ad hoc commands or playbooks.
- become_method sets how privileges are escalated; several options are available, but sudo is the default.
- become_user sets the user to escalate to; the default is root.
- If the chosen become_method requires the user to enter a password in order to escalate, set become_ask_pass = true in the configuration file.
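As an added illustration (not Ansible's own code and not from the original post), the following Python re-implements the lookup order and built-in defaults described above, and shows that a config file in a world-writable working directory is skipped, which is what Ansible itself does; the embedded config text is a constructed copy of the final ansible.cfg from the lab below.

```python
import configparser
import os
import stat
import tempfile

# Built-in defaults applied to any key absent from the loaded file.
DEFAULTS = {"inventory": "/etc/ansible/hosts", "remote_user": None, "ask_pass": False,
            "become": False, "become_method": "sudo", "become_user": "root",
            "become_ask_pass": False}
BOOL_KEYS = {"ask_pass", "become", "become_ask_pass"}
PHASE2_CFG = (  # constructed copy of the lab's final ansible.cfg
    "[defaults]\ninventory = ./inventory\nremote_user = sunyinpeng\n"
    "ask_pass = false\n[privilege_escalation]\nbecome = true\n"
    "become_method = sudo\nbecome_user = root\nbecome_ask_pass = false\n")

def find_config(env, cwd, home, global_cfg="/etc/ansible/ansible.cfg"):
    """Return the single ansible.cfg Ansible would load, in the documented order."""
    if env.get("ANSIBLE_CONFIG"):
        return env["ANSIBLE_CONFIG"]
    cwd_cfg = os.path.join(cwd, "ansible.cfg")
    # Ansible skips ./ansible.cfg when the working directory is world-writable,
    # so another local user cannot plant a config that your credentials then run.
    if os.path.isfile(cwd_cfg) and not (os.stat(cwd).st_mode & stat.S_IWOTH):
        return cwd_cfg
    for candidate in (os.path.join(home, ".ansible.cfg"), global_cfg):
        if os.path.isfile(candidate):
            return candidate
    return None  # no file at all: only the built-in defaults apply

def effective_settings(cfg_text):
    """Overlay one file on DEFAULTS: unset keys keep defaults, files never merge."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    result = dict(DEFAULTS)
    for section in ("defaults", "privilege_escalation"):
        for key, value in (cp.items(section) if cp.has_section(section) else []):
            value = value.strip()
            result[key] = value.lower() in ("true", "yes", "1") if key in BOOL_KEYS else value
    return result

def demo_lookup():
    """Same file, skipped or found depending only on the directory's mode bits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ansible.cfg"), "w") as fh:
            fh.write(PHASE2_CFG)
        os.chmod(d, 0o777)  # world-writable: the file must be ignored
        skipped = find_config({}, d, d, global_cfg=os.path.join(d, "missing"))
        os.chmod(d, 0o755)  # normal mode: the same file is now chosen
        picked = find_config({}, d, d, global_cfg=os.path.join(d, "missing"))
        return skipped, effective_settings(open(picked).read())
```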
- All hosts are on the same network, can reach each other, and accept remote logins as root.
- Each host has only one user, the root superuser.
- Create a regular user on the control node and generate an SSH key pair.
- Create and edit an ansible.cfg that logs in to the managed hosts as the superuser with a password, in order to create the user.
- Create and configure a playbook that creates the regular user and copies the public key to the managed hosts, so that the regular user can log in to them with the SSH key.
- Allow the regular user on the managed hosts to switch to the root superuser without a password, to obtain full privileges.
- Configure ansible.cfg to log in to the managed hosts as the regular user with the key and then switch to root without a password.
[root@controller ~]# useradd sunyinpeng
[root@controller ~]# passwd sunyinpeng
Changing password for user sunyinpeng.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Enable full sudo access for the user
# Create a file for the user in /etc/sudoers.d/ with the following content
[root@controller ~]# cd /etc/sudoers.d/
[root@controller sudoers.d]# touch user
[root@controller sudoers.d]# vim user
```
sunyinpeng ALL=(ALL) NOPASSWD:ALL
```
# Test
[sunyinpeng@controller ~]$ sudo su - root
[root@controller ~]#
Generate an SSH key pair as the regular user
[sunyinpeng@controller ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sunyinpeng/.ssh/id_rsa):
Created directory /home/sunyinpeng/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sunyinpeng/.ssh/id_rsa.
Your public key has been saved in /home/sunyinpeng/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:KHPrUtve9VZwKplgUfYwWHeCBMTwhhTZEZIqlcHG1vA sunyinpeng@controller
The key's randomart image is:
+---[RSA 3072]----+
|oo==O=OB.o .|
|Bo++=..= o |
|+ .E o..|
|. .. .o. .|
|o.o S. . o + |
|+..+ . .|
|..o.. . |
|... .. . ..|
|.... ...|
+----[SHA256]-----+
-----------------------------------------------------------------------------------------
# Find the public key and note its location
# The "public key" line above shows where it was saved; enter the directory to confirm
[sunyinpeng@controller ~]$ cd /home/sunyinpeng/.ssh/
[sunyinpeng@controller .ssh]$ ls
id_rsa  id_rsa.pub
Configure the hosts file on the control node
[sunyinpeng@controller demo]$ sudo vim /etc/hosts
```
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
::1             localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.101   servera
192.168.1.102   serverb
192.168.1.103   serverc
192.168.1.104   serverd
192.168.1.105   servere
```
Custom ansible directory with its own configuration file and inventory
When writing Ansible playbooks, complex environments and many projects mean a large number of features and settings in use, which quickly becomes hard to manage. A custom directory with its own ansible.cfg, from which the playbook tasks are run, keeps each project's configuration together and easier to manage.
Create and edit ansible.cfg
[sunyinpeng@controller ~]$ sudo mkdir -p /etc/opt/ansible/demo
[sunyinpeng@controller ~]$ sudo cp /etc/ansible/ansible.cfg /etc/opt/ansible/demo/
[sunyinpeng@controller demo]$ ls
ansible.cfg
[sunyinpeng@controller demo]$ sudo vim ansible.cfg
```ini
[defaults]
inventory = ./inventory
remote_user = root
ask_pass = true

[privilege_escalation]
become = false
```
Create the inventory
[sunyinpeng@controller demo]$ sudo vim inventory
```ini
[client]
servera
serverb
serverc
serverd
servere
```
Create the playbook
[sunyinpeng@controller demo]$ sudo vim create_user.yml
```yaml
---
- name: create users
  hosts: client
  tasks:
    - name: create user
      user:
        name: "{{ item.user }}"
        shell: /bin/bash
        # the clear-text value is hashed on the control node; only the hash reaches the host
        password: "{{ item.pass | password_hash('sha512') }}"
      loop:
        - { user: sunyinpeng, pass: "123" }
    - name: Public key
      authorized_key:
        user: sunyinpeng
        state: present
        key: "{{ item }}"
      with_file:
        - /home/sunyinpeng/.ssh/id_rsa.pub
    - name: configure user-free authorization
      copy:
        content: "sunyinpeng ALL=(ALL) NOPASSWD:ALL\n"
        dest: /etc/sudoers.d/user
        mode: "0440"
        # visudo -c rejects a malformed drop-in before it can break sudo on the host
        validate: /usr/sbin/visudo -cf %s
```
Run the playbook
[sunyinpeng@controller demo]$ ls
ansible.cfg  create_user.yml  inventory
[sunyinpeng@controller demo]$ sudo ansible-playbook create_user.yml
SSH password:

PLAY [create users] ****************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [serverd]
ok: [serverb]
ok: [servere]
ok: [serverc]
ok: [servera]

TASK [create user] *****************************************************************************************************
changed: [servera] => (item={user: sunyinpeng, pass: 123})
changed: [serverd] => (item={user: sunyinpeng, pass: 123})
changed: [servere] => (item={user: sunyinpeng, pass: 123})
changed: [serverc] => (item={user: sunyinpeng, pass: 123})
changed: [serverb] => (item={user: sunyinpeng, pass: 123})

TASK [Public key] ******************************************************************************************************

TASK [configure user-free authorization] *******************************************************************************
changed: [serverd]
changed: [servere]
changed: [servera]
changed: [serverb]
changed: [serverc]

PLAY RECAP *************************************************************************************************************
servera : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverb : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverc : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverd : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
servere : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Test
# The regular user's public key has now been copied to the managed hosts, so passwordless login can be tested
[sunyinpeng@controller demo]$ ssh sunyinpeng@servera
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Nov 19 05:27:35 2021 from 192.168.1.100
Finally, configure ansible.cfg so that the regular user logs in without a password and then switches to the superuser without a password
# Edit ansible.cfg
[sunyinpeng@controller demo]$ sudo vim ansible.cfg
```ini
[defaults]
inventory = ./inventory
remote_user = sunyinpeng
ask_pass = false

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
```
# To make the result more visible, write another playbook that installs the Apache httpd service on the managed hosts as root and writes "Welcome to apache"
[sunyinpeng@controller demo]$ sudo vim install_httpd.yml
```yaml
---
- name: install apache
  hosts: client
  tasks:
    # lab shortcut: the next two tasks disable the host firewall and put SELinux
    # into permissive mode (setenforce 0 does not persist across a reboot)
    - name: stop firewalld
      service:
        name: firewalld
        state: stopped
        enabled: no
    - name: setenforce 0
      shell: "setenforce 0"
      failed_when: false
    - name: installer apache
      yum:
        name: httpd
        state: latest
    - name: write index.html
      copy:
        content: " Welcome to apache!"
        dest: /var/www/html/index.html
    - name: restart httpd
      service:
        name: httpd
        state: restarted
```
# Run this playbook
[sunyinpeng@controller demo]$ ls
ansible.cfg  create_user.yml  install_httpd.yml  inventory
[sunyinpeng@controller demo]$ ansible-playbook install_httpd.yml

PLAY [install apache] **************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [serverd]
ok: [servere]
ok: [serverb]
ok: [serverc]
ok: [servera]

TASK [stop firewalld] **************************************************************************************************
ok: [servere]
ok: [servera]
ok: [serverc]
ok: [serverb]
ok: [serverd]

TASK [setenforce 0] ****************************************************************************************************
changed: [serverd]
changed: [servere]
changed: [serverc]
changed: [serverb]
changed: [servera]

TASK [installer apache] ************************************************************************************************
changed: [servera]
changed: [serverb]
changed: [servere]
changed: [serverc]
changed: [serverd]

TASK [write index.html] ************************************************************************************************
changed: [servera]
changed: [serverb]
changed: [serverc]
changed: [serverd]
changed: [servere]

TASK [restart httpd] ***************************************************************************************************
changed: [serverb]
changed: [servere]
changed: [serverc]
changed: [serverd]
changed: [servera]

PLAY RECAP *************************************************************************************************************
servera : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverb : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverc : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
serverd : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
servere : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Final test
[sunyinpeng@controller demo]$ curl http://servera
Welcome to apache!
[sunyinpeng@controller demo]$ curl http://serverb
Welcome to apache!
[sunyinpeng@controller demo]$ curl http://serverc
Welcome to apache!
[sunyinpeng@controller demo]$ curl http://serverd
Welcome to apache!
[sunyinpeng@controller demo]$ curl http://servere
Welcome to apache!