1) 在服务端安装ansible
[root@ansible-server ~]
# yum install -y ansible
2) 配置ansible到远程主机的ssh无密码信任关系 (authorized_key 模块)
批量实现多台服务器之间 ssh 无密码登录的相互信任关系, 可以参考之前的文章: https://www.cnblogs.com/kevingrace/p/9063745.html
这里采用Ansible 实现批量建立互信, 方法如下:
首先要生成ansible服务端本机 ssh 的key
[root@ansible-server ~]
# ssh-keygen -t rsa //一路回车
[root@ansible-server ~]
# ls /root/.ssh/
id_rsa id_rsa.pub
====================================================
需要注意 ssh 建立互信的命令格式:
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@[ip,hostname]
====================================================
在客户机比较多的情况下,使用 ssh-copy-id 命令的方法显然是有些费时,使用ansible-playbook 推送 yaml进行批量创建 ssh 互信关系就显得省事多了,
这里就使用到了ansible的authorized_key 模块:
首先要配置ansible清单 (远程主机的密码这里为 "123456")
[root@ansible-server ~]
# vim /etc/ansible/hosts
................
................
# Hosts targeted by the playbooks below. The login password is kept in clear
# text here, so limit who can read this file (or move the vars into a
# group_vars file encrypted with ansible-vault).
[ssh-host]
172.16.60.204
172.16.60.205
172.16.60.206
172.16.60.207

[ssh-host:vars]
# ansible_ssh_pass is the legacy name of ansible_password; both are accepted.
ansible_ssh_pass="123456"
==========================================================
发送公钥到目标机器命令格式如下 (注意: copy 模块会用 src 文件整体覆盖目标机上的 authorized_keys, 远程主机上原有的公钥会被删掉; 下面 playbook 里使用的 authorized_key 模块是追加方式, 不会影响已有的公钥):
# ansible ssh-host -m copy -a "src=/root/.ssh/id_rsa.pub dest=/root/.ssh/authorized_keys mode=600"
==========================================================
编写playbook文件
[root@ansible-server ~]
# vim /opt/ssh_key.yaml
---
# Push the control node's public key to every host in the ssh-host group
# (the group is defined in /etc/ansible/hosts); the play logs in as root.
- hosts: ssh-host
  user: root
  tasks:
    # authorized_key adds the key to /root/.ssh/authorized_keys on the remote
    # host and leaves keys already present in place. The lookup reads the
    # public key file on the control node.
    - name: ssh-copy
      authorized_key:
        user: root
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
注意上面yaml脚本中的 "ssh-host" 是在 /etc/ansible/hosts 清单文件里配置的远程客户机列表
这里做的是基于远程主机root用户的 ssh 互信
执行批量互信
[root@ansible-server ~]
# ansible-playbook /opt/ssh_key.yaml
PLAY [
ssh
-host] ************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************
ok: [172.16.60.204]
ok: [172.16.60.205]
ok: [172.16.60.206]
ok: [172.16.60.207]
TASK [
ssh
-copy] ************************************************************************************************************************
changed: [172.16.60.205]
changed: [172.16.60.204]
changed: [172.16.60.206]
changed: [172.16.60.207]
PLAY RECAP *****************************************************************************************************************************
172.16.60.204 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.205 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.206 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.207 : ok=2 changed=1 unreachable=0 failed=0
最后验证下 ssh 互信
[root@ansible-server ~]
# ansible -i /etc/ansible/hosts ssh-host -m shell -a "whoami"
172.16.60.204 | SUCCESS | rc=0 >>
root
172.16.60.205 | SUCCESS | rc=0 >>
root
172.16.60.207 | SUCCESS | rc=0 >>
root
172.16.60.206 | SUCCESS | rc=0 >>
root
至此, ansible批量创建到远程客户机的 ssh 信任关系已经实现了!
3) Ansible批量更新远程主机用户密码方法
方法一: 使用Ansible的user模块批量修改远程客户机的用户密码
由于在使用ansible修改用户密码的时候不能使用明文的方式,需要先加密,所以就需要使用一个方法对输入的明文的密码进行加密.
废话不多说了. 下面直接记录下操作方法:
[root@ansible-server ~]
# vim /opt/root_passwd.yaml
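---
# Set the password of one or more local accounts on every host in ssh-host.
# The user module only accepts an already hashed password, hence password_hash.
- hosts: ssh-host
  gather_facts: false
  tasks:
    - name: change user passwd
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always
      # Each item carries a clear-text password: without no_log Ansible echoes
      # it for every host in the task output (item={... 'chpass': ...}).
      no_log: true
      # password_hash() draws a fresh random salt on every run, so the stored
      # hash never matches and the task reports "changed" each time, even when
      # the password did not change.
      with_items:
        - { name: 'root', chpass: 'kevin@123' }
        - { name: 'app', chpass: 'bjop123' }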
注意上面在yaml文件中修改了远程客户机的root用户密码, app用户密码.
如果还想要修改其他用户密码, 则继续按照上面规则添加即可!
执行ansible-play
[root@ansible-server ~]
# ansible-playbook /opt/root_passwd.yaml
PLAY [
ssh
-host] ************************************************************************************************************************
TASK [change user
passwd
] **************************************************************************************************************
changed: [172.16.60.204] => (item={u
'chpass'
: u
'kevin@123'
, u
'name'
: u
'root'
})
changed: [172.16.60.205] => (item={u
'chpass'
: u
'kevin@123'
, u
'name'
: u
'root'
})
changed: [172.16.60.204] => (item={u
'chpass'
: u
'bjop123'
, u
'name'
: u
'app'
})
changed: [172.16.60.205] => (item={u
'chpass'
: u
'bjop123'
, u
'name'
: u
'app'
})
changed: [172.16.60.206] => (item={u
'chpass'
: u
'kevin@123'
, u
'name'
: u
'root'
})
changed: [172.16.60.206] => (item={u
'chpass'
: u
'bjop123'
, u
'name'
: u
'app'
})
changed: [172.16.60.207] => (item={u
'chpass'
: u
'kevin@123'
, u
'name'
: u
'root'
})
changed: [172.16.60.207] => (item={u
'chpass'
: u
'bjop123'
, u
'name'
: u
'app'
})
PLAY RECAP *****************************************************************************************************************************
172.16.60.204 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.205 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.206 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.207 : ok=1 changed=1 unreachable=0 failed=0
方法二: 修改远程主机的单个用户密码使用此方法比较方便
编写playbook文件
[root@ansible-server ~]
# vim /opt/root_passwd2.yaml
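---
# Change the password of a single account on every host in ssh-host.
# name1 (account) and chpass (new clear-text password) are passed on the
# ansible-playbook command line with -e.
- hosts: ssh-host
  gather_facts: false
  tasks:
    - name: Change password
      user: name={{ name1 }} password={{ chpass | password_hash('sha512') }} update_password=always
      # chpass is clear text: keep it out of the task output and any log file.
      no_log: true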
执行ansible-playbook, 使用-e参数传递用户名和密码给剧本, 其中root为用户名, admin#123就是修改后的root密码 (注意: 通过 -e 在命令行里传入的密码会留在 shell 历史记录和进程列表中, 可以改用 -e @vars.yml 从文件中读取变量)
[root@ansible-server ~]
# ansible-playbook /opt/root_passwd2.yaml -e "name1=root chpass=admin#123"
PLAY [
ssh
-host] ************************************************************************************************************************
TASK [Change password] *****************************************************************************************************************
changed: [172.16.60.204]
changed: [172.16.60.205]
changed: [172.16.60.206]
changed: [172.16.60.207]
PLAY RECAP *****************************************************************************************************************************
172.16.60.204 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.205 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.206 : ok=1 changed=1 unreachable=0 failed=0
172.16.60.207 : ok=1 changed=1 unreachable=0 failed=0
方法三: 使用如下Ansible脚本, 适用于修改清单中部分远程主机的用户密码
编写ansible-playbook脚本 (需要注意下面脚本中 "ens192" 是客户机ip所在的网卡设备名称, 这个要根据自己实际环境去配置, 比如eth0, eth1等)
[root@ansible-server ~]
# cat /opt/root_passwd4.yaml
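# Set root's password only on the hosts whose address appears in the list
# below. Facts must be gathered (the default) because the when clause reads
# ansible_ens192; rename ens192 to match the NIC of the target hosts.
- hosts: test-host
  remote_user: root
  tasks:
    - name: change password for root
      # user module instead of `shell: echo '...' | passwd --stdin root`: the
      # shell form places the clear-text password in the argument of
      # /bin/sh -c, where any local user can read it with ps, and --stdin is
      # only available in RHEL-family passwd.
      user: name=root password={{ item.password | password_hash('sha512') }} update_password=always
      # Keep the clear-text item out of the task output and logs.
      no_log: true
      # Plain expression: wrapping item.ip in {{ }} triggers the "when
      # statements should not include jinja2 templating delimiters" warning.
      when: ansible_ens192.ipv4.address == item.ip
      with_items:
        - { ip: "172.16.60.220", password: 'haha@123' }
        - { ip: "172.16.60.221", password: 'kevin@123' }
        - { ip: "172.16.60.222", password: 'bobo@123' }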
执行ansible-playbook:
[root@ansible-server ansible]
# ansible-playbook /opt/root_passwd3.yaml
PLAY [
ssh
-host] ************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************
ok: [172.16.60.204]
ok: [172.16.60.205]
ok: [172.16.60.206]
ok: [172.16.60.207]
TASK [change password
for
root] ********************************************************************************************************
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
==
'{{ item.ip }}'
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
==
'{{ item.ip }}'
skipping: [172.16.60.205] => (item={u
'ip'
: u
'172.16.60.204'
, u
'password'
: u
'haha@123'
})
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
==
'{{ item.ip }}'
skipping: [172.16.60.206] => (item={u
'ip'
: u
'172.16.60.204'
, u
'password'
: u
'haha@123'
})
skipping: [172.16.60.206] => (item={u
'ip'
: u
'172.16.60.205'
, u
'password'
: u
'kevin@123'
})
[WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
==
'{{ item.ip }}'
skipping: [172.16.60.207] => (item={u
'ip'
: u
'172.16.60.204'
, u
'password'
: u
'haha@123'
})
skipping: [172.16.60.207] => (item={u
'ip'
: u
'172.16.60.205'
, u
'password'
: u
'kevin@123'
})
skipping: [172.16.60.207] => (item={u
'ip'
: u
'172.16.60.206'
, u
'password'
: u
'bobo@123'
})
changed: [172.16.60.205] => (item={u
'ip'
: u
'172.16.60.205'
, u
'password'
: u
'kevin@123'
})
skipping: [172.16.60.205] => (item={u
'ip'
: u
'172.16.60.206'
, u
'password'
: u
'bobo@123'
})
changed: [172.16.60.204] => (item={u
'ip'
: u
'172.16.60.204'
, u
'password'
: u
'haha@123'
})
skipping: [172.16.60.204] => (item={u
'ip'
: u
'172.16.60.205'
, u
'password'
: u
'kevin@123'
})
skipping: [172.16.60.204] => (item={u
'ip'
: u
'172.16.60.206'
, u
'password'
: u
'bobo@123'
})
changed: [172.16.60.206] => (item={u
'ip'
: u
'172.16.60.206'
, u
'password'
: u
'bobo@123'
})
PLAY RECAP *****************************************************************************************************************************
172.16.60.204 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.205 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.206 : ok=2 changed=1 unreachable=0 failed=0
172.16.60.207 : ok=1 changed=0 unreachable=0 failed=0
如果ansible服务端没有和远程主机做 ssh 信任关系, 则可以在hosts清单配置里直接指明用户名和密码.
如果使用普通用户, 并且允许 sudo, 则需要提前在客户机里的 /etc/sudoers 文件里配置好该普通用户的 sudo 配置, 即允许该普通用户有 sudo 权限.
[root@ansible-server ~]
# vim /etc/ansible/hosts
................
[test-host]
# Per-host login settings: ansible_ssh_user / ansible_ssh_pass / ansible_ssh_port;
# ansible_sudo_pass is required where the login user has to escalate via sudo.
# All passwords are stored in clear text, so keep this file unreadable to others.
172.16.60.220 ansible_ssh_user=root ansible_ssh_pass=123456 ansible_ssh_port=22
172.16.60.221 ansible_ssh_user=root ansible_ssh_pass=bo@123 ansible_ssh_port=22
172.16.60.222 ansible_ssh_user=app ansible_ssh_pass=bj@123 ansible_ssh_port=22 ansible_sudo_pass=bj@123
即172.16.60.220客户机上要提前配置, 允许app用户具有 sudo 权限.
执行:
[root@ansible-server ~]
# ansible test-host -m shell -a "hostname"
172.16.60.222 | SUCCESS | rc=0 >>
k8s-node02
172.16.60.220 | SUCCESS | rc=0 >>
k8s-master01
172.16.60.221 | SUCCESS | rc=0 >>
k8s-node01
[root@ansible-server ~]
# ansible -i /etc/ansible/hosts test-host -m shell -a "hostname"
172.16.60.222 | SUCCESS | rc=0 >>
k8s-node02
172.16.60.220 | SUCCESS | rc=0 >>
k8s-master01
172.16.60.221 | SUCCESS | rc=0 >>
k8s-node01