Ansible: how do I define sudo passwords for multiple hosts in one vault file?


I want to run updates on multiple Linux servers that all have different usernames and passwords. I think this is a common use case, but it is not covered in the documentation. There is SSH auth, but I need elevated access for the update process, and the Ansible tasks need too many privileges to make this work through the sudoers file.

How do I get different ansible_password values for the hosts in my inventory out of a single vault file, so that I can run the playbook, type one password to decrypt all the sudo passwords, and have it work?

Inventory:

[servers]
1.2.3.4    ansible_user=user1 ansible_password=password1
1.2.3.5    ansible_user=user2 ansible_password=password2
1.2.3.6    ansible_user=user3 ansible_password=password3
Playbook:

---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output

    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")

    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined

    - block:
      - name: "Create log directory"
        file:
          path: "{{ log_dir }}"
          state: directory
        changed_when: false

      - name: "Write changes to logfile"
        copy:
          content: "{{ output.stdout }}"
          dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
        changed_when: false

      when: updated is defined
      connection: local

Move ansible_user and ansible_password out of your inventory and into your host_vars directory. That is, make your inventory look like this:

[servers]
1.2.3.4
1.2.3.5
1.2.3.6
Then run

ansible-vault create host_vars/1.2.3.4.yml

and give it the following content:

ansible_user: user1
ansible_password: password1

And so on for the other hosts in the inventory.

Q: "How do I get different ansible_password values for the inventory hosts out of the same vault file?"

A: You can use set_fact and add the decrypted variable. For example

- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"

- hosts: servers
  tasks:
  - debug:
      var: ansible_password
1) Remove the passwords from the inventory file

[servers]
1.2.3.4    ansible_user=user1
1.2.3.5    ansible_user=user2
1.2.3.6    ansible_user=user3
2) Create a dictionary with the passwords

$ cat group_vars/servers/my_vault.yml
my_vault:
  '1.2.3.4':
    ansible_password: 'password1'
  '1.2.3.5':
    ansible_password: 'password2'
  '1.2.3.6':
    ansible_password: 'password3'
3) Encrypt the file

$ ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful
$ cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
4) The playbook below adds the variable ansible_password to every host in the first play and uses it in the second play. For example

- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"

- hosts: servers
  tasks:
  - debug:
      var: ansible_password
gives
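An added example that is not part of either answer: the same vault-dictionary approach with the checks a practitioner would want before pointing it at real hosts. It assumes the my_vault dictionary from step 2 above, plus an optional ansible_become_password key per host (an assumption; the page only stores ansible_password), and it runs with a single --ask-vault-pass prompt exactly as the question wants.

```yaml
# Added example, not the original answer's playbook.
# Assumes group_vars/servers/my_vault.yml (vault-encrypted) with the shape:
#   my_vault:
#     '1.2.3.4':
#       ansible_password: 'password1'
#       ansible_become_password: 'sudo-password1'   # assumed, optional key
# Run with: ansible-playbook -i hosts play.yml --ask-vault-pass
- hosts: servers
  gather_facts: false
  tasks:
    - name: Fail early for hosts that have no entry in the vault dictionary
      # Without this guard a missing host surfaces as an opaque Jinja error
      # from the set_fact below instead of a readable message.
      assert:
        that:
          - inventory_hostname in my_vault
          - "'ansible_password' in my_vault[inventory_hostname]"
        fail_msg: "no vault entry for {{ inventory_hostname }} in my_vault"

    - name: Inject per-host credentials without echoing them into the log
      # SSH password and sudo password are separate Ansible variables; fall
      # back to the SSH password when the host has no dedicated sudo entry.
      set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
        ansible_become_password: >-
          {{ my_vault[inventory_hostname].ansible_become_password
             | default(my_vault[inventory_hostname].ansible_password) }}
      no_log: true

- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  tasks:
    - name: Verify that privilege escalation works, printing no secret
      command: id -u
      register: uid
      changed_when: false

    - name: Stop if we did not actually become root
      assert:
        that: uid.stdout == "0"
        fail_msg: "become did not yield root on {{ inventory_hostname }}"
```

Unlike the answer's debug task, nothing here prints ansible_password; the second play proves the credentials work by checking the effective uid instead.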
