Ansible: how do I define sudo passwords for multiple hosts in one vault file?
I want to run updates on several Linux servers, all of which have different usernames and passwords. I think this is a common use case, but the documentation does not cover it. There is SSH auth, but I need elevated privileges for the update process, and the Ansible tasks would need too many permissions to achieve that through the sudoers file. How do I get the different ansible_password values for the inventory from one vault file, so that I can run the playbook, enter only one password to decrypt all the sudo passwords, and have it work? Inventory:
[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
1.2.3.5 ansible_user=user2 ansible_password=password2
1.2.3.6 ansible_user=user3 ansible_password=password3
Playbook:
---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output
    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")
    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined
    - block:
        - name: "Create log directory"
          file:
            path: "{{ log_dir }}"
            state: directory
          changed_when: false
        - name: "Write changes to logfile"
          copy:
            content: "{{ output.stdout }}"
            # ansible_date_time is a gathered fact; with gather_facts: false it is
            # undefined unless a setup task has run before this point
            dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
          changed_when: false
      when: updated is defined
      connection: local
Move ansible_user and ansible_password out of your inventory and into your host_vars directory. That is, make your inventory look like this:
[servers]
1.2.3.4
1.2.3.5
1.2.3.6
Then run `ansible-vault create host_vars/1.2.3.4.yml` and give it the following content:
ansible_user: user1
ansible_password: password1
and so on for the other hosts in the inventory.
Q: "How do I get the different ansible_password values for the inventory from the same vault file?"
A: You can use set_fact to add the decrypted variable. For example
- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
- hosts: servers
  tasks:
    - debug:
        var: ansible_password
1) Remove the passwords from the inventory file
[servers]
1.2.3.4 ansible_user=user1
1.2.3.5 ansible_user=user2
1.2.3.6 ansible_user=user3
2) Create a dictionary with the passwords
$ cat group_vars/servers/my_vault.yml
my_vault:
  '1.2.3.4':
    ansible_password: 'password1'
  '1.2.3.5':
    ansible_password: 'password2'
  '1.2.3.6':
    ansible_password: 'password3'
3) Encrypt the file
$ ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful
$ cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
33613937636462643266613264333138376135313762663832393837616137323165363531666438
3564366531386130623162386332646366646561663763320a633533653631396637316138393339
66623531633936346363313965633565623566313264396636303136666432373037313666653630
3530343461616338370a323565346564383266323934376432383436646261313639663961343662
35336439646133333434363462616537323130373733363863646435376435343864323336323135
35623330303732666233313135643265393030386561306235303038353133386230336431396637
64663331316439336638646366636530626363353034326462393938363230386666303066383834
38643538343137633966336130393362303534666139373034356530303661643339623234356366
61316363333331613762663230616239643965333261353936373464366162646662323361626431
33663839386261313561396337393330616131663561646562373233373265646334383937386431
38386165653864363235646538353337373063376665386638653333646632316533363731663234
35663336663936653233
4) The playbook below adds the variable ansible_password to each host in the first play and uses it in the second play. For example
- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
- hosts: servers
  tasks:
    - debug:
        var: ansible_password
gives
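Both answers above (vaulted host_vars files, and one vaulted group_vars dictionary keyed by inventory_hostname) depend on two things: the password only ever lives inside a vault envelope, and the one vault password you type is the right one for that file. The script below is an added example, not code from the question or from either answer, that checks exactly those two properties with the standard library only. It recognises the `$ANSIBLE_VAULT;1.1;AES256` envelope, verifies a candidate vault password against the file without decrypting it (the AES256 format stores an HMAC-SHA256 over the ciphertext under a PBKDF2-derived key, so a wrong password fails the HMAC), and flags `ansible_password` / `ansible_become_password` values left in clear text in an inventory. The sample inventory and the sample envelope are constructed inline for the self-test; the envelope wraps an arbitrary byte string instead of a real AES-CTR ciphertext, so `ansible-vault` could not decrypt it, but its salt and HMAC fields follow the real layout. Note that `ansible_password` is the connection (SSH) password; if the sudo password differs from it, put `ansible_become_password` in the same vaulted file.

```python
"""Sanity checks for Ansible Vault files (added example, stdlib only).

AES256 envelope as written by `ansible-vault encrypt`:
  line 1 : $ANSIBLE_VAULT;1.1;AES256   (format 1.2 appends ';<vault-id label>')
  rest   : hex text wrapped at 80 columns; decoding it yields
           salt_hex "\n" hmac_hex "\n" ciphertext_hex
  keys   : PBKDF2-HMAC-SHA256(password, salt, 10000 iterations) -> 80 bytes =
           key1 (AES-256-CTR, 32 B) | key2 (HMAC, 32 B) | iv (16 B)
  hmac   : HMAC-SHA256(key2, ciphertext)
Recomputing the HMAC with key2 shows whether a vault password fits a file
without touching the plaintext, so no AES implementation is needed here.
"""
import binascii
import hashlib
import hmac
import re
import sys

VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;.*)?$")
KDF_ITERATIONS = 10000
KEY_LEN = 32   # AES-256 key and HMAC key length
IV_LEN = 16    # AES block size, used as the CTR initial counter

# Connection/escalation password variables that must never appear in the clear.
# An inline `!vault |` value is an encrypted string and is deliberately not flagged.
PLAINTEXT_CRED_RE = re.compile(
    r"\b(ansible_password|ansible_ssh_pass|ansible_become_password"
    r"|ansible_become_pass|ansible_sudo_pass)\s*[:=]\s*(?!!vault\b)\S"
)


def is_vault_encrypted(text: str) -> bool:
    """True if the file starts with an Ansible Vault AES256 header."""
    first = text.lstrip().split("\n", 1)[0].strip()
    return VAULT_HEADER_RE.match(first) is not None


def parse_vaulttext(text: str):
    """Split an envelope into (salt, hmac_hex, ciphertext) bytes."""
    lines = text.strip().split("\n")
    if not VAULT_HEADER_RE.match(lines[0].strip()):
        raise ValueError("not an Ansible Vault AES256 envelope")
    inner = binascii.unhexlify("".join(ln.strip() for ln in lines[1:]))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n", 2)
    return binascii.unhexlify(salt_hex), hmac_hex, binascii.unhexlify(ct_hex)


def derive_keys(password: str, salt: bytes):
    """Same PBKDF2 output split that ansible-vault uses: key1 | key2 | iv."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             KDF_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def vault_password_matches(text: str, password: str) -> bool:
    """Constant-time check of the envelope's HMAC under the candidate password."""
    salt, hmac_hex, ciphertext = parse_vaulttext(text)
    _key1, key2, _iv = derive_keys(password, salt)
    expected = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, binascii.unhexlify(hmac_hex))


def find_plaintext_credentials(text: str):
    """(line number, variable name) for every credential stored in the clear."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PLAINTEXT_CRED_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def build_envelope_for_test(password: str, salt: bytes, ciphertext: bytes) -> str:
    """Constructed fixture: a real-layout envelope around ARBITRARY bytes.
    No AES is performed, so ansible-vault could not decrypt this file, but the
    salt and HMAC fields are computed exactly as the real format specifies."""
    _key1, key2, _iv = derive_keys(password, salt)
    tag = hmac.new(key2, ciphertext, hashlib.sha256).hexdigest().encode("ascii")
    inner = b"\n".join([binascii.hexlify(salt), tag, binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


# Constructed samples (not from the page): the inventory still carries one
# clear-text password, the envelope was built under a known vault password.
SAMPLE_PASSWORD = "correct-vault-pass"
SAMPLE_ENVELOPE = build_envelope_for_test(SAMPLE_PASSWORD, b"\x01" * 32, b"not-real-aes")
SAMPLE_INVENTORY = ("[servers]\n"
                    "1.2.3.4 ansible_user=user1 ansible_password=password1\n"
                    "1.2.3.5 ansible_user=user2\n")


def check_file(path: str, password_file: str) -> int:
    """CLI entry: 0 if the file is vaulted and the password fits it, else 1."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    with open(password_file, encoding="utf-8") as f:
        password = f.read().rstrip("\n")
    if not is_vault_encrypted(text):
        lines = [n for n, _ in find_plaintext_credentials(text)]
        print(f"{path}: NOT vault-encrypted; clear-text credentials at lines {lines}")
        return 1
    ok = vault_password_matches(text, password)
    print(f"{path}: vault HMAC {'OK' if ok else 'MISMATCH (wrong vault password?)'}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(check_file(sys.argv[1], sys.argv[2]))
```

Run as `python vault_check.py group_vars/servers/my_vault.yml ~/.vault_pass` (the vault password file name is an assumption) to confirm a real file produced by `ansible-vault encrypt` is an envelope and that the password you intend to pass with `--vault-password-file` is the one it was encrypted with; run `find_plaintext_credentials` over the inventory and host_vars in a pre-commit hook to catch a password that slipped back into clear text.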