How to run Ansible as root only on the first pass?
Here is what I am trying to achieve step by step with Ansible:
- SSH as root
- Install python (not present in Ubuntu) and other basic packages
- Create a new deploy user and configure /etc/ssh/sshd_config so that PasswordAuthentication no and PermitRootLogin no
- Restart the ssh service

Later I will update my playbook with new tasks, roles, etc. So I want to re-run the playbook on the same server (which has already blocked root access), this time accessing it only as the newly created user.

Since Ansible is trying to access it as root, it expectedly returns a permission denied error.

Question:
- How can I make the first pass as root and then skip the root tasks (pre_tasks) on the next playbook run?

One option would be to split it into two separate playbooks: one for provisioning and another for the rest.
```yaml
# playbook.yml
---
- name: Prepare server
  hosts: webserver
  gather_facts: False
  pre_tasks:
    - name: Install python for Ansible
      remote_user: root
      raw: type /usr/bin/python || (apt -y update && apt install -y python)
    - name: Create user
      remote_user: root
      include_role:
        name: deploy-user
  roles:
    # Future roles here
```
Create two inventory files defining the same host group:
- in the first (bootstrap), define ansible_user=root
- in the second (inventory), define ansible_user=<a regular user with sudo privileges>

Define the second (inventory) as the default inventory file in ansible.cfg.
Whenever you need to bootstrap a new machine, run with the -i bootstrap option. Otherwise, omit this option.

The playbook below will give you everything you need to become a different user, all in one playbook. If you would rather do it with two playbooks, you can do the same thing by just splitting the file. What you are looking for is Ansible's "become" user. This lets you become anyone as long as you know that user's password information, which you have to store as a variable, but you already store it as a variable in your playbook. I took the liberty of showing you another way to pass the password into the playbook and encrypt it before the value is passed to the machine being configured. You do not have to use that part for the underlying work; I just wanted to expand your knowledge base. Apologies if you already know some of this. I do worry about you turning off password authentication without creating an SSH key for the new "{{ deploy_user }}".

I missed the part where you disable root access. In that case, I think your best bet is to split up the playbooks.
```yaml
# roles/deploy-user/tasks/main.yml (the role included from the question's playbook.yml above)
---
- name: Create deploy group
  group:
    name: deploy
    state: present

- name: Create Deploy user
  user:
    name: "{{ deploy_user }}"
    comment: "Deploy User"
    groups: [sudo, deploy]
    password: "{{ deploy_password | password_hash('sha512') }}"
    shell: /bin/bash
    update_password: on_create

- name: Set authorized keys taken from files
  authorized_key:
    user: "{{ deploy_user }}"
    state: present
    key: "{{ lookup('file', item) }}"
  with_items:
    - "{{ ssh_authorized_keys }}"

- name: Disallow password authentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present

- name: Disallow root SSH access
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    state: present

- name: restart-sshd
  remote_user: root
  service:
    name: ssh
    state: restarted
```
```yaml
---
- hosts: [some_server]
  become: true
  vars_prompt:                        # a play-level keyword, not a task list entry
    - name: deploy_pass
      prompt: "What is the password for the new user"
      confirm: true
      private: true
      encrypt: "sha512_crypt"         # hashes the prompted value on the control node (needs passlib)
      salt_size: 7
  tasks:
    - name: Create Deploy user
      user:
        name: "{{ deploy_user }}"
        comment: "Deploy User"
        groups: [sudo, deploy]
        password: "{{ deploy_pass }}" # already a sha512_crypt hash from vars_prompt; do not hash it again
        shell: /bin/bash
        update_password: on_create

    - name: Set authorized keys taken from files
      authorized_key:
        user: "{{ deploy_user }}"
        state: present
        key: "{{ lookup('file', item) }}"
      with_items:
        - "{{ ssh_authorized_keys }}"

    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        state: present

    - name: restart-sshd
      remote_user: root
      service:
        name: ssh
        state: restarted

- hosts: [some_server]
  become: true
  become_user: "{{ deploy_user }}"    # tasks in this play run as the newly created user
  # tasks for the deploy user go here
```
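As an added example (not code from the question or either answer), here is one way to keep the bootstrap and all later passes in a single playbook, which is what the question asks for: the first play probes whether root can still log in and picks ansible_user accordingly, the bootstrap tasks run only while root is still reachable, and password authentication is never disabled unless a key is about to be installed. It assumes Ansible 2.7 or newer (for ignore_unreachable), an inventory group webserver with no ansible_user set, the question's deploy-user role under roles/, and the variables deploy_user and ssh_authorized_keys from the question; the task names and the bootstrapped fact are my own.

```yaml
---
- name: Detect whether this host still accepts root over SSH
  hosts: webserver
  gather_facts: false              # a fresh Ubuntu may not have python yet
  vars:
    ansible_user: root             # probe as root; play vars outrank inventory vars
  tasks:
    - name: Probe root login (raw needs no python on the target)
      raw: /bin/true
      changed_when: false
      ignore_unreachable: true     # "Permission denied" marks the host UNREACHABLE
      register: root_probe

    - name: Root locked out means an earlier run already bootstrapped this host
      set_fact:                    # set_fact outranks play vars and persists across plays
        bootstrapped: "{{ root_probe.unreachable | default(false) }}"
        ansible_user: "{{ deploy_user if (root_probe.unreachable | default(false)) else 'root' }}"

    - name: Install python so regular modules work (first pass only)
      raw: type /usr/bin/python3 || (apt-get -y update && apt-get install -y python3)
      when: not (bootstrapped | bool)

- name: Create the deploy user and lock down sshd (first pass only)
  hosts: webserver
  tasks:
    - name: Refuse to disable password auth when no key would be installed for the deploy user
      assert:
        that: ssh_authorized_keys | length > 0
      when: not (bootstrapped | bool)

    - name: Run the deploy-user role from the question
      include_role:
        name: deploy-user
      when: not (bootstrapped | bool)

    - name: sshd now rejects root, so stop using the root session for later plays
      set_fact:
        ansible_user: "{{ deploy_user }}"
      when: not (bootstrapped | bool)

    - name: Drop the cached root SSH session; later tasks open a fresh connection as the deploy user
      meta: reset_connection
      when: not (bootstrapped | bool)

- name: Everything that should run on every pass
  hosts: webserver
  become: true                     # sudo to root as the deploy user
  roles: []                        # future roles go here
```

On later passes become needs the deploy user's sudo password (pass -K) unless sudoers grants it NOPASSWD.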