Ansible - Building a user-level Ansible working environment (continued from the previous chapter)

I. Lab preparation:

1.1 Set up passwordless SSH from the control host to the two client hosts, node1 and node2.


[root@ansible mnt]# yum install expect -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
dvd                                                                                                                                                 | 4.3 kB  00:00:00    
epel                                                                                                                                                | 4.7 kB  00:00:00    
Resolving Dependencies
......
Installed:
  expect.x86_64 0:5.45-14.el7_1                                                                                                                                            

Dependency Installed:
  tcl.x86_64 1:8.5.13-8.el7                                                                                                                                                

Complete!

[root@ansible mnt]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:AU9YrhxMy99A2C/m0K3xWCNQnf5zYHpyEa9ihQ5eZpk root@ansible
The key's randomart image is:
+---[RSA 2048]----+
|      o*=. .     |
|     ++B. o .    |
|      =o=+ + o   |
|     ..+B+E = .  |
|      o=S#.* +   |
|        = B * .  |
|         . = o   |
|                 |
|                 |
+----[SHA256]-----+

[root@node1 ~]# cat ssh_keygen.sh
#!/bin/bash
# Push root's public key to each node; expect answers the host-key
# and password prompts. $i expands here because the heredoc is unquoted.
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.$i
expect {
"yes/no" { send "yes\r";exp_continue }
"password" { send "westos\r" }
}
 
expect eof
EOF
}
 
for i in 11 12
do
       AUTOSSH
done

[root@ansible mnt]# sh ssh_keygen.sh
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.32.11 (172.25.32.11)' can't be established.
ECDSA key fingerprint is SHA256:cxguNL6GA/BmJr4mD3W2Q2f6BkBBFPGKMPjOlEjWhDU.
ECDSA key fingerprint is MD5:fe:01:b4:23:61:3f:1e:c8:e4:6c:18:2c:0a:f8:c1:ae.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.32.11's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.32.11'"
and check to make sure that only the key(s) you wanted were added.

spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.12
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.32.12 (172.25.32.12)' can't be established.
ECDSA key fingerprint is SHA256:cxguNL6GA/BmJr4mD3W2Q2f6BkBBFPGKMPjOlEjWhDU.
ECDSA key fingerprint is MD5:fe:01:b4:23:61:3f:1e:c8:e4:6c:18:2c:0a:f8:c1:ae.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.32.12's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.32.12'"
and check to make sure that only the key(s) you wanted were added.

1.2 Test passwordless login


[root@ansible mnt]# ssh 172.25.32.11
Last login: Sat Jul 23 15:35:36 2022 from foundation31.ilt.example.com
[root@node1 ~]# exit
logout
Connection to 172.25.32.11 closed.
[root@ansible mnt]# ssh 172.25.32.12
Last login: Sat Jul 23 15:35:50 2022 from foundation31.ilt.example.com
[root@node2 ~]# exit
logout
Connection to 172.25.32.12 closed.

2. Restore the inventory groups previously added to /etc/ansible/hosts


[root@ansible mnt]# vim /etc/ansible/hosts
[root@ansible mnt]# tail /etc/ansible/hosts
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

# Here's another example of host ranges, this time there are no
# leading 0s:

## db-[99:101]-node.example.com

3. Modify ssh_keygen.sh so that it removes /root/.ssh on the nodes


[root@ansible mnt]# cat ssh_keygen.sh
#!/bin/bash
# AUTOSSH is kept but no longer called; the loop below now deletes
# /root/.ssh on each node, undoing the passwordless login set up in 1.1.
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.$i
expect {
"yes/no" { send "yes\r";exp_continue }
"password" { send "westos\r" }
}
 
expect eof
EOF
}
 
for i in 11 12
do
       ssh -l root 172.25.32.$i rm -rf /root/.ssh
done

II. Running the lab

Experiment as the root user

1. Edit the Ansible configuration file


[root@ansible mnt]# vim /etc/ansible/ansible.cfg
.......
inventory       = /etc/ansible/hosts,/mnt/inventory
.......
host_key_checking = False

2. Write the inventory in the file inventory


[root@ansible mnt]# cat inventory
[westos]
172.25.32.11
172.25.32.12

3. Use ansible to ping the IP addresses in the inventory group; -k prompts for the SSH password


[root@ansible mnt]# ansible westos -m ping -k
SSH password:
172.25.32.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.25.32.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Experiment with a newly created ordinary user admin

1.1 Create the ordinary user admin


[root@ansible ansible]# useradd admin
[root@ansible ansible]# su - admin
[admin@ansible ~]$ mkdir .ansible
[admin@ansible ~]$ cd .ansible/

1.2 Write the inventory


[admin@ansible .ansible]$ vim inventory
[admin@ansible .ansible]$ cat inventory
[westos]
172.25.32.11
 
[westos1]
172.25.32.12

1.3 Edit the configuration file (this file does not exist yet; it can be copied from root's /etc/ansible/ansible.cfg)


[admin@ansible .ansible]$ cat ansible.cfg
[defaults]
inventory = ~/.ansible/inventory
host_key_checking = False
remote_user = admin
module_name = shell
[admin@ansible .ansible]$ ansible all --list   ## list every host in the inventory
  hosts (2):
    172.25.32.11
    172.25.32.12

1.4 Use the shell module in Ansible to create the admin user on the hosts in the inventory

[admin@ansible .ansible]$ ansible westos -m shell -a 'useradd admin' -k -u root   ## create the user
SSH password:
172.25.32.11 | CHANGED | rc=0 >>

172.25.32.12 | CHANGED | rc=0 >>

[admin@ansible .ansible]$ ansible westos -m shell -a 'echo westos | passwd --stdin admin' -k -u root    ## set a password for the new user
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
Changing password for user admin.
passwd: all authentication tokens updated successfully.
172.25.32.12 | CHANGED | rc=0 >>
Changing password for user admin.
passwd: all authentication tokens updated successfully.
[admin@ansible .ansible]$ ansible westos -m shell -a 'echo "admin ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' -k -u root     ## grant the new user sudo rights
SSH password:
172.25.32.11 | CHANGED | rc=0 >>

172.25.32.12 | CHANGED | rc=0 >>

Changing the remote user identity

1.1 Check that the user identity is admin


[admin@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
admin
172.25.32.12 | CHANGED | rc=0 >>
admin

1.2 Change the user identity to root


[admin@ansible .ansible]$ cat ansible.cfg
[defaults]
inventory = ~/.ansible/inventory
host_key_checking = False
remote_user = admin
module_name = shell

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

1.3 Check again: the identity is now root


[admin@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k
SSH password:
172.25.32.12 | CHANGED | rc=0 >>
root
172.25.32.11 | CHANGED | rc=0 >>
root

1.4 Check for files under the directory; normally there are none


[admin@ansible .ansible]$ ansible westos -m shell -a 'ls /home/admin/.ssh' -k
SSH password:
172.25.32.11 | FAILED | rc=2 >>
ls: cannot access /home/admin/.ssh: No such file or directorynon-zero return code
172.25.32.12 | FAILED | rc=2 >>
ls: cannot access /home/admin/.ssh: No such file or directorynon-zero return code

1.5 Create the multi-level directory on the IPs in the westos inventory group

[admin@ansible .ansible]$ ansible westos -m shell -a 'mkdir -p  /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with state=directory rather than running 'mkdir'.  If you need to use command because file is insufficient you can add 'warn:
false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>

172.25.32.11 | CHANGED | rc=0 >>

1.6 Change the owner and group on the IPs in the westos inventory group

[admin@ansible .ansible]$ ansible westos -m shell -a 'chown admin.admin /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with owner rather than running 'chown'.  If you need to use command because file is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>

172.25.32.11 | CHANGED | rc=0 >>

1.7 Set permissions


[admin@ansible .ansible]$ ansible westos -m shell -a 'chmod 700 /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with mode rather than running 'chmod'.  If you need to use command because file is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>

172.25.32.11 | CHANGED | rc=0 >>

Set up passwordless SSH from the admin user on the ansible host to the newly created admin user on node1 and node2

1.1 Generate a key pair

[admin@ansible .ansible]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:HaC/KE02Yw3utHiGETWt+LATbrOgrqek6dAEM4tL/5U admin@ansible
The key's randomart image is:
+---[RSA 2048]----+
|      o..        |
|     . o..       |
|+   ..o.  .      |
|.=  +o.+ . .     |
|o....=O S .      |
|.+o *@.=..       |
|oo.+++BE.        |
|=.. o+.          |
|O=   .           |
+----[SHA256]-----+

1.2 Transfer the key just generated to the remote hosts: src is where to copy from, dest is where to copy to


[admin@ansible .ansible]$ ansible westos -m copy -a 'src=/home/admin/.ssh/id_rsa.pub dest=/home/admin/.ssh/authorized_keys mode=0600 owner=admin group=admin' -k
SSH password:
172.25.32.12 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "93959fdd05d54b7f3ca507b361419e3cb8b1e513",
    "dest": "/home/admin/.ssh/authorized_keys",
    "gid": 1000,
    "group": "admin",
    "md5sum": "7daa6a4595417e9067fc620299852039",
    "mode": "0600",
    "owner": "admin",
    "size": 395,
    "src": "/home/admin/.ansible/tmp/ansible-tmp-1658628612.95-15337-90791827283952/source",
    "state": "file",
    "uid": 1000
}
172.25.32.11 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "93959fdd05d54b7f3ca507b361419e3cb8b1e513",
    "dest": "/home/admin/.ssh/authorized_keys",
    "gid": 1000,
    "group": "admin",
    "md5sum": "7daa6a4595417e9067fc620299852039",
    "mode": "0600",
    "owner": "admin",
    "size": 395,
    "src": "/home/admin/.ansible/tmp/ansible-tmp-1658628612.94-15335-275291527424141/source",
    "state": "file",
    "uid": 1000
}

1.3 Connecting to the IPs in the inventory group now requires no password

[admin@ansible .ansible]$ ssh -l admin 172.25.32.11
Last login: Sun Jul 24 02:10:14 2022 from vm10
[admin@node1 ~]$ exit
logout
Connection to 172.25.32.11 closed.
[admin@ansible .ansible]$ ssh -l admin 172.25.32.12
Last login: Sun Jul 24 02:10:13 2022 from vm10
[admin@node2 ~]$ exit
logout
Connection to 172.25.32.12 closed.
[admin@ansible .ansible]$ ansible westos -m ping
172.25.32.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.25.32.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
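As an added example (not part of the original post), the whole admin setup done above with ad-hoc shell commands (useradd, passwd --stdin, echo >> /etc/sudoers, mkdir/chown/chmod, copy of authorized_keys) as one idempotent playbook using the modules Ansible's warnings recommend; the file name site.yml and the key path are assumptions:

```yaml
# Added example, not from the original post. Replaces the ad-hoc `-m shell`
# steps (useradd, passwd --stdin, echo >> /etc/sudoers, mkdir/chown/chmod,
# copy authorized_keys) with idempotent modules.
# Assumed file name: site.yml. Run once as root, before key login works:
#   ansible-playbook -u root -k site.yml
---
- name: Provision the admin management user on the westos nodes
  hosts: westos
  become: true
  vars:
    mgmt_user: admin
    # Same key file the post generated for admin on the control host.
    mgmt_pubkey: "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
  tasks:
    - name: Create the user with a hashed password (the password never goes through a shell)
      user:
        name: "{{ mgmt_user }}"
        shell: /bin/bash
        create_home: true
        password: "{{ 'westos' | password_hash('sha512') }}"
        update_password: on_create   # do not rewrite it on every run

    - name: Create ~/.ssh owned by admin with mode 0700 (replaces mkdir/chown/chmod)
      file:
        path: "/home/{{ mgmt_user }}/.ssh"
        state: directory
        owner: "{{ mgmt_user }}"
        group: "{{ mgmt_user }}"
        mode: "0700"

    - name: Install the control host's public key (replaces the copy step)
      authorized_key:
        user: "{{ mgmt_user }}"
        key: "{{ mgmt_pubkey }}"
        exclusive: true              # only this key may log in as admin

    - name: Grant passwordless sudo via a drop-in, checked by visudo before it is written
      copy:
        dest: "/etc/sudoers.d/{{ mgmt_user }}"
        content: "{{ mgmt_user }} ALL=(root) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

Rerunning the playbook reports no changes, and a malformed sudoers line is rejected by visudo instead of being written, a failure the echo >> /etc/sudoers step cannot catch.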

Create files on the hosts in the inventory group

1.1 Create the files


[admin@ansible .ansible]$ ansible westos -m shell -a 'touch /mnt/file{1..10}'
[WARNING]: Consider using the file module with state=touch rather than running 'touch'.  If you need to use command because file is insufficient you can add 'warn: false'
to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>

172.25.32.11 | CHANGED | rc=0 >>

1.2 Check the created files on the hosts in the inventory group


node1:

[admin@node1 ~]$ cd /mnt
[admin@node1 mnt]$ ls
file1  file10  file2  file3  file4  file5  file6  file7  file8  file9

node2:

[admin@node2 ~]$ cd /mnt/
[admin@node2 mnt]$ ls
file1  file10  file2  file3  file4  file5  file6  file7  file8  file9
