Ansible: Building a User-Level Ansible Operating Environment (continued from the previous chapter)
1. Preparation before the experiment:
1.1 Set up passwordless SSH from the server host to the two client hosts node1 and node2.
[root@ansible mnt]# yum install expect -y
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
dvd | 4.3 kB 00:00:00
epel | 4.7 kB 00:00:00
Resolving Dependencies
......
Installed:
expect.x86_64 0:5.45-14.el7_1
Dependency Installed:
tcl.x86_64 1:8.5.13-8.el7
Complete!
[root@ansible mnt]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:AU9YrhxMy99A2C/m0K3xWCNQnf5zYHpyEa9ihQ5eZpk root@ansible
The key's randomart image is:
+---[RSA 2048]----+
| o*=. . |
| ++B. o . |
| =o=+ + o |
| ..+B+E = . |
| o=S#.* + |
| = B * . |
| . = o |
| |
| |
+----[SHA256]-----+
[root@node1 ~]# cat ssh_keygen.sh
#!/bin/bash
# Push root's public key to each node; expect answers the host-key and password prompts.
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.$i
expect {
    "yes/no" { send "yes\r";exp_continue }
    "password" { send "westos\r" }
}
expect eof
EOF
}
for i in 11 12
do
    AUTOSSH
done
[root@ansible mnt]# sh ssh_keygen.sh
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.32.11 (172.25.32.11)' can't be established.
ECDSA key fingerprint is SHA256:cxguNL6GA/BmJr4mD3W2Q2f6BkBBFPGKMPjOlEjWhDU.
ECDSA key fingerprint is MD5:fe:01:b4:23:61:3f:1e:c8:e4:6c:18:2c:0a:f8:c1:ae.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.32.11's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.32.11'"
and check to make sure that only the key(s) you wanted were added.
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.12
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.32.12 (172.25.32.12)' can't be established.
ECDSA key fingerprint is SHA256:cxguNL6GA/BmJr4mD3W2Q2f6BkBBFPGKMPjOlEjWhDU.
ECDSA key fingerprint is MD5:fe:01:b4:23:61:3f:1e:c8:e4:6c:18:2c:0a:f8:c1:ae.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.32.12's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.32.12'"
and check to make sure that only the key(s) you wanted were added.
1.2 Passwordless login test
[root@ansible mnt]# ssh 172.25.32.11
Last login: Sat Jul 23 15:35:36 2022 from foundation31.ilt.example.com
[root@node1 ~]# exit
logout
Connection to 172.25.32.11 closed.
[root@ansible mnt]# ssh 172.25.32.12
Last login: Sat Jul 23 15:35:50 2022 from foundation31.ilt.example.com
[root@node2 ~]# exit
logout
Connection to 172.25.32.12 closed.
2. Revert the inventory groups previously added to /etc/ansible/hosts
[root@ansible mnt]# vim /etc/ansible/hosts
[root@ansible mnt]# tail /etc/ansible/hosts
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
## db-[99:101]-node.example.com
3. Modify the ssh_keygen.sh file
[root@ansible mnt]# cat ssh_keygen.sh
#!/bin/bash
# AUTOSSH is kept but no longer called; the loop below removes root's key directory on
# each node so the following experiments start without passwordless root login.
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.32.$i
expect {
    "yes/no" { send "yes\r";exp_continue }
    "password" { send "westos\r" }
}
expect eof
EOF
}
for i in 11 12
do
    ssh -l root 172.25.32.$i rm -rf /root/.ssh
done
2. Starting the experiment
Experiment as the root user
1. Edit the Ansible configuration file
[root@ansible mnt]# vim /etc/ansible/ansible.cfg
.......
inventory = /etc/ansible/hosts,/mnt/inventory
.......
host_key_checking = False
2. Write the inventory in the inventory file
[root@ansible mnt]# cat inventory
[westos]
172.25.32.11
172.25.32.12
3. Use ansible to ping the IP addresses in the inventory group; -k prompts for the SSH password
[root@ansible mnt]# ansible westos -m ping -k
SSH password:
172.25.32.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
172.25.32.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Experiment with creating an ordinary user admin
1.1 Create the ordinary user admin
[root@ansible ansible]# useradd admin
[root@ansible ansible]# su - admin
[admin@ansible ~]$ mkdir .ansible
[admin@ansible ~]$ cd .ansible/
1.2 Write the inventory
[admin@ansible .ansible]$ vim inventory
[admin@ansible .ansible]$ cat inventory
[westos]
172.25.32.11
[westos1]
172.25.32.12
1.3 Edit the configuration file (this file does not exist yet; you can copy /etc/ansible/ansible.cfg from the root user)
[admin@ansible .ansible]$ cat ansible.cfg
[defaults]
inventory = ~/.ansible/inventory
host_key_checking = False
remote_user = admin
module_name = shell
[admin@ansible .ansible]$ ansible all --list ## list all hosts in the inventory
hosts (2):
172.25.32.11
172.25.32.12
1.4 Use the shell module in Ansible to create the admin user on the hosts in the inventory
[admin@ansible .ansible]$ ansible westos -m shell -a 'useradd admin' -k -u root ## create the user
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
172.25.32.12 | CHANGED | rc=0 >>
[admin@ansible .ansible]$ ansible westos -m shell -a 'echo westos | passwd --stdin admin' -k -u root ## set a password for the new user
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
Changing password for user admin.
passwd: all authentication tokens updated successfully.
172.25.32.12 | CHANGED | rc=0 >>
Changing password for user admin.
passwd: all authentication tokens updated successfully.
[admin@ansible .ansible]$ ansible westos -m shell -a 'echo "admin ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' -k -u root ## grant sudo privileges to the new user
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
172.25.32.12 | CHANGED | rc=0 >>
Changing the user identity
1.1 Check that the user identity is admin
[admin@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k
SSH password:
172.25.32.11 | CHANGED | rc=0 >>
admin
172.25.32.12 | CHANGED | rc=0 >>
admin
1.2 Change the user identity to root
[admin@ansible .ansible]$ cat ansible.cfg
[defaults]
inventory = ~/.ansible/inventory
host_key_checking = False
remote_user = admin
module_name = shell
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
1.3 Check again; the identity is now root
[admin@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k
SSH password:
172.25.32.12 | CHANGED | rc=0 >>
root
172.25.32.11 | CHANGED | rc=0 >>
root
1.4 Check the files under the directory; normally there are none yet
[admin@ansible .ansible]$ ansible westos -m shell -a 'ls /home/admin/.ssh' -k
SSH password:
172.25.32.11 | FAILED | rc=2 >>
ls: cannot access /home/admin/.ssh: No such file or directorynon-zero return code
172.25.32.12 | FAILED | rc=2 >>
ls: cannot access /home/admin/.ssh: No such file or directorynon-zero return code
1.5 Create a multi-level directory on the IPs in the westos inventory group
[admin@ansible .ansible]$ ansible westos -m shell -a 'mkdir -p /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with state=directory rather than running 'mkdir'. If you need to use command because file is insufficient you can add 'warn:
false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>
172.25.32.11 | CHANGED | rc=0 >>
1.6 Change the owner and group on the IPs in the westos inventory group
[admin@ansible .ansible]$ ansible westos -m shell -a 'chown admin.admin /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with owner rather than running 'chown'. If you need to use command because file is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>
172.25.32.11 | CHANGED | rc=0 >>
1.7 Set permissions
[admin@ansible .ansible]$ ansible westos -m shell -a 'chmod 700 /home/admin/.ssh' -k
SSH password:
[WARNING]: Consider using the file module with mode rather than running 'chmod'. If you need to use command because file is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>
172.25.32.11 | CHANGED | rc=0 >>
Set up passwordless login from the admin user on the ansible host to the newly created admin users on node1 and node2
1.1 Generate the key pair
[admin@ansible .ansible]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:HaC/KE02Yw3utHiGETWt+LATbrOgrqek6dAEM4tL/5U admin@ansible
The key's randomart image is:
+---[RSA 2048]----+
| o.. |
| . o.. |
|+ ..o. . |
|.= +o.+ . . |
|o....=O S . |
|.+o *@.=.. |
|oo.+++BE. |
|=.. o+. |
|O= . |
+----[SHA256]-----+
1.2 Transfer the key just generated to the remote hosts; src is the source to copy from, dest is where to copy it to
[admin@ansible .ansible]$ ansible westos -m copy -a 'src=/home/admin/.ssh/id_rsa.pub dest=/home/admin/.ssh/authorized_keys mode=0600 owner=admin group=admin' -k
SSH password:
172.25.32.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "93959fdd05d54b7f3ca507b361419e3cb8b1e513",
"dest": "/home/admin/.ssh/authorized_keys",
"gid": 1000,
"group": "admin",
"md5sum": "7daa6a4595417e9067fc620299852039",
"mode": "0600",
"owner": "admin",
"size": 395,
"src": "/home/admin/.ansible/tmp/ansible-tmp-1658628612.95-15337-90791827283952/source",
"state": "file",
"uid": 1000
}
172.25.32.11 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "93959fdd05d54b7f3ca507b361419e3cb8b1e513",
"dest": "/home/admin/.ssh/authorized_keys",
"gid": 1000,
"group": "admin",
"md5sum": "7daa6a4595417e9067fc620299852039",
"mode": "0600",
"owner": "admin",
"size": 395,
"src": "/home/admin/.ansible/tmp/ansible-tmp-1658628612.94-15335-275291527424141/source",
"state": "file",
"uid": 1000
}
1.3 Connecting to the IPs in the inventory group no longer requires a password
[admin@ansible .ansible]$ ssh -l admin 172.25.32.11
Last login: Sun Jul 24 02:10:14 2022 from vm10
[admin@node1 ~]$ exit
logout
Connection to 172.25.32.11 closed.
[admin@ansible .ansible]$ ssh -l admin 172.25.32.12
Last login: Sun Jul 24 02:10:13 2022 from vm10
[admin@node2 ~]$ exit
logout
Connection to 172.25.32.12 closed.
[admin@ansible .ansible]$ ansible westos -m ping
172.25.32.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
172.25.32.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
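The user creation, sudo grant, .ssh directory and authorized_keys steps above were done with raw shell commands, which is what the module warnings point at. The following playbook is an added example, not part of the original post: it does the same provisioning with idempotent modules, assumes the westos group, the admin user and the /home/admin/.ssh/id_rsa.pub key from the post, assumes the authorized_key module is available (ansible.posix collection on newer releases), and writes the sudo rule as a visudo-validated drop-in instead of appending to /etc/sudoers.

```yaml
# bootstrap.yml (hypothetical file name). Added example, not code from the original post.
# First run as the root user with a password: ansible-playbook -i ~/.ansible/inventory -k -u root bootstrap.yml
# Later runs need no -k/-u once the key and the sudo drop-in are in place.
- name: Provision the admin user for key-based, sudo-capable Ansible access
  hosts: westos
  become: true
  vars:
    admin_user: admin
    # Public key of the controller's admin user (path taken from the post)
    admin_pubkey: "{{ lookup('file', '/home/admin/.ssh/id_rsa.pub') }}"
  tasks:
    - name: Create the admin user with a home directory (replaces 'useradd admin')
      user:
        name: "{{ admin_user }}"
        shell: /bin/bash
        create_home: true

    - name: Ensure ~/.ssh exists with owner and mode set (replaces mkdir/chown/chmod)
      file:
        path: "/home/{{ admin_user }}/.ssh"
        state: directory
        owner: "{{ admin_user }}"
        group: "{{ admin_user }}"
        mode: "0700"

    - name: Install the controller key (appends to authorized_keys instead of overwriting it)
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ admin_pubkey }}"
        manage_dir: false

    - name: Grant sudo through a validated drop-in (replaces echo >> /etc/sudoers)
      copy:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        content: "{{ admin_user }} ALL=(root) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

No login password is set for admin here: with key authentication plus the NOPASSWD sudo rule the password step from 1.4 is not needed, and a syntax error in the drop-in is rejected by visudo before the file is installed.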
Create files on the hosts in the inventory group
1.1 Create the files
[admin@ansible .ansible]$ ansible westos -m shell -a 'touch /mnt/file{1..10}'
[WARNING]: Consider using the file module with state=touch rather than running 'touch'. If you need to use command because file is insufficient you can add 'warn: false'
to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.32.12 | CHANGED | rc=0 >>
172.25.32.11 | CHANGED | rc=0 >>
1.2 View the created files on the hosts in the inventory group
node1:
[admin@node1 ~]$ cd /mnt
[admin@node1 mnt]$ ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9
node2:
[admin@node2 ~]$ cd /mnt/
[admin@node2 mnt]$ ls
file1 file10 file2 file3 file4 file5 file6 file7 file8 file9