Ansible: pushing SSH keys to many hosts at once

When managing a large number of hosts with Ansible, you can push SSH public keys in bulk not only with expect but also with Ansible's built-in authorized_key module.
1. Configure ansible.cfg

# mkdir /root/ansible
# cp /etc/ansible.cfg .
# cat ansible.cfg
[defaults]
inventory      = hosts
host_key_checking = False

2. Edit ssh-setup.yml

# cat ssh-setup.yml
- hosts: all
  remote_user: root
  tasks:
  - name: Set authorized key taken from file
    authorized_key:
      user: root
      state: present
      key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"

3. Edit hosts

# cat hosts
[all]
192.168.134.82  ansible_ssh_pass="xxxxxx"
192.168.134.3   ansible_ssh_pass="xxxxxx"
192.168.134.4   ansible_ssh_pass="xxxxxx"

4. Run the playbook

[root@jk01 ansible]# ansible-playbook ssh-setup.yml
PLAY [all] ********************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [172.16.32.12]
ok: [192.168.134.3]
ok: [192.168.134.4]
ok: [192.168.134.82]
TASK [Set authorized key taken from file] *************************************************************************************
changed: [172.16.32.12]
changed: [192.168.134.4]
changed: [192.168.134.3]
changed: [192.168.134.82]
PLAY RECAP ********************************************************************************************************************
172.16.32.12               : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.3              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.4              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.82             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The obvious flaw is that the passwords sit in plaintext in the inventory. We can protect them with ansible-vault in one of two ways:
    1. Encrypt only the root password
    2. Encrypt the whole playbook
Case 1:
1. Create the password file

Write the password of the account that will receive key-based login into an encrypted file that the playbook loads at run time; ansible-vault encrypts the file with a vault password when it is created.
# ansible-vault create vault-ssh-pass.yml
New Vault password:
Confirm New Vault password:
In the editor that opens, write the following:
ansible_ssh_pass: XXXXX    <<<<< password of the account to be set up for key-based login
To edit the file again later, the vault password must be entered first:
ansible-vault edit vault-ssh-pass.yml

2. Edit the playbook

Load the vaulted file with vars_files so that ansible_ssh_pass comes from the vault instead of from plaintext entries in hosts:
# cat ssh-setup.yml
- hosts: all
  remote_user: root
  vars_files:
    - vault-ssh-pass.yml    # supplies ansible_ssh_pass from the encrypted file
  tasks:
  - name: Set authorized key taken from file
    authorized_key:
      user: root
      state: present
      key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"

3. Run the playbook (--ask-vault-pass prompts for the vault password so the vaulted vars file can be decrypted)

[root@jk01 ansible]# ansible-playbook ssh-setup.yml --ask-vault-pass
PLAY [all] ********************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [172.16.32.12]
ok: [192.168.134.4]
ok: [192.168.134.3]
ok: [192.168.134.82]
TASK [Set authorized key taken from file] *************************************************************************************
changed: [172.16.32.12]
changed: [192.168.134.4]
changed: [192.168.134.3]
changed: [192.168.134.82]
PLAY RECAP ********************************************************************************************************************
172.16.32.12               : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.3              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.4              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.82             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Case 2:
1. Encrypt the playbook

# ansible-vault encrypt ssh-setup.yml --output=ssh-setup-en.yml
Encryption successful

2. View the encrypted file

[root@jk01 ansible]# cat ssh-setup-en.yml
$ANSIBLE_VAULT;1.1;AES256

3. Run the playbook

[root@jk01 ansible]# ansible-playbook ssh-setup-en.yml
PLAY [all] ********************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************
ok: [172.16.32.12]
ok: [192.168.134.4]
ok: [192.168.134.3]
ok: [192.168.134.82]
TASK [Set authorized key taken from file] *************************************************************************************
changed: [172.16.32.12]
changed: [192.168.134.4]
changed: [192.168.134.3]
changed: [192.168.134.82]
PLAY RECAP ********************************************************************************************************************
172.16.32.12               : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.3              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.4              : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
192.168.134.82             : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Other notes:

Vault can encrypt playbook files, and without the vault password their contents cannot be read. To avoid typing the password repeatedly, write the vault password into a file and add the following parameter to ansible.cfg; encrypted files can then be viewed without a password prompt:
# cat ansible.cfg
vault_password_file = /root/ansible/pass.txt
# View an encrypted file
# ansible-vault view vault-ssh-pass.yml
ansible_ssh_pass: redhat
# Change the vault password
# ansible-vault rekey createuser.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
# Encrypt a playbook file
# ansible-vault encrypt web.yml
# Decrypt a playbook and write it under a new name
# ansible-vault decrypt web.yml --output=deweb.yml
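The three things this setup depends on (no plaintext ansible_ssh_pass left in hosts, the vars file actually carrying the $ANSIBLE_VAULT header, and the vault_password_file from ansible.cfg being readable by its owner only) can be checked before every run. The script below is an added example, not part of the original post; the file names and the placeholder values it writes are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the vault
# setup described above. File names are assumptions; sample data is constructed.

# True when FILE starts with the ansible-vault header (the $ANSIBLE_VAULT;1.1;AES256
# line shown in the post; 1.2 is the vault-id variant).
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Print inventory lines that set ansible_ssh_pass/ansible_password to a literal
# value (anything but a "{{ ... }}" vault variable reference); exit 1 if any found.
inventory_plaintext_passwords() {
    awk '/(^|[ \t])(ansible_ssh_pass|ansible_password)[ \t]*=/ {
            v = $0
            sub(/.*(ansible_ssh_pass|ansible_password)[ \t]*=[ \t]*/, "", v)
            if (v !~ /^"?\{\{/) { print FILENAME ": " $0; found = 1 }
         }
         END { exit found ? 1 : 0 }' "$1"
}

# True when FILE (the vault_password_file) is readable by its owner only.
is_owner_only() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; the return value is the number of failed checks (0 = clean).
vault_preflight() {   # $1 inventory, $2 vaulted vars file, $3 vault password file
    failed=0
    inventory_plaintext_passwords "$1" || failed=$((failed + 1))
    is_vault_encrypted "$2" || { echo "$2: not vault-encrypted"; failed=$((failed + 1)); }
    is_owner_only "$3" || { echo "$3: must be mode 0600"; failed=$((failed + 1)); }
    return "$failed"
}

# Constructed sample files (placeholder values, no real secrets) for an offline run.
make_samples() {   # $1 directory
    printf '[all]\n192.168.134.82 ansible_ssh_pass="xxxxxx"\n' > "$1/hosts_plain"
    printf '[all]\n192.168.134.82 ansible_ssh_pass="{{ vault_ssh_pass }}"\n' > "$1/hosts_ok"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3662616238323436\n' > "$1/vault-ssh-pass.yml"
    printf 'ansible_ssh_pass: xxxxxx\n' > "$1/plain-vars.yml"
    printf 'vault-password-placeholder\n' > "$1/pass.txt" && chmod 0600 "$1/pass.txt"
}

d=$(mktemp -d) && make_samples "$d"
vault_preflight "$d/hosts_plain" "$d/plain-vars.yml" "$d/pass.txt" || echo "failed checks: $?"
vault_preflight "$d/hosts_ok" "$d/vault-ssh-pass.yml" "$d/pass.txt" && echo "all checks passed"
rm -rf "$d"
```

Run it against the real hosts, vault-ssh-pass.yml and pass.txt paths before ansible-playbook; a non-zero exit means a plaintext password, an unencrypted vars file or a world-readable vault password file slipped through.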


