Ansible:如何在使用不同密码的主机上进行播放? [英] Ansible: how to run a play with hosts with different passwords?
问题描述
我目前正在学习如何使用Ansible.现在,我有一堆新的和旧的服务器,它们具有不同的登录名或密码,或两者都有.每个人都具有播放剧本的关键权限.
I'm currently learning how to use Ansible. Right now, I've got a bunch of servers, both new and legacy, that have different logins or passwords or both. All have key access to run the plays.
这就是我的开始.示例主机文件:
Here's what I started with. Example hosts file:
# legacy and new have different logins (like root and deploy)
[legacy]
serv1
serv2
[new]
serv3
serv4
# different has a different login and password altogether
[different]
serv5
为简单起见,我最初在所有机器上都运行了等效于sudo apt-get update && sudo apt-get upgrade的剧本,但是由于登录/密码不同,我为每个主机创建了多个剧本.但是,现在我想对其进行干燥,并根据他们的文档来研究角色".
So to keep things simple, I originally had a playbook run the equivalent of sudo apt-get update && sudo apt-get upgrade on all the machines, but because of the different login/passwd, I had created multiple playbooks for each host. But now I want to DRY it out and am looking at Roles, per their docs.
现在我有这样的事情. test/roles/common/tasks/main.yml文件:
Right now I have something like this. The test/roles/common/tasks/main.yml file:
---
- name: run apt-get update
apt: update_cache=yes
- name: run apt-get upgrade
apt: upgrade=yes
site.yml文件:
The site.yml file:
- name: apply common configuration to all nodes
hosts: all
roles:
- common
我知道实际上可以在主机文件中使用ansible_ssh_user=root或...=deploy定义不同的登录名.或将它们放在组变量中.但是我该如何处理不同的sudo密码? [legacy]是root用户,所以我不需要sudo,但是[new]和[different]需要它,并且具有不同的密码.我该怎么做呢?组变量?我是否创建这些文件:test/group_vars/new/some_file_with_a_passwd.yml和test/group_vars/different/some_other_passwd.yml(忽略安全性问题)?
I understand that I can actually define the different logins with ansible_ssh_user=root or ...=deploy in my hosts file. Or put them in group vars. But what do I do about the different sudo passwords? [legacy] is root so I don't need sudo, but [new] and [different] need it, and have different passwords. How do I do this? Group vars? Do I create these: test/group_vars/new/some_file_with_a_passwd.yml and test/group_vars/different/some_other_passwd.yml (ignoring security issues)?
site.yml如何识别存在不同密码的主机或某些没有密码的主机?
How does the site.yml recognize that there are hosts with different passwords or some hosts with no passwords?
为清楚起见,请进行我具有SSH访问权限,因此在播放过程中执行任务前"步骤始终有效(我通过键访问权限进行连接,而从未通过密码进行连接).我并不担心安全性,因为这是下一步.现在,我想正确处理group_vars问题....这是我遇到问题的sudo升级.例如. serv1 sudo可能是root/password1,serv3 sudo:deploy/password2,serv5:anotherdeploy/password3
Edit for clarity's sake: I have SSH access, so doing the 'pre-tasks' step during the play always work (I connect via key access and never via a password). I'm not worried about security as that's the next step. For now, I want to get the group_vars thing right....It's the sudo escalation I have issues with. E.g. serv1 sudo might be root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3
推荐答案
Normally you would want to pass the sudo password on the command line after Ansible's password prompt after using either the --ask-sudo-password or its short alias -K when running with a user that doesn't have passwordless sudo. This has the benefit of then not being recorded in your Ansible code base anywhere and then not ending up in source control.
但是,这只是一个提示,将应用于所有主机,因此并不完全适合您的用例.
However, this is a single prompt and will be applied to all hosts so doesn't really fit your use case.
可以使用ansibe_sudo_pass变量为任何特定主机的用户提供sudo密码.此应该仅在需要sudo密码时使用,因此,如果将此变量提供给具有无密码sudo的主机,则应将其忽略.
The ansibe_sudo_pass variable can instead be used to provide the sudo password for the user for any specific host. This should only be used when a sudo password is needed so if you provide this variable to a host with passwordless sudo then it should be ignored.
由于您的用户名/密码组合似乎完全按组而不是每个主机划分,因此将凭据放入
As your user/password combination seems to be split entirely by group rather than by each and every host then it makes logical sense to put the credentials in group vars.
指出 > nikobelia ,您可能要考虑使用 credstash 或其他.
As pointed out by nikobelia you may want to consider encrypting this sensitive data using something like Ansible's Vault, credstash or something else.
这篇关于Ansible:如何在使用不同密码的主机上进行播放?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
