将Ansible剧本安全地限制在一台机器上吗? [英] Safely limiting Ansible playbooks to a single machine?

问题描述

我正在Ansible中使用一小组计算机执行一些简单的用户管理任务.目前，我的剧本设置为hosts: all，而我的主机文件只是一个列出了所有计算机的单个组:

I'm using Ansible for some simple user management tasks with a small group of computers. Currently, I have my playbooks set to hosts: all and my hosts file is just a single group with all machines listed:

# file: hosts
[office]
imac-1.local
imac-2.local
imac-3.local

我发现自己经常不得不瞄准一台机器. ansible-playbook命令可以限制播放，如下所示:

I've found myself frequently having to target a single machine. The ansible-playbook command can limit plays like this:

ansible-playbook --limit imac-2.local user.yml

但这似乎有些脆弱，尤其是对于可能具有破坏性的剧本而言.省略limit标志意味着该剧本将在任何地方运行.由于这些工具只是偶尔使用，因此似乎值得采取措施实现万无一失的播放，因此我们几个月后再也不会无意中破坏某些东西了.

But that seems kind of fragile, especially for a potentially destructive playbook. Leaving out the limit flag means the playbook would be run everywhere. Since these tools only get used occasionally, it seems worth taking steps to foolproof playback so we don't accidentally nuke something months from now.

是否存在将剧本的运行限制在一台机器上的最佳实践?理想情况下，如果忽略了一些重要细节，则剧本应该无害.

Is there a best practice for limiting playbook runs to a single machine? Ideally the playbooks should be harmless if some important detail was left out.

推荐答案

原来可以直接在剧本中输入主机名，因此使用hosts: imac-2.local运行剧本将可以正常工作.但这有点笨拙.

Turns out it is possible to enter a host name directly into the playbook, so running the playbook with hosts: imac-2.local will work fine. But it's kind of clunky.

更好的解决方案可能是使用变量定义剧本的主机，然后通过--extra-vars传入特定的主机地址:

A better solution might be defining the playbook's hosts using a variable, then passing in a specific host address via --extra-vars:

# file: user.yml  (playbook)
---
- hosts: '{{ target }}'
  user: ...

运行剧本:

ansible-playbook user.yml --extra-vars "target=imac-2.local"

如果未定义{{ target }}，则剧本不执行任何操作.如果需要，还可以传递hosts文件中的组.总体而言，这似乎是构建潜在破坏性剧本的一种更为安全的方法.

If {{ target }} isn't defined, the playbook does nothing. A group from the hosts file can also be passed through if need be. Overall, this seems like a much safer way to construct a potentially destructive playbook.

针对单个主机的剧本:

$ ansible-playbook user.yml --extra-vars "target=imac-2.local" --list-hosts

playbook: user.yml

  play #1 (imac-2.local): host count=1
    imac-2.local

包含一组主机的剧本:

$ ansible-playbook user.yml --extra-vars "target=office" --list-hosts

playbook: user.yml

  play #1 (office): host count=3
    imac-1.local
    imac-2.local
    imac-3.local

忘记定义主机是安全的！

Forgetting to define hosts is safe!

$ ansible-playbook user.yml --list-hosts

playbook: user.yml

  play #1 ({{target}}): host count=0

这篇关于将Ansible剧本安全地限制在一台机器上吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！