Ansible SSH提示known_hosts问题 [英] ansible ssh prompt known_hosts issue
问题描述
我正在运行Ansible剧本,它在一台机器上运行正常.
I'm running Ansible playbook and it works fine on one machine.
第一次尝试在一台新计算机上时,出现以下错误.
On a new machine when I try for the first time, I get the following error.
17:04:34 PLAY [appservers] *************************************************************
17:04:34
17:04:34 GATHERING FACTS ***************************************************************
17:04:34 fatal: [server02.cit.product-ref.dev] => {'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}
17:04:34 fatal: [server01.cit.product-ref.dev] => {'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}
17:04:34
17:04:34 TASK: [common | remove old ansible-tmp-*] *************************************
17:04:34 FATAL: no hosts matched or all hosts have already failed -- aborting
17:04:34
17:04:34
17:04:34 PLAY RECAP ********************************************************************
17:04:34 to retry, use: --limit @/var/lib/jenkins/site.retry
17:04:34
17:04:34 server01.cit.product-ref.dev : ok=0 changed=0 unreachable=1 failed=0
17:04:34 server02.cit.product-ref.dev : ok=0 changed=0 unreachable=1 failed=0
17:04:34
17:04:34 Build step 'Execute shell' marked build as failure
17:04:34 Finished: FAILURE
如果我首先转到源计算机(从我运行ansible剧本的位置)并手动ssh到目标计算机(作为给定用户),然后为known_hosts文件输入输入是",则可以解决此错误
This error can be resolved, if I first go to the source machine (from where I'm running the ansible playbook) and manually ssh to the target machine (as the given user) and enter "yes" for known_hosts file entry.
现在,如果我第二次运行同一个可播放的剧本,它将正常运行而不会出错.
Now, if I run the same ansible playbook second time, it works without an error.
因此,如何在给定用户(〜/.ssh文件夹,known_hosts文件)的ssh首次进入sshknown_hosts条目时抑制SSH给出的提示?
Therefore, how can I suppress the prompt what SSH gives while making ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?
如果在〜/.ssh/config 文件中使用以下配置条目,我发现可以做到这一点.
I found I can do this if I use the following config entries in ~/.ssh/config file.
〜/.ssh/config
~/.ssh/config
# For vapp virtual machines
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
User kobaloki
LogLevel ERROR
即如果我将上述代码放在远程计算机的用户的〜/.ssh/config文件中,并首次尝试使用Ansible剧本,则系统不会提示我输入是",并且剧本将成功运行(无需用户手动创建从源计算机到目标/远程计算机的known_hosts文件条目.
i.e. if I place the above code in the user's ~/.ssh/config file of a remote machine and try Ansible playbook for the first time, I won't be prompted for entring "yes" and playbook will run successfully (without requiring the user to manually create a known_hosts file entry from the source machine to the target/remote machine).
我的问题: 1.如果我使用〜/.ssh/config方式,应该注意哪些安全问题 2.如何在命令行中将设置(配置文件中的内容)作为参数/选项传递给ansible,以便它将在新计算机上首次运行(不提示/取决于源计算机上的known_hosts文件条目)目标机器?
My questions: 1. What security issues I should take care if I go ~/.ssh/config way 2. How can I pass the settings (what's there in the config file) as parameters/options to ansible at command line so that it will run first time on a new machine (without prompting / depending upon the known_hosts file entry on the source machine for the target machine?
推荐答案
The ansible docs have a section on this. Quoting:
Ansible 1.2.1和更高版本默认情况下启用了主机密钥检查.
Ansible 1.2.1 and later have host key checking enabled by default.
如果主机被重新安装并且在"known_hosts"中具有不同的密钥,这将导致错误消息,直到更正为止.如果主机最初不在"known_hosts"中,则将提示您确认密钥,从而在使用Ansible(例如cron)时产生交互体验.您可能不想要这个.
If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.
如果您了解其中的含义并希望禁用此行为,则可以通过编辑/etc/ansible/ansible.cfg或〜/.ansible.cfg来实现:
If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:
[defaults]
host_key_checking = False
或者可以通过环境变量来设置:
Alternatively this can be set by an environment variable:
$ export ANSIBLE_HOST_KEY_CHECKING=False
还请注意,在paramiko模式下检查主机密钥的速度相当慢,因此,在使用此功能时也建议切换到"ssh".
Also note that host key checking in paramiko mode is reasonably slow, therefore switching to ‘ssh’ is also recommended when using this feature.
这篇关于Ansible SSH提示known_hosts问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
