sudo密码可在单个组中为多个主机运行剧本 [英] sudo password to run playbook for multiple hosts in single group
问题描述
我们正在使用ansible,现在我们要在服务器(远程主机)上进行一些配置更改.我们在清单的单个组内添加了多台服务器,每台服务器具有不同的密码.当我们运行playbook时,它要求输入sudo密码,但我们无法传递单个服务器的密码,因为其他服务器将无法使用该密码.我们正在使用数字海洋云,因此没有.pem
密钥文件选项.
We are using ansible and now we want make some configuration changes on our servers (remote host). We have added multiple servers inside single group in inventory and each server have different password. When we run playbook its asking for sudo password but we can't pass the password for single server because it will be fail for other servers. We are using Digital Ocean cloud so don't have .pem
key file option.
您能帮助我如何为多个主机传递密码吗? 应该以安全的方式进行.
Can you please help me out how we can pass password for multiple host? It should be in secure way.
任何帮助或指导将不胜感激. 预先感谢.
Any help or guidance will be appreciated. Thanks in advance.
推荐答案
如果您需要为每个主机提供唯一的sudo
密码,则需要在清单中或适当的位置设置ansible_become_pass
host_vars
目录中的文件.
If you need to provide a unique sudo
password for each host, you'll want to set the ansible_become_pass
in either your inventory or in an appropriate file in your host_vars
directory.
You obviously don't want to store the password in cleartext, so we can use ansible-vault to encrypt the information so that a single password, provided at runtime, permits Ansible to read the passwords.
假设我们有一个包含三个主机(server
,server2
和server3
)的清单,我们首先要确保在我们的剧本旁边有一个host_vars
目录:
Assuming that we have an inventory with three hosts, server
, server2
, and server3
, we would first ensure that there exists a host_vars
directory adjacent to our playbook:
mkdir host_vars
接下来,我们使用以下命令创建一个包含ansible_become_pass
变量的加密文件:
Next, we use the following command to create an encrypted file containing the ansible_become_pass
variable:
ansible-vault create host_vars/server1.yml
这将提示我们输入保管库密码,然后在编辑器中打开文件.我们添加以下内容:
This will prompt us for a vault password, and then open the file in an editor. We add content such as:
---
ansible_become_pass: secret1
对server2
和server3
执行相同的步骤,每次都使用相同保管库密码(并为每个主机将ansible_become_pass
设置为唯一的sudo
密码).现在,我们有了以下文件:
Perform the same steps for server2
and server3
, using the same vault password each time (and setting ansible_become_pass
to the unique sudo
password for each host). We now have the following files:
$ find . -type f
./playbook.yml
./host_vars/server2.yml
./host_vars/server3.yml
./host_vars/server1.yml
现在,我们将像这样运行我们的剧本:
Now, we would run our playbook like this:
ansible-playbook playbook.yml --ask-vault-pass
这将提示我们输入保险库密码:
This will prompt us for the vault password:
保险柜密码:
现在Ansible将能够升级目标主机上的特权.
And now Ansible will be able to escalate privileges on the target hosts.
这篇关于sudo密码可在单个组中为多个主机运行剧本的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!