sudo密码可在单个组中为多个主机运行剧本 [英] sudo password to run playbook for multiple hosts in single group

问题描述

我们正在使用ansible，现在我们要在服务器(远程主机)上进行一些配置更改.我们在清单的单个组内添加了多台服务器，每台服务器具有不同的密码.当我们运行playbook时，它要求输入sudo密码，但我们无法传递单个服务器的密码，因为其他服务器将无法使用该密码.我们正在使用数字海洋云，因此没有.pem密钥文件选项.

We are using ansible and now we want make some configuration changes on our servers (remote host). We have added multiple servers inside single group in inventory and each server have different password. When we run playbook its asking for sudo password but we can't pass the password for single server because it will be fail for other servers. We are using Digital Ocean cloud so don't have .pem key file option.

您能帮助我如何为多个主机传递密码吗? 应该以安全的方式进行.

Can you please help me out how we can pass password for multiple host? It should be in secure way.

任何帮助或指导将不胜感激. 预先感谢.

Any help or guidance will be appreciated. Thanks in advance.

推荐答案

如果您需要为每个主机提供唯一的sudo密码，则需要在清单中或适当的位置设置ansible_become_pass host_vars目录中的文件.

If you need to provide a unique sudo password for each host, you'll want to set the ansible_become_pass in either your inventory or in an appropriate file in your host_vars directory.

您显然不想以明文形式存储密码，因此我们可以使用

You obviously don't want to store the password in cleartext, so we can use ansible-vault to encrypt the information so that a single password, provided at runtime, permits Ansible to read the passwords.

假设我们有一个包含三个主机(server，server2和server3)的清单，我们首先要确保在我们的剧本旁边有一个host_vars目录:

Assuming that we have an inventory with three hosts, server, server2, and server3, we would first ensure that there exists a host_vars directory adjacent to our playbook:

mkdir host_vars

接下来，我们使用以下命令创建一个包含ansible_become_pass变量的加密文件:

Next, we use the following command to create an encrypted file containing the ansible_become_pass variable:

ansible-vault create host_vars/server1.yml

这将提示我们输入保管库密码，然后在编辑器中打开文件.我们添加以下内容:

This will prompt us for a vault password, and then open the file in an editor. We add content such as:

---
ansible_become_pass: secret1

对server2和server3执行相同的步骤，每次都使用相同保管库密码(并为每个主机将ansible_become_pass设置为唯一的sudo密码).现在，我们有了以下文件:

Perform the same steps for server2 and server3, using the same vault password each time (and setting ansible_become_pass to the unique sudo password for each host). We now have the following files:

$ find . -type f
./playbook.yml
./host_vars/server2.yml
./host_vars/server3.yml
./host_vars/server1.yml

现在，我们将像这样运行我们的剧本:

Now, we would run our playbook like this:

ansible-playbook playbook.yml --ask-vault-pass

这将提示我们输入保险库密码:

This will prompt us for the vault password:

保险柜密码:

现在Ansible将能够升级目标主机上的特权.

And now Ansible will be able to escalate privileges on the target hosts.

这篇关于sudo密码可在单个组中为多个主机运行剧本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！