ansible ssh 提示 known_hosts 问题 [英] ansible ssh prompt known_hosts issue
问题描述
我正在运行 Ansible playbook,它在一台机器上运行良好.
在新机器上第一次尝试时,出现以下错误.
17:04:34 PLAY [appservers] *********************************************************************17:04:3417:04:34 收集事实 ***********************************************************************17:04:34 致命:[server02.cit.product-ref.dev] =>{'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}17:04:34 致命:[server01.cit.product-ref.dev] =>{'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}17:04:3417:04:34 任务:[普通 |删除旧的 ansible-tmp-*] *****************************************17:04:34 致命:没有主机匹配或所有主机都已经失败——正在中止17:04:3417:04:3417:04:34 播放回顾 ************************************************************************17:04:34 重试,使用:--limit @/var/lib/jenkins/site.retry17:04:3417:04:34 server01.cit.product-ref.dev:ok=0改变=0无法到达=1失败=017:04:34 server02.cit.product-ref.dev:ok=0改变=0无法到达=1失败=017:04:3417:04:34 构建步骤执行 shell"将构建标记为失败17:04:34 完成:失败如果我首先转到源计算机(从我运行 ansible playbook 的位置)并手动 ssh 到目标计算机(作为给定用户)并为 known_hosts 文件条目输入yes",则可以解决此错误.
现在,如果我第二次运行相同的 ansible playbook,它可以正常工作.
因此,如何在第一次为给定用户(~/.ssh 文件夹,文件 known_hosts)创建 ssh known_hosts 条目时抑制 SSH 给出的提示?
我发现如果我在 ~/.ssh/config 文件中使用以下配置条目,我可以做到这一点.
~/.ssh/config
# 用于 vapp 虚拟机主持人 *StrictHostKeyChecking 否UserKnownHostsFile=/dev/null用户 kobaloki日志级别错误即如果我将上面的代码放在用户的远程机器的 ~/.ssh/config 文件中并第一次尝试 Ansible playbook,我将不会被提示输入yes"并且 playbook 将成功运行(不需要用户手动创建从源机器到目标/远程机器的 known_hosts 文件条目).
我的问题:1.走~/.ssh/config方式需要注意哪些安全问题2. 如何将设置(配置文件中的内容)作为参数/选项传递给命令行中的 ansible,以便它首次在新机器上运行(不提示/取决于源机器上的 known_hosts 文件条目)对于目标机器?
ansible 文档有 关于此的一节.引用:
<块引用>Ansible 1.2.1 及更高版本默认启用主机密钥检查.
如果主机重新安装并且在known_hosts"中有不同的密钥,这将导致错误消息,直到得到纠正.如果主机最初不在known_hosts"中,这将导致提示确认密钥,如果使用 Ansible,例如 cron,则会导致交互式体验.你可能不想要这个.
如果您了解含义并希望禁用此行为,您可以通过编辑/etc/ansible/ansible.cfg 或 ~/.ansible.cfg 来实现:
[默认值]host_key_checking = False<块引用>
或者,这可以通过环境变量设置:
$ export ANSIBLE_HOST_KEY_CHECKING=False<块引用>
另请注意,paramiko 模式下的主机密钥检查速度相当慢,因此在使用此功能时也建议切换到ssh".
I'm running Ansible playbook and it works fine on one machine.
On a new machine when I try for the first time, I get the following error.
17:04:34 PLAY [appservers] *************************************************************
17:04:34
17:04:34 GATHERING FACTS ***************************************************************
17:04:34 fatal: [server02.cit.product-ref.dev] => {'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}
17:04:34 fatal: [server01.cit.product-ref.dev] => {'msg': "FAILED: (22, 'Invalid argument')", 'failed': True}
17:04:34
17:04:34 TASK: [common | remove old ansible-tmp-*] *************************************
17:04:34 FATAL: no hosts matched or all hosts have already failed -- aborting
17:04:34
17:04:34
17:04:34 PLAY RECAP ********************************************************************
17:04:34 to retry, use: --limit @/var/lib/jenkins/site.retry
17:04:34
17:04:34 server01.cit.product-ref.dev : ok=0 changed=0 unreachable=1 failed=0
17:04:34 server02.cit.product-ref.dev : ok=0 changed=0 unreachable=1 failed=0
17:04:34
17:04:34 Build step 'Execute shell' marked build as failure
17:04:34 Finished: FAILURE
This error can be resolved, if I first go to the source machine (from where I'm running the ansible playbook) and manually ssh to the target machine (as the given user) and enter "yes" for known_hosts file entry.
Now, if I run the same ansible playbook second time, it works without an error.
Therefore, how can I suppress the prompt what SSH gives while making ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?
I found I can do this if I use the following config entries in ~/.ssh/config file.
~/.ssh/config
# For vapp virtual machines
Host *
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
User kobaloki
LogLevel ERROR
i.e. if I place the above code in the user's ~/.ssh/config file of a remote machine and try Ansible playbook for the first time, I won't be prompted for entring "yes" and playbook will run successfully (without requiring the user to manually create a known_hosts file entry from the source machine to the target/remote machine).
My questions: 1. What security issues I should take care if I go ~/.ssh/config way 2. How can I pass the settings (what's there in the config file) as parameters/options to ansible at command line so that it will run first time on a new machine (without prompting / depending upon the known_hosts file entry on the source machine for the target machine?
The ansible docs have a section on this. Quoting:
Ansible 1.2.1 and later have host key checking enabled by default.
If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.
If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:
[defaults]
host_key_checking = False
Alternatively this can be set by an environment variable:
$ export ANSIBLE_HOST_KEY_CHECKING=False
Also note that host key checking in paramiko mode is reasonably slow, therefore switching to ‘ssh’ is also recommended when using this feature.
这篇关于ansible ssh 提示 known_hosts 问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
