Ansible:如何使用不同密码的主机运行游戏? [英] Ansible: how to run a play with hosts with different passwords?
问题描述
我目前正在学习如何使用 Ansible.现在,我有一堆服务器,无论是新的还是旧的,都有不同的登录名或密码,或者两者都有.所有人都拥有运行剧本的关键访问权限.
I'm currently learning how to use Ansible. Right now, I've got a bunch of servers, both new and legacy, that have different logins or passwords or both. All have key access to run the plays.
这是我的开始.示例 hosts 文件:
Here's what I started with. Example hosts file:
# legacy and new have different logins (like root and deploy)
[legacy]
serv1
serv2
[new]
serv3
serv4
# different has a different login and password altogether
[different]
serv5
所以为了简单起见,我最初运行了一个相当于 sudo apt-get update && 的剧本.sudo apt-get upgrade 在所有机器上,但由于不同的登录名/密码,我为每个主机创建了多个剧本.但现在我想把它弄干,并根据他们的文档查看角色.
So to keep things simple, I originally had a playbook run the equivalent of sudo apt-get update && sudo apt-get upgrade on all the machines, but because of the different login/passwd, I had created multiple playbooks for each host. But now I want to DRY it out and am looking at Roles, per their docs.
现在我有这样的事情.test/roles/common/tasks/main.yml 文件:
Right now I have something like this. The test/roles/common/tasks/main.yml file:
---
- name: run apt-get update
apt: update_cache=yes
- name: run apt-get upgrade
apt: upgrade=yes
site.yml 文件:
The site.yml file:
- name: apply common configuration to all nodes
hosts: all
roles:
- common
我知道我实际上可以在我的主机文件中使用 ansible_ssh_user=root 或 ...=deploy 定义不同的登录.或者将它们放在组变量中.但是我该如何处理不同的 sudo 密码?[legacy] 是 root 所以我不需要 sudo,但是 [new] 和 [different] 需要它,并有不同的密码.我该怎么做呢?组变量?我是否创建这些:test/group_vars/new/some_file_with_a_passwd.yml 和 test/group_vars/different/some_other_passwd.yml(忽略安全问题)?
I understand that I can actually define the different logins with ansible_ssh_user=root or ...=deploy in my hosts file. Or put them in group vars. But what do I do about the different sudo passwords? [legacy] is root so I don't need sudo, but [new] and [different] need it, and have different passwords. How do I do this? Group vars? Do I create these: test/group_vars/new/some_file_with_a_passwd.yml and test/group_vars/different/some_other_passwd.yml (ignoring security issues)?
site.yml 如何识别有不同密码的主机或一些没有密码的主机?
How does the site.yml recognize that there are hosts with different passwords or some hosts with no passwords?
为清楚起见进行我有 SSH 访问权限,因此在播放期间执行预任务"步骤始终有效(我通过密钥访问进行连接,而从不通过密码进行连接).我不担心安全性,因为这是下一步.现在,我想让 group_vars 事情正确......这是我遇到的 sudo 升级问题.例如.serv1 sudo 可能是 root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3
Edit for clarity's sake: I have SSH access, so doing the 'pre-tasks' step during the play always work (I connect via key access and never via a password). I'm not worried about security as that's the next step. For now, I want to get the group_vars thing right....It's the sudo escalation I have issues with. E.g. serv1 sudo might be root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3
推荐答案
通常,在使用 --ask-sudo-password 或其短别名 -K 与没有无密码 sudo 的用户一起运行时.这样做的好处是不会被记录在您的 Ansible 代码库中的任何地方,也不会在源代码控制中结束.
Normally you would want to pass the sudo password on the command line after Ansible's password prompt after using either the --ask-sudo-password or its short alias -K when running with a user that doesn't have passwordless sudo. This has the benefit of then not being recorded in your Ansible code base anywhere and then not ending up in source control.
然而,这是一个单一的提示,将应用于所有主机,因此并不适合您的用例.
However, this is a single prompt and will be applied to all hosts so doesn't really fit your use case.
ansibe_sudo_pass 变量可用于为任何特定主机的用户提供 sudo 密码.此应该仅在需要 sudo 密码时使用,因此如果您将此变量提供给具有无密码 sudo 的主机,则应忽略它.
The ansibe_sudo_pass variable can instead be used to provide the sudo password for the user for any specific host. This should only be used when a sudo password is needed so if you provide this variable to a host with passwordless sudo then it should be ignored.
由于您的用户/密码组合似乎完全按组拆分,而不是按每个主机拆分,因此将凭据放在 组变量.
As your user/password combination seems to be split entirely by group rather than by each and every host then it makes logical sense to put the credentials in group vars.
正如指出>nikobelia 您可能需要考虑使用诸如 Ansible 的 Vault、credstash 或其他.
As pointed out by nikobelia you may want to consider encrypting this sensitive data using something like Ansible's Vault, credstash or something else.
这篇关于Ansible:如何使用不同密码的主机运行游戏?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
