sudo 密码为单个组中的多个主机运行剧本 [英] sudo password to run playbook for multiple hosts in single group

问题描述

我们正在使用 ansible，现在我们想要在我们的服务器(远程主机)上进行一些配置更改.我们在清单中的单个组中添加了多个服务器，每个服务器都有不同的密码.当我们运行 playbook 时，它要求输入 sudo 密码，但我们无法为单个服务器传递密码，因为其他服务器会失败.我们使用的是 Digital Ocean 云，所以没有 .pem 密钥文件选项.

We are using ansible and now we want make some configuration changes on our servers (remote host). We have added multiple servers inside single group in inventory and each server have different password. When we run playbook its asking for sudo password but we can't pass the password for single server because it will be fail for other servers. We are using Digital Ocean cloud so don't have .pem key file option.

你能帮我解决如何为多个主机传递密码吗?它应该是安全的.

Can you please help me out how we can pass password for multiple host? It should be in secure way.

任何帮助或指导将不胜感激.提前致谢.

Any help or guidance will be appreciated. Thanks in advance.

推荐答案

如果您需要为每个主机提供唯一的 sudo 密码，您需要设置 ansible_become_pass 在您的清单或 host_vars 目录中的相应文件中.

If you need to provide a unique sudo password for each host, you'll want to set the ansible_become_pass in either your inventory or in an appropriate file in your host_vars directory.

您显然不想以明文形式存储密码，因此我们可以使用 ansible-vault 对信息进行加密，以便在运行时提供的单个密码允许 Ansible 读取密码.

You obviously don't want to store the password in cleartext, so we can use ansible-vault to encrypt the information so that a single password, provided at runtime, permits Ansible to read the passwords.

假设我们有一个包含三个主机的清单，server、server2 和 server3，我们首先要确保存在 server、server2 和 server3code>host_vars 与我们的剧本相邻的目录:

Assuming that we have an inventory with three hosts, server, server2, and server3, we would first ensure that there exists a host_vars directory adjacent to our playbook:

mkdir host_vars

接下来，我们使用以下命令创建一个包含 ansible_become_pass 变量的加密文件:

Next, we use the following command to create an encrypted file containing the ansible_become_pass variable:

ansible-vault create host_vars/server1.yml

这将提示我们输入保管库密码，然后在编辑器中打开文件.我们添加如下内容:

This will prompt us for a vault password, and then open the file in an editor. We add content such as:

---
ansible_become_pass: secret1

对 server2 和 server3 执行相同的步骤，每次使用 相同 保险库密码(并设置 ansible_become_pass> 到每个主机的唯一 sudo 密码).我们现在有以下文件:

Perform the same steps for server2 and server3, using the same vault password each time (and setting ansible_become_pass to the unique sudo password for each host). We now have the following files:

$ find . -type f
./playbook.yml
./host_vars/server2.yml
./host_vars/server3.yml
./host_vars/server1.yml

现在，我们将像这样运行我们的剧本:

Now, we would run our playbook like this:

ansible-playbook playbook.yml --ask-vault-pass

这将提示我们输入保管库密码:

This will prompt us for the vault password:

保险柜密码:

现在 Ansible 将能够提升对目标主机的权限.

And now Ansible will be able to escalate privileges on the target hosts.

这篇关于sudo 密码为单个组中的多个主机运行剧本的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！