Ansible – Connection methods

Test environment: CentOS 9 Stream (virtual machine)

Ansible's architecture has two roles: the Control node (the machine that runs Ansible) and the Managed nodes (the machines Ansible controls).

  • Control node (Ansible controller) IP: 192.168.31.131
  • Managed node (controlled by Ansible) IP: 192.168.31.178
  • Managed node (controlled by Ansible) IP: 192.168.31.133

Create a directory for the test.

[root@localhost ~]# mkdir ansible_quickstart && cd ansible_quickstart
[root@localhost ansible_quickstart]#

This section looks at how the Ansible Control node connects to the Managed nodes over SSH.

  • --ask-pass
    Set up the inventory.

    [root@localhost ansible_quickstart]# vi remote.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root
    

    The inventory can be checked with the command ansible-inventory -i remote.ini --list

    With the --ask-pass option, Ansible prompts for the Managed nodes' (SSH Client) password when it runs.

    The sshpass package must be installed.

    [root@localhost ansible_quickstart]# yum -y install sshpass
    

    Configure Ansible to accept the SSH Client's (Managed nodes') public key automatically by turning off host key checking.

    [root@localhost ansible_quickstart]# vi ansible.cfg
    [defaults]
    host_key_checking = false
    

    Result of running it.

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini
    SSH password:
    192.168.31.178 | CHANGED | rc=0 >>
    Hello World
    192.168.31.133 | CHANGED | rc=0 >>
    Hello World
    
  • ansible_ssh_pass
    Specify the password directly in the inventory with ansible_ssh_pass=111111.

    [root@localhost ansible_quickstart]# vi remote.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root ansible_ssh_pass=111111
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root ansible_ssh_pass=111111
    
    [root@localhost ansible_quickstart]# ansible CentOS -m command -a "echo Hello World" -i remote.ini
    CentOS-VM2 | CHANGED | rc=0 >>
    Hello World
    CentOS-VM1 | CHANGED | rc=0 >>
    Hello World
    
  • public SSH key
    Set up the inventory.

    [root@localhost ansible_quickstart]# vi remote.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root
    

    The Control node does its work by connecting to the Managed nodes over SSH, so the Control node's public SSH key must first be added to each Managed node's authorized_keys file (this is what makes passwordless SSH login possible). For more on SSH key-based authentication, see https://benjr.tw/106336

    Generate an SSH public/private key pair (if the private key is protected by a passphrase, use ssh-agent so you are not prompted for the passphrase on every connection)

    [root@localhost ansible_quickstart]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:gDEFTV2X0g7/X3WiVNO0xYU57wUsPWwCqPzi4yMXmCo root@localhost.localdomain
    The key's randomart image is:
    +---[RSA 3072]----+
    |    +=o. ooo.= *=|
    |     +. o o.= & =|
    |    ....   = = B |
    |      o.    + . =|
    |     o .S  . o o+|
    |    o o .   . . o|
    |   . . o       ..|
    |E . . =         .|
    | .   +.o         |
    +----[SHA256]-----+
    

    Add the Control node's public SSH key to each Managed node's authorized_keys file.

    [root@localhost ansible_quickstart]# ssh-copy-id root@192.168.31.178
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    The authenticity of host '192.168.31.178 (192.168.31.178)' can't be established.
    ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.31.178's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@192.168.31.178'"
    and check to make sure that only the key(s) you wanted were added.
    
    [root@localhost ansible_quickstart]# ssh-copy-id root@192.168.31.133
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.31.133's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@192.168.31.133'"
    and check to make sure that only the key(s) you wanted were added.
    

    Passwordless SSH login is now in place; test the connection to a Managed node (IP: 192.168.31.178)

    [root@localhost ~]# ssh root@192.168.31.178
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last failed login: Thu May 16 17:31:43 CST 2024 from 192.168.31.131 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Thu May 16 17:20:50 2024 from 192.168.31.1
    [root@localhost ~]# exit
    登出
    Connection to 192.168.31.178 closed.
    

    Preparation is complete.

    No password is needed.

    [root@localhost ansible_quickstart]# ansible CentOS -m command -a "echo Hello World" -i remote.ini
    CentOS-VM1 | CHANGED | rc=0 >>
    Hello World
    CentOS-VM2 | CHANGED | rc=0 >>
    Hello World
    
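The ansible_ssh_pass entry in the inventory above keeps a plaintext credential on disk, and host_key_checking = false in ansible.cfg turns off SSH host key verification. The following audit script is an added example, not code from the original post or from Ansible, that flags both settings; PASSWORD_VARS, parse_ini_inventory, audit and the sample inputs are assumed names and constructed values, and the parser is a minimal one for INI inventories like remote.ini that also covers [group:vars] sections, which the post does not use.

```python
import configparser
import shlex

# Inventory variables that hold a plaintext secret (Ansible's own variable names).
PASSWORD_VARS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass"}

# Constructed sample inventory, mirroring the remote.ini used above (hypothetical).
SAMPLE_INVENTORY = """\
[CentOS]
CentOS-VM1 ansible_host=192.168.31.133 ansible_user=root ansible_ssh_pass=111111
CentOS-VM2 ansible_host=192.168.31.178 ansible_user=root
"""
# Constructed sample ansible.cfg, mirroring the one used above (hypothetical).
SAMPLE_CFG = "[defaults]\nhost_key_checking = false\n"

def parse_ini_inventory(text):
    """Return (hosts, group_vars): hosts is {group: {host: {var: value}}},
    group_vars is {group: {var: value}} taken from [group:vars] sections."""
    hosts, group_vars, section, kind = {}, {}, "ungrouped", ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")  # kind: "", vars, children
        elif kind == "vars":
            key, _, value = line.partition("=")
            group_vars.setdefault(section, {})[key.strip()] = value.strip()
        elif kind == "":  # a host line: "name key=value key=value ..."
            parts = shlex.split(line)
            hosts.setdefault(section, {})[parts[0]] = dict(
                tok.partition("=")[::2] for tok in parts[1:])
    return hosts, group_vars

def audit(inventory_text, cfg_text):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    hosts, group_vars = parse_ini_inventory(inventory_text)
    scopes = [(f"{g}/{h}", v) for g, hs in hosts.items() for h, v in hs.items()]
    scopes += [(f"{g}:vars", v) for g, v in group_vars.items()]
    for scope, variables in scopes:
        for var in sorted(PASSWORD_VARS & variables.keys()):
            findings.append(("high", f"{scope}: plaintext {var}; use SSH keys or ansible-vault"))
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if cfg.has_option("defaults", "host_key_checking") and \
            not cfg.getboolean("defaults", "host_key_checking"):
        findings.append(("medium", "host_key_checking=false; seed known_hosts with ssh-keyscan instead"))
    return findings
```

To check real files, pass their contents to audit(); ansible-vault is Ansible's built-in way to keep a password out of a plaintext inventory.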

Problems encountered

  • Managed node Public Key
    On the first connection, the SSH client must accept the host's public key.

    [root@localhost ~]# ssh root@192.168.31.133
    The authenticity of host '192.168.31.133 (192.168.31.133)' can't be established.
    ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:1: 192.168.31.131
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.31.133' (ED25519) to the list of known hosts.
    root@192.168.31.133's password:
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last login: Fri Jun  7 15:01:15 2024 from 192.168.31.131
    

    This is why the following error message appears.

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini 
    SSH password:
    192.168.31.133 | FAILED | rc=-1 >>
    Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.
    192.168.31.178 | FAILED | rc=-1 >>
    Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.
    

    Solution: in the directory where ansible is run, add

    [root@localhost ansible_quickstart]# vi ansible.cfg
    [defaults]
    host_key_checking = false
    

  • sshpass
    Using --ask-pass requires the sshpass package to be installed first

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini 
    SSH password:
    192.168.31.133 | FAILED | rc=-1 >>
    to use the 'ssh' connection type with passwords or pkcs11_provider, you must install the sshpass program
    192.168.31.178 | FAILED | rc=-1 >>
    to use the 'ssh' connection type with passwords or pkcs11_provider, you must install the sshpass program
    
    [root@localhost ansible_quickstart]# yum -y install sshpass
    