Ansible – Connection methods

Loading

測試環境 CentOS 9 Stream (虛擬機)

Ansible 架構分為 Control node ( Ansible 控制端 ) 與 Managed nodes ( 被 Ansible 控制端 ) .

  • Control node ( Ansible 控制端) IP: 192.168.31.131
  • Managed nodes (被 Ansible 控制端) IP: 192.168.31.178
  • Managed nodes (被 Ansible 控制端) IP: 192.168.31.133

建立一個測試用的資料夾.

[root@localhost ~]# mkdir ansible_quickstart && cd ansible_quickstart
[root@localhost ansible_quickstart]#

這邊來討論一下 Ansible Control node 透過 SSH 怎麼連線到 Managed nodes

  • –ask-pass
    在執行時直接輸入密碼,先設定好 Inventory.

    [root@localhost ansible_quickstart]# vi remote.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root
    

    可以透過指令 #ansible-inventory -i remote.ini –list 來檢查 Inventory.

    透過參數 –ask-pass 在執行時會要求輸入 Managed Nodes (SSH Client)的密碼.

    需安裝 sshpass 套件

    [root@localhost ansible_quickstart]# yum -y install sshpass
    

    設定接受 SSH Client ( Managed Nodes) 的 Public Key.

    [root@localhost ansible_quickstart]# vi ansible.cfg
    [defaults]
    host_key_checking = false
    

    執行結果.

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini
    SSH password:
    192.168.31.178 | CHANGED | rc=0 >>
    Hello World
    192.168.31.133 | CHANGED | rc=0 >>
    Hello World
    
  • ansible_ssh_pass
    直接在 Inventory 指定密碼 ansible_ssh_pass .

    [root@localhost ansible_quickstart]# vi remote_w_pass.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root ansible_ssh_pass=111111
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root ansible_ssh_pass=111111
    
    [root@localhost ansible_quickstart]# ansible CentOS -m command -a "echo Hello World" -i remote_w_pass.ini
    CentOS-VM2 | CHANGED | rc=0 >>
    Hello World
    CentOS-VM1 | CHANGED | rc=0 >>
    Hello World
    
  • public SSH key
    使用先前的 Inventory.

    [root@localhost ansible_quickstart]# cat remote.ini
    [CentOS]
    CentOS-VM1 ansible_host=192.168.31.133 ansible_connection=ssh ansible_port=22 ansible_user=root
    CentOS-VM2 ansible_host=192.168.31.178 ansible_connection=ssh ansible_port=22 ansible_user=root
    

    Control node 是透過 SSH 的方式去連到 Managed node 來工作,所以要先把 Control node 的 public SSH key 加到 Managed node 的 authorized_keys 檔案 (實現 SSH 免密碼的登入方式),更多關於 SSH 基於 Key 的驗證 請參考 – https://benjr.tw/106336

    產生 SSH Public / Private Key (如需輸入 SSH Private Key PassPhrase 時須使用 SSH_Agent 去避免輸入 PassPhase 的密碼)

    [root@localhost ansible_quickstart]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:gDEFTV2X0g7/X3WiVNO0xYU57wUsPWwCqPzi4yMXmCo root@localhost.localdomain
    The key's randomart image is:
    +---[RSA 3072]----+
    |    +=o. ooo.= *=|
    |     +. o o.= & =|
    |    ....   = = B |
    |      o.    + . =|
    |     o .S  . o o+|
    |    o o .   . . o|
    |   . . o       ..|
    |E . . =         .|
    | .   +.o         |
    +----[SHA256]-----+
    

    把 Control node 的 public SSH key 加到 Managed node 的 authorized_keys 檔案 .

    [root@localhost ansible_quickstart]# ssh-copy-id root@192.168.31.178
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    The authenticity of host '192.168.31.178 (192.168.31.178)' can't be established.
    ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
    This key is not known by any other names
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.31.178's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@192.168.31.178'"
    and check to make sure that only the key(s) you wanted were added.
    
    [root@localhost ansible_quickstart]# ssh-copy-id root@192.168.31.133
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.31.133's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@192.168.31.133'"
    and check to make sure that only the key(s) you wanted were added.
    

    這樣就實現了 SSH 免密碼的登入方式,測試一下連線到 Managed nodes ( IP: 192.168.31.178 )

    [root@localhost ~]# ssh root@192.168.31.178
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last failed login: Thu May 16 17:31:43 CST 2024 from 192.168.31.131 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Thu May 16 17:20:50 2024 from 192.168.31.1
    [root@localhost ~]# exit
    登出
    Connection to 192.168.31.178 closed.
    

    準備工作完成.

    無需使用密碼.

    [root@localhost ansible_quickstart]# ansible CentOS -m command -a "echo Hello World" -i remote.ini
    CentOS-VM1 | CHANGED | rc=0 >>
    Hello World
    CentOS-VM2 | CHANGED | rc=0 >>
    Hello World
    

遇過的問題

  • Managed node Public Key
    第一次連線的 SSH Client 要接受 Public Key .

    [root@localhost ~]# ssh root@192.168.31.133
    The authenticity of host '192.168.31.133 (192.168.31.133)' can't be established.
    ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
    This host key is known by the following other names/addresses:
        ~/.ssh/known_hosts:1: 192.168.31.131
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.31.133' (ED25519) to the list of known hosts.
    root@192.168.31.133's password:
    Activate the web console with: systemctl enable --now cockpit.socket
    
    Last login: Fri Jun  7 15:01:15 2024 from 192.168.31.131
    

    所以會出現以下的錯誤訊息.

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini 
    SSH password:
    192.168.31.133 | FAILED | rc=-1 >>
    Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.
    192.168.31.178 | FAILED | rc=-1 >>
    Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host.
    

    解決方式,在執行目錄加上

    [root@localhost ansible_quickstart]# vi ansible.cfg
    [defaults]
    host_key_checking = false
    

    sshpass
    使用 –ask-pass 需先安裝 sshpass 套件

    [root@localhost ansible_quickstart]# ansible --ask-pass CentOS -m command -a "echo Hello World" -i remote.ini 
    SSH password:
    192.168.31.133 | FAILED | rc=-1 >>
    to use the 'ssh' connection type with passwords or pkcs11_provider, you must install the sshpass program
    192.168.31.178 | FAILED | rc=-1 >>
    to use the 'ssh' connection type with passwords or pkcs11_provider, you must install the sshpass program
    
    [root@localhost ansible_quickstart]# yum -y install sshpass
    
沒有解決問題,試試搜尋本站其他內容

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料