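I want to run updates on all my Linux servers, which have different usernames and passwords. I think this is a common use case, but it is not covered in the documentation. There is SSH authentication, but I need elevated access for the update process, and the Ansible tasks need too many permissions to do this through the sudoers file.
How can I get the different ansible_password values from the inventory into one vault file, so that I can run the playbook, entering only one password to decrypt all the sudo passwords, and have it work?
Inventory: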
[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
1.2.3.5 ansible_user=user2 ansible_password=password2
1.2.3.6 ansible_user=user3 ansible_password=password3
Playbook:
---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output
    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")
    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined
    - block:
        - name: "Create log directory"
          file:
            path: "{{ log_dir }}"
            state: directory
          changed_when: false
        - name: "Write changes to logfile"
          copy:
            content: "{{ output.stdout }}"
            dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
          changed_when: false
      when: updated is defined
      connection: local
Answer 0 (score: 0)
Move ansible_user and ansible_password out of the inventory and into the host_vars directory. That is, make your inventory look like this:
[servers]
1.2.3.4
1.2.3.5
1.2.3.6
Then ansible-vault create host_vars/1.2.3.4.yml and give it the content:
ansible_user: user1
ansible_password: password1
And so on for the other hosts in the inventory.
Answer 1 (score: 0)
Q: "How can I get the different ansible_password values from the inventory into one vault file?"
A: You can use set_fact and add the decrypted variables. For example:
1) Remove the passwords from the inventory file
[servers]
1.2.3.4 ansible_user=user1
1.2.3.5 ansible_user=user2
1.2.3.6 ansible_user=user3
2) Create a dictionary with the passwords
$ cat group_vars/servers/my_vault.yml
my_vault:
  '1.2.3.4':
    ansible_password: 'password1'
  '1.2.3.5':
    ansible_password: 'password2'
  '1.2.3.6':
    ansible_password: 'password3'
3) Encrypt the file
$ ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful
$ cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
33613937636462643266613264333138376135313762663832393837616137323165363531666438
3564366531386130623162386332646366646561663763320a633533653631396637316138393339
66623531633936346363313965633565623566313264396636303136666432373037313666653630
3530343461616338370a323565346564383266323934376432383436646261313639663961343662
35336439646133333434363462616537323130373733363863646435376435343864323336323135
35623330303732666233313135643265393030386561306235303038353133386230336431396637
64663331316439336638646366636530626363353034326462393938363230386666303066383834
38643538343137633966336130393362303534666139373034356530303661643339623234356366
61316363333331613762663230616239643965333261353936373464366162646662323361626431
33663839386261313561396337393330616131663561646562373233373265646334383937386431
38386165653864363235646538353337373063376665386638653333646632316533363731663234
35663336663936653233
4) The playbook below adds the variable ansible_password to each host in the first play and uses it in the second play. For example
- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
- hosts: servers
  tasks:
    - debug:
        var: ansible_password
gives
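
Added example, not part of the question or of either answer: a Python helper for steps 1 and 2 of the second answer. It strips password variables from an INI inventory and renders the my_vault dictionary that is then encrypted with ansible-vault encrypt. The function names are illustrative, and it assumes host lines in the simple key=value form shown in the question.

```python
import json
import shlex

# Real Ansible connection/become variables that hold secrets.
SECRET_KEYS = {"ansible_password", "ansible_ssh_pass",
               "ansible_become_password", "ansible_become_pass"}

def split_inventory(text):
    """Split INI inventory text into (clean_inventory, {host: {var: secret}})."""
    clean, secrets, section = [], {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            clean.append(line)
        elif stripped.startswith("["):
            section = stripped.strip("[]")
            clean.append(line)
        elif section.endswith(":vars"):
            if stripped.partition("=")[0].strip() in SECRET_KEYS:
                raise ValueError(f"secret in [{section}]: move it to group_vars by hand")
            clean.append(line)
        else:
            host, *pairs = shlex.split(stripped, comments=True)
            kept = [host]
            for pair in pairs:
                key, _, value = pair.partition("=")
                if key in SECRET_KEYS:
                    secrets.setdefault(host, {})[key] = value
                else:
                    kept.append(pair)
            clean.append(shlex.join(kept))
    return "\n".join(clean) + "\n", secrets

def vault_yaml(secrets, var="my_vault"):  # JSON strings are valid YAML scalars
    out = [f"{var}:"]
    for host, pairs in secrets.items():
        out.append(f"  {json.dumps(host)}:")
        out += [f"    {key}: {json.dumps(value)}" for key, value in pairs.items()]
    return "\n".join(out) + "\n"

# Sample input: the inventory from the question.
SAMPLE = """[servers]
1.2.3.4 ansible_user=user1 ansible_password=password1
1.2.3.5 ansible_user=user2 ansible_password=password2
1.2.3.6 ansible_user=user3 ansible_password=password3
"""

if __name__ == "__main__":
    inventory, found = split_inventory(SAMPLE)
    print(inventory + vault_yaml(found), end="")
```

A secret found in a `[group:vars]` section raises an error instead of being moved, because it belongs in a group-level vault file rather than in the per-host dictionary.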