How to define sudo passwords for multiple hosts in one vault file?

Time: 2020-01-21 14:10:21

Tags: ansible

I want to run updates on all of my Linux servers, which have different usernames and passwords. I think this is a common use case, but it is not covered in the documentation. There is SSH authentication, but I need elevated access for the update process, and the Ansible tasks need too many privileges to do this through the sudoers file.

How can I get the different ansible_password values from the inventory into one vault file, so that I can run the playbook and enter only one password to decrypt all the sudo passwords and make it work?

Inventory:

[servers]
1.2.3.4    ansible_user=user1 ansible_password=password1
1.2.3.5    ansible_user=user2 ansible_password=password2
1.2.3.6    ansible_user=user3 ansible_password=password3

Playbook:

---
- hosts: servers
  become: yes
  become_method: sudo
  gather_facts: false
  vars:
    verbose: false
    log_dir: "/var/log/ansible/dist-upgrade/{{ inventory_hostname }}"
  pre_tasks:
    - name: Install python for Ansible
      raw: sudo bash -c "test -e /usr/bin/python || (apt -qqy update && apt install -qy python-minimal)"
      changed_when: false
  tasks:
    - name: Update packages
      apt:
        update_cache: yes
        upgrade: dist
        autoremove: no
      register: output

    - name: Check changes
      set_fact:
        updated: true
      when: not output.stdout is search("0 upgraded, 0 newly installed")

    - name: Display changes
      debug:
        msg: "{{ output.stdout_lines }}"
      when: verbose or updated is defined

    - block:
      - name: "Create log directory"
        file:
          path: "{{ log_dir }}"
          state: directory
        changed_when: false

      - name: "Write changes to logfile"
        copy:
          content: "{{ output.stdout }}"
          dest: "{{ log_dir }}/dist-upgrade_{{ ansible_date_time.iso8601 }}.log"
        changed_when: false

      when: updated is defined
      connection: local

2 answers:

Answer 0 (score: 0)

Move ansible_user and ansible_password out of the inventory and into the host_vars directory. That is, make your inventory look like this:

[servers]
1.2.3.4
1.2.3.5
1.2.3.6

Then run ansible-vault create host_vars/1.2.3.4.yml and give it the contents:

ansible_user: user1
ansible_password: password1

And so on for the other hosts in the inventory.

Answer 1 (score: 0)

Q: "How to get the different ansible_password values from the inventory into one vault file?"

A: It is possible to use set_fact and add the decrypted variables. For example

1) Remove the passwords from the inventory file

[servers]
1.2.3.4    ansible_user=user1
1.2.3.5    ansible_user=user2
1.2.3.6    ansible_user=user3

2) Create a dictionary with the passwords

$ cat group_vars/servers/my_vault.yml
my_vault:
  '1.2.3.4':
    ansible_password: 'password1'
  '1.2.3.5':
    ansible_password: 'password2'
  '1.2.3.6':
    ansible_password: 'password3'

3) Encrypt the file

$ ansible-vault encrypt group_vars/servers/my_vault.yml
Encryption successful
$ cat group_vars/servers/my_vault.yml
$ANSIBLE_VAULT;1.1;AES256
33613937636462643266613264333138376135313762663832393837616137323165363531666438
3564366531386130623162386332646366646561663763320a633533653631396637316138393339
66623531633936346363313965633565623566313264396636303136666432373037313666653630
3530343461616338370a

4) The playbook below adds the variable ansible_password to each host in the first play and uses it in the second play. For example

- hosts: servers
  gather_facts: false
  tasks:
    - set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"

- hosts: servers
  tasks:
  - debug:
      var: ansible_password

gives
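As an added example that is not part of either answer, the playbook below builds on the second answer's my_vault dictionary and the first answer's goal of typing a single vault password. It assumes the same group_vars/servers/my_vault.yml layout, optionally extended per host with an ansible_become_password key (an assumed key, not shown on the page), and a playbook file name of site.yml (also assumed). It checks that every host has a vault entry before the lookup, so a missing host fails with a clear message instead of an undefined-variable error, keeps both secrets out of the task output with no_log, and sets the sudo password explicitly so privilege escalation does not silently depend on the SSH password.

```yaml
# Added example, not code from either answer.
# Assumes group_vars/servers/my_vault.yml (vaulted) of this shape; the
# ansible_become_password key is an assumption, used only when a host's
# sudo password differs from its SSH password:
#
#   my_vault:
#     '1.2.3.4':
#       ansible_password: 'password1'         # SSH password
#       ansible_become_password: 'sudopass1'  # sudo password (optional)
#
# Run with one vault password:  ansible-playbook --ask-vault-pass site.yml
- hosts: servers
  gather_facts: false          # no connection before the password is known
  tasks:
    - name: Refuse to continue for hosts that have no vault entry
      # Without this, my_vault[inventory_hostname] only fails at lookup time
      # with a generic "undefined variable" error.
      assert:
        that: inventory_hostname in my_vault
        fail_msg: "no entry for {{ inventory_hostname }} in my_vault"

    - name: Load per-host SSH and sudo credentials from the vault
      set_fact:
        ansible_password: "{{ my_vault[inventory_hostname].ansible_password }}"
        # Fall back to the SSH password when no separate sudo password is stored.
        ansible_become_password: >-
          {{ my_vault[inventory_hostname].ansible_become_password
             | default(my_vault[inventory_hostname].ansible_password) }}
      # Keep both secrets out of the play output, even when run with -v.
      no_log: true

- hosts: servers
  become: yes
  become_method: sudo
  tasks:
    - name: Confirm privilege escalation works without printing any secret
      command: id -u
      register: id_out
      changed_when: false

    - name: Report the effective uid (0 means sudo worked)
      debug:
        msg: "{{ inventory_hostname }}: become uid={{ id_out.stdout }}"
```

Both the assert and the set_fact tasks are local action plugins, so the first play never opens an SSH connection; the connection and sudo credentials only have to exist by the time the second play runs.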