[Ansible Study] Running commands with sudo as a normal user in Ansible

Recently the company disabled direct remote root login on all of its Linux machines, but the projects on those machines were created under root. Until now we pushed files from one Linux machine to many others with scp; with root login gone, scp can no longer be used that way, so we turned to Ansible to distribute the files.

Environment:
Ansible server OS: CentOS Linux release 7.5.1804 (Core)
Ansible server Ansible version: ansible 2.5.3
Ansible server IP: 192.168.100.127
Ansible client OS: CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.2.1511 (Core)
Ansible client IPs: 10.15.43.164 10.15.43.238

Ansible has no real server and client roles; the terms server and client are used here only to tell the two sides apart.

Experiment goal
Distribute the file zabbix_discovery_port.sh from the Ansible server to the /app/ansible directory on the 2 Ansible clients

Experiment steps
1. Configure the inventory file

[root@Super ~]# tail -5 /etc/ansible/hosts 

## db-[99:101]-node.example.com
[test]
10.15.43.164 ansible_ssh_port=22 ansible_ssh_user=justin ansible_ssh_pass='51cto' ansible_become_pass='123456'
10.15.43.238 ansible_ssh_port=22 ansible_ssh_user=justin ansible_ssh_pass='51cto' ansible_become_pass='123456'
[root@Super ~]# 

In version 2.5 the variables changed as well: ansible_become_pass replaces the earlier ansible_sudo_pass or ansible_su_pass.

2. On the Ansible clients, disable direct remote root login and create the normal user ywbz

[root@host164 ~]# grep -i "^PermitRootLogin" /etc/ssh/sshd_config 
PermitRootLogin no
[root@host164 ~]# systemctl restart sshd
[root@host164 ~]# useradd ywbz
[root@host164 ~]# echo 'csdp' | passwd --stdin ywbz
Changing password for user ywbz.
passwd: all authentication tokens updated successfully.
[root@host164 ~]# 

3. Distribute the file from the Ansible server

[root@Super ~]# ansible test -S -R root -m shell -a 'ls -l /app/ansible'
10.15.43.238 | SUCCESS | rc=0 >>
total 0

10.15.43.164 | SUCCESS | rc=0 >>
total 0

[root@Super ~]# ansible test -S -R root -m copy -a 'src=/app/scripts/remote-excet/zabbix_discovery_port.sh dest=/app/ansible/'
10.15.43.238 | SUCCESS => {
    "changed": true, 
    "checksum": "824760fb7b2c5852a4bbffb77a57ef41d1880497", 
    "dest": "/app/ansible/zabbix_discovery_port.sh", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "c66dd03749ee77696adb915e2dd8da4a", 
    "mode": "0664", 
    "owner": "root", 
    "size": 935, 
    "src": "/home/ywbz/.ansible/tmp/ansible-tmp-1529501925.71-156669741008262/source", 
    "state": "file", 
    "uid": 0
}
10.15.43.164 | SUCCESS => {
    "changed": true, 
    "checksum": "824760fb7b2c5852a4bbffb77a57ef41d1880497", 
    "dest": "/app/ansible/zabbix_discovery_port.sh", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "c66dd03749ee77696adb915e2dd8da4a", 
    "mode": "0664", 
    "owner": "root", 
    "secontext": "system_u:object_r:default_t:s0", 
    "size": 935, 
    "src": "/home/ywbz/.ansible/tmp/ansible-tmp-1529501925.77-183701352629116/source", 
    "state": "file", 
    "uid": 0
}
[root@Super ~]# ansible test -S -R root -m shell -a 'ls -l /app/ansible'
10.15.43.238 | SUCCESS | rc=0 >>
total 4
-rw-rw-r-- 1 root root 935 Jun 20 21:38 zabbix_discovery_port.sh

10.15.43.164 | SUCCESS | rc=0 >>
total 4
-rw-rw-r--. 1 root root 935 Jun 21 05:38 zabbix_discovery_port.sh

[root@Super ~]#


-S, --su                run operations with su (deprecated, use become)
-R SU_USER, --su-user=SU_USER
                        run operations with su as this user (default=root)
                        (deprecated, use become)

-R is followed directly by the user name; -S can appear either before or after it.

At this point the related entries can be seen in the messages log on the client:

[root@host238 ~]# tail -5000f /var/log/messages 
Jun 20 21:53:40 host238 systemd: Created slice User Slice of ywbz.
Jun 20 21:53:40 host238 systemd: Starting User Slice of ywbz.
Jun 20 21:53:40 host238 systemd: Started Session 191 of user ywbz.
Jun 20 21:53:40 host238 systemd-logind: New session 191 of user ywbz.
Jun 20 21:53:40 host238 systemd: Starting Session 191 of user ywbz.
Jun 20 21:53:40 host238 su: (to root) ywbz on pts/1  # the normal user switching to root via su
Jun 20 21:53:41 host238 ansible-stat: Invoked with checksum_algorithm=sha1 get_checksum=True follow=False checksum_algo=sha1 path=/app/ansible/zabbix_discovery_port.sh get_md5=None get_mime=True get_attributes=True   # the Ansible task itself was executed

Note that the normal user's home directory must exist and the user must have write permission on it; otherwise an error like the following appears:

10.15.43.164 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /home/ywbz/.ansible/tmp/ansible-tmp-1529502822.22-28999465671661 `\" && echo ansible-tmp-1529502822.22-28999465671661=\"` echo /home/ywbz/.ansible/tmp/ansible-tmp-1529502822.22-28999465671661 `\" ), exited with result 1", 
    "unreachable": true
}

If the normal user has no home directory, or the home directory is not writable, this can still be solved without changing the remote host: edit the ansible.cfg configuration file on the Ansible host.

[root@Super ~]# vim /etc/ansible/ansible.cfg 
[defaults]

# some basic default values...

#inventory      = /etc/ansible/hosts
#library        = /usr/share/my_modules/
#module_utils   = /usr/share/my_module_utils/
#remote_tmp     = ~/.ansible/tmp     # default is under the home directory
remote_tmp     = /tmp/.ansible/tmp  # changed to a directory under /tmp
#local_tmp      = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks          = 5
#poll_interval  = 15
#sudo_user      = root
#ask_sudo_pass = True
#ask_pass      = True
#transport      = smart
#remote_port    = 22
#module_lang    = C
#module_set_locale = False

/tmp is normally writable by everyone, so simply pointing the temporary directory under /tmp is enough.
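As an added example (not code from the original post), the following POSIX shell function reproduces the preflight that Ansible runs on the managed host as the unprivileged login user, so a candidate remote_tmp can be tested before ansible.cfg is changed; the directories it creates under mktemp are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the step Ansible runs
# on the managed host before uploading a module. It mirrors the
# "Failed command was:" part of the UNREACHABLE error shown above:
#   ( umask 77 && mkdir -p "<remote_tmp>/ansible-tmp-..." )

# check_remote_tmp BASE
# Returns 0 if a private per-run directory can be created under BASE (as it
# would for remote_tmp=BASE), 1 if it would fail like the error in the post.
check_remote_tmp() {
    base="$1"
    run_dir="$base/ansible-tmp-$(date +%s).$$"
    if ! ( umask 77 && mkdir -p "$run_dir" ) 2>/dev/null; then
        echo "cannot create $run_dir: fix the home directory permissions" \
             "or set remote_tmp under /tmp in ansible.cfg" >&2
        return 1
    fi
    # umask 77 yields mode 0700, so on a shared /tmp other local users cannot
    # read the uploaded module or its arguments (which can carry secrets).
    mode=$(stat -c %a "$run_dir" 2>/dev/null || stat -f %Lp "$run_dir")
    rmdir "$run_dir"
    [ "$mode" = "700" ] || return 1
    return 0
}

# Demonstration with constructed paths: a writable base succeeds, while a
# read-only parent reproduces the failure from the post (unless run as root,
# for whom directory permissions are not enforced).
demo() {
    work="$(mktemp -d)"
    check_remote_tmp "$work/.ansible/tmp" && echo "ok: $work/.ansible/tmp"
    mkdir "$work/locked" && chmod 555 "$work/locked"
    check_remote_tmp "$work/locked/.ansible/tmp" \
        || echo "expected failure under $work/locked"
    chmod 755 "$work/locked"
    rm -rf "$work"
}

demo
```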
