最近公司将linux机器都禁止使用root直接远程登陆,而机器上项目都是在root下创建的,平时都是通过一台linux机器通过scp分发文件到多台linux机器,这样一来,就无法直接使用scp来分发文件,于是,我们用到了ansible来实现文件分发。
环境:
Ansible服务端操作系统:CentOS Linux release 7.5.1804 (Core)
Ansible服务端Ansible版本:ansible 2.5.3
Ansible服务器IP:192.168.100.127
Ansible客户端操作系统:CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.2.1511 (Core)
Ansible客户端IP:10.15.43.164 10.15.43.238
ansible没有服务端和客户端,这里为了便于区分写成了服务端和客户端。
实验目的
通过Ansible服务端将文件zabbix_discovery_port.sh分发Ansible的2个客户端/app/ansible目录
实验步骤
1、配置资源清单inventory文件
[root@Super ~]# tail -5 /etc/ansible/hosts
## db-[99:101]-node.example.com
[test]
10.15.43.164 ansible_ssh_port=22 ansible_ssh_user=justin ansible_ssh_pass='51cto' ansible_become_pass='123456'
10.15.43.238 ansible_ssh_port=22 ansible_ssh_user=justin ansible_ssh_pass='51cto' ansible_become_pass='123456'
[root@Super ~]#
在2.5版本中,变量名也有变化:ansible_become_pass替代了之前的ansible_sudo_pass和ansible_su_pass。注意上面的inventory把SSH登录密码和become密码都以明文写在文件里,该文件的读权限需要严格限制;更稳妥的做法是用ansible-vault加密这些变量,或改用SSH密钥认证。
2、Ansible客户端禁止root直接远程登陆,并创建普通用户ywbz
[root@host164 ~]# grep -i "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin no
[root@host164 ~]# systemctl restart sshd
[root@host164 ~]# useradd ywbz
[root@host164 ~]# echo 'csdp' | passwd --stdin ywbz
Changing password for user ywbz.
passwd: all authentication tokens updated successfully.
[root@host164 ~]#
3、Ansible服务端分发文件
[root@Super ~]# ansible test -S -R root -m shell -a 'ls -l /app/ansible'
10.15.43.238 | SUCCESS | rc=0 >>
total 0
10.15.43.164 | SUCCESS | rc=0 >>
total 0
[root@Super ~]# ansible test -S -R root -m copy -a 'src=/app/scripts/remote-excet/zabbix_discovery_port.sh dest=/app/ansible/'
10.15.43.238 | SUCCESS => {
"changed": true,
"checksum": "824760fb7b2c5852a4bbffb77a57ef41d1880497",
"dest": "/app/ansible/zabbix_discovery_port.sh",
"gid": 0,
"group": "root",
"md5sum": "c66dd03749ee77696adb915e2dd8da4a",
"mode": "0664",
"owner": "root",
"size": 935,
"src": "/home/ywbz/.ansible/tmp/ansible-tmp-1529501925.71-156669741008262/source",
"state": "file",
"uid": 0
}
10.15.43.164 | SUCCESS => {
"changed": true,
"checksum": "824760fb7b2c5852a4bbffb77a57ef41d1880497",
"dest": "/app/ansible/zabbix_discovery_port.sh",
"gid": 0,
"group": "root",
"md5sum": "c66dd03749ee77696adb915e2dd8da4a",
"mode": "0664",
"owner": "root",
"secontext": "system_u:object_r:default_t:s0",
"size": 935,
"src": "/home/ywbz/.ansible/tmp/ansible-tmp-1529501925.77-183701352629116/source",
"state": "file",
"uid": 0
}
[root@Super ~]# ansible test -S -R root -m shell -a 'ls -l /app/ansible'
10.15.43.238 | SUCCESS | rc=0 >>
total 4
-rw-rw-r-- 1 root root 935 Jun 20 21:38 zabbix_discovery_port.sh
10.15.43.164 | SUCCESS | rc=0 >>
total 4
-rw-rw-r--. 1 root root 935 Jun 21 05:38 zabbix_discovery_port.sh
[root@Super ~]#
-S, --su run operations with su (deprecated, use become)
-R SU_USER, --su-user=SU_USER
run operations with su as this user (default=root)
(deprecated, use become)
-R后面紧跟要切换到的用户名,-S可以放在-R之前也可以放在之后。注意帮助信息中这两个选项已标记为deprecated,新版本中应改用--become、--become-user和--become-method=su。
到此,在客户端的messages日志里可以看到相关信息
[root@host238 ~]# tail -5000f /var/log/messages
Jun 20 21:53:40 host238 systemd: Created slice User Slice of ywbz.
Jun 20 21:53:40 host238 systemd: Starting User Slice of ywbz.
Jun 20 21:53:40 host238 systemd: Started Session 191 of user ywbz.
Jun 20 21:53:40 host238 systemd-logind: New session 191 of user ywbz.
Jun 20 21:53:40 host238 systemd: Starting Session 191 of user ywbz.
Jun 20 21:53:40 host238 su: (to root) ywbz on pts/1 #普通用户ywbz通过su切换为root的日志,可用于审计谁在何时提权
Jun 20 21:53:41 host238 ansible-stat: Invoked with checksum_algorithm=sha1 get_checksum=True follow=False checksum_algo=sha1 path=/app/ansible/zabbix_discovery_port.sh get_md5=None get_mime=True get_attributes=True #Ansible模块已在目标机上以root身份执行,说明分发功能实现了
这里需要注意,普通用户的家目录必须存在,并且该普通用户要对家目录有写权限,否则会出现类似如下的报错:
10.15.43.164 | UNREACHABLE! => {
"changed": false,
"msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /home/ywbz/.ansible/tmp/ansible-tmp-1529502822.22-28999465671661 `\" && echo ansible-tmp-1529502822.22-28999465671661=\"` echo /home/ywbz/.ansible/tmp/ansible-tmp-1529502822.22-28999465671661 `\" ), exited with result 1",
"unreachable": true
}
如果这个普通用户没有家目录,或者家目录没有写权限,在不修改远端主机的情况下也可以解决:修改Ansible主机上的ansible.cfg配置文件。
[root@Super ~]# vim /etc/ansible/ansible.cfg
[defaults]
# some basic default values...
#inventory = /etc/ansible/hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp #默认在家目录下
remote_tmp = /tmp/.ansible/tmp #改成tmp目录
#local_tmp = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks = 5
#poll_interval = 15
#sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
#transport = smart
#remote_port = 22
#module_lang = C
#module_set_locale = False
/tmp目录一般对所有用户都有写权限,把远端临时目录改到/tmp下即可。由于/tmp是多用户共享目录,注意Ansible创建该临时目录时会先执行umask 77(见上面报错信息中的命令),因此目录本身只有创建者可读写,不会把分发中的文件暴露给同机的其他用户。