ip | user | sudo_user | port | usage |
---|---|---|---|---|
192.168.48.81 | ansible | root | 29922 | nagios & ansible control |
192.168.48.82 | ansible | root | 29922 | nagios node1 & bastion1 |
192.168.48.83 | ansible | root | 29922 | target host |
192.168.48.84 | ansible | root | 29922 | target host |
192.168.48.85 | ansible | root | 29922 | nagios node1 & bastion2 |
192.168.48.86 | ansible | root | 29922 | target host |
192.168.48.87 | ansible | root | 29922 | target host |
1) 81 cannot reach 83, 84, 86 and 87 directly; changes to those hosts are deployed through the bastion hosts 82 and 85.
2) On every server the SSH port moves from 22 to 29922, remote root login is disabled, and the ansible user is allowed to sudo to root.
3) SSH key trust: 81 -> 82, 85; 82 -> 83, 84; 85 -> 86, 87
Installation guide
http://www.cnblogs.com/liujitao79/p/4193368.html
Inventory
# /etc/ansible/hosts
[center]
192.168.48.81
[idc1]
192.168.48.82
192.168.48.83
192.168.48.84
[idc2]
192.168.48.85
192.168.48.86
192.168.48.87
Testing management over SSH (password authentication)
# ansible idc1 -u root -k -m ping
SSH password:
# results
192.168.48.82 | success >> {
"changed": false,
"ping": "pong"
}
192.168.48.83 | success >> {
"changed": false,
"ping": "pong"
}
192.168.48.84 | success >> {
"changed": false,
"ping": "pong"
}
Use SSH password authentication to change the operations environment. This covers:
1) creating the ansible user
2) sshd configuration
3) SSH keys
Once the changes are complete, deploy the application environment using SSH key authentication.
On 81 (control node):
ssh-keygen -b 2048 -t rsa -f /tmp/ansible.pem -q -N ''      # 81 -> bastions 82 and 85
ssh-keygen -b 2048 -t rsa -f /tmp/bastion82.pem -q -N ''    # 82 -> 83 and 84
ssh-keygen -b 2048 -t rsa -f /tmp/bastion85.pem -q -N ''    # 85 -> 86 and 87
mkdir -p /etc/ansible/keys    # the keys have no passphrase (-N ''), so keep this directory readable by root only
cp /tmp/*.pem /tmp/*.pem.pub /etc/ansible/keys/
On 82 & 85 (bastions):
groupadd -g 501 ansible
useradd -u 501 -g 501 ansible
mkdir -p /home/ansible/.ssh && chown -R ansible:ansible /home/ansible/.ssh && chmod 700 /home/ansible/.ssh
cp ansible.pem.pub /home/ansible/.ssh/authorized_keys    # public half of the 81 -> bastion key
chown ansible:ansible /home/ansible/.ssh/authorized_keys && chmod 600 /home/ansible/.ssh/authorized_keys
Test from 81:
ansible 192.168.48.82 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.82 | success >> {
"changed": false,
"ping": "pong"
}
ansible 192.168.48.85 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.85 | success >> {
"changed": false,
"ping": "pong"
}
On 83, 84, 86 & 87 (target hosts):
groupadd -g 501 ansible
useradd -u 501 -g 501 ansible
mkdir -p /home/ansible/.ssh && chown -R ansible:ansible /home/ansible/.ssh && chmod 700 /home/ansible/.ssh
# each target host only trusts the key of its own bastion
cp bastion82.pem.pub /home/ansible/.ssh/authorized_keys    # on 83 and 84
cp bastion85.pem.pub /home/ansible/.ssh/authorized_keys    # on 86 and 87
chown ansible:ansible /home/ansible/.ssh/authorized_keys && chmod 600 /home/ansible/.ssh/authorized_keys
On 82 (check that the bastion key reaches the hosts behind it):
# copy bastion82.pem to /tmp on 82, for this test only
ssh -p 29922 -i /tmp/bastion82.pem ansible@192.168.48.83
ssh -p 29922 -i /tmp/bastion82.pem ansible@192.168.48.84
rm /tmp/bastion82.pem    # do not leave the private key on the bastion
/etc/hosts on 81 (the inner ssh in each ProxyCommand below runs without -F, so the bastion aliases must resolve by name):
192.168.48.82 bastion-82
192.168.48.85 bastion-85
/etc/ansible/ssh.config
# Port 29922 is the sshd port from the table above; the ProxyCommand's inner ssh
# does not read this file, so it gets the port with -p explicitly.
# StrictHostKeyChecking no skips host-key verification on every hop; pinning the
# bastion and target host keys in a known_hosts file avoids that.
# -A forwards the ssh agent to the bastion, which -W port forwarding does not need.
Host bastion-82
    User ansible
    Hostname 192.168.48.82
    Port 29922
    IdentityFile /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no
Host bastion-85
    User ansible
    Hostname 192.168.48.85
    Port 29922
    IdentityFile /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no
Host server-83
    User ansible
    Hostname 192.168.48.83
    Port 29922
    IdentityFile /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand ssh -q -A -x -p 29922 -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p
Host server-84
    User ansible
    Hostname 192.168.48.84
    Port 29922
    IdentityFile /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand ssh -q -A -x -p 29922 -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p
Host server-86
    User ansible
    Hostname 192.168.48.86
    Port 29922
    IdentityFile /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand ssh -q -A -x -p 29922 -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p
Host server-87
    User ansible
    Hostname 192.168.48.87
    Port 29922
    IdentityFile /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand ssh -q -A -x -p 29922 -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p
Test from 81 (each alias should log in as ansible without a password prompt):
ssh -F /etc/ansible/ssh.config bastion-82
ssh -F /etc/ansible/ssh.config bastion-85
ssh -F /etc/ansible/ssh.config server-83
ssh -F /etc/ansible/ssh.config server-84
ssh -F /etc/ansible/ssh.config server-86
ssh -F /etc/ansible/ssh.config server-87
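A small audit for an ssh.config in the layout above, added here as an example and not part of the original post. It parses the Host blocks and reports the mistakes this setup is prone to: a missing IdentityFile, a Host block or inner ProxyCommand hop that still targets the default port instead of 29922, host-key checking switched off, and a bastion alias that the inner ssh (which runs without -F) cannot resolve through /etc/hosts. The sample config and the hosts-file view are constructed; the aliases, key paths and port are the ones used on this page.

```python
import shlex

# Constructed sample in the layout used above; server-86 is deliberately
# misconfigured (no key, default port, host-key check off, unknown bastion).
SAMPLE_CONFIG = """
Host bastion-82
    Hostname 192.168.48.82
    Port 29922
    IdentityFile /etc/ansible/keys/ansible.pem
Host server-83
    Hostname 192.168.48.83
    Port 29922
    IdentityFile /etc/ansible/keys/bastion82.pem
    ProxyCommand ssh -q -x -p 29922 -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -W %h:%p
Host server-86
    Hostname 192.168.48.86
    StrictHostKeyChecking no
    ProxyCommand ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -W %h:%p
"""
# Constructed view of /etc/hosts on the control node: only bastion-82 resolves.
HOSTS_FILE = {"bastion-82": "192.168.48.82"}

def parse_ssh_config(text):
    """Return {alias: {keyword (lower-cased): value}} for each Host block."""
    hosts, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        if key.lower() == "host":
            cur = hosts.setdefault(val.strip(), {})
        elif cur is not None:
            cur[key.lower()] = val.strip()
    return hosts

def audit(hosts, resolvable, port="29922"):
    """Return one finding string per mistake, prefixed with the Host alias."""
    out = []
    for alias, o in hosts.items():
        if "identityfile" not in o:
            out.append(f"{alias}: no IdentityFile, ssh falls back to agent or password")
        if o.get("port") != port:
            out.append(f"{alias}: Port is not {port}, outer hop goes to default port 22")
        if o.get("stricthostkeychecking", "").lower() == "no":
            out.append(f"{alias}: StrictHostKeyChecking no disables host-key verification")
        proxy = o.get("proxycommand", "")
        # The inner ssh runs without -F, so its jump alias must come from /etc/hosts.
        if proxy and not any(t in resolvable for t in shlex.split(proxy)):
            out.append(f"{alias}: ProxyCommand jump host is not resolvable on the control node")
        if proxy and f"-p {port}" not in proxy:
            out.append(f"{alias}: inner ssh in ProxyCommand does not pass -p {port}")
    return out
```

Run it against the real file with `audit(parse_ssh_config(open("/etc/ansible/ssh.config").read()), hosts_from_etc_hosts)` where the second argument is built from the control node's /etc/hosts.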