案例一
控制主机上的普通用户控制受控主机
控制端1台,受控端两台
1.将两台受控主机添加到/etc/hosts文件中
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.197.153 node1 node1.example.com
192.168.197.154 node2 node1.example.com
2.控制端和受控端都需要有student用户,并设置密码
[student@control ~]$ id student
uid=1001(student) gid=1001(student) groups=1001(student)[student@control ~]# passwd student
[root@node1 ~]# id student
uid=1002(student) gid=1002(student) groups=1002(student),10(wheel)
[root@node1 ~]# passwd student[root@node2 ~]# id student
uid=1002(student) gid=1002(student) groups=1002(student),10(wheel)
[root@node2 ~]# passwd student
3.修改配置文件,控制端 需要root用户权限
4.测试
[student@control ~]$ ansible all -m command -a 'hostname'
SSH password:
node1 | CHANGED | rc=0 >>
node1.example.com
node2 | CHANGED | rc=0 >>
node2.example.com
案例二
关闭主机密钥验证
1.设置host-key-checking=False
相当于发送了密钥段,不用再用ssh-keygen命令
2.发送主机ssh-copy-id
主机少可用 ssh-copy-id -i node1或者node2
但是多台主机,可以使用循环:
创建一个shell脚本 如 a.sh
for host in node{1..2};do
ssh-copy-id -i $host;
done
执行a.sh
[student@control ~]$ bash a.sh
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/student/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@node1's password:Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'node1'"
and check to make sure that only the key(s) you wanted were added./usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/student/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
student@node2's password:Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'node2'"
and check to make sure that only the key(s) you wanted were added.
3.验证:
[student@control ~]$ ssh node1 hostname
node1.example.com
ansible.cfg配置文件详解
[root@ansible ~]# vim /etc/ansible/ansible.cfg
[defaults] 默认配置
# some basic default values...
#inventory = /etc/ansible/hosts #主机列表配置文件
#library = /usr/share/my_modules/ #库文件存放目录,ansible默认搜寻模块的位置
#module_utils = /usr/share/my_module_utils/ #模块存放目录
#remote_tmp = ~/.ansible/tmp #临时py命令文件存放在远程主机目录
#local_tmp = ~/.ansible/tmp #本机的临时命令执行目录
#forks = 5 #默认并发数
#poll_interval = 15 #时间间隔
#sudo_user = root #默认sudo用户
#ask_sudo_pass = True #每次执行ansible命令是否询问sudo用户密码,默认值为no
#ask_pass = True #每次执行ansible命令是否询问ssh密码,默认值为no
#transport = smart #传输方式
#remote_port = 22 #远程端口号
#remote_user = root ----远程用户,受控主机使用什么用户进行执行ansible任务
#roles_path = /etc/ansible/roles
#host_key_checking = False
[privilege_escalation] 定义对受管主机执行特权升级,默认普通用户是没有权限来执行很多ansible任务的,但是我们可以给普通用户提权,让它有权限去执行ansible任务
become = true
become_method = sudo
become_user = root
become_ask_pass = false[paramiko_connection]、[ssh_connection]、[accelerate]用于优化与受管主机的连接
[selinux] 定义如何配置selinux交互
)
:面向对象程序设计)
