• ansible测试环境


    ip user sudo_user port usage
    192.168.48.81 ansible root 29922 nagios & ansible control
    192.168.48.82 ansible root 29922 nagios node1 & boston1
    192.168.48.83 ansible root 29922 target host
    192.168.48.84 ansible root 29922 target host
    192.168.48.85 ansible root 29922 nagios node1 & boston2
    192.168.48.86 ansible root 29922 target host
    192.168.48.87 ansible root 29922 target host

    需求

    1. 81不能直接访问83,84,86,87,可以通过82,85堡垒机变更部署
    2. 所有服务器变更ssh端口22->29922,同时禁用root远程登录,允许ansible用户sudo到root
    3. sshkey: 81->82,85; 82->83,84; 85->86,87

    控制机

    安装方法
    http://www.cnblogs.com/liujitao79/p/4193368.html

    inventory

    #/etc/ansible/hosts
    # Inventory for the test environment described above.
    # center: the control host (81), which may only reach the bastions directly.
    [center]
    192.168.48.81
    
    # idc1: bastion 82 plus the targets 83/84 that are reached only through it (requirement 1).
    [idc1]
    192.168.48.82
    192.168.48.83
    192.168.48.84
    
    # idc2: bastion 85 plus the targets 86/87 that are reached only through it (requirement 1).
    [idc2]
    192.168.48.85
    192.168.48.86
    192.168.48.87
    

    ssh管理方式测试

    # ansible idc1 -u root -k -m ping 
    SSH password: 
    
    # results
    192.168.48.82 | success >> {
        "changed": false, 
        "ping": "pong"
    }
    
    192.168.48.83 | success >> {
        "changed": false, 
        "ping": "pong"
    }
    
    192.168.48.84 | success >> {
        "changed": false, 
        "ping": "pong"
    }
    

    服务器初始化

    使用ssh password方式变更运维环境, 包括以下内容
    1)建立ansible用户
    2)sshd配置
    3)sshkey
    变更完成后,使用sshkey方式部署应用环境

    控制机->堡垒机

    81

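    # On 81 (control host): one key pair for 81->bastions (ansible.pem) and one per
    # bastion for bastion->targets (bastion82.pem, bastion85.pem). All three are
    # generated with an empty passphrase (-N ''), so the only protection of the
    # private keys is file ownership/mode — keep them readable by root only.
    ssh-keygen -b 2048 -t rsa -f /tmp/ansible.pem -q -N ''
    ssh-keygen -b 2048 -t rsa -f /tmp/bastion82.pem -q -N ''
    ssh-keygen -b 2048 -t rsa -f /tmp/bastion85.pem -q -N ''
    
    # Move (not copy) the key files out of the shared /tmp so no private key is
    # left behind there. Files are listed explicitly rather than globbed so an
    # unrelated *.pem in /tmp cannot be swept into /etc/ansible/keys.
    mkdir -p /etc/ansible/keys
    mv -- /tmp/ansible.pem /tmp/ansible.pem.pub \
          /tmp/bastion82.pem /tmp/bastion82.pem.pub \
          /tmp/bastion85.pem /tmp/bastion85.pem.pub \
          /etc/ansible/keys/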
    

    82 & 85

    # On the bastions (82 & 85): create the ansible login and trust the control
    # host's public key. The .ssh setup runs as the ansible user itself (`su -`
    # starts in its home directory, hence the relative paths), so ownership is
    # correct without a separate chown.
    # NOTE(review): the pasted key carries the comment ken@ken-HP6531s, i.e. it does
    # not look like /etc/ansible/keys/ansible.pem.pub generated on 81 above —
    # confirm which public key the bastion is meant to trust.
    useradd ansible
    su - ansible -c 'install -d -m 700 .ssh; printf "%s\n" "ssh-rsa ABBAB3NzaC1yc2EAAAADAQABAAABAQD4pbUECUaCod6dnNPJuqerZBOcqKiHc+JiXsJmJijOiTe7Xxyh0FEXqEAV7EOSOOe79LzZIsjq5iD6aPLZS7IKm/j8oGU0pB7s6Wz/Z8SWWBEpainBETIi0JgR2v/AmqSWi72o+d9isDSxkhfDZxIHXtlHo+rQ6iKytxTmlrplZwj+MDIo7g8Q3UXCa84b85HUaahS0VPATm8SM+YG89I6IV6NKL43N5guzfOKdxRrwOS6J2aGlq2UYMnC6emYXi/lKN92xvFbebyo5+KtbeLXjHuS1YvYdtvdpxvkOd2TboI9fB2qPKyt0LMv70nCJAUix7kBYcnaO4xe4vebfHpd ken@ken-HP6531s" > .ssh/authorized_keys'
    
    or
    
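    # Alternative: fetch the public key from an internal web server. The original
    # used `-O`, which saves under the remote file name in the current directory
    # and does not take a path argument; `-o` writes to the given path. `-f` makes
    # an HTTP error fail the command instead of writing an error page into
    # authorized_keys.
    # Plain HTTP is unauthenticated: whatever answers for install.local decides who
    # may log in as ansible on this bastion. Compare the installed key with the
    # control host's copy (e.g. `ssh-keygen -lf`) before relying on it, or serve it
    # over HTTPS. NOTE(review): the remote name is dc.pem.pub, not ansible.pem.pub
    # as generated above — confirm they are the same key.
    su - ansible -c 'curl -fsS http://install.local/dc.pem.pub -o .ssh/authorized_keys'
    
    su - ansible -c 'chmod 600 .ssh/authorized_keys'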
    

    测试

    ansible 192.168.48.82 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
    192.168.48.82 | success >> {
        "changed": false, 
        "ping": "pong"
    }
    
    ansible 192.168.48.85 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
    192.168.48.85 | success >> {
        "changed": false, 
        "ping": "pong"
    }
    

    堡垒机->目标机

    83 & 84 & 86 & 87

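    # On the targets (83 & 84 & 86 & 87): fixed uid/gid so the ansible account is
    # identical across hosts, then trust the public key of this host's bastion.
    groupadd -g 501 ansible
    useradd -u 501 -g 501 ansible
    mkdir -p /home/ansible/.ssh && chown -R ansible:ansible /home/ansible/.ssh && chmod 700 /home/ansible/.ssh
    
    # bastion_pub is the public key matching the bastion-specific private key kept
    # on 81: bastion82.pem.pub on 83/84, bastion85.pem.pub on 86/87. The `:?` guard
    # aborts instead of installing an empty authorized_keys when it is unset.
    # (How the .pub file is transported to the target is not shown here.)
    # install sets owner and mode in the same step as the copy, so the file is
    # never briefly root-owned or world-readable.
    install -o ansible -g ansible -m 600 -- "${bastion_pub:?bastion82.pem.pub on 83/84, bastion85.pem.pub on 86/87}" /home/ansible/.ssh/authorized_keys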
    

    82

    # On 82: connectivity check only. Copy bastion82.pem from 81 to /tmp for the
    # test (it must stay mode 600 — ssh ignores a private key that is group/other
    # readable). In the final setup the control host holds this key and reaches
    # the targets via ProxyCommand, so the bastion does not need it permanently.
    ssh -i /tmp/bastion82.pem ansible@192.168.48.83
    ssh -i /tmp/bastion82.pem ansible@192.168.48.84
    # Remove the private key from the shared /tmp as soon as the check is done.
    # rm /tmp/bastion82.pem
    

    控制机->目标机

    /etc/ansible/ssh.config

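    # Name resolution for the bare bastion-82 / bastion-85 used inside the
    # ProxyCommand below (the inner ssh is not started with -F, so it cannot use
    # the Host aliases from ssh.config); presumably /etc/hosts entries on 81.
    # bastion-85 is 192.168.48.85 (the original listed .82 twice).
    192.168.48.82 bastion-82
    192.168.48.85 bastion-85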
    

    /etc/ansible/ssh.config

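    # /etc/ansible/ssh.config — used with `ssh -F`. Bastions are reached directly
    # with ansible.pem; each target is reached through its bastion via
    # ProxyCommand ... -W (a TCP forward only, no shell on the bastion) and is
    # authenticated with the bastion-specific key, which stays on the control host.
    #
    # StrictHostKeyChecking no accepts any host key, so a host impersonating a
    # bastion or target would go unnoticed; pre-populate known_hosts and drop the
    # option once the fleet is stable. No Port line: this assumes sshd still
    # listens on 22 — add `Port 29922` once the port change from the plan above is
    # rolled out.
    # The inner ssh in ProxyCommand does not read this file, so bastion-82 /
    # bastion-85 must resolve by other means (e.g. /etc/hosts), and user and key
    # are passed explicitly with -l / -i. -A (agent forwarding) was dropped: -W
    # opens no session on the bastion, so nothing there needs the agent.
    Host bastion-82
        User            ansible
        Hostname        192.168.48.82
        IdentityFile    /etc/ansible/keys/ansible.pem
        StrictHostKeyChecking no
    
    Host bastion-85
        User            ansible
        Hostname        192.168.48.85
        IdentityFile    /etc/ansible/keys/ansible.pem
        StrictHostKeyChecking no
    
    Host server-83
        User            ansible
        Hostname        192.168.48.83
        IdentityFile    /etc/ansible/keys/bastion82.pem
        StrictHostKeyChecking no
        ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem -o 'StrictHostKeyChecking=no' -W %h:%p bastion-82
    
    Host server-84
        User            ansible
        Hostname        192.168.48.84
        IdentityFile    /etc/ansible/keys/bastion82.pem
        StrictHostKeyChecking no
        ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem -o 'StrictHostKeyChecking=no' -W %h:%p bastion-82
    
    Host server-86
        User            ansible
        Hostname        192.168.48.86
        IdentityFile    /etc/ansible/keys/bastion85.pem
        StrictHostKeyChecking no
        ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem -o 'StrictHostKeyChecking=no' -W %h:%p bastion-85
    
    Host server-87
        User            ansible
        Hostname        192.168.48.87
        IdentityFile    /etc/ansible/keys/bastion85.pem
        StrictHostKeyChecking no
        ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem -o 'StrictHostKeyChecking=no' -W %h:%p bastion-85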
    
    # Login check from 81 using the config above: bastions first, then each
    # target (the target logins exercise the ProxyCommand hop). Sessions run one
    # after another, exactly as the individual commands would.
    for host in bastion-82 bastion-85 server-83 server-84 server-86 server-87; do
      ssh -F /etc/ansible/ssh.config "$host"
    done
    
  • 原文地址:https://www.cnblogs.com/liujitao79/p/4202895.html