ansible-playbook 配置 hosts 后可以指定变量,通过-k 可以交互输入密码,也可以将密码写在 hosts 文件中。
入口 yaml 文件中通过 {{ ** }} 获取变量,命令行通过 -i 指定 hosts 文件, -e 传入参数,如果同时传入多个 host 参数可使用逗号分隔,同时也可以使用 hosts 文件中的变量 ,其中 remote_user: root 可以在 ansiplay-book 命令行中使用 -u root 替代。
[root@10_1_162_39 host_vars]# ll total 16 -rw-r--r-- 1 root root 236 May 5 09:25 hosts
-rw-r--r-- 1 root root 152 May 5 09:21 test1.yaml -rw-r--r-- 1 root root 146 May 5 09:20 test.playbook [root@10_1_162_39 host_vars]# cat hosts [web] 10.1.167.36 [web:vars] ansible_ssh_port=32200 [web1] 10.1.162.18 [web1:vars] ansible_ssh_port=322 [root@10_1_162_39 host_vars]# cat test1.yaml --- - hosts: "{{ host }}" gather_facts: false remote_user: root tasks: - shell: uptime register: output - debug: var=output.stdout
[root@10_1_162_39 host_vars]# ansible-playbook test1.yaml -i hosts -e host=10.1.162.18 -k SSH password: PLAY [10.1.162.18] ************************************************************* TASK [command] ***************************************************************** changed: [10.1.162.18] TASK [debug] ******************************************************************* ok: [10.1.162.18] => { "output.stdout": " 09:26:36 up 18:05, 7 users, load average: 0.05, 0.10, 0.08" } PLAY RECAP ********************************************************************* 10.1.162.18 : ok=2 changed=1 unreachable=0 failed=0 [root@10_1_162_39 host_vars]#
配置密钥后还需要指定 host 端口,由于只配了一个 ip 的密钥,则另外 ip 报错,可以通过 -k 输入另外 ip 的密码即可。(这里的原理应该是 两个 ip 都会验证这个密码,其中一个 ip 密码验证通过,另外一个 ip 验证不通过则会判断是否已经打通公钥认证。当然顺序可能相反,没有看源码。而且 ansible 本身会缓存密码,缓存时间比较短,应该是几分钟内,这段时间内即使输错密码也可以登陆,这里应该是类似 session 原理)
[root@10_1_162_39 host_vars]# cat hosts [web] 10.1.162.18:322 10.1.167.36:32200 [root@10_1_162_39 host_vars]# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 322 root@10.1.162.18 " root@10.1.162.18's password: Now try logging into the machine, with "ssh '-p 322 root@10.1.162.18 '", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. [root@10_1_162_39 host_vars]# ansible web -m shell -a ifconfig -i hosts 10.1.162.18 | SUCCESS | rc=0 >> eth0 Link encap:Ethernet HWaddr 00:0C:29:21:BD:17 inet addr:192.168.238.129 Bcast:192.168.238.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe21:bd17/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:301306 errors:0 dropped:0 overruns:0 frame:0 TX packets:121768 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:364185541 (347.3 MiB) TX bytes:6774878 (6.4 MiB) Interrupt:19 Base address:0x2000 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:8 errors:0 dropped:0 overruns:0 frame:0 TX packets:8 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:480 (480.0 b) TX bytes:480 (480.0 b) 10.1.167.36 | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). ", "unreachable": true }