Ansible实现Linux SSH免密码登陆的role模块,ansiblerole
Ansible实现Linux SSH免密码登陆的role模块,ansiblerole
创建集群的时候,我们经常用到的一个通用模块就是 对多个主机指定的帐户,设置免密码登陆。
手动设置是网上常见的方法,但是对付2-3台马马虎虎,但是,系统部署经常要自动化,这样操作非常的痛苦。于是自己写了一个脚本,经过上百次的修改后,终于比较好用了。
github 源代码下载地址: https://github.com/HappyFreeAngel/passwordless-ssh-login.git
1.首先:
$ansible-galaxy init passwordless-ssh-login
创建基本目录结构
happy:tmp happy$ tree passwordless-ssh-login
passwordless-ssh-login
├── README.md
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
8 directories, 8 files
2. 把一下内容 main.yml 替换tasks/main.yml
#version:1.2.1 2018.08.07 22:57 2018.08.24 修改了user_ssh_dir 一经定义后面没有被修改的错误.
# tasks file for passwordless-ssh-login
# 参数传入演示 2个参数
#user_host_list=?
#username=? centos,
#password=? kaixin.com,
#auto_generate_etc_host_list=? False
#sudo_privilege? True 显示传入
- set_fact: passwordless_ssh_login_deploy_start_timestamp="{{lookup('pipe','date \"+%Y-%m-%d %H:%M:%S\"')}}"
- set_fact: max_wait_time_in_seconds=300
when: max_wait_time_in_seconds is undefined
- set_fact: username="root"
when: username is undefined
#
# python -c 'import crypt; print crypt.crypt("yourpassword", "$1$SomeSalt$")'
- set_fact: password="$1xreu3ze.m5A", #这里的密码形式必须是salt的加密形式
when: password is undefined
- set_fact: auto_generate_etc_host_list = False
when: auto_generate_etc_host_list is undefined
- set_fact: user_ssh_dir="/home/{{username}}/.ssh"
when: username != 'root'
- set_fact: user_ssh_dir="/root/.ssh"
when: username == 'root'
- name: add user {{ username }} on vm
user:
name: "{{username}}"
password: "{{password}}"
state: present
append: yes
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
when: username != 'root'
- stat: path=/root/.ssh/id_rsa
register: temp_file_path
ignore_errors: yes
- name: "Create a 2048-bit SSH key for user root in /root/.ssh/id_rsa 如果尚未存在的话."
user:
name: root
generate_ssh_key: yes
ssh_key_bits: 2048
ssh_key_file: .ssh/id_rsa
when: username == 'root' and temp_file_path.stat.exists == False
#添加一个sudo user {{username}}
- name: Make sure we have a 'wheel' group 当用户不是root时才创建
group:
name: wheel
state: present
when: username != 'root'
- name: Allow 'wheel' group to have passwordless sudo
lineinfile:
dest: /etc/sudoers
state: present
regexp: '^%wheel'
line: '%wheel ALL=(ALL) NOPASSWD: ALL'
when: username != 'root'
- set_fact: sudo_privilege = True
when: sudo_privilege is undefined
- name: "Add sudoers users to wheel group for {{username}}"
user: name={{username}} groups=wheel append=yes state=present createhome=yes
when: sudo_privilege == True and username != 'root'
- include_role:
name: etc-hosts-with-hostlist
vars:
etc_host_list: "{{ user_host_list }}"
when: auto_generate_etc_host_list == True
#to do 每次运行目录都不一样,确保多个ansible playbook并行运行,目录不会冲突,运行期间所有hosts 共享这一目录.
- set_fact: random_pub_key_file_path={{playbook_dir}}/tmp/remote_host_pub_key_store_{{ 200000000 | random }}_{{ 200000000 | random }}
when: random_pub_key_file_path is not defined
run_once: yes
- name: "创建临时目录{{playbook_dir}}/tmp 如果不存在的话."
file: path={{random_pub_key_file_path}} state=directory mode=0766
delegate_to: 127.0.0.1
#注意 fetch dest={{playbook_dir}}/tmp/id_rsa_{{item.name}}/ 后面的/不是可有可无的. 有/表示使用这个目录,没有/表示要把/abc.host/home/user/添加在后面.
- name: "username={{username}}取回每个主机上的公匙 fetch id_rsa.pub 到 ansible running host"
fetch: src={{user_ssh_dir}}/id_rsa.pub dest={{random_pub_key_file_path}}/id_rsa_{{item.name}}/ flat=yes fail_on_missing=yes #mode=766 group={{username}} owner={{username}} 这个本地机器上可能没有这个帐号.
delegate_to: "{{ item.name }}"
with_items: "{{ user_host_list }}"
ignore_errors: yes
retries: 3
when: inventory_hostname == user_host_list[0].name
#如果这个主机名称不一样,怎么取? todo 当 phoenix_host_list: "{{hostdict['hadoop-namenode-hosts']}}+{{hostdict['hadoop-datanode-hosts']}} 运行的hosts不在host_list时会出错,为什么
- name: "username={{username}}修改authorized_keys {{ inventory_hostname }},合并所有{{ user_host_list }}的id_rsa.pub 到ansible所在机器目录{{random_pub_key_file_path}}/authorized_keys"
shell: cat {{random_pub_key_file_path}}/id_rsa_{{item.name}}/id_rsa.pub >> {{random_pub_key_file_path}}/authorized_keys
delegate_to: 127.0.0.1 #localhost
with_items: "{{ user_host_list }}"
run_once: yes
#when: inventory_hostname == item.name #??user_host_list[0]
- name: "username={{username}}分发给每个机器 authorized_keys {{ inventory_hostname }}"
copy: src={{random_pub_key_file_path}}/authorized_keys dest={{user_ssh_dir}}/authorized_keys
delegate_to: "{{ inventory_hostname }}"
with_items: "{{user_host_list}}"
- name: "username={{username}}自动生成各个免密码登陆主机的域名 {{ inventory_hostname }} {{user_ssh_dir}}/known_hosts on {{user_host_list[0].name}}"
shell: ssh-keyscan {{ item.name }} >>{{user_ssh_dir}}/known_hosts; chown {{username}}:{{username}} {{user_ssh_dir}}/known_hosts ; chmod 644 {{user_ssh_dir}}/known_hosts
delegate_to: "{{ inventory_hostname }}"
with_items: "{{user_host_list}}"
- name: username={{username}}自动生成各个免密码登陆主机的域名简称 {{ inventory_hostname }} {{user_ssh_dir}}/known_hosts on "{{user_host_list[0].name}}"
shell: ssh-keyscan {{ item.name.split('.')[0] }} >>{{user_ssh_dir}}/known_hosts; chown {{username}}:{{username}} {{user_ssh_dir}}/known_hosts ; chmod 644 {{user_ssh_dir}}/known_hosts
delegate_to: "{{ inventory_hostname }}"
with_items: "{{user_host_list}}"
- name: username={{username}}自动生成各个免密码登陆主机的IP {{ inventory_hostname }} {{user_ssh_dir}}/known_hosts on "{{user_host_list[0].name}}"
shell: ssh-keyscan {{ item.ip }} >>{{user_ssh_dir}}/known_hosts; chown {{username}}:{{username}} {{user_ssh_dir}}/known_hosts ; chmod 644 {{user_ssh_dir}}/known_hosts
delegate_to: "{{ inventory_hostname }}"
with_items: "{{user_host_list}}"
- name: "username={{username}}清理垃圾, user_ssh_dir={{user_ssh_dir}}保护环境干净,确保不影响其他账号的运行."
file: path={{random_pub_key_file_path}}/ state=absent
delegate_to: 127.0.0.1 #localhost
- set_fact: passwordless_ssh_login_deploy_stop_timestamp="{{lookup('pipe','date \"+%Y-%m-%d %H:%M:%S\"')}}"
- name: "角色:passwordless_ssh_login安装执行共耗时{{( (passwordless_ssh_login_deploy_stop_timestamp | to_datetime) - (passwordless_ssh_login_deploy_start_timestamp | to_datetime)).total_seconds()}}秒."
debug: msg=" "
具体使用方法:
先定义spark-hosts变量
spark-hosts:
- name: "spark-node1.cityworks.cn"
- name: "spark-node2.cityworks.cn"
- name: "spark-node3.cityworks.cn"
- name: "spark-node4.cityworks.cn"
- name: "spark-node5.cityworks.cn"
#创建多主机之间root免密码登陆
- name: "安装不同主机间用户之间root免密码登陆 passwordless-ssh-login 这个不是必须的,只是为了方便用户使用."
include_role:
name: passwordless-ssh-login
vars:
user_host_list: "{{spark_host_list}}"
username: "root"
password: "{{root_salt_password}}"
sudo_privilege: True
auto_generate_etc_host_list: False
#下面这个操作会创建{{spark_username}}帐号,下面的group, owner 等创建文件夹时会用到.
- name: "安装不同主机间用户{{spark_username}}之间免密码登陆 passwordless-ssh-login"
include_role:
name: passwordless-ssh-login
vars:
user_host_list: "{{spark_host_list}}"
username: "{{spark_username}}"
password: "{{spark_salt_password}}"
sudo_privilege: True
auto_generate_etc_host_list: True
become_user: root
随便从spark-node1,spark-node2,spark-node3,spark-node4,spark-node5 用root 或spark 登陆到任意一台,包括本机 都可以实现使用相同帐户,免密码登陆了。
特别注意: 下面这种情况
[root@spark-node4 ~]# ssh spark@spark-node3
spark@spark-node3's password:
是需要密码的。 也就是说:当前用户A和当前机器,如果要免密码登陆不同的帐户B和任意spark-node1 到spark-node5 这个role模块目前是不支持的。 因为我们讨论的实现是:同帐户在不同主机之间免密码登陆。
评论暂时关闭