Preface
Reproducing and reviewing one hands-on case from using Ansible in a production environment.
Requirement
Use the Ansible controller (kali) to distribute win10's SSH public key to the CentOS cluster, so that the workstation (win10) can SSH straight into the cluster hosts.
Machines
ct3: server side (the machine that holds the public key and is logged into)
win10: client side (the machine that logs into ct3)
kali: Ansible controller (the ops box that operates the server-side machines in batch)
Implementation
The basic Ansible layout is shown in the figure below. Inventory host grouping is not covered here.
First attempt
Initial playbook.yaml:
```yaml
- name: deploy win10's ssh public key
  hosts: ct3
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:
    - name: send ssh public key
      copy:
        src: /home/aoi/.ssh/authorized_keys
        dest: /root/.ssh/
```
Run `ansible-playbook -i inventory.yaml -u root playbook.yaml`. The target is selected by `hosts: ct3` inside the play; to restrict it further use `-l ct3`, not a bare `ct3` argument, because ansible-playbook treats every positional argument as another playbook file. Output:
```text
PLAY [deploy win10's ssh public key] ************************************************************

TASK [Gathering Facts] **************************************************************************
[WARNING]: Platform linux on host ct3 is using the discovered Python interpreter at /usr/bin/python3.9, but future installation of another Python interpreter could change the meaning of that path. See https://docs.ansible.com/ansible-core/2.17/reference_appendices/interpreter_discovery.html for more information.
ok: [ct3]

TASK [Ping my hosts] ****************************************************************************
ok: [ct3]

TASK [send ssh public key] **********************************************************************
changed: [ct3]

PLAY RECAP **************************************************************************************
ct3                        : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
The win10 public key was deployed to ct3 and an SSH connection from the win10 terminal succeeded.

But then the problem appeared: ct3 already held the Ansible controller's (kali's) public key, in the very same file, authorized_keys. The copy task replaces that file wholesale, so kali's key was overwritten by win10's and kali could no longer log in to ct3.

Running ansible-playbook again after the key had been replaced fails with unreachable:
```text
PLAY [deploy win10's ssh public key] ************************************************************

TASK [Gathering Facts] **************************************************************************
fatal: [ct3]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: root@ct3_ip: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}

PLAY RECAP **************************************************************************************
ct3                        : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
```
Access can still be restored with a plain ssh-copy-id, typing ct3's password once, which puts kali's key back on ct3:

```shell
ssh-copy-id -i id_rsa.pub root@ct3_ip
```

ssh-copy-id appends to authorized_keys rather than replacing it, so the freshly uploaded win10 key survives this step. The real problem is that it is a manual, password-based step per host, and the copy task above will wipe the file again on the next run of the play; the playbook itself has to stop overwriting authorized_keys.
Second attempt
I gave up on the copy module and switched to the lineinfile module, rewriting the playbook accordingly. It looks clumsy: the public key to add is pasted directly after `line`:
```yaml
- name: add win10's ssh public key
  hosts: ct3
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:
    - name: add win10's ssh public key
      lineinfile:
        path: /root/.ssh/authorized_keys
        line: "ssh-rsa xxxxx="
```
This works, and it is idempotent: lineinfile only appends the line when it is not already present, so re-running the play does not duplicate the key. But it is bloated and clumsy, with the key material embedded in the playbook itself.
Third attempt
Then I thought of I/O redirection: Ansible has a shell module, so the key file can be appended to the existing authorized_keys with the output-redirection operator `>>`.

playbook.yaml:
```yaml
- name: add win10's ssh public key
  hosts: ct3
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:
    - name: send win10's ssh public key
      copy:
        src: /home/aoi/.ssh/win10pubkey
        dest: /root/.ssh/
    - name: add win10pubkey to authorized_keys
      shell: cat /root/.ssh/win10pubkey >> /root/.ssh/authorized_keys
    - name: rm win10pubkey
      shell: rm /root/.ssh/win10pubkey
```
It worked, and it was a worthwhile bit of practice. Two caveats remain with this version: `cat >>` appends unconditionally, so every run of the play adds another copy of the key and the task always reports changed (it is not idempotent), and the temporary key file lands in /root/.ssh with whatever mode the copy module gives it until the rm task removes it. Ansible ships a module for exactly this job, ansible.posix.authorized_key, which merges a key into authorized_keys without duplicating it or clobbering the other keys and keeps the directory and file permissions correct.
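The following playbook is an added example, not the post's own, covering both problems above: the first attempt's overwrite of authorized_keys and the third attempt's non-idempotent append. It assumes the controller (kali) holds the win10 public key at /home/aoi/.ssh/win10pubkey (the path used in the post) and that the ansible.posix collection is installed (`ansible-galaxy collection install ansible.posix`); the win10 source address in the commented key_options line is a placeholder.

```yaml
# Added example (not the original post's playbook).
# Assumes: win10's public key is at /home/aoi/.ssh/win10pubkey on the controller,
# and the ansible.posix collection is installed.
- name: add win10's ssh public key without touching the other keys
  hosts: ct3
  tasks:
    - name: Ping my hosts
      ansible.builtin.ping:

    - name: merge the win10 key into root's authorized_keys (idempotent)
      ansible.posix.authorized_key:
        user: root
        state: present
        # read the key on the controller; nothing is copied to the remote host
        key: "{{ lookup('file', '/home/aoi/.ssh/win10pubkey') }}"
        # exclusive: false (the default) keeps the existing kali key;
        # exclusive: true would reproduce the first attempt's lockout
        exclusive: false
        # manage_dir: true (the default) creates /root/.ssh with mode 0700
        # and writes authorized_keys with mode 0600
        manage_dir: true
        # optional hardening: pin the key to the client that should use it
        # (placeholder address, adjust to the real win10 host)
        # key_options: 'from="192.0.2.10",no-agent-forwarding,no-X11-forwarding'

    - name: list the fingerprints now accepted for root (read-only check)
      ansible.builtin.command: ssh-keygen -lf /root/.ssh/authorized_keys
      register: fingerprints
      changed_when: false

    - name: show them; both the kali key and the win10 key should appear
      ansible.builtin.debug:
        var: fingerprints.stdout_lines
```

Run it the same way as before (`ansible-playbook -i inventory.yaml -u root playbook.yaml`). The first run reports the authorized_key task as changed; every later run reports ok, because the module checks whether the key is already present instead of blindly appending, so there is no temporary file to copy and remove and no duplicate lines accumulate in authorized_keys.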