ansible测试环境

ip user sudo_user port usage
192.168.48.81 ansible root 29922 nagios & ansible control
192.168.48.82 ansible root 29922 nagios node1 & bastion1
192.168.48.83 ansible root 29922 target host
192.168.48.84 ansible root 29922 target host
192.168.48.85 ansible root 29922 nagios node1 & bastion2
192.168.48.86 ansible root 29922 target host
192.168.48.87 ansible root 29922 target host

需求

  1. 81不能直接访问83,84,86,87,可以通过82,85堡垒机变更部署
  2. 所有服务器变更ssh端口22->29922,同时禁用root远程登录,允许ansible用户sudo到root
  3. sshkey 81->82,85; 82->83,84; 85->86,87

控制机

安装方法
http://www.cnblogs.com/liujitao79/p/4193368.html

inventory

#/etc/ansible/hosts
[center]
192.168.48.81

[idc1]
192.168.48.82
192.168.48.83
192.168.48.84

[idc2]
192.168.48.85
192.168.48.86
192.168.48.87

ssh管理方式测试

# ansible idc1 -u root -k -m ping 
SSH password: 

# results
192.168.48.82 | success >> {
    "changed": false, 
    "ping": "pong"
}

192.168.48.83 | success >> {
    "changed": false, 
    "ping": "pong"
}

192.168.48.84 | success >> {
    "changed": false, 
    "ping": "pong"
}

服务器初始化

使用ssh password方式变更运维环境, 包括以下内容
1)建立ansible用户
2)sshd配置
3)sshkey
变更完成后,使用sshkey方式部署应用环境

控制机->堡垒机

81

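# Control host (81): generate one key pair per hop and write them straight
# into /etc/ansible/keys, so no private key ever sits in /tmp.
#   ansible.pem    81 -> bastions 82 / 85
#   bastion82.pem  81 -> 83 / 84 (tunnelled through 82)
#   bastion85.pem  81 -> 86 / 87 (tunnelled through 85)
# The .pub halves are what gets installed as authorized_keys on the remote
# side; the private halves never leave this host.
mkdir -p /etc/ansible/keys
chmod 700 /etc/ansible/keys          # root-only directory for the private keys
for key in ansible bastion82 bastion85; do
  # -N '' : no passphrase, because ansible uses the key unattended
  # ssh-keygen creates the private file 0600 and the .pub file 0644
  ssh-keygen -b 2048 -t rsa -f "/etc/ansible/keys/${key}.pem" -q -N ''
done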

82 & 85

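# Bastions (82 and 85): create the ansible user and make the control host's
# public key (ansible.pem.pub generated on 81) its only authorized key.
# -m: create the home directory even on distros whose useradd does not by default
useradd -m ansible
su - ansible -c 'mkdir -p /home/ansible/.ssh'
su - ansible -c 'chmod 700 .ssh'
# Paste the content of /etc/ansible/keys/ansible.pem.pub from 81 here.
# The line below looks like a redacted sample (a real ssh-rsa key starts
# with AAAAB3NzaC1yc2E) and will not authenticate as-is -- replace it.
su - ansible -c 'echo "ssh-rsa ABBAB3NzaC1yc2EAAAADAQABAAABAQD4pbUECUaCod6dnNPJuqerZBOcqKiHc+JiXsJmJijOiTe7Xxyh0FEXqEAV7EOSOOe79LzZIsjq5iD6aPLZS7IKm/j8oGU0pB7s6Wz/Z8SWWBEpainBETIi0JgR2v/AmqSWi72o+d9isDSxkhfDZxIHXtlHo+rQ6iKytxTmlrplZwj+MDIo7g8Q3UXCa84b85HUaahS0VPATm8SM+YG89I6IV6NKL43N5guzfOKdxRrwOS6J2aGlq2UYMnC6emYXi/lKN92xvFbebyo5+KtbeLXjHuS1YvYdtvdpxvkOd2TboI9fB2qPKyt0LMv70nCJAUix7kBYcnaO4xe4vebfHpd ken@ken-HP6531s" > .ssh/authorized_keys'

# Alternative: fetch the public key from an internal web server.
# curl needs -o (write to the given path); the original -O ignores the path
# and saves dc.pem.pub into the current directory instead.
# Plain HTTP does not authenticate the source, so whoever can alter that
# download decides which key is trusted on the bastion: serve it over HTTPS
# or compare `ssh-keygen -lf .ssh/authorized_keys` with the fingerprint of
# /etc/ansible/keys/ansible.pem.pub on 81 before going further.
# su - ansible -c 'curl -fsS http://install.local/dc.pem.pub -o .ssh/authorized_keys'

su - ansible -c 'chmod 600 .ssh/authorized_keys'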

测试

ansible 192.168.48.82 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.82 | success >> {
    "changed": false, 
    "ping": "pong"
}

ansible 192.168.48.85 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.85 | success >> {
    "changed": false, 
    "ping": "pong"
}

堡垒机->目标机

83 & 84 & 86 & 87

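# Targets (83, 84, 86, 87): create the ansible user with a fixed uid/gid and
# authorize the per-bastion public key generated on 81:
#   83, 84 -> bastion82.pem.pub        86, 87 -> bastion85.pem.pub
# Only the .pub file is copied to the target; the private half stays on 81.
bastion_pub=bastion82.pem.pub   # on 86 and 87 use bastion85.pem.pub
groupadd -g 501 ansible
useradd -m -u 501 -g 501 ansible
# install(1) creates the path with owner and mode set in one step
install -d -m 700 -o ansible -g ansible /home/ansible/.ssh
install -m 600 -o ansible -g ansible -- "$bastion_pub" /home/ansible/.ssh/authorized_keys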

82

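# Bastion 82: one-off connectivity check towards its targets. The private
# key is copied over only for this test and deleted right after, so the
# bastion keeps no credential for the hosts behind it -- in normal operation
# the control host tunnels through it with its own copy of the key
# (see the ProxyCommand entries in ssh.config below).
# cp bastion82.pem -> /tmp   (transfer it from 81 to /tmp/bastion82.pem)
chmod 600 /tmp/bastion82.pem      # ssh refuses a key readable by others
for target in 192.168.48.83 192.168.48.84; do
  ssh -i /tmp/bastion82.pem "ansible@${target}"
done
rm -f -- /tmp/bastion82.pem       # do not leave the private key on the bastion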

控制机->目标机

/etc/ansible/ssh.config

192.168.48.82 bastion-82
192.168.48.82 bastion-85

/etc/ansible/ssh.config

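# /etc/ansible/ssh.config -- loaded with `ssh -F /etc/ansible/ssh.config <alias>`.
# Bastions are reached directly with ansible.pem. Targets are reached through
# the bastion's ProxyCommand: `-W %h:%p` makes the bastion relay the TCP
# stream only, so the per-bastion key for the target (bastion82.pem /
# bastion85.pem) is read on the control host and never leaves it.
#
# `StrictHostKeyChecking no` disables host-key verification on every hop,
# which removes the only protection against a spoofed bastion or target.
# Acceptable in this test lab; anywhere else keep the default (or
# `accept-new` on OpenSSH >= 7.6) and pre-populate a known_hosts file.

Host bastion-82
    User            ansible
    Hostname        192.168.48.82
    IdentityFile    /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no

Host bastion-85
    User            ansible
    Hostname        192.168.48.85
    IdentityFile    /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no

# The inner ssh in each ProxyCommand no longer passes -A: with -W the bastion
# does not authenticate to the target itself, so forwarding the control
# host's agent to it only exposes the agent to a compromised bastion.

Host server-83
    User            ansible
    Hostname        192.168.48.83
    IdentityFile    /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p

Host server-84
    User            ansible
    Hostname        192.168.48.84
    IdentityFile    /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p

Host server-86
    User            ansible
    Hostname        192.168.48.86
    IdentityFile    /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p

Host server-87
    User            ansible
    Hostname        192.168.48.87
    IdentityFile    /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p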
# Smoke-test every alias in the config from the control host (81), bastions
# first, then the targets that are tunnelled through them.
for alias in bastion-82 bastion-85 server-83 server-84 server-86 server-87; do
  ssh -F /etc/ansible/ssh.config "$alias"
done
原文地址:https://www.cnblogs.com/liujitao79/p/4202895.html