[英]How is ansible machine[Master] authenticated?
I'm learning ansible, I experimented working with ansible for like 4-5 servers.我正在学习 ansible,我尝试在 4-5 台服务器上使用 ansible。 I was copying the Public-Key to the machines manually.我正在手动将公钥复制到机器上。
Like should we do the same thing, providing the other team with SSH-public key and ask them to add it to their machines?就像我们应该做同样的事情,向其他团队提供 SSH 公钥并要求他们将其添加到他们的机器上? Are there any alternatives?有没有其他选择? How do people in the industry deal with it?业内人士如何应对?
TIA TIA
No, if you are managing really large number of servers, configuring your SSH key into each and every server is not a good way.不,如果您正在管理大量服务器,那么将您的 SSH 密钥配置到每个服务器中并不是一个好方法。 If we are talking about server on cloud, which are highly dynamic in nature, ie, they are started/terminated as and when needed.如果我们谈论的是云上的服务器,它们本质上是高度动态的,即它们在需要时启动/终止。
You can always configure which "remote user" to use for SSH connections on Ansible master configuration.您始终可以在 Ansible 主配置上配置用于 SSH 连接的“远程用户”。 Apart from that, you can configure the user anywhere playbook or roles or pass as command line parameter.除此之外,您可以在任何地方配置用户剧本或角色或作为命令行参数传递。
For connecting to remote server, using SSH key, same methods can be used.对于连接到远程服务器,使用 SSH 密钥,可以使用相同的方法。
eg : from command line :例如:从命令行:
ansible-playbook <playbook yml> -u <user name on remote host> --key-file <SSH key file name with path on master host>
ansible-playbook abc.yml -u "user1" --key-file "/u01/ansible_keys/user1_key.pem"
You can setup these keys in inventory file as well, as below :您也可以在清单文件中设置这些键,如下所示:
myHost ansible_ssh_private_key_file=~/.ssh/mykey1.pem
myOtherHost ansible_ssh_private_key_file=~/.ssh/mykey2.pem
Reference : Specifying ssh key in ansible playbook file参考: 在 ansible playbook 文件中指定 ssh 密钥
1.If all machines password are same. 1.如果所有机器密码都一样。
ansible -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath> -k"
Input the password to copy Public-key to all machines and using ansible as before输入密码将Public-key复制到所有机器,并像以前一样使用ansible
2.If the most part of all machines password are same. 2.如果所有机器密码大部分相同。 You can do this in inventory.您可以在库存中执行此操作。
[groupA]
machine01
machine02
[groupB]
machine03
machine04 ansible_ssh_pass=<different password from others>
[all:vars]
ansible_ssh_user=<ssh_useranme>
ansible_ssh_pass=<machine password>
Then (Do not need to input password)然后(不需要输入密码)
ansible -i <inventory_file> -m copy -a "src=<public_key_filepath> dest=<target_filepath>"
Then delete the password in inventory file, and using ansible as before然后删除清单文件中的密码,并像以前一样使用ansible
For myself, I prefer method 2 because I have all machines root password and no one can login machines with root account.就我个人而言,我更喜欢方法2,因为我拥有所有机器的root密码,并且没有人可以使用root帐户登录机器。 So I write plaintext password in root directory.But I think your Public-key method maybe more secure.所以我在根目录下写明文密码。但我认为你的公钥方法可能更安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.