我如何指定一个sudo密码Ansible在非交互的方式?
我是这样运行Ansible剧本的:
$ ansible-playbook playbook.yml -i inventory.ini \
--user=username --ask-sudo-pass
但我想这样运行它:
$ ansible-playbook playbook.yml -i inventory.ini \
--user=username` **--sudo-pass=12345**
有办法吗?我希望尽可能地自动化我的项目部署。
当前回答
以上@toast38coza的解决方案对我来说很管用;只是sudo: yes现在在Ansible中被弃用了。 请使用become和become_user。
tasks:
- name: Restart apache service
service: name=apache2 state=restarted
become: yes
become_user: root
其他回答
以上@toast38coza的解决方案对我来说很管用;只是sudo: yes现在在Ansible中被弃用了。 请使用become和become_user。
tasks:
- name: Restart apache service
service: name=apache2 state=restarted
become: yes
become_user: root
用——extra-vars "become_pass=Password"调用你的剧本
become_pass =(“ansible_become_password”、“ansible_become_pass”)
我的黑客自动化这是使用一个环境变量,并通过——extralvars =“ansible_become_pass='{{lookup('env', ' ansible_become_pass ')}}'”访问它。
导出一个env变量,但避免bash/shell历史记录(前面有一个空格或其他方法)。例如:
export ANSIBLE_BECOME_PASS='<your password>'
查找env变量,同时将额外的ansible_become_pass变量传递到ansible-playbook中,例如:
ansible-playbook playbook.yml -i inventories/dev/hosts.yml -u user --extra-vars="ansible_become_pass='{{ lookup('env', 'ANSIBLE_BECOME_PASS') }}'"
好的替代答案:
@toast38coza: simply use a vaulted value for ansible_become_pass. This is decent. However, for the paranoid teams that need to share ansible vault passwords, and execute ansible plays with induvidual accounts, they coudld use the shared vault password to reverse each others operating system password (identiy theft). Arguably, you need to trust your own team? @slm's bash subshell output generated to temp file descriptor and using the @ prefix to read the ansible variable from the file desriptor. Avoids bash history at least. Not sure, but hopefully subshell echo doesn't get caught and exposed in audit logging (e.g. auditd).
你可以使用ansible vault,它会把你的密码编码成加密的vault。之后,你可以使用变量从金库在剧本。
ansible vault的一些文档: http://docs.ansible.com/playbooks_vault.html
我们使用它作为每个环境的保险库。要编辑vault,我们有如下命令: Ansible-vault编辑库存/生产/group_vars/all/vault
如果你想调用保险库变量,你必须使用ansible-playbook的参数如下: Ansible-playbook -s——vault-password-file=~/.ansible_vault.password
是的,我们存储仓库密码在本地目录明文,但这不是更危险的存储根密码为每个系统。根密码在保险库文件中,或者您可以将它像sudoers文件一样用于您的用户/组。 我建议在服务器上使用sudoers文件。下面是组管理的示例: %admin所有=(所有)NOPASSWD:所有
我在这个问题上撕了我的头发,现在我找到了一个解决方案,这是我想要的:
每台主机1个加密文件,包含sudo密码
/etc/ansible/hosts:
[all:vars]
ansible_ssh_connection=ssh ansible_ssh_user=myuser ansible_ssh_private_key_file=~/.ssh/id_rsa
[some_service_group]
node-0
node-1
然后为每个主机创建一个加密的var文件,如下所示:
ansible-vault create /etc/ansible/host_vars/node-0
与内容
ansible_sudo_pass: "my_sudo_pass_for_host_node-0"
如何组织保险库密码(通过——ask-vault-pass输入)或CFG由您决定
基于此,我怀疑你可以加密整个hosts文件…
