我如何指定一个sudo密码Ansible在非交互的方式?

我是这样运行Ansible剧本的:

$ ansible-playbook playbook.yml -i inventory.ini \
    --user=username --ask-sudo-pass

但我想这样运行它:

$ ansible-playbook playbook.yml -i inventory.ini \
    --user=username` **--sudo-pass=12345**

有办法吗?我希望尽可能地自动化我的项目部署。


当前回答

你可以像这样在hosts文件中为你的剧本写sudo密码:

[host-group-name]
host-name:port ansible_sudo_pass='*your-sudo-password*'

其他回答

我的黑客自动化这是使用一个环境变量,并通过——extralvars =“ansible_become_pass='{{lookup('env', ' ansible_become_pass ')}}'”访问它。

导出一个env变量,但避免bash/shell历史记录(前面有一个空格或其他方法)。例如:

     export ANSIBLE_BECOME_PASS='<your password>'

查找env变量,同时将额外的ansible_become_pass变量传递到ansible-playbook中,例如:

ansible-playbook playbook.yml -i inventories/dev/hosts.yml -u user --extra-vars="ansible_become_pass='{{ lookup('env', 'ANSIBLE_BECOME_PASS') }}'"

好的替代答案:

@toast38coza: simply use a vaulted value for ansible_become_pass. This is decent. However, for the paranoid teams that need to share ansible vault passwords, and execute ansible plays with induvidual accounts, they coudld use the shared vault password to reverse each others operating system password (identiy theft). Arguably, you need to trust your own team? @slm's bash subshell output generated to temp file descriptor and using the @ prefix to read the ansible variable from the file desriptor. Avoids bash history at least. Not sure, but hopefully subshell echo doesn't get caught and exposed in audit logging (e.g. auditd).

如果你愿意将密码保存在纯文本文件中,另一种选择是使用带有——extra-vars参数的JSON文件(确保将该文件排除在源代码控制之外):

ansible-playbook --extra-vars "@private_vars.json" playbook.yml 

Ansible从1.3开始就支持这个选项。

只要提示其他解决方案。 你可以设置你的ansible用户在没有密码的情况下运行sudo(这是GCP虚拟机的默认设置)

sudo visudo

添加行(tom是用户):

tom ALL=(ALL) NOPASSWD:ALL

你可以像这样在hosts文件中为你的剧本写sudo密码:

[host-group-name]
host-name:port ansible_sudo_pass='*your-sudo-password*'

这对我很管用…… 创建文件/etc/sudoers.d/90-init-users文件

echo "user ALL=(ALL)       NOPASSWD:ALL" > 90-init-users

其中“user”是您的用户id。