Ansible privilege escalation: running playbooks as a normal user and escalating with become


Environment: 1. A normal (non-root) user whose password is known. 2. That user has already been granted sudo rights.

Preparation:

1. Create the inventory file and edit the Ansible configuration (123 is the normal user's name):

cd /home/123
touch ./hosts    # create the hosts inventory file
vi /etc/ansible/ansible.cfg

In ansible.cfg, point inventory at the hosts file in the current directory (/home/123) and set host_key_checking = False (uncomment the line). Two caveats: Ansible resolves a relative inventory path in ansible.cfg against the directory that contains the config file, so with the file in /etc/ansible, ./hosts means /etc/ansible/hosts; keeping ansible.cfg next to hosts in the working directory (as the second half of this page does) avoids that mismatch. Disabling host_key_checking also disables SSH host-key verification, so the SSH and sudo passwords stored in the inventory would be handed to whatever host answers at that IP; in production keep it enabled and pre-populate known_hosts instead.


[defaults]

inventory = ./hosts
host_key_checking = False

2. In the hosts inventory in the current directory, add the groups, the host IPs, the non-root account's username and password, and the become password (the non-root user's own password).

# template example
[all:vars]
# ansible_ssh_user / ansible_ssh_pass are legacy aliases of ansible_user / ansible_password
ansible_ssh_user=
ansible_ssh_port=
ansible_ssh_pass=

ansible_become=yes
# ansible_become_method=sudo
# ansible_become_user=root
# ansible_become_pass=

#1
[aa]
11.133.64.111

#2
[bb]
11.133.64.111

#3
[cc]
11.133.64.111


3. Write the task script xxx.yml in the current directory, then run the playbook to carry out the intended operation:

ansible-playbook xxx.yml

Notes:

1. In Ansible, become means privilege escalation. become is usually left false in ansible.cfg and set to true only on the specific tasks that need it, so that operations run with the least privilege necessary and a mistake in an unprivileged task cannot do root-level damage.

2. During escalation the SSH login account is still the non-root account (which has sudo rights). In particular, become_user must not be set to that non-root SSH user; it must be root, or left unset, in which case it defaults to root. Only then does the escalation succeed.

3. If the hosts inventory does not carry the become password, run ansible-playbook xxx.yml with the -K option and enter the SSH user's sudo password by hand (not the root password).

4. SSH login may use a password or key-based (passwordless) authentication, but privileged commands still require escalation: add -K when running the command and enter the SSH user's escalation password.
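A playbook written to the pattern in Notes 1 and 2, added here as an example (it is not from the original post): the play stays the unprivileged SSH user, escalates on one task, and asserts that the escalation actually yielded root and did not leak into the following task. The group name aa comes from the inventory template above; the package name and the file name are assumptions.

```yaml
---
# Added example, not from the original post. "aa" is the group from the
# inventory template above; the package name is an assumption.
- name: Stay the non-root SSH user, escalate only where a task needs root
  hosts: aa
  become: false                 # play default: no escalation (Note 1)

  tasks:
    - name: Record the SSH user's identity (runs without escalation)
      ansible.builtin.command: id -un
      register: unpriv_id
      changed_when: false

    - name: Check the escalation itself before doing anything with it
      ansible.builtin.command: id -un
      register: root_id
      changed_when: false
      become: true                # become_user left unset, so it defaults
                                  # to root; never set it to the SSH user (Note 2)

    - name: Install a package, which needs root; escalate for this task only
      ansible.builtin.package:
        name: tree
        state: present
      become: true

    - name: Record the identity again after the escalated tasks
      ansible.builtin.command: id -un
      register: after_id
      changed_when: false

    - name: Fail loudly if privileges did not go where they were supposed to
      ansible.builtin.assert:
        that:
          - unpriv_id.stdout != 'root'
          - root_id.stdout == 'root'
          - after_id.stdout == unpriv_id.stdout
        fail_msg: "identity mismatch: {{ unpriv_id.stdout }} / {{ root_id.stdout }} / {{ after_id.stdout }}"
```

With the inventory template above and no ansible_become_pass set, run it as ansible-playbook -K xxx.yml and give the SSH user's sudo password (Note 3).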

Ansible with a normal user: passwordless SSH plus privilege escalation

Running Ansible as a normal user with passwordless login and privilege escalation

Environment:

# Ansible control host:

IP: 192.168.238.99

Ansible version:
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
  config file = /home/wxy/ansible/ansible.cfg
  configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.8 (default, Aug  2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True

# Managed node:
IP: 192.168.238.77

Configure passwordless privilege escalation and command execution for the normal user on the managed node:

# On the managed node, as root, allow the normal user to escalate without a password

1: Configure the normal user www so that neither escalating nor running commands asks for a password. Note that NOPASSWD: ALL means whoever holds the wxy private key on the control host effectively holds root on every managed node; where possible restrict the command list to what the playbooks need, and protect that key accordingly.
[root@localhost ~]# cat  /etc/sudoers
...... omitted ......
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
www  ALL=(ALL)  NOPASSWD: ALL
...... omitted ......

Ansible control host:

# log in to the Ansible control host as the normal user
[wxy@nfs ~]$ id
uid=1000(wxy) gid=1000(wxy) groups=1000(wxy),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wxy@nfs ~]$ 

# set up passwordless SSH login from the normal user to the managed node
[wxy@nfs ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wxy/.ssh/id_rsa): 
Created directory '/home/wxy/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wxy/.ssh/id_rsa.
Your public key has been saved in /home/wxy/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bxZBYUCqpCbWcAeTkXgI5QZTZksMFi4K2N8SZKss4H0 wxy@nfs
The key's randomart image is:
+---[RSA 2048]----+
|*BX+*  .o.+.     |
|+@.Bo. . o       |
|=o*.+..   .      |
|*o==.+     .     |
|+o=o+E. S .      |
|.+  ..   . .     |
|          +      |
|         o       |
|                 |
+----[SHA256]-----+
[wxy@nfs ~]$ 
[wxy@nfs ~]$ ssh-copy-id -i .ssh/id_rsa.pub www@192.168.238.77

Configure ansible.cfg and the inventory file on the Ansible control host

# wxy's home directory holds an Ansible environment: an ansible directory containing ansible.cfg and inventory
[wxy@nfs ~]$ pwd
/home/wxy
[wxy@nfs ~]$ 
[wxy@nfs ~]$ tree
.
└── ansible
    ├── ansible.cfg
    └── inventory

1 directory, 2 files
[wxy@nfs ~]$ cd ansible/
[wxy@nfs ansible]$ 
[wxy@nfs ansible]$ cat ansible.cfg 
[defaults]
inventory = ./inventory
remote_user = www
ask_pass = false

[privilege_escalation]
become = yes
become_method = sudo
become_user = root
become_ask_pass = false
[wxy@nfs ansible]$ 
[wxy@nfs ansible]$ cat inventory 
[test]
192.168.238.77

# In the ansible directory, ansible --version shows that both the config file and the inventory point at /home/wxy/ansible, which is exactly what we want
[wxy@nfs ansible]$ pwd
/home/wxy/ansible
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
  config file = /home/wxy/ansible/ansible.cfg
  configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.8 (default, Aug  2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True


Run a command from the Ansible control host and check the result

# Make sure the ansible command is run from inside the ansible directory
[wxy@nfs ansible]$ cd /home/wxy/ansible/
[wxy@nfs ansible]$ pwd
/home/wxy/ansible

# Run an ad hoc command with the command module; the output shows the managed node's IP address 192.168.238.77
[wxy@nfs ansible]$ ansible test -m command  -a 'ip a '
192.168.238.77 | CHANGED | rc=0 >>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:d9:e5:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.238.77/24 brd 192.168.238.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::a130:2640:d909:ddcc/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:bb:98:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
[wxy@nfs ansible]$ 

