ansible提权操作-普通用户运行playbooks进行提权
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ansible提权操作-普通用户运行playbooks进行提权相关的知识,希望对你有一定的参考价值。
环境: 1、普通用户(密码账户已知) 2、该用户已经添加了sudo权限
准备:
1、cd /home/123
touch ./hosts
#创建hosts配置文件,123是普通用户名
vi /etc/ansible.cgf
#然后在ansible.cfg中修改主机清单inventory为当前目录(/home/123)的hosts文件。设置host_key_checking=False(取消注释)
[defaults]
inventory = ./hosts
host_key_checking = yes
2、在当前目录下的主机清单hosts文件中,添加分组、主机IP、非root用户的帐号和密码,提权密码(非root用户的密码)。
#模版示例
[all:vars]
ansible_ssh_user=
ansible_ssh_port=
ansible_ssh_pass=
ansible_become=yes
# ansible_become_method=sudo
# ansible_become_user=root
# ansible_become_pass=
#1
[aa]
11.133.64.111
#2
[bb]
11.133.64.111
#3
[cc]
11.133.64.111
4、在当前目录下编写xxx.yml的task脚本 #最后运行playbook执行特定运维 ansible-playbook xxx.ym
注意: 1、ansible的become就是提权的意思。ansible.cfg中become通常设置为false,具体的task操作中再指定become: true。这样可以确保使用最小权限进行操作,以防误操作。
2、提权操作时ssh登陆帐号还是非root帐号(该帐号有sudo权限),特别注意become_user不能写原ssh登陆的非root用户,一定要写root,或者不写默认为root。这样才能执行成功。
3、如果主机清单hosts中没有指定become的密码,那么执行ansible-playbook xxx.yml加-K参数,手动输入ssh用户的sudo密码(不是root密码)
4、ssh登陆时可以使用密码,也可以使用基于密钥的登陆(免密)。但是执行特权命令时必须要提权,即执行命令时加入-K参数,输入ssh用户的提权密码。
Ansible 使用普通用户_免密+提权
使用普通用户进行免密+提权执行Ansible
环境:
#Ansible主机:
IP:192.168.238.99
Ansible版本:
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
config file = /home/wxy/ansible/ansible.cfg
configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.8 (default, Aug 2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
jinja version = 2.10.3
libyaml = True
#被控节点:
IP:192.168.238.77
被控节点配置普通用户提权和执行命令免密码认证:
#被控节点使用root进行普通用户提权免密
1:配置普通用户www提权且执行命令都不需要密码
[root@localhost ~]# cat /etc/sudoers
......省略......
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
www ALL=(ALL) NOPASSWD: ALL
......省略......
Ansible主机:
#使用普通用户登录Ansible主机
[wxy@nfs ~]$ id
uid=1000(wxy) gid=1000(wxy) groups=1000(wxy),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wxy@nfs ~]$
#普通用户做免密登录被控节点
[wxy@nfs ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wxy/.ssh/id_rsa):
Created directory '/home/wxy/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wxy/.ssh/id_rsa.
Your public key has been saved in /home/wxy/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bxZBYUCqpCbWcAeTkXgI5QZTZksMFi4K2N8SZKss4H0 wxy@nfs
The key's randomart image is:
+---[RSA 2048]----+
|*BX+* .o.+. |
|+@.Bo. . o |
|=o*.+.. . |
|*o==.+ . |
|+o=o+E. S . |
|.+ .. . . |
| + |
| o |
| |
+----[SHA256]-----+
[wxy@nfs ~]$
[wxy@nfs ~]$ ssh-copy-id -i .ssh/id_rsa.pub www@192.168.238.77
Ansible主机配置ansible.cfg和inventory文件
# wxy的家目录下,有一套ansible环境,其中有ansible目录和其目录下 ansible.cfg和inventory文件
[wxy@nfs ~]$ pwd
/home/wxy
[wxy@nfs ~]$
[wxy@nfs ~]$ tree
.
└── ansible
├── ansible.cfg
└── inventory
1 directory, 2 files
[wxy@nfs ~]$ cd ansible/
[wxy@nfs ansible]$
[wxy@nfs ansible]$ cat ansible.cfg
[defaults]
inventory = ./inventory
remote_user = www
ask_pass = false
[privilege_escalation]
become = yes
become_method = sudo
become_user = root
become_ask_pass = false
[wxy@nfs ansible]$
[wxy@nfs ansible]$ cat inventory
[test]
192.168.238.77
#在ansible目录下,查看ansible版本,配置文件和inventory文件都指向了/home/wxy/ansible目录下,正是我们想要的
[wxy@nfs ansible]$ pwd
/home/wxy/ansible
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
config file = /home/wxy/ansible/ansible.cfg
configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.8.8 (default, Aug 2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
jinja version = 2.10.3
libyaml = True
Ansible主机执行命令,查看结果
#确认执行ansible命令时,所在位置要在ansible目录下
[wxy@nfs ansible]$ cd /home/wxy/ansible/
[wxy@nfs ansible]$ pwd
/home/wxy/ansible
#执行ansible命令,使用command模块,查看到被控节点的ip地址 192.168.238.77
[wxy@nfs ansible]$ ansible test -m command -a 'ip a '
192.168.238.77 | CHANGED | rc=0 >>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:d9:e5:39 brd ff:ff:ff:ff:ff:ff
inet 192.168.238.77/24 brd 192.168.238.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::a130:2640:d909:ddcc/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:bb:98:6b brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
[wxy@nfs ansible]$
以上是关于ansible提权操作-普通用户运行playbooks进行提权的主要内容,如果未能解决你的问题,请参考以下文章