Ansible 使用普通用户_免密+提权

Posted 2022-06-22 晦暗留给过往

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了Ansible 使用普通用户_免密+提权相关的知识，希望对你有一定的参考价值。

使用普通用户进行免密+提权执行Ansible

环境：

#Ansible主机：

IP:192.168.238.99

Ansible版本：
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
  config file = /home/wxy/ansible/ansible.cfg
  configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.8 (default, Aug  2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True

#被控节点：
IP：192.168.238.77

被控节点配置普通用户提权和执行命令免密码认证：

#被控节点使用root进行普通用户提权免密

1：配置普通用户www提权且执行命令都不需要密码
[root@localhost ~]# cat  /etc/sudoers
......省略......
## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
www  ALL=(ALL)  NOPASSWD: ALL
......省略......

Ansible主机：


#使用普通用户登录Ansible主机
[wxy@nfs ~]$ id
uid=1000(wxy) gid=1000(wxy) groups=1000(wxy),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[wxy@nfs ~]$ 

#普通用户做免密登录被控节点
[wxy@nfs ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wxy/.ssh/id_rsa): 
Created directory '/home/wxy/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wxy/.ssh/id_rsa.
Your public key has been saved in /home/wxy/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bxZBYUCqpCbWcAeTkXgI5QZTZksMFi4K2N8SZKss4H0 wxy@nfs
The key's randomart image is:
+---[RSA 2048]----+
|*BX+*  .o.+.     |
|+@.Bo. . o       |
|=o*.+..   .      |
|*o==.+     .     |
|+o=o+E. S .      |
|.+  ..   . .     |
|          +      |
|         o       |
|                 |
+----[SHA256]-----+
[wxy@nfs ~]$ 
[wxy@nfs ~]$ ssh-copy-id -i .ssh/id_rsa.pub www@192.168.238.77

Ansible主机配置ansible.cfg和inventory文件


# wxy的家目录下，有一套ansible环境，其中有ansible目录和其目录下 ansible.cfg和inventory文件
[wxy@nfs ~]$ pwd
/home/wxy
[wxy@nfs ~]$ 
[wxy@nfs ~]$ tree
.
└── ansible
    ├── ansible.cfg
    └── inventory

1 directory, 2 files
[wxy@nfs ~]$ cd ansible/
[wxy@nfs ansible]$ 
[wxy@nfs ansible]$ cat ansible.cfg 
[defaults]
inventory = ./inventory
remote_user = www
ask_pass = false

[privilege_escalation]
become = yes
become_method = sudo
become_user = root
become_ask_pass = false
[wxy@nfs ansible]$ 
[wxy@nfs ansible]$ cat inventory 
[test]
192.168.238.77

#在ansible目录下，查看ansible版本，配置文件和inventory文件都指向了/home/wxy/ansible目录下，正是我们想要的
[wxy@nfs ansible]$ pwd
/home/wxy/ansible
[wxy@nfs ansible]$ ansible --version
ansible [core 2.12.5]
  config file = /home/wxy/ansible/ansible.cfg
  configured module search path = ['/home/wxy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /home/wxy/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.8 (default, Aug  2 2021, 14:57:02) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True

Ansible主机执行命令，查看结果


#确认执行ansible命令时，所在位置要在ansible目录下
[wxy@nfs ansible]$ cd /home/wxy/ansible/
[wxy@nfs ansible]$ pwd
/home/wxy/ansible

#执行ansible命令，使用command模块，查看到被控节点的ip地址 192.168.238.77
[wxy@nfs ansible]$ ansible test -m command  -a 'ip a '
192.168.238.77 | CHANGED | rc=0 >>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:d9:e5:39 brd ff:ff:ff:ff:ff:ff
    inet 192.168.238.77/24 brd 192.168.238.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::a130:2640:d909:ddcc/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:bb:98:6b brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
[wxy@nfs ansible]$

以上是关于Ansible 使用普通用户_免密+提权的主要内容，如果未能解决你的问题，请参考以下文章

Ansible 使用普通用户_免密+提权

RHCSA-A16. 设置普通用户提权免密

ansible提权操作-普通用户运行playbooks进行提权

5. ansible之sudo提权

为啥ansible script 不能切换到普通用户

ansible 普通用户执行命令