Deploying the git service with Ansible

Posted by Kubeguts on 2022-03-27

I have recently been reviewing Ansible, the configuration automation tool.

So this post records how to set things up so that Ansible can log in to different CentOS machines over SSH without having to use a password.

The goal of this post is to run a playbook with Ansible on the control machine and install the git service on another machine, workstation!

Install epel-release

[cloud_user@workstation ~]$ sudo yum install epel-release
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: download.cf.centos.org
* epel: dl.fedoraproject.org
* extras: download.cf.centos.org
* updates: download.cf.centos.org
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be updated
---> Package epel-release.noarch 0:7-14 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================================
Updating:
epel-release noarch 7-14 epel 15 k

Transaction Summary
===================================================================================================================================================
Upgrade 1 Package

Total download size: 15 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
warning: /var/cache/yum/x86_64/7/epel/packages/epel-release-7-14.noarch.rpm: Header V4 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for epel-release-7-14.noarch.rpm is not installed
epel-release-7-14.noarch.rpm | 15 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : "Fedora EPEL (7) <epel@fedoraproject.org>"
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-11.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : epel-release-7-14.noarch 1/2
Cleanup : epel-release-7-11.noarch 2/2
Verifying : epel-release-7-14.noarch 1/2
Verifying : epel-release-7-11.noarch 2/2

Updated:
epel-release.noarch 0:7-14

Complete!

https://blog.gtwang.org/linux/redhat-linux-enable-epel-repo/
EPEL (Extra Packages for Enterprise Linux) is a package repository maintained by the Fedora Special Interest Group community. Its main purpose is to provide additional high-quality packages for enterprise-grade Linux distributions; the repository can be used with Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), among others.

Check which packages EPEL provides

yum repolist

[cloud_user@workstation ~]$ yum repolist
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: download.cf.centos.org
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: download.cf.centos.org
* updates: download.cf.centos.org
repo id repo name status
base/7/x86_64 CentOS-7 - Base 10,072
epel/x86_64 Extra Packages for Enterprise Linux 7 - x86_64 13,747
extras/7/x86_64 CentOS-7 - Extras 509
updates/7/x86_64 CentOS-7 - Updates 3,573

Install ansible

Install Ansible with sudo yum install ansible

[cloud_user@workstation ~]$ sudo yum install ansible
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: download.cf.centos.org
* epel: iad.mirror.rackspace.com
* extras: download.cf.centos.org
* updates: download.cf.centos.org
Resolving Dependencies
--> Running transaction check
---> Package ansible.noarch 0:2.9.27-1.el7 will be installed
--> Processing Dependency: python-httplib2 for package: ansible-2.9.27-1.el7.noarch
--> Processing Dependency: python-paramiko for package: ansible-2.9.27-1.el7.noarch
--> Processing Dependency: python2-jmespath for package: ansible-2.9.27-1.el7.noarch
--> Processing Dependency: sshpass for package: ansible-2.9.27-1.el7.noarch
--> Running transaction check
---> Package python-paramiko.noarch 0:2.1.1-9.el7 will be installed
---> Package python2-httplib2.noarch 0:0.18.1-3.el7 will be installed
---> Package python2-jmespath.noarch 0:0.9.4-2.el7 will be installed
---> Package sshpass.x86_64 0:1.06-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================================================================================
Installing:
ansible noarch 2.9.27-1.el7 epel 17 M
Installing for dependencies:
python-paramiko noarch 2.1.1-9.el7 base 269 k
python2-httplib2 noarch 0.18.1-3.el7 epel 125 k
python2-jmespath noarch 0.9.4-2.el7 epel 41 k
sshpass x86_64 1.06-2.el7 extras 21 k

Transaction Summary
=====================================================================================================================================================================================================
Install 1 Package (+4 Dependent packages)

Total download size: 17 M
Installed size: 105 M
Is this ok [y/d/N]: y
Downloading packages:
(1/5): python-paramiko-2.1.1-9.el7.noarch.rpm | 269 kB 00:00:00
(2/5): ansible-2.9.27-1.el7.noarch.rpm | 17 MB 00:00:00
(3/5): python2-httplib2-0.18.1-3.el7.noarch.rpm | 125 kB 00:00:00
(4/5): python2-jmespath-0.9.4-2.el7.noarch.rpm | 41 kB 00:00:00
(5/5): sshpass-1.06-2.el7.x86_64.rpm | 21 kB 00:00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 47 MB/s | 17 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python2-jmespath-0.9.4-2.el7.noarch 1/5
Installing : python2-httplib2-0.18.1-3.el7.noarch 2/5
Installing : python-paramiko-2.1.1-9.el7.noarch 3/5
Installing : sshpass-1.06-2.el7.x86_64 4/5
Installing : ansible-2.9.27-1.el7.noarch 5/5
Verifying : sshpass-1.06-2.el7.x86_64 1/5
Verifying : python-paramiko-2.1.1-9.el7.noarch 2/5
Verifying : python2-httplib2-0.18.1-3.el7.noarch 3/5
Verifying : ansible-2.9.27-1.el7.noarch 4/5
Verifying : python2-jmespath-0.9.4-2.el7.noarch 5/5

Installed:
ansible.noarch 0:2.9.27-1.el7

Dependency Installed:
python-paramiko.noarch 0:2.1.1-9.el7 python2-httplib2.noarch 0:0.18.1-3.el7 python2-jmespath.noarch 0:0.9.4-2.el7 sshpass.x86_64 0:1.06-2.el7

Complete!

Create the ansible user

Create a user called ansible on both the control node and the workstation node.
This is the account Ansible acts as when it logs in to the machines.

sudo useradd ansible

On workstation, set a password for the ansible user

sudo passwd ansible

This is mainly to test whether an ssh login to workstation requires a password.

Set up an SSH key for the ansible user

Remember to switch to the ansible user first on both control and workstation

[cloud_user@control ~]$ sudo su - ansible
[ansible@control ~]$
[cloud_user@workstation ~]$ sudo su - ansible
[ansible@workstation ~]$

On both machines, use ssh-keygen to generate a key pair for ansible

First generate the SSH key pair on workstation

[ansible@workstation ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Created directory '/home/ansible/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible/.ssh/id_rsa.
Your public key has been saved in /home/ansible/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9sCdpJq6hVydGJpZ5ChfB4si9VwyhK6Ct1eBDSuqx7Q ansible@workstation
The key's randomart image is:
+---[RSA 2048]----+
| .o+ + |
| ..o.O o |
|..o ==* . . |
| .o+o*o* = . |
|.o .= o.S o |
|= o. o.+ o |
|o+ oo.+ . |
|. E .o |
| . .o. |
+----[SHA256]-----+

Generate the SSH key pair on the other machine, control

[ansible@control ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible/.ssh/id_rsa):
Created directory '/home/ansible/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible/.ssh/id_rsa.
Your public key has been saved in /home/ansible/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9W/Z7ejLKYb99gVh1BbevWgM/AbbgFlNneswMyqbx9M ansible@control
The key's randomart image is:
+---[RSA 2048]----+
| .o.ooo|
| = o.o=|
| o.= oo+|
| . .O*.o.|
| S .oBB. |
| . .o. =.|
| =o. + +|
| o.++E.+.|
| ...=Boo|
+----[SHA256]-----+

On control, use ssh-copy-id to register control's SSH key on workstation.

You will need to enter the password you just set for the ansible user on workstation.

From then on, when Ansible on the control machine logs in to workstation, it logs in with the SSH key instead of a password!

[ansible@control ~]$ ssh-copy-id workstation
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ansible/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'workstation'"
and check to make sure that only the key(s) you wanted were added.

[ansible@control ~]$

Then log in to workstation directly with ssh workstation

[ansible@control ~]$ ssh workstation
[ansible@workstation ~]$

Configure the Ansible user on the workstation machine

On workstation, configure the ansible user so that running sudo does not require a password.

First, go to the workstation machine.

Then edit the sudoers file and add the following at the bottom:

ansible       ALL=(ALL)       NOPASSWD: ALL

For example, like this:

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
cloud_user ALL=(ALL) ALL
cloud_user ALL=(ALL) NOPASSWD: ALL

### add this line....
ansible ALL=(ALL) NOPASSWD: ALL

Create an Ansible inventory definition file

First, on the control machine, create the inventory

sudo vim /home/ansible/inventory

Its content is the name of the other machine, so that Ansible running on the control machine can install the service on workstation.

workstation

Next, as the ansible user, define the playbook git-setup.yml that installs the git service on workstation

[cloud_user@control ~]$ sudo su - ansible

Then define the playbook git-setup.yml; afterwards it can be used to have Ansible deploy the git tool to the workstation host

vim /home/ansible/git-setup.yml

--- # install git on target host
- hosts: workstation
  become: yes
  tasks:
    - name: install git
      yum:
        name: git
        state: latest

Then run the playbook

ansible-playbook -i /home/ansible/inventory /home/ansible/git-setup.yml
[ansible@control ~]$ ansible-playbook -i /home/ansible/inventory /home/ansible/git-setup.yml

PLAY [workstation] **********************************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************************************
ok: [workstation]

TASK [install git] **********************************************************************************************************************************************************************************
changed: [workstation]

PLAY RECAP ******************************************************************************************************************************************************************************************
workstation : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

[ansible@control ~]$

To confirm that git is installed on workstation, go to the workstation machine and run git to verify.

Debugging notes

Ansible cannot log in via SSH

[ansible@control ~]$ ansible-playbook -i /home/ansible/inventory /home/ansible/git-setup.yml

PLAY [workstation] **********************************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************************************
fatal: [workstation]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'workstation,10.0.1.200' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).", "unreachable": true}

PLAY RECAP ******************************************************************************************************************************************************************************************
workstation : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0

The error "Failed to connect to the host via ssh: Warning: Permanently added 'workstation,10.0.1.200'" occurred,

which means there was a problem with the earlier SSH key setup.

I had accidentally run ssh-copy-id on workstation instead of on the control machine.
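As an added check for the ssh-copy-id step and for the "Permission denied (publickey,...)" failure above (my helper, not code from the post), the shell function below verifies on the target host what sshd needs before it will accept key-based login for the ansible account: ~/.ssh and authorized_keys exist, none of the home directory, ~/.ssh or authorized_keys is group/world writable (StrictModes silently ignores them otherwise), and the control node's public key is actually present. The key material and the sandbox directory are constructed for the demo; stat -c '%a' is the GNU form found on CentOS.

```shell
# Added helper, not part of the original post.
# check_pubkey_login HOME PUBKEY
#   HOME   : home directory of the login account on the target (e.g. /home/ansible)
#   PUBKEY : the control node's public key file (e.g. a copy of id_rsa.pub)
# Return codes: 0 ok, 1 no ~/.ssh, 2 no authorized_keys,
#               3 unsafe permissions, 4 control key not authorized.
check_pubkey_login() {
    home="$1" pub="$2"
    sshdir="$home/.ssh"
    ak="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || { echo "missing $sshdir: ssh-copy-id never targeted this host"; return 1; }
    [ -f "$ak" ]     || { echo "missing $ak"; return 2; }
    # With StrictModes (sshd default) authorized_keys is ignored when the home
    # dir, ~/.ssh or the file itself is writable by group or others; the client
    # then just sees "Permission denied (publickey,...)".
    for f in "$home" "$sshdir" "$ak"; do
        mode=$(stat -c '%a' "$f")             # e.g. 700, 600, 2755
        grp=${mode%?}; grp=${grp#"${grp%?}"}  # group permission digit
        oth=${mode#"${mode%?}"}               # other permission digit
        case "$grp$oth" in
            *[2367]*) echo "$f is group/world writable (mode $mode)"; return 3 ;;
        esac
    done
    # Compare only the base64 key blob, so a different trailing comment
    # ("ansible@control") cannot cause a false negative.
    keydata=$(awk 'NR==1 {print $2}' "$pub")
    [ -n "$keydata" ] || { echo "cannot read key data from $pub"; return 4; }
    grep -qF -- "$keydata" "$ak" || { echo "key from $pub is not in $ak"; return 4; }
    echo "ok: key-based login should succeed for $home"
}

# Builds a throwaway fake home directory (constructed data, no real accounts
# are touched) and prints its path.
demo_sandbox() {
    d=$(mktemp -d)                            # mktemp -d creates the dir with mode 700
    mkdir -m 700 "$d/.ssh"
    # Constructed key material, not a real key.
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEYDATA ansible@control" > "$d/control_id_rsa.pub"
    cp "$d/control_id_rsa.pub" "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    echo "$d"
}

# Stand-alone run: a good sandbox passes, then a world-writable ~/.ssh fails.
sb=$(demo_sandbox)
check_pubkey_login "$sb" "$sb/control_id_rsa.pub" || true
chmod 777 "$sb/.ssh"
check_pubkey_login "$sb" "$sb/control_id_rsa.pub" || true
rm -rf "$sb"
```

On a real workstation, run it as the ansible user with check_pubkey_login "$HOME" /path/to/control_id_rsa.pub after copying the control node's id_rsa.pub over.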