Configuring passwordless SSH between cluster hosts with an Ansible playbook

jack
2023-03-04 / 0 comments / 0 likes / 785 views / 1,287 words

1. Installing and configuring Ansible

Note: every command on the Ansible control node is run as root.

1.1 Install Ansible on the control node

yum install epel-release -y
yum install ansible -y
ansible --version

My current Ansible version is 2.9.27. Watch out for version compatibility, for example in how built-in variables are written.

1.2 Edit /etc/ansible/ansible.cfg on the control node

host_key_checking = False
remote_tmp = /tmp

Without this setting you get: Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshp

2. Getting started with Ansible

2.1 Generate a key pair on the control node; just press Enter at every prompt

ssh-keygen -t rsa

2.2 Configure /etc/ansible/hosts on the control node

TODO: verify ansible_ssh_user, ansible_ssh_pass, ansible_user and ansible_pass

Format:
[host alias] [host address] [host user] [host password]
hostnamexxx 192.168.237.xx ansible_ssh_user="root" ansible_ssh_pass="root6"
Hosts have built-in variables; custom variables can be added in the same way and referenced from the YAML.

Examples of built-in variables:
ansible_host #the real IP of the managed host
ansible_port #the SSH port used to connect to the managed host, default 22
ansible_user #the user name used by default for the SSH connection

3. Passwordless SSH from the control node to all managed nodes

ssh_key.yaml is laid out as follows:

- hosts: bd  # change to your own host group; for each host in /etc/ansible/hosts set ansible_ssh_user=<remote user> and ansible_ssh_pass=<that user's password>
  vars_prompt:
   - name: "local_name"
     prompt: "输入当前主机免密的用户名"
     private: no
   - name: "remote_user_name"
     prompt: "输入远程主机免密的用户名"
     private: no
  tasks:
   - name: root批量免密配置
     authorized_key:
       user: "{{ remote_user_name }}"
       # build the path with ~ instead of nesting {{ }} inside the expression
       key: "{{ lookup('file', '/' ~ local_name ~ '/.ssh/id_rsa.pub') }}"
       state: present
     when:
      - local_name == 'root'
   - name: 非root批量免密配置
     authorized_key:
       user: "{{ remote_user_name }}"
       key: "{{ lookup('file', '/home/' ~ local_name ~ '/.ssh/id_rsa.pub') }}"
       state: present
     when:
      - local_name != 'root'

Finally run: ansible-playbook ssh_key.yaml


4. Passwordless SSH between the managed nodes

First, /etc/ansible/hosts on the control node looks like this:

[bd]
# ansible_password is the variable Ansible recognises for the SSH password (ansible_pass is not)
master ansible_host=192.168.18.141 ansible_hostname=master ansible_user=tst ansible_password=123456
slave1 ansible_host=192.168.18.142 ansible_hostname=slave1 ansible_user=tst ansible_password=123456
slave2 ansible_host=192.168.18.143 ansible_hostname=slave2 ansible_user=tst ansible_password=123456


Second, the playbook hosts_no_password_login.yml is laid out as follows:

- hosts: bd  # passwordless SSH between the managed hosts; run with: ansible-playbook hosts_no_password_login.yml --ask-become-pass
  gather_facts: no
  vars_prompt:
   - name: "user_name"
     prompt: "输入主机互相免密的用户名"
     private: no
  vars:
    ssh_key_length: 4096
  tasks:
    - name: 关闭第一次ssh连接的提示
      become: yes
      become_method: su
      become_user: root
      shell: sed -i "s/^.*StrictHostKeyChecking.*$/   StrictHostKeyChecking no/g" /etc/ssh/ssh_config

    - name: Root用户创建 SSH key 目录
      file:
        path: /root/.ssh
        state: directory
        mode: '0700'
      when: user_name == 'root'
    - name: Root用户 Generate SSH key pair
      command: ssh-keygen -t rsa -b {{ ssh_key_length }} -f /root/.ssh/id_rsa -N ''
      args:
        creates: "/root/.ssh/id_rsa"
      when: user_name == 'root'

    - name: "{{ user_name }}用户创建 SSH key 目录"
      file:
        path: "/home/{{ user_name }}/.ssh"
        state: directory
        mode: '0700'
      when: user_name != 'root'
    - name: "{{ user_name }}用户生成 SSH key pair"
      command: "ssh-keygen -t rsa -b {{ ssh_key_length }} -f /home/{{ user_name }}/.ssh/id_rsa -N ''"
      args:
        creates: "/home/{{ user_name }}/.ssh/id_rsa"
      when: user_name != 'root'

    - name: 删除ansible主控机的 /tmp/ssh/
      file: path=/tmp/ssh/ state=absent
      delegate_to: 127.0.0.1  # local_action would have the same effect
      run_once: true

    - name: root用户拷贝公钥到本机
      fetch:
        src: /root/.ssh/id_rsa.pub
        dest: /tmp/ssh/
      when:
        - user_name == 'root'
    - name: "{{ user_name }}用户拷贝公钥到本机"
      fetch:
        src: "/home/{{ user_name }}/.ssh/id_rsa.pub"
        dest: /tmp/ssh/
      when:
        - user_name != 'root'

    - name: 将各个公钥合并成一个文件
      # only the fetched id_rsa.pub files are concatenated, so the output file is never read back into itself
      local_action: shell find /tmp/ssh -type f -name id_rsa.pub -exec cat {} + > /tmp/ssh/authorized_keys.log
      run_once: true

    - name: 读取  /tmp/ssh/authorized_keys.log  注册为变量 keys_log
      shell: cat /tmp/ssh/authorized_keys.log
      delegate_to: 127.0.0.1
      run_once: true  # the registered variable is shared with every host
      register: keys_log

    - name: root用户将合成的公钥进行分发
      blockinfile:
        path: "/root/.ssh/authorized_keys"
        create: yes  # no touch task exists for root, so let blockinfile create the file
        block: "{{ keys_log.stdout }}"
        backup: yes
        insertafter: 'EOF'
        mode: '0600'
      when:
        - user_name == 'root'

    - name: "{{ user_name }}用户创建 authorized_keys文件"
      file:
        path: "/home/{{ user_name }}/.ssh/authorized_keys"
        state: touch
        mode: '0600'  # a key file needs no execute bit
      when:
        - user_name != 'root'
    - name: "{{ user_name }}用户将合成的公钥进行分发"
      blockinfile:
        path: "/home/{{ user_name }}/.ssh/authorized_keys"
        block: "{{ keys_log.stdout }}"
        backup: yes
        insertafter: 'EOF'
        mode: '0600'
      when:
        - user_name != 'root'

Run the following command:

ansible-playbook hosts_no_password_login.yml --ask-become-pass

# Note: --ask-become-pass is for privilege escalation; it prompts for the remote hosts' root password so that tasks needing root can run there
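As an added example, not part of the original post or of the two playbooks above, the bash helpers below cover two checks a practitioner wants around them: the controller-side public key path that ssh_key.yaml's lookup() reads, and the "merge the fetched public keys" step of hosts_no_password_login.yml done with validation and de-duplication instead of a bare cat. The fetch directory layout, the host names and the key blobs are constructed for the demo; the blobs are base64-shaped filler, not real keys.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Helpers around the two playbooks:
# the local public-key path that ssh_key.yaml reads, and a validated,
# de-duplicated version of the "merge fetched public keys" step.
# All paths, host names and key blobs below are constructed for the demo.
set -u

# Controller-side public key path, matching the lookup('file', ...) paths
# in ssh_key.yaml: root lives in /root, every other user under /home.
local_pubkey_path() {
  if [ "$1" = "root" ]; then
    printf '/root/.ssh/id_rsa.pub\n'
  else
    printf '/home/%s/.ssh/id_rsa.pub\n' "$1"
  fi
}

# Accept only lines shaped like an OpenSSH public key: a known key type,
# a base64 blob and an optional comment. Blank lines, shell noise or a
# half-pasted key are rejected so they never reach authorized_keys.
valid_pubkey_line() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Merge every id_rsa.pub under a fetch directory (layout created by the
# fetch module: <dir>/<inventory_hostname>/<remote path>) into one
# authorized_keys body. Only valid lines pass, and a key that appears under
# several hosts (same type and blob, any comment) is emitted once.
merge_fetched_pubkeys() {
  find "$1" -type f -name id_rsa.pub | sort | while IFS= read -r f; do
    while IFS= read -r line || [ -n "$line" ]; do
      if valid_pubkey_line "$line"; then
        printf '%s\n' "$line"
      fi
    done < "$f"
  done | awk '!seen[$1 " " $2]++'
}

# Constructed sample keys: the blobs are base64-shaped filler, not real keys.
DEMO_KEY_A='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyBytesNotARealKey00000000000000000000'
DEMO_KEY_B='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoRsaBlobNotARealKey0000000000000000000=='

# Build a fetch tree like the one /tmp/ssh/ holds after the fetch tasks:
# master and slave1 share one key (a duplicate), slave2 has a garbage line
# above its key. Prints the directory so the caller can remove it.
build_demo_tree() {
  dir=$(mktemp -d)
  for h in master slave1 slave2; do
    mkdir -p "$dir/$h/home/tst/.ssh"
  done
  printf '%s\n' "$DEMO_KEY_A tst@master" > "$dir/master/home/tst/.ssh/id_rsa.pub"
  printf '%s\n' "$DEMO_KEY_A tst@slave1" > "$dir/slave1/home/tst/.ssh/id_rsa.pub"
  printf '%s\n%s\n' "not-a-key garbage pasted by mistake" "$DEMO_KEY_B tst@slave2" \
    > "$dir/slave2/home/tst/.ssh/id_rsa.pub"
  printf '%s\n' "$dir"
}

# Run the demo end to end: build the tree, print the merged authorized_keys
# body (two lines: master's key once, then slave2's key) and remove the tree.
demo() {
  tree=$(build_demo_tree)
  merge_fetched_pubkeys "$tree"
  rm -rf "$tree"
}

demo
```

`merge_fetched_pubkeys /tmp/ssh` can stand in for the find/cat task on the control node: a malformed line in one node's id_rsa.pub is then dropped instead of being appended to every node's authorized_keys, and the same key fetched under two hostnames no longer yields two entries. The weak spot of the second playbook is the sed task that turns StrictHostKeyChecking off on every node; the same fetch-and-merge pattern can distribute a known_hosts file built from each node's /etc/ssh/ssh_host_*_key.pub instead, which keeps host verification on.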

How passwordless SSH login works

Asymmetric encryption: the sender encrypts the message with the recipient's public key, and the recipient decrypts it with its own private key.