When I use port knocking from the client to the server, the ansible playbook does not work and fails during SSH authentication, even though I am using SSH keys

When I run the same playbook manually it works, but when I try to use knockd, the client is able to connect to the server running knockd, yet ssh cannot authenticate. I have set up passwordless ssh public-key authentication, so I don't know why this problem occurs.

ubuntu@ip-192-168-5-238:~$ sudo knockd -vD
sudo: unable to resolve host ip-192-168-5-238
config: new section: 'options'
config: usesyslog
config: new section: 'ansible'
config: ansible: sequence: 9000:tcp,9999:tcp
config: ansible: seq_timeout: 5
config: ansible: start_command: ansible-playbook -i hosts default.yml -vvv
ethernet interface detected
Local IP: 192.168.5.238
listening on eth0...
2016-00-27 20:54:59: tcp: 192.168.5.150:33260 -> 192.168.5.238:9000 74 bytes
192.168.5.150: ansible: Stage 1
2016-00-27 20:54:59: tcp: 192.168.5.150:53055 -> 192.168.5.238:9999 74 bytes
192.168.5.150: ansible: Stage 2
192.168.5.150: ansible: OPEN SESAME
ansible: running command: ansible-playbook -i hosts default.yml -vvv
No config file found; using defaults
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default). This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
1 plays in default.yml

PLAY ***************************************************************************

TASK [setup] *******************************************************************
<192.168.5.150> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<192.168.5.150> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/home/ubuntu/.ansible/cp/ansible-ssh-%h-%p-%r -tt 192.168.5.150 '( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453928100.08-29024361375363 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453928100.08-29024361375363 )" )'
fatal: [192.168.5.150]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}

PLAY RECAP *********************************************************************
192.168.5.150              : ok=0    changed=0    unreachable=1    failed=0

ansible: command returned non-zero status code (3)

Here is the playbook when run manually:

ubuntu@ip-192-168-5-238:~$ ansible-playbook -i hosts default.yml
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default). This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

PLAY ***************************************************************************

TASK [setup] *******************************************************************
ok: [192.168.5.150]

TASK [ensure apache is at the latest version] **********************************
ok: [192.168.5.150]

TASK [drop an arbitrary file just so we know something happened] ***************
changed: [192.168.5.150]

PLAY RECAP *********************************************************************
192.168.5.150              : ok=3    changed=1    unreachable=0    failed=0

1 Answer


Knockd is running as root (you started it with sudo), whereas when you run ansible-playbook manually you run it as the ubuntu user. To fix it, you can use sudo, i.e.:

sudo -H -u ansible /bin/bash -c "ansible-playbook -i hosts default.yml"

It can be improved:

  1. Don't use a static inventory file; use a dynamic one, for example:

- add_host: name={{ IP }} groups=knockers ansible_user=ubuntu ansible_become=yes ansible_ssh_private_key_file=key_file
  changed_when: False
  failed_when: IP is not defined or not (IP | ipaddr)
  tags:
    - always

  2. When running ansible-playbook from knockd, pass the knocking host's IP address to the playbook: sudo -H -u ansible /bin/bash -c "ansible-playbook -i hosts default.yml -e IP=%IP%"

This design allows a master-slave architecture with Ansible (in other words, pull mode).

answered 2017-01-10T12:23:25.707
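A wrapper script that knockd can call as its start_command, written as an added example (not from the question or the answer): it drops from root to the unprivileged Ansible user, validates the %IP% value knockd substitutes before it is interpolated into a shell command, and passes it to the playbook as the IP extra var. The user name ansible, the playbook directory and the script path /usr/local/sbin/knock-ansible.sh are assumptions.

```shell
#!/bin/sh
# Constructed example for knockd.conf:
#   start_command = /usr/local/sbin/knock-ansible.sh %IP%
# knockd runs start_command as root, so the SSH keys in /root/.ssh would be
# used; this wrapper re-executes ansible-playbook as the Ansible user instead.
ANSIBLE_USER="${ANSIBLE_USER:-ansible}"                       # assumed user
PLAYBOOK_DIR="${PLAYBOOK_DIR:-/home/ansible/playbooks}"       # assumed path

# Accept only a dotted-quad IPv4 address: %IP% comes from the network and is
# about to be placed on a command line, so reject anything else.
valid_ipv4() {
  ip="$1"
  case "$ip" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, empty octets
  esac
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ $# -eq 4 ] || return 1                 # exactly four octets
  for o in "$@"; do
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Command line executed as the unprivileged user (same form as the answer).
build_cmd() {
  printf 'ansible-playbook -i hosts default.yml -e IP=%s' "$1"
}

main() {
  ip="$1"
  if ! valid_ipv4 "$ip"; then
    logger -t knock-ansible "rejected knock argument '$ip'"
    exit 1
  fi
  logger -t knock-ansible "knock from $ip; invoked as $(id -un), running as $ANSIBLE_USER"
  cd "$PLAYBOOK_DIR" || exit 1
  exec sudo -H -u "$ANSIBLE_USER" /bin/sh -c "$(build_cmd "$ip")"
}

# Run main only when executed as the installed script, not when sourced.
case "$0" in
  */knock-ansible.sh|knock-ansible.sh) main "$@" ;;
esac
```

The playbook's own failed_when guard on (IP | ipaddr) still applies; this check only keeps a malformed value from reaching the shell at all.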