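I have seen many posts claiming that a playbook works fine when executed with the ansible CLI but not in AWX. However, I have not found any solution to my problem. For simplicity, I have the following role: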

---
- name: Append Public key in authorized_keys file
  authorized_key:
    user: "{{ username }}"
    state: present
    key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

It is called as follows:

- name: copy root public key to nodes
  become: yes
  become_user: root
  hosts: jenkins-nodes
  roles:
    - role: copy-keys
      username: root

Running it with the CLI, as follows:

ansible-playbook -i inventory.ini -u root <my-playbook> -vvv

works as expected and shows the following:

TASK [copy-keys : Append Public key in authorized_keys file 
***************************************************************
task path: /opt/jenkins-cluster/roles/copy-keys/tasks/main.yml:2
...
ok: [jenkins-agent-1] => {
"changed": false,
"comment": null,
"exclusive": false,
"invocation": {
    "module_args": {
        "comment": null,
        "exclusive": false,
        "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuF9U2HvzUubuYYZxJaEu/1nls7RLAZO+qcJF37RIepTSLOgoPsluq7uVRhEnadqnB0yVWccZYHs6WEp5Fo2QIRDRho4+TuACB26EE4GTYGnozyMwOwVcTzRo0CiUXfo3IZKWwQ+v8WwBMae3EpYrbrEZy6lLS8K85uYseyjg1myRhEsltdSiNnHun7p09/v/HMq2KsZcmx6nTg66QvkbbnFvv9UpGQ1J6gvimp11r5r1hwXaB7ejTwrxMICvaE2Flq3WGeaB35I4dYFsrWNK1CalP7jPF+MRgqHUrjoOy5hxp3zSXunfGWeRJCaJY5hYDLp3hTGrt8BwcdD+8Gy7r root@inf-inone01-prd",
        "key_options": null,
        "keyfile": "/root/.ssh/authorized_keys",
        "manage_dir": true,
        "path": null,
        "state": "present",
        "unique": false,
        "user": "root",
        "validate_certs": true
    }
},
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCuF9U2HvzUubuYYZxJaEu/1nls7RLAZO+qcJF37RIepTSLOgoPsluq7uVRhEnadqnB0yVWccZYHs6WEp5Fo2QIRDRho4+TuACB26EE4GTYGnozyMwOwVcTzRo0CiUXfo3IZKWwQ+v8WwBMae3EpYrbrEZy6lLS8K85uYseyjg1myRhEsltdSiNnHun7p09/v/HMq2KsZcmx6nTg66QvkbbnFvv9UpGQ1J6gvimp11r5r1hwXaB7ejTwrxMICvaE2Flq3WGeaB35I4dYFsrWNK1CalP7jPF+MRgqHUrjoOy5hxp3zSXunfGWeRJCaJY5hYDLp3hTGrt8BwcdD+8Gy7r root@inf-inone01-prd",
"key_options": null,
"keyfile": "/root/.ssh/authorized_keys",
"manage_dir": true,
"path": null,
"state": "present",
"unique": false,
"user": "root",
"validate_certs": true
}
...
META: ran handlers
META: ran handlers

When I do exactly the same thing in AWX, I get:

TASK [copy-keys : Append Public key in authorized_keys file] 
*******************
task path: /var/lib/awx/projects/_39__jenkins_cluster/roles/copy-keys/tasks/main.yml:2
 [WARNING]: Unable to find '~/.ssh/id_rsa.pub' in expected paths (use -vvvvv to
see paths)
 [WARNING]: Unable to find '~/.ssh/id_rsa.pub' in expected paths (use -vvvvv to
see paths)
fatal: [jenkins-agent-1]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a 
<class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: ~/.ssh/id_rsa.pub"
}

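The exception is about the file ~/.ssh/id_rsa.pub, here /root/.ssh/id_rsa.pub for user root, which cannot be found because it does not exist. My understanding is that the authorized_key module adds the content of the /root/.ssh/id_rsa.pub file on the Ansible controller to the authorized_keys file on the target host. This file exists: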

PROD root@inf-inone01-prd jenkins-cluster $ cat /root/.ssh/id_rsa.pub
ssh-rsa 
 AAAAB3NzaC1yc2EAAAADAQABAAABAQCuF9U2HvzUubuYYZxJaEu/1nls7RLAZO
+qcJF37RIepTSLOgoPsluq7uVRhEnadqnB0yVWccZY
Hs6WEp5Fo2QIRDRho4+TuACB26EE4GTYGnozyMwOwVcTzRo0CiUXfo3IZKWwQ
+v8WwBMae3EpYrbrEZy6lLS8K85uYseyjg1myRhEsltd 
SiNnHun7p09/v/HMq2KsZcmx6nTg66QvkbbnFvv9UpGQ1J6gvimp11r5r1hwXaB7ejTwrxMIC
vaE2Flq3WGeaB35I4dYFsrWNK1CalP7jPF+MRgqHUrjoOy5hxp3zSXunfGWeRJCaJY5hYDLp3hTGrt8BwcdD+8Gy7r 
root@inf-inone01-prd
PROD root@inf-inone01-prd jenkins-cluster $

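Obviously, the authorized_keys module fails to resolve ~/.ssh, but how does it manage to do so when run with the CLI?

Any suggestion would be highly appreciated, because after spending time testing the whole thing to cover all cases using the CLI, I thought putting everything into AWX would take only a few minutes. Unfortunately, that is not the case.

Kind regards,

Nicolas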

1 Answer

I had the same need, and the best solution I found involves using a custom credential type.

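Examples of how to set up a custom credential type are explained well here and here.

In my case, I created a custom credential type named "SSH Keypair Credential", as shown here

Input configuration: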

fields:
  - id: my_ssh_private_key
    type: string
    label: ssh_private_key
    secret: true
    multiline: true
  - id: my_ssh_public_key
    type: string
    label: ssh_public_key
    secret: true

Injector configuration:

extra_vars:
  ssh_private_key: '{{ tower.filename.my_ssh_private_key }}'
  ssh_public_key: '{{ tower.filename.my_ssh_public_key }}'
file:
  template.my_ssh_private_key: '{{ my_ssh_private_key  }}'
  template.my_ssh_public_key: '{{ my_ssh_public_key  }}'

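After creating the custom credential type, create the custom credential, as shown here

Then add the custom credential to the respective template that will use it, as shown here

The following playbook variables were used: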

admin_username: "admin"
admin_public_sshkey: "{{ '~/.ssh/id_rsa.pub' | expanduser }}"
admin_private_sshkey: "{{ '~/.ssh/id_rsa' | expanduser }}"

admin_ssh_private_key: "{{ ssh_private_key | d(admin_private_sshkey) }}"
admin_ssh_public_key: "{{ ssh_public_key | d(admin_public_sshkey) }}"

The playbook task when setting authorized_key:

- name: Add admin user SSH authorized keys
  when: admin_ssh_public_key is defined
  authorized_key:
    user: "{{ admin_username }}"
    key: "{{ lookup('file', admin_ssh_public_key) }}"

Answered 2020-04-04T21:31:36.297
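
The `file` lookup is evaluated on the machine that runs the job, not on the target host, so the path has to exist there for whichever user executes the play. The play below is an added example, not code from the question or the answer: it reuses the answer's variable names (`ssh_public_key`, `admin_username`) and the question's `jenkins-nodes` group, checks the key file on the controller before the lookup runs, and rejects a file that is not a single OpenSSH public key line. The regular expression and the failure messages are assumptions of this example.

```yaml
---
# Added example. Assumes the custom credential from the answer injects
# `ssh_public_key` (a file path) when the job runs in AWX.
- name: Install admin public key with controller-side pre-checks
  hosts: jenkins-nodes
  become: yes
  vars:
    admin_username: "admin"
    # Same fallback as in the answer: use the injected file if present,
    # otherwise the key of the user running ansible-playbook.
    admin_ssh_public_key: "{{ ssh_public_key | d('~/.ssh/id_rsa.pub' | expanduser) }}"
  tasks:
    - name: Check the key file where lookups are evaluated (the controller)
      stat:
        path: "{{ admin_ssh_public_key }}"
      delegate_to: localhost
      become: no          # read it as the user running the job, like the lookup does
      run_once: yes
      register: pubkey_stat

    - name: Fail early with a readable message instead of the lookup exception
      assert:
        that:
          - pubkey_stat.stat.exists
        fail_msg: >-
          {{ admin_ssh_public_key }} was not found on the controller.
          In AWX, attach the custom credential to the job template.
      run_once: yes

    - name: Refuse content that is not exactly one OpenSSH public key line
      assert:
        that:
          - "pubkey is match('^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$')"
        fail_msg: "The key file does not hold a single OpenSSH public key"
      vars:
        pubkey: "{{ lookup('file', admin_ssh_public_key) }}"
      run_once: yes

    - name: Add admin user SSH authorized keys
      authorized_key:
        user: "{{ admin_username }}"
        state: present
        key: "{{ lookup('file', admin_ssh_public_key) }}"
```

The content check also catches the case where the private and public key fields of the credential were swapped, because a private key file spans several lines and does not match the pattern.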