0

  1. 我可以完全访问 ServerA(单服务器)[IP: 142.5.5.55] 我有我的公钥/app/serverA/mw.pub。该服务器从我运行自动化的地方具有ansible。

  2. 我从 ansible ServerA 与 3 个服务器 [IP: 11.1.1.220, 11.1.1.221, 11.1.1.222] 建立了 ssh 无密码连接,我们将这 3 个服务器称为 jump_nodes

  3. 最后,我有一个称为目标主机 [IP: 192.0.0.200, 192.0.0.201, 192.0.0.202] 的东西,我们将其命名为 dest_nodes 我们希望在其中注入我们的公钥mw.pub。只有 jump_nodes 连接到 dest_nodes。

因此:

ServerA(ansible) ---------------------> jump_nodes --------------------> dest_nodes 
                  copy to ~/mw.pub               inject ~/mw.pub

我可以mw.pub使用下面的剧本将我的公钥复制到 ~/mw.pub 下的所有 jump_nodes。

一切都很好,但以下是失败的:

我现在希望将~/mw.pubfrom jump 服务器注入到目标主机,即曾经具有连接性的 dest_nodes。

我的剧本:

---

- name: "Play 1"
  hosts: localhost
  gather_facts: false
  tags: always
  tasks:
    - name: Add host
      debug:
        msg: " hello "
    - set_fact:
        jump_server_list: "{{ JUMP_SERVER | trim }}"
    - set_fact:
        target_server_list: "{{ TARGET_SERVER | trim }}"

    - add_host:
        hostname: "{{ item }}"
        groups: jump_nodes
      with_items: "{{ jump_server_list.split('\n') }}"

    - add_host:
        hostname: "{{ item }}"
        groups: dest_nodes
      with_items: "{{ target_server_list.split('\n') }}"

- name: "Play 2"
  hosts: dest_nodes
  user: root
  ignore_unreachable: yes
  vars:
    ansible_ssh_extra_args: -o StrictHostKeyChecking=no
    ansible_ssh_private_key_file: /app/id_rsa

  gather_facts: true

  tasks:
    - name: Copy ssh public key to a file on jump servers
      raw: "echo {{ TARGET_KEY }}>~/mw.pub"
      run_once: True
      delegate_to: "{{ item }}"
      with_items: "{{ groups['jump_nodes'] }}"

    - name: Set authorized key taken from file
      ignore_errors: yes
      authorized_key:
        user: "{{ TARGET_USER }}"
        state: present
        key: "{{ lookup('file', '~/mw.pub') }}"
      register: keystatus
      delegate_to: "{{ item }}"
      with_items: "{{ groups['jump_nodes'] }}"

    - debug:
        msg: "CHECK STATUS {{ keystatus }}"
      ignore_errors: yes

输出:

TASK [Copy ssh public key to a file on jump servers] *******************************************************************************************************************
task path: /app/injectkeys/injectsshkeys.yml:40
<11.1.1.220> ESTABLISH SSH CONNECTION FOR USER: root
<11.1.1.220> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/app/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/home/axmwapp/.ansible/cp/42c5d2e05f -tt 11.1.1.220 'echo ssh-rsa PPPPB3NzaC1yc2EPPPPDAQABAAABAQDQGeUOA0vJK1AXSp3UKK1KF4VnFzmcrCoM4Ha7jx49DGPkGuNgS4ZKYYGiAl7FDhwtysvUF6JSl1l3Gxrki3nLDmGYUHbzNCU0qghOw85gbr++W+b+VfEZEnzTE8VPjAgR/JvQItLd2F8PGGlZBwDUXOIvuw8Acqft0nErDkPkKApJcn302qHtOc9R1mFff/GuD6WL6gjPF0gZsEkxHq+FObdsuUzndon0SR3SPeoF/oKA2CVy15+ea6wZnAYqCCppbdgZYR9uSZlMnvwMGT2g3Au+kL2dls3aRYQm6ZH0IrOpfn8M+BaPCcpWppE64XSPZlkU+3mIe2riG4IyIE75 it@shop.com>~/mw.pub'
<11.1.1.220> (0, '', 'Shared connection to 11.1.1.220 closed.\r\n')
changed: [192.0.0.200 -> 11.1.1.220] => (item=11.1.1.220) => {
    "ansible_loop_var": "item",
    "changed": true,
    "item": "11.1.1.220",
    "rc": 0,
    "stderr": "Shared connection to 11.1.1.220 closed.\r\n",
    "stderr_lines": [
        "Shared connection to 11.1.1.220 closed."
    ],
    "stdout": "",
    "stdout_lines": []
}

TASK [Set authorized key taken from file] ******************************************************************************************************************************
task path: /app/injectkeys/injectsshkeys.yml:46
[WARNING]: Unable to find '~/mw.pub' in expected paths (use -vvvvv to see paths)

fatal: [192.0.0.200]: FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: ~/mw.pub"
}
...ignoring

TASK [debug] ***********************************************************************************************************************************************************
task path: /app/injectkeys/injectsshkeys.yml:57
ok: [192.0.0.200] => {
    "msg": "CHECK STATUS {'msg': u\"An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: ~/mw.pub\", 'failed': True}"
}
META: ran handlers
META: ran handlers

下面是我如何运行剧本

ansible-playbook /app/injectkeys/injectsshkeys.yml -f 5 -e JUMP_SERVER='11.1.1.220' -e TARGET_SERVER='192.0.0.200' -e TARGET_USER='root' -e TARGET_KEY="'ssh-rsa PPPPB3NzaC1yc2EPPPPDAQABAAABAQDQGeUOA0vJK1AXSp3UKK1KF4VnFzmcrCoM4Ha7jx49DGPkGuNgS4ZKYYGiAl7FDhwtysvUF6JSl1l3Gxrki3nLDmGYUHbzNCU0qghOw85gbr++W+b+VfEZEnzTE8VPjAgR/JvQItLd2F8PGGlZBwDUXOIvuw8Acqft0nErDkPkKApJcn302qHtOc9R1mFff/GuD6WL6gjPF0gZsEkxHq+FObdsuUzndon0SR3SPeoF/oKA2CVy15+ea6wZnAYqCCppbdgZYR9uSZlMnvwMGT2g3Au+kL2dls3aRYQm6ZH0IrOpfn8M+BaPCcpWppE64XSPZlkU+3mIe2riG4IyIE75 it@shop.com'" -vvv

正如您从输出中看到~/mw.pub的那样,尽管它应该在 dest_nodes 192.0.0.200 上查找它应该在它所在的 11.1.1.220 上查找,然后在 192.0.0.200 上注入它,但它仍在 dest_nodes 上查找delegate_to: jump_nodes~/mw.pub

你能建议我如何解决这个问题吗?

4

1 回答 1

1

从关于查找插件的文档

像所有模板一样,这些插件在 Ansible 控制机器上进行评估,而不是在目标/远程。

所以它实际上不是在目标主机上而是在控制器上。

如果你需要从目标中获取一个文件,你将不得不使用fetch之前lookup的本地副本或者slurp将内容放入一个变量中。

于 2020-09-07T07:22:32.077 回答