zoukankan      html  css  js  c++  java
  • ansible playbook批量改ssh配置文件,远程用户Permission denied

     最近手里的数百台服务器需要改/etc/ssh/sshd_config的参数,禁止root直接登陆,也就是说

    [root@t0 ~]# cat /etc/ssh/sshd_config | grep Root
    #PermitRootLogin yes

    得改成

    [root@t1 ~]# cat /etc/ssh/sshd_config| grep ^PermitRoot
    PermitRootLogin no

    一台台登上去改简直要死,ansible自动化运维工具听说还不错,之前就会用命令直接使用shell模块执行sed 替换配置文件里面的参数

    [root@t0 ansible]# ansible all -b --become-method=su --become-user=root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" | grep -E "Root|10.0"
     [WARNING]: Consider using the replace, lineinfile or template module rather than running sed.  If you need to use
    command because replace, lineinfile or template is insufficient you can add warn=False to this command task or set
    command_warnings=False in ansible.cfg to get rid of this message.
    10.0.0.52 | CHANGED | rc=0 >>
    #    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
    PermitRootLogin no
    # the setting of "PermitRootLogin without-password".
    10.0.0.53 | CHANGED | rc=0 >>
    #    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
    PermitRootLogin no
    # the setting of "PermitRootLogin without-password".

    大概看个效果,这样做不仅效率低,而且你不能保证每台服务器的配置文件都是

    #PermitRootLogin yes

    也有可能是PermitRootLogin yes

    所以不一定能达到自己的要求

    然后根据提示信息,我看到了
    replace, lineinfile template这三个模块
    感兴趣的朋友可以自行研究一下
    我今天用的是playbook用正则表达式匹配要更改的项
    首先自己写一个playbook
    [root@t0 playbook]# cat change_ssh.yml 
    ---
    - hosts: test
      gather_facts: false
    #  become: yes
    #  become_method: su
      remote_user: root
      tasks:
      - name: "change file"
        lineinfile:
          path: /etc/ssh/sshd_config
          regexp: '^PermitRootLogin'
          line: 'PermitRootLogin yes'
          state: present
    #    notify: restart sshd
    #      handlers:
    #        - name: restart sshd
    #            service: name=sshd state=restarted
    
    

    之前写的是没有注释的那些,注释的内容是我后来加上去的,待会再解释注释的意思

    然后我的hosts文件

    [root@t0 playbook]# cat ../hosts 
    #[localhost]
    #127.0.0.1
    [test]
    10.0.0.52
    10.0.0.53
    [test:vars]
    ansible_ssh_pass=123456
    ansible_ssh_user=test
    ansible_become_pass=123456

    执行以下命令

    [root@t0 playbook]# ansible-playbook change_ssh.yml 
    
    PLAY [test] ************************************************************************************************************
    
    TASK [change file] *****************************************************************************************************
    fatal: [10.0.0.53]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.0.0.53 closed.
    ", "module_stdout": "Traceback (most recent call last):
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.07-154814815296297/AnsiballZ_lineinfile.py", line 113, in <module>
        _ansiballz_main()
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.07-154814815296297/AnsiballZ_lineinfile.py", line 105, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.07-154814815296297/AnsiballZ_lineinfile.py", line 48, in invoke_module
        imp.load_module('__main__', mod, module, MOD_DESC)
      File "/tmp/ansible_lineinfile_payload_1q9ATP/__main__.py", line 524, in <module>
      File "/tmp/ansible_lineinfile_payload_1q9ATP/__main__.py", line 515, in main
      File "/tmp/ansible_lineinfile_payload_1q9ATP/__main__.py", line 257, in present
    IOError: [Errno 13] Permission denied: '/etc/ssh/sshd_config'
    ", "msg": "MODULE FAILURE
    See stdout/stderr for the exact error", "rc": 1}
    fatal: [10.0.0.52]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 10.0.0.52 closed.
    ", "module_stdout": "Traceback (most recent call last):
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.06-7599860498373/AnsiballZ_lineinfile.py", line 113, in <module>
        _ansiballz_main()
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.06-7599860498373/AnsiballZ_lineinfile.py", line 105, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/test/.ansible/tmp/ansible-tmp-1555555638.06-7599860498373/AnsiballZ_lineinfile.py", line 48, in invoke_module
        imp.load_module('__main__', mod, module, MOD_DESC)
      File "/tmp/ansible_lineinfile_payload_5xlcxo/__main__.py", line 524, in <module>
      File "/tmp/ansible_lineinfile_payload_5xlcxo/__main__.py", line 515, in main
      File "/tmp/ansible_lineinfile_payload_5xlcxo/__main__.py", line 257, in present
    IOError: [Errno 13] Permission denied: '/etc/ssh/sshd_config'
    ", "msg": "MODULE FAILURE
    See stdout/stderr for the exact error", "rc": 1}
        to retry, use: --limit @/etc/ansible/playbook/change_ssh.retry
    
    PLAY RECAP *************************************************************************************************************
    10.0.0.52                  : ok=0    changed=0    unreachable=0    failed=1   
    10.0.0.53                  : ok=0    changed=0    unreachable=0    failed=1   

    结果是失败的,根据报错信息

    IOError: [Errno 13] Permission denied: '/etc/ssh/sshd_config'

    怀疑是权限的问题,因为根据我的hosts文件,默认是普通用户test去执行,所以在playbook里面加上两行

    #  become: yes
    #  become_method: su

    意思就是,我ansible远程操作的时候,用户使用的时管理员的权限,然后再次执行

    [root@t0 playbook]# ansible-playbook change_ssh.yml 
    
    PLAY [test] ************************************************************************************************************
    
    TASK [change file] *****************************************************************************************************
    changed: [10.0.0.52]
    changed: [10.0.0.53]
    
    PLAY RECAP *************************************************************************************************************
    10.0.0.52                  : ok=1    changed=1    unreachable=0    failed=0   
    10.0.0.53                  : ok=1    changed=1    unreachable=0    failed=0   

    查看远程主机的配置文件

    [root@t1 ~]# cat /etc/ssh/sshd_config| grep ^PermitRoot
    PermitRootLogin no

    说明已经改成功了,但是如果配置文件有其他的设置,我们还需要其他的正则,而且sshd的配置文件改完之后需要重启才能生效,所以需要一个触发器,playbook需要做一下调整

    ---
    #- hosts: 'test:!c2'
    - hosts: c2
    #- hosts: "`hosts`" gather_facts: false become: yes become_method: su remote_user: root tasks: - name: 'change sshd_config' lineinfile: dest: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present with_items: #In this way # - { regexp: "^#PermitRootLogin yes",line: "PermitRootLogin no" } #or # - regexp: "^#PermitRootLogin yes" # line: "PermitRootLogin no" #Both methods have the same effect - { regexp: "PermitRootLogin yes",line: "PermitRootLogin no" } notify: restart sshd handlers: - name: restart sshd service: name=sshd state=restarted

    总结:1. ansible如果hosts文件写的ansible_user时普通用户的时候,远程操作需要管理员权限,需要become的

      become: yes
      become_method: su

    或者是

      become: yes
      become_method: sudo
      remote_user: test

       2. 执行完操作之后,利用触发器notify重启sshd服务

      3. 需要继续学习,谢谢

  • 相关阅读:
    nyoj 202红黑树 (搜索)
    POJ 3281 Dining(最大流)
    nyoj-488 素数环 +nyoj -32 组合数 (搜索)
    LeetCode100:Same Tree
    LeetCode283:Move Zeros
    Leetcode226:Invert Binary Tree
    LeetCode258:Add Digits
    Leetcode237:Delete Node in a Linked List
    LeetCode7:Reverse Integer
    LeetCode292:Nim Game
  • 原文地址:https://www.cnblogs.com/augusite/p/10729784.html
Copyright © 2011-2022 走看看