0.禁止root登陆
1.用sudo的用户登陆
2.执行root的权限
3.cat /etc/ansible/hosts
# Ex 2: A collection of hosts belonging to the 'webservers' group
[test]
10.0.0.3 ansible_ssh_user="dev" ansible_ssh_pass="do2admin" ansible_become_pass="ccsds@AA2123"
10.0.0.7 ansible_ssh_user="dev" ansible_ssh_pass="do2admin" ansible_become_pass="ccsds@AA2123"
-------------------------------------------------
[frame]
10.0.0.4
[frame:vars]
ansible_ssh_user="dev"
ansible_ssh_pass="do2admin"
-------------------------------------------------
[root@frontend-1 yum_with_items]# ansible frame -m shell -a 'whoami'
10.0.0.4 | CHANGED | rc=0 >>
dev
-------------------------------------------------
4.用普通用户执行root的任务
ansible playbook远程切换用户执行
[root@frontend-1 deploy]# cat root_cannot_login.yaml
---
- name : root can not login and other user login and sudo as root
hosts: all
gather_facts: False
become: yes
become_user: root
become_method: sudo
tasks:
- name: create test file as normal user
shell: echo 'hahahahahhahah how to show command run results' > /tmp/fuckdevsudotoroot1.txt
- name: create new user
shell: sudo useradd aftergege
- name: test use special charactor
shell: sudo echo 'do2admin'|passwd --stdin aftergege
- name: Show debug info
debug: var=result.stdout verbosity=3
参考:https://blog.csdn.net/change_can/article/details/105559227
# 在使用verbosity: 3的时候输出debug结果
ansible-playbook ./debug.yaml -i /root/ansible-code/inventory/inventory.ini --private-key=/root/.ssh/ansible -vvv
3.远程执行脚本
[root@frontend-1 deploy]# cat to_adduser_script.yaml
---
- name: login to adduser at remote host as normal user
gather_facts: FALSE
hosts: all
become: yes
become_user: root
become_method: sudo
tasks:
# - name: copy script to remote host
# copy: src=/opt/deploy/adduser.sh dest=/tmp/adduser.sh
- name: execute scripts at remote hosts
script: /tmp/adduser.sh