ansibleテスト環境


ip
user
sudo_user
port
usage
192.168.48.81
ansible
root
29922
nagios & ansible control
192.168.48.82
ansible
root
29922
nagios node1 & boston1
192.168.48.83
ansible
root
29922
target host
192.168.48.84
ansible
root
29922
target host
192.168.48.85
ansible
root
29922
nagios node1 & boston2
192.168.48.86
ansible
root
29922
target host
192.168.48.87
ansible
root
29922
target host

要件


1) 81は83,84,86,87に直接アクセスできず、踏み台サーバ82,85を経由して設定を変更できます。 2) すべてのサーバでsshポートを22->29922に変更し、rootのリモートログインを無効にし、ansibleユーザーにrootへのsudoを許可します。 3) sshkey 81->82,85, 82->83,84, 85->86,87

制御機(コントロールノード)


インストール方法http://www.cnblogs.com/liujitao79/p/4193368.html
inventory
#/etc/ansible/hosts
# Ansible inventory on the control node. Groups follow the host table:
# [center] is the control node itself; each idc group lists its bastion first
# (.82 / .85) followed by the target hosts that sit behind it.
# NOTE(review): the requirements move sshd to port 29922, but no per-host port
# or remote user is set in this inventory - confirm where those are configured.
[center]
192.168.48.81

[idc1]
192.168.48.82
192.168.48.83
192.168.48.84

[idc2]
192.168.48.85
192.168.48.86
192.168.48.87

ssh管理方式テスト
# ansible idc1 -u root -k -m ping 
SSH password: 

# results
192.168.48.82 | success >> {
    "changed": false, 
    "ping": "pong"
}

192.168.48.83 | success >> {
    "changed": false, 
    "ping": "pong"
}

192.168.48.84 | success >> {
    "changed": false, 
    "ping": "pong"
}

サーバの初期化


以下の内容を、ssh password方式でメンテナンス環境に対して変更します: 1) ansibleユーザ 2) sshd構成の確立 3) sshkey。変更完了後は、sshkey方式でアプリケーション環境を導入します。

制御機(コントロールノード)


81
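# Run on the control node (192.168.48.81).
# Generate one RSA key pair per hop: control node -> bastions (ansible.pem),
# bastion 82 -> its targets (bastion82.pem), bastion 85 -> its targets
# (bastion85.pem).
# NOTE(review): -N '' writes the private keys without a passphrase, so file
# permissions are their only protection; keep them readable by the owner only.
ssh-keygen -b 2048 -t rsa -f /tmp/ansible.pem -q -N ''
ssh-keygen -b 2048 -t rsa -f /tmp/bastion82.pem -q -N ''
ssh-keygen -b 2048 -t rsa -f /tmp/bastion85.pem -q -N ''

# Key store referenced by the IdentityFile entries in ssh.config; restrict the
# directory to its owner.
mkdir -p /etc/ansible/keys
chmod 700 /etc/ansible/keys
# Copy exactly the three key pairs generated above (private key and .pub)
# instead of every *.pem that happens to be in /tmp.
cp /tmp/{ansible,bastion82,bastion85}.pem{,.pub} /etc/ansible/keys/
# NOTE(review): the private keys are still present in /tmp after this copy;
# remove them once the public keys have been distributed.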

82 & 85
# Run on each bastion (192.168.48.82 and 192.168.48.85).
# Create the ansible group and user with a fixed gid/uid of 501.
groupadd -g 501 ansible
useradd -u 501 -g 501 ansible
# ~/.ssh is owned by the ansible user and closed to everyone else (700).
mkdir -p /home/ansible/.ssh && chown -R ansible:ansible /home/ansible/.ssh && chmod 700 /home/ansible/.ssh

# Shorthand, not a literal command: install ansible.pem.pub (generated on the
# control node) as this user's authorized_keys. How the file reaches the
# bastion is not shown on the page.
cp ansible.pem.pub -> /home/ansible/.ssh/authorized_keys
# authorized_keys is owned by the ansible user and readable by it alone (600).
chown ansible:ansible /home/ansible/.ssh/authorized_keys && chmod 600 /home/ansible/.ssh/authorized_keys

テスト
ansible 192.168.48.82 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.82 | success >> {
    "changed": false, 
    "ping": "pong"
}

ansible 192.168.48.85 -u ansible --private-key=/etc/ansible/keys/ansible.pem -m ping
192.168.48.85 | success >> {
    "changed": false, 
    "ping": "pong"
}

踏み台サーバ(バスティオン)


83 & 84 & 86 & 87
# Run on each target host (192.168.48.83, .84, .86, .87).
# Create the ansible group and user with a fixed gid/uid of 501.
groupadd -g 501 ansible
useradd -u 501 -g 501 ansible
# ~/.ssh is owned by the ansible user and closed to everyone else (700).
mkdir -p /home/ansible/.ssh && chown -R ansible:ansible /home/ansible/.ssh && chmod 700 /home/ansible/.ssh

# Shorthand, not a literal command: hosts 83 and 84 receive bastion82.pem.pub,
# hosts 86 and 87 receive bastion85.pem.pub, each installed as authorized_keys.
# How the public key is transferred is not shown on the page.
cp bastion82.pem.pub(83,84),bastion85.pem.pub(86,87) -> /home/ansible/.ssh/authorized_keys
# authorized_keys is owned by the ansible user and readable by it alone (600).
chown ansible:ansible /home/ansible/.ssh/authorized_keys && chmod 600 /home/ansible/.ssh/authorized_keys

82
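# Run on bastion 192.168.48.82: one-off check that the targets behind it accept
# the bastion82 key. The login targets were obfuscated on the page
# ("[email protected]"); they are restored here from the host table and the
# key-distribution step (user ansible, hosts .83 and .84).
# NOTE(review): this check places the bastion82 private key on the bastion.
# The ssh.config route (ProxyCommand ... -W) keeps that key on the control node,
# so make sure the temporary copy really is removed afterwards.
# cp bastion82.pem -> /tmp
ssh -i /tmp/bastion82.pem ansible@192.168.48.83
ssh -i /tmp/bastion82.pem ansible@192.168.48.84
# rm /tmp/bastion82.pem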

制御機(コントロールノード)


/etc/ansible/ssh.config
# NOTE(review): these two lines are in hosts-file form (address, then name).
# bastion-85 is mapped to 192.168.48.82 here, while the host table and the
# "Host bastion-85" entry in ssh.config use 192.168.48.85 - confirm which
# address is intended before relying on this mapping.
192.168.48.82 bastion-82
192.168.48.82 bastion-85

/etc/ansible/ssh.config
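# SSH client configuration for the control node, used as
#   ssh -F /etc/ansible/ssh.config <alias>
# Bastions (bastion-82, bastion-85) are reached directly with ansible.pem.
# Servers are reached through their bastion: ProxyCommand opens a stdio tunnel
# (-W %h:%p) via the bastion, and the server login itself uses the
# bastion-specific key held on the control node.
#
# NOTE(review): "StrictHostKeyChecking no" (in every Host block and again inside
# each ProxyCommand) disables host key verification: new host keys are accepted
# without confirmation and a changed key does not stop the connection. That is
# tolerable only on an isolated test network; elsewhere, pre-populate
# known_hosts and drop these settings.
# NOTE(review): -A in the ProxyCommand requests agent forwarding to the bastion;
# with -W only stdio is forwarded, so it looks unnecessary - confirm and remove.
# NOTE(review): no Port directive is set although the requirements move sshd to
# 29922 - confirm where the port is configured.

Host bastion-82
    User            ansible
    Hostname        192.168.48.82
    IdentityFile    /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no

Host bastion-85
    User            ansible
    Hostname        192.168.48.85
    IdentityFile    /etc/ansible/keys/ansible.pem
    StrictHostKeyChecking no

# Targets behind bastion-82.
Host server-83
    User            ansible
    Hostname        192.168.48.83
    IdentityFile    /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -A -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p

Host server-84
    User            ansible
    Hostname        192.168.48.84
    IdentityFile    /etc/ansible/keys/bastion82.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -A -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-82 -o 'StrictHostKeyChecking=no' -W %h:%p

# Targets behind bastion-85.
Host server-86
    User            ansible
    Hostname        192.168.48.86
    IdentityFile    /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -A -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p

Host server-87
    User            ansible
    Hostname        192.168.48.87
    IdentityFile    /etc/ansible/keys/bastion85.pem
    StrictHostKeyChecking no
    ProxyCommand    ssh -q -A -x -l ansible -i /etc/ansible/keys/ansible.pem bastion-85 -o 'StrictHostKeyChecking=no' -W %h:%p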
# Connectivity check from the control node: open a session to every alias
# defined in ssh.config, bastions first, then the servers behind them.
for target in bastion-82 bastion-85 server-83 server-84 server-86 server-87; do
  ssh -F /etc/ansible/ssh.config "$target"
done