Ansible:根据服务器状态更改“remote_user”

Ansible:根据服务器状态更改“remote_user”

大多数服务器最初都会部署有rootSSH 密钥或密码的直接 SSH 访问权限,以便您可以配置服务器。由于安全问题,我想配置一个具有sudo权限的新用户并禁用 的直接访问权限root

我想创建一个可以帮我完成这项任务的 Ansible Playbook,但我不知道是否可以根据“您可以以 root 身份 ssh 吗?”之类的条件设置等。在运行剧本时ansible_useransible_become是否可以让 Ansible 检测到这一点?

答案1

是的,这是可能的,但大多数解决方案乍一看都会显得相当复杂。你最好简单地定义一个只执行一次的“引导”剧本。这就是我必须安装 python 并设置初始用户的原因。

但是,为了直接回答这个问题,这里有一个可行的解决方案:

# Experiment to "fix" `ansible_user` depending upon host availability
- hosts: all
  gather_facts: false  # Otherwise initial connection will fail

  vars:
    - bootstrap_user: root

  tasks:
    - debug:
        msg: |
          ansible_user: {{ ansible_user | d('unset') }};
          remote_user: {{ remote_user | d('unset') }}

    - action: ping
      ignore_unreachable: true  # requires Ansible >= 2.7
      ignore_errors: yes
      register: pingtest

    # Works (mostly) for Ansible >= 2.2.
    # Might think this alone would work, but only if NOT *ALL* hosts failed up to
    # this point, which makes running the playbook on only a single host pointless.
    # Therefore, also set `ignore_unrechable` in `ping` above.
    # - https://github.com/ansible/ansible/issues/26362
    # - https://github.com/ansible/ansible/issues/19673
    # - https://github.com/ansible/ansible/issues/18075
    - meta: clear_host_errors

    - name: set ansible_user if no ping failed
      set_fact:
        ansible_user: "{{ bootstrap_user }}"
      when: pingtest.failed | d(pingtest.unreachable) | d(false)

    - debug:
        msg: "ansible_user: {{ ansible_user | d('unset') }}"

    # Connect as ansible_user from here on
    - name: Show remote user
      shell: "echo $USER"
      changed_when: false

一般来说,以下两个参考将帮助您理解变量(和优先级,这在这里很重要)以及错误恢复:

相关内容