techtsubame’s blog

This is a personal memo; I take no responsibility for whatever happens.

Ansible Automation Platform: create a user for Ansible and set up key-based authentication

Source

-

Preparation

Ansible server

Run as the admin user

Place the shell script (setup.sh)

#!/bin/sh
# Creates the Ansible service account, installs its SSH public key and grants
# the group passwordless sudo. Run it on the Ansible server first (SSHKEY is
# still empty there; the key pair is generated afterwards), then on each
# managed node with SSHKEY filled in.

# Variables
GROUP="ansible_group"
GROUPID=50000
USER="ansible_user"
USERID=50001
PASSWORD="hoge"                  # initial password, used for the first su
SSHPATH="/home/${USER}/.ssh"
AUTHFILE="authorized_keys"
SSHKEY=""                        # public key; filled in later with sed

create_group() {
  if getent group "${GROUP}" > /dev/null 2>&1; then
    echo "${GROUP} already exists."
  else
    if sudo groupadd -g "${GROUPID}" "${GROUP}" > /dev/null 2>&1; then
      echo "${GROUP} created."
    else
      echo "Failed to create ${GROUP}: error code $?" && exit 8
    fi
  fi
}

create_user() {
  if getent passwd "${USER}" > /dev/null 2>&1; then
    echo "${USER} already exists."
  else
    if sudo useradd -u "${USERID}" -g "${GROUP}" -m -d "/home/${USER}" "${USER}" > /dev/null 2>&1; then
      echo "${USER}:${PASSWORD}" | sudo chpasswd > /dev/null 2>&1
      echo "${USER} created."
    else
      echo "Failed to create ${USER}: error code $?" && exit 8
    fi
  fi
}

set_ssh_key() {
  # ~/.ssh must be 700 and authorized_keys 600, both owned by the user,
  # otherwise sshd ignores the key file.
  if sudo mkdir -p "${SSHPATH}" && sudo chown "${USER}:${GROUP}" "${SSHPATH}" && sudo chmod 700 "${SSHPATH}"; then
    if echo "${SSHKEY}" | sudo tee "${SSHPATH}/${AUTHFILE}" > /dev/null && sudo chmod 600 "${SSHPATH}/${AUTHFILE}" && sudo chown "${USER}:${GROUP}" "${SSHPATH}/${AUTHFILE}"; then
      echo "SSH key file created and permissions set successfully"
    else
      echo "Failed to create SSH key file or set permissions" && exit 8
    fi
  else
    echo "Failed to create ${SSHPATH} or set its permissions" && exit 8
  fi
}

setup_sudoers() {
  if grep "${GROUP}" "/etc/sudoers.d/${GROUP}" > /dev/null 2>&1; then
    echo "${GROUP} already exists in sudoers."
  else
    # A drop-in under /etc/sudoers.d must be mode 0440 or sudo refuses to read it.
    if echo "%${GROUP} ALL=(ALL:ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/${GROUP}" > /dev/null && sudo chmod 0440 "/etc/sudoers.d/${GROUP}"; then
      echo "Sudoers file setup for ${GROUP} completed."
    else
      echo "Failed to setup sudoers file for ${GROUP}." && exit 8
    fi
  fi
}

create_group
create_user
set_ssh_key
setup_sudoers

exit 0

Run the script

$ bash ./setup.sh
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
$ 

Switch to ansible_user

$ su - ansible_user
Password:
$

Generate the key pair

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible_user/.ssh/id_rsa.
Your public key has been saved in /home/ansible_user/.ssh/id_rsa.pub.
The key fingerprint is:
- snip -
+----[SHA256]-----+
$ 

Since the Ansible server is itself also a target, do the following manually (the public key goes into authorized_keys)

$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

Switch back to the working user

$ su - admin
$ 

Set the public key in the script

$ sudo sh -c 'sed -i "s#SSHKEY=\"\"#SSHKEY=\"$(cat /home/ansible_user/.ssh/id_rsa.pub)\"#g" ./setup.sh'

Copy the script to the target servers

$ scp setup.sh admin@control01:.
$ scp setup.sh admin@control02:.

Run the script over SSH

The output differs between 01 and 02 because I had been testing the admin user's configuration and the two hosts were in different states.

$ ssh -t admin@control01 'sh ./setup.sh'
[sudo] password for admin:
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
Connection to control01 closed.
$ ssh -t admin@control02 'sh ./setup.sh'
admin@control02's password:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for admin:
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
Connection to control02 closed.

Switch to ansible_user

$ su - ansible_user

Connection test

[ansible_user@master01 ~]$ ssh ansible_user@control01
The authenticity of host 'control01 (192.168.50.41)' can't be established.
ECDSA key fingerprint is SHA256:T------.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'control01,192.168.50.41' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

[ansible_user@control01 ~]$ exit
[ansible_user@master01 ~]$ ssh ansible_user@control02
The authenticity of host 'control02 (192.168.50.33)' can't be established.
ECDSA key fingerprint is SHA256:jVWzlk+0fsrUkL5xxBLorwYb6NxFRSMXBOkpsvIrT6U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'control02,192.168.50.33' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
[ansible_user@control02 ~]$ exit

Check the private key (used in a later step)

$ sudo cat ~ansible_user/.ssh/id_rsa
$ 
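Once the script has run on every host, it is worth checking that what it left behind is what sshd and sudo actually require. The following audit script is an added example, not part of the original post: it verifies that ~/.ssh is 700 and authorized_keys is 600, both owned by the user, that authorized_keys contains only public keys (it fails if a private-key block was copied in by mistake), and that the sudoers drop-in is 0440 and carries the exact rule setup.sh writes. It assumes GNU coreutils (`stat -c`) and a POSIX sh; the function names and the `audit_account` wrapper are my own.

```shell
#!/bin/sh
# Post-provisioning audit for the account created by setup.sh.
# Added example; assumes GNU coreutils (stat -c) and a POSIX sh.

# audit_ssh_dir DIR OWNER: 0 when DIR is mode 700 and owned by OWNER.
audit_ssh_dir() {
  dir="$1"; owner="$2"
  [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
  mode=$(stat -c '%a' "$dir")
  [ "$mode" = "700" ] || { echo "bad mode $mode on $dir (want 700)"; return 1; }
  who=$(stat -c '%U' "$dir")
  [ "$who" = "$owner" ] || { echo "bad owner $who on $dir (want $owner)"; return 1; }
  return 0
}

# audit_authorized_keys FILE OWNER: 0 when FILE is mode 600, owned by OWNER,
# and every non-blank, non-comment line is a public key of a common type.
# Fails if private-key material (-----BEGIN ...) or anything else is present.
audit_authorized_keys() {
  file="$1"; owner="$2"
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  [ "$mode" = "600" ] || { echo "bad mode $mode on $file (want 600)"; return 1; }
  who=$(stat -c '%U' "$file")
  [ "$who" = "$owner" ] || { echo "bad owner $who on $file (want $owner)"; return 1; }
  if grep -q -- '-----BEGIN' "$file"; then
    echo "private key material found in $file"; return 1
  fi
  keys=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ""|"#"*) ;;                                   # blank or comment line
      "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) keys=$((keys + 1)) ;;
      *) echo "unexpected line in $file: $line"; return 1 ;;
    esac
  done < "$file"
  [ "$keys" -gt 0 ] || { echo "no public keys in $file"; return 1; }
  return 0
}

# audit_sudoers FILE GROUP: 0 when FILE is mode 440 and contains exactly the
# %GROUP rule that setup.sh writes.
audit_sudoers() {
  file="$1"; group="$2"
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  [ "$mode" = "440" ] || { echo "bad mode $mode on $file (want 440)"; return 1; }
  grep -q "^%${group} ALL=(ALL:ALL) NOPASSWD:ALL\$" "$file" \
    || { echo "expected %${group} rule not found in $file"; return 1; }
  return 0
}

# audit_account [USER] [GROUP]: run all three checks against the paths that
# setup.sh uses. Defaults match the script's variables.
audit_account() {
  user="${1:-ansible_user}"; group="${2:-ansible_group}"
  audit_ssh_dir "/home/${user}/.ssh" "${user}" \
    && audit_authorized_keys "/home/${user}/.ssh/authorized_keys" "${user}" \
    && audit_sudoers "/etc/sudoers.d/${group}" "${group}"
}
```

Run it on each host as root, for example `sudo sh -c '. ./audit.sh && audit_account'`, since ~/.ssh and the sudoers drop-in are not readable by other users. For the sudoers file, `visudo -c -f /etc/sudoers.d/ansible_group` (as root) remains the authoritative syntax check; the function above only checks mode and content.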

Ansible Automation Platform

Credentials

Edit

Changes

Item             Before   After
Username         admin    ansible_user
SSH private key  -        Paste the contents shown under "Check the private key (used in a later step)"

Verification

Run the Test job

Confirm at the end of line 0 of the job output that the executing user has changed.