Source
-
Preparation
Ansible server
Performed as the admin user
Place the shell script

```sh
#!/bin/sh
# Creates the Ansible service account, installs its public key, and grants
# the group passwordless sudo. Idempotent: existing objects are left alone.

# Variables
GROUP="ansible_group"
GROUPID=50000
USER="ansible_user"
USERID=50001
PASSWORD="hoge"          # placeholder; key-based login is what Ansible will use
SSHPATH="/home/${USER}/.ssh"
AUTHFILE="authorized_keys"
SSHKEY=""                # filled in later with the contents of id_rsa.pub

create_group() {
  if getent group ${GROUP} > /dev/null 2>&1; then
    echo "${GROUP} already exists."
  else
    if sudo groupadd -g ${GROUPID} ${GROUP} > /dev/null 2>&1; then
      echo "${GROUP} created."
    else
      echo "Failed to create ${GROUP}: error code $?" && exit 8
    fi
  fi
}

create_user() {
  if getent passwd ${USER} > /dev/null 2>&1; then
    echo "${USER} already exists."
  else
    if sudo useradd -u ${USERID} -g ${GROUP} -m -d /home/${USER} ${USER} > /dev/null 2>&1; then
      echo "${USER}:${PASSWORD}" | sudo chpasswd > /dev/null 2>&1
      echo "${USER} created."
    else
      echo "Failed to create ${USER}: error code $?" && exit 8
    fi
  fi
}

set_ssh_key() {
  # ~/.ssh must be 700 and authorized_keys 600, or sshd ignores the key.
  if sudo mkdir -p ${SSHPATH} && sudo chown ${USER}:${GROUP} ${SSHPATH} && sudo chmod 700 ${SSHPATH}; then
    # SSHKEY is quoted so the key line is written exactly as given.
    if echo "${SSHKEY}" | sudo tee "${SSHPATH}/${AUTHFILE}" > /dev/null && sudo chmod 600 "${SSHPATH}/${AUTHFILE}" && sudo chown ${USER}:${GROUP} "${SSHPATH}/${AUTHFILE}"; then
      echo "SSH key file created and permissions set successfully"
    else
      echo "Failed to create SSH key file or set permissions" && exit 8
    fi
  else
    echo "Failed to create ${SSHPATH} or set permissions" && exit 8
  fi
}

setup_sudoers() {
  # The drop-in is root-only (0440), so the existence check needs sudo too.
  if sudo grep ${GROUP} /etc/sudoers.d/${GROUP} > /dev/null 2>&1; then
    echo "${GROUP} already exists in sudoers."
  else
    if echo "%${GROUP} ALL=(ALL:ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/${GROUP} > /dev/null && sudo chmod 0440 /etc/sudoers.d/${GROUP}; then
      echo "Sudoers file setup for ${GROUP} completed."
    else
      echo "Failed to setup sudoers file for ${GROUP}." && exit 8
    fi
  fi
}

create_group
create_user
set_ssh_key
setup_sudoers
exit 0
```
Run the shell script

```
$ bash ./setup.sh
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
$
```
Switch to ansible_user

```
$ su - ansible_user
Password:
$
```
Create the key pair

```
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ansible_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ansible_user/.ssh/id_rsa.
Your public key has been saved in /home/ansible_user/.ssh/id_rsa.pub.
The key fingerprint is:
- snip -
+----[SHA256]-----+
$
```
Since the Ansible server itself is also a managed target (setup.sh ran here before the key existed), install the public key manually:

```
$ cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
```
Switch back to the working user

```
$ su - admin
$
```
Set the public key in the shell script

```
$ sudo sh -c 'sed -i "s#SSHKEY=\"\"#SSHKEY=\"$(cat /home/ansible_user/.ssh/id_rsa.pub)\"#g" ./setup.sh'
```
Transfer the shell script to the target servers

```
$ scp setup.sh admin@control01:.
$ scp setup.sh admin@control02:.
```
Run the shell script over SSH

The standard output differs between 01 and 02 because the admin user's settings were being tested on them and their state differs.

```
$ ssh -t admin@control01 'sh ./setup.sh'
[sudo] password for admin:
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
Connection to control01 closed.
$ ssh -t admin@control02 'sh ./setup.sh'
admin@control02's password:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for admin:
ansible_group created.
ansible_user created.
SSH key file created and permissions set successfully
Sudoers file setup for ansible_group completed.
Connection to control02 closed.
```
Switch to ansible_user

```
$ su - ansible_user
```
Connection test

```
[ansible_user@master01 ~]$ ssh ansible_user@control01
The authenticity of host 'control01 (192.168.50.41)' can't be established.
ECDSA key fingerprint is SHA256:T------.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'control01,192.168.50.41' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

[ansible_user@control01 ~]$ exit
[ansible_user@master01 ~]$ ssh ansible_user@control02
The authenticity of host 'control02 (192.168.50.33)' can't be established.
ECDSA key fingerprint is SHA256:jVWzlk+0fsrUkL5xxBLorwYb6NxFRSMXBOkpsvIrT6U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'control02,192.168.50.33' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard

[ansible_user@control02 ~]$ exit
```
Check the private key (used in the following steps)

```
$ sudo cat ~ansible_user/.ssh/id_rsa
$
```
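An added post-provisioning check (example code, not from the original page): run with sudo on each host, it verifies the state setup.sh should have left behind, and its authorized_keys check flags the case where a private key rather than id_rsa.pub ends up in the file. The fixture at the bottom is constructed for the demo; real runs pass the service account's home and the /etc/sudoers.d drop-in.

```shell
#!/bin/sh
# Post-setup audit for the state setup.sh leaves behind (example code added
# here, not part of the original page). It verifies the 700/600 modes the
# script sets, that authorized_keys holds only public key lines (so a
# private key copied there by mistake is caught), and that the sudoers
# drop-in has mode 0440 and parses with visudo.

# 0 when every non-blank, non-comment line of $1 is an OpenSSH public key
# line; 1 if the file is missing/empty, holds a "-----BEGIN" block, or any
# other line (key-option prefixes such as from= are also flagged).
check_authorized_keys() {
  [ -s "$1" ] || return 1
  grep -q -e '-----BEGIN' "$1" && return 1
  ! grep -Ev '^[[:space:]]*(#|$)' "$1" \
    | grep -Ev '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) ' \
    | grep -q .
}

# 0 when $1 exists with exactly octal mode $2 (GNU stat; e.g. 700 or 440).
check_mode() {
  [ -e "$1" ] && [ "$(stat -c %a "$1")" = "$2" ]
}

# Run all checks against a home directory and a sudoers drop-in file.
audit_ansible_user() {
  home="$1"; dropin="$2"; rc=0
  check_mode "$home/.ssh" 700 || { echo "FAIL: $home/.ssh is not mode 700"; rc=1; }
  check_mode "$home/.ssh/authorized_keys" 600 || { echo "FAIL: authorized_keys is not mode 600"; rc=1; }
  check_authorized_keys "$home/.ssh/authorized_keys" || { echo "FAIL: authorized_keys has non-public-key content"; rc=1; }
  check_mode "$dropin" 440 || { echo "FAIL: $dropin is not mode 0440"; rc=1; }
  if command -v visudo > /dev/null 2>&1; then
    visudo -c -q -f "$dropin" || { echo "FAIL: visudo rejects $dropin"; rc=1; }
  else
    echo "SKIP: visudo not found, sudoers syntax not checked"
  fi
  [ "$rc" -eq 0 ] && echo "audit passed"
  return "$rc"
}

# Demo on a constructed fixture (no real accounts are touched).
demo_dir=$(mktemp -d)
mkdir -m 700 "$demo_dir/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EconstructedKey ansible_user@master01\n' > "$demo_dir/.ssh/authorized_keys"
chmod 600 "$demo_dir/.ssh/authorized_keys"
printf '%%ansible_group ALL=(ALL:ALL) NOPASSWD:ALL\n' > "$demo_dir/ansible_group"
chmod 440 "$demo_dir/ansible_group"
audit_ansible_user "$demo_dir" "$demo_dir/ansible_group"
rm -rf "$demo_dir"
```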
Ansible Automation Platform
Credentials
Edit
Changes
| Item | Before | After |
|---|---|---|
| Username | admin | ansible_user |
| SSH private key | - | Paste the contents shown under "Check the private key (used in the following steps)" |
Verification
Run the Test job
Confirm that, at the end of line 0, the executing user has changed.