Update 2021.08.22 (ansible 2.11)
This setting is now specified with callbacks_enabled.
    [defaults]
    callbacks_enabled = profile_tasks
callback_whitelist still works, but it produces a warning.
    $ ansible-playbook -i inventory.ini playbook.yml
    [DEPRECATION WARNING]: [defaults]callback_whitelist option, normalizing names to new standard, use callback_enabled instead. This feature will be removed from ansible-core in version 2.15. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
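Trying out callback_whitelist = profile_tasks, which displays the execution time of each task along with timing statistics.
The idea comes from the ansible.cfg of the Ansible playbooks used to deploy OpenShift.
It looks like this.
Environment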
    [zaki@okd-manager ~]$ cat /etc/redhat-release
    CentOS Linux release 7.7.1908 (Core)
    [zaki@okd-manager ~]$
    [zaki@okd-manager ~]$ ansible --version
    ansible 2.8.5
      config file = /etc/ansible/ansible.cfg
      configured module search path = [u'/home/zaki/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python2.7/site-packages/ansible
      executable location = /usr/bin/ansible
      python version = 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
    [zaki@okd-manager ~]$
    [zaki@okd-manager ~]$ ansible-config dump --only-changed
    [zaki@okd-manager ~]$
    [zaki@okd-manager ~]$ cd ansible/initialize/
    [zaki@okd-manager initialize]$
    [zaki@okd-manager initialize]$ ls -l
    合計 12
    -rw-rw-r--. 1 zaki zaki 72 10月 16 07:19 ansible.cfg
    -rw-rw-r--. 1 zaki zaki 162 10月 16 06:58 inventory.ini
    -rw-r--r--. 1 zaki zaki 436 10月 16 07:18 playbook.yml
    [zaki@okd-manager initialize]$
ansible-config dump --only-changed is a tip from Yokochi-san, who is also well known for the goldfish icon.
(The third edition of Ansible実践ガイド comes out this week!)
inventory.ini
    [all]
    okd-master.esxi.localhost ansible_host=192.168.0.71
    okd-node01.esxi.localhost ansible_host=192.168.0.75
    okd-node02.esxi.localhost ansible_host=192.168.0.76
ansible.cfg
    [defaults]
    host_key_checking = False
    callback_whitelist = profile_tasks
Add callback_whitelist = profile_tasks.
playbook.yml
    ---
    - hosts: localhost
      tasks:
      - name: create .ssh
        file:
          path: "/home/zaki/.ssh"
          state: directory
          mode: 0700
      - name: generate ssh keypair
        openssh_keypair:
          path: "/home/zaki/.ssh/id_rsa"
    - hosts: all
      tasks:
      - name: put authorized keys to remote host
        authorized_key:
          key: "{{ lookup('file', '/home/zaki/.ssh/id_rsa.pub') }}"
          user: zaki
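The contents of the playbook are as follows.
If you wrote this up as something like "SSH key setup procedure.xlsx", you would have to make a cover page, a revision history sheet, and a procedure sheet, then fill in "steps" and "expected results", which is a lot of work. With YAML it is this simple!!
In short, this is the first playbook to run right after installing the OS.
By the way, openssh_keypair is a module available from Ansible 2.8. In 2.6 or earlier environments, I guess the only way is to run ssh-keygen via shell?
Run
Initial state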
    [zaki@okd-manager initialize]$ ls -al ~
    合計 20
    drwx------. 6 zaki zaki 151 10月 16 06:57 .
    drwxr-xr-x. 3 root root 18 10月 16 05:58 ..
    drwx------. 3 zaki zaki 17 10月 16 06:52 .ansible
    -rw-------. 1 zaki zaki 267 10月 16 06:50 .bash_history
    -rw-r--r--. 1 zaki zaki 18 4月 11 2018 .bash_logout
    -rw-r--r--. 1 zaki zaki 193 4月 11 2018 .bash_profile
    -rw-r--r--. 1 zaki zaki 231 4月 11 2018 .bashrc
    drwxrw----. 3 zaki zaki 19 10月 16 06:54 .pki
    drwxrwxr-x. 3 zaki zaki 24 10月 16 06:57 ansible
    drwxrwxr-x. 14 zaki zaki 4096 10月 16 06:55 openshift-ansible
    [zaki@okd-manager initialize]$
There is no ~/.ssh.
Naturally, Ansible's ping module cannot be used either (with key authentication).
    [zaki@okd-manager initialize]$ ansible all -i inventory.ini -m ping
    okd-master.esxi.localhost | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.0.71' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
        "unreachable": true
    }
    okd-node02.esxi.localhost | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.0.76' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
        "unreachable": true
    }
    okd-node01.esxi.localhost | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.0.75' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
        "unreachable": true
    }
    [zaki@okd-manager initialize]$
Run
(The keys are not set up yet, so add the -k option to use password authentication.)
    [zaki@okd-manager initialize]$ ansible-playbook -i inventory.ini playbook.yml -k
    SSH password:
    PLAY [localhost] ***************************************************************
    TASK [Gathering Facts] *********************************************************
    Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.031) 0:00:00.031 *****
    ok: [localhost]
    TASK [create .ssh] *************************************************************
    Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.545) 0:00:00.577 *****
    ok: [localhost]
    TASK [generate ssh keypair] ****************************************************
    Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.230) 0:00:00.807 *****
    changed: [localhost]
    PLAY [all] *********************************************************************
    TASK [Gathering Facts] *********************************************************
    Wednesday 16 October 2019 07:20:00 +0900 (0:00:00.334) 0:00:01.141 *****
    ok: [okd-master.esxi.localhost]
    ok: [okd-node01.esxi.localhost]
    ok: [okd-node02.esxi.localhost]
    TASK [put authorized keys to remote host] **************************************
    Wednesday 16 October 2019 07:20:01 +0900 (0:00:01.068) 0:00:02.209 *****
    changed: [okd-node02.esxi.localhost]
    changed: [okd-node01.esxi.localhost]
    changed: [okd-master.esxi.localhost]
    PLAY RECAP *********************************************************************
    localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    okd-master.esxi.localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    okd-node01.esxi.localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    okd-node02.esxi.localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
    Wednesday 16 October 2019 07:20:01 +0900 (0:00:00.573) 0:00:02.783 *****
    ===============================================================================
    Gathering Facts --------------------------------------------------------- 1.07s
    put authorized keys to remote host -------------------------------------- 0.57s
    Gathering Facts --------------------------------------------------------- 0.55s
    generate ssh keypair ---------------------------------------------------- 0.33s
    create .ssh ------------------------------------------------------------- 0.23s
    [zaki@okd-manager initialize]$
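As an added example (not from the original post), a small Python parser for the profile_tasks output above. It shows that the duration in parentheses printed under each TASK header belongs to the previous task, which is why the values line up with the summary table. The function names are hypothetical, and SAMPLE is constructed from the run above with most per-host result lines trimmed.

```python
import re

# Constructed sample: the run shown above, with most per-host result lines trimmed.
SAMPLE = """\
PLAY [localhost] ***
TASK [Gathering Facts] ***
Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.031) 0:00:00.031 *****
ok: [localhost]
TASK [create .ssh] ***
Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.545) 0:00:00.577 *****
TASK [generate ssh keypair] ***
Wednesday 16 October 2019 07:19:59 +0900 (0:00:00.230) 0:00:00.807 *****
PLAY [all] ***
TASK [Gathering Facts] ***
Wednesday 16 October 2019 07:20:00 +0900 (0:00:00.334) 0:00:01.141 *****
TASK [put authorized keys to remote host] ***
Wednesday 16 October 2019 07:20:01 +0900 (0:00:01.068) 0:00:02.209 *****
PLAY RECAP ***
Wednesday 16 October 2019 07:20:01 +0900 (0:00:00.573) 0:00:02.783 *****
"""

HEADER = re.compile(r"^(PLAY|TASK) \[(.*)\] \*+\s*$")
STAMP = re.compile(r"\((\d+):(\d+):(\d+\.\d+)\)\s+\d+:\d+:\d+\.\d+ \*+\s*$")

def task_durations(output):
    """Return [(play, task, seconds)] in execution order."""
    results, play, current, running = [], None, None, None
    for line in output.splitlines():
        header = HEADER.match(line)
        if header and header.group(1) == "PLAY":
            play = header.group(2)
        elif header:
            current = (play, header.group(2))
        else:
            stamp = STAMP.search(line)
            if not stamp:
                continue  # host result lines, PLAY RECAP, summary table
            h, m, s = stamp.groups()
            # The delta under a header is the time since the previous stamp,
            # so it is charged to the task that was running until now.
            if running is not None:
                results.append(running + (int(h) * 3600 + int(m) * 60 + float(s),))
            running = current
    return results

def slowest(output, n=3):
    """Return the n longest tasks; same-named tasks stay separate per play."""
    return sorted(task_durations(output), key=lambda r: r[2], reverse=True)[:n]
```

The first stamp (0.031s here) is startup time before any task ran, so it is not attributed to a task.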
Verification
    [zaki@okd-manager initialize]$ ansible all -i inventory.ini -m ping
    okd-master.esxi.localhost | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        },
        "changed": false,
        "ping": "pong"
    }
    okd-node01.esxi.localhost | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        },
        "changed": false,
        "ping": "pong"
    }
    okd-node02.esxi.localhost | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        },
        "changed": false,
        "ping": "pong"
    }
I was able to connect with key authentication without -k (the public key was set up correctly).