I tried a simple verification of Ansible multi-hop SSH connections
Introduction
I did a simple verification of multi-hop SSH connections (through a bastion host) with Ansible.
I referred to the following sites:
https://oji-cloud.net/2022/07/25/post-7084/
https://qiita.com/brighton0725/items/9c3b205fdc3234298928
I recommend watching the following Udemy course before taking part in the hands-on session, to deepen your understanding of Ansible.
Prerequisites
On AWS I set up a bastion server in a public subnet and an EC2 instance (Amazon Linux 2) in a private subnet.
Installing Ansible on WSL
$ sudo apt-get install ansible
SSH connection settings (in ~/.ssh/config; the "test" host is reached through the bastion with ProxyCommand)
$ vi config
Host basion
  HostName <IP address of the bastion>
  User ec2-user
  Port 22
  IdentityFile <private-key>.pem
Host test
  HostName <IP address of the EC2 in the private subnet>
  User ec2-user
  IdentityFile <private-key>.pem
  ProxyCommand ssh -W %h:%p basion
Creating the inventory file
$ vi inventory.ini
[server]
server1 ansible_host=test    # server in the private subnet
server2 ansible_host=basion  # bastion
[server:vars]
ansible_user=ec2-user
ansible_become=yes
Creating the playbook
$ vi test_playbook.yml
- hosts: server
  tasks:
    - name: test-playbook
      file:
        path: /tmp/test.txt
        state: touch
Checking the playbook (dry run with --check)
For reading the output I referred to the following site:
https://chibinfra-techblog.com/ansible-playbook-to-how-to-read-the-output-results/
$ ansible-playbook -i inventory.ini test_playbook.yml --check
PLAY [server] **********************************************************************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************************************************************
ok: [server2]
ok: [server1]
TASK [test-playbook] ***************************************************************************************************************************************************
ok: [server2]
ok: [server1]
PLAY RECAP *************************************************************************************************************************************************************
server1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
With -vv, ansible-playbook first prints its own details (version, config file, module search path) and then runs the playbook, showing the task path and each module's return values as it goes.
$ ansible-playbook -i inventory.ini test_playbook.yml -vv
ansible-playbook 2.9.6
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/test/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.8.10 (default, Mar 15 2022, 12:22:08) [GCC 9.4.0]
Using /etc/ansible/ansible.cfg as config file
PLAYBOOK: test_playbook.yml ********************************************************************************************************************************************
1 plays in test_playbook.yml
PLAY [server] **********************************************************************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************************************************************
task path: /home/test/.ssh/test_playbook.yml:1
ok: [server2]
ok: [server1]
META: ran handlers
TASK [test-playbook] ***************************************************************************************************************************************************
task path: /home/test/.ssh/test_playbook.yml:3
changed: [server2] => {"changed": true, "dest": "/tmp/test.txt", "gid": 1000, "group": "ec2-user", "mode": "0664", "owner": "ec2-user", "size": 0, "state": "file", "uid": 1000}
changed: [server1] => {"changed": true, "dest": "/tmp/test.txt", "gid": 1000, "group": "ec2-user", "mode": "0664", "owner": "ec2-user", "size": 0, "state": "file", "uid": 1000}
META: ran handlers
META: ran handlers
PLAY RECAP *************************************************************************************************************************************************************
server1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
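The PLAY RECAP lines above are the part of the output worth checking mechanically: a host that is unreachable (for example because the ProxyCommand hop to the bastion fails) or a failed task should stop a wrapper script rather than be scrolled past. The following is an added example, not code from the post or from Ansible; it parses recap lines of the shape shown above, and the sample recap it embeds is constructed (the server2/server3 problems are made up for the test).

```shell
#!/bin/sh
# Added example (not from the original post): scan an ansible-playbook
# PLAY RECAP for hosts that failed or were unreachable, so a wrapper
# script can stop instead of silently continuing.
# The recap below is constructed after the one in the post; server2 and
# server3 are made-up problem cases.
SAMPLE_RECAP='PLAY RECAP *************************************************
server1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2 : ok=2 changed=1 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
server3 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0'

# Read playbook output on stdin and print "host failed=N unreachable=M"
# for every recap line where either counter is non-zero.
recap_problems() {
    awk '
        /^PLAY RECAP/ { in_recap = 1; next }
        in_recap && /^[^ ]+ +: +ok=/ {
            host = $1; failed = 0; unreachable = 0
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "failed") failed = kv[2] + 0
                if (kv[1] == "unreachable") unreachable = kv[2] + 0
            }
            if (failed > 0 || unreachable > 0)
                printf "%s failed=%d unreachable=%d\n", host, failed, unreachable
        }
    '
}

# Exit status 0 when every host in the recap is clean, 1 otherwise
# (suitable for "ansible-playbook ... | tee run.log; recap_ok < run.log").
recap_ok() {
    [ -z "$(recap_problems)" ]
}

# Demo run on the constructed recap.
printf '%s\n' "$SAMPLE_RECAP" | recap_problems
```

The awk pattern tolerates the column padding that real recap lines carry between the host name and the colon, so the same function works on the --check output and the -vv output shown above.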
Confirm that test.txt was created on the servers.
Run the following on WSL.
$ cat config
Host basion
HostName 57.180.59.107
User ec2-user
Port 22
IdentityFile shibata.pem
Host test
HostName 10.0.131.139
User ec2-user
IdentityFile shibata.pem
ProxyCommand ssh -W %h:%p basion
Confirm that /tmp/test.txt has been created on both hosts.
$ ssh basion "ls -l /tmp/test.txt"
-rw-r--r-- 1 root root 0 Nov 24 13:47 /tmp/test.txt
$ ssh test "ls -l /tmp/test.txt"
-rw-r--r-- 1 root root 0 Nov 24 13:47 /tmp/test.txt
Check the logs on the bastion EC2 (it is also a managed host here, so sudo entries for the Ansible modules appear on it as well).
[ec2-user@ip-10-0-15-6 tmp]$ journalctl -f
-- Logs begin at Fri 2023-11-24 12:29:27 UTC. --
Nov 24 13:47:36 ip-10-0-15-6.ap-northeast-1.compute.internal systemd-logind[2631]: New session 28 of user ec2-user.
Nov 24 13:47:36 ip-10-0-15-6.ap-northeast-1.compute.internal sshd[1356]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Nov 24 13:47:37 ip-10-0-15-6.ap-northeast-1.compute.internal sudo[1443]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-tqlidhhedclkfrabnyjwnudlanpqoool#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700833656.3074315-153278217607487/AnsiballZ_setup.py
Nov 24 13:47:37 ip-10-0-15-6.ap-northeast-1.compute.internal sudo[1443]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Nov 24 13:47:38 ip-10-0-15-6.ap-northeast-1.compute.internal ansible-setup[1445]: Invoked with gather_subset=['all'] gather_timeout=10 filter=* fact_path=/etc/ansible/facts.d
Nov 24 13:47:38 ip-10-0-15-6.ap-northeast-1.compute.internal sudo[1443]: pam_unix(sudo:session): session closed for user root
Nov 24 13:47:41 ip-10-0-15-6.ap-northeast-1.compute.internal sudo[1535]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-dnyjcbkcynztzzfwuvgvksedlrzqxgvg#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700833661.0242012-152444705114118/AnsiballZ_file.py
Nov 24 13:47:41 ip-10-0-15-6.ap-northeast-1.compute.internal sudo[1535]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Nov 24 13:47:42 ip-10-0-15-6.ap-northeast-1.compute.internal ansible-file[1537]: Invoked with path=/tmp/test.txt state=touch recurse=False force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S _original_basename=None _diff_peek=None src=None modification_time=None access_time=None mode=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None content=NOT_LOGGING_PARAMETER backup=None remote_src=None regexp=None delimiter=None directory_mode=None unsafe_writes=None
Logs on the EC2 in the private subnet
[ec2-user@ip-10-0-131-139 tmp]$ journalctl -f
Nov 24 14:03:05 ip-10-0-131-139.ap-northeast-1.compute.internal systemd[1]: Started Session 23 of user ec2-user.
Nov 24 14:03:05 ip-10-0-131-139.ap-northeast-1.compute.internal systemd-logind[2645]: New session 23 of user ec2-user.
Nov 24 14:03:05 ip-10-0-131-139.ap-northeast-1.compute.internal sshd[1381]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Nov 24 14:03:06 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1449]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-lpzgmvswrsnxdyozfmnseoicagdepksk#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700834582.71089-82014919350321/AnsiballZ_setup.py
Nov 24 14:03:06 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1449]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Nov 24 14:03:07 ip-10-0-131-139.ap-northeast-1.compute.internal ansible-setup[1451]: Invoked with gather_subset=['all'] gather_timeout=10 filter=* fact_path=/etc/ansible/facts.d
Nov 24 14:03:07 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1449]: pam_unix(sudo:session): session closed for user root
Nov 24 14:03:08 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1541]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-klohxlvhzcbzoghiemtapfaeljzvjpbw#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700834587.4417715-50074300371805/AnsiballZ_file.py
Nov 24 14:03:08 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1541]: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
Nov 24 14:03:08 ip-10-0-131-139.ap-northeast-1.compute.internal ansible-file[1543]: Invoked with path=/tmp/test.txt state=touch recurse=False force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S _original_basename=None _diff_peek=None src=None modification_time=None access_time=None mode=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None content=NOT_LOGGING_PARAMETER backup=None remote_src=None regexp=None delimiter=None directory_mode=None unsafe_writes=None
Nov 24 14:03:08 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1541]: pam_unix(sudo:session): session closed for user root
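The sudo entries in both journals are the audit trail of what Ansible ran as root: with ansible_become=yes every module (setup, file) is executed through sudo, and sudo writes the command with spaces encoded as "#040". The following is an added example, not code from the post or from Ansible or sudo; it decodes that escape and reduces each sudo line to "who -> target user, which Ansible module (or which non-Ansible command)". The journal lines it embeds are constructed after the post's output, with the BECOME-SUCCESS tokens shortened and a made-up interactive /bin/bash entry added to show how a non-Ansible privilege escalation stands out.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which commands were
# run as root through sudo on a managed host, separating Ansible module
# invocations from anything else.
# The lines below are constructed after the post's journalctl output; the
# "#040" sequences are sudo's octal escape for a space inside COMMAND=.
SAMPLE_JOURNAL='Nov 24 14:03:05 ip-10-0-131-139.ap-northeast-1.compute.internal sshd[1381]: pam_unix(sshd:session): session opened for user ec2-user by (uid=0)
Nov 24 14:03:06 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1449]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-xxxx#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700834582.71089-82014919350321/AnsiballZ_setup.py
Nov 24 14:03:08 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1541]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/sh#040-c#040echo#040BECOME-SUCCESS-yyyy#040;#040/usr/bin/python3#040/home/ec2-user/.ansible/tmp/ansible-tmp-1700834587.4417715-50074300371805/AnsiballZ_file.py
Nov 24 14:03:09 ip-10-0-131-139.ap-northeast-1.compute.internal sudo[1600]: ec2-user : TTY=pts/1 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/bash'

# Read journal lines on stdin; for each sudo COMMAND= entry print
#   "<timestamp> <user>-><target> ansible-module=<name>"  for AnsiballZ_<name>.py
#   "<timestamp> <user>-><target> non-ansible-command=<cmd>" for anything else.
ansible_become_events() {
    sed 's/#040/ /g' |
    awk '
        / sudo\[[0-9]+\]: / && /COMMAND=/ {
            ts = $1 " " $2 " " $3        # syslog-style timestamp
            who = $6                     # invoking user (field after "sudo[pid]:")
            target = ""; cmd = ""
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^USER=/) target = substr($i, 6)
                if ($i ~ /^COMMAND=/) {
                    cmd = substr($i, 9)
                    for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
                    break
                }
            }
            # "AnsiballZ_" is 10 characters and ".py" is 3, so strip both.
            if (match(cmd, /AnsiballZ_[A-Za-z0-9_]+\.py/)) {
                mod = substr(cmd, RSTART + 10, RLENGTH - 13)
                printf "%s %s->%s ansible-module=%s\n", ts, who, target, mod
            } else {
                printf "%s %s->%s non-ansible-command=%s\n", ts, who, target, cmd
            }
        }
    '
}

# Demo run on the constructed journal.
printf '%s\n' "$SAMPLE_JOURNAL" | ansible_become_events
```

On a real host the same function can be fed with "journalctl -u sudo" or "journalctl _COMM=sudo" output; only the "#040" space escape is decoded here, which is enough for the command lines Ansible generates.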
Summary
By taking part in the Ansible hands-on I got a rough understanding of the basics.
If you follow the steps in this article before the hands-on, the concepts will be easier to grasp.