Servers
| HostName | IP | CPU | MEM | DES |
|---|---|---|---|---|
| k8s-master | 172.26.48.4 | 2 Core | 2G | k8s master node |
| k8s-node1 | 172.26.48.5 | 1 Core | 2G | application node |
| k8s-node2 | 172.26.135.94 | 1 Core | 2G | application node |
Don't forget to update the local /etc/hosts file.
# Append (>>) the following to /etc/hosts
[root@k8s-master ~]# cat <<EOF >> /etc/hosts
172.26.48.4 k8s-master
172.26.48.5 k8s-node1
172.26.135.94 k8s-node2
EOF
Installing ansible on CentOS 7
[root@k8s-master home]# yum install ansible -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: ftp-srv2.kddilabs.jp
* extras: ftp-srv2.kddilabs.jp
* updates: ftp-srv2.kddilabs.jp
No package ansible available.
Error: Nothing to do
# Why: Ansible is part of the Extra Packages for Enterprise Linux (EPEL) repository, so EPEL has to be installed first
[root@msy-k8s-master home]# yum install epel-release -y
[root@msy-k8s-master home]# yum install ansible -y
[root@msy-k8s-master home]# ansible --version
ansible 2.7.10
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
[root@msy-k8s-master home]#
Configure the ansible hosts file
[root@k8s-master deploy]# cat <<EOF >> /etc/ansible/hosts
[all]
172.26.48.4
172.26.48.5
172.26.135.94
[nodes]
172.26.48.5
172.26.135.94
EOF
Create an SSH key
[root@k8s-master ansible]# pwd
/etc/ansible
[root@k8s-master ansible]# ssh-keygen -t rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:VJQenTc40F0FahV6wa+c/ftajF9JhT/le050ERYLOBc root@k8s-master
The key's randomart image is:
+---[RSA 2048]----+
| .+=.E*B=|
| .oo*=Boo|
| .. .*oo=o|
| . .. . o=|
| S . *=|
| =+*|
| .oB|
| =+|
| .o*|
+----[SHA256]-----+
[root@k8s-master ansible]#
Push the SSH key to all nodes with ansible
ansible nodes -m authorized_key -a "user=root key='{{ lookup('file','/root/.ssh/id_rsa.pub')}}' path='/root/.ssh/authorized_keys' manage_dir=no" --ask-pass -c paramiko
SSH password:
......
[root@k8s-master ansible]#
# All nodes share the same password, so it only has to be entered once; if the passwords differ, they have to be handled individually
# Parameters:
# which user on the remote host the key is pushed to
user=root
# path of the public key file to push
key='{{ lookup('file','/root/.ssh/id_rsa.pub')}}'
# the directory on the remote host the key is pushed into, and the file name it gets there
path='/root/.ssh/authorized_keys'
# whether the module should manage the directory holding the authorized_keys file; with yes it creates the directory and sets the owner and permissions of an existing one. When a different directory for the authorized keys file is given via path, this should be set to no
manage_dir=no
# whether to remove every key from authorized_keys other than the specified one
exclusive [default: no]:
# present adds the specified key to authorized_keys; absent removes it from authorized_keys
state (Choices: present, absent) [Default: present]:
Test that passwordless SSH works by checking the kernel version on all nodes
[root@k8s-master ansible]# ansible nodes -m shell -a 'uname -r'
172.26.48.5 | CHANGED | rc=0 >>
3.10.0-862.14.4.el7.x86_64
172.26.135.94 | CHANGED | rc=0 >>
3.10.0-862.14.4.el7.x86_64
[root@k8s-master ansible]#
Configuring passwordless SSH manually, without ansible
server1:root -> server2:root
1. Generate a key pair on the control host
[root@k8s-master]# ssh-keygen -t rsa
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
2. Copy the public key to the server that should accept passwordless login (using the server k8snodeip as the example)
[root@k8s-master]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@k8snodeip
Then enter the password when prompted (done).
server1:user1 -> server2:user2 (passwordless login for a regular user)
1. Generate a key pair on the control host
[root@k8s-user1]$ ssh-keygen -t rsa
2. Copy the public key to the server that should accept passwordless login (using the server k8snodeip as the example)
[root@k8s-user1]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[root@k8s-user1]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user2@server2
Then enter the password when prompted (done).
3. Revoking passwordless login
Just remove the public key from authorized_keys on the host that accepted it
vim /root/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA9SpdzH…… root@k8s-master
Troubleshooting: passwordless login does not take effect
1. If you get an error like the following:
Are you sure you want to continue connecting (yes/no)? 16.11.8.86 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
^C [ERROR]: User interrupted executio
In theory, passwordless login should already work once the public key has been copied as above. Investigation showed the problem was the configuration in sshd_config.
# Step 1: confirm the file and directory permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
# Step 2: if it still does not work after the above, check the settings in /etc/ssh/sshd_config, then run systemctl restart sshd to restart the sshd service
# Root login disabled; enable it if you log in as root. When commented out, the default is yes
#PermitRootLogin yes
# Whether users may log in with their own key pairs; protocol version 2 only. When commented out, the default is yes.
RSAAuthentication yes
PubkeyAuthentication yes
# Self-generated public keys go into .ssh/authorized_keys under the user's home directory
AuthorizedKeysFile .ssh/authorized_keys
# Step 3: if access still fails after the above, try changing StrictModes in /etc/ssh/sshd_config to no (when commented out, the default is yes; note that this setting may lower security), then run systemctl restart sshd to restart the sshd service
StrictModes no
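The three troubleshooting steps above, turned into one check script (an added example, not from the original post). It assumes GNU stat on Linux and takes the home directory and sshd_config path as parameters, so it can be pointed at a copy and reports every finding at once instead of stopping at the first.

```shell
#!/bin/sh
# Added example, not from the original post: replays the permission and
# sshd_config checks from the troubleshooting steps against a given
# home directory and config file, reporting every finding at once.
# Assumes GNU stat (Linux); paths are parameters so it can run on a copy.

# sshd_effective KEY FILE: value of the first uncommented KEY in FILE,
# or "" when it is commented out or absent (sshd then uses its default).
sshd_effective() {
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# check_pubkey_login HOME_DIR SSHD_CONFIG [USER]
# Prints one line per problem; returns the number of problems (0 = clean).
check_pubkey_login() {
    home="$1"; cfg="$2"; user="${3:-root}"; n=0
    # Step 1: StrictModes rejects a home, .ssh or authorized_keys that is
    # group- or world-writable (last two octal digits containing 2,3,6,7).
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; n=$((n + 1)); continue
        fi
        mode=$(stat -c '%a' "$p")
        case "$mode" in
            *[2367]?|*[2367]) echo "group/world-writable ($mode): $p"; n=$((n + 1)) ;;
        esac
    done
    # Step 2: the sshd_config keys the post points at.
    v=$(sshd_effective PubkeyAuthentication "$cfg")
    if [ "${v:-yes}" = no ]; then
        echo "PubkeyAuthentication no in $cfg"; n=$((n + 1))
    fi
    # Only "no" blocks key login for root; prohibit-password still allows keys.
    v=$(sshd_effective PermitRootLogin "$cfg")
    if [ "$user" = root ] && [ "$v" = no ]; then
        echo "PermitRootLogin no blocks root even with a valid key"; n=$((n + 1))
    fi
    v=$(sshd_effective AuthorizedKeysFile "$cfg")
    case "${v:-.ssh/authorized_keys}" in
        *authorized_keys*) ;;
        *) echo "AuthorizedKeysFile is '$v' but the key was appended to .ssh/authorized_keys"; n=$((n + 1)) ;;
    esac
    return "$n"
}
```

Run it as `check_pubkey_login /root /etc/ssh/sshd_config root` on the node that refuses the key; a clean run prints nothing and exits 0, so the remaining suspect is the client side rather than StrictModes or sshd_config.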
Solved.
Configuring the user ansible runs as
Edit /etc/ansible/ansible.cfg
become=True ### turns on become, i.e. the password-entry step
become_method=su ### how to switch from the regular account to root or another required account; su or sudo can be used here
become_user=root ### set to the root account: equivalent to logging in to the remote host as a regular user and then running su - root
become_ask_pass=True ### ask for the password
Error handling
1. Error:
[WARNING]: Platform linux on host *.*.*.* is using the discovered Python interpreter at /usr/bin/python, but
future installation of another Python interpreter could change this. See
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
Edit /etc/ansible/ansible.cfg
Add the following setting to the [defaults] section of ansible.cfg
interpreter_python = auto_legacy_silent
2. Error:
| FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"module_stderr": "",
"module_stdout": "sudo: a password is required\r\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
Solution:
[root@leo ~]# visudo
username ALL=(ALL) NOPASSWD: ALL
3. Error:
| FAILED | rc=-1 >>
Timeout (12s) waiting for privilege escalation prompt:
Add the -c paramiko parameter to the command
ansible all -m shell -a 'sudo mkdir -p /home/leo/ansible' -c paramiko
4. Error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Solution:
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys