我正在尝试使用Ansible来自动化新服务器实例的设置过程。 其中一个设置任务改变了默认的SSH端口,因此需要我更新主机列表。
如果无法将连接build立到默认的SSH端口,可以通过让Ansible回退到指定的端口来实现自动化?
您可以在主机上尝试一个local_action来查看是否可以连接到相应的端口并注册成功并将其设置为事实。 您希望closures收集事实,否则设置模块在尝试连接已经重新configuration的主机时将失败。 一旦你完成了这个游戏,只需在gather_facts和其他的下面添加其他的。
- name: determine ssh port hosts: all gather_facts: false vars: custom_ssh_port: 222 tasks: - name: test default ssh port local_action: wait_for port=22 timeout=5 host={{inventory_hostname}} register: default_ssh ignore_errors: true - name: set ansible_ssh_port to default set_fact: ansible_ssh_port=22 when: default_ssh.elapsed < 5 - name: test ssh on high port local_action: wait_for port={{custom_ssh_port}} timeout=5 host={{inventory_hostname}} register: high_ssh when: default_ssh.elapsed >= 5 ignore_errors: true - name: set ansible_ssh_port high set_fact: ansible_ssh_port={{custom_ssh_port}} when: default_ssh.elapsed >= 5 and high_ssh.elapsed < 5
有人指出,这将会在你使用这个游戏手册的时候吹出时间。 你也可以在只能在具有重新configuration的ssh端口的主机上运行的vars部分中设置ansible_ssh_port。 例如
- name: change ssh ports tasks: - name: edit sshd_config lineinfile .. notify: restart ssh handlers: - name: restart ssh service: sshd state=restarted - name: continue setup vars: - ansible_ssh_port : 5422 tasks: ...
@RichardSalts感谢让我开始这个。 我用nc来检查应该快很多的端口。 这是我的bootstrap.xml:
testing使用ansible 1.5(devel 3b8fd62ff9)上次更新2014/01/28 20:26:03
--- # Be sure to set the following variables for all hosts: # vars: # oldsshport: 22 # sshport: 555 # Might fail without setting remote_tmp = /tmp/ansible/$USER in your ansible.cfg. Also fix for directly below. # Once host is setup most of the checks are skipped and works very quickly. # Also, be sure to set non-standard shells in a different playbook later. Stick with /bin/bash until you can run apt install. # Assumes root user has sshkey setup already. Not sure how to utilize the --ask-pass option. For now, use ssh-copy-id prior to running playbook on new host for root user (if needed). # Test new ssh port - name: ssh test nc {{ sshport }} local_action: shell nc -z -w5 {{ inventory_hostname }} {{ sshport }} register: nc_ssh_port failed_when: nc_ssh_port.stdout.find('failed') != -1 changed_when: nc_ssh_port.stdout == "" ignore_errors: yes # Set port to new port if connection success - name: set ansible_ssh_port set_fact: ansible_ssh_port={{ sshport }} when: nc_ssh_port|success # Fail back to old port if new ssh port fails - name: ssh test nc port {{ oldsshport }} local_action: shell nc -z -w5 {{ inventory_hostname }} {{ oldsshport }} register: nc_ssh_default changed_when: nc_ssh_default.stdout == "" ignore_errors: yes when: nc_ssh_port|changed # Set ansible to old port since new failed - name: set ansible_ssh_port to {{ oldsshport }} set_fact: ansible_ssh_port={{ oldsshport }} when: nc_ssh_default|success and nc_ssh_port|changed # Check if root user can ssh - name: find user local_action: shell ssh -o StrictHostKeyChecking=no -o BatchMode=yes -o ConnectTimeout=5 -p {{ ansible_ssh_port }} root@{{ inventory_hostname }} exit register: ssh_as_root failed_when: ssh_as_root.stdout.find('failed') != -1 changed_when: ssh_as_root.stderr.find('Permission denied') == -1 # If root user success, set this up to change later - name: first user set_fact: first_user={{ ansible_ssh_user }} when: ssh_as_root|changed # Set ssh user to root - name: root user set_fact: ansible_ssh_user=root when: ssh_as_root|changed # ANSIBLE FIX: /tmp/ansible isn't world-writable for setting remote_tmp = /tmp/ansible/$USER in ansible.cfg - name: /tmp/ansible/ directory exists with 0777 permission file: path=/tmp/ansible/ owner=root group=root mode=0777 recurse=no state=directory changed_when: False sudo: yes # Setup user accounts - include: users.yml # Set ssh user back to default user (that was setup in users.yml) - name: ansible_ssh_user back to default set_fact: ansible_ssh_user={{ first_user }} when: ssh_as_root|changed # Reconfigure ssh with new port (also disables non-ssh key logins and disable root logins) - name: sshd.conf template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 register: sshd_config sudo: yes # Force changes immediately to ssh - name: restart ssh service: name=ssh state=restarted when: sshd_config|changed sudo: yes # Use updated ssh port - name: set ansible_ssh_port set_fact: ansible_ssh_port={{ sshport }} when: nc_ssh_port|changed
既然你可能很早就部署了你的sshconfiguration,你应该保持这个简单。 只需configuration目标ansible_ssh_port
您的广告资源和使用-e
第一次部署您的sshconfiguration时:
ansible-playbook bootstrap_ssh.yml -e 'ansible_ssh_port=22'
请注意, ansible_ssh_port
在2.0中已弃用(取代ansible_port
)
Is it possible to automate this by having Ansible fallback to a specified port if the connection could not be established to the default SSH port?
我也需要类似的function,所以我分叉并修补了Ansible ssh插件,希望Ansible Inc.能够采用它。 他们没有。 它testing非标准的SSH端口的规格,看看他们是否打开,如果没有,恢复到默认的SSH端口。 这是一个非常小的补丁,可在https://github.com/crlb/ansible获得 。
我想出了一个强大的幂等任务列表,以便更改SSH端口并处理连接到正确的端口的angular色,而无需更改库存文件。 我已经在我的博客上发布了详细信息: https : //dmsimard.com/2016/03/15/changing-the-ssh-port-with-ansible/