Learning Ansible by Example (17): Using Ansible over SSH with a Username and Password

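Copyright notice: this is an original article by the blogger. Reposting without the blogger's permission is welcome, but please credit the source. https://blog.csdn.net/liumiaocn/article/details/82354158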

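Can Ansible be used without setting up passwordless (key-based) SSH? The answer is yes.
Key point: how to use Ansible when passwordless SSH has not been set up.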

Prerequisites

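Ansible often assumes that passwordless SSH is already set up, but this is not strictly required: without it, a username and password are needed instead. As for why Ansible is so closely tied to SSH, we confirm this using two machines between which no passwordless SSH has been set up.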

Hostname/IP        Purpose
platform           Machine on which Ansible is installed
192.168.163.129    Target machine that Ansible connects to

Beforehand, add the following entry to Ansible's hosts file on the platform machine:

[root@platform ~]# grep 192.168 /etc/ansible/hosts |grep -v '#'
192.168.163.129
[root@platform ~]#

Passwordless SSH is not set up between the two machines, so a username and password must be entered:

[root@platform ~]# ssh 192.168.163.129 hostname
root@192.168.163.129's password: 
liumiaocn
[root@platform ~]# 

Confirming Ansible's connection method

As shown below, without any SSH setup even the simplest ping command returns UNREACHABLE, and the message is "Failed to connect to the host via ssh": the machine cannot be reached over SSH.

[root@platform ~]# ansible 192.168.163.129 -m ping
192.168.163.129 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n", 
    "unreachable": true
}
[root@platform ~]# 

We use the -vvv option to see how the failure occurs in this case:

[root@platform ~]# ansible 192.168.163.129 -m ping -vvv
ansible 2.6.3
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.163.129> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/15d39cfe75 192.168.163.129 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.163.129> (255, '', 'Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
192.168.163.129 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n", 
    "unreachable": true
}
[root@platform ~]#

Setting the username/password

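As the output shows, by default SSH: EXEC ssh -C -o is invoked. Given ssh's options, passwordless SSH does not have to be set up, but a username and password then have to be supplied at execution time. These two values can be set through the following variables: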

Setting             Description
ansible_ssh_user    Username
ansible_ssh_pass    Password

There is more than one way to set these; here is the simplest one:

[root@platform ~]# grep 192.168.163 /etc/ansible/hosts
192.168.163.129 ansible_ssh_user=root ansible_ssh_pass=liumiao
[root@platform ~]#
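
The inventory line above keeps the login password in clear text in /etc/ansible/hosts, so it is worth being able to find such entries. The following is an added example, not part of the original post: a shell function that lists inline SSH password variables in an INI-style inventory without printing the values. The function names, the 192.0.2.x hosts, vault_deploy_password and the sample file are constructed for illustration; ansible_ssh_password and ansible_password are other names Ansible's ssh connection accepts for the same setting.

```shell
#!/usr/bin/env bash
# Added example: list inline SSH passwords in an INI-style Ansible inventory.
# Output format: LINE:OWNER:VARIABLE (the password value itself is never printed).

audit_inventory() {
    awk '
        /^[ \t]*([#;]|$)/ { next }                 # skip comments and blank lines
        /^[ \t]*\[/       { section = $1; next }   # remember the current [section]
        {
            gsub(/[ \t]*=[ \t]*/, "=")             # normalise "key = value"; re-splits fields
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^(ansible_ssh_pass|ansible_ssh_password|ansible_password)=/)
                    continue
                val = $i; sub(/^[^=]*=/, "", val)
                if (val ~ /^.?[{][{]/) continue    # templated reference, e.g. a vault variable
                name = $i; sub(/=.*/, "", name)
                owner = (i == 1) ? section : $1    # vars-section line vs. host line
                print NR ":" owner ":" name
            }
        }
    ' "$1"
}

# Constructed sample inventory; only the first host line comes from the article.
write_sample_inventory() {
    cat > "$1" <<'EOF'
# constructed sample inventory
[web]
192.168.163.129 ansible_ssh_user=root ansible_ssh_pass=liumiao
192.0.2.10 ansible_user=deploy
192.0.2.11 ansible_user=deploy ansible_password="{{ vault_deploy_password }}"

[web:vars]
ansible_ssh_password = constructed-secret
EOF
}

# Demo run against the sample file
inv=$(mktemp)
write_sample_inventory "$inv"
audit_inventory "$inv"
rm -f "$inv"
```

Entries whose value is a template reference are skipped because the secret is then stored elsewhere, for example in an Ansible Vault file.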

Confirming the result

With this approach, the ansible command runs even though passwordless SSH has not been set up:

[root@platform ~]# ansible 192.168.163.129 -m ping
192.168.163.129 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[root@platform ~]#

How Ansible does it

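As the output shows, Ansible still uses ssh when it runs: it generates a temporary executable file, transfers it to the target machine via sftp, executes it, and deletes it afterwards.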

[root@platform ~]# ansible 192.168.163.129 -m ping -vvv
ansible 2.6.3
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.163.129> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec 192.168.163.129 '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<192.168.163.129> (0, '/root\n', '')
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.163.129> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec 192.168.163.129 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160 `" && echo ansible-tmp-1535588259.29-145057259619160="` echo /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160 `" ) && sleep 0'"'"''
<192.168.163.129> (0, 'ansible-tmp-1535588259.29-145057259619160=/root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/ping.py
<192.168.163.129> PUT /root/.ansible/tmp/ansible-local-320slpIij/tmpfOmqrb TO /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ping.py
<192.168.163.129> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec '[192.168.163.129]'
<192.168.163.129> (0, 'sftp> put /root/.ansible/tmp/ansible-local-320slpIij/tmpfOmqrb /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ping.py\n', '')
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.163.129> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec 192.168.163.129 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ping.py && sleep 0'"'"''
<192.168.163.129> (0, '', '')
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.163.129> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec -tt 192.168.163.129 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ping.py && sleep 0'"'"''
<192.168.163.129> (0, '\r\n{"invocation": {"module_args": {"data": "pong"}}, "ping": "pong"}\r\n', 'Shared connection to 192.168.163.129 closed.\r\n')
<192.168.163.129> ESTABLISH SSH CONNECTION FOR USER: root
<192.168.163.129> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=root -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/9e41121aec 192.168.163.129 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1535588259.29-145057259619160/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.163.129> (0, '', '')
192.168.163.129 | SUCCESS => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "data": "pong"
        }
    }, 
    "ping": "pong"
}
META: ran handlers
META: ran handlers
[root@platform ~]# 

Log analysis

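We previously analysed Ansible's simplest ping command; for details see https://blog.csdn.net/liumiaocn/article/details/52070617. Compared with the output above, the most important difference is the premise of whether passwordless SSH has been set up. If you compare the two carefully, you will find that when it has not been set up, Ansible actually uses sshpass, and sshpass is precisely the command that spares ssh the interactive entry of the username and password.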


Reposted from blog.csdn.net/liumiaocn/article/details/82354158