
Tuesday, 26 November 2019

EX294: Create and distribute SSH keys to managed nodes

0 Accounts used for Ansible SSH connection

Ansible uses SSH as its communication layer, which is why Ansible is agentless.

In principle, Ansible can use any account for the SSH connection, but it is best practice to create a separate account dedicated to Ansible.

On a managed node, as root, create a user for the Ansible connection.

# useradd ansible_user
# echo pwd123 | passwd --stdin ansible_user

1 Password-less ssh connection

Usually, key-based authentication is preferable to passwords because it's more secure and more convenient.

Distributing SSH keys to managed nodes is very simple.

On the control node:

# Generate a new key-pair if necessary
$ ssh-keygen -t rsa

The key-pair is saved under ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

All that needs to be done next is to install "id_rsa.pub" into ~ansible_user/.ssh/authorized_keys on the managed nodes.

This can be done remotely or on the managed nodes. Here we do this job remotely.

ssh ansible_user@vm1 'mkdir ~/.ssh/'
ssh ansible_user@vm1 'chmod 700 ~/.ssh/'
cat ~/.ssh/id_rsa.pub | ssh ansible_user@vm1 'cat >> ~/.ssh/authorized_keys'
ssh ansible_user@vm1 'chmod 600 ~/.ssh/authorized_keys'

Then, test the connection by:

ssh ansible_user@vm1

It should not ask for password anymore.
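The four-command install above, folded into one idempotent function so it can be re-run safely on every managed node: this is an added example, not part of the original post. It checks that the input is an OpenSSH public key line, enforces the permissions sshd requires, and appends the key only if its blob is not already present; distribute_key ships the function over the password-authenticated session and assumes bash on both ends.

```shell
#!/bin/bash
# install_authorized_key PUBKEY_FILE HOME_DIR
# Same effect as mkdir/chmod/cat >>/chmod above, but idempotent: the key is
# appended only if its blob is absent, and the modes sshd's StrictModes wants
# (700 on ~/.ssh, 600 on authorized_keys) are enforced on every run.
# File names are constructed for this example.
install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single line that looks like an OpenSSH public key.
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Compare on the key blob (field 2) so that a changed comment
    # does not produce a duplicate entry.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -qF -- "$blob" "$auth_keys"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
}

# distribute_key USER@HOST PUBKEY_FILE
# Runs the function on the managed node over the (still password
# authenticated) ssh session, as the post does by hand. The function body
# is shipped with declare -f, so bash is assumed locally and remotely.
distribute_key() {
    ssh "$1" "$(declare -f install_authorized_key); install_authorized_key /dev/stdin ~" < "$2"
}
```

Usage on the control node: distribute_key ansible_user@vm1 ~/.ssh/id_rsa.pub, then run ssh ansible_user@vm1 as above to confirm no password is requested.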

2 Connection configuration for Ansible: inventory variables

There are several inventory variables that affect the Ansible connection. More details can be found in the Ansible documentation under connecting-to-hosts-behavioral-inventory-parameters.

Note:

As Ansible keeps changing, ansible_ssh_user, ansible_ssh_password, ansible_ssh_host, ... have been replaced by their shorter versions ansible_user, ansible_password, ansible_host, ....

Since EX294 uses Ansible 2.8, we should always use the shorter versions in the exam.

On the control node, add the managed node to inventory.

cat ./hosts
vm1 ansible_host=172.23.17.43 ansible_user=ansible_user ansible_password=pwd123

Note: In the real world, it's not safe to store the password as plain text in inventory.

Now we can test the connection from the control node:

$ ansible all -i hosts -a 'whoami'
vm1 | SUCCESS | rc=0 >>
ansible_user

Finally, we test the key-based connection with Ansible.

Delete the "ansible_password" variable from ./hosts, so that Ansible has to authenticate with the key.

cat ./hosts
vm1 ansible_host=172.23.17.43 ansible_user=ansible_user

$ ansible all -i hosts -a 'whoami'
vm1 | SUCCESS | rc=0 >>
ansible_user
