- \n
- \n
- \u30ed\u30fc\u30ab\u30eb\u74b0\u5883<\/ul>\n<\/li>\n<\/ul>\n
M1 Mac
\nMacOS Monterey 12.6<\/p>\n\u30b5\u30fc\u30d0<\/p>\n
Amazon Linux2<\/p>\n
\u4f7f\u7528ansible\u8fdb\u884c\u5b89\u88c5<\/h1>\n
\u5728\u672c\u5730\u5b89\u88c5ansible\u3002
\n\u867d\u7136\u4e5f\u53ef\u4ee5\u4f7f\u7528Homebrew\u8fdb\u884c\u5b89\u88c5\uff0c\u4f46\u7531\u4e8epip\u53ef\u4ee5\u8fdb\u884c\u8be6\u7ec6\u7684\u7248\u672c\u6307\u5b9a\uff0c\u56e0\u6b64\u6211\u4eec\u9009\u62e9\u4e86\u4f7f\u7528pip\u8fdb\u884c\u5b89\u88c5\u3002<\/p>\n\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u5834\u5408\r\n<\/span>$<\/span> pip install <\/span>ansible\r\n\r\n\u30d0\u30fc\u30b8\u30e7\u30f3\u6307\u5b9a\r\n<\/span>$<\/span> pip install <\/span>ansible<\/span>==<\/span>6.5.0\r\n<\/code><\/pre>\n\u4e3a\u4e86\u786e\u8ba4\u5b89\u88c5\u6210\u529f\uff0c\u6211\u4eec\u9700\u8981\u68c0\u67e5\u8f6f\u4ef6\u7684\u7248\u672c\u3002<\/p>\n
$<\/span> pip list\r\nPackage Version\r\n------------ -------\r\nansible 6.5.0\r\nansible-core 2.13.6\r\n<\/span><\/code><\/pre>\n\u542f\u52a8EC2<\/h1>\n
\u6211\u5011\u5c07\u555f\u52d5\u4e00\u500b EC2 \u5be6\u4f8b\uff0c\u4f46\u555f\u52d5\u65b9\u5f0f\u5df2\u7c21\u7565\u63cf\u8ff0\u3002
\n\u5b89\u5168\u7fa4\u7d44\u5c07\u5141\u8a31\u5165\u7ad9\u898f\u5247\u5305\u62ec SSH 22 \u7aef\u53e3\u548c\u81ea\u8a02\u7aef\u53e3\u865f 50001\u3002
\n\u6b64\u5916\uff0c\u5c07\u555f\u7528\u516c\u6709 IP \u7684\u81ea\u52d5\u5206\u914d\u3002<\/p>\n![\"\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d4dc937434c4406cbea68\/11-0.png\" "\\"\\"")
<\/div>\n\u521b\u5efaansible\u9879\u76ee<\/h1>\n
\u521b\u5efa\u4e00\u4e2a\u540d\u4e3aplaybook\u7684\u76ee\u5f55\uff0c\u5e76\u5728\u5176\u4e2d\u521b\u5efa\u4e00\u4e2ahosts\u6587\u4ef6\u3001\u4e00\u4e2aplaybook.yml\u6587\u4ef6\u548c\u4e00\u4e2asshd\u7684roles\u76ee\u5f55\u3002<\/p>\n
$<\/span> mkdir <\/span>playbook\r\n$<\/span> cd <\/span>playbook\r\n$<\/span> touch <\/span>hosts playbook.yml\r\n$<\/span> ansible-galaxy init --init-path<\/span>=<\/span>\"roles\"<\/span> sshd\r\n\r\n$<\/span> tree \r\n.\r\n<\/span>\u251c\u2500\u2500 hosts\r\n\u251c\u2500\u2500 playbook.yml\r\n\u2514\u2500\u2500 roles\r\n \u2514\u2500\u2500 sshd\r\n \u251c\u2500\u2500 README.md\r\n \u251c\u2500\u2500 defaults\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n \u251c\u2500\u2500 files\r\n \u251c\u2500\u2500 handlers\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n \u251c\u2500\u2500 meta\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n \u251c\u2500\u2500 tasks\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n \u251c\u2500\u2500 templates\r\n \u251c\u2500\u2500 tests\r\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 inventory\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 test.yml\r\n \u2514\u2500\u2500 vars\r\n \u2514\u2500\u2500 main.yml\r\n<\/span><\/code><\/pre>\n\u5220\u9664\u672a\u4f7f\u7528\u7684\u76ee\u5f55\uff0c\u5e76\u6309\u7167\u4ee5\u4e0b\u65b9\u5f0f\u8fdb\u884c\u8c03\u6574\u3002<\/p>\n
$<\/span> tree\r\n.\r\n<\/span>\u251c\u2500\u2500 hosts\r\n\u251c\u2500\u2500 playbook.yml\r\n\u2514\u2500\u2500 roles\r\n \u2514\u2500\u2500 sshd\r\n \u251c\u2500\u2500 handlers\r\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 main.yml\r\n \u2514\u2500\u2500 tasks\r\n \u2514\u2500\u2500 main.yml\r\n\r\n4 directories, 4 files\r\n<\/span><\/code><\/pre>\n\u521b\u5efahosts\u6587\u4ef6<\/h2>\n
\u8bf7\u6309\u7167\u4ee5\u4e0b\u65b9\u5f0f\u63cf\u8ff0\uff1a
\n\u901a\u5e38\u60c5\u51b5\u4e0b\uff0c\u6700\u597d\u5728roles\u7684vars\u6587\u4ef6\u5939\u4e0b\u7684main.yml\u4e2d\u5199\u5165custom_ssh_port=50001\u7b49\u5185\u5bb9\uff0c\u4f46\u7531\u4e8e\u8fd9\u6837\u5f88\u9ebb\u70e6\uff0c\u6240\u4ee5\u6211\u5c06\u5176\u6574\u5408\u5230hosts\u6587\u4ef6\u4e2d\u3002
\n\u8bf7\u5728\u8be5IP\u5b57\u6bb5\u4e2d\u586b\u5199\u670d\u52a1\u5668\u7684\u516c\u5171IP\u3002<\/p>\n[web] # \u8a18\u8f09\u3055\u308c\u305fIP\u306b\u5bfe\u3057\u3066\u63a5\u7d9a\r\n11.11.11.11\r\n\r\n[web:vars] #[web]\u3067\u4f7f\u3046\u5909\u6570\u3092\u5b9a\u7fa9\r\nansible_ssh_port=22\r\nansible_user=ec2-user\r\n__working_user=ec2-user\r\nansible_python_interpreter=\/usr\/bin\/python2\r\n\r\n# custom ssh port \uff0849152\uff5e65535\uff09\r\ncustom_ssh_port=50001\r\n\r\n# pem key path\r\nansible_ssh_private_key_file=~\/.ssh\/test.pem\r\n<\/code><\/pre>\n\u521b\u5efaplaybook.yml<\/h2>\n
-<\/span> name<\/span>:<\/span> Change port<\/span>\r\n hosts<\/span>:<\/span> web<\/span>\r\n become<\/span>:<\/span> yes<\/span>\r\n gather_facts<\/span>:<\/span> false<\/span>\r\n roles<\/span>:<\/span>\r\n -<\/span> sshd<\/span>\r\n<\/code><\/pre>\n\u4e3a\u4e86\u5728\u4e0b\u4e00\u4e2a\u6a21\u5757\u4e2d\u4f7f\u7528`local_action`\uff0c\u9700\u8981\u5c06`gather_facts`\u8bbe\u7f6e\u4e3a`false`\u3002<\/p>\n
- \n
- \n
- gather_facts<\/ul>\n<\/li>\n<\/ul>\n
\u5bfe\u8c61\u30db\u30b9\u30c8\u306e\u60c5\u5831\u3092ansible_facts\u5909\u6570\u3068\u3044\u3046\u3082\u306e\u306b\u683c\u7d0d\u3057\u3001tasks\u5185\u306e\u5909\u6570\u3067\u4f7f\u7528\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u521b\u5efaroles\u6587\u4ef6\u5939\u4e0b\u7684sshd\u76ee\u5f55\u3002<\/h2>\n
\u53ea\u9700\u5728tasks\u548chandlers\u7684main.yml\u4e2d\u8fdb\u884c\u8bb0\u5f55\u3002\u4e0d\u4f7f\u7528\u5176\u4ed6\u5185\u5bb9\u3002<\/p>\n
# port22 \u3067SSH\u63a5\u7d9a\u3059\u308b\u3002\u30bf\u30a4\u30e0\u30a2\u30a6\u30c8\u306f\uff15\u79d2\u3067\u3001\u63a5\u7d9a\u5931\u6557\u3057\u3066\u3082\u6b21\u306b\u9032\u3080<\/span>\r\n-<\/span> name<\/span>:<\/span> Connect default ssh port<\/span>\r\n local_action<\/span>:<\/span> wait_for port={{ansible_ssh_port}} timeout=5 host={{inventory_hostname}}<\/span>\r\n register<\/span>:<\/span> default_port<\/span>\r\n ignore_errors<\/span>:<\/span> true<\/span>\r\n become<\/span>:<\/span> False<\/span>\r\n\r\n# port22 \u3067\u5931\u6557\u3057\u305f\u5834\u5408\u3001port 50001\u3067SSH\u63a5\u7d9a\u3059\u308b\u3002\u30bf\u30a4\u30e0\u30a2\u30a6\u30c8\u306f\uff15\u79d2<\/span>\r\n-<\/span> name<\/span>:<\/span> Connect custom ssh port<\/span>\r\n local_action<\/span>:<\/span> wait_for port={{custom_ssh_port}} timeout=5 host={{inventory_hostname}}<\/span>\r\n register<\/span>:<\/span> custom_port<\/span>\r\n when<\/span>:<\/span> default_port.elapsed >= <\/span>5<\/span>\r\n become<\/span>:<\/span> False<\/span>\r\n\r\n# port22 \u3067\u30bf\u30a4\u30e0\u30a2\u30a6\u30c8\u3057\u3001port50001\u3067SSH\u63a5\u7d9a\u6210\u529f\u3057\u305f\u5834\u5408\u3001ansible_ssh_port\u309250001\u306b\u5909\u3048\u308b<\/span>\r\n-<\/span> name<\/span>:<\/span> set ansible_ssh_port custom_ssh_port<\/span>\r\n set_fact<\/span>:<\/span> ansible_ssh_port={{custom_ssh_port}}<\/span>\r\n when<\/span>:<\/span> default_port.elapsed >= 5 and custom_port.elapsed < <\/span>5<\/span>\r\n become<\/span>:<\/span> False<\/span>\r\n\r\n# \u73fe\u5728port22\u3067SSH\u63a5\u7d9a\u3057\u3066\u3044\u308b\u5834\u5408\u3001\/etc\/ssh\/sshd_config\u306ePort\u309250001\u306b\u66f8\u304d\u63db\u3048\u308b<\/span>\r\n-<\/span> name<\/span>:<\/span> Rewrite custom_ssh_port<\/span>\r\n lineinfile<\/span>:<\/span>\r\n dest<\/span>:<\/span> \/etc\/ssh\/sshd_config<\/span>\r\n regexp<\/span>:<\/span> '<\/span>^#Port'<\/span>\r\n line<\/span>:<\/span> '<\/span>Port<\/span> {{custom_ssh_port}}'<\/span>\r\n notify<\/span>:<\/span> Restart sshd<\/span>\r\n when<\/span>:<\/span> ansible_ssh_port == <\/span>22<\/span>\r\n\r\n# ssh\u63a5\u7d9a\u6642\u306e\u30d1\u30b9\u30ef\u30fc\u30c9\u8a8d\u8a3c\u3092\u7121\u52b9<\/span>\r\n-<\/span> name<\/span>:<\/span> Disabling password authentication<\/span>\r\n lineinfile<\/span>:<\/span>\r\n dest<\/span>:<\/span> \/etc\/ssh\/sshd_config<\/span>\r\n regexp<\/span>:<\/span> '<\/span>^PasswordAuthentication'<\/span>\r\n insertafter<\/span>:<\/span> '<\/span>^#PasswordAuthentication'<\/span>\r\n line<\/span>:<\/span> PasswordAuthentication no<\/span>\r\n notify<\/span>:<\/span> Restart sshd<\/span>\r\n# ssh\u63a5\u7d9a\u6642\u306e\u30c1\u30e3\u30ec\u30f3\u30b8\/\u30ec\u30b9\u30dd\u30f3\u30b9\u8a8d\u8a3c\u3092\u7121\u52b9<\/span>\r\n-<\/span> name<\/span>:<\/span> Disabling Challenge-Response Authentication<\/span>\r\n lineinfile<\/span>:<\/span>\r\n dest<\/span>:<\/span> \/etc\/ssh\/sshd_config<\/span>\r\n regexp<\/span>:<\/span> '<\/span>^ChallengeResponseAuthentication'<\/span>\r\n insertafter<\/span>:<\/span> '<\/span>^#ChallengeResponseAuthentication'<\/span>\r\n line<\/span>:<\/span> ChallengeResponseAuthentication no<\/span>\r\n notify<\/span>:<\/span> Restart sshd<\/span>\r\n\r\n# root\u30e6\u30fc\u30b6\u30fc\u306e\u30ed\u30b0\u30a4\u30f3\u7121\u52b9<\/span>\r\n-<\/span> name<\/span>:<\/span> Disabling root user login<\/span>\r\n lineinfile<\/span>:<\/span>\r\n dest<\/span>:<\/span> \/etc\/ssh\/sshd_config<\/span>\r\n regexp<\/span>:<\/span> '<\/span>^PermitRootLogin'<\/span>\r\n insertafter<\/span>:<\/span> '<\/span>^#PermitRootLogin'<\/span>\r\n line<\/span>:<\/span> PermitRootLogin no<\/span>\r\n notify<\/span>:<\/span> Restart sshd<\/span>\r\n<\/code><\/pre>\n# sshd\u306e\u8a2d\u5b9a\u304c\u5909\u66f4\u3055\u308c\u305f\u5834\u5408\u3001\u518d\u8d77\u52d5\u3059\u308b<\/span>\r\n-<\/span> name<\/span>:<\/span> Restart sshd<\/span>\r\n service<\/span>:<\/span>\r\n name<\/span>:<\/span> sshd<\/span>\r\n state<\/span>:<\/span> restarted<\/span>\r\n<\/code><\/pre>\n\u6a21\u5757\u8bf4\u660e<\/h2>\n
- \n
- \n
- local_action<\/ul>\n<\/li>\n<\/ul>\n
\u30ea\u30e2\u30fc\u30c8\u30db\u30b9\u30c8\u3067\u306f\u306a\u304f\u30ed\u30fc\u30ab\u30eb\u3067\u5b9f\u884c\u3057\u305f\u3044\u5834\u5408\u306b\u4f7f\u7528\u3057\u307e\u3059\u3002\u4eca\u56de\u3067\u3042\u308c\u3070\u3001\u30ed\u30fc\u30ab\u30eb\u304b\u3089SSH\u63a5\u7d9a\u3067\u304d\u307e\u3059\u3002<\/p>\n
wait_for<\/p>\n
SSH\u63a5\u7d9a\u306e\u30a2\u30af\u30b7\u30e7\u30f3\u6642\u3001\u30dd\u30fc\u30c8\u304c\u5fdc\u7b54\u3042\u308b\u307e\u3067\u5f85\u3064\u305f\u3081\u306b\u4f7f\u7528\u3057\u307e\u3059<\/p>\n
timeout\u3084host\u5148\u3092\u6307\u5b9a\u3067\u304d\u307e\u3059\u3002<\/p>\n
register<\/p>\n
\u51e6\u7406\u7d50\u679c\u3092\u5909\u6570\u306e\u4e2d\u306b\u4e00\u6642\u7684\u306b\u4fdd\u7ba1\u3067\u304d\u307e\u3059
\nelapsed<\/p>\n\u7d4c\u904e\u6642\u9593\u3092\u793a\u3057\u307e\u3059<\/p>\n
become<\/p>\n
\u305d\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u3092 root \u6a29\u9650\u3067\u5b9f\u884c\u3067\u304d\u307e\u3059<\/p>\n
set_fact<\/p>\n
\u65b0\u305f\u306a\u5909\u6570\u3092\u5b9a\u7fa9\u3067\u304d\u307e\u3059\u3002<\/p>\n
\u4eca\u56de\u306f\u3001ansible_ssh_port\u306e\u5024\u304c\u5143\u300522\u3060\u3063\u305f\u306e\u3092custom_ssh_port\uff0850001\uff09\u306b\u4e0a\u66f8\u304d\u3057\u307e\u3057\u305f<\/p>\n
lineinfile<\/p>\n
\u30d5\u30a1\u30a4\u30eb\u3092\u884c\u5358\u4f4d\u3067\u7de8\u96c6\u3067\u304d\u307e\u3059
\ndest<\/p>\n\u7de8\u96c6\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u306e\u30d1\u30b9\u3092\u6307\u5b9a<\/p>\n
line<\/p>\n
\u7f6e\u63db\u307e\u305f\u306f\u633f\u5165\u3059\u308b\u6587\u5b57\u5217\u3092\u6307\u5b9a<\/p>\n
regexp<\/p>\n
\u6307\u5b9a\u3057\u305f\u6b63\u898f\u8868\u73fe\u306b\u30de\u30c3\u30c1\u3057\u305f\u884c\u3092\u3001line\u3067\u6307\u5b9a\u3057\u305f\u6587\u5b57\u5217\u306b\u7f6e\u304d\u63db\u3048\u307e\u3059
\nline\u3067\u6307\u5b9a\u3057\u305f\u6587\u5b57\u5217\u3068\u3001\u540c\u3058\u5834\u5408\u306f\u4f55\u3082\u3057\u307e\u305b\u3093<\/p>\ninsertafter<\/p>\n
regexp \u306b\u30de\u30c3\u30c1\u3059\u308b\u884c\u304c\u7121\u304b\u3063\u305f\u5834\u5408\u3001\u3053\u3053\u306b\u6307\u5b9a\u3057\u305f\u6b63\u898f\u8868\u73fe\u306b\u30de\u30c3\u30c1\u3057\u305f\u6b21\u306e\u884c\u306b\u3001line\u3067\u6307\u5b9a\u3057\u305f\u6587\u5b57\u5217\u3092\u633f\u5165\u3059\u308b\u3002<\/p>\n
\u305d\u308c\u306b\u3082\u30de\u30c3\u30c1\u3057\u306a\u3044\u5834\u5408\u306f\u30d5\u30a1\u30a4\u30eb\u672b\u5c3e\u306b\u3001line\u3067\u6307\u5b9a\u3057\u305f\u6587\u5b57\u5217\u304c\u633f\u5165\u3055\u308c\u307e\u3059\u3002<\/p>\n
notify<\/p>\n
notify\u3092\u4ed8\u4e0e\u3057\u305f\u30bf\u30b9\u30af\u304cchanged\u306b\u306a\u3063\u305f\u5834\u5408\u3001handlers\u5185\u306b\u5b9a\u7fa9\u3055\u308c\u305f\u30bf\u30b9\u30af\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002<\/p>\n
\u540c\u3058handlers\u306e\u547c\u3073\u51fa\u3057\u306f1\u56de\u306b\u307e\u3068\u3081\u3089\u307e\u3059\u3002notify\u3092\u4ed8\u4e0e\u3057\u3066\u3044\u308b\u8907\u6570\u306e\u30bf\u30b9\u30af\u304cchanged\u306b\u306a\u3063\u3066\u3082\uff11\u5ea6\u3057\u304b\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3002<\/p>\n
\u6267\u884c\u5b89\u742a\u513f\u3002<\/h1>\n
\u5728\u6839\u76ee\u5f55\u4e0b\uff0c\u60a8\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u6765\u6267\u884cansible\u3002<\/p>\n
$<\/span> ansible-playbook -i<\/span> hosts playbook.yml\r\n<\/code><\/pre>\n\u5982\u679c\u60a8\u60f3\u8981\u8f93\u51fa\u8be6\u7ec6\u65e5\u5fd7\uff0c\u8bf7\u6dfb\u52a0 -vv\u3002<\/p>\n
$<\/span> ansible-playbook -i<\/span> hosts playbook.yml -vv<\/span>\r\n<\/code><\/pre>\n\u6211\u4eec\u5c06\u6267\u884c\u7b2c\u4e00\u6b21\u3002<\/p>\n
$<\/span> ansible-playbook -i<\/span> hosts playbook.yml -vv<\/span>\r\n\r\nPLAY [Change port] ************************************************************************************************************\r\n\r\nTASK [sshd : Connect default ssh port] ****************************************************************************************\r\n<\/span>ok: [13.231.201.67 -><\/span> localhost]\r\n\r\nTASK [sshd : Connect custom ssh port] *****************************************************************************************\r\nskipping: [13.231.201.67]\r\n\r\nTASK [sshd : set ansible_ssh_port custom_ssh_port] ****************************************************************************\r\nskipping: [13.231.201.67]\r\n\r\nTASK [sshd : Rewrite custom_ssh_port] *****************************************************************************************\r\nThe authenticity of host '13.231.201.67 (13.231.201.67)' can't be established.\r\nED25519 key fingerprint is SHA256:SgTQf176TUJ\/wSqlWH4inIAZ7NWU+eAQrewxa+aqEns.\r\nThis key is not known by any other names\r\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\r\nchanged: [13.231.201.67]\r\n\r\nTASK [sshd : Disabling password authentication] *******************************************************************************\r\nok: [13.231.201.67]\r\n\r\nTASK [sshd : Disabling Challenge-Response Authentication] *********************************************************************\r\nok: [13.231.201.67]\r\n\r\nTASK [sshd : Disabling root user login] ***************************************************************************************\r\nchanged: [13.231.201.67]\r\n\r\nRUNNING HANDLER [sshd : Restart sshd] *****************************************************************************************\r\nchanged: [13.231.201.67]\r\n\r\nPLAY RECAP ********************************************************************************************************************\r\n13.231.201.67 : ok=6 changed=3 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0\r\n<\/span><\/code><\/pre>\n\u7b2c\u4e00\u6b21\u8fd0\u884c\u65f6\uff0c\u53d1\u73b0\u7aef\u53e322\u88ab\u4f7f\u7528\u3002
\n\u8fdb\u884c\u7b2c\u4e8c\u6b21\u6267\u884c\u3002<\/p>\n$<\/span> ansible-playbook -i<\/span> hosts playbook.yml\r\n\r\nPLAY [Change port] ************************************************************************************************************\r\n\r\nTASK [sshd : Connect default ssh port] ****************************************************************************************\r\n<\/span>fatal: [13.231.201.67 -><\/span> localhost]: FAILED! =><\/span>
- \n
- \n