linux:ansible:playbook_example_10 [24.09.2022 10:44] – [Playbook: ssh_client_config.yml] django | linux:ansible:playbook_example_10 [24.09.2022 13:50] (current) – [Links] django
Zeile 226: | Zeile 226: | ||
- | ==== Ansible-Playbook zum erstellen | + | ==== Ansible-Playbook zum Erstellen |
=== Playbook: ssh_client_config.yml === | === Playbook: ssh_client_config.yml === | ||
Unser Playbook legen wir nun wie gewohnt in unserem Playbook-Verzeichnis | Unser Playbook legen wir nun wie gewohnt in unserem Playbook-Verzeichnis | ||
Zeile 290: | Zeile 290: | ||
... # YML Ende</ | ... # YML Ende</ | ||
+ | Mit Hilfe dieses Tasks wird nun, mit Hilfe des Ansible Modules **[[https:// | ||
+ | <WRAP center round tip 80%> | ||
+ | Man könte jetzt natürlich sagen, warum definiert man denn diesen Task nicht gleich direkt in der **'' | ||
+ | </ | ||
+ | === Jinja2-Template: | ||
+ | In dem Task **'' | ||
+ | $ vim ~/ | ||
+ | <file c++ ssh_client_config.j2># | ||
+ | # Clientkonfigurationsbeispiel für unterschiedliche Zielsysteme | ||
+ | ## statische Konfiguration | ||
+ | # localhost | ||
+ | Host localhost | ||
+ | Hostname | ||
+ | IdentityFile ~/ | ||
- | FIXME //**... do geds weida!**// FIXME | + | # externer Einwahl-Hosts |
+ | Host example | ||
+ | Hostname 93.184.216.34 | ||
+ | Port 12345 | ||
+ | Protocol 2 | ||
+ | ForwardX11 yes | ||
+ | ForwardAgent yes | ||
+ | IdentityFile ~/.ssh/id_example | ||
+ | ## dynamisch aus dem Inventory generierte Konfiguration | ||
+ | # interne Systeme - DMZ | ||
+ | {% for host in groups[' | ||
+ | Host {{ host }} | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
- | ===== lorem ipsum dolor sit amet ===== | + | Host {{ hostvars[host][' |
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | |||
+ | {% endfor %} | ||
+ | # interne Systeme - Intranet | ||
+ | {% for host in groups[' | ||
+ | Host {{ host }} | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | |||
+ | Host {{ hostvars[host][' | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | |||
+ | {% endfor %} | ||
+ | # externe System | ||
+ | {% for host in groups[' | ||
+ | Host {{ host }} | ||
+ | Hostname [{{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | ProxyCommand | ||
+ | |||
+ | Host {{ host }}-extern | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | |||
+ | {% endfor %} | ||
+ | {% for host in groups[' | ||
+ | Host {{ host }} | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | ProxyCommand | ||
+ | |||
+ | Host {{ host }}-intern | ||
+ | Hostname {{ hostvars[host][' | ||
+ | User {{ hostvars[host][' | ||
+ | Port {{ hostvars[host][' | ||
+ | Protocol {{ hostvars[host][' | ||
+ | IdentityFile {{ hostvars[host][' | ||
+ | |||
+ | {% endfor %} | ||
+ | </ | ||
+ | |||
+ | Das Beispiel passen wir natürlich unserer Umgebung entsprechend an. Einzelne Netzsegmente haben wir in unserem **[[playbook_example_09# | ||
+ | |||
+ | === Inventory | ||
+ | Die **[[playbook_example_09# | ||
+ | |||
+ | Für unser Playbook-Beispiel hier greifen wir auf das exemplarische **[[playbook_example_09# | ||
+ | $ less ~/ | ||
+ | |||
+ | <file bash hosts># Generiert mit Hilfe von Ansible am 2022-09-20 - diese Datei nicht manuell bearbeiten! | ||
+ | # Inventory Datei für die System-Umgebung bei nausch.org | ||
+ | # | ||
+ | # Hinweise: | ||
+ | # | ||
+ | # leere Zeilen werden ignoriert | ||
+ | # Host- und Gruppendefinitionen werden mit [] abgegrenzt | ||
+ | # Hosts können über ihren Hostnamen, FQN oder ihrer IP-Adresse definiert | ||
+ | # | ||
+ | # | ||
+ | # Host-Definitionen | ||
+ | |||
+ | # Hosts ohne Gruppenzuordnung | ||
+ | localhost | ||
+ | |||
+ | [intranet] | ||
+ | pml010002 | ||
+ | pml010003 | ||
+ | pml010004 | ||
+ | ... | ||
+ | ... | ||
+ | pml010124 | ||
+ | pml010125 | ||
+ | pml010126 | ||
+ | |||
+ | [IDMZ] | ||
+ | vml030010 | ||
+ | vml030020 | ||
+ | vml030030 | ||
+ | vml030040 | ||
+ | ... | ||
+ | ... | ||
+ | vml030230 | ||
+ | vml030240 | ||
+ | vml030250 | ||
+ | |||
+ | [EDMZ] | ||
+ | vml050010 | ||
+ | vml050020 | ||
+ | vml050030 | ||
+ | vml050040 | ||
+ | vml050250 | ||
+ | |||
+ | [TKDMZ] | ||
+ | vml070010 | ||
+ | vml070020 | ||
+ | vml070030 | ||
+ | |||
+ | [external] | ||
+ | customer_no_001 | ||
+ | customer_no_002 | ||
+ | ... | ||
+ | ... | ||
+ | customer_no_042 | ||
+ | |||
+ | [gluon] | ||
+ | ff_pliening_gbw__ug_ | ||
+ | ff_pliening_gbw_egod | ||
+ | ff_pliening_gbw_ogod | ||
+ | ff_pliening_gbw_dgod | ||
+ | ff_pliening_gbw_cpod | ||
+ | ff_roding_fwg_nausch | ||
+ | |||
+ | [raspbian] | ||
+ | ff_pliening_rpb4_ol_v6 | ||
+ | |||
+ | # Host-Gruppen-Definitionen | ||
+ | # (zu welcher Gruppe gehören Untergruppen bzw. Hosts) | ||
+ | |||
+ | [freifunk: | ||
+ | gluon | ||
+ | raspbian | ||
+ | |||
+ | [linux: | ||
+ | intranet | ||
+ | IDMZ | ||
+ | EDMZ | ||
+ | TKDMZ | ||
+ | external | ||
+ | </ | ||
+ | |||
+ | Die betreffenden Hostspezifischen Variablen halten wir hier in entsprechenden Dateien bzw. Unterverzeichnissen vor. Das nachfolgende Beispiel hier zeigt die Host-spezifischen Variablen eines Hosts im Intranet. | ||
+ | $ less ~/ | ||
+ | |||
+ | <file c++ vml030010># | ||
+ | host_alias: fw1 | ||
+ | host_mac: " | ||
+ | host_ipv4: " | ||
+ | host_ipv6: ":: | ||
+ | ssh_port: 22 | ||
+ | ssh_protocol: | ||
+ | ssh_keyfile: | ||
+ | |||
+ | Als Beispiel für einen externen Host, der nur via Jump-Host erreichbar ist sehen wir uns die Inventory-Host-Definition des Hosts **'' | ||
+ | $ less ~/ | ||
+ | |||
+ | |||
+ | <file c++ ff_pliening_gbw__ug_># | ||
+ | host_alias: | ||
+ | host_ipv4: | ||
+ | host_ipv6: 2001: | ||
+ | ssh_user: root | ||
+ | ssh_port: 22 | ||
+ | ssh_protocol: | ||
+ | ssh_keyfile: | ||
+ | host_sshjump: | ||
+ | |||
+ | branch: " | ||
+ | domain: " | ||
+ | director: " | ||
+ | node_contact_address: | ||
+ | node_hostname: | ||
+ | node_latitude: | ||
+ | node_longitude: | ||
+ | node_model: " | ||
+ | node_share_location: | ||
+ | node_ghostmode: | ||
+ | node_release: | ||
+ | node_autoupdate: | ||
+ | </ | ||
+ | |||
+ | Hier sehen wir nun dass unter anderem ein anderer SSH-User, ein anderes SSH-Keyfile sowie ein Jump-Host benutzt wird. Ferner finden sich im Anschluß noch weitere Host-spezische Variablen, für die Konfiguration des betreffenden **[[https:// | ||
+ | |||
+ | === Playbook-Lauf | ||
+ | Dank der **[[playbook_example_08# | ||
+ | $ ansible-playbook ~/ | ||
+ | |||
+ | < | ||
+ | <pre class=" | ||
+ | <font style=" | ||
+ | PLAY [ssh_client_config.yml] ****************************************************************************************************** | ||
+ | |||
+ | TASK [Gathering Facts] ************************************************************************************************************</ | ||
+ | <font style=" | ||
+ | <font style=" | ||
+ | TASK [ssh_client : include_tasks] *************************************************************************************************</ | ||
+ | <font style=" | ||
+ | <font style=" | ||
+ | TASK [ssh_client : Generieren und kopieren der SSH Client Konfiguration ~/ | ||
+ | <font style=" | ||
+ | <font style=" | ||
+ | PLAY RECAP *************************************************************************************************************************</ | ||
+ | <font style=" | ||
+ | </ | ||
+ | </ | ||
+ | === Ergebnis: ~/ | ||
+ | Als Ergebnis erhalten wir dann quasi auf Knopfdruck immer eine aktuelle SSH-Client-Konfigurationsdatei **'' | ||
+ | |||
+ | <file bash ~/ | ||
+ | # Clientkonfigurationsbeispiel für unterschiedliche Zielsysteme | ||
+ | |||
+ | ## statische Konfiguration | ||
+ | # localhost | ||
+ | Host localhost | ||
+ | Hostname | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | # externer Einwahl-Hosts | ||
+ | Host example | ||
+ | Hostname 93.184.216.34 | ||
+ | Port 12345 | ||
+ | Protocol 2 | ||
+ | ForwardX11 yes | ||
+ | ForwardAgent yes | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | ## dynamisch aus dem Inventory generierte Konfiguration | ||
+ | # interne Systeme - IDMZ | ||
+ | Host vml030010 | ||
+ | Hostname 10.30.30.10 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host fw1 | ||
+ | Hostname 10.30.30.10 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host vml030020 | ||
+ | Hostname 10.30.30.20 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host fw2 | ||
+ | Hostname 10.30.30.2 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host vml030030 | ||
+ | Hostname 10.30.30.30 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host | ||
+ | Hostname 10.30.30.30 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | ... | ||
+ | ... | ||
+ | |||
+ | Host vml030250 | ||
+ | Hostname 10.30.30.250 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host db_clusternode_3 | ||
+ | Hostname 10.30.30.250 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | # interne Systeme - Intranet | ||
+ | Host pml010002 | ||
+ | Hostname 10.10.10.2 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host kvm_1 | ||
+ | Hostname 10.10.10.2 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | ... | ||
+ | ... | ||
+ | |||
+ | Host pml010126 | ||
+ | Hostname 10.10.10.126 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | Host feinstaubsensor | ||
+ | Hostname 10.10.10.126 | ||
+ | User django | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | # externe System | ||
+ | Host ff_pliening_gbw__ug_ | ||
+ | Hostname [2001: | ||
+ | User root | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | ProxyCommand | ||
+ | |||
+ | Host ff_pliening_gbw__ug_-extern | ||
+ | Hostname 2001: | ||
+ | User root | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | ... | ||
+ | ... | ||
+ | |||
+ | Host ff_roding_fwg_nausch | ||
+ | Hostname [2001: | ||
+ | User root | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | ProxyCommand | ||
+ | |||
+ | Host ff_roding_fwg_nausch-extern | ||
+ | Hostname 2001: | ||
+ | User root | ||
+ | Port 22 | ||
+ | Protocol 2 | ||
+ | IdentityFile ~/ | ||
+ | |||
+ | </ | ||
+ | |||
+ | ===== Fazit und Ausblick ===== | ||
+ | <WRAP center round info 80%> | ||
+ | |||
+ | Die manuelle, zeitraubende und ggf. Fehlerbehaftete Pflege der SSH-Client-Konfigurations-Datei durch mehrere Admins auf verschiedenen Ansible-Kontroll-Knoten ist somit Geschichte. Ferner sind wir unabhängig und können so viele SSH-Jump-Hosts verwenden, die eben zum Erreichen der Zielhost von Nöten sind. | ||
+ | |||
+ | Die initiale Fragestellung //Wie wird sicher gestellt, dass alle Ziele auch erreichbar sind?//, die wir bei unseren **[[detail# | ||
+ | </ | ||
+ | |||
+ | ====== Links ====== | ||
+ | * **[[detail|zurück zum Kapitel " | ||
+ | * **=> [[playbook_example_11|weiter zum Kapitel " | ||
+ | * **[[start|Zurück zur " | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
- | :KRIT: FIXME :KRIT: | ||
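Review bot: The rendered result contains an alias block with an empty `Host` line for 10.30.30.30 (`Host` followed by nothing, then `Hostname 10.30.30.30`), so the alias loop in ssh_client_config.j2 emits a second block even when the host has no alias variable set; an ssh_config `Host` keyword needs at least one pattern, and as written the options that follow it apply to no host and are silently dead. Guard the alias block with a `{% if ... is defined %}` check (or give every inventory host an alias) so the generated file contains only valid blocks. The static `example` entry sets `ForwardAgent yes` and `ForwardX11 yes`; agent forwarding lets whoever controls that remote host use the local agent's keys for the duration of the session, so in a file that is rolled out to several admins these should default to `no` and be enabled only for hosts that actually need them. The `Protocol 2` lines are deprecated and ignored by current OpenSSH clients (protocol 1 was removed from the client years ago) and can be dropped from both the template and the expected output. Minor: the `<file c++ ...>` highlighter tag fits neither the Jinja2 template nor the YAML host_vars files (`yaml` is the right tag for the latter); the sentence introducing the vml030010 host_vars calls it an intranet host although the inventory lists it under `[IDMZ]`; and `Host fw2` shows `Hostname 10.30.30.2` while `Host vml030020` shows `10.30.30.20`, although both blocks are rendered from the same host variable, so one of them is a transcription error.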