Stopping ansible from asking for the private key passphrase over and over when using public key authentication
2018/09/19
When you run ansible with public key authentication using a specified private key, and that key is protected by a passphrase, you are asked for the passphrase at every single step, which is extremely tedious.
Trying it out, the passphrase prompt repeats endlessly, as shown below.
```
[kunikiya@home6 ansible]$ ansible-playbook -i hosts/onamae1.kunikiya.jp playbook/cent7.yml --private-key="/home/kunikiya/.ssh/ansible_private_key" -K -vvvv
sudo password:

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
<157.7.~.~>
<157.7.~.~>
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gyyewwtaapzyzjrakmisucdoclwjqdri] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-gyyewwtaapzyzjrakmisucdoclwjqdri; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/kunikiya/.ansible/tmp/ansible-tmp-1426640110.34-264435779051132/setup; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640110.34-264435779051132/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~]

TASK: [install python-selinux] ************************************************
<157.7.~.~>
<157.7.~.~> state=present pkg=libselinux-python
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=nvzfapwwvtjfksqviffcojpmjmpkgfjg] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-nvzfapwwvtjfksqviffcojpmjmpkgfjg; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python -tt /home/kunikiya/.ansible/tmp/ansible-tmp-1426640126.39-230927170753395/yum; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640126.39-230927170753395/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~] => {"changed": false, "msg": "", "rc": 0, "results": ["libselinux-python-2.2.2-6.el7.x86_64 providing libselinux-python is already installed"]}

TASK: [disable selinux] *******************************************************
<157.7.~.~>
<157.7.~.~> state=disabled
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=qeiyrfplokyoeyskumleekdofrqzqzne] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-qeiyrfplokyoeyskumleekdofrqzqzne; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/kunikiya/.ansible/tmp/ansible-tmp-1426640135.84-154163555149484/selinux; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640135.84-154163555149484/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "state": "disabled"}

TASK: [install vim] ***********************************************************
<157.7.~.~>
<157.7.~.~> state=latest pkg=vim
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
```
In that case, load the private key into ssh-agent and let it cache the key. ssh-agent keeps the decrypted key in memory, and every ssh connection ansible opens authenticates through the agent, so the passphrase is entered once at ssh-add time.
After that, you are never asked for the passphrase again.
```
[kunikiya@home6 ansible]$ eval `ssh-agent`
Agent pid 28246
[kunikiya@home6 ansible]$ ssh-add ../.ssh/ansible_private_key
Enter passphrase for ../.ssh/ansible_private_key:
Identity added: ../.ssh/ansible_private_key (../.ssh/ansible_private_key)
```
It is convenient to put this together with the ansible command in a shell script like the one below, and to run that script whenever you want to run ansible.
```sh
#!/bin/sh
# Start an agent for this run and stop it on exit, so the decrypted key does
# not outlive the playbook and agent processes do not pile up across runs.
eval `ssh-agent`
trap 'ssh-agent -k >/dev/null' EXIT
ssh-add ../.ssh/ansible_private_key
ansible-playbook -i hosts/onamae1.kunikiya.jp playbook/cent7.yml --private-key="/home/kunikiya/.ssh/ansible_private_key" -K
```
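A stricter version of that wrapper, added here as an example and not the post's own script: it reuses an agent that is already running, caches the key only for a limited time, refuses a key file that ssh would reject anyway, and kills an agent it started itself. The key path and playbook are the post's; KEY_LIFETIME and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the post's script: run ansible-playbook with the key held
# in ssh-agent for a limited time. Key path and playbook come from the post;
# KEY_LIFETIME and the function names are assumptions.
KEY="${KEY:-$HOME/.ssh/ansible_private_key}"
KEY_LIFETIME="${KEY_LIFETIME:-900}"   # seconds the decrypted key stays in the agent

# 0 if the file exists and is readable by its owner only (what ssh requires).
key_private_enough() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# 0 if SSH_AUTH_SOCK points at an agent that answers; ssh-add -l exits 2 when
# no agent is reachable (exit 1 only means it holds no keys yet).
agent_usable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Reuse a running agent; start one only if needed and kill it on exit so the
# decrypted key does not outlive the run.
ensure_agent() {
    agent_usable && return 0
    eval "$(ssh-agent -s)" >/dev/null || return 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
}

main() {
    key_private_enough "$KEY" || { echo "$KEY missing or not mode 0600" >&2; return 1; }
    ensure_agent || return 1
    # -t: the agent forgets the key after KEY_LIFETIME seconds. One prompt only.
    ssh-add -t "$KEY_LIFETIME" "$KEY" || return 1
    # -T: prove the agent can sign with this key before the play starts.
    if [ -f "$KEY.pub" ]; then ssh-add -T "$KEY.pub" || return 1; fi
    ansible-playbook --private-key="$KEY" -K "$@"
}

# Runs only when given arguments, e.g.
#   sh ansible-agent.sh -i hosts/onamae1.kunikiya.jp playbook/cent7.yml
# With none it only defines the functions, so the file can be sourced too.
if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 -i INVENTORY PLAYBOOK [ansible-playbook options]" >&2
fi
```

If an agent from your login session is already reachable through SSH_AUTH_SOCK, the script adds the key there instead of starting a second agent, and the -t lifetime still applies to that key.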