やきにくとくにきや

Technical notes and back-of-the-flyer scribbles from an engineer who dreams about web services and events. And I want to eat yakiniku.

Stopping Ansible from asking for the private key passphrase over and over when using public key authentication

      2018/09/19

When you run Ansible with public key authentication using a specified private key, and that private key has a passphrase set, you are asked for the passphrase on every single operation, which is extremely tedious.

Trying it out, you get asked for the passphrase endlessly, as shown below.


[shell]
[kunikiya@home6 ansible]$ ansible-playbook -i hosts/onamae1.kunikiya.jp playbook/cent7.yml --private-key="/home/kunikiya/.ssh/ansible_private_key" -K -vvvv
sudo password:

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
<157.7.~.~>
<157.7.~.~>
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gyyewwtaapzyzjrakmisucdoclwjqdri] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-gyyewwtaapzyzjrakmisucdoclwjqdri; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/kunikiya/.ansible/tmp/ansible-tmp-1426640110.34-264435779051132/setup; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640110.34-264435779051132/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~]

TASK: [install python-selinux] ************************************************
<157.7.~.~>
<157.7.~.~> state=present pkg=libselinux-python
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=nvzfapwwvtjfksqviffcojpmjmpkgfjg] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-nvzfapwwvtjfksqviffcojpmjmpkgfjg; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python -tt /home/kunikiya/.ansible/tmp/ansible-tmp-1426640126.39-230927170753395/yum; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640126.39-230927170753395/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~] => {"changed": false, "msg": "", "rc": 0, "results": ["libselinux-python-2.2.2-6.el7.x86_64 providing libselinux-python is already installed"]}

TASK: [disable selinux] *******************************************************
<157.7.~.~>
<157.7.~.~> state=disabled
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=qeiyrfplokyoeyskumleekdofrqzqzne] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-qeiyrfplokyoeyskumleekdofrqzqzne; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/kunikiya/.ansible/tmp/ansible-tmp-1426640135.84-154163555149484/selinux; rm -rf /home/kunikiya/.ansible/tmp/ansible-tmp-1426640135.84-154163555149484/ >/dev/null 2>&1'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
ok: [157.7.~.~] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "state": "disabled"}

TASK: [install vim] ***********************************************************
<157.7.~.~>
<157.7.~.~> state=latest pkg=vim
<157.7.~.~> IdentityFile=/home/kunikiya/.ssh/ansible_private_key ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no ForwardAgent=yes PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
<157.7.~.~>
Enter passphrase for key '/home/kunikiya/.ssh/ansible_private_key':
[/shell]

In that case, feed the private key to the ssh agent and let it cache the decrypted key.
After that, ssh answers every connection from the agent and you are no longer asked for the passphrase.

[shell]
[kunikiya@home6 ansible]$ eval `ssh-agent`
Agent pid 28246
[kunikiya@home6 ansible]$ ssh-add ../.ssh/ansible_private_key
Enter passphrase for ../.ssh/ansible_private_key:
Identity added: ../.ssh/ansible_private_key (../.ssh/ansible_private_key)
[/shell]

It is convenient to put this together with the Ansible command in a shell script like the one below, and run that script whenever you want to run Ansible.

[shell]
#!/bin/sh
# Start an agent for this run and stop it again on exit, so each invocation
# does not leave another ssh-agent process (holding the decrypted key) behind.
eval `ssh-agent`
trap 'ssh-agent -k' EXIT
# Asks for the passphrase once; the agent then answers every later ssh connection.
# Absolute path, so the script does not depend on the directory it is run from.
ssh-add /home/kunikiya/.ssh/ansible_private_key
ansible-playbook -i hosts/onamae1.kunikiya.jp playbook/cent7.yml --private-key="/home/kunikiya/.ssh/ansible_private_key" -K
[/shell]
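The script above starts a fresh agent and prompts for the passphrase on every run. The following is an added example, not code from the original post, that goes one step further: it reuses an agent that is already reachable through SSH_AUTH_SOCK, loads the key only if the agent does not already hold it (compared by fingerprint, so it does not matter whether the key was added by a relative or an absolute path), and limits how long the decrypted key stays cached with `ssh-add -t`. The key path, the lifetime of 3600 seconds, the existence of a matching `.pub` file, and the `run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): reuse an existing ssh-agent,
# load the Ansible key only when it is not already cached, and cap how long
# the decrypted key stays in the agent. Paths and lifetime are assumptions.
set -eu

KEY="${ANSIBLE_KEY:-${HOME:-.}/.ssh/ansible_private_key}"
KEY_LIFETIME="${KEY_LIFETIME:-3600}"   # seconds the agent keeps the key (assumed value)

# fingerprint_of PUBKEY_FILE -> prints the SHA256 fingerprint of a public key file
fingerprint_of() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# listing_has_fingerprint FINGERPRINT LISTING
# Returns 0 when LISTING (the text printed by `ssh-add -l`, one key per line,
# fingerprint in the second field) contains FINGERPRINT. Pure text check, so it
# can be exercised without a running agent.
listing_has_fingerprint() {
    printf '%s\n' "$2" | awk -v fp="$1" '$2 == fp { found = 1 } END { exit !found }'
}

# agent_reachable -> 0 if an agent answers on SSH_AUTH_SOCK.
# `ssh-add -l` exits 0 with keys loaded, 1 with none loaded, 2 when no agent answers.
agent_reachable() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

ensure_agent() {
    if ! agent_reachable; then
        # No usable agent: start one for this script and kill it on exit so
        # stray agents holding the decrypted key do not accumulate.
        eval "$(ssh-agent -s)" >/dev/null
        trap 'ssh-agent -k >/dev/null' EXIT
    fi
}

ensure_key_loaded() {
    fp=$(fingerprint_of "$KEY.pub")
    listing=$(ssh-add -l 2>/dev/null || true)
    if listing_has_fingerprint "$fp" "$listing"; then
        echo "key already cached in agent: $fp"
    else
        # Prompts for the passphrase exactly once; -t makes the agent forget
        # the key after KEY_LIFETIME seconds.
        ssh-add -t "$KEY_LIFETIME" "$KEY"
    fi
}

main() {
    ensure_agent
    ensure_key_loaded
    ansible-playbook -i hosts/onamae1.kunikiya.jp playbook/cent7.yml \
        --private-key="$KEY" -K
}

# Only run the workflow when invoked as `./run-ansible.sh run`, so the functions
# above can be sourced or tested without touching a real agent.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Reusing an agent that is already running (for example the one your desktop session started) means the passphrase is typed once per session rather than once per script run, and the lifetime keeps a forgotten terminal from holding the decrypted key indefinitely.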
