linux - How to run an Ansible playbook from a GitHub Action without using an external action

fslejnso posted on 2022-11-02 in Linux
Follow (0) | Answers (2) | Views (242)

I have written a workflow file that prepares the runner to connect to the required server over ssh so that I can run an Ansible playbook.
ssh -t -v theUser@theHost shows that the SSH connection works.
However, the Ansible script tells me that the sudo password is missing.
If I remove the line ssh -t -v theUser@theHost, Ansible throws a connection timeout and cannot connect to the server.
=> fatal: [***]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host***port 22: Connection timed out

First, I don't understand why Ansible can only connect to the server when I run the command ssh -t -v theUser@theHost first.

The next question is that the user does not need any sudo password to have execution rights. The same Ansible playbook runs fine on my local machine without a sudo password. I configured the server so that the user recursively has sufficient permissions in the required folders.

My GitHub Action doesn't work at all. Can you tell me what I'm doing wrong?
My workflow file looks like this:

name: CI

# Controls when the workflow will run

on:
  # Triggers the workflow on push or pull request events but only for the "master" branch
  push:
    branches: [ "master" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:
  run-playbooks:
    runs-on: ubuntu-latest
    steps: 
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{secrets.REPO_TOKEN}}
      - name: Run Ansible Playbook
        run: |
         mkdir -p /home/runner/.ssh/
         touch /home/runner/.ssh/config
         touch /home/runner/.ssh/id_rsa
         echo -e "${{secrets.SSH_KEY}}" > /home/runner/.ssh/id_rsa
         echo -e "Host ${{secrets.SSH_HOST}}\nIdentityFile /home/runner/.ssh/id_rsa" >> /home/runner/.ssh/config 
         ssh-keyscan -H ${{secrets.SSH_HOST}} > /home/runner/.ssh/known_hosts
         cd myproject-infrastructure/ansible
         eval `ssh-agent -s`
         chmod 700 /home/runner/.ssh/id_rsa
         ansible-playbook -u ${{secrets.ANSIBLE_DEPLOY_USER}} -i hosts.yml setup-prod.yml
Answer 1, by quhf5bfb:

An alternative would be to test and use actions/run-ansible-playbook to run your playbook, without explaining why you get those errors.
That way you can check whether the "sudo Password is missing" error goes away with that configuration.

- name: Run playbook
  uses: dawidd6/action-ansible-playbook@v2
  with:
    # Required, playbook filepath
    playbook: deploy.yml
    # Optional, directory where playbooks live
    directory: ./
    # Optional, SSH private key
    key: ${{secrets.SSH_PRIVATE_KEY}}
    # Optional, literal inventory file contents
    inventory: |
      [all]
      example.com

      [group1]
      example.com
    # Optional, SSH known hosts file content
    known_hosts: .known_hosts
    # Optional, encrypted vault password
    vault_password: ${{secrets.VAULT_PASSWORD}}
    # Optional, galaxy requirements filepath
    requirements: galaxy-requirements.yml
    # Optional, additional flags to pass to ansible-playbook
    options: |
      --inventory .hosts
      --limit group1
      --extra-vars hello=there
      --verbose
Answer 2, by laik7k3q:

Finally found it.
First, the basic setup of the action itself.

name: CI

# Controls when the workflow will run

on:
  # Triggers the workflow on push or pull request events but only for the "master" branch
  push:
    branches: [ "master" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:

Next, add the job to run and check out the repository in the first step.

jobs:
  run-playbooks:
    runs-on: ubuntu-latest
    steps: 
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{secrets.REPO_TOKEN}}

Next, set up ssh properly.

      - name: Setup ssh
        shell: bash
        run: |
          service ssh status
          eval `ssh-agent -s`

First, you need to make sure the ssh service is running. In my case the ssh service was already running.
But when I tried it with Docker, I had to start the service manually first, e.g. with service ssh start. Next, make sure the .ssh folder exists for your user and copy your private key into it. I added a GitHub secret to my repository; in my case the user is the runner user.

          mkdir -p /home/runner/.ssh/
          touch /home/runner/.ssh/id_rsa
          echo -e "${{secrets.SSH_KEY}}" > /home/runner/.ssh/id_rsa

Make sure your private key is protected. Otherwise the ssh service will not accept it. To do so, run the following:

chmod 700 /home/runner/.ssh/id_rsa

Normally, when you start an ssh connection, the system asks whether you want to permanently save the host as a known host. Since we are running automatically, we cannot type yes. If you do not answer, the process fails.
You have to prevent the process from being interrupted by the prompt. To do so, you need to add the host to the known_hosts file yourself. You can use ssh-keyscan for that. Unfortunately, ssh-keyscan can produce output in different formats/types. In my case, just running ssh-keyscan was not enough; I had to add the additional type options to the command. The generated output has to be written to the known_hosts file in the user's .ssh folder.
So the next command is:

ssh-keyscan -t rsa,dsa,ecdsa,ed25519 ${{secrets.SSH_HOST}} >> /home/runner/.ssh/known_hosts

Now you are almost there. Just call the ansible-playbook command to run the Ansible script. I created a new step in which I change directory to the folder in my repository that holds my Ansible files.

      - name: Run ansible script
        shell: bash
        run: |
          cd infrastructure/ansible
          ansible-playbook --private-key /home/runner/.ssh/id_rsa -u ${{secrets.ANSIBLE_DEPLOY_USER}} -i hosts.yml setup-prod.yml

The full file:

name: CI

# Controls when the workflow will run

on:
  # Triggers the workflow on push or pull request events but only for the "master" branch
  push:
    branches: [ "master" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel

jobs:
  run-playbooks:
    runs-on: ubuntu-latest
    steps: 
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{secrets.REPO_TOKEN}}
      - name: Setup SSH 
        shell: bash
        run: |
         eval `ssh-agent -s`
         mkdir -p /home/runner/.ssh/
         touch /home/runner/.ssh/id_rsa
         echo -e "${{secrets.SSH_KEY}}" > /home/runner/.ssh/id_rsa
         chmod 700 /home/runner/.ssh/id_rsa
         ssh-keyscan -t rsa,dsa,ecdsa,ed25519 ${{secrets.SSH_HOST}} >> /home/runner/.ssh/known_hosts
      - name: Run ansible script
        shell: bash 
        run: |
          service ssh status
          cd infrastructure/ansible
          cat setup-prod.yml
          ansible-playbook -vvv --private-key /home/runner/.ssh/id_rsa -u ${{secrets.ANSIBLE_DEPLOY_USER}} -i hosts.yml setup-prod.yml

Next, enjoy...
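The "Setup SSH" step in the answer above works, but two of its details are worth tightening when the runner handles a deployment key: the key file is created with `touch` and filled before `chmod`, so for a moment it carries the runner's default permissions, and `ssh-keyscan` at run time trusts whatever host key the network returns on that run. The script below is an added example, not code from the original post or either answer. It prepares the `.ssh` directory the way the second answer describes, but creates every file owner-only from the start (`umask 077`), writes the key with `printf` instead of `echo -e`, sets the key to mode 600, and accepts a pinned `known_hosts` line so that `ssh-keyscan` is only a fallback. The directory path, the environment variable names and the demo values (the "key" and host-key data are placeholders, not real material) are assumptions made for the example; in a workflow they would come from secrets such as the page's `SSH_KEY` and `SSH_HOST`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): prepare a runner's ~/.ssh
# directory for a non-interactive Ansible run over SSH.
set -eu

# setup_ssh_dir DIR PRIVATE_KEY HOST [KNOWN_HOSTS_LINE]
# Writes the private key and known_hosts into DIR. When a pinned
# known_hosts line is supplied it is used verbatim; otherwise the host key
# is fetched with ssh-keyscan (trust-on-first-use, so pin it when you can).
setup_ssh_dir() {
  local dir="$1" key="$2" host="$3" pinned="${4:-}"
  (
    # umask 077 makes every file below owner-only at creation time, so the
    # key is never readable by other users, not even before the chmod.
    umask 077
    mkdir -p "$dir"
    # printf does not interpret backslash escapes the way echo -e does, so
    # the secret's content is written exactly as stored.
    printf '%s\n' "$key" > "$dir/id_rsa"
    if [ -n "$pinned" ]; then
      printf '%s\n' "$pinned" >> "$dir/known_hosts"
    else
      ssh-keyscan -t rsa,ecdsa,ed25519 "$host" >> "$dir/known_hosts"
    fi
  )
  chmod 700 "$dir"
  chmod 600 "$dir/id_rsa"
}

# check_key_perms FILE: succeeds if FILE is exactly mode 600 (owner
# read/write only); ssh refuses private keys readable by group or others.
check_key_perms() {
  [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

# host_is_pinned DIR HOST: succeeds if DIR/known_hosts has an (unhashed)
# entry whose first field is exactly HOST.
host_is_pinned() {
  awk -v h="$2" '$1 == h { found = 1 } END { exit !found }' "$1/known_hosts"
}

# demo: runs the setup against a temporary directory with constructed
# placeholder values (no network access, since a pinned line is supplied)
# and returns 0 when both checks pass.
demo() {
  local tmp rc=0
  tmp="$(mktemp -d)"
  setup_ssh_dir "$tmp/.ssh" \
    "-----BEGIN OPENSSH PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END OPENSSH PRIVATE KEY-----" \
    "deploy.example.internal" \
    "deploy.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERHOSTKEY"
  check_key_perms "$tmp/.ssh/id_rsa" || rc=1
  host_is_pinned "$tmp/.ssh" "deploy.example.internal" || rc=1
  rm -rf "$tmp"
  return "$rc"
}
```

In a workflow step you would call `setup_ssh_dir /home/runner/.ssh "$SSH_KEY" "$SSH_HOST" "$SSH_KNOWN_HOSTS"` with the three values mapped from secrets in the step's `env:` block (`SSH_KNOWN_HOSTS` is a hypothetical extra secret holding the server's host-key line, captured once from a trusted session); passing secrets through `env:` rather than `${{ }}` inside the script also keeps the key material out of shell parsing. The rest of the answer's step, `eval $(ssh-agent -s)` and the `ansible-playbook --private-key ...` call, stays as it is.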
