Ossian Story

[Ansible] Registering known_hosts

What is known_hosts?

When the Ansible server (source) tries to connect to an Ansible node (destination), SSH checks whether the target it is about to connect to is one it can trust.

known_hosts is the file in which the host keys of Ansible nodes (destinations) that the user has confirmed are stored.

Once a node's key is stored in known_hosts, SSH connects without asking the user to confirm the target again: on every later connection it compares the key the node presents with the stored one, and refuses to continue if they differ.

When known_hosts has no key for the Ansible node (destination)

SSH connects to the node and asks the user to confirm that the target is the intended one.

[vagrant@ansible-server .ssh]$ ssh node201
The authenticity of host 'node201 (192.168.1.201)' can't be established.
ECDSA key fingerprint is SHA256:ZCWb+uZU6v4iW+BUHZnQr+KMcT9o6ywTzLCD6eKRgmk.
ECDSA key fingerprint is MD5:ad:31:3e:08:31:11:4f:08:64:50:db:c2:20:0f:76:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node201,192.168.1.201' (ECDSA) to the list of known hosts.
vagrant@node201's password:

When known_hosts already has the key for the Ansible node (destination)

SSH connects to the node without asking the user for confirmation, because the target is already registered in known_hosts.

[vagrant@ansible-server .ssh]$ ssh node201
vagrant@node201's password:

These node key values are stored in the known_hosts file in the form shown below.

[vagrant@ansible-server ~]$ cat .ssh/known_hosts
node201,192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=

Registering Ansible nodes in known_hosts automatically

Checking the key value that will be registered in known_hosts

- Running ssh-keyscan -t ecdsa [HostName or IP] prints the Ansible node's key value that will be registered in known_hosts, as shown below.

[vagrant@ansible-server ~]$ ssh-keyscan -t ecdsa node201
# node201:22 SSH-2.0-OpenSSH_7.4
node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=

Writing the inventory file for the target Ansible nodes

- vi /home/vagrant/inventory

- Consecutive IPs can be written as a range in the form [start:end] instead of one address per line.

[vagrant@ansible-server ~]$ vi inventory

[ubunt]
192.168.1.[101:104]

[cent]
192.168.1.201
192.168.1.202
192.168.1.203
192.168.1.204

Writing the Ansible playbook

[vagrant@ansible-server ~]$ vi add_known_hosts.yml

---
- hosts: cent            # group in the inventory file whose nodes are processed
  connection: local      # the tasks run on the Ansible server itself, not on the nodes
  serial: 1              # process one host at a time instead of several hosts in parallel
  gather_facts: no

  tasks:
  - command: /usr/bin/ssh-keyscan -t ecdsa {{ ansible_host }}   # {{ ansible_host }} takes each node listed in the inventory in turn
    register: keyscan    # store the node's key value printed by the command in a variable named keyscan

  - lineinfile:
      path: ~/.ssh/known_hosts
      create: yes
      line: "{{ item }}"   # each line of keyscan.stdout_lines is appended to known_hosts
    with_items:
      - "{{ keyscan.stdout_lines }}"
Running the playbook

[vagrant@ansible-server ~]$ ansible-playbook -i inventory add_known_hosts.yml -k
SSH password:
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.201]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.201=> (item=192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.202]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.202=> (item=192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.203]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.203=> (item=192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.204]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.204=> (item=192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY RECAP *************************************************************************************************************************************************************************************************************
192.168.1.201              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.202              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.203              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.204              : ok=2    changed=2    unreachable=0    failed=0
Checking the nodes registered in known_hosts

[vagrant@ansible-server ~]$ cat .ssh/known_hosts
192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
SSH connection to an Ansible node

- Because the node is registered in known_hosts, the user is no longer asked to confirm the connection.

[vagrant@ansible-server ~]$ ssh 192.168.1.204
vagrant@192.168.1.204's password:

Question

After registering the nodes in known_hosts, connecting with ssh by hostname still asks the user to confirm the connection.

- The first field of each known_hosts entry identifies the host being connected to.

- Because the entries were registered by IP address, connecting by hostname finds no matching entry in known_hosts, so the prompt appears again.

- This can be solved by writing the inventory file and the playbook as shown below so that the hostnames are registered in known_hosts as well.
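The lookup works on the first field exactly as written, which is why an entry registered under the IP address does not answer for the hostname. The Python below is an added example, not code from this post, that reproduces that lookup: a plain token must equal the name ssh was given, a comma-separated token list covers each of its members, and a hashed token (the |1|salt|hmac form ssh writes when HashKnownHosts is enabled) is matched by recomputing HMAC-SHA1 over the name. Wildcard and negated patterns are deliberately left out. The sample entries are constructed; the key material is the one shown on this page.

```python
"""Which known_hosts entry answers for which host name?  Added example, not
from the original post.  Shows the matching rule for plain, comma-list and
hashed host tokens.  Sample entries are constructed."""
import base64
import hashlib
import hmac
import os

# Key type and blob from the post's known_hosts output.
KEY = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN"
       "LR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=")


def hash_host_token(hostname, salt=None):
    """Build the |1|salt|hmac token ssh writes with HashKnownHosts yes (20-byte salt,
    HMAC-SHA1 keyed with the salt over the host name)."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def token_matches(token, host):
    """Does one host token (plain or hashed) cover `host`?"""
    if token.startswith("|1|"):
        _, _, salt_b64, mac_b64 = token.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        got = hmac.new(salt, host.lower().encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, expected)
    # Plain token: exact match, case-insensitive (ssh lowercases the destination
    # name before the lookup).  '*', '?' and '!' patterns are not handled here.
    return token.lower() == host.lower()


def entries_for(host, lines):
    """Return the lines whose host field covers `host`: the entries ssh would consult."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host_field = fields[1] if fields[0].startswith("@") else fields[0]   # skip @cert-authority / @revoked
        if any(token_matches(token, host) for token in host_field.split(",")):
            hits.append(line)
    return hits


# Constructed file: IP-only entries as the first playbook produced them, one entry
# carrying both hostname and IP as ssh itself writes at first contact, and one
# hashed entry (fixed salt so the sample is reproducible).
HASHED_NODE203 = hash_host_token("node203", salt=b"\x01" * 20)
KNOWN_HOSTS = [
    f"192.168.1.201 {KEY}",
    f"192.168.1.202 {KEY}",
    f"node201,192.168.1.201 {KEY}",
    f"{HASHED_NODE203} {KEY}",
]


if __name__ == "__main__":
    for name in ("node201", "192.168.1.201", "node202", "node203"):
        print(name, "->", len(entries_for(name, KNOWN_HOSTS)), "matching entr(y/ies)")
```

With the constructed file, 192.168.1.201 matches two entries, node201 matches only the comma-list entry, node203 is found through the hashed token, and node202 matches nothing even though its IP is registered, which is the situation the question describes.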
Writing the inventory file

[vagrant@ansible-server ~]$ vi inventory

[ubunt]
192.168.1.[101:104]

[cent]
192.168.1.201 hostname=node201   # define a host variable named "hostname" on the Ansible host holding the node's hostname
192.168.1.202 hostname=node202
192.168.1.203 hostname=node203
192.168.1.204 hostname=node204

Writing the Ansible playbook

[vagrant@ansible-server ~]$ vi add_known_hosts.yml

---
- hosts: cent            # the inventory group defined above (the run below shows PLAY [cent])
  connection: local
  serial: 1
  gather_facts: no

  tasks:
  - command: /usr/bin/ssh-keyscan -t ecdsa {{ hostname }}   # uses the "hostname" variable written in the inventory file
    register: keyscan

  - lineinfile:
      path: ~/.ssh/known_hosts
      create: yes
      line: "{{ item }}"
    with_items:
      - "{{ keyscan.stdout_lines }}"
Running the playbook

[vagrant@ansible-server ~]$ ansible-playbook -i inventory add_known_hosts.yml -k
SSH password:
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.201]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.201=> (item=node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.202]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.202=> (item=node202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.203]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.203=> (item=node203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY [cent] ************************************************************************************************************************************************************************************************************
 
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.204]
 
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.204=> (item=node204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
 
PLAY RECAP *************************************************************************************************************************************************************************************************************
192.168.1.201              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.202              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.203              : ok=2    changed=2    unreachable=0    failed=0
192.168.1.204              : ok=2    changed=2    unreachable=0    failed=0
Checking the nodes registered in known_hosts

[vagrant@ansible-server ~]$ cat .ssh/known_hosts
192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
SSH connection to an Ansible node

- Because the hostname is now registered in known_hosts as well, the user is no longer asked to confirm the connection.

[vagrant@ansible-server ~]$ ssh node202
vagrant@node202's password: