[Ansible] Registering Known_hosts
What is Known_hosts?
When the Ansible Server (source) tries to connect to an Ansible Node (destination), SSH checks whether the host it is about to connect to is one that can be trusted.
Known_hosts is the file in which the keys of Ansible Nodes (destinations) that the user has confirmed are stored.
Once an Ansible Node's key is stored in Known_hosts, SSH connects to that host without asking the user to confirm it again.
When the Ansible Node's key is NOT in Known_hosts
SSH connects to the Ansible Node and asks the user to confirm that this is really the intended host.
[vagrant@ansible-server .ssh]$ ssh node201
The authenticity of host 'node201 (192.168.1.201)' can't be established.
ECDSA key fingerprint is SHA256:ZCWb+uZU6v4iW+BUHZnQr+KMcT9o6ywTzLCD6eKRgmk.
ECDSA key fingerprint is MD5:ad:31:3e:08:31:11:4f:08:64:50:db:c2:20:0f:76:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node201,192.168.1.201' (ECDSA) to the list of known hosts.
vagrant@node201's password:
When the Ansible Node's key IS in Known_hosts
SSH connects to the Ansible Node; because the host is already registered in Known_hosts, the user is not asked to confirm it.
[vagrant@ansible-server .ssh]$ ssh node201
vagrant@node201's password:
The Ansible Node (destination) key is stored in the Known_hosts file as shown below.
[vagrant@ansible-server ~]$ cat .ssh/known_hosts
node201,192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
Automatically registering Ansible Nodes in Known_hosts
Checking the key value that will be registered in Known_hosts
- Run ssh-keyscan -t ecdsa [HostName or IP] to see the Ansible Node key that will be written to Known_hosts, as shown below.
[vagrant@ansible-server ~]$ ssh-keyscan -t ecdsa node201
# node201:22 SSH-2.0-OpenSSH_7.4
node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
Writing the inventory file for the Ansible Nodes to be processed
- vi /home/vagrant/inventory
- When the IPs are consecutive, they can also be written as a range, [Start IP:End IP].
[vagrant@ansible-server ~]$ vi inventory
[ubunt]
192.168.1.[101:104]
[cent]
192.168.1.201
192.168.1.202
192.168.1.203
192.168.1.204
Writing the Ansible Playbook
[vagrant@ansible-server ~]$ vi add_known_hosts.yml
---
- hosts: cent          # group from the inventory file whose nodes are processed
  connection: local    # run on the Ansible server itself, not on the nodes
  serial: 1            # process one host at a time instead of several hosts in parallel
  gather_facts: no
  tasks:
    - command: /usr/bin/ssh-keyscan -t ecdsa {{ ansible_host }}   # ansible_host takes each node registered in the inventory in turn
      register: keyscan          # store the key returned by the command in a variable named keyscan
    - lineinfile:
        path: ~/.ssh/known_hosts
        create: yes
        line: "{{ item }}"       # each line of keyscan's stdout_lines is written to Known_hosts as one line
      with_items:
        - "{{ keyscan.stdout_lines }}"
Running the Ansible Playbook
[vagrant@ansible-server ~]$ ansible-playbook -i inventory add_known_hosts.yml -k
SSH password:
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.201]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.201] => (item=192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.202]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.202] => (item=192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.203]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.203] => (item=192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.204]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.204] => (item=192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY RECAP *************************************************************************************************************************************************************************************************************
192.168.1.201 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.202 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.203 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.204 : ok=2 changed=2 unreachable=0 failed=0
Checking the Nodes registered in Known_hosts
[vagrant@ansible-server ~]$ cat .ssh/known_hosts
192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
SSH connection to an Ansible Node
- Because the node is registered in Known_hosts, the user is no longer asked to confirm the connection.
[vagrant@ansible-server ~]$ ssh 192.168.1.204
vagrant@192.168.1.204's password:
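The playbook above writes whatever ssh-keyscan returns straight into known_hosts, which turns the "Are you sure you want to continue connecting" prompt into an automatic yes: ssh-keyscan only reports the key that the host at that address presents at that moment, so the procedure is trust-on-first-use done by a script. The shell example below is an addition to this post (it is not the author's code and not part of Ansible) and shows the check a practitioner would put in front of that write: compute the SHA256 fingerprint of a keyscan line in the same form OpenSSH prints it, and append the line only when it equals a fingerprint obtained out of band, for instance read from the node's console with ssh-keygen -lf. The sample line is node201's key as shown in the post; the function names and the expected-fingerprint argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the SHA256 fingerprint
# of an ssh-keyscan line against a value obtained out of band BEFORE appending
# the line to a known_hosts file. Needs only POSIX sh plus the coreutils
# base64 and sha256sum tools.

# Sample keyscan output line, copied from the post (node201's ECDSA host key).
SAMPLE_LINE='node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc='

# hex_to_bin HEX: write the raw bytes encoded by a hex string to stdout,
# using nothing beyond POSIX sh and printf octal escapes.
hex_to_bin() {
  hex=$1
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}   # first two hex digits
    hex=${hex#??}             # the rest
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# fingerprint_sha256 LINE: print the fingerprint of a keyscan/known_hosts line
# in the form OpenSSH shows it: "SHA256:" + unpadded base64 of sha256(key blob).
# LINE must be in the plain "host type base64key" layout that ssh-keyscan
# prints; @marker and hashed (|1|...) lines are not handled here.
fingerprint_sha256() {
  blob=$(printf '%s\n' "$1" | awk '{ print $3 }')
  hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
  printf 'SHA256:%s\n' "$(hex_to_bin "$hex" | base64 | tr -d '=\n')"
}

# add_if_fingerprint_matches LINE EXPECTED FILE: append LINE to FILE only when
# its fingerprint equals EXPECTED. Returns 0 when added, 1 on a mismatch (FILE
# is left untouched), 2 when the identical line is already present.
add_if_fingerprint_matches() {
  entry=$1; expected=$2; file=$3
  actual=$(fingerprint_sha256 "$entry")
  if [ "$actual" != "$expected" ]; then
    printf 'REFUSED %s: presented %s, expected %s\n' "${entry%% *}" "$actual" "$expected" >&2
    return 1
  fi
  if [ -f "$file" ] && grep -qxF -- "$entry" "$file"; then
    return 2
  fi
  printf '%s\n' "$entry" >> "$file"
}

# Demo: the operator supplies the fingerprint read off the node's console
# (here the computed value stands in for that out-of-band value), then a
# wrong fingerprint is tried and refused.
demo_file=$(mktemp)
console_fp=$(fingerprint_sha256 "$SAMPLE_LINE")
echo "fingerprint of sample line: $console_fp"
if add_if_fingerprint_matches "$SAMPLE_LINE" "$console_fp" "$demo_file"; then
  echo "added to $demo_file"
fi
if ! add_if_fingerprint_matches "$SAMPLE_LINE" 'SHA256:not-the-right-one' "$demo_file"; then
  echo "mismatch refused as intended"
fi
rm -f "$demo_file"
```

In the playbook this check would sit between the keyscan task and the lineinfile task, with the expected fingerprints kept as per-host inventory variables; an entry that the node cannot prove it owns should fail the play rather than be written.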
Question
The nodes are registered in Known_hosts, but connecting with ssh by hostname still asks the user to confirm the connection.
- The first field of each Known_hosts entry is the host information for the connection.
- Because that field was registered with the IP, connecting by hostname finds no matching entry in Known_hosts, so the question is asked again.
- In that case it can be resolved by writing the inventory file and Ansible Playbook as shown below and registering the hostnames in Known_hosts as well.
Writing the inventory file
[vagrant@ansible-server ~]$ vi inventory
[ubunt]
192.168.1.[101:104]
[cent]
192.168.1.201 hostname=node201 # create a variable named "hostname" for the Ansible host and set it to the node's hostname
192.168.1.202 hostname=node202
192.168.1.203 hostname=node203
192.168.1.204 hostname=node204
Writing the Ansible Playbook
[vagrant@ansible-server ~]$ vi add_known_hosts.yml
---
- hosts: cent
  connection: local
  serial: 1
  gather_facts: no
  tasks:
    - command: /usr/bin/ssh-keyscan -t ecdsa {{ hostname }}   # reads the "hostname" variable written in the inventory file
      register: keyscan
    - lineinfile:
        path: ~/.ssh/known_hosts
        create: yes
        line: "{{ item }}"
      with_items:
        - "{{ keyscan.stdout_lines }}"
Running the Ansible Playbook
[vagrant@ansible-server ~]$ ansible-playbook -i inventory add_known_hosts.yml -k
SSH password:
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.201]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.201] => (item=node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.202]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.202] => (item=node202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.203]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.203] => (item=node203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY [cent] ************************************************************************************************************************************************************************************************************
TASK [command] *********************************************************************************************************************************************************************************************************
changed: [192.168.1.204]
TASK [lineinfile] ******************************************************************************************************************************************************************************************************
changed: [192.168.1.204] => (item=node204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=)
PLAY RECAP *************************************************************************************************************************************************************************************************************
192.168.1.201 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.202 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.203 : ok=2 changed=2 unreachable=0 failed=0
192.168.1.204 : ok=2 changed=2 unreachable=0 failed=0
Checking the Nodes registered in Known_hosts
[vagrant@ansible-server ~]$ cat .ssh/known_hosts
192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
192.168.1.204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node202 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node203 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
node204 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc=
SSH connection to an Ansible Node
- Because the hostnames are now registered in Known_hosts as well, the user is no longer asked to confirm the connection.
[vagrant@ansible-server ~]$ ssh node202
vagrant@node202's password:
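The fix above scans every node a second time and keeps two known_hosts lines per node, one for the IP and one for the hostname. OpenSSH's own format allows a single line to carry all the names a host is reached by, separated by commas, which is exactly what ssh wrote in the first known_hosts listing of this post ("node201,192.168.1.201 ecdsa-sha2-nistp256 ..."). The shell example below is an addition to this post (not the author's code): known_hosts_entry turns one keyscan line plus the extra names into that combined form, and known_hosts_lookup resolves a name against the file the way ssh matches plain entries, so both the IP and the hostname can be checked without a second scan. The sample keyscan line is node201's key as gathered by the post's first playbook; the function names and the extra hostname are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: build a single known_hosts
# entry listing every name a node is reached by ("name1,name2 type key", the
# layout OpenSSH itself writes) and look entries up the way ssh does for
# plain, unhashed lines. Needs only POSIX sh and awk.

# Constructed sample: the keyscan line for node201 as the post's playbook
# gathers it (the first field is the IP because the playbook scanned by IP).
KEYSCAN_LINE='192.168.1.201 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNLR5UAGhtw8dxe1lfz7vvek6PQa8MT835wOwcc2B/awbQ4Gt1Fu0pRSabuTX4ppKCFkqqM0CvVOUgnLyf/fsFc='

# known_hosts_entry LINE NAME...: print LINE with its host field replaced by a
# comma-separated list of the scanned host plus every NAME (duplicates dropped,
# order preserved). The key type and key material are copied through as-is.
known_hosts_entry() {
  scanned=$1; shift
  names=${scanned%% *}          # first field: the host that was scanned
  type_and_key=${scanned#* }    # everything after it: "type base64key"
  for n in "$@"; do
    case ",$names," in
      *",$n,"*) ;;              # already listed
      *) names="$names,$n" ;;
    esac
  done
  printf '%s %s\n' "$names" "$type_and_key"
}

# known_hosts_lookup HOST FILE: print every plain entry of FILE whose host list
# contains HOST as an exact, comma-separated name. Comments are skipped, a
# leading @marker (@cert-authority, @revoked) is stepped over so the host list
# is still found, and hashed ("|1|...") entries are skipped because they cannot
# be matched by name. Wildcard and negation patterns, which ssh also accepts,
# are not matched here.
known_hosts_lookup() {
  awk -v h="$1" '
    /^[[:space:]]*#/ || NF < 3 { next }           # comment, blank or malformed line
    {
      hosts = ($1 ~ /^@/) ? $2 : $1               # skip an @marker field
      if (substr(hosts, 1, 1) == "|") next        # hashed entry
      n = split(hosts, names, ",")
      for (i = 1; i <= n; i++)
        if (names[i] == h) { print; break }
    }
  ' "$2"
}

# Demo: build the combined entry, write it to a scratch file, and resolve it
# by hostname, by IP, and by a name that is not registered.
demo_file=$(mktemp)
known_hosts_entry "$KEYSCAN_LINE" node201 node201.example.internal >> "$demo_file"
echo "by hostname: $(known_hosts_lookup node201 "$demo_file")"
echo "by IP:       $(known_hosts_lookup 192.168.1.201 "$demo_file")"
echo "unknown:     [$(known_hosts_lookup node202 "$demo_file")]"
rm -f "$demo_file"
```

With the combined entry in place, a single keyscan per node is enough: scan by IP as the first playbook does, pass the hostname variable from the inventory to known_hosts_entry, and write the result. Ansible also ships a known_hosts module (name and key parameters) that inserts or removes an entry idempotently, which avoids the duplicate lines that lineinfile can accumulate when a key is rotated.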