Ansible批量修改密码

共计 5105 个字符，预计需要花费 13 分钟才能阅读完成。

因为线上存在大量主机即将密码过期（每三个月过期），急需一个批量改密码的脚本好拯救我弱小的身板

这里记录下使用user模块修改用户密码

批量修改playbook

[xadocker@jenkins-master xadocker]$ cat play.yaml
---
- hosts: all
  gather_facts: false
  remote_user: xadocker
  become_user: root
  become: yes
  tasks:
    - name: chanage_user_pass
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }}  update_password=always
      with_items:
        - { name: 'root', chpass: "{{ root_passwd }}" }
        - { name: 'xadocker', chpass: "{{ xadocker_passwd }}" }

inventory主机清单

[xadocker@jenkins-master xadocker]$ cat hosts
[web]
192.168.237.119 root_passwd='hfs8HO903hk*&^' xadocker_passwd='%hkjh(hj23hsleF'
192.168.237.114 root_passwd='hfs8HO903hGGEk*&^' xadocker_passwd='%hkjh(hj23hslfhF'
192.168.237.115 root_passwd='hfs8HO90GG3hk*&^' xadocker_passwd='%hkjh(hj23hslefwF'

执行playbook

[xadocker@jenkins-master xadocker]$ ansible-playbook -i hosts play.yaml 

PLAY [all] ***************************************************************************************************************

TASK [chanage_user_pass] *************************************************************************************************
changed: [192.168.237.114] => (item={u'chpass': u'hfs8HO903hGGEk*&^', u'name': u'root'})
changed: [192.168.237.119] => (item={u'chpass': u'hfs8HO903hk*&^', u'name': u'root'})
changed: [192.168.237.115] => (item={u'chpass': u'hfs8HO90GG3hk*&^', u'name': u'root'})
changed: [192.168.237.119] => (item={u'chpass': u'%hkjh(hj23hsleF', u'name': u'xadocker'})
changed: [192.168.237.115] => (item={u'chpass': u'%hkjh(hj23hslefwF', u'name': u'xadocker'})
changed: [192.168.237.114] => (item={u'chpass': u'%hkjh(hj23hslfhF', u'name': u'xadocker'})

PLAY RECAP ***************************************************************************************************************
192.168.237.119            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.237.114            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.237.115            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[xadocker@jenkins-master xadocker]$ ansible-playbook -i hosts play.yaml 

PLAY [all] ***************************************************************************************************************

TASK [chanage_user_pass] *************************************************************************************************
changed: [192.168.237.115] => (item={u'chpass': u'hfs8HO90GG3hk*&^', u'name': u'root'})
changed: [192.168.237.114] => (item={u'chpass': u'hfs8HO903hGGEk*&^', u'name': u'root'})
changed: [192.168.237.119] => (item={u'chpass': u'hfs8HO903hk*&^', u'name': u'root'})
changed: [192.168.237.114] => (item={u'chpass': u'%hkjh(hj23hslfhF', u'name': u'xadocker'})
changed: [192.168.237.115] => (item={u'chpass': u'%hkjh(hj23hslefwF', u'name': u'xadocker'})
changed: [192.168.237.119] => (item={u'chpass': u'%hkjh(hj23hsleF', u'name': u'xadocker'})

PLAY RECAP ***************************************************************************************************************
192.168.237.119            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.237.114            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.237.115            : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

题外话：host里的密码如何批量生成，因为在使用ansible时，并未自动生成密码，所以需要提前生成密码并写在hosts中

1.安装pwgen密码生成器

[xadocker@jenkins-master xadocker]$ sudo yum install pwgen -y

2.生成密码

[xadocker@jenkins-master xadocker]$ pwgen -cny 20
chuCohg8gei.Thoo3cha tho5to0eep2Vi>oxu`gh ivi3eSh>ietu3noh1Ohw
he}ot9aithohquah=b1W Koothah3ahm{ai6ei6ve hei3eesohT5ughel}aa9
yei4gieToh?qua\kah9r uc=o9Equ1ongom5shoo1 eida,c9EiQu^i5phie=W
xa5michei^Ho6rex0ec+ aiPh|uapeinge9angahY eGhie/d[i6ies6iech7z
paesh2aRuath/ailaiko eesiopu(o6roh$Vai6if rae/qu0Lie@G{a9eet?e
ID{ee9Keimei4ir$o4qu eeb2cu?uw1nie4xu7aeD oaN@uugiu5gieFahgho8
aechoo9ni9ahp/ei8Koo Oghaig!eem1quua5Soo| aiNg1cu@o2ahF%ie=c~i
Duip9axii8gaej.ohb3i reeYo_ng0ahc"ahk6zit dai^Chie+d3bi}Mailin
xoo+gie8aito8vaSaike ox7sahHoo;sh(ohghieY ijai4oogh;ie0ibiV6ie
Eighooco6Thah5kaJah" eikio8Hei$Reebiajai3 ieJae7tie{guphoo7gid
Eechai|w4Hie7Au{l5ee iequ}e`da`a2ieTh3Aep Ziegh3wais"u4ooth?ai
aibee0aing~ai1Rah1ie eeph6PaweuN4je`shahb oCei8Uph8thoh[ng,eed
wesh1thes<i-re"aJoo7 diCh.ae2raiceim9da4I iek]eiT3wee)ch)i3Xoh
ahthi1ahMeeh&oo!phei keifaiReiPh*ei9Aey>u naishai9cua$f4Aethe^
ui&woPheiSeheiViw9ru jaiPh4neiSh@aifahqu> aipaa7aechaz@iM7too+
Ahsaechohc.i<r/i>x8E id6peisahwah9De4vu@c dieb7aikoolea6oYah@c
nohc0koogh*i3oohoo4O AhMi5Ez#ia3yohqu9eeh aih9moo*lai(m7nahJ4E
Ro3ahc3eloaboh\ei`c+ Hei8lie;b3iH5ohnguph Sooph{ie3Ahleb@oxuib
ochie0joch,ae3eix5Da ha1eif7iesh'aich4Tha lee4auku"oNei0Voh%Ra
quo9kae\lah4Ideingai OoCooj8Pah1ab7ohroh_ chi;u3yoh3ohvooseeLe

思路：收集主机地址列表写入hosts中，这种东西在你管理批量主机时是首要的工作之一，别说你没有记录，或没有别的方式收集到（真的话那你就你个一个收集吧）

# host样例
[web]
192.168.237.119

[test]
192.168.237.114

[db]
192.168.237.115

3.使用shell脚本配合pwgen生成密码

[xadocker@jenkins-master xadocker]$ cat gen_hosts.sh 
#!/bin/bash
cat hosts| while read line;
do
    echo $line | egrep '^\[|^#|^$' && continue
    echo $line root_passwd=\'`pwgen -cny 20`\' xadoker_passwd=\'`pwgen -cny 20`\'
done

4.生成hosts

[xadocker@jenkins-master xadocker]$ bash gen_hosts.sh 
[web]
192.168.237.119 root_passwd='oShohje8Oa\T8eich9ie' xadoker_passwd='ua3aeShah^geiSail4uf'

[test]
192.168.237.114 root_passwd='aiv(ah4quaxa|u6Iej8o' xadoker_passwd='eequ`a7maem+eihaeG0A'

[db]
192.168.237.115 root_passwd='vieRa=u5vo7aeNgailoh' xadoker_passwd='thoh0AiLu5tu0uho~o)x'