2016年12月8日

Configuring sshd with ansible


Prerequisites

Already done up to this point:

  1. A host for running ansible, set up with vagrant's ansible_local
  2. Basic configuration of CentOS 7.2 from that host with ansible

What this post does

  1. Configure sshd with ansible
  2. Run ansible to apply the settings
  3. Confirm sshd is running

1. Configure sshd with ansible

File layout

$ tree
.
├── Vagrantfile
├── ansible.cfg
└── provision
    ├── development
    ├── group_vars
    │   └── web.yml
    ├── host
    ├── roles
    │   ├── CentOS7.2
    │   │   ├── handlers
    │   │   │   └── main.yml        <<<< changed
    │   │   ├── tasks
    │   │   │   ├── chrony.yml
    │   │   │   ├── env.yml
    │   │   │   ├── locale.yml
    │   │   │   ├── main.yml        <<<< changed
    │   │   │   ├── selinux.yml
    │   │   │   ├── sshd.yml        <<<< added
    │   │   │   └── yumallupdate.yml
    │   │   ├── templates
    │   │   │   ├── alias.sh.j2
    │   │   │   └── chrony.conf.j2
    │   │   └── vars
    │   │       └── main.yml
    │   └── ansible
    │       ├── tasks
    │       │   ├── main.yml
    │       │   └── ssh.yml
    │       └── templates
    │           └── ssh
    │               └── config.j2
    └── site.yml

12 directories, 20 files

Each file

provision/roles/CentOS7.2/tasks/main.yml

@@ -6,3 +6,4 @@
 - include: chrony.yml
 - include: env.yml
 - include: selinux.yml
+- include: sshd.yml
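Review bot: sshd.yml is appended last, after selinux.yml, which is the order you want if `Port {{ ansible_port }}` ever resolves to something other than 22: the firewall rule (and, with SELinux enforcing, the port label) must exist before the `restart sshd` handler moves the daemon to the new port, or the next play loses its connection. On Ansible 2.4 and later the bare `- include:` form for task files is deprecated; `- import_tasks: sshd.yml` is the static equivalent of what this line does here.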

provision/roles/CentOS7.2/tasks/sshd.yml

---
# file: ./CentOS7.2/tasks/sshd.yml

- block:

  # Keep a one-time copy of the stock sshd_config so the diff below
  # (and a manual rollback) always has the original to compare against.
  - name: check existing sshd_config backup file
    stat:
      path: /etc/ssh/sshd_config.bk
    register: sshd_config_bkup

  - debug: var=sshd_config_bkup

  - name: copy sshd_config to bk
    command: cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
    when: not sshd_config_bkup.stat.exists

  # backrefs: yes means a line is only rewritten when regexp matches an
  # existing line; a keyword that is absent from the file is NOT appended.
  # lineinfile rewrites the LAST matching line, which is why
  # PasswordAuthentication uses the anchored '^PasswordAuthentication yes':
  # the stock CentOS 7 file carries a commented-out copy of that keyword
  # above the active one, and the active line is the one that must change.
  - name: modify sshd_config
    lineinfile:
      dest: /etc/ssh/sshd_config
      state: present
      backrefs: yes
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
    with_items:
      - regexp: '^#?\s*Port'
        line: 'Port {{ ansible_port }}'
      - regexp: '^#?\s*PermitRootLogin'
        line: 'PermitRootLogin no'
      - regexp: '^PasswordAuthentication yes'
        line: 'PasswordAuthentication no'
      - regexp: '^#?\s*PubkeyAuthentication'
        line: 'PubkeyAuthentication yes'
    notify:
      - restart sshd
    tags:              # merged with the block's tags: construct, ssh, sshd
      - construct
      - ssh

  # diff exits 1 whenever the two files differ, so this task is reported
  # as failed on every run that changed something; ignore_errors keeps
  # the play going and the debug task below prints the diff.
  - name: check sshd_config changed
    command: diff /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
    register: sshd_config_diff
    ignore_errors: yes

  - debug: var=sshd_config_diff.stdout_lines

  become: yes
  tags:
    - construct
    - sshd

provision/roles/CentOS7.2/handlers/main.yml

@@ -8,3 +8,10 @@
       name: chronyd
       state: restarted
       enabled: yes
+
+  - name: restart sshd
+    become: yes
+    service:
+      name: sshd
+      state: restarted
+      enabled: yes
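Review bot: this handler restarts sshd after lineinfile has already rewritten /etc/ssh/sshd_config, so a malformed edit would restart the daemon into a failed state and cut off the only path onto the box; validate before the handler can fire by adding `validate: '/usr/sbin/sshd -t -f %s'` to the lineinfile task, so a file that fails `sshd -t` is never installed. Separately, `enabled: yes` inside a handler only takes effect on runs where the handler is notified; put it in an ordinary `service` task so an sshd that has been disabled is re-enabled on every run, not only when the config changes.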

2. Run ansible to apply the settings

$ ansible-playbook -i /vagrant/development /vagrant/site.yml

PLAY [web] *********************************************************************

TASK [setup] *******************************************************************
ok: [192.168.52.52]

TASK [CentOS7.2 : yum update all] **********************************************
ok: [192.168.52.52]

TASK [CentOS7.2 : check CentOS version] ****************************************
changed: [192.168.52.52]

TASK [CentOS7.2 : set LANG] ****************************************************
changed: [192.168.52.52]

TASK [CentOS7.2 : set keymap] **************************************************
changed: [192.168.52.52]

TASK [CentOS7.2 : set timezone] ************************************************
changed: [192.168.52.52]

TASK [CentOS7.2 : install chrony] **********************************************
ok: [192.168.52.52]

TASK [CentOS7.2 : start chrony] ************************************************
ok: [192.168.52.52]

TASK [CentOS7.2 : copy chrony.conf template] ***********************************
ok: [192.168.52.52]

TASK [CentOS7.2 : copy /etc/profile.d/alias.sh template] ***********************
ok: [192.168.52.52]

TASK [CentOS7.2 : install selinux util] ****************************************
ok: [192.168.52.52] => (item=[u'libselinux-python', u'libselinux-utils', u'selinux-policy', u'selinux-policy-targeted'])

TASK [CentOS7.2 : disable selinux] *********************************************
ok: [192.168.52.52]

TASK [CentOS7.2 : check existing sshd_config backup file] **********************
ok: [192.168.52.52]

TASK [CentOS7.2 : debug] *******************************************************
ok: [192.168.52.52] => {
    "sshd_config_bkup": {
        "changed": false,
        "stat": {
            "exists": false
        }
    }
}

TASK [CentOS7.2 : copy sshd_config to bk] **************************************
changed: [192.168.52.52]

TASK [CentOS7.2 : modify sshd_config] ******************************************
changed: [192.168.52.52] => (item={u'regexp': u'^#?\\s*Port', u'line': u'Port 22'})
changed: [192.168.52.52] => (item={u'regexp': u'^#?\\s*PermitRootLogin', u'line': u'PermitRootLogin no'})
changed: [192.168.52.52] => (item={u'regexp': u'^PasswordAuthentication yes', u'line': u'PasswordAuthentication no'})
changed: [192.168.52.52] => (item={u'regexp': u'^#?\\s*PubkeyAuthentication', u'line': u'PubkeyAuthentication yes'})

TASK [CentOS7.2 : check sshd_config changed] ***********************************
fatal: [192.168.52.52]: FAILED! => {"changed": true, "cmd": ["diff", "/etc/ssh/sshd_config", "/etc/ssh/sshd_config.bk"], "delta": "0:00:00.002562", "end": "2016-12-08 16:24:22.570969", "failed": true, "rc": 1, "start": "2016-12-08 16:24:22.568407", "stderr": "", "stdout": "17c17\n< Port 22\n---\n> #Port 22\n49c49\n< PermitRootLogin no\n---\n> #PermitRootLogin yes\n55c55\n< PubkeyAuthentication yes\n---\n> #PubkeyAuthentication yes\n79c79\n< PasswordAuthentication no\n---\n> PasswordAuthentication yes", "stdout_lines": ["17c17", "< Port 22", "---", "> #Port 22", "49c49", "< PermitRootLogin no", "---", "> #PermitRootLogin yes", "55c55", "< PubkeyAuthentication yes", "---", "> #PubkeyAuthentication yes", "79c79", "< PasswordAuthentication no", "---", "> PasswordAuthentication yes"], "warnings": []}
...ignoring

TASK [CentOS7.2 : debug] *******************************************************
ok: [192.168.52.52] => {
    "sshd_config_diff.stdout_lines": [
        "17c17",
        "< Port 22",
        "---",
        "> #Port 22",
        "49c49",
        "< PermitRootLogin no",
        "---",
        "> #PermitRootLogin yes",
        "55c55",
        "< PubkeyAuthentication yes",
        "---",
        "> #PubkeyAuthentication yes",
        "79c79",
        "< PasswordAuthentication no",
        "---",
        "> PasswordAuthentication yes"
    ]
}

RUNNING HANDLER [CentOS7.2 : restart sshd] *************************************
changed: [192.168.52.52]

PLAY RECAP *********************************************************************
192.168.52.52              : ok=19   changed=7    unreachable=0    failed=0

3. Confirm sshd is running

[vagrant@web ssh]$ systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2016-12-08 16:24:22 JST; 48min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 15539 (sshd)
   CGroup: /system.slice/sshd.service
           └─15539 /usr/sbin/sshd -D
[vagrant@web ssh]$
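The `systemctl status` above only proves the daemon came back; it says nothing about whether the hardened values are the ones sshd enforces. sshd uses the first value it reads for a keyword, whereas lineinfile rewrote the last matching line, so a stray active `PasswordAuthentication yes` earlier in the file would silently win. On the host, `sshd -T` prints the effective configuration and is the authoritative check. The POSIX shell script below is an added example that is not part of the original post: it applies sshd's first-value-wins rule to an sshd_config file offline and checks the three settings the playbook sets (plus any `Keyword=value` pairs you pass). The two sample configs it writes are constructed for the demonstration, not taken from a host.

```shell
#!/bin/sh
# Offline check of an sshd_config against the values the playbook is meant to set.
# Usage: check_hardening /etc/ssh/sshd_config [Keyword=value ...]
# Exit status 0 when every expected value is the effective one, 1 otherwise.
#
# sshd_config(5): "For each keyword, the first obtained value will be used."
# lineinfile, by contrast, rewrites the LAST line matching its regexp, so the
# effective value must be read the way sshd reads it, not the way Ansible wrote it.
# This parser ignores Match blocks; on a live host `sshd -T` is authoritative.

# effective_value FILE KEYWORD  -> prints the first uncommented value, or nothing
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }    # keywords are case-insensitive; first wins
    ' "$1"
}

# check_hardening FILE [Keyword=value ...]
# Defaults to the three settings the sshd.yml task enforces.
check_hardening() {
    f="$1"; shift
    [ $# -gt 0 ] || set -- PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes
    rc=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$f" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok: $key $want"
        else
            echo "NG: $key is '${got:-<unset, sshd default applies>}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what the stock CentOS 7 file looks like after the playbook
# (commented defaults left in place above the rewritten active lines).
write_hardened_sample() {
    cat > "$1" <<'EOF'
#Port 22
Port 22
#PermitRootLogin yes
PermitRootLogin no
#PubkeyAuthentication yes
PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
EOF
}

# Constructed sample: a duplicate active "yes" placed earlier in the file.
# lineinfile would have rewritten only the later line, and sshd keeps the earlier one.
write_trapped_sample() {
    cat > "$1" <<'EOF'
PasswordAuthentication yes
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}
```

Source the file and run `check_hardening /etc/ssh/sshd_config Port=22` on the guest after the play; a non-zero exit with an `NG:` line means the value sshd will enforce is not the one lineinfile wrote, which is exactly the case a `diff` against the backup cannot reveal.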