{"id":12176,"date":"2025-02-17T11:55:53","date_gmt":"2025-02-17T19:55:53","guid":{"rendered":"https:\/\/www.xh86.me\/?p=12176"},"modified":"2025-02-18T21:13:27","modified_gmt":"2025-02-19T05:13:27","slug":"debian-12-%e7%bd%91%e7%bb%9c%e8%b7%b3%e6%9d%bf%e6%9c%ba%ef%bc%88bastion-host%ef%bc%89%e6%90%ad%e5%bb%ba%e4%b8%8e-ansible-%e8%87%aa%e5%8a%a8%e5%8c%96%e7%ae%a1%e7%90%86%e6%8c%87%e5%8d%97","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=12176","title":{"rendered":"Debian 12 \u7f51\u7edc\u8df3\u677f\u673a\uff08Bastion Host\uff09\u642d\u5efa\u4e0e Ansible \u81ea\u52a8\u5316\u7ba1\u7406\u6307\u5357"},"content":{"rendered":"<h2><strong>1. \u5b89\u88c5 Ansible<\/strong><\/h2>\n<h3><strong>1.1 \u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6<\/strong><\/h3>\n<pre><code class=\"language-bash\">sudo apt update\r\nsudo apt install -y python3-venv python3-pip sshpass\r\n<\/code><\/pre>\n<h3><strong>1.2 \u4f7f\u7528 <code>venv<\/code> \u65b9\u5f0f\u5b89\u88c5 Ansible<\/strong><\/h3>\n<pre><code class=\"language-bash\">python3 -m venv ~\/ansible_venv\r\nsource ~\/ansible_venv\/bin\/activate\r\npip install --upgrade pip\r\npip install ansible\r\n<\/code><\/pre>\n<p><strong>\u6bcf\u6b21\u4f7f\u7528 Ansible \u65f6<\/strong>\uff0c\u9700\u6fc0\u6d3b\u73af\u5883\uff1a<\/p>\n<pre><code class=\"language-bash\">source ~\/ansible_venv\/bin\/activate\r\nansible --version\r\n<\/code><\/pre>\n<blockquote><p><strong>\u53ef\u9009\uff1a\u521b\u5efa\u5168\u5c40\u547d\u4ee4\u8f6f\u94fe\u63a5<\/strong><\/p><\/blockquote>\n<pre><code class=\"language-bash\">sudo ln -s ~\/ansible_venv\/bin\/ansible \/usr\/local\/bin\/ansible\r\nsudo ln -s ~\/ansible_venv\/bin\/ansible-playbook \/usr\/local\/bin\/ansible-playbook\r\n<\/code><\/pre>\n<hr \/>\n<h2><strong>2. 
\u5b89\u88c5 Ansible \u7f51\u7edc\u7ba1\u7406\u63d2\u4ef6<\/strong><\/h2>\n<pre><code class=\"language-bash\">ansible-galaxy collection install \\\r\n    amazon.aws:9.1.1 \\\r\n    ansible.netcommon:7.1.0 \\\r\n    ansible.posix:1.6.2 \\\r\n    ansible.utils:5.1.2 \\\r\n    ansible.windows:2.7.0 \\\r\n    arista.eos:10.0.1 \\\r\n    awx.awx:24.6.1 \\\r\n    azure.azcollection:3.1.0 \\\r\n    check_point.mgmt:6.2.1 \\\r\n    chocolatey.chocolatey:1.5.3 \\\r\n    cisco.aci:2.10.1 \\\r\n    cisco.asa:6.1.0 \\\r\n    cisco.dnac:6.28.0 \\\r\n    cisco.intersight:2.0.20 \\\r\n    cisco.ios:9.1.0 \\\r\n    cisco.iosxr:10.3.0 \\\r\n    cisco.ise:2.10.0 \\\r\n    cisco.meraki:2.20.5 \\\r\n    cisco.mso:2.9.0 \\\r\n    cisco.nxos:9.3.0 \\\r\n    cisco.ucs:1.15.0 \\\r\n    cloud.common:4.0.0 \\\r\n    cloudscale_ch.cloud:2.4.1 \\\r\n    community.aws:9.0.0 \\\r\n    community.ciscosmb:1.0.10 \\\r\n    community.crypto:2.24.0 \\\r\n    community.digitalocean:1.27.0 \\\r\n    community.dns:3.1.2 \\\r\n    community.docker:4.3.1 \\\r\n    community.general:10.3.0 \\\r\n    community.grafana:2.1.0 \\\r\n    community.hashi_vault:6.2.0 \\\r\n    community.hrobot:2.1.0 \\\r\n    community.library_inventory_filtering_v1:1.0.2 \\\r\n    community.libvirt:1.3.1 \\\r\n    community.mongodb:1.7.9 \\\r\n    community.mysql:3.12.0 \\\r\n    community.network:5.1.0 \\\r\n    community.okd:4.0.1 \\\r\n    community.postgresql:3.10.2 \\\r\n    community.proxysql:1.6.0 \\\r\n    community.rabbitmq:1.4.0 \\\r\n    community.routeros:3.3.0 \\\r\n    community.sap_libs:1.4.2 \\\r\n    community.sops:2.0.1 \\\r\n    community.vmware:5.3.0 \\\r\n    community.windows:2.3.0 \\\r\n    community.zabbix:3.2.0 \\\r\n    containers.podman:1.16.2 \\\r\n    cyberark.conjur:1.3.2 \\\r\n    cyberark.pas:1.0.30 \\\r\n    dellemc.enterprise_sonic:2.5.1 \\\r\n    dellemc.openmanage:9.10.0 \\\r\n    dellemc.powerflex:2.6.0 \\\r\n    dellemc.unity:2.0.0 \\\r\n    f5networks.f5_modules:1.34.1 \\\r\n    
fortinet.fortimanager:2.8.2 \\\r\n    fortinet.fortios:2.3.9 \\\r\n    google.cloud:1.5.0 \\\r\n    grafana.grafana:5.7.0 \\\r\n    hetzner.hcloud:4.2.2 \\\r\n    ibm.qradar:4.0.0 \\\r\n    ibm.spectrum_virtualize:2.0.0 \\\r\n    ibm.storage_virtualize:2.6.0 \\\r\n    ieisystem.inmanage:3.0.0 \\\r\n    infinidat.infinibox:1.4.5 \\\r\n    infoblox.nios_modules:1.7.1 \\\r\n    inspur.ispim:2.2.3 \\\r\n    junipernetworks.junos:9.1.0 \\\r\n    kaytus.ksmanage:2.0.0 \\\r\n    kubernetes.core:5.1.0 \\\r\n    kubevirt.core:2.1.0 \\\r\n    lowlydba.sqlserver:2.5.0 \\\r\n    microsoft.ad:1.8.0 \\\r\n    netapp.cloudmanager:21.24.0 \\\r\n    netapp.ontap:22.13.0 \\\r\n    netapp.storagegrid:21.13.0 \\\r\n    netapp_eseries.santricity:1.4.1 \\\r\n    netbox.netbox:3.20.0 \\\r\n    ngine_io.cloudstack:2.5.0 \\\r\n    openstack.cloud:2.4.1 \\\r\n    ovirt.ovirt:3.2.0 \\\r\n    purestorage.flasharray:1.32.0 \\\r\n    purestorage.flashblade:1.19.2 \\\r\n    sensu.sensu_go:1.14.0 \\\r\n    splunk.es:4.0.0 \\\r\n    telekom_mms.icinga_director:2.2.2 \\\r\n    theforeman.foreman:4.2.0 \\\r\n    vmware.vmware:1.9.0 \\\r\n    vmware.vmware_rest:4.5.0 \\\r\n    vultr.cloud:1.13.0 \\\r\n    vyos.vyos:5.0.0 \\\r\n    wti.remote:1.0.10\r\n<\/code><\/pre>\n<hr \/>\n<h2><strong>3. 
\u914d\u7f6e <code>\/etc\/ansible\/hosts<\/code><\/strong><\/h2>\n<p>sudo mkdir -p \/etc\/ansible<br \/>\nsudo touch \/etc\/ansible\/hosts<br \/>\nsudo chmod 600 \/etc\/ansible\/hosts<\/p>\n<p><strong>安全提示：<\/strong>该文件以明文保存所有设备密码，644 会让本机任何账号都能读到，因此权限应收紧为 600，并用 <code>sudo chown &lt;运维账号&gt; \/etc\/ansible\/hosts<\/code> 把属主改成实际运行 ansible 和 jump 脚本的账号（否则以 root 创建后普通用户无法读取）。更稳妥的做法是把 <code>ansible_password<\/code> 放进 <code>ansible-vault<\/code> 加密的变量文件，或在设备固件支持时改用 SSH 公钥认证。<\/p>\n<p># Cisco IOS \u8bbe\u5907<br \/>\n[cisco_ios]<br \/>\n2960-1 ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.ios ansible_connection=network_cli<br \/>\n2960-2 ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.ios ansible_connection=network_cli<br \/>\n2960-3 ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.ios ansible_connection=network_cli<br \/>\n2960-4 ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.ios ansible_connection=network_cli<\/p>\n<p># Cisco NX-OS \u8bbe\u5907<br \/>\n[cisco_nxos]<br \/>\nN9K ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.nxos ansible_connection=network_cli<br \/>\nN3K ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.nxos ansible_connection=network_cli<br \/>\nN5K ansible_host=xxxxxxx ansible_user=admin ansible_password=&quot;xxxxxxx&quot; ansible_port=22 ansible_network_os=cisco.nxos ansible_connection=network_cli<\/p>\n<p># \u8bbe\u5907\u5206\u7ec4<br \/>\n[all_network_devices:children]<br \/>\ncisco_ios<br \/>\ncisco_nxos<\/p>\n<p>&nbsp;<\/p>\n<h1 data-start=\"3169\" data-end=\"3187\"><strong data-start=\"3171\" data-end=\"3187\">4. 
SSH \u8df3\u677f\u673a\u529f\u80fd<\/strong><\/h1>\n<h3 data-start=\"3188\" data-end=\"3206\"><strong data-start=\"3192\" data-end=\"3206\">4.1 \u8bbe\u5907\u5217\u8868\u67e5\u770b<\/strong><\/h3>\n<p data-start=\"3207\" data-end=\"3240\">\u521b\u5efa <code data-start=\"3210\" data-end=\"3239\">\/usr\/local\/bin\/show_devices<\/code>\uff1a<\/p>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary dark:bg-gray-950\">\n<div class=\"flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between rounded-t-[5px] h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none\"><\/div>\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"!whitespace-pre language-bash\">#!\/bin\/bash<br \/>\necho \"===== \u53ef\u7ba1\u7406\u7684\u7f51\u7edc\u8bbe\u5907\u5217\u8868 =====\"<br \/>\n# 跳过空行和注释行，序号按有效设备行递增，与 jump 脚本里的编号保持一致（原来打印的 NR 是文件行号，会和 jump 的编号对不上）<br \/>\nawk '!\/^#|^$\/ &amp;&amp; \/ansible_host\/ {print ++n, $1, $2, $3}' \/etc\/ansible\/hosts | sed 's\/ansible_host=\/\/g'<br \/>\n<\/code><\/div>\n<div dir=\"ltr\"><\/div>\n<\/div>\n<div class=\"contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary dark:bg-gray-950\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\"><code class=\"!whitespace-pre language-bash\"><span class=\"hljs-built_in\">chmod<\/span> +x \/usr\/local\/bin\/show_devices<br \/>\n<\/code><\/div>\n<\/div>\n<h3 data-start=\"3437\" data-end=\"3455\"><strong data-start=\"3441\" data-end=\"3455\">4.2 \u9009\u62e9\u8bbe\u5907\u767b\u5f55<\/strong><\/h3>\n<p>\u521b\u5efa <code data-start=\"3459\" data-end=\"3480\">\/usr\/local\/bin\/jump<\/code><\/p>\n<p>&nbsp;<\/p>\n<p>#!\/bin\/bash<br \/>\necho &quot;===== \u8bf7\u9009\u62e9\u8981\u8fde\u63a5\u7684\u8bbe\u5907 =====&quot;<\/p>\n<p># **\u8fc7\u6ee4\u7a7a\u884c\u548c\u6ce8\u91ca\uff0c\u89e3\u6790\u8bbe\u5907\u5217\u8868**<br \/>\nmapfile -t devices &lt; &lt;(awk '!\/^#|^$\/ &amp;&amp; \/ansible_host\/ {print 
$1}' \/etc\/ansible\/hosts)<\/p>\n<p># **\u663e\u793a\u8bbe\u5907\u5217\u8868\uff08\u786e\u4fdd\u5e8f\u53f7\u6b63\u786e\uff09**<br \/>\nfor i in &quot;${!devices[@]}&quot;; do<br \/>\necho &quot;$((i+1)). ${devices[$i]}&quot;<br \/>\ndone<\/p>\n<p># **\u7528\u6237\u9009\u62e9\u8bbe\u5907**<br \/>\n# 先用正则确认输入是纯数字，否则 -lt \/ -gt 碰到非数字会直接报错<br \/>\nread -p &quot;\u8f93\u5165\u8bbe\u5907\u7f16\u53f7: &quot; choice<br \/>\nif [[ ! &quot;$choice&quot; =~ ^[0-9]+$ || &quot;$choice&quot; -lt 1 || &quot;$choice&quot; -gt &quot;${#devices[@]}&quot; ]]; then<br \/>\necho &quot;\u65e0\u6548\u9009\u62e9\uff0c\u8bf7\u8f93\u5165\u6b63\u786e\u7f16\u53f7\u3002&quot;<br \/>\nexit 1<br \/>\nfi<\/p>\n<p># **\u89e3\u6790\u6240\u9009\u8bbe\u5907\u7684 IP\u3001\u7528\u6237\u540d\u3001\u5bc6\u7801\u3001\u7aef\u53e3**<br \/>\nselected_device_line=$(awk '!\/^#|^$\/ &amp;&amp; \/ansible_host\/ {print $1, $2, $3, $4, $5}' \/etc\/ansible\/hosts | sed -n &quot;${choice}p&quot;)<\/p>\n<p>device_name=$(echo &quot;$selected_device_line&quot; | awk '{print $1}')<br \/>\nip=$(echo &quot;$selected_device_line&quot; | awk '{print $2}' | sed 's\/ansible_host=\/\/g')<br \/>\nuser=$(echo &quot;$selected_device_line&quot; | awk '{print $3}' | sed 's\/ansible_user=\/\/g')<br \/>\npass=$(echo &quot;$selected_device_line&quot; | awk '{print $4}' | sed 's\/ansible_password=\/\/g' | sed 's\/&quot;\/\/g')<br \/>\nport=$(echo &quot;$selected_device_line&quot; | awk '{print $5}' | sed 's\/ansible_port=\/\/g')<\/p>\n<p># **\u68c0\u67e5\u89e3\u6790\u662f\u5426\u6210\u529f**<br \/>\nif [[ -z &quot;$ip&quot; || -z &quot;$user&quot; || -z &quot;$pass&quot; || -z &quot;$port&quot; || ! 
&quot;$port&quot; =~ ^[0-9]+$ ]]; then<br \/>\necho &quot;\u89e3\u6790\u7aef\u53e3\u9519\u8bef\uff01\u8bf7\u68c0\u67e5 \/etc\/ansible\/hosts\uff0c\u786e\u4fdd ansible_password \u548c ansible_port \u5b58\u5728\uff0c\u5e76\u6309\u6b63\u786e\u987a\u5e8f\u6392\u5217\u3002&quot;<br \/>\n# 密码绝不能打印到终端或日志里，这里只输出非敏感字段<br \/>\necho &quot;\u5f53\u524d\u89e3\u6790\u7ed3\u679c: device_name='$device_name', ip='$ip', user='$user', port='$port'&quot;<br \/>\nexit 1<br \/>\nfi<\/p>\n<p>echo &quot;\u6b63\u5728\u8fde\u63a5\u5230\u8bbe\u5907 $device_name ($ip:$port) &#8230;&quot;<\/p>\n<p># **\u4f7f\u7528\u7279\u5b9a\u7684\u52a0\u5bc6\u7b97\u6cd5**<br \/>\n# 密码通过 SSHPASS 环境变量交给 sshpass -e，不要用 -p 放在命令行参数里，否则本机任何用户都能在 ps 里看到<br \/>\n# StrictHostKeyChecking=no 会无条件接受任何主机密钥（包括被替换过的），等于给中间人攻击开门；<br \/>\n# accept-new 只在首次连接时记录新密钥，之后密钥变化会拒绝连接。最好事先把设备主机密钥写入 ~\/.ssh\/known_hosts<br \/>\nSSHPASS=&quot;$pass&quot; sshpass -e ssh -tt -p &quot;$port&quot; \\<br \/>\n-o KexAlgorithms=+diffie-hellman-group14-sha1 \\<br \/>\n-o HostKeyAlgorithms=+ssh-rsa \\<br \/>\n-o StrictHostKeyChecking=accept-new \\<br \/>\n&quot;$user@$ip&quot;<\/p>\n<p>&nbsp;<\/p>\n<p>chmod +x \/usr\/local\/bin\/jump<\/p>\n<p>&nbsp;<\/p>\n<p>\u4fee\u6539 <code data-start=\"3376\" data-end=\"3391\">~\/.ssh\/config<\/code> \u4ee5\u81ea\u52a8\u9002\u914d\u8001\u65e7 Cisco \u8bbe\u5907<\/p>\n<p>Host xxxxx.*<br \/>\nKexAlgorithms +diffie-hellman-group14-sha1<br \/>\nHostKeyAlgorithms +ssh-rsa<\/p>\n<p>注意：diffie-hellman-group14-sha1 和 ssh-rsa 都是依赖 SHA-1 的旧算法，较新的 OpenSSH 默认已不启用（所以这里才需要用 <code>+<\/code> 追加）。请只在上面这种针对老旧设备的 <code>Host<\/code> 段里启用，不要写进全局配置；设备固件支持更新算法后应及时移除。<\/p>\n<p>\u624b\u52a8\u6d4b\u8bd5<\/p>\n<p># 用 read -s 交互输入密码，避免密码被记录到 shell 历史和 ps 输出中<br \/>\nread -rsp 'Password: ' SSHPASS; export SSHPASS<br \/>\nsshpass -e ssh -vvv -o KexAlgorithms=+diffie-hellman-group14-sha1 -o HostKeyAlgorithms=+ssh-rsa admin@IP -p 22<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. 
\u5b89\u88c5 Ansible 1.1 \u5b89\u88c5\u5fc5\u8981\u7684\u8f6f\u4ef6 sudo apt update sudo apt inst [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,3],"tags":[],"class_list":["post-12176","post","type-post","status-publish","format-standard","hentry","category-linux","category-system"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12176","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12176"}],"version-history":[{"count":9,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12176\/revisions"}],"predecessor-version":[{"id":12195,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12176\/revisions\/12195"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}