如何通过 kubespray 设置本地主机名通过身份验证?

编程问答 2022-05-23

问题描述

嗨,我在通过 kubespray 使用 ansible 时不断收到此错误,我想知道如何克服它


TASK [bootstrap-os : Assign inventory name to unconfigured hostnames (non-CoreOS,non-Flatcar,Suse and ClearLinux)] ********************************************************************************************************************************************************************************************************
task path: /home/dc/xcp-projects/kubespray/roles/bootstrap-os/tasks/main.yml:50

<192.168.10.55> (1,b'\x1b[1;31m==== AUTHENTICATING FOR org.freedesktop.hostname1.set-hostname ===\r\n\x1b[0mAuthentication is required to set the local host name.\r\nMultiple identities can be used for authentication:\r\n 1.  test\r\n 2.  provision\r\n 3.  dc\r\nChoose identity to authenticate as (1-3): \r\n{"msg": "Command failed rc=1,out=,err=\\u001b[0;1;31mCould not set property: Connection timed out\\u001b[0m\\n","failed": true,"invocation": {"module_args": {"name": "node3","use": null}}}\r\n',b'Shared connection to 192.168.10.55 closed.\r\n')
<192.168.10.55> Failed to connect to the host via ssh: Shared connection to 192.168.10.55 closed.
<192.168.10.55> ESTABLISH SSH CONNECTION FOR USER: provision
<192.168.10.55> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="provision"' -o ConnectTimeout=10 -oStrictHostKeyChecking=no -o ControlPath=/home/dc/.ansible/cp/c6d70a0b7d 192.168.10.55 '/bin/sh -c '"'"'rm -f -r /home/provision/.ansible/tmp/ansible-tmp-1614373378.5434802-17760837116436/ > /dev/null 2>&1 && sleep 0'"'"''
<192.168.10.56> (0,b'',b'')
fatal: [node2]: FAILED! => {
    "changed": false,"invocation": {
        "module_args": {
            "name": "node2","use": null
        }
    },"msg": "Command failed rc=1,err=\u001b[0;1;31mCould not set property: Method call timed out\u001b[0m\n"
}

我的库存文件如下

all:
  hosts:
    node1:
      ansible_host: 192.168.10.54
      ip: 192.168.10.54
      access_ip: 192.168.10.54
    node2:
      ansible_host: 192.168.10.56
      ip: 192.168.10.56
      access_ip: 192.168.10.56
    node3:
      ansible_host: 192.168.10.55
      ip: 192.168.10.55
      access_ip: 192.168.10.55
  children:
    kube-master:
      hosts:
        node1:
        node2:
    kube-node:
      hosts:
        node1:
        node2:
        node3:
    etcd:
      hosts:
        node1:
        node2:
        node3:
    k8s-cluster:
      children:
        kube-master:
        kube-node:
    calico-rr:
      hosts: {}

我还有一个文件,它以下列方式提供用户

- name: Add a new user named provision
  user:
    name: provision
    create_home: true
    shell: /bin/bash
    password: "{{ provision_password }}"
    groups: sudo
    append: yes

- name: Add a new user named dc
  user:
    name: dc
    create_home: true
    shell: /bin/bash
    password: "{{ provision_password }}"
    groups: sudo
    append: yes

- name: Add provision user to the sudoers
  copy:
    dest: "/etc/sudoers.d/provision"
    content: "provision  ALL=(ALL)  NOPASSWD: ALL"

- name: Add provision user to the sudoers
  copy:
    dest: "/etc/sudoers.d/dc"
    content: "dc  ALL=(ALL)  NOPASSWD: ALL"


- name: Disable Root Login
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: "PermitRootLogin no"
    state: present
    backup: yes

  notify:
    - Restart ssh

我已按以下方式运行 ansible 命令

ansible-playbook -i kubespray/inventory/mycluster/hosts.yaml --user="provision"  --ssh-extra-args="-oStrictHostKeyChecking=no" --key-file "/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key" kubespray/cluster.yml -vvv

以及

ansible-playbook -i kubespray/inventory/mycluster/hosts.yaml --user="provision"  --ssh-extra-args="-oStrictHostKeyChecking=no" --key-file "/home/dc/.ssh/xcp_server_k8s_nodes/xcp-k8s-provision-key" --become-user="provision" kubespray/cluster.yml -vv

两者都产生相同的错误,有趣的是升级似乎在较早的点上成功

阅读本文后 https://askubuntu.com/questions/542397/change-default-user-for-authentication 我已决定将用户添加到 sudo 组,但错误仍然存​​在

查看错误提示的 main.yaml 文件位置,似乎是此代码可能导致问题?

# Workaround for https://github.com/ansible/ansible/issues/42726
# (1/3)
- name: Gather host facts to get ansible_os_family
  setup:
    gather_subset: '!all'
    filter: ansible_*

- name: Assign inventory name to unconfigured hostnames (non-CoreOS,Suse and ClearLinux)
  hostname:
    name: "{{ inventory_hostname }}"
  when:
    - override_system_hostname
    - ansible_os_family not in ['Suse','Flatcar Container Linux by Kinvolk','ClearLinux'] and not is_fedora_coreos

主机的操作系统是 ubuntu 20.04.02 服务器 还有什么我可以做的吗?

解决方法

来自 Kubespray 文档:

# Deploy Kubespray with Ansible Playbook - run the playbook as root
# The option `--become` is required,as for example writing SSL keys in /etc/,# installing packages and interacting with various systemd daemons.
# Without --become the playbook will fail to run!
ansible-playbook -i inventory/mycluster/hosts.yaml  --become --become-user=root cluster.yml

如前所述,--become 是必需的,它允许对 Kubespray 执行的大多数系统修改(如设置主机名)进行权限提升。

使用 --user=provision 您只是设置了 SSH 用户,但无论如何它都需要权限提升。 使用 --become-user=provision,您只是说权限升级将升级为“提供”用户(但您需要 --become 进行权限升级)。 在这两种情况下,除非 'provision' 用户具有 root 权限(不确定将其放在 root 组中是否足够),否则是不够的。

要使用户“配置”就足够了,您需要确保它可以执行 hostnamectl <some-new-host> 而不会被要求进行身份验证。

ansiblekuberneteskubespraysshssh

相关问答

matplotlib报错:AttributeError: module 'backend_interagg' has no attribute 'FigureCanvas'. Did you mean: 'FigureCanvasAgg'?
使用本地python环境可以成功执行 import pandas as pd impor...
gitlab登录失败,报错:This challenge page was accidentally cached by an intermediary and is no longer available.
设置时间 控制面板
后端开发常见错误
错误1:Request method ‘DELETE‘ not supported 错误还原:...
docker常见错误
错误1:启动docker镜像时报错:Error response from daemon:...
idea常见错误
错误1:private field ‘xxx‘ is never assigned 按Alt...
pip安装依赖失败
报错如下,通过源不能下载,最后警告pip需升级版本 Requirem...