[LINUX] Create multiple users with serial numbers at once in Ansible Playbook: Part 2

Introduction

I made an SSH key version of the Ansible Playbook posted in this article.

Assumed case

Create a large number of serial number users, for example for developers. However, I want to use key authentication instead of password authentication.

Playbook

The beginning is almost the same as the previous article. The initial password variable is unnecessary and has been deleted.

usercreate_withkey.yml


---
- name: Create many user
  hosts: localhost
  vars:
    user_num_data: "{% for n in range(10) %}{{n+1}},{% endfor %}"
    user_num: "{{ user_num_data.split(',') }}"
    pre_id: 50
    pre_name: devuser
    common_group: devgroup

  tasks:
    - name: Common group is created
      group:
        name: '{{ common_group }}'
        gid: '{{ pre_id }}00'
        state: present

    - name: Groups are created
      group:
        name: '{{ pre_name }}{{ item.zfill(2) }}'
        gid: '{{ pre_id }}{{ item.zfill(2) }}'
        state: present
      with_items:
        - '{{ user_num[:-1] }}'

In the user creation, change it to specify generate_ssh_key: true and ssh_key_bits: 4096.

usercreate_withkey.yml


    - name: Users are created
      user:
        name: '{{ pre_name }}{{ item.zfill(2) }}'
        group: '{{ pre_name }}{{ item.zfill(2) }}'
        groups: '{{ pre_name }}{{ item.zfill(2) }}, {{ common_group }}'
        uid: '{{ pre_id }}{{ item.zfill(2) }}'
        state: present
        generate_ssh_key: true
        ssh_key_bits: 4096
      with_items:
        - '{{ user_num[:-1] }}'
      register: usercreated

Next, create a ~ / .ssh / authorized_keys for each user you created. By the way, the reason why it is set to ╩╗item.invocation.module_args.name instead of ╩╗item.name is to prevent an error in Check mode (Dry run).

usercreate_withkey.yml


    - name: authorized_keys files are created
      copy:
        src: '/home/{{ item.invocation.module_args.name }}/.ssh/id_rsa.pub'
        dest: '/home/{{ item.invocation.module_args.name }}/.ssh/authorized_keys'
        owner: '{{ item.invocation.module_args.name }}'
        group: '{{ item.invocation.module_args.name }}'
        mode: '0600'
        remote_src: true
      with_items:
        - '{{ usercreated.results }}'
      when:
        - item.changed
        - item.invocation.module_args.state == "present"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"

Finally, collect the created user's private key in / tmp. (Aside from the question of how to distribute the private key in the first place ...)

usercreate_withkey.yml


    - name: Secret key files are copied
      copy:
        src: '/home/{{ item.invocation.module_args.name }}/.ssh/id_rsa'
        dest: '/tmp/id_rsa_{{ item.invocation.module_args.name }}'
        owner: root
        group: root
        mode: '0644'
        remote_src: true
      with_items:
        - '{{ usercreated.results }}'
      when: 
        - item.changed
        - item.invocation.module_args.state == "present"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"

Execution result

The execution result of ansible-playbook is as follows.

$ ansible-playbook -i inventories/test usercreate_withkey.yml

PLAY [Create many user] ************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]

TASK [Common group is created] *****************************************************************************************
ok: [localhost]

TASK [Groups are created] **********************************************************************************************
changed: [localhost] => (item=1)
changed: [localhost] => (item=2)
changed: [localhost] => (item=3)
changed: [localhost] => (item=4)
changed: [localhost] => (item=5)
changed: [localhost] => (item=6)
changed: [localhost] => (item=7)
changed: [localhost] => (item=8)
changed: [localhost] => (item=9)
changed: [localhost] => (item=10)

TASK [Users are created] ***********************************************************************************************
changed: [localhost] => (item=1)
changed: [localhost] => (item=2)
changed: [localhost] => (item=3)
changed: [localhost] => (item=4)
changed: [localhost] => (item=5)
changed: [localhost] => (item=6)
changed: [localhost] => (item=7)
changed: [localhost] => (item=8)
changed: [localhost] => (item=9)
changed: [localhost] => (item=10)

TASK [authorized_keys files are created] *******************************************************************************
changed: [localhost] => (item=devuser01)
changed: [localhost] => (item=devuser02)
changed: [localhost] => (item=devuser03)
changed: [localhost] => (item=devuser04)
changed: [localhost] => (item=devuser05)
changed: [localhost] => (item=devuser06)
changed: [localhost] => (item=devuser07)
changed: [localhost] => (item=devuser08)
changed: [localhost] => (item=devuser09)
changed: [localhost] => (item=devuser10)

TASK [Secret key files are copied] *************************************************************************************
changed: [localhost] => (item=devuser01)
changed: [localhost] => (item=devuser02)
changed: [localhost] => (item=devuser03)
changed: [localhost] => (item=devuser04)
changed: [localhost] => (item=devuser05)
changed: [localhost] => (item=devuser06)
changed: [localhost] => (item=devuser07)
changed: [localhost] => (item=devuser08)
changed: [localhost] => (item=devuser09)
changed: [localhost] => (item=devuser10)

PLAY RECAP *************************************************************************************************************
localhost                  : ok=6    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The private key is collected in / tmp, and you can log in with that private key.

$ ls -l /tmp/id_rsa*
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser01
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser02
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser03
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser04
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser05
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser06
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser07
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser08
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser09
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser10
$ ssh -i /tmp/id_rsa_devuser01 [email protected]
Last login: Mon Apr 27 22:46:46 2020 from ::1
$

that's all. Now, how should we distribute this private key ...

Recommended Posts

Create multiple users with serial numbers at once in Ansible Playbook: Part 2
Create multiple users with serial numbers at once with Ansible Playbook
Update multiple tables at once with pandas to_sql
Convert multiple proto files at once with python
Register multiple self-made styles in Word at once
[Linux] Grep multiple gzip files in a directory at once
Convert only date serial numbers in CSV files with awk
Rsync multiple files at once
[Laravel] Aliase to create migration file of multiple tables at once