问题描述

我正在使用 Ansible 执行一些与一小组计算机的简单用户管理任务.目前，我将剧本设置为 hosts: all 并且我的主机文件只是一个列出所有机器的组:

I'm using Ansible for some simple user management tasks with a small group of computers. Currently, I have my playbooks set to hosts: all and my hosts file is just a single group with all machines listed:

# file: hosts
[office]
imac-1.local
imac-2.local
imac-3.local

我发现自己经常不得不针对一台机器.ansible-playbook 命令可以像这样限制播放:

I've found myself frequently having to target a single machine. The ansible-playbook command can limit plays like this:

ansible-playbook --limit imac-2.local user.yml

但这似乎有点脆弱，尤其是对于可能具有破坏性的剧本.省略 limit 标志意味着剧本将在任何地方运行.由于这些工具只是偶尔使用，因此似乎值得采取措施进行万无一失的播放，这样我们就不会在几个月后意外损坏某些东西.

But that seems kind of fragile, especially for a potentially destructive playbook. Leaving out the limit flag means the playbook would be run everywhere. Since these tools only get used occasionally, it seems worth taking steps to foolproof playback so we don't accidentally nuke something months from now.

是否有将剧本运行限制在单台机器上的最佳实践?理想情况下，如果遗漏了一些重要细节，剧本应该是无害的.

Is there a best practice for limiting playbook runs to a single machine? Ideally the playbooks should be harmless if some important detail was left out.

推荐答案

原来可以直接在 playbook 中输入主机名，因此使用 hosts: imac-2.local 会正常工作.但它有点笨重.

Turns out it is possible to enter a host name directly into the playbook, so running the playbook with hosts: imac-2.local will work fine. But it's kind of clunky.

更好的解决方案可能是使用变量定义剧本的主机，然后通过 --extra-vars 传入特定的主机地址:

A better solution might be defining the playbook's hosts using a variable, then passing in a specific host address via --extra-vars:

# file: user.yml  (playbook)
---
- hosts: '{{ target }}'
  user: ...

运行剧本:

ansible-playbook user.yml --extra-vars "target=imac-2.local"

如果 {{ target }} 没有定义，playbook 什么都不做.如果需要，也可以传递来自主机文件的组.总体而言，这似乎是构建具有潜在破坏性的剧本的更安全的方法.

If {{ target }} isn't defined, the playbook does nothing. A group from the hosts file can also be passed through if need be. Overall, this seems like a much safer way to construct a potentially destructive playbook.

针对单个主机的剧本:

$ ansible-playbook user.yml --extra-vars "target=imac-2.local" --list-hosts

playbook: user.yml

  play #1 (imac-2.local): host count=1
    imac-2.local

一组主持人的剧本:

$ ansible-playbook user.yml --extra-vars "target=office" --list-hosts

playbook: user.yml

  play #1 (office): host count=3
    imac-1.local
    imac-2.local
    imac-3.local

忘记定义主机是安全的！

Forgetting to define hosts is safe!

$ ansible-playbook user.yml --list-hosts

playbook: user.yml

  play #1 ({{target}}): host count=0

这篇关于将 Ansible playbook 安全地限制在一台机器上?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！