为啥我在ansible.cf中加入这一配置后就可以ping通了
[ssh_connection]
pipelining = True
[student@master ansible]$ ansible all -m ping
[WARNING]: sftp transfer mechanism failed on [node2]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: sftp transfer mechanism failed on [node1]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: scp transfer mechanism failed on [node2]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: scp transfer mechanism failed on [node1]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: piped transfer mechanism failed on [node2]. Use ANSIBLE_DEBUG=1 to see detailed information
[WARNING]: piped transfer mechanism failed on [node1]. Use ANSIBLE_DEBUG=1 to see detailed information
node2 | FAILED! => {"msg": "failed to transfer file to /home/student/.ansible/tmp/ansible-local-4122_k3rqmzq/tmp1t0mhe3_ /home/student/.ansible/tmp/ansible-tmp-1760963719.3710346-4127-253941042140370/AnsiballZ_ping.py:\n\ndd: failed to open '/home/student/.ansible/tmp/ansible-tmp-1760963719.3710346-4127-253941042140370/AnsiballZ_ping.py': Permission denied\n"
}
node1 | FAILED! => {"msg": "failed to transfer file to /home/student/.ansible/tmp/ansible-local-4122_k3rqmzq/tmpkfkcz216 /home/student/.ansible/tmp/ansible-tmp-1760963719.397347-4126-192652111529128/AnsiballZ_ping.py:\n\ndd: failed to open '/home/student/.ansible/tmp/ansible-tmp-1760963719.397347-4126-192652111529128/AnsiballZ_ping.py': Permission denied\n"
}cat ansible.cfg
[defaults]
inventory=/home/student/ansible/inventory
remote_user=student
roles_path=/home/student/ansible/roles
host_key_checking=False
collections_path=/home/student/ansible/collections
[privilege_escalation]
become=True
become_ask_pass=False
become_method=sudo
become_user=root
这涉及到 Ansible 底层文件传输机制的工作原理。下面将详细解释一下为什么添加 pipelining = True 解决了这个问题。
问题根源分析
从错误信息可以看出,问题出现在文件传输阶段:
failed to transfer file to /home/student/.ansible/tmp/...
dd: failed to open '/home/student/.ansible/tmp/.../AnsiballZ_ping.py': Permission denied
两种传输机制的区别
1. 默认模式 (pipelining = False)
- Ansible 先将模块代码(如
ping模块的AnsiballZ_ping.py)通过 SFTP/SCP 传输到目标节点的临时目录 - 然后在目标节点上执行该模块
- 问题:需要写入临时文件的权限,如果目标用户的 home 目录权限严格,就会遇到权限拒绝
2. 管道模式 (pipelining = True)
- Ansible 不先将文件写入磁盘,而是通过 SSH 管道直接将模块代码传递给 Python 解释器执行
- 优势:避免了文件写入操作,完全在内存中处理
- 解决了权限问题,因为不需要在目标节点创建临时文件
具体工作流程对比
默认模式:
# 1. 传输文件到临时目录
scp/sftp AnsiballZ_ping.py node1:/home/student/.ansible/tmp/
# 2. 执行模块
ssh node1 python /home/student/.ansible/tmp/AnsiballZ_ping.py
管道模式:
# 直接通过管道执行,无需临时文件
ssh node1 python -c "$(cat AnsiballZ_ping.py)"
权限问题的根本原因
目标节点上 /home/student/.ansible/tmp/ 目录可能存在权限问题:
- 目录属主或权限设置不正确
- SELinux 安全上下文限制
- 磁盘空间或 inode 问题
- 先前执行留下的损坏文件
建议的解决方案
除了启用管道模式,还可以考虑:
- 检查目标节点 tmp 目录权限:
ansible all -a "ls -ld /home/student/.ansible/tmp/"
- 清理临时目录:
ansible all -a "rm -rf /home/student/.ansible/tmp/*"
- 在 ansible.cfg 中设置合适的临时目录:
[defaults]
remote_tmp = /tmp/.ansible
管道模式的注意事项
启用 pipelining = True 虽然解决了这个问题,但需要注意:
- 要求:目标节点的
/etc/sudoers需要禁用requiretty - 兼容性:某些需要文件操作的模块可能不兼容
- 性能:通常性能更好,因为减少了文件传输开销
在此案例中,启用管道模式是正确的解决方案,因为它避免了权限问题并提高了执行效率。