2019-02-27 Managing Linux users with Ansible

1. When Ansible sets a password it expects an already hashed value (crypt format), so install Python's passlib library. If pip is not installed, install pip first and then passlib.

sudo apt install python-pip
sudo pip install passlib
# pip may prompt you to upgrade pip
sudo pip install --upgrade pip
# By default this installs under python2.7; for python3 use the following
sudo apt install python3-pip
sudo pip3 install passlib
sudo pip3 install --upgrade pip

Here is how to generate the hashed string:
Python 3.x (sha512 crypt):

$ python3 -c 'from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.encrypt(getpass.getpass()))'
Password:
$6$rounds=656000$K.vgvF8ZpzgRggK1$vzuTgMkCvAB.AWSsQbjSoNPXzDoZyuGSImFktFdNcIt50kR87tAJ5xCJrXgrebo1npf/qNittpTxL48w4h7E/1

Python 3.x (legacy DES crypt):

axing@THN:~$ python3 -c 'import crypt; print (crypt.crypt("123456","test1"))'
teMGKvBPcptKo

Note: "teMGKvBPcptKo" is the resulting hashed password. This is the traditional DES crypt form: only the first two characters of the salt ("te") and the first eight characters of the password are used, so for accounts managed by Ansible prefer the $6$ SHA-512 form shown above.

Python 2.x (sha512 crypt):

$ python -c 'from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.encrypt(getpass.getpass()))'
Password:
$6$rounds=656000$2uuoiI12EgjAoZf/$YNZH5r/iHxcOpHvck0mvwJIWot3VjUywJTkE/IVwkOtMWCP6cGZ.fBrOnqaCFsw5AyXowAwAMgRuKkej6SBFw0

Python 2.x (legacy DES crypt):
python -c 'import crypt; print(crypt.crypt("123456","test1"))'
Example:

axing@ax:~/ansible$ python -c 'from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.encrypt(getpass.getpass()))'
Password:
$6$rounds=656000$yqWKaWtYA.vsOoxk$VQv8QI9g7prvHkEUI2JtIgLBmVCLVbg4nM31ee3DBs9b4xV/ZikuTDUenoO4KuBeRDCtbTUyEV3qlHFamZZKV0

2. Adding and removing users
Note: the Ansible control host must be able to SSH to the target hosts without a password.
Create a user with state=present, remove one with state=absent. Below I add the user axtest1 to the hosts in the axtest group with this command:
ansible axtest -m user -a 'name=axtest1 shell=/bin/bash home=/home/axtest1/ state=present'

$ ansible axtest -m user -a 'name=axtest1 shell=/bin/bash home=/home/axtest1/ state=present'
192.168.0.30 | CHANGED => {
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1005,
    "home": "/home/axtest1/",
    "name": "axtest1",
    "shell": "/bin/bash",
    "state": "present",
    "stderr": "useradd: warning: the home directory already exists.\nNot copying any file from skel directory into it.\n",
    "stderr_lines": [
        "useradd: warning: the home directory already exists.",
        "Not copying any file from skel directory into it."
    ],
    "system": false,
    "uid": 1005
}
192.168.0.31 | CHANGED => {
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1005,
    "home": "/home/axtest1/",
    "name": "axtest1",
    "shell": "/bin/bash",
    "state": "present",
    "stderr": "useradd: warning: the home directory already exists.\nNot copying any file from skel directory into it.\n",
    "stderr_lines": [
        "useradd: warning: the home directory already exists.",
        "Not copying any file from skel directory into it."
    ],
    "system": false,
    "uid": 1005
}
192.168.0.32 | CHANGED => {
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1008,
    "home": "/home/axtest1/",
    "name": "axtest1",
    "shell": "/bin/bash",
    "state": "present",
    "stderr": "useradd: warning: the home directory already exists.\nNot copying any file from skel directory into it.\n",
    "stderr_lines": [
        "useradd: warning: the home directory already exists.",
        "Not copying any file from skel directory into it."
    ],
    "system": false,
    "uid": 1007
}

Change a user's password (the value passed to password= is the $6$ hash generated in step 1, not the plaintext):

ansible axtest -m user -a 'name=axtest1 shell=/bin/bash password=$6$rounds=656000$PnLWGmmesYis4Uqj$YtbkH3W83bSHDpJqGYgGUnrMoLDDRLf6itL/1A.xSrgFvCmgYXzCv/7tTde17ORguWSzHswSsKSk2eMBwF6Gq. update_password=always'

3. Passwordless SSH setup:
3.1 Create the user axtest1 locally

useradd axtest1 -s /bin/bash -d /home/axtest1
mkdir -p /home/axtest1/.ssh
touch /home/axtest1/.ssh/known_hosts

3.2 Collect the remote hosts' host keys into /home/axtest1/.ssh/known_hosts so that the first SSH connection does not stop at a prompt. ssh-keyscan records whatever key each host presents, so run it from a trusted network or compare the fingerprints out of band.

# Collect the host keys of all remote hosts, using the ssh-keyscan command:
ssh-keyscan -f ip.txt >> /home/axtest1/.ssh/known_hosts
# ip.txt holds the IP addresses of all remote hosts, one host per line.

3.3 Generate the key pair; pay attention to where it is stored

su - axtest1
ssh-keygen -t rsa
# Just press Enter at every prompt. But note the path where the generated id_rsa and id_rsa.pub are stored; in my case it is /home/axtest1/.ssh/.

3.4 Push the public key to all hosts by writing the playbook ssh-addkey.yml

---
- hosts: axtest        # all remote hosts in the axtest group
  gather_facts: False
  tasks:
    - name: install sshkey
      authorized_key:
        user: apple
        key: "{{ lookup('file', '/home/axtest1/.ssh/id_rsa.pub') }}"
        state: present

Run: ansible-playbook ssh-addkey.yml
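The user creation from section 2 and the key push from section 3.4 can be combined into one playbook. The following is an added example, not code from the original post; it assumes passlib is installed on the control node (section 1) so that the password_hash filter can produce the same $6$ format shown there, and the variable name axtest1_password is my own.

```yaml
---
# Added example (not from the original post): create axtest1 with a SHA-512
# crypt hash and install the control-node public key for it in one run.
# Assumes passlib on the control node (section 1) for password_hash.
- hosts: axtest
  gather_facts: false
  become: true                      # same effect as the [privilege_escalation] settings in 4.2
  vars_prompt:
    - name: axtest1_password        # asked at run time, never stored in the playbook or inventory
      prompt: "Password for axtest1"
      private: yes
  tasks:
    - name: create axtest1 with a SHA-512 crypt password hash
      user:
        name: axtest1
        shell: /bin/bash
        home: /home/axtest1
        create_home: yes
        # password_hash renders "$6$<salt>$<hash>", the format section 1 generates by hand;
        # a fresh random salt is used each run, so the hash text differs every time.
        password: "{{ axtest1_password | password_hash('sha512') }}"
        update_password: on_create  # do not overwrite a password the user has since changed
        state: present
      no_log: true                  # keep the hash out of -v output and /var/log/ansible.log

    - name: install the control-node public key for axtest1
      authorized_key:
        user: axtest1
        key: "{{ lookup('file', '/home/axtest1/.ssh/id_rsa.pub') }}"
        state: present
```

Because of update_password: on_create the play is idempotent on repeated runs; use update_password: always (as in section 2) only when you intend to reset the password.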

4. Pitfalls encountered
4.1 No write permission on the log file (I used 766; note that this makes /var/log/ansible.log world-writable, and granting write access only to the user or group that runs Ansible is tighter):
axing@ax:~/ansible$ sudo chmod 766 /var/log/ansible.log
4.2 At first I appended "ansible_ssh_user=xxx" after the hostname/IP in the hosts file and uncommented "sudo_user = root" in the config file. Running then produced this warning:

[DEPRECATION WARNING]: DEFAULT_SUDO_USER option, In favor of Ansible Become, which is a generic
framework. See become_user. , use become instead. This feature will be removed in version 2.8.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

One fix is to edit /etc/ansible/ansible.cfg, leave "sudo_user = root" commented out, and change these lines:

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

Or write it directly in the hosts file (ansible_become_pass is then stored in plaintext in the inventory; ansible-vault can encrypt it):

192.168.2.1 ansible_ssh_user=test  ansible_become_user=root ansible_become=true  ansible_become_pass='123456'

4.3 Running the playbook failed with the following output:

axing@ax-ld8:~/ansible$ ansible-playbook ssh-addkey.yml

PLAY [axtest] ********************************************************************************************

TASK [install sshkey] ************************************************************************************
fatal: [192.168.0.30]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 192.168.0.30 closed.\r\n", "module_stdout": "\r\n/bin/sh: 1: /usr/bin/python: not found\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 127}
ok: [192.168.0.31]
ok: [192.168.0.32]
    to retry, use: --limit @/home/axing/ansible/ssh-addkey.retry

PLAY RECAP ***********************************************************************************************
192.168.0.30              : ok=1    changed=0    unreachable=0    failed=0
192.168.0.31              : ok=0    changed=0    unreachable=0    failed=1
192.168.0.32              : ok=1    changed=0    unreachable=0    failed=0

Fix it by installing Python on the target host:

sudo apt install python-minimal python-simplejson

4.4 I also hit this error:

192.168.0.30 | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /home/axing/.ansible/tmp/ansible-tmp-1551229137.01-175739929259727 `\" && echo ansible-tmp-1551229137.01-175739929259727=\"` echo /home/axing/.ansible/tmp/ansible-tmp-1551229137.01-175739929259727 `\" ), exited with result 1",
    "unreachable": true
}

The fix is to edit /etc/ansible/ansible.cfg and change the remote temporary directory:

remote_tmp     = /tmp
#remote_tmp     = ~/.ansible/tmp

Reposted from blog.csdn.net/weixin_34217773/article/details/88263466