Ansible
安装
yum install -y epel-release
yum install -y ansible
配置ssh免密
[root@master ~]# ssh-keygen -t rsa
[root@master ~]# ssh-copy-id -f root@172.18.54.20 #172.18.54.20 node的ip
测试与被管理节点的连通性
[root@master ~]# ansible all -i 172.18.54.20,172.18.54.30 -m ping
用户级ansible环境构建
在每台主机分别创建zh54用户,设置密码为123456
useradd zh54
passwd zh54
123456
在ansible控制端创建ansible目录及配置文件和资产清单
su zh54
mkdir ansible
cd ansible
vim inventory
[node]
10.0.54.101
10.0.54.102
vim ansible.cfg
[defaults]
inventory = /home/zh54/ansiable/inventory
remote_user = zh54
remote_port = 22
ask_pass = False
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
验证清单是否配置成功
[zh54@controller ansiable]$ ansible all --list
hosts (2):
10.0.54.101
10.0.54.102
在被控端配置sudo提权无需密码
# visudo
zh54 ALL=(ALL) NOPASSWD: ALL
测试
[zh54@controller ansiable]$ ansible all -m shell -a "ls /root"
10.0.54.102 | CHANGED | rc=0 >>
anaconda-ks.cfg
Desktop
Documents
Downloads
Music
original-ks.cfg
Pictures
Public
Templates
Videos
10.0.54.101 | CHANGED | rc=0 >>
anaconda-ks.cfg
Desktop
Documents
Downloads
Music
original-ks.cfg
Pictures
Public
Templates
Videos
Ansible资产
Ansible的资产分为静态资产和动态资产
静态资产
顾名思义它本身是一个文本文件,一个格式类似INI的文件。
默认情况下,Ansible的资产文件位于``/etc/ansible/hosts`
编写资产文件
vim inventory.ini
172.18.54.20
172.18.54.30
[node]
172.18.54.20
172.18.54.30
#嵌套组
[all_server:children]
node
#组变量
[node:vars]
ansible_ssh_port=22
ansible_ssh_user=root
ansible_ssh_123456=123456
列出所有的静态资产
[root@master ~]# ansible all -i inventory.ini --list-hosts
或者
[root@master ~]# ansible all -i inventory.ini --list
基本语法格式
[root@master ~]# ansible PATTERN -i inventory -m module -a argument
| 参数 | 参数解释 |
| --------- | :----------------------------------------------------------- |
| -i | 指定Ansible的资产,也就是被管理服务器 |
| -m | 指定要运行的模块,比如这里的ping和copy模块 |
| -a | 指定模块的参数,例:"src=/tmp/haojuetrace dest=/tmp/haojuetrace" |
| PATTERN | 资产选择器,例:all匹配所有指定的所有资产 |
| inventory | 资产清单文件 |
| module | 模块,例:copy |
| argument | 模块的参数 |
例:
#单个资产
ansible 172.18.54.20 -i inventory.ini --list-hosts
#多个资产
ansible 172.18.54.20,172.18.54.30 -i inventory.ini --list-hosts
#按组
ansible node -i inventory.ini --list-hosts
#使用*匹配
ansible 172.18.54.2* -i inventory.ini --list-hosts
#逻辑匹配
并集:node组和db组的资产
ansible 'node:db' -i inventory.ini --list-hosts
交集:node组上有的并且db组上也有的资产
ansible 'node:&db' -i inventory.ini --list-hosts
排除:在node组中的不在db组中
ansible 'node:!db' -i inventory.ini --list-hosts
#以某个关键字开头:以node开头的资产
ansible '~node' --list
ansible配置文件解析
https://www.cnblogs.com/yangmingxianshen/p/12655843.html
# config file for ansible -- https://ansible.com/
# ===============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
# some basic default values...
#资产清单文件
#inventory = /etc/ansible/hosts
#存放Ansible模块的目录
#library = /usr/share/my_modules/
#模块路径
#module_utils = /usr/share/my_module_utils/
#远程临时路径
#remote_tmp = ~/.ansible/tmp
#本地临时路径
#local_tmp = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#并发数量
#forks = 5
#轮询时间
#poll_interval = 15
#sudo的用户
#sudo_user = root
#sudo是否要密码
#ask_sudo_pass = True
#是否要密码
#ask_pass = True
#指定远程主机连接传输方式
#transport = smart
#默认端口号
#remote_port = 22
#设置 Ansible 在远程主机上执行模块时使用的编程语言
#module_lang = C
#是否设置执行模块编程语言
#module_set_locale = False
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
#是否收集fact信息
#gathering = implicit
# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,virtual)
# You can negate them using ! (ex: !hardware,!facter,!ohai)
# A minimal set of facts is always gathered.
#指定收集fact信息
#gather_subset = all
# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
#收集fact信息的超时时间
# gather_timeout = 10
# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of 'ansible_'.
# This variable is set to True by default for backwards compatibility. It
# will be changed to a defaulteof 'False' in a future release.
# ansible_facts.
#这个设置是为了维护2.5之前的默认行为。设置为True是为了向后兼容
# inject_facts_as_vars = True
# additional paths to search for roles in, colon separated
#搜索角色的其它路径,冒号分隔
#roles_path = /etc/ansible/roles
# uncomment this to disable SSH key host checking
#是否需要主机的秘钥检查
#host_key_checking = False
# change the default callback, you can only have one 'stdout' type enabled at a time.
# 回调的类型
#stdout_callback = skippy
## Ansible ships with some plugins that require whitelisting,
## this is done to avoid running all of a type by default.
## These setting lists those that you want enabled for your system.
## Custom plugins should not need this unless plugin author specifies it.
# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
# 回调插件白名单
#callback_whitelist = timer, mail
# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.
#默认情况下,tasks和handlers是静态。从2.0开始默认是动态
#task_includes_static = False
#handler_includes_static = False
# Controls if a missing handler for a notification event is an error or a warning
# 处理程序丢失是错误还是警告
#error_on_missing_handler = True
# change this for alternative sudo implementations
#设置sudo命令的路径
#sudo_exe = sudo
# What flags to pass to sudo
# WARNING: leaving out the defaults might create unexpected behaviours
#传递给sudo的标志,这里如果省略默认值可能会报错
#sudo_flags = -H -S -n
# SSH timeout
#ssh超时时间
#timeout = 10
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#默认的远程用户
#remote_user = root
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#日志存放文件
#log_path = /var/log/ansible.log
# default module name for /usr/bin/ansible
#默认的模块名字
#module_name = command
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#sudo下用的shell终端
#executable = /bin/sh
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#如果资产清单重叠的处理方式
#hash_behaviour = replace
# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#设置此变量,只有角色中的任务和处理程序才能看到那里的变量,默认情况下,角色中的变量将在全局变量中可见
#private_role_vars = yes
# list any Jinja2 extensions to enable here:
#Jinjia2所有可用的扩展名
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#使用私钥文件进行身份验证,私钥的存储位置
#private_key_file = /path/to/file
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#配置Vault密码文件的路径,以替代在命令行上指定--vault-password-file
#vault_password_file = /path/to/vault_password_file
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
# in some situations so the default is a static string:
#Jinja2模板中提供的字符串{{ansible_managed}}的格式表示用户编辑模板文件将被替换
#ansible_managed = Ansible managed
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#默认情况下,如果确定不应该在主机上运行任务,则ansible-playbook将显示Skipping [host] 如果你不想看到这条消息,将其设置为False
#display_skipped_hosts = True
# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args. This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed. If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#默认情况下,如果playbook中的任务不包含name:field,则ansible-playbook将构造一个包含任务操作但不包含任务args的头。
#这是一个安全功能,因为ansible无法知道* module *在打印标题时是否将参数视为no_log。
#如果您的环境没有从ansible-playbook保护stdout的问题(或者您在所有具有秘密信息的任务中手动指定了playbook中的no_log),那么您可以安全地将其设置为True以获取更多信息
#display_args_to_stdout = False
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#默认情况下(从1.3开始),Ansible在尝试取消引用未在模板或操作行中设置的Jinja2变量时会引发错误。
取消注释此行以将行为还原为1.3之前的版本
#error_on_undefined_vars = False
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#默认情况下(从1.6开始),Ansible可能会根据运行ansible本身的系统配置显示警告。
#这可能包括有关第三方软件包的警告或应尽可能解决的其他条件。要禁用这些警告,请将值设置为False:
#system_warnings = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#默认情况下(从1.4开始),Ansible可能会显示不再使用的语言功能的弃用警告,并且将在以后的版本中删除。
#要禁用这些警告,请将值设置为False
#deprecation_warnings = True
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
#(从1.8开始),Ansible可以选择在使用默认的Ansible模块时简化shell和command的使用时发出警告。
#通过调整以下内容可以使这些警告静音在命令行的末尾设置或添加warn = yes或warn = no参数字符串。
#例如,这将建议使用git模块而不是外壳到git命令
# command_warnings = False
# set plugin path directories here, separate with colons
#插件的存储位置,ansible将会自动执行下面的插件
#action_plugins = /usr/share/ansible/plugins/action
#become_plugins = /usr/share/ansible/plugins/become
#cache_plugins = /usr/share/ansible/plugins/cache
#callback_plugins = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins = /usr/share/ansible/plugins/lookup
#inventory_plugins = /usr/share/ansible/plugins/inventory
#vars_plugins = /usr/share/ansible/plugins/vars
#filter_plugins = /usr/share/ansible/plugins/filter
#test_plugins = /usr/share/ansible/plugins/test
#terminal_plugins = /usr/share/ansible/plugins/terminal
#strategy_plugins = /usr/share/ansible/plugins/strategy
# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#ansible将使用“linear”策略,但您可能想尝试另一种策略
#strategy = free
# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
#默认情况下没有为/bin/ansible加载回调,如果你想要启用它将其设置为True就行了
#bin_ansible_callbacks = False
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#如果您不想要cowsay支持或导出ANSIBLE_NOCOWS = 1,则设置为1
#nocows = 1
# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#设置默认情况下你想使用的cowsay模板。 设置为'随机'时,将为每个任务选择随机模板。
#选择将被过滤反对下面的`cow_whitelist`选项
#cow_selection = default
#cow_selection = random
# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
# in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#当使用cowsay的'random'选项时,模板将被限制在此列表中。
#它应格式化为逗号分隔列表,名称之间不能有空格。注意:此处的行连续仅用于格式化,因为python中的INI解析器不支持它们
#nocolor = 1
# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored. This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact缓存的存储类型。如果存储在memory那么只是暂时的,你可以将其存储在文件或者数据库中。
#fact_caching = memory
#This option tells Ansible where to cache facts. The value is plugin dependent.
#For the jsonfile plugin, it should be a path to a local directory.
#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
#fact缓存的存储路径,如果设置为文件存储,这里应该设置为文件路径。
#如果是数据库类型,应该是localhost:6379:0格式
#fact_caching_connection=/tmp
# retry files
# When a playbook fails a .retry file can be created that will be placed in ~/
# You can enable this feature by setting retry_files_enabled to True
# and you can change the location of the files by setting retry_files_save_path
# 默认情况下,当playbook执行失败时,将在~/创建.retry文件。可以通过retry_files_enabled来禁用。
# 通过设置retry_files_save_path来更改文件的位置。
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry
# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
# prevents logging of task data, off by default
#Ansible可以优化在循环时使用列表参数调用模块的操作。
#而不是每个with_item调用一次模块,模块一次调用所有项目一次。
#目前只适用于有限的情况
#no_log = False
# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
#防止记录任务,但仅在目标上,数据仍记录在主/控制器上
#no_target_syslog = False
# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine. This option is False by default for security. Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#控制Ansible是否会引发错误或警告,如果任务别无选择,只能创建可读的临时文件来执行远程计算机上的模块。
#对于安全性,默认情况下此选项为False
#allow_world_readable_tmpfiles = False
# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#控制发送到工作进程的变量的压缩级别。 默认值为0时,不使用压缩。 该值必须是0到9之间的整数
#var_compression_level = 9
# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system. The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#控制将ansible模块发送到远程系统时使用的压缩方法。 压缩类型依赖于编译到控制器的python和客户端的python中的支持。 名称应与python Zipfile压缩类型匹配:
#ZIP_STORED(无压缩。无处不在)
#ZIP_DEFLATED(使用zlib,默认值)
#可以通过ansible_module_compression库存变量为每个主机设置这些值
#module_compression = 'ZIP_DEFLATED'
# This controls the cutoff point (in bytes) on --diff for files
# set to 0 for unlimited (RAM may suffer!).
#这将控制文件的--diff的截止点(以字节为单位)
#设置为0表示无限制(RAM可能会受损!)
#max_diff_size = 1048576
# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI. If this is True then multiple arguments are merged together. If
# it is False, then the last specified argument is used and the others are ignored.
# This option will be removed in 2.8.
#这将控制ansible如何在CLI上处理多个--tags和--skip-tags参数。 如果这是True,则将多个参数合并在一起。
#如果为False,则使用最后指定的参数,并忽略其他参数。此选项将在2.8中删除
#merge_multiple_cli_flags = True
# Controls showing custom stats at the end, off by default
#最后显示自定义统计信息的控件,默认情况下已关闭
#show_custom_stats = True
# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
#控制将目录用作具有可能多个源(静态和动态)的库存时要忽略的文件
#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#此系列模块使用针对网络设备优化的替代执行路径,只有在您了解其工作原理的情况下才更新此设置,否则会破坏模块执行
#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#
#启用时,此选项允许查找(通过{{lookup('foo')}}之类的变量或当用作带有“with_foo”的循环时)返回未标记为“不安全”的数据。
#这意味着数据可能包含将通过模板引擎运行的jinja2模板语言。
#ENABLING这可能是一种安全风险
#allow_unsafe_lookups = False
# set default errors for all plays
#为所有的操作设置默认错误
#any_errors_fatal = False
[inventory]
# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
#默认启动的插件
#enable_plugins = host_list, virtualbox, yaml, constructed
# ignore these extensions when parsing a directory as inventory source
#在将目录解析为库存源时忽略这些扩展
#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
# ignore files matching these patterns when parsing a directory as inventory source
#在将目录解析为库存源时忽略与这些模式匹配的文件
#ignore_patterns=
# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
#如果'true'未解析的库存来源成为致命错误,则会发出警告
#unparsed_is_failed=False
[privilege_escalation]
#是否需要切换用户
#become=True
#以sudo的方式切换
#become_method=sudo
#切换到什么用户
#become_user=root
#是否需要秘钥验证
#become_ask_pass=False
[paramiko_connection]
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
#取消注释此行以使paramiko连接插件不记录遇到的新主机密钥。 提高新主机添加的性能。 设置独立于上面的主机密钥检查设置
#record_host_keys=False
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#默认情况下,Ansible请求在sudo下执行的命令的伪终端。 取消注释此行以禁用此行为
#pty=False
# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices. This is a problem for some network devices
# that close the connection after a key failure. Uncomment this line to
# disable the Paramiko look for keys function
#在尝试向远程设备进行身份验证时,paramiko将默认初始查找SSH密钥。
#对于在密钥发生故障后关闭连接的某些网络设备,这是一个问题。 取消注释此行以禁用Paramiko查找键功能
#look_for_keys = False
# When using persistent connections with Paramiko, the connection runs in a
# background process. If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key. This will cause connections
# running in background processes to fail. Uncomment this line to have
# Paramiko automatically add host keys.
#当与Paramiko使用持久连接时,连接在后台进程中运行。
#如果主机尚未具有有效的SSH密钥,则默认情况下Ansible将提示添加主机密钥。
#这将导致在后台进程中运行的连接失败。 取消注释此行以使Paramiko自动添加主机密钥
#host_key_auto_add = True
[ssh_connection]
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it, -C controls compression use
#要使用的ssh参数离开ControlPersist会导致性能不佳,所以在较旧的平台上使用paramiko而不是删除它,-C控制压缩使用
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
# The base directory for the ControlPath sockets.
# This is the "%(directory)s" in the control_path option
#ControlPath套接字的基目录
# Example:
# control_path_dir = /tmp/.ansible/cp
#control_path_dir = ~/.ansible/cp
# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
# 用于ControlPath套接字的路径。 默认为主机名,端口和用户名的散列字符串(配置中为空字符串)
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path =
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#启用流水线操作可减少在远程服务器上执行模块所需的SSH操作数。
#这可以在启用时显着提高性能,但是当使用“sudo:”时,必须先在/ etc / sudoers中禁用'requiretty'
#默认情况下,禁用此选项以保持兼容性,sudoers配置requiretty(许多发行版的默认设置)
#pipelining = False
# Control the mechanism for transferring files (old)
# * smart = try sftp and then try scp [default]
# * True = use scp only
# * False = use sftp only
#控制传输文件的机制(旧)
#smart:尝试sftp然后尝试scp [默认]
#True:仅使用scp
#False:仅使用sftp
#scp_if_ssh = smart
# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
# * sftp = use sftp to transfer files
# * scp = use scp to transfer files
# * piped = use 'dd' over SSH to transfer files
# * smart = try sftp, scp, and piped, in that order [default]
#控制传输文件的机制(新)
#如果设置,这将覆盖scp_if_ssh选项:
#sftp:使用sftp传输文件
#scp:使用scp传输文件
#piped:通过SSH使用'dd'来传输文件
#smart:按顺序尝试sftp,scp和piped [默认]
#transfer_method = smart
# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#如果为False,sftp将不使用批处理模式传输文件。
#但是,这可能导致某些类型的文件传输失败无法捕获,并且只有在sftp版本的批处理模式出现问题时才应禁用
#sftp_batch_mode = False
# The -tt argument is passed to ssh when pipelining is not enabled because sudo
# requires a tty by default.
#未启用管道传输时,-tt参数将传递给ssh,因为默认情况下sudo需要tty。
#usetty = True
# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
# For each retry attempt, there is an exponential backoff,
# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
#在UNREACHABLE的情况下,重试与主机的SSH连接的次数。
#对于每次重试尝试,都存在指数退避,因此在第一次尝试之后有1s等待,然后是2s,4s等等,最多30s(最大)
#retries = 3
[persistent_connection]
# Configures the persistent connection timeout value in seconds. This value is
# how long the persistent connection will remain idle before it is destroyed.
# If the connection doesn't receive a request before the timeout value
# expires, the connection is shutdown. The default value is 30 seconds.
#以秒为单位配置持久连接超时值。 此值是持久连接在销毁之前保持空闲的时间。
#如果连接在超时值到期之前未收到请求,则连接将关闭。 默认值为30秒
#connect_timeout = 30
# The command timeout value defines the amount of time to wait for a command
# or RPC call before timing out. The value for the command timeout must
# be less than the value of the persistent connection idle timeout (connect_timeout)
# The default value is 30 second.
#命令超时值定义在超时之前等待命令或RPC调用的时间。 命令超时的值必须小于持久连接空闲超时(connect_timeout)的值 默认值为10秒
#command_timeout = 30
[accelerate]
#指定加速器进程使用的端口号
#accelerate_port = 5099
#命令执行超时时间
#accelerate_timeout = 30
#连接超时时间
#accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#守护程序超时以分钟为单位。 这个时间是衡量的从最后一个活动到加速守护进程
#accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#如果设置为yes,则accele_multi_key将允许将多个私钥上传到它,尽管每个用户必须通过SSH访问系统才能添加新密钥。 默认值为“no”
#accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#处理安全上下文时需要特殊处理的文件系统复制现有上下文或使用用户默认值的默认行为需要更改为使用依赖于文件系统的上下文
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#将此设置为yes以允许libvirt_lxc连接在没有SELinux的情况下工作
#libvirt_lxc_noseclabel = yes
#输出颜色设置
[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
[diff]
# Always print diff when running ( same as always running with -D/--diff )
#在运行时始终打印diff
# always = no
# Set how many context lines to show in diff
# 设置要在diff中显示的上下文行数
# context = 3
Ansible Ad-Hoc命令
Ad-hoc命令是什么?这其实是一个概念性的名字,是相对于Ansible playbook来说的,l类似于在命令行敲入shell命令和写shell script两者之间的关系。可以用于执行一些临时命令
模块类型
Ansible模块分为三种类型:核心模块(core module)、附加模块(extra module)及用户自定义模块(consume module)
联机帮助
常用帮助命令
列举出所有的核心模块和附加模块
[root@master ~]# ansible-doc -l
查询某个模块的使用方法
[root@master ~]# ansible-doc modulename
#简单的帮助
[root@master ~]# ansible-doc -s modulename
常用模块
command&shell
command模块是ad-hoc的默认模块
两个模块的差异
- shell 模块可以执行shell的内置命令和特性(比如管道符)
- command模块无法执行shell的内置命令和特性
[root@master ~]# ansible node -i inventory.ini -a "echo 'haojuetrace'"
172.18.54.20 | CHANGED | rc=0 >>
haojuetrace
172.18.54.30 | CHANGED | rc=0 >>
haojuetrace
[root@master ~]# ansible node -i inventory.ini -m shell -a "hostname -i"
172.18.54.20 | CHANGED | rc=0 >>
fe80::379d:618:1ce7:aac0%ens33 fe80::b444:5e3e:d105:27d3%ens34 fe80::4e16:d6da:3d3b:9e56%ens33 fe80::3f38:6b78:3a35:f3d9%ens34 172.17.54.20 172.18.54.20
172.18.54.30 | CHANGED | rc=0 >>
fe80::7c65:1dd1:e1ae:4d43%ens33 fe80::a94a:877c:6595:d626%ens34 fe80::b444:5e3e:d105:27d3%ens34 fe80::4e16:d6da:3d3b:9e56%ens33 fe80::379d:618:1ce7:aac0%ens33 fe80::3f38:6b78:3a35:f3d9%ens34 172.17.54.30 172.18.54.30
script模块
将管理节点上的脚本传递到被管理节点(远程服务器)上进行执行,理论上使用此模块的执行完全不需要被管理服务器上有python。
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m script -a "test.sh"
copy模块
用于管理节点和被管理节点之间的文件拷贝
常用参数
src指定拷贝文件的原地址content指定内容传送到目标地址文件dest指定拷贝文件的目标地址backup拷贝文件前,若原始文件发生变化,则对目标文件进行备份woner指定新拷贝文件的所属者group指定新拷贝文件的所属组mode指定新拷贝文件的权限
[root@master ~]# ansible all -i inventory.ini -m copy -a "src=./test.sh dest=/root/test.sh backup=yes group=nobody owner=nobody mode=777"
#传送内容到目的地址案例
[root@master ~]# ansible all -i inventory.ini -m copy -a "content="haojue" dest=/root/test.txt"
fetch
常用参数
src指定被控制节点文件的原路径dest指定控制节点文件的目标路径flatyes允许您覆盖将主机名/路径/到/文件附加到目的地 no则会在目的地下创建一个被控节点文件
[root@master ~]# ansible all -i inventory.ini -m shell -a "tar -cf /var/log.tar /var/log"
[root@master ~]# ansible all -i inventory.ini -m fetch -a "src=/var/log.tar dest=log.tar flat=yes"
yum_repository
yum仓库添加删除操作
常用参数
name仓库名称(必须的参数)description仓库描述信息(必须的参数)baseurlyum仓库地址(必须的参数)file仓库文件保存到被管理节点的文件名,不包含.repo。默认是name的值statepreset确认添加仓库文件,absent确认删除仓库文件。gpgcheck是否检查GPG yes|no,没有默认值
添加yum仓库
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m yum_repository -a "name=test baseurl=file:///haojuetrace/test description='haojuetrace yum test'"
删除yum仓库
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m yum_repository -a "name=test state=absent"
yum模块
等同于linux上的yum命令,对远程服务器上RPM包进行管理
常用参数
name要安装的软件报名,多个软件包以(,)隔开
state对当前指定的软件安装、移除操作支持的参数:
present确认已经安装,但不升级
installed确认已经安装
latest确保安装,且升级为最新
absent和removed确认已移除
安装软件
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m yum -a "name=httpd state=present"
卸载软件
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m yum -a "name=httpd state=removed"
systemd模块
管理远程节点上的systemd服务(centos6之前的版本用service模块)
常用参数
daemon_reload重新载入systemd,扫描新的或有变动的单元enabled是否开机自启动yes|noname必选项,服务名称,例:httpdstate对当前服务执行启动,停止,重启,重新加载等操作(started,stopped,restarted,reloaded)
重启载入systemd
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m systemd -a "daemon_reload=yes"
启动服务
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m systemd -a "name=httpd state=started"
停止服务
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m systemd -a "name=httpd state=stopped"
设置开机自启
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m systemd -a "name=httpd enabled=yes"
重新加载
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m systemd -a "name=httpd state=reloaded"
group模块
对被管理节点的组进行管理
常用参数
name组名称,必选项system是否为系统组,yes/no,默认为nostate删除或创建 ,present/absent,默认为present
创建组
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m group -a "name=test_hao"
删除组
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m group -a "name=test_hao state=absent"
user模块
常用参数
name必须的参数, 指定用户名password设置用户的密码,这里接受的是一个加密的值,因为会直接存到 shadow, 默认不设置密码update_password假如设置的密码不同于原密码,则会更新密码. 在 1.3 中被加入home指定用户的家目录shell设置用户的 shellcomment用户的描述信息create_home在创建用户时,是否创建其家目录。默认创建,假如不创建,设置为 no。2.5版本之前使用 createhomegroup设置用户的主组groups将用户加入到多个其他组中,多个用逗号隔开。- by:默认会把用户从其他已经加入的组中删除。
appendyes|no 和 groups 配合使用,yes 时,默认会把用户从其他已经加入的组中删除。system设置为 yes 时,将会创建一个系统账号expires设置用户的过期时间,值为时间戳,会转为为天数后,放在 shadow 的第 8 个字段里generate_ssh_key设置为 yes 将会为用户生成密钥,这不会覆盖原来的密钥ssh_key_type指定用户的密钥类型, 默认 rsa, 具体的类型取决于被管理节点state删除或添加用户, present 为添加,absent 为删除;默认值 presentremove当与 state=absent 一起使用,删除一个用户及关联的目录,
创建用户并设置密码
先生成加密密码
[root@master ~]# pass=$(echo "123456" | openssl passwd -1 -stdin)
[root@master ~]# echo $pass
$1$53sCzKmD$M8HXglMba2wTnAIOKNuy8/
执行 ansible 命令 创建用户 haojue 并设置密码
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m user -a "name=haojue password=${pass}"
创建用户 haojue2, 并且为其创建密钥对,并且密钥类型为: ecdsa
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m user -a "name=haojue2 generate_ssh_key=yes ssh_key_type=ecdsa"
创建用户haojue3, 并且设置其有效期到 2022年9月9日, 加入到组 test_hao 中, 不改变用户原有假如的组。
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m user -a "name=haojue3 groups=test_hao append=yes expires=$(date +%s -d 20220909)"
date 命令说明
//计算3小时之后是几点几分
date +T -d '3 hours'
//任意日期的前N天,后N天的具体日期
date +%F -d "20220908 1 day"
date +%F -d "20220908 -1 day"
//计算两个日期相差天数,比如计算生日距离现在还有多少天
d1=$(date +%s -d 20220908)
d2=$(date +%s -d 202201109)
echo $((d1-d2)/86400))
file模块
file模块主要用于远程主机上的文件操作
常用参数
owner定义文件/目录属主group定义文件/目录的属组mode定义文件/目录的权限path必选项,定义文件/目录的路径recurse递归的设置文件的属性,只对目录有效src要被链接(软/硬)的源文件的路径,只应用于state=link的情况dest被链接到的路径,只用于state=link的情况state- directory 如果目录不存在,创建目录
- file 文件不存在,则不会被创建,存在则返回文件的信息,常用于检查文件是否存在
- link 创建软连接
- hard 创建硬链接
- touch 如果文件不存在,则会创建一个新的文件,如果文件或目录已存在,则更新其最后修改时间
- absent 删除目录、文件或者取消链接文件
// 创建一个文件
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "path=/tmp/haojue2.conf state=touch"
// 改变文件所有者及权限
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "path=/tmp/haojue2.conf owner=haojue group=test_hao mode=777"
// 创建一个软连接
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "src=/tmp/haojue2.conf dest=/tmp/hao_link.conf state=link"
// 创建一个目录
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "path=/tmp/haojuetrace_dir state=directory"
// 取消一个连接
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "path=/tmp/hao_link.conf state=absent"
// 删除一个文件
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m file -a "path=/tmp/haojue2.conf state=absent"
cron模块
管理远程节点的CRON 服务。等同于Linux 中的 计划任务。
注意:使用 Ansible 创建的计划任务,是不能使用本地 crontab -e去编辑,否则 Ansible 无法再次操作此计划任务了。
常用参数:
name指定一个cron job 的名字。一定要指定,便于日之后删除。minute指定分钟,可以设置成(0-59, *, */2 等)格式。 默认是 * , 也就是每分钟。hour指定小时,可以设置成(0-23, *, */2 等)格式。 默认是 * , 也就是每小时。day指定天, 可以设置成(1-31, *, */2 等)格式。 默认是 * , 也就是每天。month指定月份, 可以设置成(1-12, *, */2 等)格式。 默认是 * , 也就是每周。weekday指定星期, 可以设置成(0-6 for Sunday-Saturday, * 等)格式。默认是 *,也就是每星期。job指定要执行的内容,通常可以写个脚本,或者一段内容。state指定这个job的状态,可以是新增(present)或者是删除(absent)。 默认为新增(present)
// 新建一个 CRON JOB 任务
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m cron -a "name='create new job' minute='0' job='ls -alh > /dev/null'"
// 删除一个 CRON JOB 任务,删除时,一定要正确指定job 的name参数,以免误删除。
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m cron -a "name='create new job' state=absent"
查看计划任务
[root@node1 ~]# crontab -l
#Ansible: create new job
0 * * * * ls -alh > /dev/null
debug模块
debug 模块主要用于调试时使用,通常的作用是将一个变量的值给打印出来。
常用参数:
var直接打印一个指定的变量值msg打印一段可以格式化的字符串
这里引入了变量,我们只需了解 debug 模板的使用即可。在学习变量、剧本时,我们会对它有更深刻的理解。
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m debug -a "var=role" -e "role=web"
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m debug -a "msg='role is {{role}}'" -e role="role"
template 模块
template 模块使用了Jinjia2格式作为文件模版,可以进行文档内变量的替换。文件以 .j2 结尾。
常用参数:
src指定 Ansible 控制端的 文件路径dest指定 Ansible 被控端的 文件路径owner指定文件的属主group指定文件的属组mode指定文件的权限backup创建一个包含时间戳信息的备份文件,这样如果您以某种方式错误地破坏了原始文件, 就可以将其恢复原状。yes/no
用法其实和 copy 模块基本一样, template 模块的强大之处就是使用变量替换,就是可以把传递给 Ansible 的变量的值替换到模板文件中。
[root@master ~]# cat hello_haojuetrace.j2
hello {{name}}!
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m template -a "src=/root/hello_haojuetrace.j2 dest=/tmp/hello_haojuetrace.word" -e "name=haojuetrace"
lineinfile 模块
在被管理节点上,用正则匹配的方式对目标文件的一行内容修改删除等操作。
如果是在一个文件中把所有匹配到的多行都进行统一处理,请参考replace 模块。
如果想对一个文件进行一次性添加/更新/删除多行内容等操作,参考blockinfile模块
常用参数:
path被管理节点的目标文件路径, 必须。state可选值absent 删除 |present 替换(默认值)。regexp在文件的每一行中查找的正则表达式。对于 state=present ,仅找到的最后一行将被替换。line要在文件中插入/替换的行。需要state=present。create文件不存在时,是否要创建文件并添加内容。yes/nobackup当文件更新时创建备份副本insertbefore在指定位置的上一行插入(定位)insertafter在指定位置的下一行插入(定位)
删除管理节点文件里的正则匹配内容
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m lineinfile -a "path=/etc/sudoers regexp='^%wheel' state=absent"
替换某一行
[root@master ~]# ansible 172.18.54.20 -i inventory.ini -m lineinfile -a "path=/etc/selinux/config regexp='^SELINUX=' line='SELINUX=disabled' state=present"
在最后一行后面添加一行
[root@master ~]# ansible 10.0.54.101 -m lineinfile -a "path=/etc/hosts insertafter="EOF" line='10.0.54.100 controller'"
Ansible-Playbook
Playbook 在 Ansible 中成为 剧本。
可以认为它是Ansible 自定义的一门语言。
可以将 Playbook 比作 Linux 中的 shell 脚本。
如何写 Playbook
Play
由于Playbook 是由一个或者多个Play组成,那么如果我们熟悉Play 的写法,就自然掌握了我们这章的PlayBook。
那如何定义一个Play
- 每一个Play 都是以短横杠开始的
- 每一个Play 都是一个YAML 字典格式
根据上面两条Play 的规则,一个 Play 应该是类似如下的样子
---
- name: shark
hosts: all
...
由于一个Playbook 是由一个或者多个Play构成, 那么一个含有多个Play的Playbook 结构上应该是如下的样子
---
# 一个含有2个Play 的伪PlayBook构成
- name: create a user
hosts: nginx
key3: value3
- name: copy a file to webNginx
hosts: webNginx
key3: value3
...
Play 的属性
常用属性:
name属性, 每个play的名字hosts属性, 每个play 涉及的被管理节点,同命令行执行时候的 主机匹配模式tasks属性, 每个play 中具体要完成的任务,以列表的形式表达become属性,如果需要提权,则加上become 相关属性become_user属性, 若提权的话,提权到哪个用户上remote_user属性,指定连接用户。若不指定,则默认使用当前执行 ansible Playbook 的用户
一个完整剧本
根据上一小节中介绍的真实的属性,一个含有一个Play 的 Playbook 应该是如下的样子
---
- name: the first play example
hosts: all
remote_user: root
tasks:
- name: install nginx package
yum: name=nginx state=present
- name: copy nginx.conf to remote server
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
- name: start nginx server
service:
name: nginx
enabled: true
state: started
...
tasks 属性中任务的几种写法
# 以启动 nginx 服务,并增加开机启动为例
# 一行的形式:
service: name=nginx enabled=true state=started
#分行写
service: name=nginx
enabled=true
state=started
# 多行写成字典的形式:
service:
name: nginx
enabled: true
state: started
含有多个Play 的 Playbook 啥样
---
- name: manage web servers
hosts: webNginx
remote_user: root
tasks:
- name: install nginx package
yum: name=nginx state=present
- name: copy nginx.conf to remote server
copy: src=nginx.conf dest=/etc/nginx/nginx.conf
- name: start nginx server
service:
name: nginx
enabled: true
state: started
- name: manager db servers
hosts: webNginx
tasks:
- name: update database confg
copy: src=my.cnf dest=/etc/my.cnf
语法校验
ansible-playbook myplaybook.yaml --syntax-check
运行PlayBook
ansible-playbook myplaybook.yaml
测试运行
// 会执行完整个PlayBook ,但是所有Task中的行为都不会在远程服务器上执行,所有执行都是模拟行为。
ansible-playbook myplaybook.yml -C
// -C 为大写的字母 C
Ansible-变量
变量的定义与使用
在 playbook 中定义变量
直接写在 playbook 中
---
- name: test var
hosts: node1
vars:
name: "haojuetrace"
tasks:
- name: debug test
debug:
msg: "my name is {{ name }}"
...
写到一个单独的文件中,之后在 playbook 中引用
some.yaml
users:
- tom
- shark
enable: false
引用变量文件
- name: test var
hosts: node1
gather_facts: no
vars_files:
# 引用变量文件
- ./some.yaml
tasks:
- name: test var
debug:
msg: "{{ enable }} {{ users }}"
我希望变量从命令行里传递
接上例, 执行 playbook 的时候使用选项 -e
-e "key1=var1 key2=var2"
-e 传递的是全局变量,可以覆盖已经定义的自定义变量
[root@master ~]# ansible-playbook -i inventory.ini test_play.yaml -e "name=haojue2"
[WARNING]: Found variable using reserved name: name
PLAY [test var] ****************************************************************
TASK [Gathering Facts] *********************************************************
ok: [172.18.54.20]
TASK [debug test] **************************************************************
ok: [172.18.54.20] => {
"msg": "my name is haojue2"
}
PLAY RECAP *********************************************************************
172.18.54.20 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
在资产清单中定义变量
定义主机变量
[node1]
172.18.54.20 app=haojue
[node2]
172.18.54.30
[all_node:children]
node1
node2
输出变量:
[root@master ~]# ansible node1 -i inventory.ini -m debug -a "var=app"
172.18.54.20 | SUCCESS => {
"app": "haojue"
}
定义组变量 all_node是组名
[all_node:vars]
n=10
还有一些变量用户设置后,默认直接调用的。
ansible_ssh_user单独指定连接到远程主机的远程用户ansible_ssh_pass连接到远程主机的远程用户的密码
[node1]
172.18.54.20 app=haojue
[node2]
172.18.54.30 ansible_ssh_user=shark ansible_ssh_pass=456
[all_node:children]
node1
node2
变量的优先级
全局 > Playbook 变量 > 资产清单中定义的变量
Facts变量
这个任务是获取此次 playbook 中每个主机的基础系统信息的。
包括: 主机名、主机 IP,主机网卡信息、主机分区挂载信息等。或者到后就可以在 palybook 中使用了。
Facts 变量也可以通过命令行获取
[root@master ~]# ansible all -i localhost, -m setup
筛选变量
[root@master ~]# ansible all -i localhost, -m setup -a "filter='*addr*'"
使用 Facts 变量
---
- name: test var
hosts: localhost
vars:
name: "haojuetrace"
tasks:
- name: debug test
debug:
msg: "my name is {{ ansible_ens34.ipv4.address }}"
...
[root@master ~]# ansible-playbook test_play.yaml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[WARNING]: Found variable using reserved name: name
PLAY [test var] ****************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [debug test] **************************************************************
ok: [localhost] => {
"msg": "my name is 172.18.54.10"
}
PLAY RECAP *********************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
关闭facts
如果在 playbook 中用不到这些变量,就可以关闭它:
[root@master ~]# cat test_play.yaml
---
- name: test var
hosts: localhost
gather_facts: no # 这一项就是关闭facts的
vars:
name: "haojuetrace"
tasks:
- name: debug test
debug:
msg: "my name is {{ ansible_ens34.ipv4.address }}"
...
测试
因为facts关闭了所以获取不到就报错了
[root@master ~]# ansible-playbook test_play.yaml [WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[WARNING]: Found variable using reserved name: name
PLAY [test var] ****************************************************************
TASK [debug test] **************************************************************
fatal: [localhost]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'ansible_ens34' is undefined\n\nThe error appears to be in '/root/test_play.yaml': line 8, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n tasks:\n - name: debug test\n ^ here\n"}
PLAY RECAP *********************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
变量注册
默认情况下,在执行 playbook 中的某个任务时候,我们并不能得到这个任务执行的结果,比如执行一条命令,命令的结果不论正确与否,都不能看到执行结果。
Ansible 提供一个变量注册的功能,可以把某个 task 执行的结果赋值给一个变量,之后在接下来的 task 中就可以使用这个变量了。
使用场景,判断上一个 task 是否执行成功,或者使用上一个 task 执行的结果来进行判断。
这个功能就是在某个 task 中添加
register: 变量名 来实现。
实例:
---
- name: yum nginx or out
hosts: node1
tasks:
- name: yum nginx or debug out
yum:
name: httpd
state: present
register: out
- name: debug out
debug:
var: out
...
输出结果
#检验语法
[root@master ~]# ansible-playbook -i inventory.ini nginx_ploy.yaml --syntax-check
#输出
[root@master ~]# ansible-playbook -i inventory.ini nginx_ploy.yaml
PLAY [yum nginx or out] ********************************************************
TASK [Gathering Facts] *********************************************************
ok: [172.18.54.20]
TASK [yum nginx or debug out] **************************************************
ok: [172.18.54.20]
TASK [debug out] ***************************************************************
ok: [172.18.54.20] => {
"out": {
"changed": false,
"failed": false,
"msg": "",
"rc": 0,
"results": [
"httpd-2.4.6-97.el7.centos.5.x86_64 providing httpd is already installed"
]
}
}
PLAY RECAP *********************************************************************
172.18.54.20 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Ansible任务控制
条件判断
实例
---
- name: when test
hosts: node1
gather_facts: no
vars:
num: "1"
tasks:
- name: when test
debug:
var: num
when: num == "2"
...
输出:
[root@master ~]# ansible-playbook -i inventory.ini when.yaml
PLAY [when test] ***********************************************************************
TASK [when test] ***********************************************************************
ok: [172.18.54.20] => {
"num": "1"
}
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@master ~]# vim when.yaml
[root@master ~]# ansible-playbook -i inventory.ini when.yaml
PLAY [when test] ***********************************************************************
TASK [when test] ***********************************************************************
skipping: [172.18.54.20]
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=0 changed=0 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
语法注意事项:
== 等于
!= 不等于
>
>=
<
<=
is defined 已经定义过
is not defined 没有定义过
true 真的
false 假的
"" 空字符串或者说是空值
支持逻辑运算符: and or
循环
loop循环出来的变量必须使用item调用,不能自定义
实例
---
- name: loop test
hosts: node2
gather_facts: no
vars:
nums:
- 1
- 2
- 3
tasks:
- name: loop test
debug:
var: "{{ item }}"
loop: "{{ nums }}"
...
输出
[root@master ~]# ansible-playbook -i inventory.ini loop.yaml
PLAY [loop test] ***********************************************************************
TASK [loop test] ***********************************************************************
ok: [172.18.54.30] => (item=1) => {
"1": "VARIABLE IS NOT DEFINED!",
"ansible_loop_var": "item",
"item": 1
}
ok: [172.18.54.30] => (item=2) => {
"2": "VARIABLE IS NOT DEFINED!",
"ansible_loop_var": "item",
"item": 2
}
ok: [172.18.54.30] => (item=3) => {
"3": "VARIABLE IS NOT DEFINED!",
"ansible_loop_var": "item",
"item": 3
}
PLAY RECAP *****************************************************************************
172.18.54.30 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
tags标签
在一个 playbook 中可以给一部分 task(任务) 打标签,之后执行的时候使用
-t选项并且指定具体的 tags 的名字,可以实现仅执行这部分 task。
- name: tags test
hosts: node1
gather_facts: no
tasks:
- name: 任务1
debug:
msg: "task 1"
tags: qf
- name: 任务2
debug:
msg: "task 2"
tags: qf
- name: 任务3
debug:
msg: "task 3"
未指定tags标签输出
[root@master ~]# ansible-playbook -i inventory.ini tags.yaml
PLAY [tags test] ***********************************************************************
TASK [任务1] *****************************************************************************
ok: [172.18.54.20] => {
"msg": "task 1"
}
TASK [任务2] *****************************************************************************
ok: [172.18.54.20] => {
"msg": "task 2"
}
TASK [任务3] *****************************************************************************
ok: [172.18.54.20] => {
"msg": "task 3"
}
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
指定tags输出
指定了tags,则只会执行带有tags标签的play
[root@master ~]# ansible-playbook -i inventory.ini tags.yaml -t qf
PLAY [tags test] ***********************************************************************
TASK [任务1] *****************************************************************************
ok: [172.18.54.20] => {
"msg": "task 1"
}
TASK [任务2] *****************************************************************************
ok: [172.18.54.20] => {
"msg": "task 2"
}
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Handlers
在部署一个应用的时候,当应用的配置文件更新的时候,我们应该重启这个应用,以便让新的配置文件生效。
在 Ansisble 中可以使用
tasks.notify和handlers属性进行组合,来实现当配置文件有更新,就自动触发另外一个任务的执行。
例子:
---
- name: handlers test
hosts: node1
gather_facts: no
tasks:
- name: handlers test
copy:
src: /tmp/handlers
dest: /tmp/handlers
notify: copy handlers
register: hostname
handlers:
- name: copy handlers
debug:
msg: "hostname: --- {{hostname}}"
...
文件无变化
[root@master ~]# ansible-playbook -i inventory.ini handlers.yaml
PLAY [handlers test] *******************************************************************
TASK [handlers test] *******************************************************************
ok: [172.18.54.20]
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
文件发生变化
notify监听的文件发生变化则会执行handlers
[root@master ~]# ansible-playbook -i inventory.ini handlers.yaml
PLAY [handlers test] *******************************************************************
TASK [handlers test] *******************************************************************
changed: [172.18.54.20]
RUNNING HANDLER [copy handlers] ********************************************************
ok: [172.18.54.20] => {
"msg": "hostname: --- {u'src': u'/root/.ansible/tmp/ansible-tmp-1662691095.05-31910-233385672997932/source', u'md5sum': u'146137e49c75b4fb4b1cbca112432a92', u'group': u'root', u'uid': 0, u'dest': u'/tmp/handlers', u'checksum': u'1b8f72ebdb9ba816edc93c59cd5e0b67bff5ea8e', u'changed': True, 'failed': False, u'state': u'file', u'gid': 0, u'mode': u'0644', u'owner': u'root', 'diff': [], 'ansible_facts': {u'discovered_interpreter_python': u'/usr/bin/python'}, u'size': 9}"
}
PLAY RECAP *****************************************************************************
172.18.54.20 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Playbook的进阶应用
when实现条件判断
条件测试:如果需要根据变量、facts或此前任务的执行结果来做为某task执行与否的前提时要用到条件测试。剧本中不能使用if判断,需要使用when判断。
when语句: 在task后添加when子句即可使用条件测试,可以使用facts或playbook中定义的变量,支持Jinja2表达式语法
---
- hosts: all
tasks:
- name: copy file
copy:
src: /etc/hosts
dest: /etc/hosts
when: ansible_hostname is match "node1"
使用with_items实现迭代
迭代:当有需要重复性执行的任务时,可以使用迭代机制对迭代项的引用,固定变量名为”item"
迭代列表
---
- hosts: node1
gather_facts: False
tasks:
- name: add user
user:
name: "{{ item }}"
with_items:
- user1
- user2
- user3
迭代字典
---
- hosts: node1
gather_facts: False
tasks:
- name: add user
user:
name: "{{ item.name }}"
with_items:
- {name: 'user1'}
- {name: 'user2'}
- {name: 'user3'}
Ansible模板
Ansible使用Jinja2模板来启用动态表达式和访问变量。
Jinja2 模板基本语法
Jinja模板只是一个文本文件,一般文件名使用
.j2为后缀。模板包含变量和或表达式,在渲染模板时将其替换为值。有几种分隔符。默认的Jinja分隔符配置如下:
{% ... %}声明逻辑表达式{{ ... }}用于将变量输出{# ... #}用于模板的注释
JinJa2 逻辑控制
条件表达
{% if %}
...
{% elif %}
...
{% else %}
...
{% endif %}
实例:
{# 如果定义了idc变量,则输出此变量 #}
{% if idc is defined %}
{{ idc }}
{% else %}
没有定义
{% endif %}
循环控制
{% for %}
...
...
{% endfor %}
实例:
for_test.j2
{% for i in li %}
{{ i }}
{% endfor %}
test_for.yaml
---
- name: for test
hosts: node1
vars:
- li:
- "1"
- "2"
- "3"
tasks:
- name: for test
template:
src: ./for_test.j2
dest: /tmp/for_test.conf
...
执行
[root@master template]# ansible-playbook -i ../inventory.ini test_for.yaml
输出结果
[root@node1 ~]# cat /tmp/for_test.conf
1
2
3
实战实例
nginx安装
nginx.conf.j2
user nginx;
worker_processes {{ ansible_processor_vcpus }};
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
nginx.repo
南大源
[nginx]
name=nginxrepo
baseurl=https://mirrors.nju.edu.cn/nginx/centos/7/x86_64/
gpgcheck=0
enabled=1
nginx_play.yaml
---
- name: nginx start or updata conf
hosts: node2
tasks:
- name: copy nginx repo
copy:
src: ./nginx.repo
dest: /etc/yum.repos.d/nginx.repo
- name: updata yum
shell: yum makecache
- name: yum install nginx
yum:
name: nginx
state: present
- name: update
template:
src: ./nginx.conf.j2
dest: /etc/nginx/nginx.conf
tags: reload nginx server
notify: reload nginx server
- name: check nginx syntax
shell: /usr/sbin/nginx -t
register: nginxsyntax
tags: reload nginx server
- name: start nginx server
when: nginxsyntax.rc == 0
systemd:
name: nginx
state: started
handlers:
- name: reload nginx server
when: nginxsyntax.rc == 0
systemd:
name: nginx
state: restarted
...
执行
[root@master nginx_test]# ansible-playbook -i ../inventory.ini nginx_play.yaml
PLAY [nginx start or updata conf] *****************************************************
TASK [Gathering Facts] ****************************************************************
ok: [172.18.54.30]
TASK [copy nginx repo] ****************************************************************
ok: [172.18.54.30]
TASK [updata yum] *********************************************************************
[WARNING]: Consider using the yum module rather than running 'yum'. If you need to
use command because yum is insufficient you can add 'warn: false' to this command task
or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [172.18.54.30]
TASK [yum install nginx] **************************************************************
ok: [172.18.54.30]
TASK [update] *************************************************************************
ok: [172.18.54.30]
TASK [check nginx syntax] *************************************************************
changed: [172.18.54.30]
TASK [start nginx server] *************************************************************
ok: [172.18.54.30]
PLAY RECAP ****************************************************************************
172.18.54.30 : ok=7 changed=2 unreachable=0 failed=0 skipped= 0 rescued=0 ignored=0
Ansible-role
role介绍
role 角色就是把一个 playbook 中的代码按照一定的规则分解开。
模块化编程的思想组织 playbook 的代码。
目录结构
nginx
├── defaults
│ └── main.yml
├── files
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── tasks
│ └── main.yml
├── templates
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
上面示例中 nginx就成为一个 role, 这个 role 的主要功能是部署并配置 nginx。
从表面上看,它就是一个目录。目录的名字也就是role的名字,示例中,role 的名字叫做nginx 。
进到这个role名字的目录里,会发现好多子目录。使用时,每个目录必须包含一个main.yml文件,这个文件应该包含如下目录名称对应的内容:
- tasks -包含角色要执行的任务的主要列表。
- handlers -包含处理程序,此角色甚至该角色之外的任何地方都可以使用这些处理程序。
- defaults-角色的默认变量。
- vars-角色的其他变量。
- files -包含可以通过此角色部署的文件。
- templates -包含可以通过此角色部署的模板。
- meta-为此角色定义一些元数据。
角色必须至少包含这些目录中的其中之一,但是最好删除掉任何未使用的目录
一键生成role
生成一个es-1的角色
ansible-galaxy init es-1
role 的制作过程
files文件夹存放文件
存放配置文件之类的
[root@master nginx_test]# ls nginx/files/
nginx.repo
handlers 文件夹中的main.yml 文件
- name: reload nginx server
when: nginxsyntax.rc == 0
systemd:
name: nginx
state: restarted
tasks 文件夹中的 main.yml 文件
- name: copy nginx repo
copy:
src: ./nginx.repo
dest: /etc/yum.repos.d/nginx.repo
- name: updata yum
shell: yum makecache
- name: yum install nginx
yum:
name: nginx
state: present
- name: update
template:
src: ./nginx.conf.j2
dest: /etc/nginx/nginx.conf
tags: reload nginx server
notify: reload nginx server
- name: check nginx syntax
shell: /usr/sbin/nginx -t
register: nginxsyntax
tags: reload nginx server
- name: start nginx server
when: nginxsyntax.rc == 0
systemd:
name: nginx
state: started
templates 文件夹存放模板
[root@master nginx_test]# ls nginx/templates/
nginx.conf.j2
现在的目录
nginx
├── defaults
│ └── main.yml
├── files
│ └── nginx.repo
├── handlers
│ └── main.yml
├── meta
│ └── main.yml
├── README.md
├── tasks
│ └── main.yml
├── templates
│ └── nginx.conf.j2
├── tests
│ ├── inventory
│ └── test.yml
└── vars
└── main.yml
在PlayBook中使用 Role
经典(原始)方式
编译一个 playbool,内容如下:
在 playbook 中给定
role:属性
deploy-nging.yaml
---
- name: use role
hosts: node1
role:
- nginx
保证 deploy-nginx.yml 文件的当前目录下有 nginx角色
执行:
[root@master nginx_test]# ansible-playbook -i ../inventory.ini deploy-nginx.yaml
新方式
在 playbook 中给定
import_role属性
这种方式适用于 Ansible 2.4及以上
new-role-ploy.yaml
---
- name: role new
hosts: node1
tasks:
- name: debug run role
debug:
msg: "before we run our role"
- name: role run
import_role:
name: nginx
- name: debug stop role
debug:
msg: "after we run our role"
执行:
[root@master nginx_test]# ansible-playbook -i ../inventory.ini new-role-ploy.yaml
文章评论