Operations-ansible-01
2016-02-02 22:45
ansible
features
- Modular: specific modules are called to carry out specific tasks
- Implemented in Python, built on three key libraries: paramiko, PyYAML and Jinja2
- Simple to deploy, agentless
- Master/slave mode
- Supports custom modules
- Supports playbooks
- Idempotent: running it several times gives the same result
Components
- ansible core
- host inventory: the host library, which defines the list of hosts ansible is able to manage
- connection plugins: plugins used to manage hosts, normally the SSH API that opens a session to the host and sends instructions
- modules: the various core modules and custom modules
- playbooks: prepared sets of modules and commands
Configuration files
Main configuration file: /etc/ansible/ansible.cfg
Host Inventory
/etc/ansible/hosts
The ansible command
ansible <host-pattern> [-f forks] [-m module_name] [-a args]
host-pattern
A name of a group in the inventory file, a shell-like glob selecting hosts in inventory file, or any combination of the two separated by semicolons.
/etc/ansible/hosts is in INI style: the text inside square brackets is a group name, and a host may belong to several groups at once.
-i PATH, --inventory=PATH
The PATH to the inventory hosts file, which defaults to /etc/ansible/hosts.
-a 'ARGUMENTS', --args='ARGUMENTS'
The ARGUMENTS to pass to the module.
[root@husa ansible]# ansible-doc --help
Usage: ansible-doc [options] [module...]

Show Ansible module documentation

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -M MODULE_PATH, --module-path=MODULE_PATH
                        Ansible modules/ directory
  -l, --list            List available modules
  -s, --snippet         Show playbook snippet for specified module(s)   # show a module's usage parameters
  -v                    Show version number and exit
Commonly used modules
ansible-doc -l lists the supported modules:
[root@localhost .ssh]# ansible-doc -l
...
apt                    Manages apt-packages
apt_key                Add or remove an apt key
apt_repository         Add and remove APT repositories
apt_rpm                apt_rpm package manager
assemble               Assembles a configuration file from frag...
assert                 Fail with custom message
at                     Schedule the execution of a command or s...
authorized_key         Adds or removes an SSH authorized key
azure                  create or terminate a virtual machine in...
bigip_facts            Collect facts from F5 BIG-IP devices
bigip_monitor_http     Manages F5 BIG-IP LTM http monitors
bigip_monitor_tcp      Manages F5 BIG-IP LTM tcp monitors
...
Module arguments are key/value data:
-a key=value
command
-a 'COMMAND'
[root@localhost .ssh]# ansible all -m command -a 'ls'
172.16.11.101 | success | rc=0 >>
anaconda-ks.cfg
httpd.csr

172.16.11.102 | success | rc=0 >>
anaconda-ks.cfg

command is the default module and may be omitted, i.e. ansible all -a 'ls'
As the default module, its argument is not in key=value form but is the command itself; this module cannot use pipes.
ping
A trivial test module, this module always returns pong on successful contact. It does not make sense in playbooks, but it is useful from /usr/bin/ansible to verify the ability to login and that a usable python is configured. This is NOT ICMP ping, this is just a trivial test module.
[root@localhost .ssh]# ansible 172.16.11.101 -m ping
172.16.11.101 | success >> {
    "changed": false,
    "ping": "pong"
}
user
name     yes                      Name of the user to create, remove or modify.
state    no    [present|absent]   Whether the account should exist or not, taking action if the state is different from what is stated.
system   no    [yes|no]           When creating an account, setting this to yes makes the user a system account. This setting cannot be changed on existing users.
-a 'name= state={present|absent} force= system= uid= shell= home='
# create the centos user on both hosts
[root@localhost ~]# ansible all -m user -a 'name=centos system=yes state=present'
172.16.11.101 | success >> {
    "changed": true,
    "comment": "",
    "createhome": true,
    "group": 992,
    "home": "/home/centos",
    "name": "centos",
    "shell": "/bin/bash",
    "state": "present",
    "system": true,
    "uid": 995
}

172.16.11.102 | success >> {
    "changed": true,
    "comment": "",
    "createhome": true,
    "group": 992,
    "home": "/home/centos",
    "name": "centos",
    "shell": "/bin/bash",
    "state": "present",
    "system": true,
    "uid": 995
}

[root@husa ~]# id centos
uid=995(centos) gid=992(centos) 组=992(centos)
group
-a 'name= state={present|absent} gid= system='
[root@localhost ~]# ansible-doc -s group
- name: Add or remove groups
  action: group
      gid                    # Optional `GID' to set for the group.
      name=                  # Name of the group to manage.
      state                  # Whether the group should be present or not on the remote host.
      system                 # If `yes', indicates that the group created is a system group.
file
Sets attributes of files, symlinks, and directories, or removes files/symlinks/directories. Many other modules support the same options as the file module - including copy, template, and assemble.
-a 'path= mode= owner= group= state={file|directory|link|hard|touch|absent} src='
[root@localhost ~]# ansible all -m file -a 'path=/root/ansi state=directory mode=755 owner=root group=root'
172.16.11.102 | success >> {
    "changed": true,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/root/ansi",
    "secontext": "unconfined_u:object_r:admin_home_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}

172.16.11.101 | success >> {
    "changed": true,
    "gid": 0,
    "group": "root",
    "mode": "0755",
    "owner": "root",
    "path": "/root/ansi",
    "secontext": "unconfined_u:object_r:admin_home_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 0
}

# 172.16.11.101
[root@husa ~]# ll
总用量 8
-rw-------. 1 root root 1998 1月  30 02:49 anaconda-ks.cfg
drwxr-xr-x. 2 root root    6 1月  31 08:11 ansi
-rw-r--r--. 1 root root  708 1月  31 03:39 httpd.csr
yum
Installs, upgrades, removes, and lists packages and groups with the yum package manager.
-a 'name= conf_file= state={present|latest|absent} enablerepo= disablerepo='
[root@localhost ~]# ansible all -m yum -a 'name=httpd state=present'
172.16.11.101 | success >> {
    "changed": false,
    "msg": "",
    "rc": 0,
    "results": [
        "httpd-2.4.6-31.el7.centos.x86_64 providing httpd is already installed"
    ]
}

172.16.11.102 | success >> {
    "changed": false,
    "msg": "",
    "rc": 0,
    "results": [
        "httpd-2.4.6-31.el7.centos.x86_64 providing httpd is already installed"
    ]
}
# install httpd; it reports that the package is already installed
copy
The copy module copies a file on the local box to remote locations. Use the fetch module to copy files from remote locations to the local box. If you need variable interpolation in copied files, use the template module.
Copies a file from the local host to the remote hosts.
-a 'dest= src= content= owner= group= mode='
[root@localhost ~]# ansible all -m copy -a 'src=/etc/httpd/conf/httpd.conf dest=/tmp mode=744 owner=root group=root'
172.16.11.101 | success >> {
    "changed": true,
    "checksum": "fa2850bb3dae846b727917ae0777bc85109cf4e0",
    "dest": "/tmp/httpd.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "f6351c6d8c8dfc5899820d8c46d74651",
    "mode": "0744",
    "owner": "root",
    "secontext": "unconfined_u:object_r:admin_home_t:s0",
    "size": 34419,
    "src": "/root/.ansible/tmp/ansible-tmp-1451141734.1-70247620035515/source",
    "state": "file",
    "uid": 0
}

172.16.11.102 | success >> {
    "changed": true,
    "checksum": "fa2850bb3dae846b727917ae0777bc85109cf4e0",
    "dest": "/tmp/httpd.conf",
    "gid": 0,
    "group": "root",
    "md5sum": "f6351c6d8c8dfc5899820d8c46d74651",
    "mode": "0744",
    "owner": "root",
    "secontext": "unconfined_u:object_r:admin_home_t:s0",
    "size": 34419,
    "src": "/root/.ansible/tmp/ansible-tmp-1451141734.12-232176586930023/source",
    "state": "file",
    "uid": 0
}

# remote location
[root@husa ~]# ll /tmp
总用量 60
drwxr-xr-x. 2 root root    17 1月  30 02:40 hsperfdata_root
-rwxr--r--. 1 root root 34419 1月  31 08:29 httpd.conf
service
Controls services on remote hosts. Supported init systems include BSD init, OpenRC, SysV, Solaris SMF, systemd, upstart.
-a 'name= state={started|stopped|restarted} enabled= runlevel='
enabled means the service starts at boot.
# start the httpd service and enable it at boot
[root@localhost ~]# ansible all -m service -a 'name=httpd state=started enabled=true'
172.16.11.102 | success >> {
    "changed": true,
    "enabled": true,
    "name": "httpd",
    "state": "started"
}

172.16.11.101 | success >> {
    "changed": true,
    "enabled": true,
    "name": "httpd",
    "state": "started"
}
shell
The shell module takes the command name followed by a list of space-delimited arguments. It is almost exactly like the command module but runs the command through a shell (/bin/sh) on the remote node.
Pipes, redirection and so on can be used.
-a 'COMMAND'
# set the password of the centos user on the remote hosts to root
[root@localhost ~]# ansible all -m shell -a 'echo "root" | passwd --stdin centos'
172.16.11.101 | success | rc=0 >>
Changing password for user centos.
passwd: all authentication tokens updated successfully.

172.16.11.102 | success | rc=0 >>
Changing password for user centos.
passwd: all authentication tokens updated successfully.
script
The script module takes the script name followed by a list of space-delimited arguments. The local script at path will be transferred to the remote node and then executed. The given script will be processed through the shell environment on the remote node. This module does not require python on the remote system, much like the raw module.
Transfers a local script file to the remote host and executes it there, returning the result.
-a '/PATH/TO/SCRIPT'
# local host
[root@localhost ~]# vim hello.sh
#!/bin/bash
#
echo "hello $HOSTNAME"

[root@localhost ~]# ansible all -m script -a '/root/hello.sh'
172.16.11.101 | success >> {
    "changed": true,
    "rc": 0,
    "stderr": "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug1: mux_client_request_session: master session id: 2\r\nShared connection to 172.16.11.101 closed.\r\n",
    "stdout": "hello husa\r\n"
}

172.16.11.102 | success >> {
    "changed": true,
    "rc": 0,
    "stderr": "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug1: mux_client_request_session: master session id: 2\r\nShared connection to 172.16.11.102 closed.\r\n",
    "stdout": "hello localhost.localdomain\r\n"
}
The script is uploaded to the remote host and executed there; its result can be captured on the local host.
cron
Use this module to manage crontab entries. This module allows you to create named crontab entries, update, or delete them. The module includes one line with the description of the crontab entry "#Ansible: " corresponding to the "name" passed to the module, which is used by future ansible/module calls to find/check the state. The "name" parameter should be unique, and changing the "name" value will result in a new cron task being created (or a different one being removed).
-a 'name= state= minute= hour= day= month= weekday= job='
setup
This module is automatically called by playbooks to gather useful variables about remote hosts that can be used in playbooks. It can also be executed directly by /usr/bin/ansible to check what variables are available to a host. Ansible provides many facts about the system, automatically.
Gather the facts of a specified host:
[root@localhost ~]# ansible 172.16.11.101 -m setup
172.16.11.101 | success >> {
    "ansible_facts": {
        "ansible_all_ipv4_addresses": [
            "192.168.200.101",
            "172.16.11.101"
        ],
        "ansible_all_ipv6_addresses": [
            "fe80::20c:29ff:fecc:de26",
            "fe80::20c:29ff:fecc:de1c"
        ],
        "ansible_architecture": "x86_64",
        "ansible_bios_date": "07/02/2015",
        "ansible_bios_version": "6.00",
        "ansible_cmdline": {
            "BOOT_IMAGE": "/vmlinuz-3.10.0-229.el7.x86_64",
            "LANG": "zh_CN.UTF-8",
            "crashkernel": "auto",
            "quiet": true,
            "rhgb": true,
            "ro": true,
            "root": "UUID=6db0652d-dad9-400a-bd91-0d6dfb59b2b4"
        },
        "ansible_date_time": {
            "date": "2016-01-31",
            "day": "31",
            "epoch": "1454201429",
            "hour": "08",
            "iso8601": "2016-01-31T00:50:29Z",
            "iso8601_micro": "2016-01-31T00:50:29.107179Z",
            "minute": "50",
            "month": "01",
            "second": "29",
            "time": "08:50:29",
            "tz": "CST",
            "tz_offset": "+0800",
            "weekday": "Sunday",
            "year": "2016"
        },
        "ansible_default_ipv4": {
        ... ...
templates
-a 'dest= src= content= owner= group= mode='
playbooks
Playbooks contain one or more plays, written in YAML and executed in the order in which they are written.
ansible-playbook - run an ansible playbook
ansible-playbook
Variables
Variable naming: letters, digits and underscores only, and a name must begin with a letter.
Kinds of variables:
- facts: host attribute information sent back by the remote host and stored in ansible variables; they need no definition and can be used directly
- custom variables
  - passed on the command line: ansible-playbook xxx.yml --extra-vars "host=xxx user=xxx"
  - passed through roles: in the role's yml file use {{role:role_name,var_name:var_value}} to pass a template variable's value to the variable
- host variables: variables defined after a host in the inventory
- group variables: variables defined on a group in the inventory
Inventory parameters
When ansible connects over ssh to a remote host listed in the inventory, it uses the attributes given by these parameters: ansible_ssh_host, ansible_ssh_user, ansible_ssh_pass, ansible_sudo_pass
Example:
[root@localhost ~]# vim /etc/ansible/hosts
[real server]
172.16.11.101 ansible_ssh_user='root' ansible_ssh_port=22 ansible_ssh_pass='root' ansible_sudo_pass='xxxx'
172.16.11.102
facts
The setup module shows the various facts of a remote host.
Host variables
Variables defined after a host in the inventory:
[root@localhost ~]# vim /etc/ansible/hosts
[real server]
172.16.11.101 user=apache group=apache
172.16.11.102
Custom variables passed on the command line
ansible-playbook test.yml --extra-vars "host=172.16.11.101"   # host here is a custom variable passed on the command line
Group variables
[root@localhost ~]# vim /etc/ansible/hosts
[real server:vars]
user=apache
group=apache
172.16.11.101
172.16.11.102
Playbook structure
- hosts: {hostname|inventory_name|ip}     # identifies the remote hosts
  remote_user: remote_user_name            # the identity under which tasks run on the remote host
  vars:                                    # define variables
    Key1: Value1                           # a variable of this kind is referenced as {{ Keyx }}
    Key2: Value2
    Keyn: Valuen
  tasks:                                   # a task group, written as a list
    - name: task_name1                     # an identifying string, e.g. task useradd
      module_name: module_args             # e.g. user: name={{ var_name }} state=present, or user: name=username state=present; a variable in args may also come from item
      when: condition                      # e.g. a condition on a fact: ansible_os_family == "RedHat"
      notify: handlers_name                # a task triggered only when something changed; handlers_name is the name of an entry under handlers
      with_items:
        - item_name1                       # items of this form are referenced in args as {{ item }}
        - item_name2
        - item_namen
        - {var_name: 'content', var_name2: 'content', var_namen: 'content'}   # items of this form are referenced in args as {{ item.var_name }}
        - {var_name: 'content', var_name2: 'content', var_namen: 'content'}
    - template: template_args              # the template module used explicitly; its main arguments are src and dest, and it is mostly used to modify configuration files; the src file uses Jinja2 template syntax with {{ template_name }} placeholders, which may be filled from host variables, custom variables and vars
      tags: tags_name                      # tags for the task; ansible-playbook -t tags_name playname.yml runs only the tasks with that tag
    - name: task_namex...                  # several tasks can be defined
  handlers:
    - name: handlers_name1
      module_name: module_args             # handlers also use modules to define their tasks
    - name: handlers_name2...              # several handlers can be defined
roles
The various elements are defined in the roles directory; a playbook then names the role, and running that yml file locates the corresponding configuration files through the directory structure.
One directory represents one role, and the directories under it hold its various configuration items; roles exist for "code reuse".
A role is a set of playbook elements (variables, tasks, templates, handlers) organised in a specific hierarchical layout; a playbook can call it directly by the role's name.
roles/
  webserver/
    files/:     all files used by this role are placed in this directory
    templates/: where the Jinja2 template files are stored
    tasks/:     task list files; there can be several, but at least one must be called main.yml
    handlers/:  handler list files; there can be several, but at least one must be called main.yml
    vars/:      variable dictionary files; there can be several, but at least one must be called main.yml
    meta/:      special settings and dependencies of this role
[root@localhost ~]# tree /etc/ansible/roles/
/etc/ansible/roles/
└── real server      # the "real server" directory represents one role
    ├── files        # all files used by this role are placed here
    ├── handlers     # handler list files; there can be several, but at least one must be called main.yml
    ├── meta         # special settings and dependencies of this role
    ├── tasks        # task list files; there can be several, but at least one must be called main.yml
    ├── templates    # where the Jinja2 template files are stored
    └── vars         # variable dictionary files; there can be several, but at least one must be called main.yml
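A worked example, added here and not part of the original post, that ties the playbook structure and the roles layout together: a hypothetical `webserver` role under /etc/ansible/roles/ (vars, tasks, handlers and a Jinja2 template) plus a site.yml that calls it. The file names, variable names, user list and template content are assumed for illustration; the modules and keys are the ones the post describes.

```yaml
# /etc/ansible/roles/webserver/vars/main.yml   (assumed role; values are constructed)
httpd_user: apache
httpd_port: 80
admin_users:
  - { name: centos, shell: /bin/bash }
  - { name: ops,    shell: /bin/bash }

# /etc/ansible/roles/webserver/templates/httpd.conf.j2   (Jinja2; shown here as comments)
#   Listen {{ httpd_port }}
#   User {{ httpd_user }}
#   ServerName {{ ansible_fqdn }}        <- a fact gathered by the setup module

# /etc/ansible/roles/webserver/tasks/main.yml
- name: install httpd
  yum: name=httpd state=present
  when: ansible_os_family == "RedHat"     # only on RedHat-family hosts (fact)
  tags: install

- name: create admin users                # dict items: referenced as {{ item.name }}
  user: name={{ item.name }} shell={{ item.shell }} state=present
  with_items: "{{ admin_users }}"
  tags: users

- name: render httpd.conf from the template   # src is looked up in templates/
  template: src=httpd.conf.j2 dest=/etc/httpd/conf/httpd.conf owner=root group=root mode=0644
  notify: restart httpd                   # handler runs only if the file actually changed
  tags: config

- name: start httpd and enable it at boot
  service: name=httpd state=started enabled=yes
  tags: config

# /etc/ansible/roles/webserver/handlers/main.yml
- name: restart httpd
  service: name=httpd state=restarted

# /etc/ansible/site.yml
# run:  ansible-playbook site.yml          (everything)
#       ansible-playbook -t config site.yml (only the tasks tagged config)
- hosts: all                              # or the inventory group from the post
  remote_user: root
  roles:
    - webserver
```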
Installing ansible
ansible is in the EPEL repository, so configure EPEL first.
[root@localhost ~]# yum install ansible
Installing:
 ansible        noarch        1.9.2-1.el6        epel        1.7 M
Transaction Summary
Installed:
  ansible.noarch 0:1.9.2-1.el6
Complete!
Configuring the host inventory file
[root@localhost ~]# vim /etc/ansible/hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
[real server]
172.16.11.101
172.16.11.102
The above makes 172.16.11.101 and 172.16.11.102 hosts managed by ansible.
Alternatively, ansible -i PATH / --inventory=PATH specifies the path of the host inventory file to use.
Key-based authentication
# the host running ansible
[root@localhost .ssh]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
35:e3:89:d5:d8:94:99:96:c4:6b:a1:b7:e6:64:fa:9b root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|       oo=       |
|       =O        |
|      *ooo       |
|     =.++        |
|    S oo .       |
|     =           |
|    *            |
|   . ..          |
|    .E.          |
+-----------------+

# managed host
[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.11.101
The authenticity of host '172.16.11.101 (172.16.11.101)' can't be established.
RSA key fingerprint is 7c:83:16:24:34:09:db:58:a5:31:32:1b:c9:25:07:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.101' (RSA) to the list of known hosts.
root@172.16.11.101's password:
Now try logging into the machine, with "ssh 'root@172.16.11.101'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

# an authorized_keys file now exists in the managed host's .ssh directory, so it worked
[root@husa .ssh]# cd
[root@husa ~]# ls ~/.ssh/
authorized_keys

# copy the public key of the ansible host to RS2 the same way
[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.16.11.102
The authenticity of host '172.16.11.102 (172.16.11.102)' can't be established.
RSA key fingerprint is fe:1e:4a:0d:c9:d1:67:91:57:1f:01:2c:ea:c1:b3:69.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.11.102' (RSA) to the list of known hosts.
root@172.16.11.102's password:
Now try logging into the machine, with "ssh 'root@172.16.11.102'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Simple use of ansible
[root@localhost .ssh]# ansible-doc -s ping
- name: Try to connect to host and return
  action: ping

[root@localhost .ssh]# ansible all -m ping
172.16.11.101 | success >> {
    "changed": false,
    "ping": "pong"
}

172.16.11.102 | success >> {
    "changed": false,
    "ping": "pong"
}

# the group name works as well
[root@localhost .ssh]# ansible real\ server -m ping
172.16.11.101 | success >> {
    "changed": false,
    "ping": "pong"
}

172.16.11.102 | success >> {
    "changed": false,
    "ping": "pong"
}

# packet capture on the RS while the ping module runs (no ICMP echo from the ansible host appears)
[root@husa ~]# tcpdump -i eno16777728 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777728, link-type EN10MB (Ethernet), capture size 65535 bytes
06:58:04.918637 IP 172.16.250.90 > 172.16.250.35: ICMP redirect 172.16.11.207 to net 172.16.11.207, length 144
06:58:05.941705 IP 172.16.250.90 > 172.16.250.35: ICMP redirect 172.16.11.207 to net 172.16.11.207, length 144
06:58:07.062513 IP 172.16.250.90 > 172.16.250.35: ICMP redirect 172.16.11.207 to net 172.16.11.207, length 144
06:58:09.036487 IP 172.16.250.90 > 172.16.250.35: ICMP redirect 172.16.11.207 to net 172.16.11.207, length 48
Use ansible-doc -s to view a module's usage, and ansible hosts -m module -a to send commands.