2022-11-06
Automation operations tool: Ansible
I. Installing and deploying Ansible
1. Automation scenarios
   Files: copying files, editing files, changing file permissions, etc.
   Commands: deploying, packaging, unpacking, starting and stopping services, etc.
2. Choosing an automation tool: in an enterprise with many hosts choose SaltStack, with few hosts choose Ansible, with a very large number of hosts use Puppet
3. Ansible features: modular, agentless, Paramiko, PyYAML, Jinja2, playbooks, idempotency (a run can be repeated safely), roles (a collection of several playbooks)
4. Ansible architecture: host inventory (records the hosts Ansible controls), single commands (modules), scripts (playbooks, i.e. combinations of modules), the SSH protocol
5. How Ansible works: the control side can be a script, a command, a public or private cloud, or a CMDB; it has an API and supports secondary development
6. Python version: preferably 2.6 or above
7. Disable SELinux
8. Installation methods: yum (configure EPEL first), compile from source, git, pip
   ansible --version
   yum info ansible
9. Ansible website: https://ansible.com/
10. Locate the files installed by Ansible: rpm -ql ansible | less
   /etc/ansible/ansible.cfg  # main configuration file
   #inventory = /etc/ansible/hosts
   #library = /usr/share/my_modules/
   #module_utils = /usr/share/my_module_utils/
   #remote_tmp = ~/.ansible/tmp  # the .py module files are generated in this directory on the remote host and executed there (see "how a run proceeds")
   #local_tmp = ~/.ansible/tmp  # the .py module files are generated in this directory on the control node
   #plugin_filters_cfg = /etc/ansible/plugin_filters.yml
   #forks = 5
   #poll_interval = 15
   #sudo_user = root
   #ask_sudo_pass = True
   #ask_pass = True
   #transport = smart
   #remote_port = 22
   #host_key_checking = False  # checks the target server's SSH host key; the post recommends uncommenting this (which disables the check and the interactive prompt); note that a disabled check no longer detects a changed or spoofed host key, so pre-populating known_hosts is the safer way to avoid the prompt
   #log_path = /var/log/ansible.log  # log written by runs
   #module_lang = C
   #module_set_locale = False
   /etc/ansible/hosts  # host inventory file
   /etc/ansible/roles  # directory where roles are stored
11. Ansible program locations
   /usr/bin/ansible  # main program, tool for ad-hoc commands
   /usr/bin/ansible-doc  # documentation lookup, tool for inspecting module functions
   /usr/bin/ansible-galaxy  # official platform for community role code
   /usr/bin/ansible-playbook  # runs playbook scripts, like bash for shell scripts
   /usr/bin/ansible-vault  # file encryption tool
   /usr/bin/ansible-console  # interactive tool
II. Testing Ansible
Control node IP: 192.168.1.11
[root@k8smaster ~]# ansible 192.168.1.10 -m ping
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: 192.168.1.10
[root@k8smaster ~]# ansible 192.168.1.10 -m ping
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:8zRrAAjC1v1zWPwicojjXvaHRubZJsdp/WEE7RUun/I.
ECDSA key fingerprint is MD5:3d:6c:17:60:3f:26:d6:9a:5b:03:a5:ef:a0:b7:7c:0c.
Are you sure you want to continue connecting (yes/no)? yes
192.168.1.10 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.1.10' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
[root@k8smaster ~]# ansible 192.168.1.10 -m ping -k
SSH password:
192.168.1.10 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
[root@k8smaster ~]# ansible all -m ping  # all means every host in the inventory
Hosts can be grouped in vi /etc/ansible/hosts:
[web]
192.168.1.10
192.168.1.136
[root@k8smaster ~]# ansible web -m ping -k
SSH password:
192.168.1.136 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.1.10 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
Several consecutive hosts can be written with the following range syntax:
[web]
192.168.1.10[1:3]
III. Common Ansible commands
1. ansible-doc [options] [module]
   -l  # list the available modules
   -s  # show the playbook snippet for the given module
   Examples:
   ansible-doc copy  # usage of the copy module, and the path of the .py file that implements it
   ansible-doc -l  # list the available modules
   ansible-doc -l | wc -l  # count the modules
   ansible-doc -l | grep <module name>  # filter for a specific module
2. ansible
   ansible --version
   ansible [host-list] -m [module]  # [host-list] takes several forms: all, a group name, wildcards such as 192.168.1.*
   ansible web:db -m ping  # web and db are group names; regular expressions are also supported: ansible '~(w|d)*' -m ping
   ansible all --list-hosts
   ansible [host-list] -m ping -k
   ansible [host-list] -m ping -u [user] -k
   ansible [host-list] -m command -u long -k -a 'ls /root' -b -K  # the hosts need sudo rights configured for user long; -m selects the module, -u the user, -k prompts for long's password, -a gives the module arguments, -b escalates to root, -K prompts for the escalation password
   visudo  # add the line below, after which the -K password can be omitted: ansible [host-list] -m command -u long -k -a 'ls /root' -b
   long ALL=(ALL) NOPASSWD: ALL
3. ansible-playbook
4. ansible-vault
   ansible-vault encrypt hello.yml  # encrypt; afterwards the contents of hello.yml cannot be read and ansible-playbook cannot run it
   ansible-vault view hello.yml  # view an encrypted file
   ansible-vault edit hello.yml  # edit an encrypted file
   ansible-vault rekey hello.yml  # change the vault password
   ansible-vault create long.yml  # create a new playbook file
   ansible-vault decrypt hello.yml  # decrypt
5. ansible-console
   [root@k8smaster ~]# ansible-console
   Welcome to the ansible console.
   Type help or ? to list commands.

   root@all (2)[f:5]$ list  # f is the number of forks (concurrency), set with forks; list shows the inventory hosts
   192.168.1.150
   192.168.1.136
   root@all (2)[f:5]$ cd web  # switch to a group
   root@web (1)[f:5]$ list
   192.168.1.150
   root@web (1)[f:5]$
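The inventory syntax used in sections II and III (groups, the 192.168.1.10[1:3] range form, per-host key=value variables, [group:vars] sections) and the host patterns all, a group name, web:db and 192.168.1.* can be reproduced with a small standard-library parser. The code below is an added example written for this page; it is not code from the post or from Ansible, and the inventory text it parses is constructed for the demonstration.

```python
"""Parse an INI-style Ansible inventory and resolve host patterns (added example)."""
import fnmatch
import re

# Constructed sample inventory in the same style as the post's /etc/ansible/hosts.
SAMPLE_INVENTORY = """\
[web]
192.168.1.10[1:3]
192.168.1.136 http_port=8080   # per-host variable

[db]
192.168.1.150

[db:vars]
node1=www
after=com
"""

RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")


def expand_range(host):
    """Expand 192.168.1.10[1:3] into 192.168.1.101, 192.168.1.102, 192.168.1.103."""
    m = RANGE_RE.search(host)
    if not m:
        return [host]
    lo, hi = int(m.group(1)), int(m.group(2))
    width = len(m.group(1))  # keep leading zeros, e.g. node[01:03]
    return [host[:m.start()] + str(n).zfill(width) + host[m.end():] for n in range(lo, hi + 1)]


def parse_inventory(text):
    """Return ({group: [hosts]}, {host: {var: value}}, {group: {var: value}})."""
    groups, host_vars, group_vars = {}, {}, {}
    section, kind = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.endswith(":vars"):
                section, kind = name[:-5], "vars"
                group_vars.setdefault(section, {})
            else:
                section, kind = name, "hosts"
                groups.setdefault(section, [])
            continue
        if kind == "vars":
            key, _, value = line.partition("=")
            group_vars[section][key.strip()] = value.strip()
            continue
        parts = line.split()
        for host in expand_range(parts[0]):
            groups.setdefault(section or "ungrouped", []).append(host)
            hv = host_vars.setdefault(host, {})
            for kv in parts[1:]:  # trailing key=value pairs on the host line
                key, _, value = kv.partition("=")
                hv[key] = value
    return groups, host_vars, group_vars


def resolve_pattern(pattern, groups):
    """Resolve a pattern the way `ansible <pattern> --list-hosts` does:
    'all', a group name, 'web:db' (union of groups) or a wildcard like 192.168.1.*."""
    all_hosts = []
    for hosts in groups.values():
        for h in hosts:
            if h not in all_hosts:
                all_hosts.append(h)
    matched = []
    for part in pattern.split(":"):
        if part == "all":
            candidates = all_hosts
        elif part in groups:
            candidates = groups[part]
        else:
            candidates = fnmatch.filter(all_hosts, part)
        for h in candidates:
            if h not in matched:
                matched.append(h)
    return matched


def effective_vars(host, groups, host_vars, group_vars):
    """Merge [group:vars] values with the host line's own key=value pairs;
    the host line wins, which is the host-variable > group-variable order."""
    merged = {}
    for group, hosts in groups.items():
        if host in hosts:
            merged.update(group_vars.get(group, {}))
    merged.update(host_vars.get(host, {}))
    return merged


if __name__ == "__main__":
    g, hv, gv = parse_inventory(SAMPLE_INVENTORY)
    print(resolve_pattern("web:db", g))
    print(effective_vars("192.168.1.150", g, hv, gv))
```

Running the module prints the five hosts that `ansible web:db --list-hosts` would list for this inventory and the two group variables inherited by 192.168.1.150. Real Ansible also supports regex patterns (the `~(w|d)*` form shown above) and exclusion/intersection operators, which this parser leaves out.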
IV. SSH mutual trust between hosts
k8smaster local IP: 192.168.1.11
[root@k8smaster ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vDz2Uvh0Ex8u8loEQlGVMewvcxeZ+Kanbq/GTqFC+Uc root@k8smaster
The key's randomart image is:
+---[RSA 2048]----+
|      oo.o+o     |
|      . o.       |
|     . ..  .   o|
|    . ...o..+    |
|     S+ .E...    |
|    .o.=.O *o.   |
|     == *oOo.    |
|    ..oo.+= .    |
|     .o.===.     |
+----[SHA256]-----+
[root@k8smaster ~]# ssh-copy-id [target host-list]
V. How an Ansible run proceeds
Executing host IP: 192.168.1.11
ansible 192.168.1.10 -m command -a "sleep 10"  # used as the example
1. Load the configuration file /etc/ansible/ansible.cfg, find the inventory /etc/ansible/hosts, and look up the entry for 192.168.1.10 in it
2. Load the file of the requested module, e.g. command
3. Generate a temporary .py file under /root/.ansible/tmp/ on 192.168.1.11 and transfer it to $HOME/.ansible/tmp/ansible-tmp-<number>/xxx.py on each target host from the inventory
4. Make the file executable
   [root@k8smaster ansible-local-26482QnGOkt]# ansible 192.168.1.10 -m ping -vvv | grep chmod
   <192.168.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/0b3ee26c83 192.168.1.10 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1630814768.24-64225-99241869112466/ /root/.ansible/tmp/ansible-tmp-1630814768.24-64225-99241869112466/AnsiballZ_ping.py && sleep 0'"'"''
5. Execute it and return the result
6. Delete the temporary .py file
   [root@k8smaster ansible-local-26482QnGOkt]# ansible 192.168.1.10 -m ping -vvv | grep 'rm -f'
   <192.168.1.10> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/0b3ee26c83 192.168.1.10 '/bin/sh -c '"'"'rm -f -r /root/.ansible/tmp/ansible-tmp-1630814908.5-65291-88746242805616/ > /dev/null 2>&1 && sleep 0'"'"''
The temporary .py file generated under /root/.ansible/tmp/ on 192.168.1.11: see below
Execution status:
1. Green: the run succeeded and no change was needed
2. Yellow: the run succeeded and changed the target host
3. Red: the run failed
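The six steps above can be walked through locally, without SSH, to see what the temp directory, the chmod u+x, the `/bin/sh -c '... && sleep 0'` invocation and the final rm -f -r amount to. The following is an added example written for this page, not Ansible's own code: the module payload is a constructed stand-in for AnsiballZ_ping.py that merely prints a JSON result, and classify() maps a result to the green/yellow/red status colours listed above.

```python
"""Local simulation of the per-run temp-directory lifecycle (added example)."""
import json
import os
import random
import shlex
import shutil
import stat
import subprocess
import sys
import tempfile
import time

# Constructed stand-in for the AnsiballZ_ping.py payload: like a real module it
# reports its result as one JSON document on stdout.
PING_MODULE = """\
import json
print(json.dumps({"changed": False, "ping": "pong"}))
"""


def make_tmp_dir(base):
    """Create ansible-tmp-<timestamp>-<pid>-<random> under base (the remote_tmp role)."""
    name = "ansible-tmp-%.2f-%d-%d" % (time.time(), os.getpid(), random.randint(0, 10**14))
    path = os.path.join(base, name)
    os.makedirs(path, mode=0o700)  # owner-only, as ansible's `umask 77 && mkdir -p` gives
    return path


def run_module(base, module_source):
    """Write, chmod u+x, execute and clean up one module; return the parsed result."""
    tmp_dir = make_tmp_dir(base)
    module_path = os.path.join(tmp_dir, "AnsiballZ_ping.py")
    try:
        with open(module_path, "w") as f:
            f.write(module_source)
        # step 4: chmod u+x <tmp dir> <module file>
        for p in (tmp_dir, module_path):
            os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
        # step 5: run it the way the -vvv output shows, via /bin/sh -c '... && sleep 0'
        cmd = "%s %s && sleep 0" % (shlex.quote(sys.executable), shlex.quote(module_path))
        proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
        if proc.returncode != 0:
            result = {"failed": True, "msg": proc.stderr.strip()}
        else:
            result = json.loads(proc.stdout)
    finally:
        # step 6: rm -f -r <tmp dir>, even when the module failed
        shutil.rmtree(tmp_dir, ignore_errors=True)
    result["tmp_dir_removed"] = not os.path.exists(tmp_dir)
    return result


def classify(result):
    """Colour a result the way ansible prints it: red, yellow or green."""
    if result.get("failed") or result.get("unreachable"):
        return "red"
    return "yellow" if result.get("changed") else "green"


def ping_locally():
    """Run the constructed ping module through the full lifecycle in a scratch directory."""
    base = tempfile.mkdtemp(prefix="local_tmp_")  # stands in for ~/.ansible/tmp
    try:
        return run_module(base, PING_MODULE)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    res = ping_locally()
    print(classify(res), json.dumps(res))
```

The temp directory is created owner-only and removed in a finally block, which is why a module that crashes on the target does not leave its payload behind; the `tmp_dir_removed` flag in the returned result makes that visible.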
VI. Common Ansible modules
--limit  # restrict execution to specific hosts
1. command  # does not support special characters such as $ > | &
   ansible 192.168.1.150 -a 'df -TH'  # command is the default module
2. shell
   ansible 192.168.1.150 -m shell -a "echo long >/root/long.txt"
   ansible 192.168.1.150 -m shell -a "ps -ef | grep ssh"
   ansible 192.168.1.150 -a 'useradd jin'
   ansible 192.168.1.150 -m shell -a './2.sh'  # the script is on the remote host
   ansible all -m shell -a 'tar -zcvf log.tar.gz /root/*.log'
   ansible all -m shell -a 'rm -f /root/f3/*'
3. script
   ansible 192.168.1.150 -m script -a " /root/2.sh"  # the script is on the control node
4. copy
   ansible 192.168.1.150 -m copy -a 'src=/root/2.sh dest=/root/ backup=yes'  # backup backs up a same-named file on the managed host before copying
   ansible 192.168.1.150 -m copy -a 'src=/root/2.sh dest=/root/ backup=yes mode=777 owner=jin'  # the owner must exist on the managed host, otherwise an error is reported
   ansible 192.168.1.150 -m copy -a 'content="hello\nlong" dest=/root/f2'  # custom content
   [root@k8smaster ~]# ansible-doc copy
   > COPY (/usr/lib/python2.7/site-packages/ansible/modules/files/copy.py)  # shows the Python source file of the copy module
5. fetch  # fetch files from remote hosts, e.g. remote log files
   ansible all -m fetch -a 'src=/var/log/messages dest=/data'
6. file
   ansible all -m file -a 'path=/root/f3 state=touch'  # create a file
   ansible all -m file -a 'path=/root/f3 state=absent'  # delete a file
   ansible all -m file -a 'path=/root/f3 state=directory'  # create a directory
   ansible all -m file -a 'path=/root/f3 state=absent'  # delete a directory
   ansible all -m file -a 'src=/etc/fstab name=/etc/fstab.link state=link'  # create a symlink [name, path and dest are aliases]
   ansible all -m file -a 'name=/etc/fstab.link state=absent'  # delete a symlink
7. hostname
   ansible web -m hostname -a 'name=k8snode'  # does not take effect immediately
8. cron
   ansible web -m cron -a 'minute=* job="/usr/bin/wall i love you" name=wangjinlong'  # create a cron job
   ansible web -m cron -a 'minute=* job="rm -rf /root/f3" name=lb'  # create a cron job
   ansible web -m cron -a 'disabled=true/yes job="/usr/bin/wall i love you" name=wangjinlong'  # comment the job out rather than deleting it; name is required
   ansible web -m cron -a 'disabled=false/no job="/usr/bin/wall i love you" name=wangjinlong'  # uncomment it; name is required
   ansible web -m cron -a 'job="/usr/bin/wall i love you" name=wangjinlong state=absent'  # delete a cron job
9. yum
   ansible db -m yum -a 'name=lrzsz'  # requires a yum repository on the target host; to install several packages, separate the names with commas
   ansible db -m yum -a "list=installed" | grep lrzsz  # check that lrzsz is installed
   ansible db -m yum -a 'name=lrzsz state=absent'  # remove lrzsz
   ansible db -m shell -a 'rpm -q lrzsz'  # check whether it was removed
   If the rpm package was downloaded from the internet, first push it to the managed host with copy, then install it with yum:
   ansible all -m yum -a 'name=/root/lrzsz.x86_64.0.12.20-36.el7.x86_64.rpm disable_gpg_check=yes'  # skip the gpgcheck
   ansible 192.168.1.136 -m yum -a 'name=dstat update_cache=yes'  # update_cache=yes is equivalent to yum makecache
10. service
   ansible db -m service -a 'name=vsftpd state=started enabled=yes'  # systemctl is-enabled vsftpd shows whether it starts at boot
   # state=started, restarted, reloaded or stopped; enabled=false/no or yes/true
11. user
   ansible db -m user -a "name=nginx shell=/sbin/nologin system=yes home=/var/nginx groups=root,bin uid=80"
   ansible db -m user -a "name=nginx state=absent remove=yes"
   ansible db -a "getent passwd nginx"
12. group
   ansible db -m group -a 'name=nginx system=yes gid=80'
   ansible db -m group -a 'name=nginx state=absent'
13.
VII. Ansible playbooks
Chinese documentation: produced by the MaGe team (a reference for writing playbooks)
ansible-playbook -C hello.yml  # dry run (check mode)
--limit  # restrict the hosts the run applies to
---  # test yaml; do not mix tabs and spaces in the indentation
- hosts: db
  remote_user: root
  tasks:
    - name: hello
      command: 'df -TH'
      ignore_errors: True  # keep going even if this task fails

Scenario 1: the playbook updates a configuration file, but the playbook has already been run before, so the service is not restarted and the change does not take effect. Use handlers together with notify as the trigger.

Scenario 2: for scenario 1, install the package, modify the configuration file and restart the application
vi http.yml
---
- hosts: db
  gather_facts: false  # if the fact data of the managed host is not needed, fact gathering can be switched off
  remote_user: root
  tasks:
    - name: install http
      yum: name=httpd
    - name: copy config
      copy: src=/root/dest=/etc/ backup=yes
      notify:
        - restart service
        - check start
    - name: start service
      service: name=state=started
  handlers:
    - name: restart service
      service: name=state=restarted
    - name: check start
      shell: kill -9 nginx >/tmp/nginx.log

Scenario 3: run only one particular step
ansible-playbook -t start  # start is a tag defined in the yml; a specific step such as restarting a service can be run by its tag; several tags are separated by commas, and several actions may share one tag
---
- hosts: db
  gather_facts: false
  remote_user: root
  tasks:
    - name: install http
      yum: name=httpd
      tags: install
    - name: copy config
      copy: src=/root/dest=/etc/ backup=yes
      notify: restart service
    - name: start service
      service: name=state=started
      tags: start
  handlers:
    - name: restart service
      service: name=state=restarted
List the tags:
[root@k8smaster ~]# ansible-playbook --list-tags
playbook: http.yml

  play #1 (db): db    TAGS: []
      TASK TAGS: [install, start]

Scenario 4: variables (referencing variables and making decisions)
1. Built-in variables
   ansible db -m setup | grep fqdn  # setup collects the system variables (facts)
   ansible db -m setup -a 'filter=ansible_fqdn'
   ansible db -m setup -a 'filter=*address*'
2. Custom variables in the playbook
   ansible-playbook -e 'install_name=  # several variables can be written inside install_name=..., separated by commas; these are variables passed in from outside
   ---
   - hosts: db
     gather_facts: false
     remote_user: root
     tasks:
       - name: install package
         yum: name={{ install_name }}
         tags: install
   #   - name: copy config
   #     copy: src=/root/dest=/etc/ backup=yes
   #     notify: restart service
   #   - name: start service
   #     service: name={{ ser_name }} state=started
   #     tags: start
   # handlers:
   #   - name: restart service
   #     service: name=state=restarted
   ansible-playbook
   ---
   - hosts: db
     gather_facts: false
     remote_user: root
     vars:  # variables defined inside the playbook
       - install_name: httpd
     tasks:
       - name: install package
         yum: name={{ install_name }}
         tags: install
   #   - name: copy config
   #     copy: src=/root/dest=/etc/ backup=yes
   #     notify: restart service
   #   - name: start service
   #     service: name={{ ser_name }} state=started
   #     tags: start
   # handlers:
   #   - name: restart service
   #     service: name=state=restarted
3. Variables defined in the inventory
   vi /etc/ansible/hosts
   [db]
   192.168.1.136 =long  # single-host variable
   ansible-playbook hostname.yml
   ---
   - hosts: db
     remote_user: root
     tasks:
       - name: set hostname
         hostname: name={{ }}.com
   tail -n 10 /etc/ansible/hosts
   192.168.1.136 http_port=long
   [db]
   192.168.1.136 http_port=long
   [db:vars]  # group-wide variables
   node1=www
   after=com
   vi hostname.yml
   ---
   - hosts: db
     remote_user: root
     tasks:
       - name: set hostname
         hostname: name={{ node1 }}.{{ }}.{{ after }}
   Precedence: variables defined inside the playbook > variables passed on the command line > single-host variables > group-wide variables

Scenario 5: keep the variables in a separate yml file
Custom variables file:
[root@k8smaster ansible]# cat vars.yml
var1: httpd
Install the httpd package:
[root@k8smaster ansible]# cat
---
- hosts: db
  gather_facts: false
  remote_user: root
  vars_files:
    - vars.yml
  tasks:
    - name: install package
      yum: name={{ var1 }}
      tags: install

Scenario 6: using template
View the built-in variables:
[root@k8smaster ansible]# ansible db -m setup | grep "process"
        "ansible_processor": [
        "ansible_processor_cores": 4,
        "ansible_processor_count": 1,
        "ansible_processor_threads_per_core": 1,
        "ansible_processor_vcpus": 4,  # number of CPUs
The nginx configuration file:
[root@k8smaster ansible]# cat nginx.conf.j2
user nginx;
worker_processes {{ ansible_processor_vcpus }};  # the setup fact is used directly in nginx's configuration
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
Edit the template playbook:
vi template.yml
---
- hosts: db
  remote_user: root
  tasks:
    - name: copy template
      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf  # copies the local file to the target host, rendering different values from the built-in system variables
    - name: start service
      service: name=nginx state=started

Scenario 7: using when
[root@k8smaster ansible]# vi template.yml
---
- hosts: db
  remote_user: root
  tasks:
    - name: copy template
      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
      when: ansible_distribution_major_version == "7"
      notify: restart service
    - name: copy template
      template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf
      when: ansible_distribution_major_version == "6"
      notify: restart service
    - name: start service
      service: name=nginx state=started
  handlers:
    - name: restart service
      service: name=nginx state=restarted

Scenario 8: iterating with with_items
vi testitem.yml
---
- hosts: db
  remote_user: root
  tasks:
    - name: create more file
      file: name=/data/{{ item }} state=touch
      with_items:
        - file1
        - file2
    - name: install more package
      yum: name={{ item }}
      with_items:
        - httpd
        - lrzsz
        - vsftpd
vi user.yml
---
- hosts: db
  remote_user: root
  tasks:
    - name: create group
      group: name={{ item }}
      with_items:
        - g1
        - g2
    - name: create user
      user: name={{ item.name }} group={{ item.group }}
      with_items:
        - { name: 'user1', group: 'g1' }
        - { name: 'user2', group: 'g2' }

Scenario 9: using for loops
[root@k8smaster ansible]# cat for1.conf.j2
{% for port in ports %}
server {
    listen {{ port }}
}
{% endfor %}
[root@k8smaster ansible]# cat for.yml
---
- hosts: db
  remote_user: root
  vars:
    ports:  # list form
      - 81
      - 82
  tasks:
    - name: copy file
      template: src=for1.conf.j2 dest=/data/for1.conf
[root@k8smaster ansible]# cat for1.conf.j2
{% for port in ports %}
server {
    listen {{ port.listen_port }}
}
{% endfor %}
[root@k8smaster ansible]# cat for.yml
---
- hosts: db
  remote_user: root
  vars:
    ports:  # dictionary form
      - listen_port: 81
      - listen_port: 82
  tasks:
    - name: copy file
      template: src=for1.conf.j2 dest=/data/for1.conf
[root@k8smaster ansible]# cat for1.conf.j2
{% for name, p in ports.items() %}
server {
    listen {{ p.port }}
    servername {{ p.name }}
    documentroot {{ p.rootdir }}
}
{% endfor %}
[root@k8smaster ansible]# cat for.yml
---
- hosts: db
  remote_user: root
  vars:
    ports:  # dictionary form, keyed by site name; as a list of one-key mappings, p.port would not resolve
      web1:
        port: 80
        name: long0
        rootdir: /data/website1
      web2:
        port: 81
        name: long1
        rootdir: /data/website2
  tasks:
    - name: copy file
      template: src=for1.conf.j2 dest=/data/for1.conf
[root@k8smaster ansible]# cat for1.conf.j2
{% for name, p in ports.items() %}
server {
    listen {{ p.port }}
    {% if p.name is defined %}
    servername {{ p.name }}
    {% endif %}
    documentroot {{ p.rootdir }}
}
{% endfor %}
[root@k8smaster ansible]# cat for.yml
---
- hosts: db
  remote_user: root
  vars:
    ports:  # dictionary form, keyed by site name
      web1:
        port: 80
        name: long0
        rootdir: /data/website1
      web2:
        port: 81
        name: long1
        rootdir: /data/website2
  tasks:
    - name: copy file
      template: src=for1.conf.j2 dest=/data/for1.conf

Scenario 10: using roles
Plan: create the following directory structure
[root@k8smaster ansible]# tree
.
├── playbook.yml  # create nginx_roles.yml in the same directory as roles
└── roles
    ├── http
    │   ├── handlers
    │   ├── tasks
    │   └── template
    └── nginx
        ├── files
        ├── handlers
        ├── tasks  # group.yml user.yml yum.yml template.yml start.yml main.yml
        ├── template
        └── vars
[root@k8smaster ansible]# ansible-playbook -C nginx_roles.yml

PLAY [db] *********************************************************************

TASK [Gathering Facts] ********************************************************
ok: [192.168.1.136]

TASK [nginx : create group] ***************************************************
changed: [192.168.1.136]

TASK [nginx : create user] ****************************************************
changed: [192.168.1.136]

TASK [nginx : install package] ************************************************
changed: [192.168.1.136]

TASK [nginx : copy] ***********************************************************
changed: [192.168.1.136]

TASK [nginx : start service] **************************************************
changed: [192.168.1.136]

PLAY RECAP ********************************************************************
192.168.1.136 : ok=6 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
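Two mistakes in the notify/handler and tag mechanics of scenarios 2 and 3 above only show up at run time: a notify that names a handler which does not exist fails the play, and a task without the tag given to -t is silently skipped. The following added example, written for this page and not taken from the post or from Ansible, performs those checks statically. A YAML parser is not in the Python standard library, so the play is the already-parsed form of a playbook modelled on the post's http.yml, written as a constructed Python literal (the copy paths and the service name in it are constructed, not the post's values); list_tags() reproduces what `ansible-playbook --list-tags` prints.

```python
"""Static notify/handler and tag checks for a parsed play (added example)."""

# Constructed: the post's http.yml with tags, as it would look after YAML parsing.
# The "check start" handler is deliberately left out to show the check firing.
HTTP_PLAY = {
    "hosts": "db",
    "gather_facts": False,
    "remote_user": "root",
    "tasks": [
        {"name": "install http", "yum": "name=httpd", "tags": "install"},
        {"name": "copy config",
         "copy": "src=/root/httpd.conf dest=/etc/httpd/conf/ backup=yes",  # constructed paths
         "notify": ["restart service", "check start"]},
        {"name": "start service", "service": "name=httpd state=started",
         "tags": ["start", "web"]},
    ],
    "handlers": [
        {"name": "restart service", "service": "name=httpd state=restarted"},
    ],
}


def _as_list(value):
    """notify and tags accept a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def check_notify(play):
    """Return the notify targets that name no handler in this play (run-time error otherwise)."""
    handler_names = {h.get("name") for h in play.get("handlers", [])}
    missing = []
    for task in play.get("tasks", []):
        for target in _as_list(task.get("notify")):
            if target not in handler_names and target not in missing:
                missing.append(target)
    return missing


def list_tags(play):
    """(play-level tags, task-level tags) in first-seen order, like --list-tags."""
    play_tags = _as_list(play.get("tags"))
    task_tags = []
    for task in play.get("tasks", []):
        for tag in _as_list(task.get("tags")):
            if tag not in task_tags:
                task_tags.append(tag)
    return play_tags, task_tags


def select_tasks(play, wanted):
    """Names of the tasks `ansible-playbook -t a,b` would run: those carrying any wanted tag.
    Untagged tasks are skipped, which is the behaviour the post relies on in scenario 3."""
    wanted = set(wanted.split(",")) if isinstance(wanted, str) else set(wanted)
    return [t["name"] for t in play.get("tasks", []) if wanted & set(_as_list(t.get("tags")))]


if __name__ == "__main__":
    print("missing handlers:", check_notify(HTTP_PLAY))
    print("tags:", list_tags(HTTP_PLAY))
    print("-t start runs:", select_tasks(HTTP_PLAY, "start"))
```

With PyYAML installed, `yaml.safe_load(open("http.yml"))[0]` yields the same kind of structure for a real playbook and can be passed to these functions directly.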
The contents of nginx_roles.yml, group.yml, user.yml, yum.yml, template.yml, start.yml and main.yml are as follows:
[root@k8smaster ansible]# cat nginx_roles.yml
- hosts: db
  remote_user: root
  roles:
    - role: nginx
    # - { role: ['web','}  # define tags
[root@k8smaster tasks]# cat group.yml
- name: create group
  group: name=nginx gid=80
[root@k8smaster tasks]# cat main.yml
- include: group.yml
- include: user.yml
- include: yum.yml
- include: template.yml
- include: start.yml
- include: /roles/  # call tasks from another role
[root@k8smaster tasks]# cat start.yml
- name: start service
  service: name=nginx state=started
[root@k8smaster tasks]# cat template.yml
- name: copy
  template: src=/root/ansible/roles/nginx/template/nginx.conf.j2 dest=/etc/nginx/nginx.conf
[root@k8smaster tasks]# cat user.yml
- name: create user
  user: name=nginx uid=80 group=nginx system=yes shell=/sbin/nologin
[root@k8smaster tasks]# cat yum.yml
- name: install package
  yum: name=nginx-1.18.0-1.el7.ngx.x86_64.rpm
[root@k8smaster template]# pwd
/root/ansible/roles/nginx/template
[root@k8smaster template]# ll
总用量 4
-rw-r--r-- 1 root root 730 9月 7 23:34 nginx.conf.j2
cat nginx.conf.j2
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
{
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$' '"$"$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    # include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name localhost;
    }
}
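The role layout of scenario 10, with its tasks/main.yml that strings the task files together through include lines, can be generated and then checked for includes that point nowhere (such as the cross-role include at the end of main.yml above). The code below is an added example written for this page; it is neither the post's code nor ansible-galaxy. It follows the post's directory set but uses the standard name templates rather than the post's template, and the dangling include path in demo() is constructed.

```python
"""Create a role skeleton and verify the includes in tasks/main.yml (added example)."""
import os
import re
import shutil
import tempfile

ROLE_DIRS = ("files", "handlers", "tasks", "templates", "vars")
# Matches "- include: x", "- include_tasks: x" and "- import_tasks: x" lines.
INCLUDE_RE = re.compile(r"^\s*-\s*(?:include|include_tasks|import_tasks):\s*(\S+)")


def create_role(base, name, task_files, extra_includes=()):
    """Create roles/<name>/ with the standard subdirectories, one placeholder
    task file per entry of task_files, and a tasks/main.yml that includes them
    in order followed by any extra_includes (e.g. a path into another role)."""
    role_dir = os.path.join(base, "roles", name)
    for sub in ROLE_DIRS:
        os.makedirs(os.path.join(role_dir, sub), exist_ok=True)
    tasks_dir = os.path.join(role_dir, "tasks")
    for task_file in task_files:
        label = os.path.splitext(task_file)[0]
        with open(os.path.join(tasks_dir, task_file), "w") as f:
            f.write("- name: %s\n  debug:\n    msg: %s\n" % (label, label))
    with open(os.path.join(tasks_dir, "main.yml"), "w") as f:
        for inc in list(task_files) + list(extra_includes):
            f.write("- include: %s\n" % inc)
    return role_dir


def resolve_includes(role_dir):
    """Read tasks/main.yml and split its include targets into (found, missing).
    Relative targets resolve against the tasks/ directory, as ansible does."""
    tasks_dir = os.path.join(role_dir, "tasks")
    found, missing = [], []
    with open(os.path.join(tasks_dir, "main.yml")) as f:
        for line in f:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            target = m.group(1)
            path = target if os.path.isabs(target) else os.path.join(tasks_dir, target)
            (found if os.path.isfile(path) else missing).append(target)
    return found, missing


def demo():
    """Build the post's nginx role in a scratch directory and check its includes."""
    base = tempfile.mkdtemp(prefix="roles_demo_")
    try:
        task_files = ["group.yml", "user.yml", "yum.yml", "template.yml", "start.yml"]
        # constructed: an include into another role that has not been created
        role = create_role(base, "nginx", task_files,
                           extra_includes=["/roles/http/tasks/main.yml"])
        found, missing = resolve_includes(role)
        return {"dirs": sorted(os.listdir(role)), "found": found, "missing": missing}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Running demo() reports the five task files as found and the cross-role path as missing, which is the kind of error ansible-playbook would otherwise raise only when it reaches that include.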