IT自動(dòng)化工具Ansible基礎(chǔ)入門
一、基礎(chǔ)入門
未來主體是傳統(tǒng)行業(yè)利用互聯(lián)網(wǎng)技術(shù),以云端用人工智能的方式處理大數(shù)據(jù)。從早期的All In One(所有應(yīng)用部署在一臺(tái)機(jī)器上)的簡單應(yīng)用,到后期集群、高可用、緩存、消息隊(duì)列、配置中心、主從分離、負(fù)載均衡、大數(shù)據(jù)存儲(chǔ)等尖端技術(shù)的復(fù)雜應(yīng)用,對(duì)運(yùn)維的技術(shù)專業(yè)度和綜合度技能要求越來越高,運(yùn)維交付的標(biāo)準(zhǔn)不再是以天為單位,而是以分鐘為單位。我們需要一套自動(dòng)化管理工具來幫助運(yùn)維更高質(zhì)量、更有效的完成手頭工作,以證明運(yùn)維能創(chuàng)造的價(jià)值不止于此,生活不止眼前的茍且,還有詩和遠(yuǎn)方。
1.1 定義
運(yùn)維自動(dòng)化目標(biāo):將日常重復(fù)性的工作通過規(guī)則設(shè)定使其遵循預(yù)先既定規(guī)則,在指定的范圍時(shí)間內(nèi)自動(dòng)化運(yùn)行。但整個(gè)過程無需人工參與。
Ansible是幫助運(yùn)維人員實(shí)現(xiàn)自動(dòng)化的最重要的工具之一。
Ansible名字來源于其作者喜歡的一本書《安德的游戲》,該書中Ansible是一種能跨越時(shí)空的即時(shí)通信工具,使用Ansible可以在相距數(shù)光年的距離遠(yuǎn)程實(shí)時(shí)控制前線的艦隊(duì)?wèi)?zhàn)斗。
Ansible是越來越火的一款運(yùn)維自動(dòng)化工具,其主要功能是幫助運(yùn)維實(shí)現(xiàn)IT工作的自動(dòng)化、降低人為操作失誤、提高業(yè)務(wù)自動(dòng)化率、提升運(yùn)維工作效率,常用于軟件部署自動(dòng)化、配置自動(dòng)化、管理自動(dòng)化、系統(tǒng)化開發(fā)任務(wù)、持續(xù)集成、零宕機(jī)平滑升級(jí)等。
Ansible是一款極其簡單的IT自動(dòng)化工具。Ansible操作極其簡單,功能卻非常豐富,其自身內(nèi)置的模塊數(shù)量達(dá)五百多個(gè),主要包括:
系統(tǒng)層:支持Linux、Windows等
虛擬化:VMWare、Docker、Openstack等
商業(yè)化硬件:F5、ASA等
系統(tǒng)應(yīng)用層:Apache、Zabbix、Rabbitmq、SVN、GIT
1.2 為什么選擇Ansible
Ansible基于python開發(fā),運(yùn)維人員開發(fā)門檻低
Ansible內(nèi)置模塊豐富,還有專門為商業(yè)平臺(tái)開發(fā)的功能模塊
去中心化,一個(gè)簡單的操作即可完成管理配置中心的遷移
AgentLess,客戶端無需任何配置,由管理端配置好后即可使用
1.3 工作原理
Ansible沒有客戶端,底層通信依賴于系統(tǒng)軟件,Linux系統(tǒng)基于OpenSSH通信,Windows系統(tǒng)基于Powershell,管理端必須是Linux系統(tǒng),使用者認(rèn)證通過后在管理節(jié)點(diǎn)通過Ansible工具調(diào)用各應(yīng)用模塊將指令推送至管理端執(zhí)行,并在執(zhí)行完畢后自動(dòng)刪除產(chǎn)生的臨時(shí)文件。
Ansible整個(gè)工作流程中大致有三類角色:
使用者:Ansible的使用者來源于多個(gè)維度,第一種方式,CMDB(Configuration Management Database,配置管理數(shù)據(jù)庫)運(yùn)維人員可以結(jié)合CMDB和Ansible,通過CMDB直接下發(fā)指令調(diào)用Ansible工具集完成操作者所希望達(dá)到的目標(biāo);第二種方式是API接口,運(yùn)維人員可以使用通用開發(fā)語言以API接口調(diào)用形式完成相應(yīng)的操作;第三種方式是開發(fā)人員以Ad-Hoc臨時(shí)命令方式完成相應(yīng)操作;第四種是運(yùn)維人員使用提前寫好的playbook完成相應(yīng)的操作。
Ansible工具集:ansible命令是Ansible的核心,ansible命令通過協(xié)調(diào)Inventory(命令執(zhí)行的目標(biāo)對(duì)象配置文件)、API(供第三方應(yīng)用程序調(diào)用的API接口)、M
作用對(duì)象:Ansible的作用對(duì)象,不僅僅是Linux和非Linux操作系統(tǒng)的主機(jī),同樣也可以作用于公有云和私有云的各個(gè)網(wǎng)絡(luò)設(shè)施
再從Ansible工具集來講,Ansible主要有以下幾部分組成:
Ansible Playbook:任務(wù)集,編排定義Ansible任務(wù)集的配置文件,順序依次執(zhí)行,一般為yaml或json文件
Inventory:主機(jī)清單
Modules:Ansible執(zhí)行命令的功能模塊,多數(shù)為內(nèi)置的核心模塊
Plugins:模塊功能的補(bǔ)充,如連接類型插件、循環(huán)插件、變量插件
API:供第三方應(yīng)用程序調(diào)用的應(yīng)用程序接口
Ansible執(zhí)行時(shí),這些組件的調(diào)用關(guān)系如下:
1.4 通信方式
從Ansible 1.3版本開始,默認(rèn)使用OpenSSH通信方式(底層基于SSH協(xié)議,window基于Powershell協(xié)議),支持密碼和SSH認(rèn)證
1.5 安裝
pip安裝方式:
| // 安裝python | |
| yum install python-pip python-devel -y | |
| // 安裝gcc glibc開發(fā)環(huán)境 | |
| yum install gcc glibc-devel zlib-devel rpm-build openssl-devel -y | |
| // 升級(jí)pip | |
| pip install --upgrade pip | |
| // 安裝ansible | |
| pip install ansible -upgrade |
yum安裝方式
| rpm | |
| yum install ansible -y |
安裝完后,查看ansible版本號(hào),如果有正確返回,則表示安裝成功
| [root@192-168-158-100-RedHat-7 ansible]# ansible --version | |
| ansible 2.9.27 | |
| config file = /etc/ansible/ansible.cfg | |
| configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] | |
| ansible python module location = /usr/lib/python2.7/site-packages/ansible | |
| executable location = /usr/bin/ansible | |
| python version = 2.7.5 (default, Nov 14 2023, 1606) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)] |
1.6 目錄結(jié)構(gòu)
使用命令rpm -ql ansible可以查看Ansible的安裝目錄,該輸出較多,但大致可以分為以下幾個(gè)目錄:
配置文件目錄:/etc/ansible/ 用于存放Ansible主機(jī)清單,工具功能配置等。
執(zhí)行文件目錄:/usr/bin/ansible-xxx 用于存放Ansible所有可執(zhí)行文件
庫依賴文件目錄:/usr/lib/PythonX.X/sitepackage/ansible/
help文檔目錄:/usr/share/doc/ansible-xxxx/
1.7 配置文件詳解
Ansible自身配置文件只有一個(gè),默認(rèn)存放于/etc/ansible/ansible.cfg路徑,Ansible命令執(zhí)行時(shí),會(huì)依次從當(dāng)前命令執(zhí)行路徑、當(dāng)前用戶家目錄、默認(rèn)安裝路徑尋找ansible.cfg配置文件,找到哪個(gè)就用哪個(gè)
default 基礎(chǔ)設(shè)置項(xiàng),保持默認(rèn)即可
| [defaults] | |
| # some basic default values... | |
| #inventory = /etc/ansible/hosts # 主機(jī)清單 | |
| #library = /usr/share/my_modules/ # 庫文件地址 | |
| #module_utils = /usr/share/my_module_utils/ | |
| #remote_tmp = ~/.ansible/tmp # 遠(yuǎn)程主機(jī)臨時(shí)文件存放目錄 | |
| #local_tmp = ~/.ansible/tmp # 本地臨時(shí)文件存放目錄 | |
| #plugin_filters_cfg = /etc/ansible/plugin_filters.yml | |
| #forks = 5 # 并發(fā)數(shù) | |
| #poll_interval = 15 | |
| #sudo_user = root | |
| #ask_sudo_pass = True | |
| #ask_pass = True | |
| #transport = smart | |
| #remote_port = 22 | |
| #module_lang = C | |
| #module_set_locale = False | |
| # plays will gather facts by default, which contain information about | |
| # the remote system. | |
| # | |
| # smart - gather by default, but don't regather if already gathered | |
| # implicit - gather by default, turn off with gather_facts: False | |
| # explicit - do not gather by default, must say gather_facts: True | |
| #gathering = implicit | |
| # This only affects the gathering done by a play's gather_facts directive, | |
| # by default gathering retrieves all facts subsets | |
| # all - gather all subsets | |
| # network - gather min and network facts | |
| # hardware - gather hardware facts (longest facts to retrieve) | |
| # virtual - gather min and virtual facts | |
| # facter - import facts from facter | |
| # ohai - import facts from ohai | |
| # You can combine them using comma (ex: network,virtual) | |
| # You can negate them using ! (ex: !hardware,!facter,!ohai) | |
| # A minimal set of facts is always gathered. | |
| #gather_subset = all | |
| # some hardware related facts are collected | |
| # with a maximum timeout of 10 seconds. This | |
| # option lets you increase or decrease that | |
| # timeout to something more suitable for the | |
| # environment. | |
| # gather_timeout = 10 | |
| # Ansible facts are available inside the ansible_facts.* dictionary | |
| # namespace. This setting maintains the behaviour which was the default prior | |
| # to 2.5, duplicating these variables into the main namespace, each with a | |
| # prefix of 'ansible_'. | |
| # This variable is set to True by default for backwards compatibility. It | |
| # will be changed to a default of 'False' in a future release. | |
| # ansible_facts. | |
| # inject_facts_as_vars = True | |
| # additional paths to search for roles in, colon separated | |
| #roles_path = /etc/ansible/roles | |
| # uncomment this to disable SSH key host checking | |
| #host_key_checking = False | |
| # change the default callback, you can only have one 'stdout' type enabled at a time. | |
| #stdout_callback = skippy | |
| ## Ansible ships with some plugins that require whitelisting, | |
| ## this is done to avoid running all of a type by default. | |
| ## These setting lists those that you want enabled for your system. | |
| ## Custom plugins should not need this unless plugin author specifies it. | |
| # enable callback plugins, they can output to stdout but cannot be 'stdout' type. | |
| #callback_whitelist = timer, mail | |
| # Determine whether includes in tasks and handlers are "static" by | |
| # default. As of 2.0, includes are dynamic by default. Setting these | |
| # values to True will make includes behave more like they did in the | |
| # 1.x versions. | |
| #task_includes_static = False | |
| #handler_includes_static = False | |
| # Controls if a missing handler for a notification event is an error or a warning | |
| #error_on_missing_handler = True | |
| # change this for alternative sudo implementations | |
| #sudo_exe = sudo | |
| # What flags to pass to sudo | |
| # WARNING: leaving out the defaults might create unexpected behaviours | |
| #sudo_flags = -H -S -n | |
| # SSH timeout | |
| #timeout = 10 | |
| # default user to use for playbooks if user is not specified | |
| # (/usr/bin/ansible will use current user as default) | |
| #remote_user = root | |
| # logging is off by default unless this path is defined | |
| # if so defined, consider logrotate | |
| #log_path = /var/log/ansible.log | |
| # default module name for /usr/bin/ansible | |
| #module_name = command | |
| # use this shell for commands executed under sudo | |
| # you may need to change this to bin/bash in rare instances | |
| # if sudo is constrained | |
| #executable = /bin/sh | |
| # if inventory variables overlap, does the higher precedence one win | |
| # or are hash values merged together? The default is 'replace' but | |
| # this can also be set to 'merge'. | |
| #hash_behaviour = replace | |
| # by default, variables from roles will be visible in the global variable | |
| # scope. To prevent this, the following option can be enabled, and only | |
| # tasks and handlers within the role will see the variables there | |
| #private_role_vars = yes | |
| # list any Jinja2 extensions to enable here: | |
| #jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n | |
| # if set, always use this private key file for authentication, same as | |
| # if passing --private-key to ansible or ansible-playbook | |
| #private_key_file = /path/to/file | |
| # If set, configures the path to the Vault password file as an alternative to | |
| # specifying --vault-password-file on the command line. | |
| #vault_password_file = /path/to/vault_password_file | |
| # format of string {{ ansible_managed }} available within Jinja2 | |
| # templates indicates to users editing templates files will be replaced. | |
| # replacing {file}, {host} and {uid} and strftime codes with proper values. | |
| #ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} | |
| # {file}, {host}, {uid}, and the timestamp can all interfere with idempotence | |
| # in some situations so the default is a static string: | |
| #ansible_managed = Ansible managed | |
| # by default, ansible-playbook will display "Skipping [host]" if it determines a task | |
| # should not be run on a host. Set this to "False" if you don't want to see these "Skipping" | |
| # messages. NOTE: the task header will still be shown regardless of whether or not the | |
| # task is skipped. | |
| #display_skipped_hosts = True | |
| # by default, if a task in a playbook does not include a name: field then | |
| # ansible-playbook will construct a header that includes the task's action but | |
| # not the task's args. This is a security feature because ansible cannot know | |
| # if the *module* considers an argument to be no_log at the time that the | |
| # header is printed. If your environment doesn't have a problem securing | |
| # stdout from ansible-playbook (or you have manually specified no_log in your | |
| # playbook on all of the tasks where you have secret information) then you can | |
| # safely set this to True to get more informative messages. | |
| #display_args_to_stdout = False | |
| # by default (as of 1.3), Ansible will raise errors when attempting to dereference | |
| # Jinja2 variables that are not set in templates or action lines. Uncomment this line | |
| # to revert the behavior to pre-1.3. | |
| #error_on_undefined_vars = False | |
| # by default (as of 1.6), Ansible may display warnings based on the configuration of the | |
| # system running ansible itself. This may include warnings about 3rd party packages or | |
| # other conditions that should be resolved if possible. | |
| # to disable these warnings, set the following value to False: | |
| #system_warnings = True | |
| # by default (as of 1.4), Ansible may display deprecation warnings for language | |
| # features that should no longer be used and will be removed in future versions. | |
| # to disable these warnings, set the following value to False: | |
| #deprecation_warnings = True | |
| # (as of 1.8), Ansible can optionally warn when usage of the shell and | |
| # command module appear to be simplified by using a default Ansible module | |
| # instead. These warnings can be silenced by adjusting the following | |
| # setting or adding warn=yes or warn=no to the end of the command line | |
| # parameter string. This will for example suggest using the git module | |
| # instead of shelling out to the git command. | |
| # command_warnings = False | |
| # set plugin path directories here, separate with colons | |
| #action_plugins = /usr/share/ansible/plugins/action | |
| #become_plugins = /usr/share/ansible/plugins/become | |
| #cache_plugins = /usr/share/ansible/plugins/cache | |
| #callback_plugins = /usr/share/ansible/plugins/callback | |
| #connection_plugins = /usr/share/ansible/plugins/connection | |
| #lookup_plugins = /usr/share/ansible/plugins/lookup | |
| #inventory_plugins = /usr/share/ansible/plugins/inventory | |
| #vars_plugins = /usr/share/ansible/plugins/vars | |
| #filter_plugins = /usr/share/ansible/plugins/filter | |
| #test_plugins = /usr/share/ansible/plugins/test | |
| #terminal_plugins = /usr/share/ansible/plugins/terminal | |
| #strategy_plugins = /usr/share/ansible/plugins/strategy | |
| # by default, ansible will use the 'linear' strategy but you may want to try | |
| # another one | |
| #strategy = free | |
| # by default callbacks are not loaded for /bin/ansible, enable this if you | |
| # want, for example, a notification or logging callback to also apply to | |
| # /bin/ansible runs | |
| #bin_ansible_callbacks = False | |
| # don't like cows? that's unfortunate. | |
| # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 | |
| #nocows = 1 | |
| # set which cowsay stencil you'd like to use by default. When set to 'random', | |
| # a random stencil will be selected for each task. The selection will be filtered | |
| # against the `cow_whitelist` option below. | |
| #cow_selection = default | |
| #cow_selection = random | |
| # when using the 'random' option for cowsay, stencils will be restricted to this list. | |
| # it should be formatted as a comma-separated list with no spaces between names. | |
| # NOTE: line continuations here are for formatting purposes only, as the INI parser | |
| # in python does not support them. | |
| #cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes, | |
| # hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus, | |
| # stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www | |
| # don't like colors either? | |
| # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 | |
| #nocolor = 1 | |
| # if set to a persistent type (not 'memory', for example 'redis') fact values | |
| # from previous runs in Ansible will be stored. This may be useful when | |
| # wanting to use, for example, IP information from one group of servers | |
| # without having to talk to them in the same playbook run to get their | |
| # current IP information. | |
| #fact_caching = memory | |
| #This option tells Ansible where to cache facts. The value is plugin dependent. | |
| #For the jsonfile plugin, it should be a path to a local directory. | |
| #For the redis plugin, the value is a hostdatabase triplet: fact_caching_connection = localhost0 | |
| #fact_caching_connection=/tmp | |
| # retry files | |
| # When a playbook fails a .retry file can be created that will be placed in ~/ | |
| # You can enable this feature by setting retry_files_enabled to True | |
| # and you can change the location of the files by setting retry_files_save_path | |
| #retry_files_enabled = False | |
| #retry_files_save_path = ~/.ansible-retry | |
| # squash actions | |
| # Ansible can optimise actions that call modules with list parameters | |
| # when looping. Instead of calling the module once per with_ item, the | |
| # module is called once with all items at once. Currently this only works | |
| # under limited circumstances, and only with parameters named 'name'. | |
| #squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper | |
| # prevents logging of task data, off by default | |
| #no_log = False | |
| # prevents logging of tasks, but only on the targets, data is still logged on the master/controller | |
| #no_target_syslog = False | |
| # controls whether Ansible will raise an error or warning if a task has no | |
| # choice but to create world readable temporary files to execute a module on | |
| # the remote machine. This option is False by default for security. Users may | |
| # turn this on to have behaviour more like Ansible prior to 2.1.x. See | |
| # https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user | |
| # for more secure ways to fix this than enabling this option. | |
| #allow_world_readable_tmpfiles = False | |
| # controls the compression level of variables sent to | |
| # worker processes. At the default of 0, no compression | |
| # is used. This value must be an integer from 0 to 9. | |
| #var_compression_level = 9 | |
| # controls what compression method is used for new-style ansible modules when | |
| # they are sent to the remote system. The compression types depend on having | |
| # support compiled into both the controller's python and the client's python. | |
| # The names should match with the python Zipfile compression types: | |
| # * ZIP_STORED (no compression. available everywhere) | |
| # * ZIP_DEFLATED (uses zlib, the default) | |
| # These values may be set per host via the ansible_module_compression inventory | |
| # variable | |
| #module_compression = 'ZIP_DEFLATED' | |
| # This controls the cutoff point (in bytes) on --diff for files | |
| # set to 0 for unlimited (RAM may suffer!). | |
| #max_diff_size = 1048576 | |
| # This controls how ansible handles multiple --tags and --skip-tags arguments | |
| # on the CLI. If this is True then multiple arguments are merged together. If | |
| # it is False, then the last specified argument is used and the others are ignored. | |
| # This option will be removed in 2.8. | |
| #merge_multiple_cli_flags = True | |
| # Controls showing custom stats at the end, off by default | |
| #show_custom_stats = True | |
| # Controls which files to ignore when using a directory as inventory with | |
| # possibly multiple sources (both static and dynamic) | |
| #inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo | |
| # This family of modules use an alternative execution path optimized for network appliances | |
| # only update this setting if you know how this works, otherwise it can break module execution | |
| #network_group_modules=eos, nxos, ios, iosxr, junos, vyos | |
| # When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as | |
| # a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain | |
| # jinja2 templating language which will be run through the templating engine. | |
| # ENABLING THIS COULD BE A SECURITY RISK | |
| #allow_unsafe_lookups = False | |
| # set default errors for all plays | |
| #any_errors_fatal = False |
privilege_escalation 部分公司不希望直接以Root最高管理員權(quán)限直接部署應(yīng)用,往往會(huì)開通普通用戶并授權(quán)sudo權(quán)限來進(jìn)行相關(guān)操作,該部分是sudo提升權(quán)限的配置
| [privilege_escalation] | |
| #become=True | |
| #become_method=sudo | |
| #become_user=root | |
| #become_ask_pass=False |
ssh_connection Ansible默認(rèn)使用SSH協(xié)議連接,保持默認(rèn)即可
| [ssh_connection] | |
| # ssh arguments to use | |
| # Leaving off ControlPersist will result in poor performance, so use | |
| # paramiko on older platforms rather than removing it, -C controls compression use | |
| #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s | |
| # The base directory for the ControlPath sockets. | |
| # This is the "%(directory)s" in the control_path option | |
| # | |
| # Example: | |
| # control_path_dir = /tmp/.ansible/cp | |
| #control_path_dir = ~/.ansible/cp | |
| # The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, | |
| # port and username (empty string in the config). The hash mitigates a common problem users | |
| # found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format. | |
| # In those cases, a "too long for Unix domain socket" ssh error would occur. | |
| # | |
| # Example: | |
| # control_path = %(directory)s/%%h-%%r | |
| #control_path = | |
| # Enabling pipelining reduces the number of SSH operations required to | |
| # execute a module on the remote server. This can result in a significant | |
| # performance improvement when enabled, however when using "sudo:" you must | |
| # first disable 'requiretty' in /etc/sudoers | |
| # | |
| # By default, this option is disabled to preserve compatibility with | |
| # sudoers configurations that have requiretty (the default on many distros). | |
| # | |
| #pipelining = False | |
| # Control the mechanism for transferring files (old) | |
| # * smart = try sftp and then try scp [default] | |
| # * True = use scp only | |
| # * False = use sftp only | |
| #scp_if_ssh = smart | |
| # Control the mechanism for transferring files (new) | |
| # If set, this will override the scp_if_ssh option | |
| # * sftp = use sftp to transfer files | |
| # * scp = use scp to transfer files | |
| # * piped = use 'dd' over SSH to transfer files | |
| # * smart = try sftp, scp, and piped, in that order [default] | |
| #transfer_method = smart | |
| # if False, sftp will not use batch mode to transfer files. This may cause some | |
| # types of file transfer failures impossible to catch however, and should | |
| # only be disabled if your sftp version has problems with batch mode | |
| #sftp_batch_mode = False | |
| # The -tt argument is passed to ssh when pipelining is not enabled because sudo | |
| # requires a tty by default. | |
| #usetty = True | |
| # Number of times to retry an SSH connection to a host, in case of UNREACHABLE. | |
| # For each retry attempt, there is an exponential backoff, | |
| # so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max). | |
| #retries = 3 |
accelerate 加速配置相關(guān)
| [accelerate] | |
| #accelerate_port = 5099 | |
| #accelerate_timeout = 30 | |
| #accelerate_connect_timeout = 5.0 | |
| # The daemon timeout is measured in minutes. This time is measured | |
| # from the last activity to the accelerate daemon. | |
| #accelerate_daemon_timeout = 30 | |
| # If set to yes, accelerate_multi_key will allow multiple | |
| # private keys to be uploaded to it, though each user must | |
| # have access to the system via SSH to add a new key. The default | |
| # is "no". | |
| #accelerate_multi_key = yes |
color 輸出顏色相關(guān)配置
| [colors] | |
| #highlight = white | |
| #verbose = blue | |
| #warn = bright purple | |
| #error = red | |
| #debug = dark gray | |
| #deprecate = purple | |
| #skip = cyan | |
| #unreachable = red | |
| #ok = green | |
| #changed = yellow | |
| #diff_add = green | |
| #diff_remove = red | |
| #diff_lines = cyan |
1.8 系列命令和使用場(chǎng)景
前面提到了,ansible相關(guān)命令的可執(zhí)行文件均放在/usr/bin/目錄下,如下:
| [root@192-168-158-100-RedHat-7 ansible-2.9.27]# ll /usr/bin/ | grep 'ansible' | |
| lrwxrwxrwx 1 root root 20 Jul 26 2023 ansible -> /usr/bin/ansible-2.7 | |
| lrwxrwxrwx 1 root root 20 Jul 26 2023 ansible-2 -> /usr/bin/ansible-2.7 | |
| -rwxr-xr-x 1 root root 5933 Jan 16 2022 ansible-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-config -> ansible | |
| -rwxr-xr-x 1 root root 13432 Jan 16 2022 ansible-connection | |
| lrwxrwxrwx 1 root root 28 Jul 26 2023 ansible-console -> /usr/bin/ansible-console-2.7 | |
| lrwxrwxrwx 1 root root 28 Jul 26 2023 ansible-console-2 -> /usr/bin/ansible-console-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-console-2.7 -> ansible | |
| lrwxrwxrwx 1 root root 24 Jul 26 2023 ansible-doc -> /usr/bin/ansible-doc-2.7 | |
| lrwxrwxrwx 1 root root 24 Jul 26 2023 ansible-doc-2 -> /usr/bin/ansible-doc-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-doc-2.7 -> ansible | |
| lrwxrwxrwx 1 root root 27 Jul 26 2023 ansible-galaxy -> /usr/bin/ansible-galaxy-2.7 | |
| lrwxrwxrwx 1 root root 27 Jul 26 2023 ansible-galaxy-2 -> /usr/bin/ansible-galaxy-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-galaxy-2.7 -> ansible | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-inventory -> ansible | |
| lrwxrwxrwx 1 root root 29 Jul 26 2023 ansible-playbook -> /usr/bin/ansible-playbook-2.7 | |
| lrwxrwxrwx 1 root root 29 Jul 26 2023 ansible-playbook-2 -> /usr/bin/ansible-playbook-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-playbook-2.7 -> ansible | |
| lrwxrwxrwx 1 root root 25 Jul 26 2023 ansible-pull -> /usr/bin/ansible-pull-2.7 | |
| lrwxrwxrwx 1 root root 25 Jul 26 2023 ansible-pull-2 -> /usr/bin/ansible-pull-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-pull-2.7 -> ansible | |
| lrwxrwxrwx 1 root root 26 Jul 26 2023 ansible-vault -> /usr/bin/ansible-vault-2.7 | |
| lrwxrwxrwx 1 root root 26 Jul 26 2023 ansible-vault-2 -> /usr/bin/ansible-vault-2.7 | |
| lrwxrwxrwx 1 root root 7 Jul 26 2023 ansible-vault-2.7 -> ansible |
大致分為以下幾類: 1) ansible命令 日常工作中使用率非常高的命令之一,主要在非固化需求、臨時(shí)一次性操作、二次開發(fā)接口調(diào)用場(chǎng)景下使用。命令格式如下: ansible
| [root@192-168-158-100-RedHat-7 ansible-2.9.27]# ansible all -m win_ping | |
| 192.168.158.104 | SUCCESS => { | |
| "changed": false, | |
| "ping": "pong" | |
| } |
ansible命令輸出用紅綠黃來區(qū)分執(zhí)行結(jié)果成功與失敗 
2) ansible-doc命令 ansible-doc可以查看ansible各個(gè)模塊的文檔說明,功能類似于man命令 ansible支持的window模塊大多以“win_”開頭
| //查看ansible各個(gè)模塊,可以看到ansible支持的windows模塊大多以"win_"開頭,例如,linux中使用的ping模塊,windows中為win_ping | |
| ansible-doc -l | |
| //查看某個(gè)具體的模塊 | |
| ansible-doc win_ping |
3) ansible-galaxy命令 模塊管理器,類似python中的pip,可以根據(jù)安裝量和下載量等信息,查找和安裝相應(yīng)的roles
| ansible-galaxy [init|info|list|install|remove] [options].... |
4) ansible-playbook命令 通過預(yù)先編寫好的playbook文件實(shí)現(xiàn)批量管理,要實(shí)現(xiàn)的功能與命令ansible一樣,可以理解為按一定條件組成的ansible任務(wù)集 5) ansible-pull命令 ansible的另外一種工作模式,默認(rèn)為push模式 6) ansible-vault命令 用于配置文件加密,如果編寫的playbook文件中有敏感信息,可以使用ansible-valut進(jìn)行加密解密,防止他人隨意查看
| [root@192-168-158-100-RedHat-7 ansible-2.9.27]# ansible-vault encrypt test.yaml | |
| New Vault password: | |
| Confirm New Vault password: | |
| Encryption successful | |
| [root@192-168-158-100-RedHat-7 ansible-2.9.27]# cat test.yaml | |
| $ANSIBLE_VAULT;1.1;AES256 | |
| 36353131383762396361623833653734356261666435633335636338333834393535353839383962 | |
| 6237316263616662336161353433643435663737323431350a626338393561623639653961656238 | |
| 66663031626464343661393732633264366265653734363139343330396430386364343232366138 | |
| 3430326166326336630a343062623461633862366266363963376231343732623861666336326533 | |
| 65346363386338636161613833646137306562636566633434373037313630636161 | |
| [root@192-168-158-100-RedHat-7 ansible-2.9.27]# ansible-vault decrypt test.yaml | |
| Vault password: | |
| Decryption successful |
1.9 Inventory配置文件詳解
Inventory是ansible管理主機(jī)信息的配置文件,默認(rèn)存放于/etc/ansible/hosts。Ansible在使用時(shí)通過-i或者--inventory-file來制定文件讀取,如ansible -i /etc/ansible/hosts webs -m ping,如果只有一個(gè)Inventory時(shí)可以不用指定路徑,默認(rèn)讀取/etc/ansible/hosts。inventory可以同時(shí)存在多個(gè),而且支持動(dòng)態(tài)生成。
1)主機(jī)和組
Inventory配置文件遵循ini文件風(fēng)格,中括號(hào)里的字符為組名,并且支持將同一個(gè)主機(jī)同時(shí)歸并到多個(gè)不同的組中。若主機(jī)使用了非默認(rèn)的ssh端口,還可以在主機(jī)名稱之后使用冒號(hào)加端口號(hào)來標(biāo)明
| #“#”開頭的行表示該行為注釋行,即當(dāng)時(shí)行的配置不生效 | |
| # Inventory 可以直接為 IP 地址 | |
| 192.168.37.149# Inventory 同樣支持 Hostname 的方式,后跟冒號(hào)加數(shù)字表示端口號(hào),默認(rèn) 22 號(hào)端口ntp.magedu.com:2222 | |
| nfs .magedu.com | |
| # 中括號(hào)內(nèi)的內(nèi)容表示一個(gè)分組的開始,緊隨其后的主機(jī)均屬于該組成員,空行后的主機(jī)亦屬于該組,即web2.magedu.com這臺(tái)主機(jī)也屬于[websevers]組 | |
| [websevers] | |
| web1 .magedu.com | |
| web[10:20].magedu.com #[10:20]表示10~20 之間的所有數(shù)字(包括10和20),即表示 web10.magedu.com、web11.magedu.com……web20.magedu.com 的所有主機(jī) | |
| web2 .magedu.com[dbservers] | |
| db-a.magedu.com | |
| db-[b:f].magedu.com #[b:f]表示b到f之間的所有數(shù)字(包括b和f),即表示 db-b.magedu.com、db-e.magedu.com…db-f.magedu.com的所有主機(jī) |
2) 定義主機(jī)變量
| [webservers] | |
| web1.magedu.com http_port=808 maxRequestsPerchild=801 #自定義http_port 的端口號(hào)為808,配置maxRequestsPerchild為801 | |
3) 定義組變量
| [groupservers] | |
| webl .magedu.com | |
| web2 .magedu.com | |
| [groupservers:vars] | |
| ntp_server=ntp.magedu.com #定義groupservers 組中所有主機(jī)ntp_server 值為 ntp.magedu.com | |
| nfs_server=nfs.magedu.com #定義groupservers 組中所有主機(jī)nfs_server 值為 nfs.magedu.com | |
4) 定義組嵌套及變量
| [apache] | |
| httpdl.magedu.com | |
| httpd2.magedu.com | |
| [nginx] | |
| ngx1.magedu.com | |
| ngx2.magedu.com | |
| [webservers:children] | |
| apache | |
| nginx | |
| [webservers:vars] | |
| ntp_server=ntp.magedu.com |
二、兩大常用命令
介紹了Ansible的各項(xiàng)元素、系列命令、Inventory基礎(chǔ),這些是掌握Ansible的基礎(chǔ),本篇接著介紹Ansible兩大神器Ad-Hoc命令集和playbook,通過模擬真實(shí)的案例和應(yīng)用場(chǎng)景更深入地了解Ansible。
2.1 Ad-Hoc命令集
1)使用場(chǎng)景
Ad-Hoc源自拉丁語“ad hoc”,意思是“為了這個(gè)目的”或“特定目的”。我們可以理解為解決一些簡單或者平時(shí)工作中臨時(shí)遇到的任務(wù)所做的“臨時(shí)操作”。比如:臨時(shí)向某一集群中各個(gè)服務(wù)器推送一個(gè)文件等
2)命令集介紹
Ad-Hoc命令集由/usr/bin/ansible實(shí)現(xiàn),其命令語法如下:
|
ansible |
可用[options]有:
-i PATH,指定inventory信息,默認(rèn)/etc/ansible/hosts
-f NUM, 并發(fā)線程數(shù),默認(rèn)5個(gè)線程
--private-key=PRIVATE_KEY_FILE:指定密鑰文件
-m NAME,指定使用的模塊
-M DIRECTORY,指定模塊存放路徑
-a 'ARGUMENTS',模塊參數(shù)
-k,認(rèn)證密碼
-o,標(biāo)準(zhǔn)輸出至一行
-s,相當(dāng)于Linux系統(tǒng)下的sudo命令
-t DIRECTORY,輸出信息至DIRECTORY目錄下,結(jié)果文件為遠(yuǎn)程主機(jī)名
-T SECONDS,指定連接遠(yuǎn)程主機(jī)的最大超時(shí)時(shí)間,單位是秒
-B NUM,后臺(tái)執(zhí)行命令,超Num秒后中止正在執(zhí)行的任務(wù)
-P NUM,定期返回后臺(tái)任務(wù)進(jìn)度
-u USERNAME,指定遠(yuǎn)程主機(jī)以USERNAME運(yùn)行命令
--list-hosts,列出符合條件的主機(jī)列表,不執(zhí)行任何命令 命令執(zhí)行流程: 
場(chǎng)景1:檢查主機(jī)是否存活 執(zhí)行命令: ansible linux -m ping 返回結(jié)果:
| [root@192-168-158-100-RedHat-7 .ssh]# ansible linux -m ping | |
| 192.168.158.16 | SUCCESS => { | |
| "ansible_facts": { | |
| "discovered_interpreter_python": "/usr/bin/python" | |
| }, | |
| "changed": false, | |
| "ping": "pong" | |
| } | |
| 192.168.158.23 | SUCCESS => { | |
| "ansible_facts": { | |
| "discovered_interpreter_python": "/usr/bin/python" | |
| }, | |
| "changed": false, | |
| "ping": "pong" | |
| } | |
| 192.168.158.176 | SUCCESS => { | |
| "ansible_facts": { | |
| "discovered_interpreter_python": "/usr/bin/python" | |
| }, | |
| "changed": false, | |
| "ping": "pong" | |
| } | |
“l(fā)inux”組下有三臺(tái)linux機(jī)器,看下第一臺(tái)機(jī)器的輸出 “172.168.158.16”是命令執(zhí)行的主機(jī); “Success”表示命令執(zhí)行成功; “=>{}”表示詳細(xì)返回結(jié)果如下; ““changed”:false”表示沒有對(duì)主機(jī)做變更;““ping”:"pong"”表示執(zhí)行ping命令返回了pong
場(chǎng)景2:返回Linux組所有主機(jī)的hostname 執(zhí)行命令: ansible linux -m command -a 'hostname' 返回結(jié)果:
| [root@192-168-158-100-RedHat-7 .ssh]# ansible linux -m command -a 'hostname' | |
| 192.168.158.16 | CHANGED | rc=0 >> | |
| k8sworker | |
| 192.168.158.23 | CHANGED | rc=0 >> | |
| k8smaster | |
| 192.168.158.176 | CHANGED | rc=0 >> | |
| 192-168-158-176-RedHat-7 | |
場(chǎng)景3:返回Linux組所有機(jī)器 執(zhí)行命令 ansible linux --list-hosts 返回結(jié)果
| [root@192-168-158-100-RedHat-7 .ssh]# ansible linux --list-hosts | |
| hosts (3): | |
| 192.168.158.23 | |
| 192.168.158.16 | |
| 192.168.158.176 |
鏈接:https://www.cnblogs.com/wenha/p/18690986
-
互聯(lián)網(wǎng)
+關(guān)注
關(guān)注
54文章
11217瀏覽量
105033 -
IT
+關(guān)注
關(guān)注
2文章
877瀏覽量
64034 -
自動(dòng)化
+關(guān)注
關(guān)注
29文章
5723瀏覽量
81144
原文標(biāo)題:二、兩大常用命令
文章出處:【微信號(hào):magedu-Linux,微信公眾號(hào):馬哥Linux運(yùn)維】歡迎添加關(guān)注!文章轉(zhuǎn)載請(qǐng)注明出處。
發(fā)布評(píng)論請(qǐng)先 登錄
相關(guān)推薦
誠聘高級(jí)運(yùn)維自動(dòng)化工程師
CasePlayer2--單元測(cè)試自動(dòng)化工具
紅帽推出Ansible 2.2 :為開源自動(dòng)化框架奠定牢靠的基礎(chǔ)
ansible-first-book 自動(dòng)化運(yùn)維工具
模擬EDA自動(dòng)化工具如今已經(jīng)登場(chǎng)
利用Ansible實(shí)現(xiàn)OpenStack自動(dòng)化
利用Ansible實(shí)現(xiàn)OpenStack自動(dòng)化
一文詳解Ansible的自動(dòng)化運(yùn)維
Ansible Container容器自動(dòng)化構(gòu)建部署工具
使用Ansible的OpenStack自動(dòng)化
什么是Ansible
EsDA — 嵌入式系統(tǒng)設(shè)計(jì)自動(dòng)化工具
如何應(yīng)用編碼標(biāo)準(zhǔn)和自動(dòng)化工具 提高代碼質(zhì)量
網(wǎng)絡(luò)設(shè)備自動(dòng)化運(yùn)維工具—ansible入門筆記介紹
工商網(wǎng)監(jiān)
評(píng)論