ansible初体验
1. 选型
工具 | 说明 | 缺点 |
xshell | 不适应机器过多场景,需要连接后才能用 | |
for+ssh/scp+密钥认证 | 密钥认证,免密码登录 scp传输文本/脚本 ssh远程执行命令或脚本 | 串行 |
saltstack | 需要安装客户端 | |
ansible | 无客户端(密钥认证)批量部署环境 | 需要新python版本,被红帽收购了 |
Terraform | 关注基础设施(云环境),一键创建100台云服务器,一键创建负载均衡,数据库产品 |
2. ansible架构
- 通过主机清单连接管理被控端
- 命令行执行模块
- 使用playbook剧本(核心)
3. 环境准备
环境准备 | 主机名 | ip |
ansible管理端 | m02(增加核心数 4c或8c) | 10.0.0.62/172.16.1.62 |
被管理端 | web01,web02,db01,nfs01,backup...... |
3.1. 安装ansible
1.安装pip工具 yum install -y python3-pip 2.升级pip python3 -m pip install -i https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple --upgrade pip 3.pip源(加速pip下载软件) pip3 config set global.index-url https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple 4.安装ansible pip3 install ansible 5.创建ansible配置文件(默认没有) mkdir -p /etc/ansible/ cat >/etc/ansible/ansible.cfg<<'EOF' [defaults] host_key_checking = False deprecation_warnings = False interpreter_python=/usr/bin/python3 [inventory] [privilege_escalation] [paramiko_connection] [ssh_connection] [persistent_connection] [accelerate] [selinux] [colors] [diff] EOF3.2. 检查
[root@m02 ~]# ansible --version /usr/local/lib/python3.7/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 3.7 is no longer supported by the Python core team and support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.7. from cryptography.exceptions import InvalidSignature ansible [core 2.11.12] config file = /etc/ansible/ansible.cfg configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/local/lib/python3.7/site-packages/ansible ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections executable location = /usr/local/bin/ansible python version = 3.7.9 (default, Jun 10 2022, 11:25:35) [GCC 7.3.0] jinja version = 3.1.6 libyaml = True3.3. 解决CryptographyDeprecationWarning提示
[root@m02 ~]# pip install cryptography==36.0.1 Looking in indexes: https://mirrors.tuna.tsinghua.edu.cn/pypi/web/simple Collecting cryptography==36.0.1 Downloading https://mirrors.tuna.tsinghua.edu.cn/pypi/web/packages/d8/0c/c0f8790bdeff9813722811500fd735c40a6c50fe0b4f8f6f4444f7a49cc0/cryptography-36.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (3.6 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.6/3.6 MB 728.3 kB/s eta 0:00:00 Requirement already satisfied: cffi>=1.12 in /usr/lib64/python3.7/site-packages (from cryptography==36.0.1) (1.14.1) Requirement already satisfied: pycparser in /usr/lib/python3.7/site-packages (from cffi>=1.12->cryptography==36.0.1) (2.20) Installing collected packages: cryptography Attempting uninstall: cryptography Found existing installation: cryptography 45.0.5 Uninstalling cryptography-45.0.5: Successfully uninstalled cryptography-45.0.5 Successfully installed cryptography-36.0.1 WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv [root@m02 ~]# ansible --version ansible [core 2.11.12] config file = /etc/ansible/ansible.cfg configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/local/lib/python3.7/site-packages/ansible ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections executable location = /usr/local/bin/ansible python version = 3.7.9 (default, Jun 10 2022, 11:25:35) [GCC 7.3.0] jinja version = 3.1.6 libyaml = True3.4. 配置主机清单
[lb] 172.16.1.[5:6] [web] 172.16.1.[7:10] [db] 172.16.1.[51:52] [nfs] 172.16.1.31 [bak] 172.16.1.41 #创建data分组,子组有db组,nfs组,bak组 [data:children] db nfs bak- 需求:100台机器,100个密码,如何管理?
- 解决:
主机清单文件中指定密码 [web] 10.0.0.7 ansible_user=root ansible_port=22 ansible_password=Lidao996 10.0.0.8 ansible_user=root ansible_port=22 ansible_password=Lidao9964. 使用ansible
4.1. ping模块
- 检查主机是否可以被管理
ansible -i /etc/ansible/hosts all -m ping -i 指定主机清单(如果不指定,默认是/etc/ansible/hosts)4.2. command模块
- 在被管理主机上执行简单的命令
ansible lb -m command -a 'hostname -I'4.3. shell模块
- 类似command模块,支持负载一点的命令
ansible lb -m shell -a 'rpm -qa | grep tree'4.4. script模块
ansible lb -m script -a '/server/scripts/script.sh'5. ansible模块
模块分类 | 模块 | 说明/选项 |
执行命令/脚本 | command | 一般用于执行简单命令 不支持特殊符号 默认的模块 |
shell | 与command类似,支持特殊符号 | |
script | 1.分发脚本(管理端指定的文件) 2.执行脚本(运行) | |
文件,目录 | file | touch,mkdir,rm,chown,chmod,ln -s 文件,目录,软链接 path=路径(目录,目录下的文件) src=源文件(创建软链接) mode=0644,0755,owner,group state=touch/directory/link/absent |
用户 | user | name=user(用户名) uid=uid(用户uid) shell=/sbin/nologin(用户shell) create_home=false/true(是否创建家目录) state=present/absent(添加/删除) |
安装软件包 | yum/apt | name=tree(软件包名) state=present/absent(安装或卸载) |
拷贝 | copy | 类似scp,拷贝文件或压缩包,不要拷贝目录 src=/etc/hosts(管理机源文件) dest=/etc/hosts(被管理机位置) |
服务管理 | systemd | 服务管理,开机自启动,开启,关闭,重启 name=nginx(服务名) enabled=yes/no(是否开机自启动) state=started/stopped/restarted/reloaded |
5.1. file
创建目录 ansible all -m file -a 'path=/dir/ state=directory' 创建文件 ansible all -m file -a 'path=/dir/test.txt state=touch' 创建软链接 ansible all -m file -a 'src=/etc/hosts path=/dir/ state=link' 删除(极其危险) ansible web -m file -a 'path=/dir/ state=absent' 创建文件或目录的时候同时需改权限,所有者,用户组等内容 ansible all -m file -a 'path=/dir/ mode=0700 user=zbl group=zbl state=directory'Collection Index — Ansible Community Documentation
- user和group模块
- group用户组模块
- user用户模块
5.2. user group
添加www-ans用户,uid,gid 2999 虚拟用户 添加用户组,指定gid ansible all -m group -a 'name=www-ans gid=2999 state=present' ansible all -m user -a 'name=www-ans uid=2999 group=www-ans shell=/sbin/nologin create_home=false state=present' ansible all -a 'grep www-ans /etc/passwd /etc/group'5.3. yum
- 安装软件
#安装软件 ansible all -m yum -a 'name=tree'5.4. copy
- 分发配置
ansible all -m copy -a 'src=/etc/hosts dest=/etc/hosts backup=yes' src=源文件 dest=目标 backup=是否备份5.5. systemd
- 启动服务
#开启nginx并设置开启自启动 ansible web -m systemd -a 'name=nginx enabled=true state=started' #关闭firewalld并禁止开机自启动 ansible web -m systemd -a 'name=firewalld enabled=false state=stopped'6. 总结
- 主机清单
- ansible模块