Ansible自动化运维工具及其常用模块
Ansible自动化运维工具及其常用模块
一、Ansible简介
1. Ansible概述
Ansible是一个基于Python开发的配置管理和应用部署工具,现在也在自动化管理领域大放异彩。它融合了众多老牌运维工具的优点,Puppet和Saltstack能实现的功能,Ansible基本上都可以实现。
2. Ansible作用
Ansible能批量配置、部署、管理上千台主机。比如以前需要切换到每个主机上执行的一或多个操作,使用Ansible只需在固定的一台Ansible控制节点上去完成所有主机的操作。
3. Ansible的工作模块
Ansible是基于模块工作的,它只是提供了一种运行框架,它本身没有完成任务的能力,真正执行操作的是Ansible的模块, 比如copy模块用于拷贝文件到远程主机上,service模块用于管理服务的启动、停止、重启等。
4. 常用的自动化运维工具及区别
5. Ansible的主要特点
Ansible其中一个比较鲜明的特性是Agentless,即无Agent的存在,它就像普通命令一样,并非C/S软件,也只需在某个作为控制节点的主机上安装一次Ansible即可,通常它基于ssh连接来控制远程主机,远程主机上不需要安装Ansible或其它额外的服务。
Ansible的另一个比较鲜明的特性是它的绝大多数模块都具备幂等性(idempotence)。所谓幂等性,指的是多次操作或多次执行对系统资源的影响是一致的。比如执行 systemctl stop xxx 命令来停止服务,当发现要停止的目标服务已经处于停止状态, 它什么也不会做,所以多次停止的结果仍然是停止,不会改变结果,它是幂等的,而 systemctl restart xxx 是非幂等的。
Ansible的很多模块在执行时都会先判断目标节点是否要执行任务,所以,可以放心大胆地让Ansible去执行任务,重复执行某个任务绝大多数时候不会产生任何副作用。
6. Ansible的工作机制
使用者在使用时,在服务器终端输入命令或者playbooks,会通过预定好的规则将playbook拆解为play,再组织成ansible可以识别的任务,调用模块和插件,根据主机清单通过SSH将临时文件发给远程的客户端执行并返回结果,执行结束后自动删除
二、Ansible部署
1. Ansible环境安装部署
服务器 | IP地址 | 主机名 | 主要软件 |
---|---|---|---|
管理端 | 192.168.122.10 | ansible | ansible |
被管理端 | 192.168.122.11 | node1 | - |
被管理端 | 192.168.122.12 | node2 | - |
被管理端 | 192.168.122.13 | node3 | - |
2. 管理端安装ansible
[root@ansible ~]# yum install -y epel-release.noarch
[root@ansible ~]# yum install -y ansible
3. ansible目录结构
[root@ansible ~]# yum install -y ansible
[root@ansible ~]# tree /etc/ansible
/etc/ansible
├── ansible.cfg
├── hosts
└── roles
● ansible.cfg
ansible的配置文件,一般无需修改
● hosts
ansible的主机清单,用于存储需要管理的远程主机的相关信息
● roles
公共角色目录
4. 配置主机清单
[root@ansible ~]# cd /etc/ansible/
[root@ansible ansible]# vim hosts
##配置组名
[webservers]
#组里面包含的被管理的主机IP地址或主机名
#主机名需要先修改/etc/hosts文件,更新ip映射
192.168.122.11
[dbservers]
192.168.122.12
5. 配置密钥对验证
5.1 生成密钥对
[root@ansible ansible]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
#回车
Enter passphrase (empty for no passphrase):
#回车
Enter same passphrase again:
#回车
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Rnc5ypBw0tT11X4pzu6p9vu3Yro5TESazT+LIRldKbw root@ansible
The key's randomart image is:
+---[RSA 2048]----+
| ooo.... . o|
| +...+ = ..|
| + O B ...|
| . B E o .o|
| S * + . .|
| . o o = |
| + + o |
| =.=. .|
| .=O=+oo|
+----[SHA256]-----+
5.2 复制公钥至node1并验证
[root@ansible ansible]# ssh-copy-id root@192.168.122.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.122.11's password:
#输入密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.122.11'"
and check to make sure that only the key(s) you wanted were added.
[root@ansible ansible]# ssh root@192.168.122.11
Last login: Thu Oct 21 16:24:17 2021
[root@node1 ~]#
#实现免密登录
[root@node1 ~]# ifconfig ens33 | awk "NR==2 {print \$2}"
192.168.122.11
[root@node1 ~]# ifconfig ens33 | awk 'NR==2 {print $2}'
192.168.122.11
[root@node1 ~]# echo $(ifconfig ens33 | awk 'NR==2 {print $2}' | cut -d " " -f 2)
192.168.122.11
[root@node1 ~]# exit
登出
5.3 复制公钥至node2并验证
[root@ansible ansible]# ssh-copy-id root@192.168.122.12
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.122.12 (192.168.122.12)' can't be established.
ECDSA key fingerprint is SHA256:VZGGMMTK4KF/0n10SPQZ5+gjbPWA+2INFv05R3MSlog.
ECDSA key fingerprint is MD5:fa:3c:f3:ee:f1:b2:91:06:95:94:f2:94:04:d3:69:5c.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.122.12's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.122.12'"
and check to make sure that only the key(s) you wanted were added.
[root@ansible ansible]# ssh root@192.168.122.12
Last login: Thu Oct 21 16:24:38 2021
[root@node2 ~]# ifconfig ens33 | awk "NR==2 {print \$2}"
192.168.122.12
[root@node2 ~]# ifconfig ens33 | awk 'NR==2 {print $2}'
192.168.122.12
[root@node2 ~]# echo $(ifconfig ens33 | awk 'NR==2 {print $2}' | cut -d " " -f 2)
192.168.122.12
#实现免密登录
[root@node2 ~]# exit
登出
三、Ansible命令行模块
命令格式:ansible <组名> -m <模块> -a <参数列表>
● ansible-doc -l
列出所有已安装的模块,按q退出
[root@ansible ansible]# ansible-doc -l
fortios_router_community_list Configure community lists in Fortinet's FortiOS and FortiGate
azure_rm_devtestlab_info Get Azure DevTest Lab facts
ecs_taskdefinition register a task definition in ecs
avi_alertscriptconfig Module for setup of AlertScriptConfig Avi RESTful Object
tower_receive Receive assets from Ansible Tower
netapp_e_iscsi_target NetApp E-Series manage iSCSI target configuration
azure_rm_acs Manage an Azure Container Service(ACS) instance
fortios_log_syslogd2_filter Filters for remote system server in Fortinet's FortiOS and Fort...
junos_rpc Runs an arbitrary RPC over NetConf on an Juniper JUNOS device
na_elementsw_vlan NetApp Element Software Manage VLAN
pn_ospf CLI command to add/remove ospf protocol to a vRouter
pn_snmp_vacm CLI command to create/modify/delete snmp-vacm
cp_mgmt_service_sctp Manages service-sctp objects on Check Point over Web Services A...
onyx_ospf Manage OSPF protocol on Mellanox ONYX network devices
icx_command Run arbitrary commands on remote Ruckus ICX 7000 series switche...
cs_snapshot_policy Manages volume snapshot policies on Apache CloudStack based clo...
nxos_install_os Set boot options like boot, kickstart image and issu
cnos_static_route Manage static IP routes on Lenovo CNOS network devices
win_eventlog Manage Windows event logs
vmware_category Manage VMware categories
vmware_host_feature_info Gathers info about an ESXi host's feature capability informatio...
avi_cluster Module for setup of Cluster Avi RESTful Object
na_ontap_user NetApp ONTAP user configuration and management
aci_l3out Manage Layer 3 Outside (L3Out) objects (l3ext:Out)
memset_server_info Retrieve server information
gcp_compute_subnetwork_info Gather info for GCP Subnetwork
azure_rm_virtualmachinescalesetextension Manage Azure Virtual Machine Scale Set (VMSS) extensions
1. command模块
在远程主机执行命令,不支持管道,重定向等shell的特性。
1.1 列出指定模块的描述信息和操作动作
● ansible-doc -s command
[root@ansible ansible]# ansible-doc -s command
- name: Execute commands on targets
command:
argv: # Passes the command as a list rather than a string. Use `argv' to avoid quoting values that would
otherwise be interpreted incorrectly (for example "user name").
Only the string or the list form can be provided, not both. One or
the other must be provided.
chdir: # Change into this directory before running the command.
cmd: # The command to run.
creates: # A filename or (since 2.0) glob pattern. If it already exists, this step *won't* be run.
free_form: # The command module takes a free form command to run. There is no actual parameter named 'free
form'.
removes: # A filename or (since 2.0) glob pattern. If it already exists, this step *will* be run.
stdin: # Set the stdin of the command directly to the specified value.
stdin_add_newline: # If set to `yes', append a newline to stdin data.
strip_empty_ends: # Strip empty lines from the end of stdout/stderr in result.
warn: # Enable or disable task warnings.
1.2 指定ip执行date
● ansible 192.168.122.11 -m command -a 'date'
[root@ansible ansible]# ansible 192.168.122.11 -m command -a 'date'
192.168.122.11 | CHANGED | rc=0 >>
2021年 10月 21日 星期四 17:21:39 CST
1.3 指定组执行date
● ansible webservers -m command -a 'date'
● ansible dbservers -m command -a 'date'
[root@ansible ansible]# ansible webservers -m command -a 'date'
192.168.122.11 | CHANGED | rc=0 >>
2021年 10月 21日 星期四 17:36:45 CST
[root@ansible ansible]# ansible dbservers -m command -a 'date'
192.168.122.12 | CHANGED | rc=0 >>
2021年 10月 21日 星期四 17:36:50 CST
1.4 all代表所有hosts主机
● ansible all -m command -a 'date'
[root@ansible ansible]# ansible all -m command -a 'date'
192.168.122.11 | CHANGED | rc=0 >>
2021年 10月 21日 星期四 17:38:10 CST
192.168.122.12 | CHANGED | rc=0 >>
2021年 10月 21日 星期四 17:38:10 CST
1.5 如省略-m模块,则默认运行command模块
● ansible all -a 'ls /'
[root@ansible ansible]# ansible all -a 'ls /'
192.168.122.12 | CHANGED | rc=0 >>
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
share
srv
sys
tmp
usr
var
192.168.122.11 | CHANGED | rc=0 >>
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
1.6 常用的参数
chdir:在远程主机上运行命令前提前进入目录
creates:判断指定文件是否存在,如果存在,不执行后面的操作
removes:判断指定文件是否存在,如果存在,执行后面的操作
[root@ansible ansible]# ansible all -m command -a "chdir=/home ls ./"
123456
192.168.122.12 | CHANGED | rc=0 >>
123456
2. shell模块
在远程主机执行命令,相当于调用远程主机的shell进程,然后在该shell下打开有一个子shell运行命令(支持管段符号等功能)
[root@ansible ansible]# ansible-doc -s shell
- name: Execute shell commands on targets
shell:
chdir: # Change into this directory before running the command.
cmd: # The command to run followed by optional arguments.
creates: # A filename, when it already exists, this step will *not* be run.
executable: # Change the shell used to execute the command. This expects an absolute path to the executable.
free_form: # The shell module takes a free form command to run, as a string. There is no actual parameter named
'free form'. See the examples on how to use this module.
removes: # A filename, when it does not exist, this step will *not* be run.
stdin: # Set the stdin of the command directly to the specified value.
stdin_add_newline: # Whether to append a newline to stdin data.
warn: # Whether to enable task warnings.
2.1 创建用户/更改密码
● ansible webservers -m shell -a 'useradd test'
● ansible webservers -m shell -a 'echo 123456 | passwd --stdin test'
[root@ansible ansible]# ansible webservers -m shell -a 'useradd test'
192.168.122.11 | CHANGED | rc=0 >>
[root@ansible ansible]# ansible webservers -m shell -a 'echo 123456 | passwd --stdin test'
192.168.122.11 | CHANGED | rc=0 >>
更改用户 test 的密码 。
passwd:所有的身份验证令牌已经成功更新。
2.2 查看ip
● ansible webservers -m shell -a 'ifconfig ens33 | awk "NR==2 {print $2}"'
[root@ansible ansible]# ansible webservers -m shell -a 'ifconfig ens33 | awk "NR==2 {print \$2}"'
192.168.122.11 | CHANGED | rc=0 >>
192.168.122.11
[root@ansible ansible]# ansible webservers -m shell -a "ifconfig ens33 | awk 'NR==2 {print \$2}'"
192.168.122.11 | CHANGED | rc=0 >>
192.168.122.11
● ansible webservers -m shell -a 'echo $(ifconfig ens33 | awk "NR==2 {print}") | cut -d " " -f 2'
[root@ansible ansible]# ansible webservers -m shell -a 'echo $(ifconfig ens33 | awk "NR==2 {print}") | cut -d " " -f 2'
192.168.122.11 | CHANGED | rc=0 >>
192.168.122.11
3. cron模块
在远程主机定义任务计划。其中有两种状态(state):present表示添加(默认,可省略),absent表示移除
3.1 列出指定模块的描述信息和操作动作
● ansible-doc -s cron
[root@ansible ansible]# ansible-doc -s cron
- name: Manage cron.d and crontab entries
cron:
backup: # If set, create a backup of the crontab before it is modified. The location of the backup is
returned in the `backup_file' variable by this module.
cron_file: # If specified, uses this file instead of an individual user's crontab. If this is a relative path,
it is interpreted with respect to `/etc/cron.d'. If it is absolute,
it will typically be `/etc/crontab'. Many linux distros expect (and
some require) the filename portion to consist solely of upper- and
lower-case letters, digits, underscores, and hyphens. To use the
`cron_file' parameter you must specify the `user' as well.
day: # Day of the month the job should run ( 1-31, *, */2, etc )
disabled: # If the job should be disabled (commented out) in the crontab. Only has effect if `state=present'.
env: # If set, manages a crontab's environment variable. New variables are added on top of crontab.
`name' and `value' parameters are the name and the value of
environment variable.
hour: # Hour when the job should run ( 0-23, *, */2, etc )
insertafter: # Used with `state=present' and `env'. If specified, the environment variable will be inserted after
the declaration of specified environment variable.
insertbefore: # Used with `state=present' and `env'. If specified, the environment variable will be inserted
before the declaration of specified environment variable.
job: # The command to execute or, if env is set, the value of environment variable. The command should
not contain line breaks. Required if `state=present'.
minute: # Minute when the job should run ( 0-59, *, */2, etc )
month: # Month of the year the job should run ( 1-12, *, */2, etc )
name: # Description of a crontab entry or, if env is set, the name of environment variable. Required if
`state=absent'. Note that if name is not set and `state=present',
then a new crontab entry will always be created, regardless of
3.1 常用的参数
minute/hour/day/month/weekday:分/时/日/月/周
job:任务计划要执行的命令
name:任务计划的名称
3.2 设置计划任务
● ansible webservers -m cron -a 'minute="*/1" job="/bin/echo helloworld" name="test crontab"'
[root@ansible ansible]# ansible webservers -m cron -a 'minute="*/1" job="/bin/echo helloworld" name="test crontab"'
192.168.122.11 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": [
"test crontab"
]
}
3.3 查看计划任务
● ansible webservers -a 'crontab -l'
[root@ansible ansible]# ansible webservers -a 'crontab -l'
192.168.122.11 | CHANGED | rc=0 >>
#Ansible: test crontab
*/1 * * * * /bin/echo helloworld
3.4 移除计划任务
● ansible webservers -m cron -a 'name="test crontab" state=absent'
[root@ansible ansible]# ansible webservers -m cron -a 'name="test crontab" state=absent'
192.168.122.11 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": []
}
[root@ansible ansible]# ansible webservers -a 'crontab -l'
192.168.122.11 | CHANGED | rc=0 >>
移除计划任务,若该计划任务没有取名字,name=None即可。
若有多个计划任务没有取名字,name=None将批量删除所有未取名任务。
4. user模块
用户管理的模块
4.1 列出指定模块的描述信息和操作动作
● ansible-doc -s user
[root@ansible ansible]# ansible-doc -s user
- name: Manage user accounts
user:
append: # If `yes', add the user to the groups specified in `groups'. If `no', user will only be added to
the groups specified in `groups', removing them from all other
groups. Mutually exclusive with `local'
authorization: # Sets the authorization of the user. Does nothing when used with other platforms. Can set multiple
authorizations using comma separation. To delete all
authorizations, use `authorization='''. Currently supported on
Illumos/Solaris.
comment: # Optionally sets the description (aka `GECOS') of user account.
create_home: # Unless set to `no', a home directory will be made for the user when the account is created or if
the home directory does not exist. Changed from `createhome' to
`create_home' in Ansible 2.5.
expires: # An expiry time for the user in epoch, it will be ignored on platforms that do not support this.
Currently supported on GNU/Linux, FreeBSD, and DragonFlyBSD. Since
Ansible 2.6 you can remove the expiry time specify a negative
value. Currently supported on GNU/Linux and FreeBSD.
force: # This only affects `state=absent', it forces removal of the user and associated directories on
supported platforms. The behavior is the same as `userdel --force',
check the man page for `userdel' on your system for details and
support. When used with `generate_ssh_key=yes' this forces an
existing key to be overwritten.
generate_ssh_key: # Whether to generate a SSH key for the user in question. This will *not* overwrite an existing SSH
key unless used with `force=yes'.
group: # Optionally sets the user's primary group (takes a group name).
groups: # List of groups user will be added to. When set to an empty string `''', the user is removed from
all groups except the primary group. Before Ansible 2.3, the only
4.2 常用参数
常用参数 | 说明 |
---|---|
name | 用户名,必选参数 |
state=present/absent | 创建账号或者删除账号,present表示创建,absent表示删除 |
system=yes/no | 是否为系统账号 |
uid | 用户uid |
group | 用户基本组 |
shell | 默认使用的shell |
move_home=yse/no | 如果设置的家目录已经存在,是否将已经存在的家目录进行移动 |
password | 用户的密码,建议使用加密后的字符串 |
comment | 用户的注释信息 |
remove=yes/no | 当state=absent时,是否删除用户的家目录 |
4.3 用户控制
创建用户test01
● ansible dbservers -m user -a 'name="test01"'
[root@ansible ansible]# ansible dbservers -m user -a 'name="test01"'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1002,
"home": "/home/test01",
"name": "test01",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1002
}
查看passwd
● ansible dbservers -n 1 'tail /etc/passwd'
[root@ansible ansible]# ansible dbservers -a 'tail -n 1 /etc/passwd'
192.168.122.12 | CHANGED | rc=0 >>
test01:x:1002:1002::/home/test01:/bin/bash
删除用户test1
● ansible dbservers -m user -a 'name="test01" state=absent'
[root@ansible ansible]# ansible dbservers -m user -a 'name="test01" state=absent'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"force": false,
"name": "test01",
"remove": false,
"state": "absent"
}
[root@ansible ansible]# ansible dbservers -a 'tail -n 1 /etc/passwd'
192.168.122.12 | CHANGED | rc=0 >>
nginx:x:1001:1001::/home/nginx:/sbin/nologin
5. group模块
用户组管理的模块
5.1 列出指定模块的描述信息和操作动作
● ansible-doc -s group
[root@ansible ansible]# ansible-doc -s group
- name: Add or remove groups
group:
gid: # Optional `GID' to set for the group.
local: # Forces the use of "local" command alternatives on platforms that implement it. This is useful in
environments that use centralized authentication when you want to
manipulate the local groups. (e.g. it uses `lgroupadd' instead of
`groupadd'). This requires that these commands exist on the
targeted host, otherwise it will be a fatal error.
name: # (required) Name of the group to manage.
non_unique: # This option allows to change the group ID to a non-unique value. Requires `gid'. Not supported on
macOS or BusyBox distributions.
state: # Whether the group should be present or not on the remote host.
system: # If `yes', indicates that the group created is a system group.
5.2 用户组管理
创建mysql组
● ansible dbservers -m group -a 'name=mysql gid=2222 system=yes'
[root@ansible ansible]# ansible dbservers -m group -a 'name=mysql gid=2222 system=yes'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 2222,
"name": "mysql",
"state": "present",
"system": true
}
● ansible dbservers -a 'tail -n 1 /etc/group'
[root@ansible ansible]# ansible dbservers -a 'tail -n 1 /etc/group'
192.168.122.12 | CHANGED | rc=0 >>
mysql:x:2222
将test01用户添加到mysql组中
● ansible dbservers -m user -a 'name=test01 uid=2222 system=yes group=mysql'
[root@ansible ansible]# ansible dbservers -m user -a 'name=test01 uid=2222 system=yes group=mysql'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 2222,
"home": "/home/test01",
"name": "test01",
"shell": "/bin/bash",
"state": "present",
"stderr": "useradd:警告:此主目录已经存在。\n不从 skel 目录里向其中复制任何文件。\n",
"stderr_lines": [
"useradd:警告:此主目录已经存在。",
"不从 skel 目录里向其中复制任何文件。"
],
"system": true,
"uid": 2222
}
● ansible dbservers -a 'tail -n 1 /etc/passwd'
[root@ansible ansible]# ansible dbservers -a 'tail -n 1 /etc/passwd'
192.168.122.12 | CHANGED | rc=0 >>
test01:x:2222:2222::/home/test01:/bin/bash
● ansible dbservers -a 'id test01'
[root@ansible ansible]# ansible dbservers -a 'id test01'
192.168.122.12 | CHANGED | rc=0 >>
uid=2222(test01) gid=2222(mysql) 组=2222(mysql)
6. copy模块
用于复制指定主机文件到远程主机
● ansible-doc -s copy
[root@ansible ansible]# ansible-doc -s copy
- name: Copy files to remote locations
copy:
attributes: # The attributes the resulting file or directory should have. To get supported flags look at the man
page for `chattr' on the target system. This string should contain
the attributes in the same order as the one displayed by `lsattr'.
The `=' operator is assumed as default, otherwise `+' or `-'
operators need to be included in the string.
backup: # Create a backup file including the timestamp information so you can get the original file back if
you somehow clobbered it incorrectly.
checksum: # SHA1 checksum of the file being transferred. Used to validate that the copy of the file was
successful. If this is not provided, ansible will use the local
calculated checksum of the src file.
content: # When used instead of `src', sets the contents of a file directly to the specified value. Works
only when `dest' is a file. Creates the file if it does not exist.
For advanced formatting or if `content' contains a variable, use
the [template] module.
decrypt: # This option controls the autodecryption of source files using vault.
dest: # (required) Remote absolute path where the file should be copied to. If `src' is a directory, this
must be a directory too. If `dest' is a non-existent path and if
either `dest' ends with "/" or `src' is a directory, `dest' is
created. If `dest' is a relative path, the starting directory is
determined by the remote host. If `src' and `dest' are files, the
parent directory of `dest' is not created and the task fails if it
does not already exist.
directory_mode: # When doing a recursive copy set the mode for the directories. If this is not set we will use the
system defaults. The mode is only set on directories which are
newly created, and will not affect those that already existed.
6.1 常用参数
常用参数 | 说明 |
---|---|
dest | 指出复制文件的目标及位置,使用绝对路径,如果是源目录,指目标也要是目录,如果目标文件已经存在会覆盖原有的内容 |
src | 指出源文件的路径,可以使用相对路径或绝对路径,支持直接指定目录,如果源是目录则目标也要是目录 |
mode | 指出复制时,目标文件的权限 |
owner | 指出复制时,目标文件的属主 |
group | 指出复制时,目标文件的属组 |
content | 指出复制到目标主机上的内容,不能与src一起使用 |
6.2 复制管理
● ansible dbservers -m copy -a 'src=/etc/fstab dest=/opt/fstab.bak owner=root mode=640'
[root@ansible ansible]# ansible dbservers -m copy -a 'src=/etc/fstab dest=/opt/fstab.bak owner=root mode=640'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f033278c56c47bf1856d94f85f80e01d9a6bf399",
"dest": "/opt/fstab.bak",
"gid": 0,
"group": "root",
"md5sum": "7b3dbae60210e8febb95ec755c16d7ed",
"mode": "0640",
"owner": "root",
"size": 501,
"src": "/root/.ansible/tmp/ansible-tmp-1634816703.21-12851-219551934743358/source",
"state": "file",
"uid": 0
}
● ansible dbservers -a 'ls -l /opt'
[root@ansible ansible]# ansible dbservers -a 'ls -l /opt'
192.168.122.12 | CHANGED | rc=0 >>
总用量 14724
drwxr-xr-x 2 root root 88 10月 20 19:17 consul
drwx--x--x 4 root root 28 10月 20 19:08 containerd
-rw-r----- 1 root root 501 10月 21 19:45 fstab.bak
drwxrwxr-x 18 123456 123456 4096 10月 17 02:22 php-7.1.10
-rw-r--r-- 1 root root 15069098 8月 4 2018 php-7.1.10.tar.bz2
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
● ansible dbservers -a 'cat /opt/fstab.bak'
[root@ansible ansible]# ansible dbservers -a 'cat /opt/fstab.bak'
192.168.122.12 | CHANGED | rc=0 >>
#
# /etc/fstab
# Created by anaconda on Tue Jun 8 02:45:07 2021
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=a001f3da-084b-4086-a845-1d9841e4e273 / xfs defaults 0 0
UUID=3c126149-e941-45da-b7b2-295bbb9d9ba3 /boot xfs defaults 0 0
UUID=cf45ed0f-c177-44b9-9874-e56eab1fefdb swap swap defaults 0 0
将helloworld写入/opt/hello.txt文件中
● ansible dbservers -m copy -a 'content="helloworld" dest=/opt/hello.txt'
[root@ansible ansible]# ansible dbservers -m copy -a 'content="helloworld" dest=/opt/hello.txt'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "6adfb183a4a2c94a2f92dab5ade762a47889a5a1",
"dest": "/opt/hello.txt",
"gid": 0,
"group": "root",
"md5sum": "fc5e038d38a57032085441e7fe7010b0",
"mode": "0644",
"owner": "root",
"size": 10,
"src": "/root/.ansible/tmp/ansible-tmp-1634816859.21-12943-32638067870190/source",
"state": "file",
"uid": 0
}
● ansible dbservers -a 'cat /opt/hello.txt'
[root@ansible ansible]# ansible dbservers -a 'cat /opt/hello.txt'
192.168.122.12 | CHANGED | rc=0 >>
helloworld
7. file模块
设置文件属性
7.1 列出指定模块的描述信息和操作动作
● ansible-doc -s file
[root@ansible ansible]# ansible-doc -s file
- name: Manage files and file properties
file:
access_time: # This parameter indicates the time the file's access time should be set to. Should be `preserve'
when no modification is required, `YYYYMMDDHHMM.SS' when using
default time format, or `now'. Default is `None' meaning that
`preserve' is the default for `state=[file,directory,link,hard]'
and `now' is default for `state=touch'.
access_time_format: # When used with `access_time', indicates the time format that must be used. Based on default Python
format (see time.strftime doc).
attributes: # The attributes the resulting file or directory should have. To get supported flags look at the man
page for `chattr' on the target system. This string should contain
the attributes in the same order as the one displayed by `lsattr'.
The `=' operator is assumed as default, otherwise `+' or `-'
operators need to be included in the string.
follow: # This flag indicates that filesystem links, if they exist, should be followed. Previous to Ansible
2.5, this was `no' by default.
force: # Force the creation of the symlinks in two cases: the source file does not exist (but will appear
later); the destination exists and is a file (so, we need to unlink
the `path' file and create symlink to the `src' file in place of
it).
group: # Name of the group that should own the file/directory, as would be fed to `chown'.
mode: # The permissions the resulting file or directory should have. For those used to `/usr/bin/chmod'
remember that modes are actually octal numbers. You must either add
a leading zero so that Ansible's YAML parser knows it is an octal
number (like `0644' or `01777') or quote it (like `'644'' or
`'1777'') so Ansible receives a string and can do its own
conversion from string into number. Giving Ansible a number without
following one of these rules will end up with a decimal number
7.2 文件属性管理
修改文件的属主属组权限等
● ansible dbservers -m file -a 'owner=test01 group=mysql mode=644 path=/opt/fstab.bak'
[root@ansible ansible]# ansible dbservers -m file -a 'owner=test01 group=mysql mode=644 path=/opt/fstab.bak'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 2222,
"group": "mysql",
"mode": "0644",
"owner": "test01",
"path": "/opt/fstab.bak",
"size": 501,
"state": "file",
"uid": 2222
}
设置/opt/fstab.link为/opt/fstab.bak的链接文件
● ansible dbservers -m file -a 'path=/opt/fstab.link src=/opt/fstab.bak state=link'
[root@ansible ansible]# ansible dbservers -m file -a 'path=/opt/fstab.link src=/opt/fstab.bak state=link'
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dest": "/opt/fstab.link",
"gid": 0,
"group": "root",
"mode": "0777",
"owner": "root",
"size": 14,
"src": "/opt/fstab.bak",
"state": "link",
"uid": 0
}
创建一个文件
● ansible dbservers -m file -a "path=/opt/abc.txt state=touch"
[root@ansible ansible]# ansible dbservers -m file -a "path=/opt/abc.txt state=touch"
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dest": "/opt/abc.txt",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"size": 0,
"state": "file",
"uid": 0
}
删除一个文件
● ansible dbservers -m file -a "path=/opt/abc.txt state=absent"
[root@ansible ansible]# ansible dbservers -m file -a "path=/opt/abc.txt state=absent"
192.168.122.12 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"path": "/opt/abc.txt",
"state": "absent"
}
8. hostname模块
用于管理远程主机上的主机名
● ansible dbservers -m hostname -a "name=mysql01"
[root@ansible ansible]# ansible dbservers -m hostname -a "name=mysql01"
192.168.122.12 | CHANGED => {
"ansible_facts": {
"ansible_domain": "",
"ansible_fqdn": "mysql01",
"ansible_hostname": "mysql01",
"ansible_nodename": "mysql01",
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"name": "mysql01"
}
9. ping模块
检测远程主机的连通性
● ansible all -m ping
[root@ansible ansible]# ansible all -m ping
192.168.122.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
192.168.122.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10. yum模块
● ansible-doc -s yum
[root@ansible ansible]# ansible-doc -s yum
- name: Manages packages with the `yum' package manager
yum:
allow_downgrade: # Specify if the named package and version is allowed to downgrade a maybe already installed higher
version of that package. Note that setting allow_downgrade=True can
make this module behave in a non-idempotent way. The task could end
up with a set of packages that does not match the complete list of
specified packages to install (because dependencies between the
downgraded package and others can cause changes to the packages
which were in the earlier transaction).
autoremove: # If `yes', removes all "leaf" packages from the system that were originally installed as
dependencies of user-installed packages but which are no longer
required by any such package. Should be used alone or when state is
`absent' NOTE: This feature requires yum >= 3.4.3 (RHEL/CentOS 7+)
bugfix: # If set to `yes', and `state=latest' then only installs updates that have been marked bugfix
related.
conf_file: # The remote yum configuration file to use for the transaction.
disable_excludes: # Disable the excludes defined in YUM config files. If set to `all', disables all excludes. If set
to `main', disable excludes defined in [main] in yum.conf. If set
to `repoid', disable excludes defined for given repo id.
disable_gpg_check: # Whether to disable the GPG checking of signatures of packages being installed. Has an effect only
if state is `present' or `latest'.
disable_plugin: # `Plugin' name to disable for the install/update operation. The disabled plugins will not persist
beyond the transaction.
disablerepo: # `Repoid' of repositories to disable for the install/update operation. These repos will not persist
beyond the transaction. When specifying multiple repos, separate
them with a `","'. As of Ansible 2.7, this can alternatively be a
list instead of `","' separated string
安装服务
● ansible webservers -m yum -a 'name=httpd'
[root@ansible ansible]# ansible webservers -m yum -a 'name=httpd'
192.168.122.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"msg": "",
"rc": 0,
"results": [
"httpd-2.4.6-67.el7.centos.x86_64 providing httpd is already installed"
]
}
卸载服务
● ansible webservers -m yum -a 'name=httpd state=absent'
[root@ansible ansible]# ansible webservers -m yum -a 'name=httpd state=absent'
192.168.122.11 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"changes": {
"removed": [
"httpd"
]
},
"msg": "",
"rc": 0,
"results": [
"已加载插件:fastestmirror, langpacks\n正在解决依赖关系\n--> 正在检查事务\n---> 软件包 httpd.x86_64.0.2.4.6-67.el7.centos 将被 删除\n--> 解决依赖关系完成\n\n依赖关系解决\n\n================================================================================\n Package 架构 版本 源 大小\n================================================================================\n正在删除:\n httpd x86_64 2.4.6-67.el7.centos @local 9.4 M\n\n事务概要\n================================================================================\n移除 1 软件包\n\n安装大小:9.4 M\nDownloading packages:\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n 正在删除 : httpd-2.4.6-67.el7.centos.x86_64 1/1 \n 验证中 : httpd-2.4.6-67.el7.centos.x86_64 1/1 \n\n删除:\n httpd.x86_64 0:2.4.6-67.el7.centos \n\n完毕!\n"
]
}
11. service/systemd 模块
用于管理远程主机上的管理服务的运行状态
● ansible-doc -s service
[root@ansible ansible]# ansible-doc -s service
- name: Manage services
service:
arguments: # Additional arguments provided on the command line.
enabled: # Whether the service should start on boot. *At least one of state and enabled are required.*
name: # (required) Name of the service.
pattern: # If the service does not respond to the status command, name a substring to look for as would be
found in the output of the `ps' command as a stand-in for a status
result. If the string is found, the service will be assumed to be
started.
runlevel: # For OpenRC init scripts (e.g. Gentoo) only. The runlevel that this service belongs to.
sleep: # If the service is being `restarted' then sleep this many seconds between the stop and start
command. This helps to work around badly-behaving init scripts that
exit immediately after signaling a process to stop. Not all service
managers support sleep, i.e when using systemd this setting will be
ignored.
state: # `started'/`stopped' are idempotent actions that will not run commands unless necessary.
`restarted' will always bounce the service. `reloaded' will always
reload. *At least one of state and enabled are required.* Note that
reloaded will start the service if it is not already started, even
if your chosen init system wouldn't normally.
use: # The service module actually uses system specific modules, normally through auto detection, this
setting can force a specific module. Normally it uses the value of
the 'ansible_service_mgr' fact and falls back to the old 'service'
module when none matching is found.
11.1 常用参数
常用参数 | 说明 |
---|---|
name | 被管理的服务名称 |
state=started\stopped\restarted | 动作包含启动关闭或者重启 |
enabled=yes\no | 表示是否设置该服务开机自启 |
runlevel | 如果设定了enabled开机自启去,则要定义在哪些运行目标下自启动 |
11.2 服务管理
查看web服务器httpd运行状态
● ansible webservers -a 'systemctl status httpd'
[root@ansible ansible]# ansible webservers -m yum -a 'name=httpd'
[root@ansible ansible]# ansible webservers -a 'systemctl status httpd'
192.168.122.11 | FAILED | rc=3 >>
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:httpd(8)
man:apachectl(8)
10月 21 13:36:01 client systemd[1]: Unit httpd.service cannot be reloaded because it is inactive.non-zero return code
启动httpd服务
● ansible webservers -m service -a 'enabled=true name=httpd state=started'
[root@ansible ~]# ansible webservers -m service -a 'enabled=true name=httpd state=started'
192.168.122.11 | CHANGED => {
······
12. script 模块
实现远程批量运行本地的 shell 脚本
● ansible-doc -s script
[root@ansible ~]# ansible-doc -s script
- name: Runs a local script on a remote node after transferring it
script:
chdir: # Change into this directory on the remote node before running the script.
cmd: # Path to the local script to run followed by optional arguments.
creates: # A filename on the remote node, when it already exists, this step will *not* be run.
decrypt: # This option controls the autodecryption of source files using vault.
executable: # Name or path of a executable to invoke the script with.
free_form: # Path to the local script file followed by optional arguments.
removes: # A filename on the remote node, when it does not exist, this step will *not* be run.
12.1 准备脚本
[root@ansible ~]# vim test.sh
#!/bin/bash
echo "hello ansible from script" > /opt/script.txt
12.2 script执行脚本
● ansible webservers -m script -a 'test.sh'
[root@ansible ~]# chmod +x test.sh
[root@ansible ~]# ansible webservers -m script -a 'test.sh'
192.168.122.11 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.122.11 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.122.11 closed."
],
"stdout": "",
"stdout_lines": []
}
[root@ansible ~]# ansible webservers -a 'cat /opt/script.txt'
192.168.122.11 | CHANGED | rc=0 >>
hello ansible from script
13. setup 模块
获取指定主机的facts信息
facts组件是用来收集被管理节点信息的,使用 setup 模块可以获取这些信息
● ansible-doc -s setup
[root@ansible ~]# ansible-doc -s setup
- name: Gathers facts about remote hosts
setup:
fact_path: # Path used for local ansible facts (`*.fact') - files in this dir will be run (if executable) and
their results be added to `ansible_local' facts if a file is not
executable it is read. Check notes for Windows options. (from 2.1
on) File/results format can be JSON or INI-format. The default
`fact_path' can be specified in `ansible.cfg' for when setup is
automatically called as part of `gather_facts'.
filter: # If supplied, only return facts that match this shell-style (fnmatch) wildcard.
gather_subset: # If supplied, restrict the additional facts collected to the given subset. Possible values: `all',
`min', `hardware', `network', `virtual', `ohai', and `facter'. Can
specify a list of values to specify a larger subset. Values can
also be used with an initial `!' to specify that that specific
subset should not be collected. For instance:
`!hardware,!network,!virtual,!ohai,!facter'. If `!all' is specified
then only the min subset is collected. To avoid collecting even the
min subset, specify `!all,!min'. To collect only specific facts,
use `!all,!min', and specify the particular fact subsets. Use the
filter parameter if you do not want to display some collected
facts.
gather_timeout: # Set the default timeout in seconds for individual fact gathering.
13.1 获取指定主机的facts信息
● ansible webservers -m setup
[root@ansible ~]# ansible webservers -m setup
192.168.122.11 | SUCCESS => {
"ansible_facts": {
·····
13.2 过滤获取指定主机的指定facts信息
使用filter可以筛选指定的facts信息
● ansible dbservers -m setup -a 'filter=*ipv4'
[root@ansible ~]# ansible dbservers -m setup -a 'filter=*ipv4'
192.168.122.12 | SUCCESS => {
"ansible_facts": {
"ansible_default_ipv4": {
"address": "192.168.122.12",
"alias": "ens33",
"broadcast": "192.168.122.255",
"gateway": "192.168.122.2",
"interface": "ens33",
"macaddress": "00:0c:29:55:18:bd",
"mtu": 1500,
"netmask": "255.255.255.0",
"network": "192.168.122.0",
"type": "ether"
},
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false
}
四、inventory 主机清单
Inventory支持对主机进行分组,每个组内可以定义多个主机,每个主机都可以定义在任何一个或多个主机组内。
1. 列表表示
如果是名称类似的主机,可以使用列表的方式标识各个主机。
[root@ansible ~]# vim /etc/ansible/hosts
[webservers]
192.168.122.11:2222
#冒号后定义远程连接端口,默认是 ssh 的 22 端口
192.168.122.1[2:5]
[dbservers]
db-[a:f].example.org
#支持匹配 a~f
2. inventory 中的变量
Inventory变量名 | 含义 |
---|---|
ansible_host | ansible连接节点时的IP地址 |
ansible_port | 连接对方的端口号,ssh连接时默认为22 |
ansible_user | 连接对方主机时使用的主机名。不指定时,将使用执行ansible或ansible-playbook命令的用户 |
ansible_password | 连接时的用户的ssh密码,仅在未使用密钥对验证的情况下有效 |
ansible_ssh_private_key_file | 指定密钥认证ssh连接时的私钥文件 |
ansible_ssh_common_args | 提供给ssh、sftp、scp命令的额外参数 |
ansible_become | 允许进行权限提升 |
ansible_become_method | 指定提升权限的方式,例如可使用sudo/su/runas等方式 |
ansible_become_user | 提升为哪个用户的权限,默认提升为root |
ansible_become_password | 提升为指定用户权限时的密码 |
3. 变量
3.1 主机变量
[root@ansible ~]# vim /etc/ansible/hosts
[webservers]
192.168.122.11 ansible_port=22 ansible_user=root ansible_password=123456
3.2 组变量
[webservers:vars]
#表示为 webservers 组内所有主机定义变量
ansible_user=root
ansible_password=123456
[all:vars]
#表示为所有组内的所有主机定义变量
ansible_port=22
3.3 组嵌套
[nginx]
192.168.122.11
192.168.122.12
192.168.122.13
[apache]
192.168.122.3[0:3]
[webs:children]
#表示为 webs 主机组中包含了 nginx 组和 apache 组内的所有主机
nginx
apache