1:相关工具
1:/usr/bin/ansible # 主程序,临时命令执行工具
2:/usr/bin/ansible-doc # 查看配置文档,模块功能查看工具
3:/usr/bin/ansible-galaxy # 下载/上传优秀代码或Roles模块的官网平台
4:/usr/bin/ansible-playbook # 定制自动化任务,编排剧本工具
5:/usr/bin/ansible-pull # 远程执行命令的工具
6:/usr/bin/ansible-vault # 文件加密工具
7:/usr/bin/ansible-console # 基于Console界面与用户交互的执行工具
2:ansible实现管理的主要方式
1:Ad-Hoc # 即利用ansible命令,主要用于临时命令使用场景
2:Ansible-playbook # 主要用于长期规划好的,大型项目的场景,需要有前期的规划过程
3:ansible-doc
此工具用来显示模块帮助
ansible-doc [options] [module...]
# 列出所有模块
[root@ansible-manager ~]# ansible-doc -l
# 查看指定模块帮助用法
[root@ansible-manager ~]# ansible-doc ping
# 以 snippet 格式查看指定模块的简要用法(-s)
[root@ansible-manager ~]# ansible-doc -s ping
# 查看版本
[root@ansible-manager ~]# ansible-doc --version
4:ansible
1:此工具通过ssh协议,实现对远程主机的配置管理、应用部署、任务执行等功能
2:建议:使用此工具前,先配置ansible主控端能基于密钥认证的方式联系各个被管理节点
3:范例:这里使用免密测试哦
# 生成公钥和私钥(-P '' 表示私钥不设口令,拿到该私钥文件即可登录各节点,务必保护好私钥文件及其权限)
[root@ansible-manager ~]# ssh-keygen -P ''
# 拷贝免密
[root@ansible-manager ~]# for i in {10..12};do ssh-copy-id root@10.0.0.$i;done
# ansible格式
ansible <host-pattern> [-m module_name] [-a args]
# 说明
--version # 显示版本
-m module # 指定模块,默认为command
-v # 详细过程,-vv -vvv更详细
--list-hosts # 显示主机列表,可简写 --list
-k, --ask-pass # 提示输入ssh连接密码,默认Key验证
-C, --check # 检查,并不执行
-T, --timeout=TIMEOUT # 执行命令的超时时间,默认10s
-u, --user=REMOTE_USER # 执行远程执行的用户
-b, --become # 代替旧版的sudo 切换
--become-user=USERNAME # 指定sudo的runas用户,默认为root
-K, --ask-become-pass # 提示输入sudo时的口令
4.1:ansible的Host-pattern
4.1.1:表示所有Inventory中的所有主机
[root@ansible-manager ~]# ansible all -m ping
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# 用于匹配被控制的主机的列表
4.1.2:*:通配符
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
10.0.0.11
# 示例
[root@ansible-manager ~]# ansible "*" -m ping or ansible "10.0.0.*" -m ping or ansible "serv*" -m ping
# 解释:这里的*可以用于网段匹配和主机组的匹配哦
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
4.1.3:或关系
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
10.0.0.11
# 示例
[root@ansible-manager ~]# ansible "web:db" -m ping or ansible "10.0.0.11:10.0.0.12" -m ping
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
4.1.4:逻辑与
# 在web组并且在db组中的主机
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
10.0.0.11
# 示例
[root@ansible-manager ~]# ansible "web:&db" -m ping
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
4.1.5:逻辑非
# 在web组,但不在db组中的主机
# 注意:此处为单引号
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
# 示例
[root@ansible-manager ~]# ansible 'web:!db' -m ping
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
4.1.6:综合逻辑
# hosts 文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
[ftp]
10.0.0.11
[app]
10.0.0.12
# 示例
[root@ansible-manager ~]# ansible 'web:db:&app:!ftp' -m ping
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
4.1.7:正则表达式
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
[db]
10.0.0.12
[ftp]
10.0.0.11
[app]
10.0.0.12
# 示例
[root@ansible-manager ~]# ansible "~(web|db).*" -m ping
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
5:ansible命令执行过程
1:加载自己的配置文件 默认/etc/ansible/ansible.cfg
2:加载自己对应的模块文件,如:command
3:通过ansible将模块或命令生成对应的临时py文件,并将该文件传输至远程服务器的对应执行用户$HOME/.ansible/tmp/ansible-tmp-数字/XXX.PY文件
4:给文件+x执行
5:执行并返回结果
6:删除临时py文件,退出
6:ansible 的执行状态
[root@ansible-manager ~]# grep -A 14 '\[colors\]' /etc/ansible/ansible.cfg
[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
1:绿色:执行成功并且不需要做改变的操作
2:黄色:执行成功并且对目标主机做变更
3:红色:执行失败
7:ansible使用范例
# 以zhangsan用户执行ping存活检测
# 前提是要么免密,要么密码统一哦
[root@ansible-manager ~]# ansible all -m ping -u zhangsan -k
SSH password:
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# 以zhangsan sudo至root执行ping存活检测,前提是用户要有sudo的权限哦
# 被管理端需要配置如下 sudoers 规则(NOPASSWD: ALL 表示该用户无需口令即可以 root 执行任意命令,生产环境建议按需收窄)
[root@virtual_host ~]# cat /etc/sudoers
---
zhangsan ALL=(ALL) NOPASSWD: ALL
---
# 示例
[root@ansible-manager ~]# ansible all -m ping -u zhangsan -k -b
SSH password:
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# 以zhangsan sudo至lisi用户执行ping存活检测
[root@ansible-manager ~]# ansible all -m ping -u zhangsan -k -b --become-user=lisi
SSH password:
[WARNING]: Module remote_tmp /home/lisi/.ansible/tmp did not exist and was created with a mode of 0700, this may cause issues when
running as another user. To avoid this, create the remote_tmp dir with the correct permissions manually
10.0.0.12 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
10.0.0.11 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# 以zhangsan sudo至root用户执行ls
[root@ansible-manager ~]# ansible all -m command -u zhangsan -a "whoami" -b --become-user=root -k -K
SSH password: # 这次密码是zhangsan的
BECOME password[defaults to SSH password]: # 这次密码是被切换用户的,也就是root
10.0.0.11 | CHANGED | rc=0 >>
root
10.0.0.12 | CHANGED | rc=0 >>
root
5:ansible-playbook
此工具用于执行编写好的 playbook 任务
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
10.0.0.12
# 示例
[root@ansible-manager ~]# cat hello.yaml
---
- hosts: web # 主机组
remote_user: root # 远程执行命令用户
tasks:
- name: Hello World # 任务名称
command: echo "Hello World" # 具体执行命令
# 执行
[root@ansible-manager ~]# ansible-playbook hello.yaml
PLAY [web] ********************************************************************************************
TASK [Gathering Facts] ********************************************************************************
ok: [10.0.0.11]
ok: [10.0.0.12]
TASK [Hello World] *******************************************************************************************************
changed: [10.0.0.11]
changed: [10.0.0.12]
PLAY RECAP ********************************************************************************************
10.0.0.11 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.0.0.12 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
6:ansible-vault
# 格式
ansible-vault [create|decrypt|edit|encrypt|rekey|view]
6.1:ansible-vault encrypt
# 该命令用于加密 yaml
[root@ansible-manager ~]# ansible-vault encrypt hello.yaml
New Vault password: # 输入加密密码
Confirm New Vault password: # 确认密码
Encryption successful # 加密完成
# 查看加密文件
[root@ansible-manager ~]# cat hello.yaml
$ANSIBLE_VAULT;1.1;AES256
33623564313431316335663364666264656330393866653335663962326561613933356262663962
3731303133616434366365636435393065333336376239320a383639393730656466353263643630
64613332663236303339643131303430653461666234313866643039313237646237313236346366
3961333762346637630a316430626166613562623133393431346663636337633638643134313730
62313665653439663862643432346630373834666163623433303433653238643831336534323331
37623833393064313733376363613164346339303132363633656563633862333533626661393436
65653531653863626363303961313862636434383930373731323836386364373264383037633839
63376339636234613133363063633032653666643032633232323439326634373731326534653562
30666436343532363435396536616336653161303639306162643966383533386562
6.2:ansible-vault decrypt
# 该命令用于解密 yaml
[root@ansible-manager ~]# ansible-vault decrypt hello.yaml
Vault password: # 输入加密时使用的密码
Decryption successful # 解密完成
# 检查 yaml
[root@ansible-manager ~]# cat hello.yaml
---
- hosts: web
remote_user: root
tasks:
- name: Hello World
command: echo "Hello World"
6.3:ansible-vault view
# 此功能用于查看加密的yaml,前提是yaml必须通过 ansible-vault encrypt 这个命令加密过后的yaml
# 示例如下
[root@ansible-manager ~]# ansible-vault encrypt hello.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible-manager ~]# ansible-vault view hello.yaml
Vault password:
---
- hosts: web
remote_user: root
tasks:
- name: Hello World
command: echo "Hello World"
6.4:ansible-vault edit
# 该功能用于直接编辑加密的yaml文件,同上必须是 通过 ansible-vault encrypt 这个命令加密过后的yaml
# 示例
[root@ansible-manager ~]# ansible-vault edit hello.yaml
Vault password:
[root@ansible-manager ~]# ansible-vault view hello.yaml
Vault password:
---
- hosts: web
remote_user: root
tasks:
- name: Hello Zhangsan
command: echo "Hello Zhangsan"
6.5:ansible-vault rekey
# 该命令用于修改目前加密yaml的口令
# 示例如下
[root@ansible-manager ~]# ansible-vault rekey hello.yaml
Vault password: # 旧的口令
New Vault password: # 新的口令
Confirm New Vault password: # 重复新的口令
Rekey successful # 修改完成
6.6:ansible-vault create
# 该命令主要用于直接创建带密码的yaml
# 示例
[root@ansible-manager ~]# ansible-vault create new_hello.yaml
Vault password: # 输入加密口令
[root@ansible-manager ~]# ansible-vault view new_hello.yaml
Vault password: # 使用口令查看创建好的yaml
---
- hosts: web
remote_user: root
tasks:
- name: Hello Lisi
command: echo "Hello Lisi"
7:ansible-console
此工具可交互执行命令,支持tab,ansible 2.0+新增
提示符格式:执行用户@当前操作的主机组 (当前组的主机数量)[f:并发数]$
常用子命令:
1:设置并发数: forks n 例如: forks 10
2:切换组: cd 主机组 例如: cd web
3:列出当前组主机列表: list
4:列出所有的内置命令: ?或help
# hosts文件
[root@ansible-manager ~]# cat /etc/ansible/hosts | grep -v "^#"
[web]
10.0.0.11
10.0.0.12
[db]
10.0.0.11
[app]
10.0.0.12
# 示例如下
[root@ansible-manager ~]# ansible-console
Welcome to the ansible console.
Type help or ? to list commands.
root@all (2)[f:5]$ list
10.0.0.11
10.0.0.12
root@all (2)[f:5]$ cd web
root@web (2)[f:5]$ list
10.0.0.11
10.0.0.12
root@web (2)[f:5]$ cd db
root@db (1)[f:5]$ list
10.0.0.11
root@db (1)[f:5]$ cd app
root@app (1)[f:5]$ list
10.0.0.12
root@web (1)[f:5]$ yum name=nginx state=present # 安装服务
10.0.0.11 | SUCCESS => {
"changed": false,
"msg": "",
"rc": 0,
"results": [
"1:nginx-1.20.1-9.el7.x86_64 providing nginx is already installed"
]
}
root@web (1)[f:5]$ service name=nginx state=started # 启动服务
10.0.0.11 | CHANGED => {
"changed": true,
"name": "nginx",
"state": "started",
---
# 去web服务器看看
[root@virtual_host ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2021-12-28 02:25:30 EST; 2min 0s ago
# 这里我就不演示help了,因为太多了QAQ~
8:ansible-galaxy
此工具会连接 https://galaxy.ansible.com 下载相应的roles
# 示例
# 列出所有已安装的galaxy
[root@ansible-manager ~]# ansible-galaxy list
# /usr/share/ansible/roles
# /etc/ansible/roles
# 安装galaxy
[root@ansible-manager ~]# ansible-galaxy role list
# /root/.ansible/roles
- geerlingguy.mysql, 3.5.0
- geerlingguy.redis, 1.7.0
# /usr/share/ansible/roles
# /etc/ansible/roles
#删除galaxy
[root@ansible-manager ~]# ansible-galaxy remove geerlingguy.mysql
- successfully removed geerlingguy.mysql
[root@ansible-manager ~]# ansible-galaxy role list
# /root/.ansible/roles
- geerlingguy.redis, 1.7.0
# /usr/share/ansible/roles
# /etc/ansible/roles