ansible笔记第一章 (ansible基础与playbook常用模块)

一、 ansible基础与playbook

         1.优先级问题

                        ANSIBLE_CONFIG
                        ansible.cfg 项目目录
                        .ansible.cfg 当前用户的家目录
                         /etc/ansible/ansible.cfg


        2.配置文件说明

                        

      [root@manager ~]# cat /etc/ansible/ansible.cfg
      #inventory = /etc/ansible/hosts #主机列表配置文件
      #library = /usr/share/my_modules/ #库文件存放目录
      #remote_tmp = ~/.ansible/tmp #临时py文件存放在远程主机目录
      #local_tmp = ~/.ansible/tmp #本机的临时执行目录
      #forks = 5 #默认并发数
      #sudo_user = root #默认sudo用户
      #ask_sudo_pass = True #每次执行是否询问sudo密码
      #ask_pass = True #每次执行是否询问ssh密码
      #remote_port = 22 #远程主机端口
      host_key_checking = False #跳过检查主机指纹(关闭后不会发现远端主机密钥的变化,失去对SSH中间人攻击的防护,仅建议在受信网络中使用)
      log_path = /var/log/ansible.log #ansible日志

      ssh-keygen 首先产生公钥,私钥
      yum install sshpass 安装此工具sshpass
      sshpass -p 'xxxx' ssh-copy-id -o StrictHostKeyChecking=no root@172.17.0.112 只要在分发的这台服务器上安装即可,其他的机器不用安装
      然后对ip地址进行循环,即可完成批量分发:
      # Loops over the target hosts and pushes the controller's public key to each one.
      # `$()` is an empty placeholder in these notes: fill it with the command that
      # prints the target IP addresses, one per line.
      for host in $()
      do
      # NOTE(review): -p puts the password on the command line, where it is visible in
      # `ps` output and shell history; sshpass also reads it from the SSHPASS environment
      # variable (-e) or a file (-f). StrictHostKeyChecking=no accepts whatever host key
      # is presented on first contact, so a man-in-the-middle would not be detected.
      sshpass -p '密码' ssh-copy-id -o StrictHostKeyChecking=no root@${host}
      done

 

 

  3.常用模块

        其他模块详解:https://blog.csdn.net/u010230019/article/details/128477679

     (1)  yum模块(安装present 卸载absent 升级latest  排除exclude 指定仓库enablerepo)

          #示例一、安装当前最新的Apache软件,如果存在则更新
            # ansible oldboy -m yum -a "name=httpd state=latest" -i hosts

- name: install the latest version of Apache
  # state=latest installs httpd, or upgrades it when it is already present
  yum:
    state: latest
    name: httpd

          #示例二、安装当前最新的Apache软件,通过epel仓库安装
            # ansible oldboy -m yum -a "name=httpd state=latest enablerepo=epel" -i hosts

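- name: install the latest version of Apache from the epel repo
  # enablerepo turns on the epel repo for this transaction only. The task name
  # previously said "testing repo" while enabling epel; state=latest matches the
  # ad-hoc command shown above this task (state=latest), so an already installed
  # httpd is upgraded rather than left as-is (which is what state=present does).
  yum:
    name: httpd
    enablerepo: epel
    state: latest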

 

          #示例三、通过公网URL安装rpm软件
            # ansible oldboy -m yum -a "name=https://mirrors.aliyun.com/zabbix/zabbix/4.2/rhel/7/x86_64/zabbix-agent-4.2.3-2.el7.x86_64.rpm state=latest" -i hosts

 

          #示例四、更新所有的软件包,但排除和kernel相关的
            # ansible oldboy -m yum -a "name=* state=latest exclude=kernel*,foo*" -i hosts

- name: upgrade all packages, excluding kernel & foo related packages
  yum:
    # '*' has to be quoted: a bare * would be read by YAML as an alias
    name: '*'
    # comma separated glob patterns that the upgrade leaves untouched
    exclude: 'kernel*,foo*'
    state: latest

          #示例五、删除Apache软件
            # ansible oldboy -m yum -a "name=httpd state=absent" -i hosts 

          #实例六、安装多个软件包

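- name: ensure a list of packages installed
  # the package list comes from a task-level variable; the Jinja expression is
  # quoted so YAML does not read the leading "{{" as a flow mapping
  yum:
    name: "{{ packages }}"
  vars:
    packages:
      - httpd
      - httpd-tools

- name: Install a list of packages
  # yum accepts a list for name directly; state=present installs what is
  # missing and does not upgrade packages that are already installed
  yum:
    name:
      - nginx
      - postgresql
      - postgresql-server
    state: present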

         #实例七、只下载软件包,但不安装。

- name: Download the nginx package but do not install it
  yum:
    # download_only fetches the rpm into the yum cache without installing it
    download_only: true
    state: latest
    name:
      - nginx

    (2)copy模块

               #示例一、将本地的httpd.conf文件Listen端口修改为9999,然后推送到远端服务。

            # ansible oldboy -m copy -a "src=./httpd.conf dest=/etc/httpd/conf/httpd.conf owner=root group=root mode=644" -i hosts

- name: Copy file with owner and permissions
  copy:
    # src is read on the controller and pushed to the managed host
    src: ./httpd.conf
    dest: /etc/httpd/conf/httpd.conf
    # mode is quoted so YAML does not read 0644 as an octal integer
    mode: '0644'
    group: foo
    owner: foo

          #示例二、将本地的httpd.conf文件Listen端口修改为9090,然后推送到远端,检查远端是否存在上一次的备份文件
            # ansible oldboy -m copy -a "src=./httpd.conf dest=/etc/httpd/conf/httpd.conf owner=root group=root mode=644 backup=yes" -i hosts

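- name: Copy a new "ntp.conf file into place, backing up the original if it differs from the copied version
  copy:
    src: /mine/ntp.conf
    dest: /etc/ntp.conf
    owner: root
    group: root
    mode: '0644'
    # backup keeps a timestamped copy of the previous file on the managed host
    # whenever the content changes; written as the canonical boolean `true`
    # (`yes` is a YAML 1.1-only spelling that yamllint's truthy rule rejects)
    backup: true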

          #示例三、往远程的主机文件中写入内容
            # ansible oldboy -m copy -a "content=HttpServer... dest=/var/www/html/index.html" -i host

    (3)get_url和file模块

        -------get_url
        #示例一、下载互联网的软件至本地
                url ==> http https ftp
          # ansible oldboy -m get_url -a "url=http://fj.xuliangwei.com/public/ip.txt dest=/var/www/html/" -i hosts

- name: Download foo.conf
  get_url:
    # NOTE(review): plain http and no checksum — nothing verifies what was
    # fetched; prefer an https url and/or a checksum: entry so a tampered
    # download is rejected instead of installed
    url: http://example.com/path/file.conf
    mode: '0440'
    dest: /etc/foo.conf

        #示例二、下载互联网文件并进行md5校验(了解)
          # ansible oldboy -m get_url -a "url=http://fj.xuliangwei.com/public/ip.txt dest=/var/www/html/ checksum=md5:7b86f423757551574a7499f0aae" -i hosts

- name: Download file with check (md5)
  get_url:
    dest: /etc/foo.conf
    url: http://example.com/path/file.conf
    # the download is discarded when its digest differs from this value;
    # md5 catches accidental corruption only — use sha256:<digest> when the
    # checksum is meant to stop a deliberately modified file
    checksum: md5:66dffb5228a211e61d6d7ef4a86f5758

        #示例三、下载互联网个人网站文件,不进行ssl校验

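- name: Download foo.conf
  get_url:
    url: http://example.com/path/file.conf
    dest: /etc/foo.conf
    mode: '0440'
    # "fales" in the original was a typo that Ansible rejects as not a boolean.
    # validate_certs only applies to https urls; false skips TLS certificate
    # checks entirely, so limit it to self-signed hosts you control and add a
    # checksum: entry so the downloaded content is still verified.
    validate_certs: false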

         validate_certs:

                                            验证证书

                  如果“否”,则不会验证SSL证书。

                  这只能在使用自签名证书的个人控制网站上使用。

                  [默认值:True]

                  类型:bool


        -------file 创建目录 授权

        #示例一、创建(或删除)文件,并设定属主、属组、权限默认755。
          # ansible oldboy -m file -a "path=/var/www/html/tt.html state=touch owner=apache group=apache mode=644" -i hosts

- name: Change file ownership, group and permissions
  file:
    # no state given, so only the metadata of an existing file is changed
    mode: '0644'
    group: foo
    owner: foo
    path: /etc/foo.conf

- name: Remove file (delete file)
  file:
    state: absent
    path: /etc/foo.txt

        #示例二、创建目录,并设定属主、属组、权限。
          # ansible oldboy -m file -a "path=/var/www/html/dd state=directory owner=apache group=apache mode=755" -i hosts

        #示例三、递归授权目录的方式。
          # ansible oldboy -m file -a "path=/var/www/html/ owner=apache group=apache mode=755" -i hosts
          # ansible oldboy -m file -a "path=/var/www/html/ owner=apache group=apache recurse=yes" -i hosts

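- name: Recursively change ownership of a directory
  file:
    path: /etc/foo
    state: directory
    # recurse applies owner/group to everything below path as well;
    # canonical boolean `true` instead of the YAML 1.1 spelling `yes`
    recurse: true
    owner: foo
    group: foo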

        #实例四: 创建两个硬链接(state: hard;创建软链接应使用state: link)

- name: Create two hard links
  file:
    # state=hard makes a hard link; a symlink would use state=link
    state: hard
    src: '/tmp/{{ item.src }}'
    dest: '{{ item.dest }}'
  # one link per loop item, referenced as item.src / item.dest above
  loop:
    - src: x
      dest: y
    - src: z
      dest: k

        #实例五、修改文件的修改和访问时间

- name: Update modification and access time of given file
  file:
    # both timestamps are set to the current time; state=file only touches
    # an existing path and does not create it
    access_time: now
    modification_time: now
    state: file
    path: /etc/some_file

  

  (4)service启动模块

        #示例一、启动Httpd服务
          [root@ansible ~]# ansible oldboy -m service -a "name=httpd state=started"

        #示例二、重载Httpd服务
          [root@ansible ~]# ansible oldboy -m service -a "name=httpd state=reloaded"

        #示例三、重启Httpd服务
          [root@ansible ~]# ansible oldboy -m service -a "name=httpd state=restarted"

        #示例四、停止Httpd服务
          [root@ansible ~]# ansible oldboy -m service -a "name=httpd state=stopped"

        #示例五、启动Httpd服务,并加入开机自启
          [root@ansible ~]# ansible oldboy -m service -a "name=httpd state=started enabled=yes"

          模块网址:https://www.jianshu.com/p/54b8460f68ea

          ansible localhost -m debug -a "msg={{ '123' | password_hash('sha512', 'salt') }}"

          ansible webservers -m user -a 'name=jsm password="$6$salt$jkHSO0tOjmLW0S1NFlw5veSIDRAVsiQQMTrkOKy4xdCCLPNIsHhZkIRlzfzIvKyXeGdOfCBoW1wJZPLyQ9Qx/1" create_home=yes' 

EXAMPLES:

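- name: Start service httpd, if not started
  service:
    name: httpd
    state: started

- name: Stop service httpd, if started
  service:
    name: httpd
    state: stopped

- name: Restart service httpd, in all cases
  service:
    name: httpd
    state: restarted

- name: Reload service httpd, in all cases
  service:
    name: httpd
    state: reloaded

- name: Enable service httpd, and not touch the state
  service:
    name: httpd
    # no state key: only the boot-time enablement changes; written as the
    # canonical boolean `true` rather than the YAML 1.1 spelling `yes`
    enabled: true

- name: Start service foo, based on running process /usr/bin/foo
  service:
    name: foo
    # pattern: the service counts as running when a process matching this
    # string is found, for init scripts without a working status command
    pattern: /usr/bin/foo
    state: started

- name: Restart network service for interface eth0
  service:
    name: network
    state: restarted
    # extra argument passed to the service command (here the interface name)
    args: eth0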

  (5)user-group模块

      group
        #示例一、创建news基本组,指定gid为9999
          # ansible oldboy -m group -a "name=news gid=9999 state=present" -i hosts

        #示例二、创建http系统组,指定gid为8888
          # ansible oldboy -m group -a "name=http gid=8888 system=yes state=present" -i hosts

        #示例三、删除news基本组
          # ansible oldboy -m group -a "name=news state=absent" -i hosts

      -----------------
      user
        #示例一、创建joh用户,uid是1040,主要的组是adm
          # ansible oldboy -m user -a "name=joh uid=1040 group=adm" -i hosts

        #示例二、创建joh用户,登录shell是/sbin/nologin,追加bin、sys两个组
          # ansible oldboy -m user -a "name=joh shell=/sbin/nologin groups=bin,sys" -i hosts

        #示例三、创建jsm用户,为其添加123作为登录密码,并且创建家目录(示例中的固定salt 'salt'仅作演示,实际使用时应省略salt参数,让password_hash随机生成salt)

          # echo "123"  | openssl passwd -1 -stdin
          # ansible localhost -m debug -a "msg={{ '123' | password_hash('sha512', 'salt') }}"
            $6$salt$jkHSO0tOjmLW0S1NFlw5veSIDRAVsiQQMTrkOKy4xdCCLPNIsHhZkIRlzfzIvKyXeGdOfCBoW1wJZPLyQ9Qx/1

          # ansible oldboy -m user -a 'name=jsm password=$6$salt$jkHSO0tOjmLW0S1NFlw5veSIDRAVsiQQMTrkOKy4xdCCLPNIsHhZkIRlzfzIvKyXeGdOfCBoW1wJZPLyQ9Qx/1 create_home=yes'

        #示例四、移除joh用户
          # ansible oldboy -m user -a 'name=joh state=absent remove=yes' -i hosts

        #示例五、创建http用户,并为该用户创建2048位的私钥,存放在~/http/.ssh/id_rsa
          # ansible oldboy -m user -a 'name=http generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa' -i hosts

EXAMPLES:

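- name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
  user:
    name: johnd
    comment: John Doe
    uid: 1040
    group: admin

- name: Add the user 'james' with a bash shell, appending the group 'admins' and 'developers' to the user's groups
  user:
    name: james
    shell: /bin/bash
    groups: admins,developers
    # append=true adds to the user's existing supplementary groups instead
    # of replacing them; canonical boolean instead of the YAML 1.1 `yes`
    append: true

- name: Remove the user 'johnd'
  user:
    name: johnd
    state: absent
    # remove=true also deletes the home directory; omit it to keep the files
    remove: true

- name: Create a 2048-bit SSH key for user jsmith in ~jsmith/.ssh/id_rsa
  user:
    name: jsmith
    # generates a key pair on the managed host if one does not exist yet;
    # NOTE(review): 2048-bit RSA is the minimum considered acceptable today —
    # a larger ssh_key_bits value or ssh_key_type: ed25519 is preferable
    generate_ssh_key: true
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa

- name: Added a consultant whose account you want to expire
  user:
    name: james18
    shell: /bin/zsh
    groups: developers
    # expires is a Unix timestamp (seconds since the epoch)
    expires: 1422403387

- name: Starting at Ansible 2.6, modify user, remove expiry time
  user:
    name: james18
    # -1 clears a previously set expiry date
    expires: -1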

        ———————————authorized_key模块分发公钥免密登录

# demo1: push this host's ssh public key to the other hosts
- name: Set authorized key took from file
  authorized_key:
    state: present
    user: root  # account on the managed host whose authorized_keys is edited
    key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # public key read on the controller

# demo2: remove this host's current ssh public key from the remote hosts
- name: Set authorized key took from file
  authorized_key:
    state: absent  # only the key given below is removed; other keys stay
    user: root  # account on the managed host whose authorized_keys is edited
    key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # public key read on the controller

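# demo3: push the current ssh public key and drop every other key that was there
- name: Set authorized key took from file
  authorized_key:
    # exclusive=true rewrites root's authorized_keys to contain only the key
    # below — any key other administrators rely on is removed, so run this
    # only when that lockout is intended. Canonical boolean instead of `True`.
    exclusive: true
    key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # public key read on the controller
    user: root  # account on the managed host whose authorized_keys is edited
    state: present  # add the key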

 

  (6)cron模块 

      #示例一、添加定时任务。每分钟执行一次ls * * * * * ls >/dev/null
        # ansible oldboy -m cron -a "name=job1 job='ls >/dev/null'" -i hosts

      #示例二、添加定时任务, 每天的凌晨2点和凌晨5点执行一次ls。"0 5,2 * * * ls >/dev/null"
        # ansible oldboy -m cron -a "name=job2 minute=0 hour=5,2 job='ls >/dev/null'" -i hosts

      #示例三、关闭定时任务,使定时任务失效
        # ansible oldboy -m cron -a "name=job2 minute=0 hour=5,2 job='ls >/dev/null' disabled=yes" -i hosts

  (7)mount模块

    present 将挂载信息写入/etc/fstab         unmounted 临时卸载,不会清理/etc/fstab
    mounted 先挂载,再将挂载信息写入/etc/fstab         absent 卸载,同时清理/etc/fstab

        #环境准备:将172.16.1.61作为nfs服务端,172.16.1.7、172.16.1.8作为nfs客户端挂载
        # ansible localhost -m yum -a 'name=nfs-utils state=present'
        # ansible localhost -m file -a 'path=/ops state=directory'
        # ansible localhost -m copy -a 'content="/ops 172.16.1.0/24(rw,sync)" dest=/etc/exports'
        # ansible localhost -m service -a "name=nfs state=restarted"

      #示例一、挂载nfs存储至本地的/opt目录,并实现开机自动挂载
        # ansible oldboy -m mount -a "src=172.16.1.61:/ops path=/opt fstype=nfs opts=defaults state=mounted"

      #示例三、永久卸载nfs的挂载,会清理/etc/fstab
        # ansible webservers -m mount -a "src=172.16.1.61:/ops path=/opt fstype=nfs opts=defaults state=absent"


  selinux模块
    # ansible oldboy -m selinux -a "state=disabled" -i hosts

  firewalld模块


    # ansible oldboy -m service -a "name=firewalld state=started" -i hosts

    示例一 永久放行https的流量,只有重启才会生效
      # ansible oldboy -m firewalld -a "zone=public service=https permanent=yes state=enabled" -i hosts

    示例二 永久放行8080端口的流量,只有重启才会生效
      # ansible oldboy -m firewalld -a "zone=public port=8080/tcp permanent=yes state=enabled" -i hosts
    示例三 放行8080-8090的所有tcp端口流量,临时和永久都生效.
      # ansible oldboy -m firewalld -a "zone=public port=8080-8090/tcp permanent=yes immediate=yes state=enabled" -i hosts

 

 

  
