Ansiable自动化运维工具使用

1)Ansiable简介

　　Ansible是一个轻量级的自动化运维工具，基于Python开发，集合了众多运维工具（puppet、cfengine、chef、func、fabric）的优点于一身，可以实现批量的系统配置、程序部署、批量运行命令等功能。现在自动化运维工具在实现远程管理时主要有以下两种分类：

agent类：被管理端需要安装agentd程序，如puppet、func、saltstack；

agent less类：在被管理端无需agentd程序，可以通过ssh服务来直接管理，如ansible

1.1)ansiable架构

 

1. 被管理的主机需要提前定义在主机列表文件中，和saltstack的认证类似。
2. ansible的大部分管理工作都是通过核心模块来完成，如定义哪个主机需要安装哪个服务等。
3. 可以自定义模块来完成ansible本身不具备的功能。
4. 把需要完成的任务定义在一个YAML格式编写的文件中，可以多次调用。

 

2)安装Ansiable

[root@s-30 ansible]#yum install ansible -y
...省略若干...
[root@s-30 ansible]# ansible --version
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg　　　　#Ansiable服务主配置文件
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
[root@s-30 ansible]# 

2.1)ansiable的基础配置

1、ansible服务主配置文件：/etc/ansible/ansible.cfg，该文件基本可以不用动。

2、主机列表配置文件：/etc/ansible/hosts，被管理的每个主机都需要在此文件中有定义。如果没有定义在主机列表文件中，执行命令会提示“No hosts matched”

[root@s-30 ansible]# vim hosts 

# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.

## green.example.com　　　　　　　　　　　　　　#这里填写被管理主机的ip或者域名
## blue.example.com
## 192.168.100.1
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.

## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10

# Ex 2: A collection of hosts belonging to the 'webservers' group

## [webservers]　　　　　　　　　　#定义了webservers组，被管理的主机添加到这个组，引用这个组就代表引用这里面的所有主机
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110

# If you have multiple hosts following a pattern you can specify
# them like this:

## www[001:006].example.com

# Ex 3: A collection of database servers in the 'dbservers' group

## [dbservers]
## 
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

# Here's another example of host ranges, this time there are no
# leading 0s:

## db-[99:101]-node.example.com

ansible默认使用SSH服务管理，每次需要输入被管理服务器的账号密码，为避免繁琐可以使用SSH免秘钥登录的方式，将服务器端生成的秘钥发送给其他被管理的机器；或者将登录信息记录在inventory主机列表文件中，ssh免秘钥分配。

1、使用ssh-keygen命令创建密钥对

[root@s-30 ansible]# ssh-keygen  -t  rsa #除了rsa格式，还有dsa格式，只不过rsa可以实现加密认证也可以进行签名认证，dsa只能用于签名认证
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ansiable　　#输入要保存的秘钥文件
Enter passphrase (empty for no passphrase): 　　　　　　　　#输入密码短语（不能为空）
Enter same passphrase again: 　　　　　　　　　　　　　　　　　#再输入上面的密码短语
Your identification has been saved in ansiable.
Your public key has been saved in ansiable.pub.
The key fingerprint is:
SHA256:asYsq1zmMusIAMlhTG+Ay4c/18lZO2SC8uqg8GZJ/Pg root@s-30
The key's randomart image is:
+---[RSA 2048]----+
|+=               |
|+o+              |
|+o.o  .          |
|oo.o . . +       |
|..o o o S .      |
|. oo = * o       |
|oo +B *   .      |
|++O=.=           |
|o+BBE            |
+----[SHA256]-----+
[root@s-30 ansible]# 

2、找到创建的秘钥对，公钥就是需要放在每台被管理机器上的文件。

[root@s-30 /]# cd /root/.ssh
[root@s-30 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@s-30 .ssh]# ll
total 12
-rw------- 1 root root 1679 Oct 17 04:57 id_rsa
-rw-r--r-- 1 root root  391 Oct 17 04:57 id_rsa.pub
-rw-r--r-- 1 root root  176 Oct 22 23:39 known_hosts

 

[root@s-30 bin]# ssh-copy-id  -i /root/.ssh/id_rsa.pub root@192.168.31.129　　#用ssh-copy-id像另一台主机发公钥
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.31.129 (192.168.31.129)' can't be established.
ECDSA key fingerprint is SHA256:JJIUQQvA7RQEwj/6oMBI4mcKUbodDDQFQO4VVqE/D/E.
ECDSA key fingerprint is MD5:87:19:f6:04:79:a7:af:24:36:01:9c:10:9d:2a:ac:90.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.31.129's password: 
Permission denied, please try again.
root@192.168.31.129's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.31.129'"
and check to make sure that only the key(s) you wanted were added.

[root@s-30 bin]# ssh 192.168.31.129 ifconfig　　　　　　　　　　　　#检测是否分发成功
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.31.129  netmask 255.255.255.0  broadcast 192.168.31.255
        inet6 fe80::a1be:8b76:26c5:2f5e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:2e:b4:f9  txqueuelen 1000  (Ethernet)
        RX packets 111  bytes 18471 (18.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 117  bytes 17770 (17.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@s-30 bin]#