22 Ansible-related tools: ansible, ansible-vault, ansible-console, ansible-galaxy
Ansible-related tools
| Command | Description |
|---|---|
| /usr/bin/ansible | Main program; the tool for running ad-hoc commands |
| /usr/bin/ansible-doc | Shows configuration documentation and what each module does; the equivalent of man |
| /usr/bin/ansible-playbook | Defines automated tasks and orchestrates playbooks; the equivalent of a script |
| /usr/bin/ansible-pull | Tool for executing commands remotely |
| /usr/bin/ansible-vault | File encryption tool |
| /usr/bin/ansible-console | Interactive execution tool with a console interface |
| /usr/bin/ansible-galaxy | Official platform for downloading/uploading high-quality code or Roles |
The main ways to manage hosts with Ansible:
- Ad-Hoc: uses the ansible command; mainly for one-off, temporary commands
- Ansible-playbook: mainly for planned, long-term, large projects; requires an upfront planning phase
ansible-doc
This tool displays module help; the equivalent of man
Format:
ansible-doc [options] [module...]
-l, --list # list the available modules
-s, --snippet # show a playbook snippet for the specified module
Examples:
# list all modules
[root@localhost ~]# ansible-doc -l
# view the help for a specified module
[root@localhost ~]# ansible-doc ping
[root@localhost ~]# ansible-doc -l | wc -l
3387
ansible
This tool uses the ssh protocol to manage the configuration of remote hosts, deploy applications, run tasks and so on.
Recommendation: before using this tool, configure the ansible control node so that it can reach every managed node with key-based authentication
- Example: a script that uses sshpass to set up key-based authentication on many hosts at once
[root@instance-gvpb80ao ~]# vim /etc/ssh/ssh_config
StrictHostKeyChecking no
[root@instance-gvpb80ao ~]# cat hosts.list
172.16.0.4
[root@instance-gvpb80ao ~]# vim push_ssh_key.sh
#!/bin/bash
# Script that pushes the ssh public key to many hosts (the shebang must be the first line)
rpm -q sshpass &> /dev/null || yum -y install sshpass
# Generate a key pair only if none exists yet
[ -f /root/.ssh/id_rsa ] || ssh-keygen -f /root/.ssh/id_rsa -P ''
export SSHPASS=1 # password, read by sshpass -e from the environment
while read IP; do
sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "$IP"
done < hosts.list # hosts.list in the current directory holds one IP per line
ansible command format
# syntax
ansible <hosts> -m [module_name] -a [command to run]
Option descriptions:
--version # show the version
-m module # specify the module; the default is command
-v # verbose output; -vv and -vvv are more verbose
--list-hosts # show the host list; can be shortened to --list
-C, --check # check mode; report what would change without executing
-T, --timeout=TIMEOUT # timeout for command execution, default 10s
-k, --ask-pass # prompt for the ssh connection password; key authentication is the default
-u, --user=REMOTE_USER # the user that runs the command on the remote host
-b, --become # replaces the old sudo option; switch user for privilege escalation
--become-user=USERNAME # the user sudo runs as; default root
-K, --ask-become-pass # prompt for the sudo password
Host patterns in ansible
Used to match the list of hosts to be controlled.
- Example:
[root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
172.16.0.4
[root@instance-gvpb80ao ~]# ansible all -m ping
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Wildcards
[root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
[私网]
172.16.0.4
[公网]
106.13.81.75
# Method 1
[root@instance-gvpb80ao ~]# ansible "*" -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# Method 2
[root@instance-gvpb80ao ~]# ansible "私网" -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# Method 3
[root@instance-gvpb80ao ~]# ansible '172*' -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# Method 4
[root@instance-gvpb80ao ~]# ansible '172.16.0.4 106.13.81.75' -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
OR relation
# in the 公网 group or in the 私网 group
[root@instance-gvpb80ao ~]# ansible '公网:私网' -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
172.16.0.4 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Logical AND
# in the 公网 group and also in the 私网 group
[root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
[私网]
172.16.0.4
106.13.81.75
[公网]
106.13.81.75
[root@instance-gvpb80ao ~]# ansible '公网:&私网' -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Logical NOT
# in the 公网 group but not in the 私网 group
[root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
[私网]
172.16.0.4
[公网]
106.13.81.75
[root@instance-gvpb80ao ~]# ansible '公网:!私网' -m ping
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Regular expressions
[root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
[private]
172.16.0.4
[public]
106.13.81.75
# names starting with pu
[root@instance-gvpb80ao ~]# ansible '~pu' -m ping
106.13.81.75 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
A specific group
[root@instance-gvpb80ao ~]# ansible private --list-hosts
hosts (1):
172.16.0.4
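The pattern semantics shown in the runs above (wildcards, `:` for OR, `:&` for AND, `:!` for NOT, `~` for a regular expression), as an added Python example written for this page; it is a simplified reimplementation, not Ansible's own inventory code. It parses a small constructed INI inventory and also handles the case the page does not show, a pattern that starts with `&` or `!`, which implies `all` as the base set.

```python
import fnmatch
import re

# Constructed INI inventory in the layout shown above (not the page's real file).
INVENTORY = "[private]\n172.16.0.4\n106.13.81.75\n[public]\n106.13.81.75\nweb01\n"

def parse_inventory(text):
    """Return {group: [hosts]} in file order, plus the implicit 'all' group."""
    groups, current = {"all": []}, "ungrouped"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
        else:
            groups.setdefault(current, []).append(line)
            if line not in groups["all"]:
                groups["all"].append(line)
    return groups

def match_term(term, groups):
    """Hosts for one term: a group or host name, a * wildcard, or a ~regex."""
    rx = re.compile(term[1:]).search if term.startswith("~") else None
    hit = rx or (lambda name: fnmatch.fnmatchcase(name, term))
    names = [g for g in groups if hit(g)] + [h for h in groups["all"] if hit(h)]
    hosts = []
    for n in names:
        for h in groups.get(n, [n]):  # expand a group; keep a host literal as-is
            if h not in hosts:
                hosts.append(h)
    return hosts

def resolve_pattern(pattern, groups):
    """Union the plain terms (split on ':', ',' or spaces), then apply '&' and '!' terms."""
    terms = [t for t in re.split(r"[:,\s]+", pattern.strip()) if t]
    plain = [t for t in terms if t[0] not in "&!"] or ["all"]  # '!x' alone means all:!x
    ordered = plain + [t for t in terms if t[0] == "&"] + [t for t in terms if t[0] == "!"]
    hosts = []
    for t in ordered:
        if t[0] == "&":
            hosts = [h for h in hosts if h in match_term(t[1:], groups)]
        elif t[0] == "!":
            hosts = [h for h in hosts if h not in match_term(t[1:], groups)]
        else:
            hosts += [h for h in match_term(t, groups) if h not in hosts]
    return hosts
```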
The ansible command execution process
- Load its own configuration file, by default /etc/ansible/ansible.cfg
- Load the module file that was requested, e.g. ping. ansible generates a temporary .py file from the module or command and transfers it to the remote server, into the executing user's $HOME/.ansible/tmp/ansible-tmp-<number>/XXX.PY
- Make the file executable (+x)
- Execute it and return the result
- Delete the temporary .py file and exit
ansible execution status
[root@instance-gvpb80ao tmp]# grep -A 14 '\[colors\]' /etc/ansible/ansible.cfg
[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
- Green: executed successfully and no change was needed
- Yellow: executed successfully and made a change on the target host
- Red: execution failed
ansible usage examples
# run the ping liveness check as user www
[root@m01 ansible]# ansible web -m ping -u www -k
SSH password: # enter www's password here
web02 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
web01 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
web03 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# as www, sudo to root and run ls
# Preparation
[root@web01 ~]# vim /etc/sudoers
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
www ALL=(ALL) ALL
[root@m01 ansible]# ansible web01 -u www -a 'ls /root' -b --become-user=root -K -k
SSH password: # ssh connection password of user www
BECOME password[defaults to SSH password]: # password for privilege escalation (sudo to root)
web01 | CHANGED | rc=0 >>
1.txt
anaconda-ks.cfg
scripts
Ansible-playbook
This tool runs a playbook that has already been written
[root@m01 ~]# cat hello.yaml
- hosts: web01
  remote_user: root
  gather_facts: no
  tasks:
    - name: hello world
      shell: echo "hello world" > /root/hello.txt
[root@m01 ~]# ansible-playbook hello.yaml
PLAY [web01] ***********************************************************************
TASK [hello world] *****************************************************************
changed: [web01]
PLAY RECAP *************************************************************************
web01 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@web01 ~]# ll
total 8
-rw-r--r-- 1 root root 0 May 27 11:54 1.txt
-rw-------. 1 root root 1730 Apr 15 09:47 anaconda-ks.cfg
-rw-r--r-- 1 root root 12 May 28 19:31 hello.txt
drwxr-xr-x 2 root root 32 Apr 23 12:02 scripts
[root@web01 ~]# cat hello.txt
hello world
ansible-vault
This tool encrypts and decrypts yml files.
Format
create # create a new encrypted playbook
decrypt # decrypt a playbook
edit # edit an encrypted playbook (prompts for the password)
view # view an encrypted playbook
encrypt # encrypt a YAML file
encrypt_string # encrypt a string
rekey # change the password
Examples
#create
[root@m01 ~]# ansible-vault create 1.yaml
New Vault password:
Confirm New Vault password:
[root@m01 ~]# cat 1.yaml
$ANSIBLE_VAULT;1.1;AES256
#decrypt
[root@m01 ~]# ansible-vault decrypt 1.yaml
Vault password:
Decryption successful
[root@m01 ~]# cat 1.yaml
- hosts: web01
  remote_user: root
  gather_facts: no
  tasks:
    - name: hello world
      shell: echo "hello world" > /root/hello.txt
#encrypt
[root@m01 ~]# ansible-vault encrypt 1.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
#view
[root@m01 ~]# ansible-vault view 1.yaml
Vault password:
- hosts: web01
  remote_user: root
  gather_facts: no
  tasks:
    - name: hello world
      shell: echo "hello world" > /root/hello.txt
#rekey
[root@m01 ~]# ansible-vault rekey 1.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
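An added Python example (not part of the original page or of Ansible) that checks the vault file format shown above: the file starts with the `$ANSIBLE_VAULT;<version>;AES256` header (format 1.2 appends a vault-id label) and is followed by a body of hex digits only, so a header pasted above plaintext is rejected. The file paths and contents are constructed; the check is meant as a pre-commit guard against committing unencrypted secret files.

```python
import re

# Header format shown above: $ANSIBLE_VAULT;<format version>;AES256; format 1.2
# appends a vault-id label as a fourth field.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([\w.\-]+))?$")

def vault_header(text):
    """Return (version, cipher, vault_id) when the first line is a vault header, else None."""
    first = text.splitlines()[0].strip() if text.strip() else ""
    m = HEADER_RE.match(first)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def is_vault_encrypted(text):
    """True only if a valid header is followed by a non-empty hex-only body,
    which is what ansible-vault writes; a header above plaintext fails."""
    if vault_header(text) is None:
        return False
    body = "".join(line.strip() for line in text.splitlines()[1:])
    return re.fullmatch(r"[0-9a-f]+", body) is not None

def find_plaintext_secrets(files):
    """files is {path: contents}; return the paths whose name suggests a vault
    or secret file but whose contents are not vault-encrypted."""
    return sorted(path for path, contents in files.items()
                  if re.search(r"vault|secret", path, re.I)
                  and not is_vault_encrypted(contents))

# Constructed sample files (not the page's real files); the hex bodies are made up.
SAMPLE_FILES = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n00112233445566778899aabbccddeeff\n",
    "group_vars/prod/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\nffeeddccbbaa99887766554433221100\n",
    "group_vars/all/secrets.yml": "db_password: hunter2\n",  # never encrypted
    "host_vars/web01/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\nnot really encrypted\n",
    "hello.yaml": "- hosts: web01\n  remote_user: root\n",  # not a secret file, ignored
}
```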
ansible-console
This tool runs commands interactively and supports tab completion; added in ansible 2.0+
Prompt format
user@current host group (number of hosts in the group)[f:number of forks]$
Common subcommands
- Set the number of forks: forks n, e.g. forks 3 # run on three hosts at a time
- Switch group: cd <host group>, e.g. cd web
- List the hosts of the current group: list
- List all built-in commands: ? or help
Example:
[root@m01 ~]# ansible-console
Welcome to the ansible console.
Type help or ? to list commands.
root@all (10)[f:5]$ cd web
root@web (3)[f:5]$ ping
web03 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
web02 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
web01 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
root@web (3)[f:5]$ list
web01
web02
web03
root@web (3)[f:5]$ forks 3
ansible-galaxy
This tool connects to https://galaxy.ansible.com to download roles
# list installed roles
[root@instance-gvpb80ao ~]# ansible-galaxy list
# /root/.ansible/roles
- geerlingguy.nginx, 3.0.0
# /usr/share/ansible/roles
# /etc/ansible/roles
# download the nginx role
[root@instance-gvpb80ao ~]# ansible-galaxy install geerlingguy.nginx
- downloading role 'nginx', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/3.0.0.tar.gz
- extracting geerlingguy.nginx to /root/.ansible/roles/geerlingguy.nginx
- geerlingguy.nginx (3.0.0) was installed successfully
# remove
[root@instance-gvpb80ao ~]# ansible-galaxy remove geerlingguy.nginx
- successfully removed geerlingguy.nginx