Ansible是什么
Ansible可以实现一条命令完成多件事情
一台服务器上的多件事
多台服务器上的多件事
配置文件查找优先级
ANSIBLE_CONFIG #全局
ansible.cfg #项目目录(当前工作目录; 注意: 较新版本的 Ansible 会忽略位于任何用户均可写目录中的 ansible.cfg, 以防被植入恶意配置)
~/.ansible.cfg #当前用户家目录
/etc/ansible/ansible.cfg
Ansible Inventory 主机清单
Ansible Ad-Hoc 模块
1.yum | yum_repository
2.copy
3.file
4.service|systemd
5.cron
6.mount
7.user
8.group
9.shell | command
10.firewalld | selinux
1.yum:装软件
name: 软件包名称 | URL地址 | 本地的某个路径下的rpm包
state: 具体动作 present absent latest
exclude: 排除
enablerepo 通过哪个仓库安装
disablerepo 安装时不使用哪个仓库
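# Example 1: install Apache. state=latest installs it when missing AND upgrades it when already
# present; use state=present if an installed package must be left untouched.
[root@manager ~/ansible-project1]# ansible oldboy -m yum -a "name=httpd state=latest"
# Example 2: install Apache using only the epel repository
[root@manager ~]# ansible oldboy -m yum -a "name=httpd enablerepo=epel state=present"
# Example 3: install an rpm straight from a URL.
# Security: the file travels over plain HTTP and nothing in this command verifies it, while its
# install scriptlets run as root on every target. Prefer an https:// source and keep gpgcheck
# enabled in the repo config so the package signature is checked before installation.
[root@manager ~/ansible-project1]# ansible oldboy -m yum -a "name=http://192.168.16.236/zabbix/4.0/rhel/7/x86_64/zabbix-agent-4.0.0-2.el7.x86_64.rpm state=present"
# Example 5: update every package except kernel*.
# The original wrote exclude="kernel*" inside an already double-quoted string, which closed the
# outer quotes early and left kernel* unquoted - the shell could glob-expand it against files in
# the current directory. Single quotes inside the double-quoted string avoid that.
[root@manager ~/ansible-project1]# ansible oldboy -m yum -a "name='*' state=latest exclude='kernel*'"
# Example 6: remove Apache
[root@manager ~/ansible-project1]# ansible oldboy -m yum -a "name=httpd state=absent"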
2.copy
src #当前管理机的配置文件路径
content #要写入的内容
dest #目标文件的配置文件路径
owner #属主
group #属组
mode #权限
backup #备份 (每个变更进行备份)
# Push the local ./hosts file into /tmp/ on every host of the oldboy group, root-owned and
# readable by root only (mode 600); backup=yes keeps a dated copy of any file it overwrites.
[root@manager ~/ansible-project1]# ansible oldboy -m copy -a "backup=yes mode=600 group=root owner=root dest=/tmp/ src=./hosts"
管理httpd配置文件
# Deploy the managed httpd.conf from ./files, root:root 0644, backing up the previous copy on the target.
[root@manager ~/ansible-project1]# ansible oldboy -m copy -a 'backup=yes mode=0644 group=root owner=root dest=/etc/httpd/conf/httpd.conf src=./files/httpd.conf'
3.systemd
name: 服务名称
state: started stopped restarted reloaded
enabled: 开机自启动 yes|no
1.启动httpd服务
# Start httpd now (no change to its boot-time state).
[root@manager ~/ansible-project1]# ansible oldboy -m systemd -a 'state=started name=httpd'
2.开机自启动
# Start httpd now and enable it so it also starts at boot.
[root@manager ~/ansible-project1]# ansible oldboy -m systemd -a 'enabled=yes state=started name=httpd'
4.file模块
path: /work #在被控端哪个路径下创建目录 | 文件
state: directory touch # directory 目录 touch 文件
owner: root
group: root
mode: '0755'
recurse: yes 递归授权
# Ensure the directory /ansible_data exists on the targets, owned by root:root with mode 0755.
[root@manager ~/ansible-project1]# ansible oldboy -m file -a 'mode=0755 group=root owner=root state=directory path=/ansible_data'
5.group
name: 组名称
state: present absent
gid: 组id
# Create group "test" with gid 8888 ...
[root@manager ~/ansible-project1]# ansible oldboy -m group -a 'state=present gid=8888 name=test'
# ... and remove it again (state=absent).
[root@manager ~/ansible-project1]# ansible oldboy -m group -a 'state=absent name=test'
6.user
name: 指定用户名称
uid: 指定用户的uid
group: 指定用户的组名称 或 组 GID
groups: 指定用户的附加组(附加组需存在) append:yes 给一个用户追加附加组
create_home 创建用户家目录/home/Username 默认yes | no
shell: 指定登录用户的bash /bin/bash /sbin/nologin
system: 指定系统用户
password
1.创建一个dev用户,uid为9999 属于test主组,附加组为adm,root组 (注意: 加入root组后即可访问所有root组可读/可写的文件,属于较高权限,应按需谨慎授予)
# Create user dev (uid 9999, primary group test, supplementary groups adm and root, bash shell, home created).
# Least-privilege note: membership of the root group grants access to every root-group-readable file;
# only add it when the user really needs that.
[root@manager ~/ansible-project1]# ansible oldboy -m user -a 'create_home=yes shell=/bin/bash groups=adm,root group=test uid=9999 name=dev'
2.追加两个组给dev用户
# Add bin and daemon to dev's supplementary groups; append=yes keeps the groups it already has
# (without it, groups= would replace the whole list).
[root@manager ~/ansible-project1]# ansible oldboy -m user -a 'append=yes groups=bin,daemon name=dev'
3.创建一个系统用户ops,没有家目录 不允许登录系统
# Service account ops: system uid range, no home directory, and /sbin/nologin so it cannot log in.
[root@manager ~/ansible-project1]# ansible oldboy -m user -a 'create_home=no shell=/sbin/nologin system=yes name=ops'
4.创建一个普通用户,可登录 devops 123456 (示例口令仅用于演示; 生产环境中应把哈希存放在 Ansible Vault 变量里, 并在 playbook 中为该任务设置 no_log: true, 避免口令/哈希出现在日志和 shell 历史中)
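# Step 1: hash the password on the control node. Without an explicit salt, password_hash() picks a
# random salt per call; the fixed 'mysecretsalt' of the original would be reused for every hash you
# generate. The plaintext still lands in shell history and the process list here - for real
# deployments keep the resulting hash in an Ansible Vault variable instead.
ansible all -i localhost, -m debug -a "msg={{ '123456' | password_hash('sha512') }}"
# Example output (this one was produced with the fixed salt 'mysecretsalt' in the original; your run
# prints a different $6$<salt>$... value). The hash, never the plaintext, is what gets stored.
"msg": "$6$mysecretsalt$ZB9R8AirQYAXhtfhOo2qdJz52FyNI6v3L6Uc3KNRP.arBKIYpcuEyQewT5qBAHoyQFwHkW6Z551Ql.cZ53GeY0"
# Step 2: create the user with the hash printed above. The outer single quotes are required so the
# shell does not expand the $6$... fields. The user module rewrites the password on every run;
# add update_password=on_create if a password the user later changed must be preserved.
[root@manager ~/ansible-project1]# ansible oldboy -m user -a 'name=devops password="$6$mysecretsalt$ZB9R8AirQYAXhtfhOo2qdJz52FyNI6v3L6Uc3KNRP.arBKIYpcuEyQewT5qBAHoyQFwHkW6Z551Ql.cZ53GeY0"'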
7.mount
src: 源设备 (磁盘 | 光盘| 远程的共享的地址) src=172.16.1.31:/data
path: 挂载点
fstype: 设备类型 nfs xfs ext4 iso9660 ....
opts: 挂载选项 defaults
state: 动作
mounted   立即挂载并写入 /etc/fstab (永久生效)      unmounted 立即卸载, 但保留 fstab 条目
present   只写入 fstab, 不立即挂载                   absent    卸载并删除 fstab 条目
1.挂载172.16.1.31/data/blog 挂载至本地的/opt
# Mount 172.16.1.31:/data/blog on /opt and persist it in /etc/fstab (state=mounted).
# Security note: opts=defaults permits suid binaries, device nodes and execution from the share;
# for a data-only share consider opts=defaults,nosuid,nodev (kept as in the tutorial here).
[root@manager ~/ansible-project1]# ansible oldboy -m mount -a 'state=mounted opts=defaults fstype=nfs path=/opt src=172.16.1.31:/data/blog'
# Unmount it again; state=unmounted leaves the fstab entry in place, state=absent would remove it too.
[root@manager ~/ansible-project1]# ansible oldboy -m mount -a 'state=unmounted opts=defaults fstype=nfs path=/opt src=172.16.1.31:/data/blog'
8.selinux
# Persistently set SELinux to disabled (written to /etc/selinux/config; takes effect after a reboot,
# which the module normally flags in its result).
# Security note: this removes a mandatory-access-control layer from every targeted host. Prefer
# state=permissive while troubleshooting (denials are logged, not enforced) and fix the policy,
# rather than disabling SELinux fleet-wide.
[root@manager ~/ansible-project1]# ansible oldboy -m selinux -a 'state=disabled'
9.firewalld
zone: 指定区域 默认public
service: 指定服务名称
port: 指定端口
state: 启用或禁止
masquerade: 开启地址伪装(SNAT) yes
immediate: 立即写入运行时配置 yes (若不同时指定 permanent=yes, 重启/reload firewalld 后规则丢失)
permanent: 写入永久配置 yes (需配合 immediate=yes 才会立即生效, 否则要等 reload 之后才生效)
source: 来源IP
rich_rule: rule service name="ftp" audit limit value="1/m" accept
1.放行http服务
# Allow the predefined "http" service in the public zone, both at runtime (immediate) and persistently (permanent).
[root@manager ~/ansible-project1]# ansible 172.16.1.31 -m firewalld -a 'permanent=yes immediate=yes state=enabled service=http zone=public'
2.放行tcp80端口
# Same effect expressed as a raw port: open TCP 80 in the public zone, runtime and permanent.
[root@manager ~/ansible-project1]# ansible 172.16.1.31 -m firewalld -a 'permanent=yes immediate=yes state=enabled port=80/tcp zone=public'
3.将5555端口转发到 172.16.1.7 22 端口 开启masquerade地址伪装
# Forward TCP 5555 on this host to 172.16.1.7:22. Runtime only: permanent=yes is not given, so the
# rule disappears on the next firewalld reload/restart.
# Security: this publishes another machine's SSH port to every source that can reach the public zone;
# add a "source address=..." clause to the rich rule unless that exposure is intended.
[root@manager ~/ansible-project1]# ansible 172.16.1.31 -m firewalld -a "immediate=yes state=enabled zone=public rich_rule='rule family=ipv4 forward-port port=5555 protocol=tcp to-port=22 to-addr=172.16.1.7'"
# Turn on masquerading (SNAT) for the public zone - typically required so the forwarded traffic's
# replies come back through this host. Also runtime only.
[root@manager ~/ansible-project1]# ansible 172.16.1.31 -m firewalld -a "immediate=yes state=enabled zone=public masquerade=yes"
4.配置基于来源IP 10.0.0.100/32 的主机 放行 ssh(22) 端口 (注意: rich rule 只是额外 accept; 若 public 区域本身已放行 ssh 服务, 其他来源仍然可以访问, 要真正限制来源还需移除区域级的 ssh 服务)
# Accept SSH only from 10.0.0.100/32 through a rich rule (runtime only - no permanent=yes).
# Note: this ADDS an accept; it does not remove a zone-level "ssh" service that may already admit every
# source. Check with firewall-cmd --list-all that no broader rule remains if the goal is to restrict SSH.
[root@manager ~/ansible-project1]# ansible 172.16.1.31 -m firewalld -a "immediate=yes state=enabled zone=public rich_rule='rule family=ipv4 source address=10.0.0.100/32 service name=ssh accept'"
10.cron
1.添加一个定时任务 (能不能执行跟cron模块没有关系)
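# Add a root crontab entry named "Backup scripts" that runs daily at 05:00.
# cron executes the job line with /bin/sh, where the bash-only "&>/dev/null" is not guaranteed to
# work (a POSIX sh such as dash reads it as "&" background + ">/dev/null"); the portable form is
# ">/dev/null 2>&1".
[root@manager ~/ansible-project1]# ansible oldboy -m cron -a "name='Backup scripts' minute=00 hour=05 user=root job='/bin/bash /scripts/check_data.sh >/dev/null 2>&1'"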
2.删除定时任务
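# Remove the entry. The cron module identifies a job by its name (and user), so only those are
# needed for state=absent; repeating minute/hour/job is harmless but unnecessary. If you do repeat
# the job text, use the portable ">/dev/null 2>&1" rather than the bash-only "&>/dev/null".
[root@manager ~/ansible-project1]# ansible oldboy -m cron -a "name='Backup scripts' user=root state=absent"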
11.yum_repository
name: 仓库名称,并且是文件的名称
description: 描述--
baseurl: 仓库的地址|很重要 http:// https:// ftp:// file://
enabled: 是否启用该仓库yes
gpgcheck: 是否校验软件包的 GPG 签名 yes|no (应设为 yes 并用 gpgkey 指定公钥; 设为 no 意味着该仓库的任何包都会被不加验证地安装)
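# Create /etc/yum.repos.d/rpmforge.repo pointing at a CentOS mirror over https.
# Security: the original used gpgcheck=no, so every rpm from the mirror would be installed unverified.
# Signature checking is enabled here; the gpgkey path is the stock CentOS 7 key installed with
# centos-release - adjust it to whatever key the repository's packages are actually signed with.
[root@manager ~/ansible-project1]# ansible oldboy -m yum_repository -a 'name=rpmforge description="RPMforge YUM Repo" baseurl="https://mirrors.tuna.tsinghua.edu.cn/centos/$releasever/os/$basearch/" enabled=yes gpgcheck=yes gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7'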
ansible-doc
1.使用ansible 的 ad-hoc 搭建 NFS 服务
1.安装nfs
# Install the NFS server/client tools on the nfs group (idempotent: present, not latest).
# ansible nfs -m yum -a 'state=present name=nfs-utils'
2.配置nfs
# Export file kept on the control node. Despite the .j2 suffix it is pushed with copy, not template,
# so nothing in it is rendered.
[root@manager ~/ansible-project1]# cat exports.j2
# Each share: read-write for the whole 172.16.1.0/24 network, synchronous writes, and every client
# identity squashed to uid/gid 666 (all_squash) - those numbers must match the www account created
# in the next step. Security: a /24 grants access to every host on that subnet; list only the clients
# that need the share.
/data/blog 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/zh 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/data/ansible 172.16.1.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
# Install it as /etc/exports on the nfs group, root:root 0644, keeping a backup of the previous file.
[root@manager ~/ansible-project1]# ansible nfs -m copy -a "src=./exports.j2 dest=/etc/exports owner=root group=root mode=0644 backup=yes"
3.根据配置文件进行初始化操作 创建用户 创建目录 授权
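# Account that all_squash maps NFS clients to: uid/gid 666 must equal anonuid/anongid in /etc/exports.
[root@manager ~/ansible-project1]# ansible nfs -m group -a "name=www gid=666 state=present"
# www is a service account that only exists for the squash mapping: give it no login shell and no home
# directory (the original created it with a login shell and /home/www, which it does not need).
[root@manager ~/ansible-project1]# ansible nfs -m user -a "name=www uid=666 group=www shell=/sbin/nologin create_home=no state=present"
# Create the share directory and hand it to www; recurse=yes also re-owns anything already under it.
[root@manager ~/ansible-project1]# ansible nfs -m file -a "path=/data/ansible state=directory owner=www group=www mode=755 recurse=yes"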
3.启动nfs
# Restart nfs so the new /etc/exports is picked up, and enable it at boot. Note state=restarted
# restarts on every run; for an idempotent play use state=started plus a handler for changes.
[root@manager ~/ansible-project1]# ansible nfs -m systemd -a 'enabled=yes state=restarted name=nfs'
2.使用ansible 的 ad-hoc 实现 NFS 挂载
1.安装nfs-utils工具
# Clients need nfs-utils as well to mount NFS shares.
[root@manager ~/ansible-project1]# ansible web -m yum -a 'state=present name=nfs-utils'
2.使用mount挂载即可
# Mount the ansible share on /mnt and persist it in /etc/fstab.
[root@manager ~/ansible-project1]# ansible web -m mount -a 'state=mounted opts=defaults fstype=nfs path=/mnt src=172.16.1.31:/data/ansible'
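# NFS server play: install, configure /etc/exports, create the squash account and share, restart.
- hosts: nfs
  tasks:
    - name: Installed NFS Server
      yum:
        name: nfs-utils
        state: present

    - name: Configure NFS Server
      # exports.j2 is a plain file here (copy, not template - nothing is rendered).
      copy:
        src: ./exports.j2
        dest: /etc/exports
        owner: root
        group: root
        mode: '0644'   # quoted: a bare 0644 relies on YAML octal parsing, which newer YAML dialects drop

    - name: Create NFS Group
      # gid 666 must match anongid in /etc/exports.
      group:
        name: www
        gid: 666

    - name: Create NFS User
      # uid 666 must match anonuid. Service account only: no login shell, no home directory.
      user:
        name: www
        uid: 666
        group: 666
        shell: /sbin/nologin
        create_home: no

    - name: Create NFS Share directory
      file:
        path: /data/ansible
        state: directory
        owner: www
        group: www
        # BUG FIX: the original had an unquoted "mode: 755", which YAML reads as decimal 755
        # (= octal 1363, i.e. rwx-wx-wt with the sticky bit), not rwxr-xr-x. Quote it.
        mode: '0755'

    - name: Restart NFS Server
      # Restarts on every run. For an idempotent play use state: started here and move the restart
      # into a handler notified by the "Configure NFS Server" task.
      systemd:
        name: nfs
        state: restarted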
[root@manager ~/ansible-project1]# cat nfs-client.yml
# NFS client play: mount the share now and persist it in /etc/fstab (state: mounted).
- hosts: web
  tasks:
    - name: Mount NFS Server
      mount:
        path: /mnt
        src: 172.16.1.31:/data/ansible
        fstype: nfs
        opts: defaults
        state: mounted
playbook中的vars_file设定变量
1.装软件
# Task-scoped vars: the yum module accepts a list and installs all packages in one transaction.
- name: ensure a list of packages installed
  vars:
    packages: [httpd, httpd-tools]
  yum:
    name: "{{ packages }}"
2.拷贝多分配置文件 1个tasks拷贝多个文件 字典
# One task copies several files; each loop item supplies its own src/dest/mode.
# rsync.passwd (presumably the rsync credentials file) is 0600, the config file 0644.
- name: Copy Rsync Configure
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  loop:
    - src: ./rsyncd.conf.j2
      dest: /etc/rsyncd.conf
      mode: '0644'
    - src: ./rsync.passwd.j2
      dest: /etc/rsync.passwd
      mode: '0600'
  notify: Restart Rsync Server
3.批量启动服务 1个tasks启动多个服务 列表
# Start and enable every listed unit; the module runs once per loop item.
- name: Systemd Httpd Server
  systemd:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop: [httpd, firewalld]
Ansible 判断when
1.根据不同的操作系统,安装不同的软件
[root@manager ~/ansible_variables]# cat play_14.yml
# Conditional example: the task is skipped on every host whose ansible_distribution is not "Ubuntu".
# (It still calls yum, which would most likely fail on a real Ubuntu host where apt is the package
# manager - the point of the example is the skip behaviour on CentOS.)
- hosts: all
  tasks:
    - name: Installed Httpd Server Centos
      yum:
        name: httpd
        state: present
      when: ansible_distribution == "Ubuntu"
[root@manager ~/ansible_variables]# cat play_14.yml
# Pick the package by distribution and major version. A list under "when" is ANDed, which is
# exactly what the original's "( ... ) and ( ... )" expression did.
- hosts: all
  tasks:
    - name: Installed Httpd Server Centos
      yum:
        name: httpd
        state: present
      when:
        - ansible_distribution == "CentOS"
        - ansible_distribution_major_version == "7"

    - name: Installed Httpd Server Centos
      # CentOS 6 branch (package name "httpd2" taken verbatim from the original example).
      yum:
        name: httpd2
        state: present
      when:
        - ansible_distribution == "CentOS"
        - ansible_distribution_major_version == "6"
2.根据不同的主机名称,配置不同的源 all--> web--->nginx_repo
[root@manager ~/ansible_variables]# cat play_15.yml
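# Configure the nginx repo only on hosts whose hostname starts with "web".
- hosts: all
  tasks:
    - name: This is when repo
      yum_repository:
        name: oldxu
        description: oldxu
        # https so repo metadata cannot be altered in transit, and GPG verification on so unsigned
        # packages are refused (the original used http and gpgcheck: no).
        baseurl: https://nginx.org/packages/centos/$releasever/$basearch/
        gpgcheck: yes
        gpgkey: https://nginx.org/keys/nginx_signing.key
      # "is match" applies a regex anchored at the start of the string. The original pattern "web*"
      # means "we" followed by zero or more "b", so it also matched names like "we1"; "web" matches
      # every hostname that begins with web.
      when: ansible_hostname is match("web")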
触发器 Handlers
1.特殊Tasks
2.不会被正常的TASKS调用。
3.当有notify调用时,才会被执行。
注意: 无论Handlers被调用多少次,最终只会在正常的Tasks结束后,才执行。
tag标签
(tasks较多时,需要对指定的某个tasks进行调试)
将tasks与标签捆绑–> 后期针对指定的tag进行执行
1.支持一个tasks对应一个tag标签
2.支持一个tasks对应多个tag标签
1.执行指定的标签
# Run only the tasks tagged "install" (--tags is the long form of -t).
ansible-playbook --tags install redis_server.yml
2.除了某个tags,其余都执行
# Run everything except the tasks tagged "install".
ansible-playbook --skip-tags=install redis_server.yml
ignore_errors 忽略错误
[root@manager ~/ansible_tasks]# vim task_2.yml
# ignore_errors demo: /bin/false always exits non-zero, but the play carries on to the next task.
- hosts: all
  tasks:
    - name: Ignore False
      command: /bin/false
      ignore_errors: yes

    - name: touch new file
      # Reached only because the failure above was ignored.
      file:
        path: /tmp/bgx_ignore
        state: touch
force_handlers
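- hosts: web
  # Run notified handlers even when a later task in the play fails.
  # The original put this explanation inline after "yes" (force_handlers: yes <---...), which YAML
  # would have read as part of the value - a string, not a boolean - and rejected. Keep notes in comments.
  force_handlers: yes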
changed_when
[root@manager ~/ansible_tasks]# cat task3.yml
- hosts: web
tasks:
[root@manager ~/ansible_tasks]# cat task4.yml
# Render the nginx reverse-proxy config for cloud_server_name.
- hosts: web
  vars:
    cloud_server_name: cloud.qxh.com   # used as upstream name, server_name and proxy_pass target
  tasks:
    - name: Configure Nginx Conf
      # dest is /tmp for inspection only; a live config belongs under /etc/nginx/conf.d/ with
      # explicit owner/group/mode.
      template:
        src: proxy_cloud.qxh.com.conf.j2
        dest: /tmp/proxy.conf
[root@manager ~/ansible_tasks]# cat proxy_cloud.qxh.com.conf.j2
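{# Reverse proxy for cloud_server_name: one upstream server per host in the "web" inventory group.
   The original emitted the bare inventory name, which nginx can only use if it resolves in DNS or
   /etc/hosts on the proxy; prefer the host's ansible_host (its reachable address) when the inventory
   defines one and fall back to the inventory name otherwise. #}
upstream {{ cloud_server_name }} {
{% for host in groups['web'] %}
    server {{ hostvars[host]['ansible_host'] | default(host) }}:80;
{% endfor %}
}
server {
    listen 80;
    server_name {{ cloud_server_name }};
    location / {
        proxy_pass http://{{ cloud_server_name }};
    }
}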
playbook 目录结构 (Roles 角色的标准目录结构)
nginx
tasks <--tasks任务
main.yml
handlers <--handlers触发器
main.yml
templates <--模板文件
main.yml
vars <--变量
main.yml
files <--文件 tar|zip
meta <--依赖间关系