Basic use of Ansible Playbooks: setting up an httpd service, templates, variables, and some simple playbook applications


Preface:

This post assumes Ansible is already set up, as covered in:
Setting up the automation and operations tool Ansible

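I. Make the Tab key insert two spaces in .yml files

This is a formatting requirement of .yml files: YAML is indented with spaces, and tab characters are not allowed for indentation.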

[devops@server1 ~]$ vim .vimrc
autocmd filetype yaml setlocal ai ts=2 sw=2 et

II. Create playbook.yml and run the playbook

1. Edit playbook.yml

[devops@server1 ansible]$ vim playbook.yml
[devops@server1 ansible]$ cat playbook.yml 
---
# deploy apache
- hosts: webservers    # which hosts to run on
  tasks:    # tasks
    - name: install httpd    # install the httpd package
      yum:
        name: httpd
        state: latest

    - name: start httpd    # start the httpd service
      service:
        name: httpd
        state: started

  • List the hosts the playbook targets:
[devops@server1 ansible]$ ansible-playbook playbook.yml --list-hosts

playbook: playbook.yml

  play #1 (webservers): webservers	TAGS: []
    pattern: [u'webservers']
    hosts (2):
      server2
      server3
  • List the playbook's tasks:
[devops@server1 ansible]$ ansible-playbook playbook.yml --list-tasks

playbook: playbook.yml

  play #1 (webservers): webservers	TAGS: []
    tasks:
      install httpd	TAGS: []
      start httpd	TAGS: []

2. Run the playbook

[devops@server1 ansible]$ ansible-playbook playbook.yml --syntax-check    # syntax-check the playbook
[devops@server1 ansible]$ ansible-playbook playbook.yml    # run the playbook

3. Test

Edit the playbook so that the served page has known content:

[devops@server1 ansible]$ vim playbook.yml    # edit the playbook and add a task
---
# deploy apache
- hosts: webservers
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "www.westos.com\n"
        dest: /var/www/html/index.html

    - name: start httpd
      service:
        name: httpd
        state: started

  • Run the playbook
  • Test

III. Add tasks

1. Write playbook.yml

[devops@server1 ansible]$ vim playbook.yml
---
# deploy apache
- hosts: webservers
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "www.westos.com\n"
        dest: /var/www/html/index.html

    - name: configure httpd
      copy:
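        # copy httpd.conf from the files directory under the current directory to the given path on the target hosts
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        owner: root
        group: root
        mode: "0644"    # quoted so the value is read as octal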

    - name: start httpd
      service:
        name: httpd
        state: started

2. Create the files directory and its contents

[devops@server1 ansible]$ mkdir files
[devops@server1 ansible]$ cd files/
[devops@server1 files]$ ls
[devops@server1 files]$ scp server3:/etc/httpd/conf/httpd.conf .    # copy server3's httpd configuration file into the current directory
httpd.conf                                                  100%   11KB  11.5KB/s   00:00    
[devops@server1 files]$ ls
httpd.conf
[devops@server1 files]$ cd ..
[devops@server1 ansible]$ ls
ansible.cfg  files  inventory  playbook.yml

3. Syntax-check and run

[devops@server1 ansible]$ ansible-playbook playbook.yml --syntax-check
[devops@server1 ansible]$ ansible-playbook playbook.yml

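We can use the file's MD5 checksum to check whether the content is identical (MD5 is adequate for spotting accidental differences; it is not collision-resistant, so it does not prove a file was not deliberately altered):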

[devops@server1 ansible]$ md5sum files/httpd.conf

  • Enable the service at boot:
[devops@server1 ansible]$ vim playbook.yml
---
# deploy apache
- hosts: webservers
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "www.westos.com\n"
        dest: /var/www/html/index.html

    - name: configure httpd
      copy:
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        owner: root
        group: root
        mode: "0644"

    - name: start httpd
      service:
        name: httpd
        state: started
        enabled: true


[devops@server1 ansible]$ ansible-playbook playbook.yml --syntax-check

playbook: playbook.yml
[devops@server1 ansible]$ ansible-playbook playbook.yml

IV. Write a handler so the service is restarted when the file changes and left alone when it does not

1. Write the playbook

[devops@server1 ansible]$ vim playbook.yml
---
# deploy apache
- hosts: webservers
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "www.westos.com\n"
        dest: /var/www/html/index.html

    - name: configure httpd
      copy:
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart httpd

    - name: start httpd
      service:
        name: httpd
        state: started
        enabled: true

  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted

2. Change httpd.conf in the files directory

[devops@server1 ansible]$ vim files/httpd.conf
Listen 8080

3. Run the playbook and check that the change took effect

[devops@server1 ansible]$ ansible-playbook playbook.yml --syntax-check

playbook: playbook.yml
[devops@server1 ansible]$ ansible-playbook playbook.yml
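  • Check that it took effect:
    The port was changed successfully. Remember to change it back after the experiment.

V. Configure the firewall (in a production environment)

1. Write playbook.yml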

# deploy apache
- hosts: webservers
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "www.westos.com\n"
        dest: /var/www/html/index.html

    - name: configure httpd
      copy:
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart httpd

    - name: start httpd
      service:
        name: httpd
        state: started
        enabled: true

    - name: start firewalld
      service:
        name: firewalld
        state: started
        enabled: true

    - name: configure firewalld
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes

  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted

2. Syntax-check the playbook and run it

[devops@server1 ansible]$ ansible-playbook playbook.yml --syntax-check

playbook: playbook.yml
[devops@server1 ansible]$ ansible-playbook playbook.yml

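3. Check that the firewall is running on server2

The firewall is running, and http has been added to its allowed services.

VI. Use variables for dynamic http service deployment

1. Two notations for system variables (facts)

(1) First notation: bracket syntax

[devops@server1 ansible]$ vim playbook.yml
Change the following task: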
    - name: create index.html
      copy:
        content: "{{ ansible_facts['hostname'] }}\n"
        dest: /var/www/html/index.html

Run:

[devops@server1 ansible]$ ansible-playbook playbook.yml

Test:

(2) Second notation: dot syntax

[devops@server1 ansible]$ vim playbook.yml
    - name: create index.html
      copy:
        content: "{{ ansible_facts.hostname }}\n"
        dest: /var/www/html/index.html

Run:

[devops@server1 ansible]$ ansible-playbook playbook.yml

Check:

View the hosts' system variables (facts):

[devops@server1 ansible]$ ansible test -m setup|less

Exercise: change the published content to "hostname IP":

[devops@server1 ansible]$ ansible test -m setup|less
    - name: create index.html
      copy:
        content: "{{ ansible_facts.hostname }} {{ ansible_facts['default_ipv4']['address'] }}\n"
        dest: /var/www/html/index.html

2. Run a single task from the playbook on its own

[devops@server1 ansible]$ vim playbook.yml
    - name: create index.html
      copy:
        content: "{{ ansible_facts.hostname }} {{ ansible_facts['default_ipv4']['address'] }}\n"
        dest: /var/www/html/index.html
      tags: one

Pass the -t option with the tag name when running the playbook.

3. Use the template module to write an httpd configuration file containing variables

[devops@server1 ansible]$ vim playbook.yml
---
# deploy apache
- hosts: webservers
  vars:
    http_port: 80
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: latest

    - name: create index.html
      copy:
        content: "{{ ansible_facts.hostname }} {{ ansible_facts['default_ipv4']['address'] }}\n"
        dest: /var/www/html/index.html
      tags: one

    - name: configure httpd
      template:
        src: files/httpd.conf.j2
        dest: /etc/httpd/conf/httpd.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart httpd

    - name: start httpd
      service:
        name: httpd
        state: started
        enabled: true

    - name: start firewalld
      service:
        name: firewalld
        state: started
        enabled: true

    - name: configure firewalld
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes
  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted

Rename files/httpd.conf to httpd.conf.j2:

[devops@server1 ansible]$ mv files/httpd.conf files/httpd.conf.j2

Edit httpd.conf.j2:

[devops@server1 ansible]$ vim files/httpd.conf.j2
Listen {{ http_port }}

Run:

4. Write a playbook that reads system information and stores it in a file

[devops@server1 ansible]$ mkdir templates
[devops@server1 ansible]$ vim hostinfo.yml
---
- hosts: all
  tasks:
    - name: create infofile
      template:
        src: templates/info.j2
        dest: /mnt/hostinfo
[devops@server1 ansible]$ cd templates/
[devops@server1 templates]$ vim info.j2
Hostname: {{ ansible_facts['hostname'] }}
Host IP address: {{ ansible_facts['default_ipv4']['address'] }}
Root partition size: {{ ansible_facts['devices']['dm-0']['size'] }}
System kernel: {{ ansible_facts['distribution_version'] }}

Syntax-check and run:

[devops@server1 ansible]$ ansible-playbook hostinfo.yml --syntax-check

playbook: hostinfo.yml
[devops@server1 ansible]$ ansible-playbook hostinfo.yml

5. Variables can also be used to configure different services on different hosts:

Example:

[devops@server1 ansible]$ vim install.yml

---
- hosts: all
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: present
      when: ansible_facts['hostname'] == 'server2'
      
    - name: install mariadb
      yum:
        name: mariadb
        state: present         
      when: ansible_facts['hostname'] == 'server3'

Syntax-check and run:

A loop over a list, much like a Python list, can also specify the packages to install:

[devops@server1 ansible]$ vim install.yml
---
- hosts: all
  tasks:
    - name: install httpd
      yum:
        name: '{{ item }}'
        state: present
      when: ansible_facts['hostname'] == 'server2'
      loop:
        - httpd
        - mariadb
        - php
        - php-mysql

    - name: install mariadb
      yum:
        name: mariadb
        state: present
      when: ansible_facts['hostname'] == 'server3'

6. Use Ansible to quickly deploy name resolution (/etc/hosts) to every host

[devops@server1 ansible]$ vim hostinfo.yml
---
- hosts: all
  tasks:
    - name: create infofile
      template:
        src: templates/info.j2
        dest: /mnt/hostinfo
        
    - name: create hosts
      template:
        src: templates/host.j2
        dest: /etc/hosts
        owner: root
        group: root
        mode: 644
[devops@server1 ansible]$ vim templates/host.j2
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.254.250  content.example.com
{% for host in groups['webservers'] %}
{{ hostvars[host]['ansible_facts']['eth0']['ipv4']['address'] }}        {{ hostvars[host]['ansible_facts']['hostname'] }}
{% endfor %}

Inventory file, with server1 added to the test group:

[test]
server2
server1
[db]
server3

[webservers:children]
test
db

[devops@server1 ansible]$ ssh-copy-id server1

Run:

[devops@server1 ansible]$ ansible-playbook  hostinfo.yml

7. Add users in bulk

[devops@server1 ansible]$ vim adduser.yml
---
- hosts:  all
  tasks:
    - name: create users
      user:
        name: "{{ item }}"
        state: present
        password: redhat
      loop:
        - user1
        - user2
        - user3
        - user4

Run:

[devops@server1 ansible]$ ansible-playbook adduser.yml

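Added this way, the user passwords are visible in plain text in the playbook, which is very insecure, so the user list is moved into vars/userlist.yml and encrypted with ansible-vault: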

[devops@server1 vars]$ pwd
/home/devops/ansible/vars
[devops@server1 vars]$ ls
userlist.yml
[devops@server1 vars]$ ansible-vault encrypt userlist.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful

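After encryption the file can no longer be read without the vault password; it shows only ciphertext. ansible-vault view decrypts it for display: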

[devops@server1 vars]$ ansible-vault view userlist.yml 
Vault password: 
---
userlist:
  - user: user1
    pass: redhat
  - user: user2
    pass: redhat


[devops@server1 ansible]$ vim adduser.yml
---
- hosts: all
  vars_files:
    - vars/userlist.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.user }}"
        state: present
        password: "{{ item.pass }}"
      loop: "{{ userlist }}"
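
A pre-commit style check for the problem described above, added here as an example and not part of the original post: it flags password-like keys that carry a literal value in playbooks and vars files, and treats a file that starts with the `$ANSIBLE_VAULT` header as encrypted. The sample files are constructed from the ones shown on this page, and the function names are this example's own.

```python
import re

# First line of a file encrypted with ansible-vault: $ANSIBLE_VAULT;<format>;<cipher>
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);(\w+)")
# A YAML key whose name contains "pass" (pass, password, passwd), followed by a value.
SECRET_KEY = re.compile(r"^\s*(?:-\s+)?(\w*pass\w*):\s*(\S.*)$", re.IGNORECASE)

def audit(name, text):
    """Return findings for one playbook or vars file given as text."""
    if VAULT_HEADER.match(text):
        return []                      # whole file is vault ciphertext
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if not m:
            continue
        value = m.group(2).strip("'\"")
        if value.startswith(("{{", "!vault")):
            continue                   # variable reference or inline vault value
        findings.append(f"{name}:{lineno}: literal value for '{m.group(1)}'")
    return findings

# Constructed samples modelled on the files shown on this page.
FILES = {
    "adduser.yml (first version)": (
        "- hosts: all\n  tasks:\n    - name: create users\n      user:\n"
        "        name: \"{{ item }}\"\n        password: redhat\n"
    ),
    "vars/userlist.yml (before encrypt)": (
        "---\nuserlist:\n  - user: user1\n    pass: redhat\n"
        "  - user: user2\n    pass: redhat\n"
    ),
    "vars/userlist.yml (after encrypt)": "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext>\n",
    "adduser.yml (vars_files version)": (
        "- hosts: all\n  vars_files:\n    - vars/userlist.yml\n  tasks:\n"
        "    - name: create users\n      user:\n"
        "        name: \"{{ item.user }}\"\n        password: \"{{ item.pass }}\"\n"
    ),
}

def audit_all(files=FILES):
    """Audit every file in the mapping and return all findings in order."""
    return [f for name, text in files.items() for f in audit(name, text)]

if __name__ == "__main__":
    print("\n".join(audit_all()) or "no plaintext secrets found")
```

Only the first adduser.yml and the unencrypted userlist.yml are reported; the encrypted vars file and the playbook that references it through variables pass.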

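Run:

The password ends up on the system in plaintext, which is wrong: the user module's password parameter expects an already-hashed value and writes whatever it is given into the shadow file. Hash it with the password_hash filter (the fixed salt keeps the task idempotent, but users with the same password then get the same hash):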

---
- hosts: all
  vars_files:
    - vars/userlist.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.user }}"
        state: present
        password: "{{ item.pass | password_hash('sha512','mysecretsalt') }}"
      loop: "{{ userlist }}"

Run:

If both files are encrypted, they must use the same vault password, because the password is only entered once when the playbook is run:

[devops@server1 ansible]$ ansible-vault encrypt adduser.yml 
New Vault password: 
Confirm New Vault password: 
Encryption successful
[devops@server1 ansible]$ cat adduser.yml 
$ANSIBLE_VAULT;1.1;AES256

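The deployed hosts file turns out to have the wrong permissions. The unquoted mode: 644 is passed to Ansible as the decimal number 644 rather than octal 644; writing it with a leading zero fixes this: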

[devops@server1 ansible]$ vim hostinfo.yml
---
- hosts: all
  tasks:
    - name: create infofile
      template:
        src: templates/info.j2
        dest: /mnt/hostinfo

    - name: create hosts
      template:
        src: templates/host.j2
        dest: /etc/hosts
        owner: root
        group: root
        mode: 0644

Run:
[devops@server1 ansible]$ ansible-playbook hostinfo.yml
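
The mode pitfall corrected above, as an added example that is not part of the original post: a small Python check that finds bare-integer mode values in playbook text and shows the permissions they actually produce next to the intended ones. The sample tasks are constructed from the two versions of the /etc/hosts task on this page, and the function names are this example's own.

```python
import re
import stat

# "mode: <scalar>" as written in a task, ignoring a trailing comment.
MODE_RE = re.compile(r"^\s*mode:\s*([^#\s][^#]*?)\s*(?:#.*)?$")

def effective_mode(raw):
    """Permission bits Ansible receives for a raw YAML scalar, or None if not numeric."""
    quoted = raw[0] in "'\""
    digits = raw.strip("'\"")
    if not re.fullmatch(r"[0-7]+", digits):
        return None                    # symbolic mode or Jinja expression
    if quoted or digits.startswith("0"):
        return int(digits, 8)          # string or YAML octal literal: read as octal
    return int(digits)                 # bare integer: YAML yields a decimal number

def lint_modes(playbook_text):
    """Return (line, raw, actual, intended) for each mode value that is misread."""
    findings = []
    for lineno, line in enumerate(playbook_text.splitlines(), 1):
        m = MODE_RE.match(line)
        bits = effective_mode(m.group(1)) if m else None
        if bits is None:
            continue
        raw, actual = m.group(1), bits & 0o7777
        intended = int(raw.strip("'\""), 8)
        if actual != intended:
            findings.append((lineno, raw,
                             stat.filemode(stat.S_IFREG | actual),
                             stat.filemode(stat.S_IFREG | intended)))
    return findings

# Constructed sample: the two versions of the /etc/hosts task from this page.
SAMPLE = """\
    - name: create hosts
      template:
        src: templates/host.j2
        dest: /etc/hosts
        mode: 644
    - name: create hosts (corrected)
      template:
        src: templates/host.j2
        dest: /etc/hosts
        mode: 0644
"""

if __name__ == "__main__":
    for lineno, raw, actual, intended in lint_modes(SAMPLE):
        print(f"line {lineno}: mode: {raw} gives {actual}, intended {intended}")
```

Decimal 644 is octal 1204, so the first task leaves /etc/hosts unreadable by its owner and group and sets the sticky bit; the corrected task is not reported.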