Automated Operations -- Ansible

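1. Introduction to Ansible:

(1) Ansible needs no client agent on the managed hosts; it communicates over sshd (passwordless login).
(2) Ansible works through modules, and modules can be written in any language.
(3) Ansible supports running modules from the command line as well as playbooks written in YAML, which are easy to write and read.
(4) Ansible is very simple to install; on CentOS it can be installed directly with yum.
(5) Ansible provides a UI (a browser-based graphical interface).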

2. Ansible architecture diagram: [figure not included]


I. Ansible installation

1. Environment preparation

1.1 Set the hostname and the hosts mapping file (on both machines)

[root@localhost ~]# hostnamectl set-hostname ansible-test1    # set the hostname
[root@localhost ~]# logout
[root@localhost ~]# bash
[root@ansible-test1 ~]# 
[root@ansible-test1 ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.153.10 ansible-test1	# add the IP and hostname of both machines
192.168.153.20 ansible-test2

1.2 Disable the firewall and SELinux, and edit /etc/hosts (on both machines)

[root@ansible-test1 ~]# systemctl stop firewalld
[root@ansible-test1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
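[root@ansible-test1 ~]# setenforce 0    # temporarily turn SELinux off (permissive mode); lost after a reboot
[root@ansible-test1 ~]# vi /etc/selinux/config 
Set SELINUX=disabled in this file to turn SELinux off permanently.
Ansible only requires SSH connectivity to the managed hosts, so this step simplifies a lab setup and is not an Ansible requirement.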

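II. Installing Ansible with yum

Prepare two machines, ansible-01 and ansible-02 (ansible-test1 and ansible-test2 in the sessions below). Ansible only needs to be installed on ansible-01; install the EPEL repository first.

2.1 Check the Ansible versions in the default repositories

[root@ansible-test1 ~]# yum list |grep ansible    # you can see that the default repositories already include Ansible version 2.4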
centos-release-ansible-27.noarch            1-1.el7                    extras   
centos-release-ansible-28.noarch            1-1.el7                    extras   
centos-release-ansible-29.noarch            1-1.el7                    extras   
centos-release-ansible26.noarch             1-3.el7.centos             extras   

2.2 Install Ansible

[root@ansible-test1 ~]# yum install epel-release -y 
[root@ansible-test1 ~]# yum install -y ansible
[root@ansible-test1 ~]# ansible --version    # show the Ansible version
ansible 2.9.21
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov 20 2015, 02:00:19) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

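2.3 Passwordless (key-based) SSH setup

On ansible-01, generate a key pair with ssh-keygen -t rsa, copy the public key to ansible-02, and set up key authentication.
Note: the local machine must also be configured for passwordless login.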

[root@ansible-test1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
24:61:4d:8c:5d:04:cb:e8:6e:ba:c1:bf:fc:ec:fa:d2 root@ansible-test1
The key's randomart image is:
+--[ RSA 2048]----+
|      o*o+o      |
|     ..++.       |
|      o +        |
|     . o         |
|      . S        |
|   . .           |
|    o o.         |
|     *..E        |
|    o.=B=        |
+-----------------+


[root@ansible-test1 ~]# ssh-copy-id 192.168.153.20
The authenticity of host '192.168.153.20 (192.168.153.20)' can't be established.
ECDSA key fingerprint is 67:a9:3a:e8:9b:da:29:18:e2:6e:f7:25:8a:3d:e0:62.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.153.20's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.153.20'"
and check to make sure that only the key(s) you wanted were added.
Check that the passwordless setup works:
[root@ansible-test1 ~]# ssh 192.168.153.20
Last login: Sun May 30 01:26:26 2021 from 192.168.153.1
[root@ansible-test2 ~]
[root@ansible-test2 ~]# logout
Connection to 192.168.153.20 closed.

[root@ansible-test1 ~]# ssh-copy-id 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is 67:a9:3a:e8:9b:da:29:18:e2:6e:f7:25:8a:3d:e0:62.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@127.0.0.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '127.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

Note: ssh-copy-id copies the local host's public key into the authorized_keys file on the remote host. It also sets appropriate permissions on the remote user's home directory, ~/.ssh, and ~/.ssh/authorized_keys.
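
The permissions mentioned in the note above can be checked with a short audit, given here as an added example that is not part of the original post. It assumes a stat that supports -c (GNU or busybox, as on CentOS); the function names check_path and audit_ssh_perms are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: audit_ssh_perms HOME_DIR OWNER_UID
# Prints one line per finding; returns 0 when there are none, 1 otherwise.

# Report path $1 if it is missing, is not owned by uid $2 or root,
# or has any of the permission bits in octal mask $3 set.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; return 1
    fi
    uid=$(stat -c '%u' "$1")
    mode=$(stat -c '%a' "$1")
    if [ "$uid" != "$2" ] && [ "$uid" != 0 ]; then
        echo "OWNER    $1 (uid $uid)"; return 1
    fi
    if [ $(( 0$mode & 0$3 )) -ne 0 ]; then
        echo "MODE     $1 (mode $mode, mask $3)"; return 1
    fi
    return 0
}

audit_ssh_perms() {
    home=$1; owner=$2; findings=0
    # Managed host: with StrictModes, sshd ignores authorized_keys when any
    # of these paths is writable by group or others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$owner" 022 || findings=$((findings + 1))
    done
    # Control node: the ssh client refuses a private key that group or
    # others can access at all.
    if [ -e "$home/.ssh/id_rsa" ]; then
        check_path "$home/.ssh/id_rsa" "$owner" 077 || findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Run directly as: sh audit.sh /root 0
if [ "$#" -ge 2 ]; then
    audit_ssh_perms "$1" "$2"
fi
```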

2.4 Host group setup

Add the IPs of the local machine and the other machine to /etc/ansible/hosts.
[root@ansible-test1 ~]# vi /etc/ansible/hosts

Show the file's contents without the comment lines:
[root@ansible-test1 ~]# grep '^[^#]' /etc/ansible/hosts 
[testhost]
127.0.0.1
192.168.153.20
Note: testhost is a user-defined host group name; the two IPs below it are the machines in the group.

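III. Ansible examples

3.1 Running commands remotely with Ansible

This lets you run a command on many hosts at once.
Here testhost is the host group name, -m is followed by the module name, and -a by the command. You can also give a single IP to run the command on just one machine.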

[root@ansible-test1 ~]# ansible testhost -m command -a "hostname"
127.0.0.1 | CHANGED | rc=0 >>
ansible-test1
192.168.153.20 | CHANGED | rc=0 >>
ansible-test2

[root@ansible-test1 ~]#  ansible 127.0.0.1 -m  command -a 'hostname'
127.0.0.1 | CHANGED | rc=0 >>
ansible-test1

[root@ansible-test1 ~]# ansible 192.168.153.20 -m command -a "hostname"
192.168.153.20 | CHANGED | rc=0 >>
ansible-test2

Alternatively, the shell module can do the same:

[root@ansible-test1 ~]#  ansible  testhost -m shell -a 'w'
127.0.0.1 | CHANGED | rc=0 >>
 20:07:08 up  3:19,  3 users,  load average: 0.01, 0.02, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      16:48    3:17m  0.06s  0.06s -bash
root     pts/0    192.168.153.1    16:51    4.00s  0.71s  0.00s ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/48d302285a -tt 192.168.153.20 /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1622462827.64-11031-61002707020228/AnsiballZ_command.py && sleep 0'
root     pts/3    localhost        20:07    1.00s  0.08s  0.01s w
192.168.153.20 | CHANGED | rc=0 >>
 20:07:08 up  3:19,  3 users,  load average: 0.00, 0.01, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      16:48    3:18m  0.00s  0.00s -bash
root     pts/0    192.168.153.1    16:51    1:04m  0.01s  0.01s bash
root     pts/1    ansible-test1    20:07    0.00s  0.08s  0.01s w

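3.2 Copying files or directories with Ansible

A source directory is placed under the destination directory; if the destination directory does not exist, it is created automatically. When copying a file, if the name given in dest differs from the source name and is not an existing directory, the file is copied and renamed in one step. Conversely, if dest is a directory that already exists on the target machine, the file is copied into that directory.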

[root@ansible-test1 ~]# ansible 192.168.153.20 -m copy -a "src=/etc/passwd dest=/tmp/123"
192.168.153.20 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "checksum": "8f3ebea24b1558e6207af80195aa12931d96345f", 
    "dest": "/tmp/123", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "ca8f3327c9a73cb6fd96ba88ec4d18ee", 
    "mode": "0644", 
    "owner": "root", 
    "secontext": "unconfined_u:object_r:admin_home_t:s0", 
    "size": 1040, 
    "src": "/root/.ansible/tmp/ansible-tmp-1622459575.28-10796-116310439759050/source", 
    "state": "file", 
    "uid": 0
}
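Note: /tmp/123 here has the same content as /etc/passwd on the source machine. If a /tmp/123 directory already exists on the target machine, however, a passwd file is created inside the /tmp/123 directory instead.
On host .10 (192.168.153.10), check whether 123 exists under /tmp/: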
[root@ansible-test1 ~]# ls /tmp/
123  ansible_test.txt  test.sh

[root@ansible-test1 ~]# cat /tmp/123
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
......
......
On host .20 (192.168.153.20), check the contents of /tmp/123:
[root@ansible-test2 ~]# cat /tmp/123
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
......
......

3.3 Running a script remotely with Ansible

(1) First create a script:
[root@ansible-test1 ~]# cat /tmp/test.sh
#!/bin/bash
echo `date` > /tmp/ansible_test.txt
(2) Distribute the script to every machine:
[root@ansible-test1 ~]# ansible testhost -m copy -a "src=/tmp/test.sh dest=/tmp/test.sh mode=0755"
192.168.153.20 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "checksum": "1a6e4af02dba1bda6fc8e23031d4447efeba0ade", 
    "dest": "/tmp/test.sh", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "edfaa4371316af8c5ba354e708fe8a97", 
    "mode": "0755", 
    "owner": "root", 
    "secontext": "unconfined_u:object_r:admin_home_t:s0", 
    "size": 48, 
    "src": "/root/.ansible/tmp/ansible-tmp-1622464164.77-11224-248964856389684/source", 
    "state": "file", 
    "uid": 0
}
127.0.0.1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "checksum": "1a6e4af02dba1bda6fc8e23031d4447efeba0ade", 
    "dest": "/tmp/test.sh", 
    "gid": 0, 
    "group": "root", 
    "mode": "0755", 
    "owner": "root", 
    "path": "/tmp/test.sh", 
    "secontext": "unconfined_u:object_r:user_tmp_t:s0", 
    "size": 48, 
    "state": "file", 
    "uid": 0
}
(3) Run the shell script on all hosts:
[root@ansible-test1 ~]# ansible testhost -m shell -a "/tmp/test.sh"
127.0.0.1 | CHANGED | rc=0 >>

192.168.153.20 | CHANGED | rc=0 >>
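The shell module also supports remote commands that contain pipes (the command module does not pass its arguments through a shell, so a pipe would not work there):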
[root@ansible-test1 ~]# ansible testhost -m shell -a "cat /etc/passwd|wc -l"
192.168.153.20 | CHANGED | rc=0 >>
21
127.0.0.1 | CHANGED | rc=0 >>
21

[root@ansible-test1 ~]# cat /tmp/ansible_test.txt 
Mon May 31 21:01:22 CST 2021

The run succeeded.

IV. Managing scheduled tasks with Ansible

4.1 Create a scheduled task, giving it a name and defining its job.

[root@ansible-test1 ~]# ansible testhost -m cron -a "name='test cron' job='/bin/bash /tmp/test.sh' weekday=6"
192.168.153.20 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": [
        "test cron"
    ]
}
127.0.0.1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": [
        "test cron"
    ]
}
To delete this cron entry, just add the field state=absent.
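
The cron module marks each entry it manages with a "#Ansible: <name>" comment line, and time fields that are not given default to "*", so the command above runs every minute on Saturdays. The following review script is an added example, not part of the original post: the sample crontab is constructed (its first entry mirrors the job created above, the second is invented for contrast), and the names sample_crontab and audit_ansible_cron are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of `crontab -l` output for root on a managed host.
sample_crontab() {
    cat <<'EOF'
#Ansible: test cron
* * * * 6 /bin/bash /tmp/test.sh
#Ansible: logrotate
30 2 * * * /usr/local/sbin/rotate.sh
EOF
}

# Reads a crontab on stdin and prints "<name>: <flags>" for every
# Ansible-managed job. Flags:
#   every-minute         the minute field is "*"
#   world-writable-path  the command references a file under /tmp,
#                        /var/tmp or /dev/shm
audit_ansible_cron() {
    awk '
        /^#Ansible: / { name = substr($0, 11); next }   # marker line
        name != "" {                                    # the job line after it
            flags = ""
            if ($1 == "*") flags = flags " every-minute"
            ww = 0
            for (i = 6; i <= NF; i++)
                if ($i ~ /^\/(tmp|var\/tmp|dev\/shm)\//) ww = 1
            if (ww) flags = flags " world-writable-path"
            printf "%s:%s\n", name, (flags == "" ? " ok" : flags)
            name = ""
        }
    '
}

# On a real host: crontab -l | audit_ansible_cron
sample_crontab | audit_ansible_cron
```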