Vault encryption
Encrypting
[devops@server1 ansible]$ ansible-vault encrypt vars/userlist.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[devops@server1 ansible]$ cat vars/userlist.yml
$ANSIBLE_VAULT;1.1;AES256
30666264376264386666356637313665626434393530353135623636326431356339666533343166
3832343433353566643239646237316262653732303362300a666666643062633434383363363965
65613661623564336235346231353830356663623965383539643238613165663964356461633739
3832316333386533320a613164316434353833663866356665613638666662623039396664323266
34633139636135313931396230373566323439653363363438303234616536303165616630313763
61613862616465333263623839343031653931333262353661353936613961653964383930633162
33323633396666656533343439326464653539633637616161663434633565383061373533653664
61616162313865316162633235666134633664623665643136663662643931393331346463303433
32336565323261323838313137623562613361336231353538376137363936393061376662643032
6161623463366336373834313239363038373866653062663331
Using the encrypted file
[devops@server1 ansible]$ ansible-playbook creatuser.yml --ask-vault-pass
Vault password:
PLAY [all] ***********************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [server2]
ok: [server3]
TASK [creat user] ****************************************************************************************************************************************************************************************************************************
changed: [server2] => (item={u'passwd': u'westos', u'user': u'user1'})
changed: [server3] => (item={u'passwd': u'westos', u'user': u'user1'})
changed: [server2] => (item={u'passwd': u'westos', u'user': u'user2'})
changed: [server3] => (item={u'passwd': u'westos', u'user': u'user2'})
changed: [server3] => (item={u'passwd': u'westos', u'user': u'user3'})
changed: [server2] => (item={u'passwd': u'westos', u'user': u'user3'})
PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
server2 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server3 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Other subcommands
[devops@server1 ansible]$ ansible-vault edit vars/userlist.yml
Vault password:
[devops@server1 ansible]$ ansible-vault view vars/userlist.yml
Vault password:
userlist:
  - user: user1
    passwd: westos
  - user: user2
    passwd: westos
  - user: user3
    passwd: westos
[devops@server1 ansible]$ ansible-vault decrypt vars/userlist.yml
Vault password:
Decryption successful
[devops@server1 ansible]$ cat vars/userlist.yml
userlist:
  - user: user1
    passwd: westos
  - user: user2
    passwd: westos
  - user: user3
    passwd: westos
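After `ansible-vault decrypt` the user list sits on disk in clear text, so a repository check that a vars file is really vault-encrypted is useful. The following is an added example, not code from the original post or from Ansible itself: it parses the `$ANSIBLE_VAULT;1.1;AES256` format shown above (a header line, then the hex encoding of `salt_hex\nhmac_hex\nciphertext_hex`, wrapped at 80 columns) and, given the vault password, recomputes the HMAC-SHA256 that Ansible stores with the ciphertext. Key derivation follows the published 1.1 parameters (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes: AES key, HMAC key, IV). It does not decrypt (that needs AES-CTR, which the standard library lacks); the sample blob, password, and `build_sample_vault` helper are constructed here only so the check can run offline.

```python
# Added example (not from the original post): parse and integrity-check
# ansible-vault 1.1 files with the standard library only.
import hashlib
import hmac
import os
import textwrap

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000   # vault 1.1 parameters
SALT_LEN = 32


def is_vault_encrypted(text: str) -> bool:
    """Cheap check for a scanner: does the file start with a vault header?"""
    return text.lstrip().startswith("$ANSIBLE_VAULT;")


def parse_vault(text: str) -> dict:
    """Split a vault-1.1 blob into salt, hmac and ciphertext bytes."""
    lines = text.strip().splitlines()
    if lines[0].strip() != HEADER:
        raise ValueError("not a vault 1.1 AES256 file: %r" % lines[0])
    # Body is hex of "salt_hex\nhmac_hex\nct_hex", wrapped at 80 columns.
    body = bytes.fromhex("".join(l.strip() for l in lines[1:])).decode("ascii")
    salt_hex, hmac_hex, ct_hex = body.split("\n")
    return {
        "salt": bytes.fromhex(salt_hex),
        "hmac": bytes.fromhex(hmac_hex),
        "ciphertext": bytes.fromhex(ct_hex),
    }


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES key (32), HMAC key (32), IV (16)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=80)
    return km[:32], km[32:64], km[64:80]


def verify_vault_hmac(text: str, password: str) -> bool:
    """True if HMAC-SHA256(hmac_key, ciphertext) matches the stored tag."""
    parts = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, parts["salt"])
    expected = hmac.new(hmac_key, parts["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, parts["hmac"])


def build_sample_vault(password: str, ciphertext: bytes, salt: bytes = None) -> str:
    """Constructed sample: wrap arbitrary bytes in a structurally valid vault
    blob with a correct HMAC. No AES here, so the 'ciphertext' is not a real
    encryption of anything; it only exercises the parser and the check."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    _, hmac_key, _ = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    body = "\n".join([salt.hex(), tag.hex(), ciphertext.hex()]).encode("ascii")
    return HEADER + "\n" + "\n".join(textwrap.wrap(body.hex(), 80)) + "\n"


def audit_vars_files(files: dict) -> list:
    """Names of files that are NOT vault-encrypted. Input is a constructed
    mapping of path -> content, standing in for a walk over vars/."""
    return [name for name, content in files.items()
            if not is_vault_encrypted(content)]


if __name__ == "__main__":
    pw = "demo-vault-password"   # constructed, for the sample only
    blob = build_sample_vault(pw, b"\x01\x02\x03" * 16, salt=b"\x00" * SALT_LEN)
    print(verify_vault_hmac(blob, pw))        # True
    print(verify_vault_hmac(blob, "wrong"))   # False
    print(audit_vars_files({"vars/userlist.yml": "userlist:\n  - user: user1\n",
                            "vars/secret.yml": blob}))  # ['vars/userlist.yml']
```

`audit_vars_files` is the part worth wiring into a pre-commit hook: a plaintext `vars/userlist.yml` like the one left behind by `ansible-vault decrypt` is reported, an encrypted one passes. `verify_vault_hmac` goes further and proves the file was produced with the expected password and has not been edited since, without ever exposing the plaintext.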
Deploying httpd and haproxy
---
- name: deploy httpd
  hosts: webservers
  vars:
    http_port: 80
  tasks:
    - name: ensure apache is at the latest version
      yum:
        name: httpd
        state: latest
    - name: write the apache config file
      template:
        src: templates/httpd.conf.j2
        dest: /etc/httpd/conf/httpd.conf
      notify:
        - restart apache
    - name: write index html
      copy:
        content: "{{ ansible_facts['hostname'] }}\n"
        dest: /var/www/html/index.html
    - name: ensure apache is running
      service:
        name: httpd
        state: started
    - name: start firewalld
      service:
        name: firewalld
        state: started
    - name: open httpd port
      firewalld:
        port: "{{ http_port }}/tcp"
        permanent: yes
        state: enabled
        immediate: yes
  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
- name: deploy haproxy
  hosts: haproxy
  vars:
    haproxy_port: 80
  tasks:
    - name: install haproxy
      yum:
        name: haproxy
        state: present
    - name: config haproxy
      template:
        src: templates/haproxy.cfg.j2
        dest: /etc/haproxy/haproxy.cfg
      notify:
        - restart haproxy
    - name: start haproxy
      service:
        name: haproxy
        state: started
        enabled: yes
  handlers:
    - name: restart haproxy
      service:
        name: haproxy
        state: restarted
Template (backend section of templates/haproxy.cfg.j2):
backend app
    balance roundrobin
{% for host in groups['webservers'] %}
    server {{ hostvars[host]['ansible_facts']['hostname'] }} {{ hostvars[host]['ansible_facts']['eth0']['ipv4']['address'] }}:{{ haproxy_port }} check
{% endfor %}
[devops@server1 ansible]$ curl 172.25.254.104
server3
[devops@server1 ansible]$ curl 172.25.254.104
server2
[devops@server1 ansible]$ curl 172.25.254.104
server3
[devops@server1 ansible]$ curl 172.25.254.104
server2
Deploying keepalived + haproxy + httpd
- name: deploy keepalived
  hosts: keepalived
  tasks:
    - name: install keepalived
      yum:
        name: keepalived
        state: present
    - name: config keepalived
      template:
        src: templates/keepalived.conf.j2
        dest: /etc/keepalived/keepalived.conf
      notify:
        - restart keepalived
    - name: start keepalived
      service:
        name: keepalived
        state: started
        enabled: yes
  handlers:
    - name: restart keepalived
      service:
        name: keepalived
        state: restarted
! Configuration File for keepalived
global_defs {
   notification_email {
     root@localhost
   }
   notification_email_from keepalived@localhost
   smtp_server localhost
   smtp_connect_timeout 30
   router_id LVS_DEVEL
   vrrp_skip_check_adv_addr
   #vrrp_strict
   vrrp_garp_interval 0
   vrrp_gna_interval 0
}
vrrp_instance VI_1 {
    state {{ STATE }}
    interface eth0
    virtual_router_id {{ VRI }}
    priority {{ PRI }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.25.254.250
    }
}
[devops@server1 ansible]$ tree host_vars/
host_vars/
├── server4
│   └── vars
└── server5
    └── vars
2 directories, 2 files
[devops@server1 ansible]$ cat host_vars/server4/vars
---
STATE: MASTER
VRI: 51
PRI: 100
[devops@server1 ansible]$ cat host_vars/server5/vars
---
STATE: BACKUP
VRI: 51
PRI: 50
Using block to tidy the structure
---
- name: deploy http_SLB
  hosts: all
  vars:
    http_port: 80
    haproxy_port: 80
  tasks:
    - name: deploy httpd
      block:
        - name: check the firewalld
          command: /usr/bin/systemctl is-active firewalld
          changed_when: false
      rescue:
        - name: start firewalld
          service:
            name: firewalld
            state: started
            enabled: yes
      always:
        - name: install apache
          yum:
            name: httpd
            state: latest
        - name: write the apache config file
          template:
            src: templates/httpd.conf.j2
            dest: /etc/httpd/conf/httpd.conf
          notify:
            - restart apache
        - name: write index html
          copy:
            content: "{{ ansible_facts['hostname'] }}\n"
            dest: /var/www/html/index.html
        - name: ensure apache is running
          service:
            name: httpd
            state: started
        - name: open httpd port
          firewalld:
            port: "{{ http_port }}/tcp"
            permanent: yes
            state: enabled
            immediate: yes
      when: ansible_hostname in groups['webservers']
    - name: deploy haproxy
      block:
        - name: install haproxy
          yum:
            name: haproxy
            state: present
        - name: config haproxy
          template:
            src: templates/haproxy.cfg.j2
            dest: /etc/haproxy/haproxy.cfg
          notify:
            - restart haproxy
        - name: start haproxy
          service:
            name: haproxy
            state: started
            enabled: yes
      when: ansible_hostname in groups['haproxy']
    - name: deploy keepalived
      block:
        - name: install keepalived
          yum:
            name: keepalived
            state: present
        - name: config keepalived
          template:
            src: templates/keepalived.conf.j2
            dest: /etc/keepalived/keepalived.conf
          notify:
            - restart keepalived
        - name: start keepalived
          service:
            name: keepalived
            state: started
            enabled: yes
      when: ansible_hostname in groups['keepalived']
  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
    - name: restart haproxy
      service:
        name: haproxy
        state: restarted
    - name: restart keepalived
      service:
        name: keepalived
        state: restarted
Now the whole deployment is a single play, with one block per service.
include and import
As the number of services to manage keeps growing, and if we have not moved the tasks into roles, the playbook file grows larger and larger, holds more and more content, and becomes hard to manage.
At that point we can split the tasks across many files and call between them with include_tasks and import_tasks; put plainly, these two methods connect tasks that live in different files.
- import_tasks (static) reads and loads both the parent task's variables and the child task's variables during the playbook parsing stage
- include_tasks (dynamic) loads its own variables only right before the play is executed
Example:
[devops@server1 ansible]$ cat test1.yml
---
- hosts: server2
  tasks:
    - import_tasks: test2.yml
      when: ansible_os_family == "RedHat"
[devops@server1 ansible]$ cat test2.yml
---
- set_fact: ansible_os_family="CentOS"
- debug:
    var: ansible_os_family
import_tasks: before the tasks execute, the Ansible interpreter first loads the variables in test1.yml and at the same time loads those in test2.yml, so the ansible_os_family variable gets overridden and its final value is "CentOS". When the when clause in test1.yml is evaluated, ansible_os_family is judged to be "CentOS", the when result is false, and test2.yml is not called.
include_tasks: Ansible loads the variables in test2.yml only after it has fully executed the tasks in test1.yml, so when the when clause is evaluated, ansible_os_family is "RedHat", the when result is true, and the tasks in test2.yml are executed.