Preparation:
Two virtual machines
ansible control VM: 172.25.254.111
note1 managed VM: 172.25.254.211
The network between them is up
A network software repository is configured, since packages need to be downloaded
Why Ansible matters for enterprise operations
Ansible is a simple, efficient tool for automated operations management. It can manage very large numbers of machines in bulk and, in parallel across many hosts, deploy applications, install software, run commands, and configure and orchestrate tasks.
Installing ansible
*Ansible runs as a command-line tool without a daemon; no service has to be started
Method 1:
EPEL repository ##download the rpm package that sets up the EPEL repository
wget <package URL>
##find a URL on the web from which the EPEL repository package can be downloaded!
Make sure your VM has Internet access, otherwise the download cannot succeed!
ansible --version ##check whether the installation succeeded; prints the version
//on success the output looks like this
[root@ansible ~]# ansible --version
ansible 2.9.24
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
//
Method 2:
Our software repository already contains most of the packages ansible needs; only the following two packages have to be downloaded and installed
first: dnf install sshpass-1.06-9.el8.x86_64.rpm
then: dnf install ansible-2.9.24-1.el8.noarch.rpm
Basic ansible files:
/etc/ansible/ansible.cfg global main configuration file; rarely changed from its defaults
/etc/ansible/hosts global host inventory file
Building the Ansible inventory
The inventory is the list of hosts that ansible controls
/etc/ansible/hosts global inventory file
(1)
On the ansible VM 172.25.254.111:
ansible 172.25.254.211 -m ping ##172.25.254.211 is not in the inventory, so it cannot be managed
vim /etc/ansible/hosts ##edit the global inventory file; listing the inventory again then shows the newly added host IP
//append as the last line
172.25.254.211
//
ansible all --list-hosts ##list the inventory hosts
When ansible controls the 211 host, it first generates a Python script on the ansible host and pushes it to the managed host over the sshd service; that transfer has to pass the managed host's authentication, so at this point 172.25.254.211 still cannot be managed.
The concrete steps, following the sequence above:
[root@ansible ansible]# ansible 172.25.254.211 -m ping ##172.25.254.211 is not in the inventory, so it cannot be managed
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: 172.25.254.211
[root@ansible ansible]# ansible all --list-hosts
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
hosts (0):
[root@ansible ansible]# vim /etc/ansible/hosts ##edit the global inventory file and add the host IP 172.25.254.211; listing the inventory again shows the newly added host IP
[root@ansible ansible]# ansible all --list-hosts ##list the inventory hosts
hosts (1):
172.25.254.211 ##the inventory now contains host 172.25.254.211
[root@ansible ansible]# ansible 172.25.254.211 -m ping ##managing 172.25.254.211 requires passing that host's authentication, so it still cannot be managed
The authenticity of host '172.25.254.211 (172.25.254.211)' can't be established.
ECDSA key fingerprint is SHA256:j1eksGwobdp+MVYQXJB+MoyMeCMt6FIYzp5egJFXyws.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
172.25.254.211 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.25.254.211' (ECDSA) to the list of known hosts.\r\nroot@172.25.254.211: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
(2)
On the note1 managed VM 172.25.254.211:
useradd devops ##ansible will control this machine as devops
echo westos | passwd --stdin devops
(3)
On the ansible VM 172.25.254.111:
ssh-keygen
ssh-copy-id -i /root/.ssh/id_rsa.pub devops@172.25.254.211 ##install the public key for the specified user; logging in then needs no password
ansible 172.25.254.211 -m ping -u devops ##commands on the 211 host now run as the ordinary user devops, so its privileges are very limited
[root@ansible ansible]# ansible 172.25.254.211 -m ping -k ##-k prompts for the ssh password when ansible runs
SSH password:
172.25.254.211 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong" ##a pong reply means the 211 host can be managed by ansible
}
[root@ansible ansible]# ssh-keygen ##generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:lzoM2OJopEepNzJoHB0DSykBx8RrfHRHB68uahNxQbk root@ansible.westos.org
The key's randomart image is:
+---[RSA 3072]----+
|+B+ ..oo.. |
|oo= . + .o |
|.o = . + . |
| =.=oE . . |
| o+oooo S o |
|o=.o.. + o |
|*o* ... = |
|.* .o. . . |
| ... |
+----[SHA256]-----+
[root@ansible ansible]# ssh-copy-id -i /root/.ssh/id_rsa.pub devops@172.25.254.211 ##install the public key for the specified user; passwordless login as this user
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
devops@172.25.254.211's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'devops@172.25.254.211'"
and check to make sure that only the key(s) you wanted were added.
[root@ansible ansible]# ansible 172.25.254.211 -m shell -a 'touch /mnt/westosfile' -u devops ##commands on the 211 host run as the ordinary user devops, so its privileges are very limited
[WARNING]: Consider using the file module with state=touch rather than running
'touch'. If you need to use command because file is insufficient you can add
'warn: false' to this command task or set 'command_warnings=False' in
ansible.cfg to get rid of this message.
172.25.254.211 | FAILED | rc=1 >>
touch: cannot touch '/mnt/westosfile': Permission deniednon-zero return code
(4)
On the note1 managed VM 172.25.254.211:
visudo ##grant privileges to devops
//
devops ALL=(ALL) ALL    or    devops ALL=(ALL) NOPASSWD: ALL ##the NOPASSWD form removes the BECOME password prompt
//
(5)
On the ansible VM 172.25.254.111:
ansible 172.25.254.211 -m shell -a 'touch /mnt/westosfile' -u devops --become -K
##-K prompt for the sudo password; --become make devops run the command through sudo; -m run a module
The remote host can now be managed successfully.
[root@ansible ansible]# ansible 172.25.254.211 -m shell -a 'touch /mnt/westosfile' -u devops --become -K
BECOME password:
[WARNING]: Consider using the file module with state=touch rather than running
'touch'. If you need to use command because file is insufficient you can add
'warn: false' to this command task or set 'command_warnings=False' in
ansible.cfg to get rid of this message.
172.25.254.211 | CHANGED | rc=0 >>
Defining groups of managed hosts: [groupname]
#Viewing the inventory:
ansible <group name from the inventory> [-i <inventory file>] --list-hosts
ansible ungrouped --list-hosts
ansible all --list-hosts
#Flat inventory#
[list1]
node1.westos.com
node2.westos.com
[list2]
node2.westos.com
#Nested inventory#
[westos:children]
list1
list3
Contents of a group:
Write the managed host names or IPs directly, one per line
node1.westos.com
node2.westos.com
172.25.254.240
Ranges in host specifications
Specifying a range of host names or IPs shortens the Ansible inventory
Syntax:
[start:end]
Example:
[westostest]
172.25.254.[100:108]
Patterns (wildcards and regular expressions) for selecting inventory hosts in the ansible command
* ##everything
##172.25.254.*
##westos*
: ##logical OR
##westos1:linux
##172.25.254.100:172.25.254.200
:& ##logical AND
##westos1:&linux
##hosts that are in both the westos1 group and the linux group
:! ##logical NOT
##westos1:!linux
##in westos1 but not in linux
~ ##begins with the keyword (regular expression match)
~(str1|str2) ##begins with str1 or with str2
Exercise:
ansible all -i westos --list ##-i specifies the inventory file
ansible ungrouped --list ##ungrouped lists the hosts that are not in any group
(1) Defining groups of managed hosts: [groupname]
[root@ansible ansible]# vim hosts
//
## db-[99:101]-node.example.com
[westos1] ##the group name
172.25.254.211
[westos2]
172.25.254.111
[westos:children] ##nested inventory: the westos group contains the two child groups westos1 and westos2
westos1
westos2
//
[root@ansible ansible]# ansible westos1 --list ##list the hosts of the specified group
hosts (1):
172.25.254.211
[root@ansible ansible]# ansible westos --list
hosts (2):
172.25.254.211
172.25.254.111
(2) Specifying a range of host names or IPs shortens the Ansible inventory
[root@ansible ansible]# vim hosts
//
[westos2]
172.25.254.[90:100] ##172.25.254.90 through 172.25.254.100
//
[root@ansible ansible]# ansible westos2 --list
hosts (11):
172.25.254.90
172.25.254.91
172.25.254.92
172.25.254.93
172.25.254.94
172.25.254.95
172.25.254.96
172.25.254.97
172.25.254.98
172.25.254.99
172.25.254.100
(3) Patterns for selecting inventory hosts in the ansible command
[root@ansible ansible]# vim hosts
//
[192]
172.25.254.211
172.25.254.91
westos_note1.westos.org
[westos1]
172.25.254.92
westoslinux.westos.org
[westos2]
172.25.254.[90:100]
192.168.0.1
[westos:children]
westos2
linux
//
ansible "192*" --list ##groups, or hosts, whose names in the inventory begin with 192
//
hosts (4):
172.25.254.211
172.25.254.91
westos_note1.westos.org
192.168.0.1
//
ansible "172*:192*" --list ##groups or hosts whose names begin with 172 or with 192
//
hosts (14):
172.25.254.211
172.25.254.91
172.25.254.92
172.25.254.90
172.25.254.93
172.25.254.94
172.25.254.95
172.25.254.96
172.25.254.97
172.25.254.98
172.25.254.99
172.25.254.100
westos_note1.westos.org
192.168.0.1
//
ansible "westos1:&westos2" --list ##hosts in group westos1 that are also in group westos2
//
hosts (1):
172.25.254.92
//
ansible 'westos1:!westos2' --list ##hosts in group westos1 but not in group westos2
//
hosts (1):
westoslinux.westos.org
//
ansible '~(172*|192)' --list ##groups or hosts whose names begin with 172 or with 192 (as a regular expression, 172* means 17 followed by any number of 2s, which still matches every 172.x host here)
//
hosts (14):
172.25.254.211
172.25.254.91
westos_note1.westos.org
172.25.254.92
172.25.254.90
172.25.254.93
172.25.254.94
172.25.254.95
172.25.254.96
172.25.254.97
172.25.254.98
172.25.254.99
172.25.254.100
192.168.0.1
//
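As an added example (written for this page; it is not code from the post or from Ansible itself), the Python script below parses the step (3) hosts file shown above, expands the [start:end] ranges from the range section, and resolves the same five patterns so the results can be compared with the ansible --list output. The inventory text is a constructed copy of the post's file, and the functions expand_range, parse_inventory, hosts_of, match_term and resolve_pattern are this example's own names. It reproduces how ansible treats a term: group names are tried first, then host names, and a leading ~ turns the term into a regular expression anchored at the start of the name, which is why ~(172*|192) also selects the 172.25.254.x hosts even though 172* as a regex means 17 followed by any number of 2s.

```python
import re
from fnmatch import fnmatchcase

# Constructed copy of the hosts file from step (3) above.  The child group
# "linux" is undefined exactly as in the post; it simply yields no hosts here.
INVENTORY = """[192]
172.25.254.211
172.25.254.91
westos_note1.westos.org
[westos1]
172.25.254.92
westoslinux.westos.org
[westos2]
172.25.254.[90:100]
192.168.0.1
[westos:children]
westos2
linux
"""
RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")

def expand_range(entry):
    """Expand one [start:end] range; a zero-padded start such as [01:05] keeps its width."""
    m = RANGE_RE.search(entry)
    if not m:
        return [entry]
    start, end = m.group(1), m.group(2)
    width = len(start) if start.startswith("0") else 0
    return [entry[:m.start()] + str(i).zfill(width) + entry[m.end():]
            for i in range(int(start), int(end) + 1)]

def parse_inventory(text):
    """Return (groups, children): group -> ordered hosts, group -> :children names."""
    groups, children = {}, {}
    section, kind = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            groups.setdefault(section, [])
            if kind == "children":
                children.setdefault(section, [])
            continue
        if kind == "children":
            children[section].append(line)
        else:
            groups[section].extend(expand_range(line))
    return groups, children

def hosts_of(group, groups, children, seen=()):
    """Hosts of a group, following :children; `seen` guards against a cycle."""
    if group in seen:
        return []
    result = list(groups.get(group, []))
    for child in children.get(group, []):
        result.extend(hosts_of(child, groups, children, seen + (group,)))
    return result

def match_term(term, groups, children):
    """One term: '~' is a regex anchored at the start of the name, else shell wildcards."""
    # dict.fromkeys keeps first-seen order without duplicates, like --list-hosts
    all_hosts = list(dict.fromkeys(h for g in groups for h in hosts_of(g, groups, children)))
    if term in ("all", "*"):
        return all_hosts
    if term.startswith("~"):
        regex = re.compile(term[1:])
        matches = lambda name: regex.match(name) is not None
    else:
        matches = lambda name: fnmatchcase(name, term)
    hits = []
    for group in groups:                      # group names are tried first
        if matches(group):
            hits.extend(hosts_of(group, groups, children))
    hits.extend(h for h in all_hosts if matches(h))   # then individual hosts
    return list(dict.fromkeys(hits))

def resolve_pattern(pattern, groups, children):
    """':' joins OR terms; '&term' is required (AND); '!term' is excluded (NOT)."""
    selected, required, excluded = [], None, set()
    for term in pattern.split(":"):           # regexes containing ':' are not handled
        if term.startswith("&"):
            hits = set(match_term(term[1:], groups, children))
            required = hits if required is None else required & hits
        elif term.startswith("!"):
            excluded |= set(match_term(term[1:], groups, children))
        else:
            selected.extend(match_term(term, groups, children))
    result = list(dict.fromkeys(selected))
    if required is not None:
        result = [h for h in result if h in required]
    return [h for h in result if h not in excluded]

if __name__ == "__main__":
    g, c = parse_inventory(INVENTORY)
    for pat in ("192*", "172*:192*", "westos1:&westos2", "westos1:!westos2", "~(172*|192)"):
        hosts = resolve_pattern(pat, g, c)
        print(f"{pat}: hosts ({len(hosts)})", *hosts, sep="\n    ")
```

Run directly, it prints the five host lists with the same counts and the same order as the ansible output above (4, 14, 1, 1 and 14 hosts). The undefined child group linux contributes no hosts here, whereas ansible itself prints a warning for it.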
Ansible configuration file parameters explained
Usage format:
ansible <group name from the inventory> -m <module> -u remote_user
1. Configuration file locations and precedence
/etc/ansible/ansible.cfg #base configuration file; used when no other configuration file is found
~/.ansible.cfg #used when the current directory has no ansible.cfg
./ansible.cfg #highest precedence
2. Common configuration parameters
#[defaults] ##basic settings
inventory= ##path of the inventory
remote_user= ##user name for logging in to the managed hosts; the current user if unspecified
ask_pass= ##whether to prompt for the SSH password; set to false when logging in with a public key
library= ##directory holding module library files
local_tmp= ##temporary directory on the control host for command execution
remote_tmp= ##temporary directory on the remote host for the generated Python module files
forks= ##default number of parallel processes, i.e. how many managed hosts are handled at once
host_key_checking= ##whether the first connection to a managed host requires typing yes to record the host key
sudo_user= ##default sudo user
ask_sudo_pass= ##whether to prompt for the sudo password each time an ansible command runs on the managed hosts
module_name= ##default module; command by default, can be changed to shell
log_path= ##path of the log file
remote_port = 22 ##port used to connect to remote hosts
host_key_checking = False ##no longer prompts; accepts the managed host's key
known_hosts: when this file does not exist, connecting to a managed host prompts whether to accept the identity key the managed host sends
module_name = ping ##module the ansible command uses by default
#[privilege_escalation] ##identity settings
become= ##whether to switch user automatically after connecting
become_method= ##how to switch user, usually sudo
become_user= ##user to switch to on the managed host, usually root
become_ask_pass ##whether to prompt for the become_method password; default false
Exercise:
(1) Edit the user's configuration file:
vim /home/lee/ansible/ansible.cfg
//
[defaults]
inventory = ~/ansible/inventory
host_key_checking =False
ask_pass =False
remote_user = devops
module_name = shell
[privilege_escalation]
become =True
become_method =sudo
become_user =root
become_ask_pass =False
//
[lee@ansible ansible]$ cat inventory ##write this file, adding the managed hosts
[westos2]
172.25.254.111
172.25.254.211
(2) Test
[lee@ansible ansible]$ ansible westos2 -m ping ##the test succeeds; the command must be run inside the /home/lee/ansible/ directory
172.25.254.211 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
172.25.254.111 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
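The configuration used in this exercise turns off host_key_checking. That is convenient in a lab, but it removes the only check that the machine answering on 172.25.254.211 is the one whose key was recorded in known_hosts, and ansible then runs shell commands on it as root through sudo. The script below is an added example, not code from the post, that audits an ansible.cfg for the settings explained in section 2 above. It reads a constructed copy of the post's /home/lee/ansible/ansible.cfg and a hardened variant that re-enables host key checking and sets log_path; the severity labels and the names POST_CONFIG, HARDENED_CONFIG, load_config and audit_config are this example's own.

```python
import configparser

# Constructed copy of the post's /home/lee/ansible/ansible.cfg.
POST_CONFIG = """[defaults]
inventory = ~/ansible/inventory
host_key_checking =False
ask_pass =False
remote_user = devops
module_name = shell
[privilege_escalation]
become =True
become_method =sudo
become_user =root
become_ask_pass =False
"""

# Hardened variant (constructed, not from the post): host key checking back on
# and a log file, so a changed host key fails loudly and every run leaves a record.
HARDENED_CONFIG = POST_CONFIG.replace(
    "host_key_checking =False",
    "host_key_checking = True\nlog_path = ~/ansible/ansible.log")

def load_config(text):
    """ansible.cfg is plain INI syntax, so the standard library parser reads it."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser

def audit_config(text):
    """Return (severity, option, message) findings for the settings discussed above."""
    cfg = load_config(text)
    findings = []
    # Ansible's default is True. False makes ssh skip the known_hosts check, so
    # whatever answers on a managed host's address is trusted without question.
    if not cfg.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append(("high", "host_key_checking",
                         "SSH host key verification disabled; an impersonated "
                         "managed host would not be detected"))
    if not cfg.has_option("defaults", "log_path"):
        findings.append(("medium", "log_path",
                         "no log_path; commands run on managed hosts leave no local record"))
    if (cfg.getboolean("privilege_escalation", "become", fallback=False)
            and not cfg.getboolean("privilege_escalation", "become_ask_pass", fallback=False)):
        findings.append(("info", "become_ask_pass",
                         "become without a password prompt relies on NOPASSWD sudo "
                         "for remote_user on every managed host"))
    return findings

if __name__ == "__main__":
    for label, text in (("post's ansible.cfg", POST_CONFIG), ("hardened variant", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, option, message in audit_config(text):
            print(f"[{severity}] {option}: {message}")
```

Against the post's file the audit reports host_key_checking, log_path and become_ask_pass; against the hardened variant only the informational become_ask_pass finding remains, since the NOPASSWD sudoers entry from step (1) below is what makes that setting work.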
Four points to note:
(1) This must be done as the superuser on both the 111 host and the 211 host, granting privileges to devops:
[root@note1 ~]# visudo
//
devops ALL=(ALL) NOPASSWD: ALL
//
(2) On the ansible host, where user lee works, add the new user and set its password:
[root@ansible ansible]# useradd devops
[root@ansible ansible]# echo westos | passwd --stdin devops
(3) A file has to be copied into lee's directory:
[lee@ansible ~]$ scp root@172.25.254.111:/root/.ssh/id_rsa /home/lee/.ssh/
root@172.25.254.111's password:
id_rsa 100% 2610 2.6MB
(4) This step cannot be skipped: install the public key for the specified user so that passwordless login as devops to 172.25.254.111 works
[root@ansible ansible]# ssh-copy-id -i /root/.ssh/id_rsa.pub devops@172.25.254.111 ##install the public key for the specified user
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.254.111 (172.25.254.111)' can't be established.
ECDSA key fingerprint is SHA256:j1eksGwobdp+MVYQXJB+MoyMeCMt6FIYzp5egJFXyws.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
devops@172.25.254.111's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'devops@172.25.254.111'"
and check to make sure that only the key(s) you wanted were added.