运维部署三层次:
1 纯手动操作
2 一键部署脚本
3 使用自动部署工具
ansible是自动化运维工具,基于Python开发
功能:批量系统配置、批量程序部署、批量运行命令
工作原理:
1 主机清单:定义ansible要管理的对象
2 playbooks:剧本,用 yml 格式写的脚本(ansible 本身基于 Python)
3 功能插件(模块):实现剧本中具体的任务
4 连接模块:ssh
5 ansible整合
-----------------------------------------------
应用场景:
安装系统的工具:
kickstart
初始化:
selinux 、iptables 、 IP 联网 、 主机名、 时间 、常用工具
部署应用:
apache 、nginx 、 tomcat 、 mysql
批量执行命令
…
--------------------------------------
准备环境:
ansible 172.20.10.6
node1 172.20.10.7
node2 172.20.10.8
[root@ansible ~]# tail -3 /etc/hosts
172.20.10.6 ansible.ysla.com ansible
172.20.10.7 node1.ysla.com node1
172.20.10.8 node2.ysla.com node2
[root@ansible ~]# scp /etc/hosts 172.20.10.7:/etc/
[root@ansible ~]# scp /etc/hosts 172.20.10.8:/etc/
--------------------------------------------------
开始部署ansible:
[root@ansible ~]# rpm -ivh epel-release-7-6.noarch.rpm //安装epel,yum也可以
[root@ansible ~]# yum install -y ansible
[root@ansible ~]# rpm -ql ansible | head -20
/etc/ansible
/etc/ansible/ansible.cfg ##配置文件
/etc/ansible/hosts ##主机清单文件
/etc/ansible/roles ##角色配置文件
/usr/bin/ansible-playbook ##运行剧本的命令
配置:
[root@ansible ~]# cd /etc/ansible/
[root@ansible /etc/ansible]# ls
ansible.cfg hosts roles
[root@ansible /etc/ansible]# vim hosts
172.20.10.7
测试连接:
[root@ansible ~]# ssh 172.20.10.7
The authenticity of host '172.20.10.7 (172.20.10.7)' can't be established.
ECDSA key fingerprint is SHA256:4JUE9YLEued+tSEr4sRDz1+7hze39R8aiRHxwQaaO4A.
ECDSA key fingerprint is MD5:f7:3b:08:d7:a2:1f:19:2d:c4:98:6a:9c:d0:a8:72:8a.
Are you sure you want to continue connecting (yes/no)? yes
[root@ansible ~]# cat .ssh/known_hosts
172.20.10.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDHNd2TGYifRr0u1Yr94st5CdVG+NqoHVcG8Fyt/Hh2osliJmUu1N/UDTS8MvD8T+nSMYcGQ3GUvAV0YZ+uUf8Q=
需要记录节点的公钥指纹
[root@ansible /etc/ansible]# ansible 172.20.10.7 -m ping -k
SSH password:
172.20.10.7 | SUCCESS => {
[root@ansible /etc/ansible]# vim hosts
[node]
172.20.10.7
172.20.10.8
无密码连接:
[root@ansible ~]# vim /etc/ansible/hosts
[node]
172.20.10.7 ansible_ssh_user=root ansible_ssh_pass=123
172.20.10.8 ansible_ssh_user=root ansible_ssh_pass=123
[root@ansible ~]# ansible node -m ping
[root@ansible ~]# ll /etc/ansible/hosts
-rw-r--r-- 1 root root 1134 Jul 19 10:08 /etc/ansible/hosts
注意:hosts 文件权限是 644,写在里面的明文密码本机任何用户都能读到,建议 chmod 600 /etc/ansible/hosts,或者改用下面的 ssh 密钥方式。
ssh无密码连接:
[root@ansible ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 回车
Enter passphrase (empty for no passphrase): 回车
Enter same passphrase again:回车
[root@ansible ~]# cd .ssh/
[root@ansible ~/.ssh]# ls
id_rsa id_rsa.pub
私钥 公钥
公钥发布给被连接端
[root@ansible ~]# ssh-copy-id -i .ssh/id_rsa.pub 172.20.10.7
[root@node1 ~]# cd .ssh/
[root@node1 ~/.ssh]# ls
authorized_keys
[root@node1 ~/.ssh]# cat authorized_keys
分发公钥的操作脚本化:
[root@ansible ~]# vim iplist
172.20.10.7
172.20.10.8
[root@ansible ~]# vim scp_sshpubkey.sh
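#!/bin/bash
# Distribute this host's SSH public key to every node listed in $file
# (one IP per line), so later ssh/ansible logins no longer need a password.
#
# NOTE(review): the node password is hard-coded below in a plain file.
# Keep the script readable only by root (chmod 600) or pass the password
# through the SSH_PASS environment variable instead of editing the file.
set -u

pass="${SSH_PASS:-123}"
key="/root/.ssh/id_rsa.pub"
file="/root/iplist"

[[ -r "$key" ]]  || { printf '%s\n' "公钥不存在: ${key}" >&2; exit 1; }
[[ -r "$file" ]] || { printf '%s\n' "IP列表不存在: ${file}" >&2; exit 1; }

# -r keeps backslashes literal; the || clause still processes a final line
# that has no trailing newline.  Leading/trailing whitespace is trimmed by read.
while read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" || "$ip" == \#* ]] && continue   # skip blank lines and comments
  # sshpass -e reads the password from $SSHPASS, so it does not show up in
  # the process list the way `sshpass -p` does.
  # StrictHostKeyChecking=no skips host-key verification on first contact:
  # acceptable only on a trusted network, because a forged host could then
  # collect both the key and the password.
  if SSHPASS="$pass" sshpass -e /usr/bin/ssh-copy-id -o StrictHostKeyChecking=no -i "$key" "$ip" &> /dev/null; then
    printf '%s\n' "${ip}公钥传输成功."
  else
    # report failures instead of silently skipping the node
    printf '%s\n' "${ip}公钥传输失败." >&2
  fi
done < "$file"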
sshpass 用于非交互地传入被连接端的 ssh 密码
[root@ansible ~]# sshpass -p 123 ssh 172.20.10.7
Last login: Thu Jul 19 10:15:12 2021 from ansible.ysla.com
[root@node1 ~]#
[root@ansible ~]# > .ssh/known_hosts
[root@ansible ~]# sshpass -p 123 ssh -o StrictHostKeyChecking=no 172.20.10.7
介绍ansible的常用模块:
1. ping
探测对端是否存活
ansible node -m ping
2. command
在节点执行命令,不支持管道|
[root@ansible ~]# ansible node -m command -a "mkdir /tmp/dir1"
返回信息:
绿 成功
红 失败
粉 警告
黄 执行成功且有改动(状态显示为 CHANGED)
3. copy
将ansible的文件传输给节点。
选项:
src 源文件
dest 目标文件
backup 如果目标文件已存在,覆盖之前是否要备份
owner 指定所有者
mode 指定权限
[root@ansible /etc/ansible]# mkdir files
[root@ansible /etc/ansible]# ls
ansible.cfg files hosts roles
[root@ansible /etc/ansible]# cp /etc/hosts files/
[root@ansible /etc/ansible]# ansible node -m copy -a "src=/etc/ansible/files/hosts dest=/tmp/hosts"
[root@ansible /etc/ansible]# ansible node -m copy -a "src=/etc/ansible/files/hosts dest=/etc/hosts backup=yes"
[root@ansible /etc/ansible]# ansible node -m command -a "useradd user1"
[root@ansible /etc/ansible]# ansible node -m copy -a "src=/etc/ansible/files/hosts dest=/tmp/hosts1 owner=user1 mode=700"
[root@ansible /etc/ansible]# ansible node -m command -a "ls -l /tmp/hosts1"
172.20.10.8 | CHANGED | rc=0 >>
-rwx------ 1 user1 root 256 Jul 19 11:53 /tmp/hosts1
172.20.10.7 | CHANGED | rc=0 >>
-rwx------ 1 user1 root 256 Jul 19 11:53 /tmp/hosts1
4. file
管理节点上的文件
选项:
path 指定文件路径
state 操作
touch 创建文件
directory 创建目录
absent 删除
[root@ansible ~]# ansible node -m file -a "path=/tmp/f1 state=touch"
## == touch
[root@ansible ~]# ansible node -m file -a "path=/tmp/d1 state=directory"
## == mkdir
[root@ansible ~]# ansible node -m file -a "path=/tmp/f1 state=absent"
## == rm -f
[root@ansible ~]# ansible node -m file -a "path=/tmp/d1 state=absent"
## == rm -fr
[root@ansible ~]# ansible node -m file -a "path=/tmp/f1 mode=700 owner=user1 group=user1 state=touch"
## == touch
## == chown user1:user1
## == chmod 700
[root@ansible ~]# ansible node -m file -a "path=/tmp/d1/d2/d3 state=directory"
## == mkdir -p
[root@ansible ~]# ansible node -m file -a "path=/tmp/d1/d2/d3 mode=757 recurse=yes"
## == chmod -R 757
# vim /etc/bashrc
export PS1="[\u@\[\e[32;40m\]\h \[\e[31;40m\]\w\[\e[0m\]]\\$ "
5. get_url
下载文件的
[root@ansible ~]# ansible node -m get_url -a "url=ftp://172.20.10.99/release/epel-release-7-6.noarch.rpm dest=/tmp"
[root@ansible ~]# ansible node -m get_url -a "url=ftp://172.20.10.99/scripts/nginx-1.13-clean.sh dest=/tmp mode=755"
6. user
管理用户
[root@ansible ~]# ansible node -m user -a "name=zhangsan uid=2000"
## == useradd -u 2000 zhangsan
[root@ansible ~]# ansible 172.20.10.7 -m user -a "name=zhangsan state=absent"
## == userdel zhangsan
[root@ansible ~]# ansible 172.20.10.8 -m user -a "name=zhangsan state=absent remove=yes"
## == userdel -r zhangsan
7. group
管理组
[root@ansible ~]# ansible node -m group -a "name=group1 gid=100000"
## == groupadd -g 100000 group1
[root@ansible ~]# ansible node -m group -a "name=group1 state=absent"
## == groupdel group1
8. yum
安装rpm包
卸载:
[root@ansible ~]# ansible node -m yum -a "name=lftp state=absent"
安装:
[root@ansible ~]# ansible node -m yum -a "name=lftp"
9. systemd
管理节点上的服务 开启或关闭
centos7
centos6是service模块
[root@ansible ~]# ansible node -m yum -a "name=httpd"
[root@ansible ~]# ansible node -m systemd -a "name=httpd state=started"
[root@ansible ~]# ansible node -m systemd -a "name=httpd state=stopped"
[root@ansible ~]# ansible node -m systemd -a "name=httpd state=restarted"
[root@ansible ~]# ansible node -m systemd -a "name=httpd enabled=yes"
10. shell
在节点执行shell脚本
[root@ansible ~]# ansible node -m shell -a "/usr/bin/bash /tmp/nginx-1.13-clean.sh"
11. cron
在远程节点配置计划任务
每隔5分钟,执行一次关闭firewalld的命令:
*/5 * * * * systemctl stop firewalld
分 minute
时 hour
日 day
月 month
周 weekday
命令 job
[root@ansible ~]# ansible node -m cron -a 'name="stop firewalld" minute=*/5 job="systemctl stop firewalld"'
[root@node1 /tmp]# crontab -l
#Ansible: stop firewalld
*/5 * * * * systemctl stop firewalld
=======================================
写剧本:
[root@ansible /etc/ansible]# mkdir playbooks
[root@ansible /etc/ansible]# cd playbooks/
[root@ansible /etc/ansible/playbooks]# vim apache.yml
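# apache.yml — install httpd on the [node] group, push the prepared config
# and index page, and restart httpd only when the config task reports a
# change (handlers run once, at the end of the play, if notified).
# src paths like files/httpd.conf are relative to the directory that holds
# this playbook (the files/ directory created next to apache.yml).
- name: install and config apache
  hosts: node
  remote_user: root          # play keyword; `user:` is the older alias
  tasks:
    - name: install apache
      yum:
        name: httpd
    - name: config apache
      copy:
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        backup: yes          # keep a copy of the previous config on the node
      notify: restart httpd
    - name: create index.html
      copy:
        src: files/index.html
        dest: /var/www/html/index.html
  handlers:
    - name: restart httpd
      systemd:
        name: httpd
        state: restarted
        enabled: yes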
[root@ansible /etc/ansible/playbooks]# mkdir files
[root@ansible /etc/ansible/playbooks]# yum install -y httpd
[root@ansible /etc/ansible/playbooks]# cp /etc/httpd/conf/httpd.conf files/
[root@ansible /etc/ansible/playbooks]# echo "test-ansible" > files/index.html
[root@ansible /etc/ansible/playbooks]# vim files/httpd.conf
加一些注释符号
[root@ansible /etc/ansible/playbooks]# ansible-playbook apache.yml
虚拟主机:
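# Virtual-host variant: push the httpd config, create the a/ and b/ document
# roots with one index page each, and restart httpd only if the config task
# changed something. Only the config task notifies the handler; creating the
# directories or index pages does not trigger a restart.
- name: config apache
  hosts: node
  remote_user: root          # play keyword; `user:` is the older alias
  tasks:
    - name: config apache
      copy:
        src: files/httpd.conf
        dest: /etc/httpd/conf/httpd.conf
        backup: yes
      notify: restart httpd
    - name: create a'directory
      file:
        path: /var/www/html/a
        state: directory
    - name: create b'directory
      file:
        path: /var/www/html/b
        state: directory
    - name: create a'index.html
      copy:
        src: files/aindex.html
        dest: /var/www/html/a/index.html
    - name: create b'index.html
      copy:
        src: files/bindex.html
        dest: /var/www/html/b/index.html
  handlers:
    - name: restart httpd
      systemd:
        name: httpd
        state: restarted
        enabled: yes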
写一个ftp部署剧本:
[root@ansible /etc/ansible/playbooks]# vim ftp.yml
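# ftp.yml — install vsftpd on the [node] group, create the upload directory
# owned by the ftp user, push the prepared vsftpd.conf and restart the
# service only when the config task reports a change.
# NOTE(review): no mode is set on /var/ftp/upload, so it keeps whatever the
# node's default umask yields — set mode explicitly if uploads must be
# restricted.
- name: install and config vsftpd
  hosts: node
  remote_user: root          # play keyword; `user:` is the older alias
  tasks:
    - name: install vsftpd
      yum:
        name: vsftpd
    - name: create upload dir
      file:
        path: /var/ftp/upload
        owner: ftp
        state: directory
    - name: config vsftpd
      copy:
        src: files/vsftpd.conf
        dest: /etc/vsftpd/vsftpd.conf
        backup: yes          # keep a copy of the previous config on the node
      notify: restart vsftpd
  handlers:
    - name: restart vsftpd
      systemd:
        name: vsftpd
        state: restarted
        enabled: yes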
[root@ansible /etc/ansible/playbooks]# yum install -y vsftpd
[root@ansible /etc/ansible/playbooks]# cp /etc/vsftpd/vsftpd.conf files/
[root@ansible /etc/ansible/playbooks]# vim files/vsftpd.conf