I. Running ad-hoc commands
1. Basic syntax
ansible <host or group> -m <module name> -a '<module arguments>' [other options]
# use the ping module to test connectivity to a managed node
[student@workstation ~]$ ansible servera -m ping
servera | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
[student@workstation ~]$ ansible servera -m ping -o    # -o prints the whole result on one line
servera | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
2. List all modules available in the installed version
[student@workstation ~]$ ansible-doc -l | wc -l
2834
[student@workstation ~]$ ansible-doc ping
# "ansible-doc <module>" shows the module's help; once it is open, search for "/EXAMPLES" to jump to the examples
[student@workstation ~]$ ansible-doc -s ping    # short summary of the module's usage and its parameters
II. Common Ansible modules
1. command module
(1) The command to run is passed after -a and executed directly, but it cannot contain the shell metacharacters <, >, |, &. When -m is omitted, command is the default module.
[student@workstation ~]$ ansible servera -m command -a 'free -m'
servera | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 821 222 366 11 232 464
Swap: 0 0 0
(2) Parameters
chdir: change into this directory before running the command
[student@workstation ~]$ ansible servera -m command -a 'chdir=/etc pwd'
servera | CHANGED | rc=0 >>
/etc
creates: if the named file exists, the command is not run
[student@workstation ~]$ ansible servera -m command -a 'creates=aaa.txt ls'
# aaa.txt does not exist, so ls runs
servera | CHANGED | rc=0 >>
anaconda-ks.cfg
original-ks.cfg
removes: if the named file does not exist, the command is not run
[student@workstation ~]$ ansible servera -m command -a 'removes=aaa.txt ls'
# aaa.txt does not exist, so ls is skipped
servera | SUCCESS | rc=0 >>
skipped, since aaa.txt does not exist
2. shell module
Like command, but the command is run through /bin/bash, so <, >, |, & are supported
[student@workstation ~]$ ansible servera -m shell -a 'free -m | grep Swap'
servera | CHANGED | rc=0 >>
Swap: 0 0 0
free_form: the Linux command to execute
executable: absolute path of a different shell to run the command with
3. raw module
Like command and shell, it can run commands containing special characters, but raw has no chdir, creates, removes or similar parameters
[student@workstation ~]$ ansible-doc -s raw
- name: Executes a low-down and dirty command
raw:
executable: # Change the shell used to execute the command. Should be an absolute path to the executable. When using privilege escalation (`become') a default shell
will be assigned if one is not provided as privilege escalation requires a shell.
free_form: # (required) The raw module takes a free form command to run. There is no parameter actually named 'free form'; see the examples!
4. script module
Runs a shell script from the control node on the managed node (the script is copied from the control node to the managed node and then executed there)
[student@workstation ~]$ cat date.sh
#!/bin/bash
date > /date.txt
[student@workstation ~]$ ansible servera -m script -a '/home/student/date.sh'
# copy the shell script from the control node to servera, run it there, then check that it succeeded
servera | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to servera closed.\r\n",
"stderr_lines": [
"Shared connection to servera closed."
],
"stdout": "",
"stdout_lines": []
}
[student@workstation ~]$ ansible servera -m shell -a 'cat /date.txt'
servera | CHANGED | rc=0 >>
Sat Oct 14 04:09:17 GMT 2023    # the script ran successfully
5. file module
Mainly used to create and delete files or directories, change permissions, and so on
Parameters:
path: required; the file or directory to operate on (dest, or name in older versions, can be used instead)
state: one of touch (file), directory (directory), link (symbolic link), hard (hard link), absent (delete); it says what kind of filesystem object is created or removed
src: when state is link or hard, src names the target the link points to
force: with state=link, create the link even when it normally would not be; this covers three cases (the source that src points to does not exist yet, so the link is created ahead of it; a file with the same name already exists in the link's directory, so force=yes deletes it and then creates the link; when both conditions hold, force=yes replaces the existing file with the link)
owner: owner of the file on the managed node; the user must already exist
group: group of the file on the managed node; the group must already exist
mode: permissions of the file on the managed node, usually given as mode=<numeric permissions>
recurse: when the target is a directory, apply the operation recursively
Example:
[student@workstation ~]$ ansible servera -m file -a 'path=/tmp/abc.txt state=touch'
servera | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"dest": "/tmp/abc.txt",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"secontext": "unconfined_u:object_r:user_tmp_t:s0",
"size": 0,
"state": "file",
"uid": 0
}
[student@workstation ~]$ ansible servera -m shell -a 'ls /tmp | grep abc.txt'
servera | CHANGED | rc=0 >>
abc.txt
6. copy module
Mainly used to copy files from the control node to the managed node
Parameters:
src: the directory or file to copy
dest: the destination directory on the managed node (required)
content: when the content does not come from a file named by src, content gives the file content directly; one of src or content is required
force: when a file with the same name but different content already exists at the destination, whether to overwrite it; defaults to yes
backup: when a file with the same name but different content already exists at the destination, whether to back up the existing file first
owner: owner of the file after it is copied to the managed node; the user must already exist
group: group of the file after it is copied to the managed node; the group must already exist
mode: permissions of the file after it is copied to the managed node, usually given as mode=<numeric permissions>
Example:
[student@workstation ~]$ cat list
servera
[student@workstation ~]$ ansible servera -m copy -a 'src=/home/student/list dest=/tmp/'
servera | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"checksum": "8e723f6a40d561529bae71445d9a60fbd8185fc6",
"dest": "/tmp/list",
"gid": 0,
"group": "root",
"md5sum": "b891602b9b8b0a41ffd86c15b171ea56",
"mode": "0644",
"owner": "root",
"secontext": "unconfined_u:object_r:admin_home_t:s0",
"size": 8,
"src": "/root/.ansible/tmp/ansible-tmp-1697267810.5263553-92157951653798/source",
"state": "file",
"uid": 0
}
[student@workstation ~]$ ansible servera -m shell -a 'cat /tmp/list'
servera | CHANGED | rc=0 >>
servera
# Note: when copying a directory, a src path without a trailing / copies the directory itself together with its contents; a path with a trailing / copies only the files inside the directory, not the directory itself
7. fetch module
Mainly used to copy files from the managed node to the control node
Parameters:
dest: the path on the control node to copy to
src: the path on the managed node to copy from
flat: whether to reproduce the file's directory structure from the managed node; yes means do not reproduce it
Example:
# keep the default directory structure
[student@workstation ~]$ ansible servera -m fetch -a 'src=/tmp/abc.txt dest=/home/student'
servera | CHANGED => {
"changed": true,
"checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"dest": "/home/student/servera/tmp/abc.txt",
"md5sum": "d41d8cd98f00b204e9800998ecf8427e",
"remote_checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"remote_md5sum": null
}
[student@workstation ~]$ ll
total 16
-rw-rw-r--. 1 student student 238 Oct 12 13:27 ansible.cfg
-rw-rw-r--. 1 student student 29 Oct 14 04:06 date.sh
-rw-rw-r--. 1 student student 8 Oct 12 09:34 list
-rw-rw-r--. 1 student student 105 Oct 12 13:33 myhosts1
drwxrwxr-x. 3 student student 17 Oct 14 07:36 servera
[student@workstation ~]$ tree servera
servera
└── tmp
└── abc.txt
1 directory, 1 file
# without the directory structure, the fetched file lands directly in dest
[student@workstation ~]$ ansible servera -m fetch -a 'src=/tmp/abc.txt dest=/home/student/ flat=yes'
servera | CHANGED => {
"changed": true,
"checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"dest": "/home/student/abc.txt",
"md5sum": "d41d8cd98f00b204e9800998ecf8427e",
"remote_checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"remote_md5sum": null
}
[student@workstation ~]$ ll
total 16
-rw-rw-r--. 1 student student 0 Oct 14 07:48 abc.txt
-rw-rw-r--. 1 student student 238 Oct 12 13:27 ansible.cfg
-rw-rw-r--. 1 student student 29 Oct 14 04:06 date.sh
-rw-rw-r--. 1 student student 8 Oct 12 09:34 list
-rw-rw-r--. 1 student student 105 Oct 12 13:33 myhosts1
# Note this error:
"msg": "dest is an existing directory, use a trailing slash if you want to fetch src into that directory"
When flat=yes and the destination directory already exists, add a trailing slash after the directory path
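The checksum (SHA-1) and md5sum fields in the copy and fetch results above are what an operator can use to confirm that a transferred file is intact. As an added example that is not part of the original post, this stdlib Python check recomputes both digests over the local file's bytes and compares them with the module result; it reuses the fetch output for the empty /tmp/abc.txt shown above and constructs the tampered input.

```python
import hashlib
import json

# The fetch result printed above for /tmp/abc.txt (a file created with
# state=touch, so it is empty); pasted here as the sample module result.
FETCH_RESULT = json.loads("""{
    "changed": true,
    "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "dest": "/home/student/abc.txt",
    "md5sum": "d41d8cd98f00b204e9800998ecf8427e",
    "remote_checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "remote_md5sum": null
}""")


def file_digests(data: bytes) -> dict:
    """SHA-1 ('checksum') and MD5 ('md5sum'), the two digests copy/fetch report."""
    return {"checksum": hashlib.sha1(data).hexdigest(),
            "md5sum": hashlib.md5(data).hexdigest()}


def verify_transfer(result: dict, local_data: bytes) -> list:
    """Compare a copy/fetch module result with the bytes actually on disk.

    Returns a list of mismatch messages; an empty list means every digest the
    module reported matches. For fetch, remote_checksum is the SHA-1 computed
    on the managed node before transfer, so it is compared both with the local
    bytes and with the post-transfer 'checksum'.
    """
    local = file_digests(local_data)
    problems = []
    for key, local_key in (("checksum", "checksum"), ("md5sum", "md5sum"),
                           ("remote_checksum", "checksum")):
        expected = result.get(key)
        if expected is None:           # skip fields the module did not report
            continue
        if expected != local[local_key]:
            problems.append(f"{key}: module says {expected}, local file has {local[local_key]}")
    remote, final = result.get("remote_checksum"), result.get("checksum")
    if remote and final and remote != final:
        problems.append("remote_checksum differs from checksum: content changed in transit")
    return problems


if __name__ == "__main__":
    print(verify_transfer(FETCH_RESULT, b""))          # [] : the empty file matches
    print(verify_transfer(FETCH_RESULT, b"tampered"))  # three mismatches
```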
8. yum/apt/dnf modules
Mainly used for package management
Parameters:
name: the package to operate on; can also be the path of a local rpm file or the URL of a remote one
state: one of present (install), absent (remove), latest (update)
Example:
[student@workstation ~]$ ansible servera -m yum -a 'name="bind" state=present'
servera | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"msg": "Nothing to do",
"rc": 0,
"results": [
"Installed: bind"
]
}
[student@workstation ~]$ ansible servera -m yum -a 'name="httpd" state=latest'
# update a package
9. service module
Mainly used to manage services
Parameters:
enabled: yes/no, whether the service starts at boot
name: service name
state: one of started, stopped, restarted, reloaded
daemon_reload: yes/no, whether to reload the unit configuration files
Example:
[student@workstation ~]$ ansible servera -m service -a 'name=httpd state=started'
10. systemd module
Mainly used to manage services after their unit files have changed
Same parameters and usage as the service module
11. get_url module
Mainly used to download resources from http/https, ftp and similar servers; think of it as the wget command on Linux
Parameters:
sha256sum: verify the integrity of the download against this checksum
timeout: timeout in seconds, default 10
url: the URL to download, url=<address>
urlpassword/urlusername: password and user name for authentication
use_proxy: use a proxy
owner: owner of the downloaded file
group: group of the downloaded file
12. cron module
Mainly used to manage scheduled tasks
Parameters:
name: a descriptive name; keep it close to what the job does
minute: minute field, e.g. */2 means every two minutes
hour: hour field
day: day of month
month: month
weekday: day of week
state: one of present (create), absent (delete)
job: the command to run, used with state=present
backup: whether to back up the existing crontab before changing it
user: the user whose crontab the job runs under
13. user module
Mainly used for user management; the group module is used in the same way
Parameters:
name: the user name
uid: the user's uid
group: the user's primary (private) group
groups: the user's supplementary groups
state: one of present (create), absent (delete)
remove: with state=absent, remove also deletes the user's home directory
password: the password field to set; the value is written into /etc/shadow exactly as given, so it must already be a password hash (compare the output below)
home: home directory location
createhome: yes/no, whether to create the home directory
shell: login shell
Example:
[student@workstation ~]$ ansible servera -m user -a 'name=sulibao state=present password="slb123"'
[student@workstation ~]$ ansible servera -m shell -a 'cat /etc/passwd | grep sulibao'
servera | CHANGED | rc=0 >>
sulibao:x:1002:1002::/home/sulibao:/bin/bash
[student@workstation ~]$ ansible servera -m shell -a 'cat /etc/shadow | grep sulibao'
servera | CHANGED | rc=0 >>
sulibao:slb123:19645:0:99999:7:::
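The /etc/shadow output above shows the literal string slb123 in the password field, because the user module stores whatever value it is given. As an added example (not from the original post), this stdlib Python audit classifies the password field of shadow-style lines and flags entries that are not crypt hashes; the sample lines are constructed, reusing the sulibao line above and the $6$ hash from the user.yaml example in section VI.

```python
import re

# Constructed sample of /etc/shadow lines: the sulibao line from the page's
# output above (plaintext in the hash field), a line reusing the $6$ hash from
# the page's user.yaml, a locked service account and a legacy md5-crypt entry.
SHADOW_LINES = "\n".join([
    "sulibao:slb123:19645:0:99999:7:::",
    "alice:$6$xJ7udt0hon8ACTGd$nRo7zGW89KII60I4eFrGGtCPbWgY4ErvOALdndlFJSQ"
    "nmkBURxswxoJK4KruuB3T6SykTyKivHpwusKeyvz.G0:19645:0:99999:7:::",
    "svc:!!:19645:0:99999:7:::",
    "bob:$1$saltsalt$" + "B" * 22 + ":19645:0:99999:7:::",
])

# crypt(3) hash identifiers in the form $id$salt$hash; $1$ is treated as legacy.
CRYPT_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
             "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}
NOT_A_HASH = "not a crypt hash (plaintext stored verbatim?)"
LEGACY = {"md5-crypt"}


def classify_password_field(field: str) -> str:
    """Name the kind of value sitting in the second field of a shadow line."""
    if field == "":
        return "empty (no password needed)"
    if field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([A-Za-z0-9]+)\$", field)
    if m and m.group(1) in CRYPT_IDS:
        return CRYPT_IDS[m.group(1)]
    return NOT_A_HASH


def audit_shadow(text: str) -> dict:
    """Return {user: finding} for entries an administrator should look at:
    non-hash values (such as a plaintext password) and legacy hash types."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:           # shadow(5) defines exactly nine fields
            findings[line] = "malformed line"
            continue
        kind = classify_password_field(fields[1])
        if kind == NOT_A_HASH or kind in LEGACY:
            findings[fields[0]] = kind
    return findings


if __name__ == "__main__":
    for user, finding in audit_shadow(SHADOW_LINES).items():
        print(f"{user}: {finding}")
```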
14. archive (pack and compress) / unarchive (unpack and decompress) modules
Parameters:
copy: yes/no; yes transfers the archive from the control node to the managed node and then extracts it into the given directory, no extracts an archive already on the managed node into the given path
src: source path; if it is a path on the managed node, set copy=no
dest: destination path on the managed node
mode: permissions to set on the extracted files
IV. What ansible-vault is for
1. Ansible vault exists to control access to sensitive data such as passwords and API keys; it can encrypt and decrypt any structured data file used by Ansible (inventory variables, playbook variable files, variable files passed to a playbook, variables defined in Ansible roles)
2. Files are created, edited, encrypted, decrypted and viewed with the ansible-vault command-line tool; it does not implement its own cryptographic primitives but relies on external Python libraries
[root@main ~]# ansible-vault --help
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...
encryption/decryption utility for Ansible data files
positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file
optional arguments:
--version show program's version number, config file location,
configured module search path, module location,
executable location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
See 'ansible-vault <command> --help' for more information on a specific
command.
V. Common operations
1. create: create an encrypted file
You must choose a vault password for the file; the same password is needed for every later operation on it
[root@main ~]# ansible-vault create secretfile    # create an encrypted file
New Vault password:    # enter the password twice to confirm
Confirm New Vault password:
# content written in the editor
name: su
password: redhat
# cat shows that the file is already encrypted
[root@main ~]# cat secretfile
$ANSIBLE_VAULT;1.1;AES256
35336161343764376662613932656566636139373031663861623839386363396161616664313962
3539303532323266386435393039383638303263383363330a613064326632333666323739306563
65356661363239383535636136633934356437633735313938636166393734333637663165636630
3861653063636137300a306634323064386432393831353931306537363966373562313630356139
65353565336662333134326563346261396236396464656238303062336335386666
2. view: view an encrypted file
[root@main ~]# ansible-vault view secretfile
Vault password:    # enter the password chosen when the file was created
name: su
password: redhat
3. Entering the password interactively, and avoiding the prompt
(1) To be prompted for the password interactively, pass --ask-vault-pass on the command line
(2) Put the vault password in a file and point the command at that file when working with the encrypted file
[root@main ~]# cat mysecret    # this password file needs the same care; set it to mode 600 to prevent misuse
redhat
[root@main ~]# ansible-vault view secretfile --vault-password-file=mysecret
name: su
password: redhat
(3) Set the password file in the configuration file
[root@main ~]# cat ansible.cfg | grep vault_password
vault_password_file = /root/mysecret
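The $ANSIBLE_VAULT;1.1;AES256 header above is followed by a hex body; decoded, it is three hex strings separated by newlines (salt, HMAC-SHA256 tag, AES-256-CTR ciphertext). As an added example that is not part of the original post, this stdlib Python parser splits that envelope and recomputes the HMAC with the key derived from the vault password, which is the integrity check ansible-vault performs before decrypting; it assumes secretfile was created with the password "redhat" held in mysecret, as step (2) shows, and it does not decrypt the content.

```python
import binascii
import hashlib
import hmac

# The encrypted secretfile exactly as cat printed it above (the page's own
# output); the vault password behind it is "redhat", the content of mysecret.
VAULT_TEXT = """$ANSIBLE_VAULT;1.1;AES256
35336161343764376662613932656566636139373031663861623839386363396161616664313962
3539303532323266386435393039383638303263383363330a613064326632333666323739306563
65356661363239383535636136633934356437633735313938636166393734333637663165636630
3861653063636137300a306634323064386432393831353931306537363966373562313630356139
65353565336662333134326563346261396236396464656238303062336335386666
"""


def parse_vault(text: str) -> dict:
    """Split a vault file into header fields and the three payload parts.

    The hex body decodes to ASCII text '<salt hex>\\n<hmac hex>\\n<ciphertext hex>';
    format 1.2 adds a vault id as a fourth ';'-separated header field.
    """
    header, *body = text.strip().splitlines()
    tag, version, cipher, *vault_id = header.split(";")
    if tag != "$ANSIBLE_VAULT" or cipher != "AES256":
        raise ValueError("not an ansible-vault AES256 file")
    inner = binascii.unhexlify("".join(body)).decode("ascii")
    salt_hex, hmac_hex, ct_hex = inner.split("\n")
    return {"version": version, "vault_id": vault_id[0] if vault_id else None,
            "salt": binascii.unhexlify(salt_hex),
            "hmac": binascii.unhexlify(hmac_hex),
            "ciphertext": binascii.unhexlify(ct_hex)}


def vault_hmac_ok(text: str, password: str) -> bool:
    """Recompute the HMAC-SHA256 tag the way VaultAES256 does and compare it.

    Key material is PBKDF2-HMAC-SHA256 over the password, 10000 rounds, 80 bytes:
    key1 (AES key) | key2 (HMAC key) | iv. Only key2 is needed for the check,
    so a wrong password is detected without touching the ciphertext.
    """
    v = parse_vault(text)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), v["salt"], 10000, dklen=80)
    key2 = derived[32:64]
    tag = hmac.new(key2, v["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, v["hmac"])


if __name__ == "__main__":
    v = parse_vault(VAULT_TEXT)
    print(v["version"], len(v["salt"]), len(v["hmac"]), len(v["ciphertext"]))
    print(vault_hmac_ok(VAULT_TEXT, "redhat"), vault_hmac_ok(VAULT_TEXT, "wrong"))
```

The 32-byte ciphertext is "name: su\npassword: redhat\n" (26 bytes) padded to the AES block size, which is why a 1.1 vault file is never smaller than the plaintext plus the 32-byte salt and tag.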
4. edit: modify an encrypted file
[root@main ~]# ansible-vault --vault-password-file=mysecret edit secretfile
5. rekey: change the password of an encrypted file
After rekeying, the new password is required for all further operations on the file
[root@main ~]# ansible-vault rekey secretfile
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful    # the password was changed
6. encrypt: encrypt an existing file
[root@main ~]# cat waitsecret
hello
[root@main ~]# ansible-vault encrypt waitsecret
New Vault password:
Confirm New Vault password:
Encryption successful
[root@main ~]# cat waitsecret    # encryption done
$ANSIBLE_VAULT;1.1;AES256
63343934373833633035343763303163336538303363326137396362396365323538613062613436
6331633533383465333034653962613062616330363964630a616532313364343061353362376631
34346430373739636235323666333033386637633431313966626136306336306534396136326161
3933333463613235310a393432396663396533376161613166303534656638306564373532353234
3162
7. decrypt: decrypt an encrypted file
[root@main ~]# cat waitsecret
$ANSIBLE_VAULT;1.1;AES256
63343934373833633035343763303163336538303363326137396362396365323538613062613436
6331633533383465333034653962613062616330363964630a616532313364343061353362376631
34346430373739636235323666333033386637633431313966626136306336306534396136326161
3933333463613235310a393432396663396533376161613166303534656638306564373532353234
3162
[root@main ~]# ansible-vault decrypt waitsecret
Vault password:
Decryption successful
[root@main ~]# cat waitsecret
hello
VI. Worked case: creating a user with ansible-vault
1. Prepare a file holding the user name and the hashed password, then encrypt it
[root@main ~]# vim user.yaml
username: "sulibao"
pwdhash: "$6$xJ7udt0hon8ACTGd$nRo7zGW89KII60I4eFrGGtCPbWgY4ErvOALdndlFJSQnmkBURxswxoJK4KruuB3T6SykTyKivHpwusKeyvz.G0"
[root@main ~]# ansible-vault encrypt user.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@main ~]# cat user.yaml
$ANSIBLE_VAULT;1.1;AES256
2. Playbook
(1) Write the playbook
[root@main ~]# cat createuser.yaml
---
- hosts: servera
  vars_files:
    - user.yaml
  tasks:
    - name: create user sulibao
      user:
        name: "{{ username }}"
        password: "{{ pwdhash }}"
(2) Run the playbook
[root@main ~]# ansible-playbook createuser.yaml --syntax-check
ERROR! Attempting to decrypt but no vault secrets found
So either create a file holding the password of user.yaml and pass it when running the playbook, or ask to enter the password interactively
[root@main ~]# ansible-playbook createuser.yaml --vault-password-file=useryamlmima
# or
#[root@main ~]# ansible-playbook createuser.yaml --ask-vault-pass
#Vault password:
PLAY [servera] **********************************************************************************************************************************
TASK [create user sulibao] **********************************************************************************************************************
changed: [servera]
PLAY RECAP **************************************************************************************************************************************
servera : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@main ~]# ansible servera -m shell -a 'grep sulibao /etc/passwd'
servera | CHANGED | rc=0 >>
sulibao:x:1001:1001::/home/sulibao:/bin/bash
3. Log in to verify
[root@main ~]# ssh sulibao@servera
sulibao@servera's password:
[sulibao@localhost ~]$