1. Install Ansible with yum
Reference: https://www.w3cschool.cn/automate_with_ansible/automate_with_ansible-1khc27p1.html
yum install -y epel-release
yum install -y ansible
[root@testx yum.repos.d]# ansible --version
2. Ansible configuration file path
[root@testx yum.repos.d]# cd /etc/ansible/
[root@testx ansible]# ll
total 24
-rw-r--r--. 1 root root 19985 Jun 19 11:04 ansible.cfg
-rw-r--r--. 1 root root 1016 Jun 19 11:04 hosts
drwxr-xr-x. 2 root root 6 Jun 19 11:04 roles
2. Hello World
[root@testx ansible]# /bin/echo -e "[local]\nlocalhost ansible_connection=local" >> /etc/ansible/hosts
[root@testx ansible]# ansible localhost -m command -a 'echo Hello World.'
localhost | CHANGED | rc=0 >>
Hello World.
3. Configure passwordless login for mylog
Log in to host A as mylog and run:
step1:
Generate a private and public key pair on machine A:
ssh-keygen -t rsa
This creates the public key (id_rsa.pub) and the private key (id_rsa) under ~/.ssh/
step2:
Copy machine A's public key (id_rsa.pub) into the ~/.ssh/authorized_keys file on machine B
scp ~/.ssh/id_rsa.pub mylog@192.168.189.131:/home/mylog/id_rsa.pub
In general: scp ~/.ssh/id_rsa.pub username@host:/home/B/id_rsa.pub
Log in to machine B and append the contents of /home/B/id_rsa.pub to the ~/.ssh/authorized_keys file
step3:
Set the permissions of the ~/.ssh/authorized_keys file on machine B:
chmod 600 ~/.ssh/authorized_keys
chmod 700 /home/mylog/.ssh
From host A you can now log in directly with ssh mylog@192.168.189.131 without entering a password
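The three steps above (append the public key, then fix the modes on ~/.ssh and authorized_keys) as one script. This is an added example, not part of the original notes: it installs a key into a local home directory idempotently and checks the permissions sshd's StrictModes requires, which is the usual cause of "Permission denied (publickey,...)" when the key itself is in place. The function names are mine, and GNU coreutils (stat -c) is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): install a public key into an
# account's authorized_keys and verify the permissions sshd's StrictModes
# requires (700 on ~/.ssh, 600 on authorized_keys). Works on local paths only,
# so it can be exercised against a scratch directory. Assumes GNU stat -c.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key once (re-runs are idempotent) and sets the required modes.
install_authorized_key() {
    local home="$1" pubkey="$2"
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"
    mkdir -p "$sshdir"
    touch "$authkeys"
    # -x matches the whole line, -F treats the key as a literal string
    if ! grep -qxF "$(cat "$pubkey")" "$authkeys"; then
        cat "$pubkey" >> "$authkeys"
    fi
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"
}

# check_ssh_perms HOME_DIR
# Returns 0 when sshd will accept the layout, 1 otherwise (and names the problem).
# A 644 authorized_keys or a 755 ~/.ssh makes sshd ignore the key file.
check_ssh_perms() {
    local home="$1" rc=0
    local sshdir="$home/.ssh" authkeys="$home/.ssh/authorized_keys"
    [ -d "$sshdir" ] || { echo "missing $sshdir"; return 1; }
    [ -f "$authkeys" ] || { echo "missing $authkeys"; return 1; }
    [ "$(stat -c %a "$sshdir")" = "700" ] || { echo "$sshdir should be 700"; rc=1; }
    [ "$(stat -c %a "$authkeys")" = "600" ] || { echo "$authkeys should be 600"; rc=1; }
    return "$rc"
}

# count_authorized_keys HOME_DIR: number of non-empty lines in authorized_keys
count_authorized_keys() {
    awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Usage on a real host, for the current account:
#   install_authorized_key "$HOME" ~/.ssh/id_rsa.pub && check_ssh_perms "$HOME"
```

Running install_authorized_key twice leaves a single entry, which matters when the same key is pushed repeatedly from a playbook; check_ssh_perms is the test to run first when passwordless login fails despite the key being present.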
[mylog@testx ~]$ ssh mylog@192.168.189.131
Last login: Fri Jul 24 18:03:15 2020 from node1
[mylog@test-two ~]$ exit
logout
Connection to 192.168.189.131 closed.
[mylog@testx ~]$ ansible 192.168.189.131 -m shell -a "mkdir /tmp/1"
192.168.189.131 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
The error is caused by the user setting in the configuration file on the Ansible control node
[root@testx ~]# vi /etc/ansible/hosts
#[local]
#localhost ansible_connection=local
192.168.189.131 ansible_user=mylog
[root@testx ~]#
[root@testx ~]# vi /etc/ansible/ansible.cfg
[defaults]
#some basic default values...
hostfile = hosts
remote_user = mylog
host_key_checking = False
[root@testx ~]# exit
logout
[mylog@testx ~]$ ansible 192.168.189.131 -m shell -a "mkdir /tmp/1"
[WARNING]: Consider using the file module with state=directory rather than running 'mkdir'. If you
need to use command because file is insufficient you can add 'warn: false' to this command task or set
'command_warnings=False' in ansible.cfg to get rid of this message.
192.168.189.131 | CHANGED | rc=0 >>
If the Ansible server has no SSH trust relationship with the remote host, the username and password can be given directly in the hosts inventory.
If a regular (non-root) user is used and sudo is required, that user's sudo rights must be configured beforehand in /etc/sudoers on the client, i.e. the regular user must be granted sudo permission.
[root@testx ansible]# cat hosts
[test-host]
192.168.189.131 ansible_ssh_user=mylog ansible_ssh_pass=** ansible_ssh_port=22
192.168.189.133 ansible_ssh_user=mylog ansible_ssh_pass=** ansible_ssh_port=22
That is, the 192.168.189.133 client must be configured in advance to allow the app user to use sudo.
Run:
[root@testx ansible]# ansible test-host -m shell -a "hostname"
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
192.168.189.131 | CHANGED | rc=0 >>
test-two
192.168.189.133 | CHANGED | rc=0 >>
testx-three
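The inventory above, and the one in the batch section, carries ansible_ssh_pass in plain text. An inventory file travels into backups, git history and shell history, so it is worth checking for that before it is committed. The following is an added example, not from the original notes: a small audit that walks an INI-style inventory (as in the hosts files shown here) and flags every host line carrying a credential variable. Function and variable names are mine; the list of variable names covers the ones Ansible reads as SSH or become passwords.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit an INI-style Ansible
# inventory for plaintext credential variables such as ansible_ssh_pass.
# The fix is key-based login (authorized_key push) or ansible-vault, not a
# password in the inventory.

# Variable names Ansible reads as credentials (ansible_ssh_pass is the
# older alias of ansible_password).
CRED_VARS='ansible_ssh_pass|ansible_password|ansible_become_pass|ansible_sudo_pass|ansible_su_pass'

# audit_inventory INVENTORY_FILE
# Prints one line per host that carries a credential variable; returns 1 if any found.
audit_inventory() {
    local inv="$1" found=0 line host
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*|'['*) continue ;;   # blank line, comment or [group] header
        esac
        # match "<var>=" whether it starts the line or follows whitespace;
        # "[[:space:]]*=" also catches "ansible_ssh_pass= value"
        if printf '%s\n' "$line" | grep -Eq "(^|[[:space:]])($CRED_VARS)[[:space:]]*="; then
            host="${line%%[[:space:]]*}"     # first token is the host or alias
            echo "plaintext credential on host: $host"
            found=1
        fi
    done < "$inv"
    return "$found"
}

# count_plaintext_creds INVENTORY_FILE: number of hosts flagged (always exits 0)
count_plaintext_creds() {
    audit_inventory "$1" | awk 'END { print NR }'
}

# Usage: audit_inventory /etc/ansible/hosts || echo "inventory contains passwords"
```

The non-zero return makes it usable as a pre-commit or CI gate; commented-out lines are skipped, so an old password left behind a # is still worth removing by hand.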
Batch configuration of passwordless login
[root@zabbix-server ansible]# cat /etc/ansible/hosts
[test-host]
10.5.1.21 ansible_ssh_user=mylog ansible_ssh_pass= **
10.5.1.23 ansible_ssh_user=mylog ansible_ssh_pass= **
Change host_key_checking (host key checking is enabled by default):
vi /etc/ansible/ansible.cfg
host_key_checking = False
[root@zabbix-server ansible]# cat push.ssh.ymal
#Using alternate directory locations:
- hosts: test-host
  user: mylog
  tasks:
    - name: ssh-copy
      authorized_key: user=mylog key="{{ lookup('file', '/home/mylog/.ssh/id_rsa.pub') }}"
      tags:
        - sshkey
[root@zabbix-server ansible]# ansible-playbook push.ssh.ymal
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [test-host] ***************************************************************************************
TASK [Gathering Facts] *********************************************************************************
ok: [10.5.1.21]
ok: [10.5.1.23]
TASK [ssh-copy] ****************************************************************************************
changed: [10.5.1.21]
changed: [10.5.1.23]
PLAY RECAP *********************************************************************************************
10.5.1.21 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.5.1.23 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Test whether the key was distributed successfully
#check the time on each machine
ansible all -a date
#ansible all -m command -a date # same effect as above
#ping
ansible all -m ping
Use Ansible's user module to change user passwords on remote clients in batch
When changing a user's password with Ansible the password cannot be given in plain text; it must be hashed first, so a method is needed to hash the plaintext password that is entered.
[root@ansible-server ~]# vim /opt/root_passwd.yaml
- hosts: ssh-host
  gather_facts: false
  tasks:
    - name: change user passwd
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always
      with_items:
        - { name: 'root', chpass: 'kevin@123' }
        - { name: 'app', chpass: 'bjop123' }
Note that the YAML file above changes the passwords of the root user and the app user on the remote clients.
To change other users' passwords, keep adding entries following the same pattern.
Run ansible-playbook
[root@ansible-server ~]# ansible-playbook /opt/root_passwd.yaml
Method 2: this method is more convenient for changing a single user's password on remote hosts
Write the playbook file
[root@ansible-server ~]# vim /opt/root_passwd2.yaml
- hosts: ssh-host
  gather_facts: false
  tasks:
    - name: Change password
      user: name={{ name1 }} password={{ chpass | password_hash('sha512') }} update_password=always
Run ansible-playbook, passing the username and password to the playbook with the -e parameter; here root is the username and admin#123 is the new root password
[root@ansible-server ~]# ansible-playbook /opt/root_passwd2.yaml -e "name1=root chpass=admin#123"
After every host in the hosts file has been SSHed to once, a known_hosts file appears on the Ansible server recording the SSH trust information (the host keys) for those hosts; after that the passwords can be removed from the hosts file and these IPs can still be reached without a password
[mylog@zabbix-server .ssh]$ ll
total 16
-rw------- 1 mylog mylog 401 Jul 31 15:34 authorized_keys
-rw------- 1 mylog mylog 1679 Jul 28 16:59 id_rsa
-rw-r--r-- 1 mylog mylog 401 Jul 28 16:59 id_rsa.pub
-rw-r--r-- 1 mylog mylog 519 Jul 31 15:36 known_hosts
III. Other Ansible scripts
- Prepare the playbook file, with a .yml suffix
3.1. Copy the ssh key:
rsync_key.yml
File contents:
- hosts: test
  remote_user: test
  tasks:
    - name: copy ssh key
      authorized_key:
        user: test
        key: "{{ lookup('file', '/home/test/.ssh/id_rsa.pub') }}"
3.2. Transfer the key to the remote server:
rsync_key2.yml
File contents:
- hosts: test
  remote_user: test
  tasks:
    - name: mkdir /home/test/.ssh
      command: mkdir -p /home/test/.ssh
    - name: copy ssh key
      copy: src=/home/test/.ssh/id_rsa.pub dest=/home/test/.ssh owner=test group=test mode=0644
3.3. Run the playbook
-i test specifies the inventory of remote servers the playbook runs against; test is used in place of the default hosts file
ansible-playbook -i test rsync_key.yml
ansible-playbook -i test rsync_key2.yml (not needed; the first one is enough)
Add the hadoop user
useradd.yml
- hosts: hadoop_devops_hosts
  remote_user: test
  sudo: yes
  vars:
    user: hadoop
  tasks:
    - name: add user
      action: user name={{ user }} home=/home/{{ user }}
      tags:
        - user
After it finishes, check:
ansible -i ./hosts hadoop_hosts -m shell -a "id hadoop"
Next, generate the hadoop key remotely
so that the hadoop user can move between all the servers without a password
IV. Install lrzsz remotely with Ansible
[root@zabbix-server ansible]# cat push.ssh.ymal
- hosts: IDC2
  remote_user: mylog
  become: yes
  become_method: sudo
  #become_user: root
  tasks:
    - name: install lrzsz
      shell: yum install -y lrzsz
      #action: yum name=lrzsz state=present
      #sudo: yes
[root@zabbix-server ansible]# ansible-playbook push.ssh.ymal
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv
to see details
PLAY [IDC2] **************************************************************************
TASK [Gathering Facts] ***************************************************************
fatal: [10.5.10.103]: FAILED! => {"msg": "Missing sudo password"}
PLAY RECAP ***************************************************************************
10.5.10.103 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
[root@zabbix-server ansible]#
####################### sudo settings #######################
#Usually -b switches the user identity, but adding it to every command is tedious; it can be set directly in the configuration file
[ans@node1 ansible]$ vim ansible.cfg
...
[privilege_escalation]
become=True #enable privilege escalation
become_method=sudo #escalation method is sudo
become_user=root #switch identity to root
become_ask_pass=False #do not prompt for a password
#add the [privilege_escalation] section
[root@node2 ~]# vim /etc/sudoers
...
ans ALL=(ALL) NOPASSWD: ALL
...
#sudo is only set up on node2; check the test result
6. Run a remote install with sudo from the Ansible server by adding -b
[mylog@zabbix-server ansible]$ ansible 10.5.11.232 -m yum -a 'name=httpd state=present' -b
7. Switch from a regular user to the root (uid 0) user to run shell remotely
ansible 10.5.11.233 -m shell -a “touch /tmp/0804.txt” --become-method su --become-user myroot
7.1 Switch user remotely in an Ansible playbook
[root@localhost ~]# cat /etc/ansible/test.yaml
- hosts: lb
  become: yes
  become_user: root
  become_method: sudo
  tasks:
    - name: start httpd
      service: name=httpd state=started
7.2 Switch user remotely in an ad-hoc Ansible command
[root@localhost ~]# ansible lb -b --become-user root --become-method sudo -m service -a "name=httpd state=stopped"