Linux services: Ansible deployment

1. Building the Ansible inventory

1.1 Defining the inventory

For Ansible to recognise the hosts it can manage, an inventory must be defined.

  • Hosts can be assigned to groups
  • Groups can have child groups

Ways to define it:

  • Static inventory: defined in a text file
  • Dynamic inventory: generated by a script or other program from an external information source

1.2 Specifying managed hosts with a static inventory

Edit the hosts file under /etc/ansible

  • Basic form
[root@node0 ~]# vim /etc/ansible/hosts 

## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
  • With groups

## [dbservers]
## 
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

## db-[99:101]-node.example.com

Set up node0 as the control node and node1 as the managed node

Host    IP
node0   192.168.94.142
node1   192.168.94.141

  1. Map node1's IP on the control node
[root@node0 ~]# vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.94.141 node1

  2. Test
[root@node0 ~]# ping node1
PING node1 (192.168.94.141) 56(84) bytes of data.
64 bytes from node1 (192.168.94.141): icmp_seq=1 ttl=64 time=0.876 ms
...
rtt min/avg/max/mdev = 0.876/0.963/1.015/0.053 ms

  3. Configure the static inventory
[root@node0 ~]# vim /etc/ansible/hosts 

...
node2
[test]
node1   ansible_user=root ansible_password=123456

  • Custom static inventory
// Create a new inventory file under /etc/ansible/
[root@node0 ~]# vim /etc/ansible/inventory
[test]
node1	
// In the main config file, uncomment the default inventory lookup path
[root@node0 ~]# vim /etc/ansible/ansible.cfg 
[defaults]

# some basic default values...
// uncomment this line
inventory      = /etc/ansible/inventory

  • Without a password configured for node1
[root@node0 ~]# vim /etc/ansible/inventory
[test]
node1	
// ping fails
[root@node0 ~]# ansible node1 -m ping
node1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: root@node1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
// generate a public/private key pair
[root@node0 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FVwLhxklQHKFw5QirdJihiiVs/KHTB8ADMO+NzDCx2c root@node0
The key's randomart image is:
+---[RSA 3072]----+
|B. . ..+=***+    |
| += . oo= += .   |
|+o.= o . .. .    |
|*=Bo+E   .       |
|oB==o.  S        |
| .+oo            |
|  ...            |
|                 |
|                 |
+----[SHA256]-----+

// copy the public key to the remote host node1
[root@node0 ~]# ssh-copy-id root@node1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@node1'"
and check to make sure that only the key(s) you wanted were added.

// ping succeeds
[root@node0 ~]# ansible node1 -m ping
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

  4. Viewing hosts
// list the hosts in the test group
[root@node0 ~]# ansible test --list-hosts
  hosts (1):
    node1
// check whether node1 is a managed host
[root@node0 ~]# ansible node1 --list-hosts
  hosts (1):
    node1
// list all hosts
[root@node0 ~]# ansible all --list-hosts
  hosts (2):
    node2
    node1
// list hosts that are not in any group
[root@node0 ~]# ansible ungrouped --list-hosts
  hosts (1):
    node2

  5. Test with the ping module
// ping succeeds
[root@node0 ~]# ansible node1 -m ping
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
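As an added example (not from the original post), here is a small Python parser for the INI inventory format used above: it expands the numeric `db-[99:101]-node.example.com` range syntax, computes the implicit `all` and `ungrouped` groups that `ansible ... --list-hosts` reports, and flags hosts whose credentials sit in plaintext in the inventory, as the `ansible_password=123456` line does. The sample inventory is constructed; only flat groups and numeric ranges are handled (no `:children` sections, no alphabetic ranges).

```python
import re

# Constructed sample in the INI format the page uses: an ungrouped host, the [test]
# group with an inline plaintext password, and the db-[99:101] range syntax.
SAMPLE_INVENTORY = """\
node2
[test]
node1   ansible_user=root ansible_password=123456
[dbservers]
db01.intranet.mydomain.net
db-[99:101]-node.example.com
"""
RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")
SECRET_VARS = ("ansible_password", "ansible_ssh_pass", "ansible_become_pass")

def expand_range(pattern: str) -> list:
    """Expand one numeric range, db-[99:101]-node -> db-99-node ... db-101-node;
    a zero-padded start like [01:03] keeps its width (web01, web02, web03)."""
    m = RANGE_RE.search(pattern)
    if not m:
        return [pattern]
    start, end = m.group(1), m.group(2)
    width = len(start) if start.startswith("0") else 0
    return [pattern[:m.start()] + str(i).zfill(width) + pattern[m.end():]
            for i in range(int(start), int(end) + 1)]

def parse_inventory(text: str):
    """Return (groups, hostvars); groups includes the implicit 'ungrouped' and
    'all' groups in the order `ansible ... --list-hosts` reports them."""
    groups, hostvars, current = {"ungrouped": []}, {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # new group header
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        name, *assignments = line.split()  # host pattern, then key=value vars
        for host in expand_range(name):
            groups[current].append(host)
            hostvars.setdefault(host, {}).update(a.split("=", 1) for a in assignments)
    groups["all"] = list(dict.fromkeys(h for hosts in groups.values() for h in hosts))
    return groups, hostvars

def find_inline_secrets(hostvars: dict) -> list:
    """(host, variable) pairs whose credential sits in plaintext in the inventory;
    the SSH-key setup shown later on the page avoids storing one here at all."""
    return sorted((h, k) for h, vs in hostvars.items() for k in vs if k in SECRET_VARS)
```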

2. Managing the Ansible configuration file

Ansible's behaviour is configured by modifying ansible.cfg.

The configuration file is looked up in a fixed order of precedence:

  • /etc/ansible/ansible.cfg
    The ansible package ships a basic configuration file at /etc/ansible/ansible.cfg. It is used when no other configuration file is found.
  • ~/.ansible.cfg
    Ansible looks for a .ansible.cfg file in the user's home directory. If this file exists and there is no ansible.cfg in the current working directory, it is used instead of /etc/ansible/ansible.cfg.
  • ./ansible.cfg
    If an ansible.cfg file exists in the directory from which the ansible command is run, it is used instead of the global file or the user's personal file. This lets an administrator build a directory structure in which different environments or projects live in separate directories, each containing a configuration file tailored to its own set of settings.

2.1 Checking the Ansible version
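An added example (not from the original post) that mirrors the lookup order above in Python: it returns the file Ansible would pick, and it also applies Ansible's documented refusal to load ansible.cfg from a world-writable working directory, since any local user with write access there could otherwise inject settings. The directory layout is constructed in a temporary folder; the ANSIBLE_CONFIG environment variable, which the page does not cover, is left out.

```python
import stat
import tempfile
from pathlib import Path


def is_world_writable(directory: Path) -> bool:
    """True if 'others' have write permission on the directory."""
    return bool(directory.stat().st_mode & stat.S_IWOTH)


def resolve_ansible_cfg(cwd: Path, home: Path,
                        etc_cfg: Path = Path("/etc/ansible/ansible.cfg")):
    """Return the config file Ansible would load, or None if none exists.
    Highest precedence first: ./ansible.cfg, ~/.ansible.cfg, package default.
    A ./ansible.cfg in a world-writable directory is skipped (Ansible's
    documented behaviour), since any local user could have planted it."""
    cwd_cfg = cwd / "ansible.cfg"
    if cwd_cfg.is_file() and not is_world_writable(cwd):
        return cwd_cfg
    for candidate in (home / ".ansible.cfg", etc_cfg):
        if candidate.is_file():
            return candidate
    return None


def demo() -> dict:
    """Replay the three-level lookup on a constructed temporary layout and
    return, per scenario, the winning path relative to the sandbox root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc_cfg = root / "etc/ansible/ansible.cfg"
        home, project = root / "home", root / "project"
        for d in (etc_cfg.parent, home, project):
            d.mkdir(parents=True)
        project.chmod(0o755)  # a normal, non-world-writable project directory
        etc_cfg.write_text("[defaults]\n")

        def winner():
            chosen = resolve_ansible_cfg(project, home, etc_cfg)
            return str(chosen.relative_to(root)) if chosen else None

        results["package_default_only"] = winner()
        (home / ".ansible.cfg").write_text("[defaults]\n")
        results["user_file_added"] = winner()
        (project / "ansible.cfg").write_text("[defaults]\n")
        results["project_file_added"] = winner()
        project.chmod(0o777)  # simulate a world-writable project directory
        results["project_dir_world_writable"] = winner()
    return results
```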

[root@node0 ~]# ansible --version
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

2.2 Managing configuration file settings

The [defaults] section sets the default values for Ansible operations

[root@node0 ~]# vim /etc/ansible/ansible.cfg 
[defaults]

# some basic default values...

inventory      = /etc/ansible/inventory
#library        = /usr/share/my_modules/
#module_utils   = /usr/share/my_module_utils/
#remote_tmp     = ~/.ansible/tmp
#local_tmp      = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks          = 5
#poll_interval  = 15
#sudo_user      = root
#ask_sudo_pass = True
#ask_pass      = True
#transport      = smart
#remote_port    = 22
#module_lang    = C
#module_set_locale = False

The [privilege_escalation] section configures how Ansible performs privilege escalation on managed hosts

[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False
