1.构建ansible清单
1.1 定义清单
为了让ansible识别可控制主机,必须定义清单。
- 主机可以分配到组
- 组可以有子组
定义方式:
- 静态主机清单:文本定义
- 动态主机清单:根据外部信息提供程序通过脚本或其他程序生成
1.2 使用静态清单指定受控主机
编辑/etc/ansible下的hosts文件
- 基本形式
[root@node0 ~]# vim /etc/ansible/hosts
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
- 有组的情况
## [dbservers]
##
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57
## db-[99:101]-node.example.com
设置node0为控制机,node1为受控制机
主机 | ip |
---|---|
node0 | 192.168.94.142 |
node1 | 192.168.94.141 |
- 控制机上映射node1的IP
[root@node0 ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.94.141 node1
- 测试
[root@node0 ~]# ping node1
PING node1 (192.168.94.141) 56(84) bytes of data.
64 bytes from node1 (192.168.94.141): icmp_seq=1 ttl=64 time=0.876 ms
...
rtt min/avg/max/mdev = 0.876/0.963/1.015/0.053 ms
- 配置静态清单
[root@node0 ~]# vim /etc/ansible/hosts
...
node2
[test]
node1 ansible_user=root ansible_password=123456
- 自定义静态清单
//etc/ansible/下新建inventory配置文件
[root@node0 ~]# vim /etc/ansible/inventory
[test]
node1
//主文件取消注释默认寻找路径
[root@node0 ~]# vim /etc/ansible/ansible.cfg
[defaults]
# some basic default values...
//取消注释
inventory = /etc/ansible/inventory
- 不配置node1密码的情况
[root@node0 ~]# vim /etc/ansible/inventory
[test]
node1
//ping不通
[root@node0 ~]# ansible node1 -m ping
node1 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: root@node1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
//创建公钥-私钥对
[root@node0 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FVwLhxklQHKFw5QirdJihiiVs/KHTB8ADMO+NzDCx2c root@node0
The key's randomart image is:
+---[RSA 3072]----+
|B. . ..+=***+ |
| += . oo= += . |
|+o.= o . .. . |
|*=Bo+E . |
|oB==o. S |
| .+oo |
| ... |
| |
| |
+----[SHA256]-----+
//复制公钥至远程node1上
[root@node0 ~]# ssh-copy-id root@node1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@node1'"
and check to make sure that only the key(s) you wanted were added.
//ping通
[root@node0 ~]# ansible node1 -m ping
node1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
- 查看主机
//查看test组的主机
[root@node0 ~]# ansible test --list-hosts
hosts (1):
node1
//查看node1主机是否受控制
[root@node0 ~]# ansible node1 --list-hosts
hosts (1):
node1
//查看所有主机
[root@node0 ~]# ansible all --list-hosts
hosts (2):
node2
node1
//查看不在组的主机
[root@node0 ~]# ansible ungrouped --list-hosts
hosts (1):
node2
- 调用ping模组测试
//显示ping通
[root@node0 ~]# ansible node1 -m ping
node1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
2.管理ansible配置文件
通过修改ansible.cfg来配置安装行为
按照一定的优先级去找配置文件
- 使用/etc/ansible/ansible.cfg
ansible软件包提供一个基本的配置文件,它位于/etc/ansible/ansible.cfg。如果找不到其他配置文件,则使用此文件。 - 使用~/.ansible.cfg,Ansible在用户的家目录中查找.ansible.cfg文件。如果存在此配置文件并且当前工作目录中也没有ansible.cfg文件,则使用此配置取代/etc/ansible/ansible.cfg。
- 使用./ansible.cfg如果执行ansible命令的目录中存在ansible.cfg文件,则使用它,而不使用全局文件或用户的个人文件。这样,管理员可以创建一种目录结构,将不同的环境或项目存储在单独的目录中,并且每个目录包含为独特的一组设置而定制的配置文件。
2.1查看ansible版本
[root@node0 ~]# ansible --version
ansible 2.9.16
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
2.2管理配置文件的设置
[defaults]部分设置Ansible操作的默认值
[root@node0 ~]# vim /etc/ansible/ansible.cfg
[defaults]
# some basic default values...
inventory = /etc/ansible/inventory
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp
#local_tmp = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks = 5
#poll_interval = 15
#sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
#transport = smart
#remote_port = 22
#module_lang = C
#module_set_locale = False
[privilege_escalation]配置Ansible如何在受管主机上执行特权升级
[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False