Ansible service notes
Hostname and IP address plan
| Service | Hostname | eth0 IP | eth1 IP | Software |
|---|---|---|---|---|
| Firewall server | firewalld | 10.0.0.81 | 172.16.1.81 | firewalld |
| Load balancer | lb01 | 10.0.0.5 | 172.16.1.5 | nginx, keepalived |
| Load balancer | lb02 | 10.0.0.6 | 172.16.1.6 | nginx, keepalived |
| Web server | web01 | 10.0.0.7 | 172.16.1.7 | nginx |
| Web server | web02 | 10.0.0.8 | 172.16.1.8 | nginx |
| Web server | web03 | 10.0.0.9 | 172.16.1.9 | nginx |
| Storage server | nfs01 | 10.0.0.31 | 172.16.1.31 | nfs |
| Backup server | backup | 10.0.0.41 | 172.16.1.41 | rsync |
| Database server | db01 | 10.0.0.51 | 172.16.1.51 | mysql, mariaDB |
| Control node (batch management) | m01 | 10.0.0.61 | 172.16.1.61 | ansible |
| Jump server | jumpserver | 10.0.0.71 | 172.16.1.71 | jumpserver |
| Monitoring server | zabbix | 10.0.0.72 | 172.16.1.72 | zabbix |
| Cache server | none yet | none yet | none yet | none yet |
eth0 is the 10.0.0.0/24 network and eth1 the 172.16.1.0/24 internal network; every Ansible command below addresses hosts by their eth1 address.
Control node (m01)
- The control node does not need to run a service daemon.
- The control node does not need a hand-written configuration file; the packaged /etc/ansible/ansible.cfg is enough to start with.
Managed nodes
- Managed nodes do not need any extra software installed: Ansible connects over SSH and runs its modules with the Python interpreter already on the host.
- Managed nodes do not need to run a service daemon.
- SELinux in enforcing mode does not have to be disabled for Ansible to work, but the file-related modules then need the libselinux-python package on the managed node; without it they abort with "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!". Install the package rather than turning SELinux off.
- There are many modules for managing services and other resources.
- Playbooks string tasks together for automation.
Ansible help
- ansible-doc -l lists every module with a one-line description
- ansible-doc -s fetch prints a playbook snippet for one module, listing its parameters
- ansible-doc fetch prints the module's full documentation and examples
Ansible cannot manage a remote host
- The control node has not distributed its public key to the host (or the key it offers is not in the host's authorized_keys)
- The SSH service on the managed node is down or unreachable
- A process on the managed node is hung
A quick check from the control node is ansible <host> -m ping, which only succeeds when SSH, the key and the remote Python interpreter all work. On the managed node, look at the sshd processes:
[root@nfs01 ~]# ps -ef|grep sshd
root 1204 1 0 04:05 ? 00:00:00 /usr/sbin/sshd -D
root 5046 1204 0 14:33 ? 00:00:00 sshd: root@pts/0
root 5069 1204 1 14:34 ? 00:00:00 sshd: root@notty
- /usr/sbin/sshd -D: the listener that accepts new connections; if it is killed, no new SSH sessions can be created (existing sessions keep running)
- sshd: root@pts/0: a session with a pseudo-terminal, such as an interactive login from a Windows SSH client
- sshd: root@notty: a session without a terminal, which is what Ansible's connection looks like on the managed node. It exits when the task finishes; if it never exits (a hung task, or a command waiting for input), later Ansible runs against that host can stall behind it
Ansible module usage
- Ansible official website
- Ansible module index (official documentation)
Ad-hoc command syntax:
ansible <host pattern> -m <module> -a "<module arguments>"
The host pattern is a hostname, a group name, an IP address or all, as defined in the inventory; -m selects the module and -a passes its key=value arguments.

yum module
Manages packages with the yum package manager.
# On 172.16.1.31, install iotop with yum
ansible 172.16.1.31 -m yum -a "name=iotop state=installed"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m yum -a "name=iotop state=installed"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"changes": {
"installed": [
"iotop"
]
},
"msg": "",
"rc": 0,
"results": [
"Loaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\n * base: mirrors.aliyun.com\n * extras: mirrors.aliyun.com\n * updates: mirrors.aliyun.com\nResolving Dependencies\n--> Running transaction check\n---> Package iotop.noarch 0:0.6-4.el7 will be installed\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package Arch Version Repository Size\n================================================================================\nInstalling:\n iotop noarch 0.6-4.el7 base 52 k\n\nTransaction Summary\n================================================================================\nInstall 1 Package\n\nTotal download size: 52 k\nInstalled size: 156 k\nDownloading packages:\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n Installing : iotop-0.6-4.el7.noarch 1/1 \n Verifying : iotop-0.6-4.el7.noarch 1/1 \n\nInstalled:\n iotop.noarch 0:0.6-4.el7 \n\nComplete!\n"
]
}
Extended usage
- state: whether to install (present or installed, latest) or remove (absent or removed) a package. present and installed simply ensure that the package is installed; latest upgrades the package if it is not the latest available version; absent and removed remove it. The default is None, which in effect means present, unless autoremove is enabled for the module, in which case absent is inferred.
- Prefer present (or a pinned version) over latest for production hosts: latest re-resolves against the repositories on every run, so a playbook that was converged yesterday can silently upgrade packages today.
service module
Manage services.
# On 172.16.1.31, restart the nfs service (enabling it at boot is shown below)
ansible 172.16.1.31 -m service -a "name=nfs state=restarted"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m service -a "name=nfs state=restarted"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"name": "nfs",
"state": "started",
"status": {
...
}
}
Extended usage
- state: started and stopped are idempotent actions that will not run commands unless necessary. restarted will always bounce the service. reloaded will always reload. Note that reloaded will start the service if it is not already started, even if your chosen init system would not normally do so. At least one of state and enabled is required.
- enabled: whether the service should start on boot. At least one of state and enabled is required.
# On 172.16.1.31, restart the nfs service and enable it at boot
ansible 172.16.1.31 -m service -a "name=nfs state=restarted enabled=yes"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m service -a "name=nfs state=restarted enabled=yes"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"enabled": true,
"name": "nfs",
"state": "started",
"status": {
...
}
}
cron module
Manage cron.d and crontab entries.
# On 172.16.1.31, create a job that runs every day at 02:00
ansible 172.16.1.31 -m cron -a "minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"
# Result (note the deprecation warning: name is about to become mandatory)
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"
[DEPRECATION WARNING]: The 'name' parameter will be required in future
releases.. This feature will be removed in version 2.12. Deprecation warnings
can be disabled by setting deprecation_warnings=False in ansible.cfg.
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": [
"None"
]
}
Extended usage
- name: description of a crontab entry or, if env is set, the name of the environment variable. The name is how the module recognises an entry it created earlier; without it, a state=present run always adds a new line, so repeating the command above leaves duplicate jobs in root's crontab. Always set it.
# On 172.16.1.31, create a job that runs every day at 02:00, with a description
ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": [
"time sync"
]
}
- state: whether to ensure the job or environment variable is present or absent.
# On 172.16.1.31, remove the job described as time sync
ansible 172.16.1.31 -m cron -a "name='time sync' state=absent"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' state=absent"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": []
}
- disabled: whether the job should be disabled (commented out) in the crontab.
# On 172.16.1.31, create the 02:00 job with a description, but leave it commented out
ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' disabled=yes"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' disabled=yes"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": [
"time sync"
]
}
mount module
Control active and configured mount points.
# On 172.16.1.7, mount an NFS export and record it in fstab so it is mounted at boot
ansible 172.16.1.7 -m mount -a "src=172.16.1.31:/data path=/mnt fstype=nfs state=mounted"
# Result
[root@m01 ~]# ansible 172.16.1.7 -m mount -a "src=172.16.1.31:/data path=/mnt fstype=nfs state=mounted"
172.16.1.7 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dump": "0",
"fstab": "/etc/fstab",
"fstype": "nfs",
"name": "/mnt",
"opts": "defaults",
"passno": "0",
"src": "172.16.1.31:/data"
}
Extended usage
- src: device to be mounted on path. Required when state is present or mounted.
- path: path to the mount point (e.g. /mnt/files). Before Ansible 2.3 this option was only usable as dest, destfile and name.
- fstype: filesystem type. Required when state is present or mounted.
- state: if mounted, the device will be actively mounted and appropriately configured in fstab; if the mount point is not present, it will be created. If unmounted, the device will be unmounted without changing fstab. present only specifies that the device is to be configured in fstab and does not trigger or require a mount. absent specifies that the device mount's entry will be removed from fstab and will also unmount the device and remove the mount point. remounted specifies that the device will be remounted, for when you want to force a refresh on the mount itself (added in 2.9); this always returns changed=true.
- opts defaults to defaults, which is a read-write mount; for a share the client only needs to read, pass opts=ro.
user module
Manage user accounts.
# On 172.16.1.31, create a user named 1997sty01
ansible 172.16.1.31 -m user -a "name=1997sty01"
# Result
[root@m01 ~]# ansible 172.16.1.31 -m user -a "name=1997sty01"
172.16.1.31 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1002,
"home": "/home/1997sty01",
"name": "1997sty01",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1002
}
Extended usage
- uid: optionally sets the UID of the user.
- group: optionally sets the user's primary group (takes a group name).
- groups: list of groups the user will be added to. When set to an empty string '', the user is removed from all groups except the primary group. Before Ansible 2.3 the only input format allowed was a comma-separated string. Mutually exclusive with local.
- create_home: unless set to no, a home directory will be made for the user when the account is created or if the home directory does not exist. Changed from createhome to create_home in Ansible 2.5.
- shell: optionally set the user's shell. On macOS, before Ansible 2.5, the default shell for non-system users was /usr/bin/false; since Ansible 2.5 it is /bin/bash.
- password: optionally set the user's password to this crypted value. On macOS systems this value has to be cleartext; beware of the security issues. To create a disabled account on Linux systems, set this to ! or *. On Linux a plaintext value is written to /etc/shadow as-is, matches no password, and makes Ansible warn "The input password appears not to have been hashed"; generate the hash first as shown below.
Generating the password hash
- Method 1: the password_hash filter via the debug module
# 123456 is the password and 1997sty is the salt; paste the resulting hash into the password parameter
ansible all -i localhost, -m debug -a "msg={{ '123456' | password_hash('sha512', '1997sty') }}"
A fixed salt gives every account hashed this way the same salt; leave the second argument out and the filter picks a random one.
- Method 2: passlib
# Install python-pip if it is missing
yum install -y python-pip
# Install passlib with pip
pip install passlib
# Run the command, type the password at the prompt, and paste the hash into the password parameter
python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"
Ansible playbooks
- What a playbook does: run several tasks as one unit
Structure of a playbook
- hosts: 172.16.1.41                      # target hosts
  tasks:                                  # task list
    - name: 01-install rsync              # task name
      yum: name=rsync state=installed     # module and its arguments
    - name: 02-push conf file
      copy: src=/tmp/rsyncd.conf dest=/etc/
- Indent consistently: two spaces per level, never tabs
- Put a space after every colon (not needed when the colon ends the line or sits inside a comment)
- A hyphen introduces a list item and must be followed by a space
Writing a playbook
- Give the file the .yaml extension
Running a playbook
- Check the syntax
ansible-playbook --syntax-check playbook.yaml
- Dry run in check mode (nothing is changed on the hosts; modules that cannot predict their result, such as command and shell, are skipped)
ansible-playbook -C playbook.yaml
- Run it
ansible-playbook playbook.yaml
Playbook to deploy the rsync service on the backup server
- rsync.yaml
- hosts: 172.16.1.41
  tasks:
    - name: 01-install rsync
      yum: name=rsync state=installed
    - name: 02-push conf file
      copy: src=/tmp/rsyncd.conf dest=/etc/
    - name: 03-useradd rsync
      user: name=rsync shell=/sbin/nologin create_home=no
    - name: 04-touch rsync.password
      # the secret is a literal here; outside a lab, keep it in ansible-vault and template it in
      copy: content='rsync_backup:123456' dest=/etc/rsync.password mode=0600
    - name: 05-mkdir /backup
      file: dest=/backup owner=rsync group=rsync state=directory
    - name: 06-start enable rsyncd
      service: name=rsyncd state=started enabled=yes
- /tmp/rsyncd.conf
# user the daemon runs transfers as, and owner of the backup directory
uid = rsync
# group the daemon runs transfers as
gid = rsync
# TCP port the rsync daemon listens on
port = 873
# store ownership and permissions as extended attributes, so the unprivileged rsync user can preserve them without being root
fake super = yes
# security-relevant: without chroot, a client path escape is held back only by file permissions; yes is the safer default and should be kept unless the module needs symlinks outside its path
use chroot = no
# at most 200 clients may be connected to the backup server at once
max connections = 200
# I/O timeout in seconds
timeout = 300
# PID file: lets the service be stopped quickly and shows whether it is running
pid file = /var/run/rsyncd.pid
# lock file
lock file = /var/run/rsync.lock
# daemon log, used for troubleshooting
log file = /var/log/rsyncd.log
# keep going on I/O errors instead of aborting the transfer
ignore errors
# make the modules writable rather than read-only
read only = false
# do not show the module when a client asks for the module list
list = false
# hosts allowed to transfer backups (whitelist)
hosts allow = 172.16.1.0/24
# hosts denied (blacklist). rsync checks hosts allow first, then hosts deny, and a client on neither list is allowed; a deny of 0.0.0.0/32 would match only the single address 0.0.0.0 and leave every host outside 172.16.1.0/24 able to connect. 0.0.0.0/0 covers all IPv4 addresses (dropping hosts deny entirely is equivalent, since hosts allow alone rejects unlisted hosts)
hosts deny = 0.0.0.0/0
# authorised user name for the module
auth users = rsync_backup
# secrets file, one user:password per line; it must not be readable by other users (strict modes, on by default, enforces this)
secrets file = /etc/rsync.password
# module definition
[backup]
comment = "backup dir by 1997sty"
# directory served by the module
path = /backup
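The hosts allow / hosts deny decision above is easy to get wrong, so here is an added example (not code from the page or from rsync) that models rsync's documented allow-then-deny evaluation over the access-control lines of the file. It assumes only IPv4 address and a.b.c.d/n patterns; hostname patterns and per-module overrides are not modelled, and the two configuration strings are constructed from the file above.

```python
import ipaddress

# Constructed sample: the access-control lines of the rsyncd.conf above, with the
# narrow 0.0.0.0/32 deny that only matches the single address 0.0.0.0.
PAGE_CONF = """\
uid = rsync
gid = rsync
use chroot = no
ignore errors
hosts allow = 172.16.1.0/24
hosts deny = 0.0.0.0/32
auth users = rsync_backup
[backup]
path = /backup
"""

# The same file with hosts deny covering every IPv4 address.
FIXED_CONF = PAGE_CONF.replace("hosts deny = 0.0.0.0/32", "hosts deny = 0.0.0.0/0")


def parse_global(conf_text):
    """Return the global 'key = value' settings; stops at the first [module] header.
    Module sections can override these, which this simplified parser does not model."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            break
        if "=" in line:                      # bare flags such as 'ignore errors' are skipped
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def pattern_matches(pattern, client_ip):
    """Match one IPv4 address or a.b.c.d/n pattern (hostname patterns are not modelled)."""
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def list_matches(pattern_list, client_ip):
    """rsync accepts comma- and/or space-separated patterns."""
    return any(pattern_matches(p, client_ip) for p in pattern_list.replace(",", " ").split())


def allow_access(conf_text, client_ip):
    """Mirror rsync's allow_access(): with both lists set, hosts allow is checked first,
    then hosts deny, and a client that matches neither list is ALLOWED."""
    s = parse_global(conf_text)
    allow = s.get("hosts allow", "")
    deny = s.get("hosts deny", "")
    if not allow and not deny:           # no lists: everyone may connect
        return True
    if not deny:                         # allow list only: unlisted hosts are rejected
        return list_matches(allow, client_ip)
    if not allow:                        # deny list only: listed hosts are rejected
        return not list_matches(deny, client_ip)
    if list_matches(allow, client_ip):
        return True
    if list_matches(deny, client_ip):
        return False
    return True                          # on neither list: allowed


if __name__ == "__main__":
    for conf_name, conf in (("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        for client in ("172.16.1.41", "10.0.0.5", "0.0.0.0"):
            verdict = "allowed" if allow_access(conf, client) else "denied"
            print(conf_name, client, verdict)
```

Run as-is it shows that a client on 10.0.0.5 is allowed by the /32 deny and rejected once the deny covers 0.0.0.0/0; the allow-list-only branch shows why simply removing hosts deny gives the same result.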
Playbook to deploy the NFS service on the storage server
- nfs.yaml
- hosts: 172.16.1.31
  tasks:
    - name: 01-install rpcbind
      yum: name=rpcbind state=installed
    - name: 02-install nfs
      # on CentOS 7 the nfs service is provided by nfs-utils; there is no package named nfs
      yum: name=nfs-utils state=installed
    - name: 03-/etc/exports
      copy: content='/data 172.16.1.0/24(rw,sync)' dest=/etc/exports
    - name: 04-mkdir /data
      # state=directory is required: the file module defaults to state=file and fails when /data does not exist
      file: dest=/data owner=nfsnobody group=nfsnobody state=directory
    - name: 05-start enable nfs
      service: name=nfs state=started enabled=yes
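The rsync and nfs playbooks above use the key=value shorthand throughout, and the pitfalls this page touches on (a literal credential in copy content, a three-digit mode, a file task without state, a cron task without name, a user password that is not a hash, yum state=latest) are all visible in that shorthand. As an added example, not code from the page or from Ansible, here is a pre-flight check to run before ansible-playbook --syntax-check. It only understands the shorthand form used here, not full YAML, the rules are heuristics, and the two sample playbooks are constructed (one mixes lines from both playbooks with two extra tasks; the vault variable and the hash in the fixed one are placeholders).

```python
import re
import shlex

# Constructed sample: lines from the rsync and nfs playbooks above plus two extra tasks
# (a latest upgrade and a user created with a plaintext password).
SAMPLE_PLAYBOOK = """\
- hosts: 172.16.1.41
  tasks:
    - name: 01-install rsync
      yum: name=rsync state=latest
    - name: 04-touch rsync.password
      copy: content='rsync_backup:123456' dest=/etc/rsync.password mode=600
    - name: 05-mkdir /backup
      file: dest=/backup owner=rsync group=rsync state=directory
    - name: 04-mkdir /data
      file: dest=/data owner=nfsnobody group=nfsnobody
    - name: time sync
      cron: minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'
    - name: add admin
      user: name=admin password=Secret123
"""

# The same tasks with every finding addressed; the vault variable and the hash are placeholders.
FIXED_PLAYBOOK = """\
- hosts: 172.16.1.41
  tasks:
    - name: 01-install rsync
      yum: name=rsync state=present
    - name: 04-touch rsync.password
      copy: content='rsync_backup:{{ rsync_backup_password }}' dest=/etc/rsync.password mode=0600
    - name: 04-mkdir /data
      file: dest=/data owner=nfsnobody group=nfsnobody state=directory
    - name: time sync
      cron: name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'
    - name: add admin
      user: name=admin password='$6$placeholder$placeholder'
"""

TASK_LINE = re.compile(r"^\s+(?P<module>[a-z_]+):\s+(?P<args>.*\S)\s*$")
MODULES = {"yum", "copy", "file", "cron", "user", "service", "mount"}
# md5/sha256/sha512-crypt, bcrypt and yescrypt prefixes as written in /etc/shadow
CRYPT_HASH = re.compile(r"^\$(1|5|6|2[abxy]|y)\$")


def parse_tasks(text):
    """Yield (module, {param: value}) for each 'module: k=v k=v' task line."""
    for line in text.splitlines():
        m = TASK_LINE.match(line)
        if not m or m.group("module") not in MODULES:
            continue
        params = {}
        for token in shlex.split(m.group("args")):   # keeps quoted values with spaces intact
            key, _, value = token.partition("=")
            params[key] = value
        yield m.group("module"), params


def check_playbook(text):
    """Return (module, finding) pairs for the pitfalls discussed on this page."""
    findings = []
    for module, p in parse_tasks(text):
        if module == "yum" and p.get("state") == "latest":
            findings.append((module, "state=latest upgrades on every run; use present or pin a version"))
        if (module == "copy" and "content" in p and "{{" not in p["content"]
                and re.search(r"\S+:\S+", p["content"])):
            findings.append((module, "literal user:password in content=; load it from ansible-vault"))
        if "mode" in p and re.fullmatch(r"[0-7]{3}", p["mode"]):
            findings.append((module, "mode=%s: write 0%s so it is unambiguously octal" % (p["mode"], p["mode"])))
        if module == "file" and "state" not in p:
            findings.append((module, "file without state=: defaults to state=file and fails if the path is absent"))
        if module == "cron" and "name" not in p:
            findings.append((module, "cron without name=: every run adds another crontab line"))
        if module == "user" and "password" in p and not CRYPT_HASH.match(p["password"]):
            findings.append((module, "password= is not a crypt(3) hash; the account gets an unusable password"))
    return findings


if __name__ == "__main__":
    for label, book in (("sample", SAMPLE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK)):
        print(label, "findings:", len(check_playbook(book)))
        for module, finding in check_playbook(book):
            print("  %s: %s" % (module, finding))
```

The copy rule deliberately ignores templated content so a vault-backed variable is not flagged, and the mode rule only fires on a bare three-digit value; in the shorthand form Ansible reads "600" as octal anyway, but the leading zero is what keeps the same task correct when it is later rewritten as a YAML mapping.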
Last updated 2020-01-10 21:30