Ansible service notes

Hostname and IP address plan

Role                      Hostname     eth0 IP       eth1 IP         Software
Firewall server           firewalld    10.0.0.81     172.16.1.81     firewalld
Load balancer             lb01         10.0.0.5      172.16.1.5      nginx, keepalived
Load balancer             lb02         10.0.0.6      172.16.1.6      nginx, keepalived
Web server                web01        10.0.0.7      172.16.1.7      nginx
Web server                web02        10.0.0.8      172.16.1.8      nginx
Web server                web03        10.0.0.9      172.16.1.9      nginx
Storage server            nfs01        10.0.0.31     172.16.1.31     nfs
Backup server             backup       10.0.0.41     172.16.1.41     rsync
Database server           db01         10.0.0.51     172.16.1.51     mysql, mariaDB
Batch management server   m01          10.0.0.61     172.16.1.61     ansible
Jump server               jumpserver   10.0.0.71     172.16.1.71     jumpserver
Monitoring server         zabbix       10.0.0.72     172.16.1.72     zabbix
Cache server              (none yet)   (none yet)    (none yet)      (none yet)

Ansible runs on m01 and reaches the other hosts over the internal eth1 network (172.16.1.0/24); every command below targets an eth1 address.
Characteristics of Ansible:
  1. The control node does not need to run a service daemon.
  2. The control node does not need a hand-written configuration file (/etc/ansible/ansible.cfg); the packaged defaults work.
  3. The managed node does not need an agent installed; it only needs sshd and Python.

SELinux on the managed node: an enabled SELinux does not stop Ansible from connecting, but Ansible's file-related modules need the SELinux Python bindings (the libselinux-python package on CentOS 7) on the managed node, and abort without them. Install the bindings rather than disabling SELinux.

  4. The managed node does not need to start any service for Ansible.
  5. There are many modules for managing services and programs.
  6. Playbooks turn a series of operations into an automated, repeatable run.
  7. Built-in help:
  • ansible-doc -l : list all modules with a one-line description
  • ansible-doc fetch : full documentation for one module (here: fetch)
  • ansible-doc -s fetch : a playbook snippet showing how the module is called in a play

Ansible cannot manage a remote host

The usual causes, in the order to check them:
  1. The control node's SSH public key has not been distributed to the managed host (Ansible connects over SSH with key authentication).
  2. The SSH service on the managed host is broken or unreachable.
  3. A process on the managed host is hung. Check the sshd process tree:
[root@nfs01 ~]# ps -ef|grep sshd
root       1204      1  0 04:05 ?        00:00:00 /usr/sbin/sshd -D
root       5046   1204  0 14:33 ?        00:00:00 sshd: root@pts/0
root       5069   1204  1 14:34 ?        00:00:00 sshd: root@notty
  • /usr/sbin/sshd -D : the listener that accepts new connections; if this process is stopped, no new SSH connection can be made.
  • sshd: root@pts/0 : an interactive session with a terminal, for example a Windows SSH client connected to the Linux host.
  • sshd: root@notty : a session without a terminal, which is how Ansible runs its modules on the host. It normally exits as soon as the operation finishes; if one lingers, it is probably a hung task and can block Ansible's subsequent operations on that host.
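To make the third cause checkable rather than eyeballed, here is an added example (not from the original page) that parses ps -ef output of the shape shown above and reports the sshd: user@notty sessions that have outlived a threshold. The sample listing is constructed from the lines above, the "current time" is passed in so the check is deterministic, and the 10-minute threshold is an assumption.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample shaped like the `ps -ef | grep sshd` listing above (not captured live),
# and a constructed "now" that makes the notty session 16 minutes old.
SAMPLE_PS = """\
root       1204      1  0 04:05 ?        00:00:00 /usr/sbin/sshd -D
root       5046   1204  0 14:33 ?        00:00:00 sshd: root@pts/0
root       5069   1204  1 14:34 ?        00:00:00 sshd: root@notty
"""
SAMPLE_NOW = datetime(2020, 1, 1, 14, 50)

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD
_PS_LINE = re.compile(
    r"^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+"
    r"(?P<stime>\S+)\s+\S+\s+\S+\s+(?P<cmd>.*)$"
)
# sshd names a session process "sshd: <user>@<tty>"; Ansible's sessions show the tty "notty".
_SESSION = re.compile(r"^sshd: (?P<user>[^@\s]+)@(?P<tty>\S+)")


def classify_sshd(ps_output):
    """Split sshd lines into (listener, interactive sessions, notty sessions)."""
    listener, interactive, notty = [], [], []
    for line in ps_output.splitlines():
        m = _PS_LINE.match(line)
        if not m:
            continue
        rec = {"pid": int(m.group("pid")), "stime": m.group("stime"), "cmd": m.group("cmd")}
        if rec["cmd"].startswith("/usr/sbin/sshd"):
            listener.append(rec)
            continue
        s = _SESSION.match(rec["cmd"])
        if not s:
            continue  # e.g. the grep process itself
        rec["user"] = s.group("user")
        (notty if s.group("tty") == "notty" else interactive).append(rec)
    return listener, interactive, notty


def _age_minutes(stime, now):
    """Minutes since a process started. ps prints HH:MM for processes started today and a
    date (e.g. 'Mar03') for older ones; the latter are treated as at least a day old."""
    try:
        t = datetime.strptime(stime, "%H:%M")
    except ValueError:
        return 24 * 60
    started = now.replace(hour=t.hour, minute=t.minute, second=0, microsecond=0)
    if started > now:  # started before midnight
        started -= timedelta(days=1)
    return int((now - started).total_seconds() // 60)


def stuck_notty_sessions(ps_output, now, max_minutes=10):
    """Return [(pid, user, age_minutes)] for notty sessions older than max_minutes.
    A module run normally finishes in seconds, so a notty session this old is a
    candidate for a hung task that will block further Ansible runs on the host."""
    _, _, notty = classify_sshd(ps_output)
    result = []
    for rec in notty:
        age = _age_minutes(rec["stime"], now)
        if age > max_minutes:
            result.append((rec["pid"], rec["user"], age))
    return result


if __name__ == "__main__":
    # Usage on a managed host:  ps -ef | python3 check_sshd.py
    if sys.stdin.isatty():
        text, now = SAMPLE_PS, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now()
    for pid, user, age in stuck_notty_sessions(text, now):
        print("pid %d (%s@notty) has been running for %d min" % (pid, user, age))
```

On the sample listing the script reports pid 5069, the root@notty session that has been alive for 16 minutes; the listener (1204) and the interactive session (5046) are left alone. Before killing such a process, confirm on the control node that no ansible run is still legitimately waiting on it.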

Ansible module usage

The ad-hoc command format (the original page shows it as an image, "ansible command syntax format.png") is:

ansible <host-pattern> -m <module> -a "<module arguments>"

<host-pattern> is an IP address, hostname or inventory group; -m selects the module and -a passes its arguments as key=value pairs.

yum module

Manages packages with the yum package manager.

yum module official documentation

# On 172.16.1.31, install iotop with yum
ansible 172.16.1.31 -m yum -a "name=iotop state=installed"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m yum -a "name=iotop state=installed" 
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "changes": {
        "installed": [
            "iotop"
        ]
    }, 
    "msg": "", 
    "rc": 0, 
    "results": [
        "Loaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\n * base: mirrors.aliyun.com\n * extras: mirrors.aliyun.com\n * updates: mirrors.aliyun.com\nResolving Dependencies\n--> Running transaction check\n---> Package iotop.noarch 0:0.6-4.el7 will be installed\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package          Arch              Version               Repository       Size\n================================================================================\nInstalling:\n iotop            noarch            0.6-4.el7             base             52 k\n\nTransaction Summary\n================================================================================\nInstall  1 Package\n\nTotal download size: 52 k\nInstalled size: 156 k\nDownloading packages:\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  Installing : iotop-0.6-4.el7.noarch                                       1/1 \n  Verifying  : iotop-0.6-4.el7.noarch                                       1/1 \n\nInstalled:\n  iotop.noarch 0:0.6-4.el7                                                      \n\nComplete!\n"
    ]
}

Additional parameters

  • state : Whether to install (present or installed, latest), or remove (absent or removed) a package.
  1. present and installed simply ensure that the desired package is installed.
  2. latest updates the specified package if it is not the latest available version.
  3. absent and removed remove the specified package.
  4. Default is None; in effect the default action is present, unless the autoremove option is enabled for this module, in which case absent is inferred.

Caveat: state=latest installs whatever version the mirror currently serves, so two runs can leave hosts on different versions and an upstream repository change reaches production unreviewed. For repeatable changes pin the version in the name (for example name=iotop-0.6-4.el7, the version shown in the output above) and keep state=present.

service module

Manage services.

service module official documentation

# On 172.16.1.31, restart the nfs service (enabling it at boot is shown further below)
ansible 172.16.1.31 -m service -a "name=nfs state=restarted"

# Result (Ansible reports the resulting state, started, not the requested action)
[root@m01 ~]# ansible 172.16.1.31 -m service -a "name=nfs state=restarted"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "name": "nfs", 
    "state": "started", 
    "status": {
...
    }
}

Additional parameters

  • state : started/stopped are idempotent actions that will not run commands unless necessary.
  1. restarted will always bounce the service.
  2. reloaded will always reload.
  3. At least one of state and enabled are required.
  4. Note that reloaded will start the service if it is not already started, even if your chosen init system wouldn't normally.
  • enabled : Whether the service should start on boot. At least one of state and enabled are required.
# On 172.16.1.31, restart the nfs service and enable it at boot
ansible 172.16.1.31 -m service -a "name=nfs state=restarted enabled=yes"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m service -a "name=nfs state=restarted enabled=yes"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "enabled": true, 
    "name": "nfs", 
    "state": "started", 
    "status": {
...
    }
}

cron module

Manage cron.d and crontab entries.

cron module official documentation

# On 172.16.1.31, create a job that runs every day at 02:00
ansible 172.16.1.31 -m cron -a "minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"

# Result (the entry is created, but the deprecation warning says name is missing, and the job is recorded as "None")
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'" 
[DEPRECATION WARNING]: The 'name' parameter will be required in future 
releases.. This feature will be removed in version 2.12. Deprecation warnings 
can be disabled by setting deprecation_warnings=False in ansible.cfg.
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": [
        "None"
    ]
}

Additional parameters

  • name : Description of a crontab entry or, if env is set, the name of environment variable. Ansible writes it as a "#Ansible: <name>" comment above the entry and uses it to find the entry on later runs, so always set one; without it the job cannot be reliably updated or removed.
# On 172.16.1.31, create the 02:00 job with a description
ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1'"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": [
        "time sync"
    ]
}
  • state : Whether to ensure the job or environment variable is present or absent.
# On 172.16.1.31, remove the job described as "time sync"
ansible 172.16.1.31 -m cron -a "name='time sync' state=absent"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' state=absent"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": []
}
  • disabled : If the job should be disabled (commented out) in the crontab.
# On 172.16.1.31, create the described 02:00 job but leave it commented out
ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' disabled=yes"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m cron -a "name='time sync' minute=0 hour=2 job='/usr/sbin/ntpdate ntp1.aliyun.com >/dev/null 2>&1' disabled=yes"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "envs": [], 
    "jobs": [
        "time sync"
    ]
}

mount module

Control active and configured mount points.

mount module official documentation

# On 172.16.1.7, mount an NFS export and make it mount automatically at boot
ansible 172.16.1.7 -m mount -a "src=172.16.1.31:/data path=/mnt fstype=nfs state=mounted"

# Result
[root@m01 ~]# ansible 172.16.1.7 -m mount -a "src=172.16.1.31:/data path=/mnt fstype=nfs state=mounted"
172.16.1.7 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "dump": "0", 
    "fstab": "/etc/fstab", 
    "fstype": "nfs", 
    "name": "/mnt", 
    "opts": "defaults", 
    "passno": "0", 
    "src": "172.16.1.31:/data"
}

Additional parameters

  • src : Device to be mounted on path. Required when state set to present or mounted.
  • path : Path to the mount point (e.g. /mnt/files). Before Ansible 2.3 this option was only usable as dest, destfile and name.
  • fstype : Filesystem type. Required when state is present or mounted.
  • opts : Mount options, as in fstab(8). The result above shows the default, defaults, which permits setuid binaries, device files and execution from the share; for an NFS share that only holds data, opts=nosuid,nodev,noexec removes those on the host that mounts it.
  • state : If mounted, the device will be actively mounted and appropriately configured in fstab. If the mount point is not present, the mount point will be created.
  1. If unmounted, the device will be unmounted without changing fstab.
  2. present only specifies that the device is to be configured in fstab and does not trigger or require a mount.
  3. absent specifies that the device mount's entry will be removed from fstab and will also unmount the device and remove the mount point.
  4. remounted specifies that the device will be remounted for when you want to force a refresh on the mount itself (added in 2.9). This will always return changed=true.

user module

Manage user accounts.

user module official documentation

# On 172.16.1.31, create a user named 1997sty01
ansible 172.16.1.31 -m user -a "name=1997sty01"

# Result
[root@m01 ~]# ansible 172.16.1.31 -m user -a "name=1997sty01"
172.16.1.31 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "comment": "", 
    "create_home": true, 
    "group": 1002, 
    "home": "/home/1997sty01", 
    "name": "1997sty01", 
    "shell": "/bin/bash", 
    "state": "present", 
    "system": false, 
    "uid": 1002
}

Additional parameters

  • uid : Optionally sets the UID of the user.
  • group : Optionally sets the user's primary group (takes a group name).
  • groups : List of groups user will be added to. When set to an empty string '', the user is removed from all groups except the primary group. Before Ansible 2.3, the only input format allowed was a comma separated string. Mutually exclusive with local.
  • create_home : Unless set to no, a home directory will be made for the user when the account is created or if the home directory does not exist. Changed from createhome to create_home in Ansible 2.5.
  • shell : Optionally set the user's shell. On macOS, before Ansible 2.5, the default shell for non-system users was /usr/bin/false. Since Ansible 2.5, the default shell for non-system users on macOS is /bin/bash.
  • password : Optionally set the user's password to this crypted value. On macOS systems, this value has to be cleartext. Beware of security issues. To create a disabled account on Linux systems, set this to ! or *.

Generating the password hash

The value passed to password must be the crypt(3) hash, never the plaintext; either method below produces a $6$ (SHA-512) hash.

  • Method 1: the password_hash filter, run through the debug module
# 123456 is the password and 1997sty the salt; paste the resulting hash into the password parameter
ansible all -i localhost, -m debug -a "msg={{ '123456' | password_hash('sha512', '1997sty') }}"
  • Method 2: passlib
# install python-pip if it is missing
yum install -y python-pip
# then install passlib with pip
pip install passlib
# run the command, type the password at the prompt, and paste the resulting hash into the password parameter
python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"

Two cautions. A fixed salt such as '1997sty' makes the hash reproducible, which keeps a playbook idempotent, but two accounts with the same password then get the same hash; calling password_hash('sha512') without the salt argument generates a random salt. And the hash, once in a playbook, is sensitive data in its own right: keep it in an ansible-vault encrypted variable and set no_log: true on the task so it is not echoed in the output.

Ansible playbooks

  • Purpose of a playbook: complete several tasks in one run.

Playbook structure

- hosts: 172.16.1.41 # target hosts
  tasks: # playbook contents
    - name: 01-install rsync # task name
      yum: name=rsync state=installed # task contents
    - name: 02-push conf file
      copy: src=/tmp/rsyncd.conf dest=/etc/
  1. Indent consistently: two spaces per level (never use a tab for indentation).
  2. A colon is followed by a space (not needed when the colon ends the line or appears inside a comment).
  3. A short dash introduces a list item and is followed by a space.

Writing a playbook

  • Give the playbook file the extension .yaml (or .yml).

Running a playbook

  1. Check the playbook's syntax
ansible-playbook --syntax-check playbook.yaml
  2. Dry-run the playbook (check mode; nothing is changed on the hosts)
ansible-playbook -C playbook.yaml
  3. Run the playbook
ansible-playbook playbook.yaml
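As an added example (not from the original page or from Ansible itself), the following Python script checks a playbook file against the three formatting rules above before ansible-playbook --syntax-check is run. It looks only at those rules, not at full YAML validity. Both sample playbooks are constructed from the rsync example above; the second breaks each rule once.

```python
import re
import sys

# Constructed samples: the first follows the three rules, the second breaks each of them.
GOOD_PLAYBOOK = """\
- hosts: 172.16.1.41
  tasks:
    - name: 01-install rsync
      yum: name=rsync state=installed
    - name: 02-push conf file
      copy: src=/tmp/rsyncd.conf dest=/etc/
"""

BAD_PLAYBOOK = (
    "- hosts:172.16.1.41\n"                    # line 1: no space after the colon
    "  tasks:\n"
    "\t- name: 01-install rsync\n"             # line 3: tab indentation
    "      yum: name=rsync state=installed\n"
    "    -name: 02-push conf file\n"           # line 5: no space after the dash
    "      copy: src=/tmp/rsyncd.conf dest=/etc/\n"
    "   file: dest=/backup state=directory\n"  # line 7: three-space indent
)

_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*")


def lint_playbook(text):
    """Return [(line_number, message)] for violations of the three rules:
    spaces-only indentation in steps of two, 'key: value' with a space after the
    colon, and '- ' for list items. Blank lines, comments and '---' are skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        indent = line[: len(line) - len(stripped)]
        if "\t" in indent:
            findings.append((n, "tab used for indentation; use spaces"))
            continue
        if len(indent) % 2:
            findings.append((n, "indentation is not a multiple of two spaces"))
        body = stripped
        if body.startswith("-"):
            if len(body) > 1 and body[1] != " ":
                findings.append((n, "list item dash must be followed by a space"))
                body = body[1:]
            else:
                body = body[2:].lstrip()
        m = _KEY.match(body)
        if m and body[m.end():m.end() + 1] == ":":
            rest = body[m.end() + 1:]
            # 'key:' at end of line or before a comment is fine; '//' leaves URLs alone.
            # Colons inside values (src=172.16.1.31:/data) never reach this check.
            if rest and not rest.startswith((" ", "#", "//")):
                findings.append((n, "missing space after ':' in '%s:'" % m.group(0)))
    return findings


if __name__ == "__main__":
    # Usage: python3 lint_playbook.py rsync.yaml   (no argument: lint the bad sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_PLAYBOOK
    for n, msg in lint_playbook(text):
        print("line %d: %s" % (n, msg))
```

The check is deliberately narrower than a YAML parser: it flags the three mistakes the section warns about with a line number, which the --syntax-check error message from Ansible does not always give clearly, and it passes the playbooks on this page unchanged.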

Playbook to deploy the rsync server

  • rsync.yaml
- hosts: 172.16.1.41
  tasks:
    - name: 01-install rsync
      yum: name=rsync state=installed
    - name: 02-push conf file
      copy: src=/tmp/rsyncd.conf dest=/etc/
    - name: 03-useradd rsync
      user: name=rsync shell=/sbin/nologin create_home=no
    - name: 04-touch rsync.password
      # the secrets file must be readable by root only; write the mode in octal with a
      # leading 0 (in YAML block form, mode: 600 would be read as decimal 600). The
      # password is plaintext here; keep it in an ansible-vault variable in real use.
      copy: content='rsync_backup:123456' dest=/etc/rsync.password mode=0600
    - name: 05-mkdir /backup
      file: dest=/backup owner=rsync group=rsync state=directory
    - name: 06-start enable rsyncd
      service: name=rsyncd state=started enabled=yes
  • /tmp/rsyncd.conf
# user the daemon runs transfers as, owner of the backup directory
uid = rsync
# group the daemon runs transfers as
gid = rsync
# TCP port the rsync daemon listens on
port = 873
# let the unprivileged rsync user preserve ownership and permissions (stored as xattrs) without running as root
fake super = yes
# do not chroot into the module path; chroot is defence in depth against path escapes, so yes is the safer setting
use chroot = no
# maximum number of simultaneous client connections to the backup server
max connections = 200
# idle timeout in seconds
timeout = 300
# pid file: 1. lets the service be stopped quickly 2. shows whether the daemon is running
pid file = /var/run/rsyncd.pid
# lock file
lock file = /var/run/rsync.lock
# daemon log, used for troubleshooting
log file = /var/log/rsyncd.log
# ignore minor I/O errors during transfers
ignore errors
# the backup module is writable
read only = false
# do not show the module in the module listing clients can request
list = false
# hosts allowed to transfer backup data (allow list)
hosts allow = 172.16.1.0/24
# deny list; note that 0.0.0.0/32 matches only the single address 0.0.0.0,
# so it is hosts allow that actually restricts access here
hosts deny = 0.0.0.0/32
# user(s) that must authenticate
auth users = rsync_backup
# file holding username:password for the authenticated users; must be mode 0600
secrets file = /etc/rsync.password
# module definition
[backup]

comment = "backup dir by 1997sty"
# module parameter: directory served by the module
path = /backup
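As an added example (not part of the original page or of rsync), this Python script parses an rsyncd.conf of the shape above and flags the access-control settings a reviewer would question: the missing chroot, a deny entry that matches a single address, modules without an allow list or authentication, and auth users without a secrets file. The sample input is the configuration above reproduced without comments; the defaults assumed (use chroot and read only default to yes) are those of rsyncd.conf(5).

```python
import ipaddress
import sys

# The rsyncd.conf from the playbook above, reproduced without comments as the sample input.
PAGE_CONF = """\
uid = rsync
gid = rsync
port = 873
fake super = yes
use chroot = no
max connections = 200
timeout = 300
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
ignore errors
read only = false
list = false
hosts allow = 172.16.1.0/24
hosts deny = 0.0.0.0/32
auth users = rsync_backup
secrets file = /etc/rsync.password
[backup]

comment = "backup dir by 1997sty"
path = /backup
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global_params, {module_name: params}). Parameter names
    are lowercased; a bare keyword such as 'ignore errors' is stored as 'yes'."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
        else:
            current[line.lower()] = "yes"
    return global_params, modules


def _is_off(value):
    return value.strip().lower() in ("no", "false", "0")


def _single_address(entry):
    """True for an IP or CIDR that matches exactly one address (hostnames and
    wildcard patterns return False)."""
    try:
        return ipaddress.ip_network(entry, strict=False).num_addresses == 1
    except ValueError:
        return False


def audit_rsyncd(text):
    """Return [(module, parameter, message)] for weak or inconsistent access settings.
    Module parameters override global ones, as rsyncd itself resolves them."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = dict(global_params)
        eff.update(params)
        if _is_off(eff.get("use chroot", "yes")):  # rsync default: yes
            findings.append((name, "use chroot",
                             "module is served without chroot; path checks rely on rsync alone"))
        if "hosts allow" not in eff:
            findings.append((name, "hosts allow",
                             "no allow list; any client that can reach the port may connect"))
        for entry in eff.get("hosts deny", "").replace(",", " ").split():
            if _single_address(entry):
                findings.append((name, "hosts deny",
                                 "'%s' denies exactly one address, not 'everyone else'" % entry))
        if "auth users" not in eff:
            findings.append((name, "auth users", "module accepts unauthenticated clients"))
            if _is_off(eff.get("read only", "yes")):  # rsync default: yes
                findings.append((name, "read only", "writable module without authentication"))
        elif "secrets file" not in eff:
            findings.append((name, "secrets file",
                             "auth users is set but no secrets file; clients cannot authenticate"))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_rsyncd.py /tmp/rsyncd.conf   (no argument: audit the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_CONF
    for module, param, msg in audit_rsyncd(text):
        print("[%s] %s: %s" % (module, param, msg))
```

Run against the configuration above, it reports exactly two findings for the backup module: use chroot = no and the single-address hosts deny entry. It does not check the secrets file's permissions, since it never touches the filesystem; rsync itself refuses a secrets file readable by other users while strict modes (the default) is on.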

Playbook to deploy the NFS server

  • nfs.yaml
- hosts: 172.16.1.31
  tasks:
    - name: 01-install rpcbind
      yum: name=rpcbind state=installed
    - name: 02-install nfs
      # the package is nfs-utils; there is no package named nfs
      yum: name=nfs-utils state=installed
    - name: 03-/etc/exports
      copy: content='/data   172.16.1.0/24(rw,sync)' dest=/etc/exports
    - name: 04-mkdir /data
      # state=directory is required: the file module defaults to state=file and fails if /data does not exist
      file: dest=/data owner=nfsnobody group=nfsnobody state=directory
    - name: 05-start enable nfs
      service: name=nfs state=started enabled=yes