“Ansible基础”的版本间的差异

来自linux中国网wiki
跳到导航 跳到搜索
 
(未显示同一用户的79个中间版本)
第1行: 第1行:
 +
= [[Playbook |playbook双击跳转]]=
 +
[æn; ən
 +
 
=进阶=
 
=进阶=
 +
 +
[https://blog.51cto.com/u_10272167/2707282 Ansible 日常使用技巧 - 运维总结]
 +
 +
[https://blog.jairmir.com/index.php/2021/03/27/ansible%E8%87%AA%E5%8A%A8%E5%8C%96%E8%BF%90%E7%BB%B4/ ansible自动化运维]
  
  
第15行: 第22行:
  
 
[https://www.cnblogs.com/LiuChang-blog/p/14702939.html  Ansible自动化运维应用实战 ]
 
[https://www.cnblogs.com/LiuChang-blog/p/14702939.html  Ansible自动化运维应用实战 ]
 +
 +
[https://blog.csdn.net/u013613428/article/details/92837916  手把手教你在python中运行ansible-playbook]
 +
 +
[https://blog.csdn.net/weixin_46833747/article/details/108441827 知识总结(17)ansible总结(ansible的优点、架构、工作原理、常用模块、playbook详解)]
  
 
==变量==
 
==变量==
第34行: 第45行:
 
=introduction=
 
=introduction=
 
Ansible是一种IT自动化工具。它可以配置系统,部署软件以及协调更高级的IT任务,例如持续部署,滚动更新。Ansible适用于管理企业IT基础设施,从具有少数主机的小规模到数千个实例的企业环境。Ansible也是一种简单的自动化语言,可以完美地描述IT应用程序基础结构。
 
Ansible是一种IT自动化工具。它可以配置系统,部署软件以及协调更高级的IT任务,例如持续部署,滚动更新。Ansible适用于管理企业IT基础设施,从具有少数主机的小规模到数千个实例的企业环境。Ansible也是一种简单的自动化语言,可以完美地描述IT应用程序基础结构。
 +
 +
Ansible is a suite /swiːt/ of software tools that enables infrastructure /ˈɪn.frəˌstrʌk.tʃɚ/ as code. It is open-source and the suite includes software provisioning, configuration management, and application deployment functionality /ˌfʌŋk.ʃənˈæl.ə.t̬i
 +
 
=ins=
 
=ins=
 
https://docs.ansible.com/ansible/latest/installation_guide/index.html
 
https://docs.ansible.com/ansible/latest/installation_guide/index.html
 
<pre>
 
<pre>
#on master
+
#on master 在debian 11上 用pip3 安装的版本很新 不过也是没默认配置文件  自己动手吧
 
pip3 install --user ansible
 
pip3 install --user ansible
  
第77行: 第91行:
 
=配置文件=
 
=配置文件=
 
<pre>
 
<pre>
 +
#放自己home更加爽
 +
/home/evan/ansible
 +
 +
so  Jul 04  2023
 +
 +
sudo vi /etc/ansible/ansible.cfg
 +
[defaults]
 +
inventory = /home/evan/ansible/inventory/hosts
 +
 +
  
  
第104行: 第128行:
  
 
把它放到/etc/ansible/目录
 
把它放到/etc/ansible/目录
 +
</pre>
 +
==ansible指定用户 ==
 +
<pre>
 +
方案1:
 +
nsible -m ping -u 用户名
 +
 +
方案2:
 +
 +
修改/etc/ansible/hosts文件:
 +
[test_hosts]
 +
host_ip ansible_user=用户名
 +
# 还可以指定登陆密码
 +
host_ip ansible_user=用户名 ansible_ssh_pass=登陆密码
 +
 
</pre>
 
</pre>
  
第109行: 第147行:
 
==sudo ==
 
==sudo ==
  
 +
[https://github.com/evan886/my-ansible/tree/main/sudo-insdocker/ansible sudo 详细例子insdocker在github]
 
=== 没密码的sudo===
 
=== 没密码的sudo===
 
<pre>
 
<pre>
第116行: 第155行:
 
   become: yes
 
   become: yes
 
   become_method: sudo
 
   become_method: sudo
   remote_user: ops
+
   remote_user: evan 
 +
  #remote_user: ops  
 
   roles:
 
   roles:
 
     - ag_conf
 
     - ag_conf
  
 
#当然 shell 里面也要写sudo  
 
#当然 shell 里面也要写sudo  
 +
 +
#直接在commond 这样执行,要交互,但是可以直接回车 如果没密码
 +
ansible  tmp -m  command -a "ls /root"  -u  evan --become  --ask-become-pass
 +
 
</pre>
 
</pre>
 
[https://blog.51cto.com/u_3379770/1906326  ansible 普通用户执行命令]
 
[https://blog.51cto.com/u_3379770/1906326  ansible 普通用户执行命令]
第126行: 第170行:
  
 
[https://www.cnblogs.com/fjping0606/p/6952749.html  Ansible 使用普通用户远程执行playbook ]
 
[https://www.cnblogs.com/fjping0606/p/6952749.html  Ansible 使用普通用户远程执行playbook ]
 +
 +
https://serverfault.com/questions/870951/ansible-adhoc-command-execute-with-sudo
 +
 +
https://stackoverflow.com/questions/38958333/how-to-achieve-sudo-su-user-and-run-all-command-in-ansible#38965192
 +
 +
==SSH authenticity checking  ==
 +
<pre>
 +
Is there a way to ignore the SSH authenticity checking made by Ansible? For example when I've just setup a new server I have to answer yes to this question:
 +
 +
GATHERING FACTS ***************************************************************
 +
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
 +
RSA key fingerprint is xx:yy:zz:....
 +
Are you sure you want to continue connecting (yes/no)?
 +
 +
 +
方法1 直接在命令行 加参数
 +
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook  ssh-u-conf.yml
 +
 +
方法2  加到配置文件
 +
/etc/ansible/ansible.cfg or ~/.ansible.cfg
 +
 +
[defaults]
 +
host_key_checking = False
 +
 +
</pre>
 +
https://stackoverflow.com/questions/32297456/how-to-ignore-ansible-ssh-authenticity-checking
 
==分组==
 
==分组==
 
  ansible beta -b -u evan -m shell  -a " sudo hostname"
 
  ansible beta -b -u evan -m shell  -a " sudo hostname"
第161行: 第231行:
  
 
== run shell==
 
== run shell==
 +
#还是 -m shell 好用, -m script 不太好用感觉
 
  ansible core  -b -u evan -m shell  -a "sudo ls /home/evan"
 
  ansible core  -b -u evan -m shell  -a "sudo ls /home/evan"
 
   ansible insure -m shell  -a "sudo cat /etc/ssh/sshd_config | grep Permit"
 
   ansible insure -m shell  -a "sudo cat /etc/ssh/sshd_config | grep Permit"
第210行: 第281行:
 
-o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行)
 
-o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行)
 
</pre>
 
</pre>
 +
 +
==远程执行shell脚本文件 ==
 +
=== Friday July twenty-ninth 2022===
 +
===编写脚本  ===
 +
<pre>
 +
cat /tmp/mypatch
 +
# 卸载旧版本
 +
yum remove -y kubelet kubeadm kubectl
 +
 +
# 安装kubelet、kubeadm、kubectl
 +
# 将 ${1} 替换为 kubernetes 版本号,例如
 +
v=1.21.12
 +
yum install -y kubelet-${v} kubeadm-${v} kubectl-${v}
 +
crictl config runtime-endpoint /run/containerd/containerd.sock
 +
# 重启 docker,并启动 kubelet
 +
systemctl daemon-reload
 +
systemctl enable kubelet && systemctl start kubelet
 +
 +
</pre>
 +
=== 脚本copy到其他几台服务器===
 +
<pre>
 +
#执行ansible命令,将脚本copy到其他几台服务器上
 +
  ansible  myk8s -u root -m copy -a "src=/tmp/mypatch dest=/tmp/mypatch"
 +
 +
</pre>
 +
===每台服务器上执行 你的shell脚本 ===
 +
<pre>
 +
#执行ansible命令,在每台服务器上执行 你的shell脚本
 +
ansible  myk8s -u root -m shell -a "bash /tmp/mypatch chdir=/tmp"
 +
 +
</pre>
 +
[https://blog.51cto.com/llzdwyp/1761057  3.4-ansible远程执行脚本]
  
 
==ansible 常用模块==
 
==ansible 常用模块==
 
===主机连通性测试===
 
===主机连通性测试===
 +
<pre>
 +
 +
ansible-doc ping
 +
 
  ansible web -m ping命令来进行主机连通性测试
 
  ansible web -m ping命令来进行主机连通性测试
 +
 +
  ansible ansible mytmp -m ping
 +
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
 +
127.0.0.1 | SUCCESS => {
 +
    "ansible_facts": {
 +
        "discovered_interpreter_python": "/usr/bin/python3"
 +
    },
 +
    "changed": false,
 +
    "ping": "pong"
 +
}
 +
</pre>
 +
 
=== command 模块===
 
=== command 模块===
 
<pre>
 
<pre>
第230行: 第349行:
 
</pre>
 
</pre>
 
===shell 模块===
 
===shell 模块===
 +
<pre>
 +
shell模块基本和command相同,但是shell raw支持管道符
 +
 +
➜  ~ ansible pi3 -m raw -a "cat /etc/passwd | wc -l"
 +
192.168.10.5 | CHANGED | rc=0 >>
 +
41
 +
Shared connection to 192.168.10.5 closed.
 +
 +
➜  ~ ansible pi3 -m shell  -a "cat /etc/passwd | wc -l"
 +
192.168.10.5 | CHANGED | rc=0 >>
 +
41
 +
 +
 +
 +
shell > ansible Client -m shell -a "/home/test.sh"          # 执行远程脚本
 +
 +
 +
cat /root/2
 +
touch 2.txt
 +
 +
ansible 200  -b -u evan -m shell  -a  "sudo bash  /home/evan/close"
 +
 +
# cat /home/evan/2.txt 用sudo 默认去了 evan
 +
</pre>
  
 
===copy 模块===
 
===copy 模块===
 +
  ansible  myk8  -m copy -a 'dest=/home/evan src=/tmp/vboxdrv-Module.symvers'  #把 master上的 /tmp/vboxdrv-Module.symvers  cp到 myk8组的所有机器的 /home/evan下
 +
 +
===fetch 模块===
 +
和copy 相反 ,可看作文件上传动作,  把 远端机器的 /home/evan/vboxdrv-Module.symvers 收集回主机的 /home/evan/tmp/tpp目录下
 +
  ansible  myk8 -m fetch -a 'dest=/home/evan/tmp/tpp  src=/home/evan/vboxdrv-Module.symvers'
 +
 +
==== file ====
 +
还有相关的什么权限 用户组 属性什么的
 +
ansible  myk8  -m file -a  'path=/home/evan/vboxdrv-Module.symvers  state=absent' #删除/home/evan/vboxdrv-Module.symvers
  
 
===9)service 模块===
 
===9)service 模块===
第252行: 第404行:
 
</pre>
 
</pre>
  
===12)script 模块===
+
===12)script 模块 运行sh or py 2023 update===
 
<pre>
 
<pre>
 +
script模块将控制节点的脚本执行在被控节点上。 相当于scp+shell
 +
 +
➜  ~ hostname
 +
myxps
 +
➜  ~ cat /tmp/hostname
 +
hostname
 +
➜  ~
 +
➜  ~ ansible pi3 -m  script -a /tmp/hostname
 +
192.168.10.5 | CHANGED => {
 +
    "changed": true,
 +
    "rc": 0,
 +
    "stderr": "Shared connection to 192.168.10.5 closed.\r\n",
 +
    "stderr_lines": [
 +
        "Shared connection to 192.168.10.5 closed."
 +
    ],
 +
    "stdout": "mypi3b\r\n",
 +
    "stdout_lines": [
 +
        "mypi3b"
 +
    ]
 +
}
 +
➜  ~
 +
 +
 +
 +
 +
  一般用在被管主机上 执行一系列命令就非常爽
 +
一般先用copy 把脚本下发到所有的 slave机器 再执行
 +
 +
#Dec thirteenth 2022
 +
 +
ansible的script模块的用途
 +
 +
script 模块用来在远程主机上执行 ansible 管理主机上的脚本,
 +
 +
即:脚本一直存在于 ansible 管理主机本地,
 +
 +
不需要手动拷贝到远程主机后再执行
 +
 +
➜  tmp cat a.sh
 +
touch  evantouch.txt
 +
 +
chmod +x /home/evan/tmp/a.sh
 +
 +
ansible intra  -u root  -m  script -a '/home/evan/tmp/a.sh'
 +
 +
ansible intra    -m  script -a '/home/evan/tmp/a.sh' --become  --become-method=sudo --become-user=root
 +
 +
执行效果
 +
-192-168-10-121-c7 ~] {16:35:22} (0)
 +
# ls /root/evantouch.txt
 +
/root/evantouch.txt
 +
 +
 +
根据文件判断是否需要执行脚本?
 +
 +
creates参数 :使用此参数指定一个远程主机中的文件,当指定的文件存在时,就不执行对应脚本
 +
removes参数 :使用此参数指定一个远程主机中的文件,当指定的文件不存在时,就不执行对应脚本
 +
 +
[root@centos8 ~]# ansible yujian -m script -a 'removes=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh'  --become  --become-method=sudo --become-user=root
 +
121.122.123.47 | SKIPPED
 +
 +
因为删除文件不成功,所以不执行
 +
 +
[root@centos8 ~]# ansible yujian -m script -a 'creates=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh'  --become  --become-method=sudo --become-user=root
 +
121.122.123.47 | CHANGED => {
 +
    "changed": true,
 +
...
 +
 +
因为文件可以创建,所以成功执行
 +
 +
 +
 +
  
 
万事先man  
 
万事先man  
  
 
root@myxps:~# ansible-doc  -s script
 
root@myxps:~# ansible-doc  -s script
- name: Runs a local script on a remote node after transferring it
+
- name: Runs a local script (shell and py etc) on a remote node after transferring it
 
   script:
 
   script:
 
       chdir:                # Change into this directory on the remote node before
 
       chdir:                # Change into this directory on the remote node before
第284行: 第509行:
  
  
 +
py
 +
 +
evan@debian-s-1vcpu-1gb-sfo2-01:~$ ansible ec2  -m script -a ' ./getip.py'
 +
 +
ec2 | CHANGED => {
 +
    "changed": true,
 +
    "rc": 0,
 +
    "stderr": "Shared connection to 54.215.65.27 closed.\r\n",
 +
    "stderr_lines": [
 +
        "Shared connection to 54.215.65.27 closed."
 +
    ],
 +
    "stdout": "54.215.65.27\r\n",
 +
    "stdout_lines": [
 +
        "54.215.65.27"
 +
    ]
 +
}
 +
 +
 +
cat getip.py
 +
#!/usr/bin/python3
 +
import requests
 +
print(requests.get('http://ifconfig.me/ip', timeout=1).text.strip())
  
  
 
</pre>
 
</pre>
 +
 +
[https://www.cnblogs.com/architectforest/p/12766206.html ansible的script模块的用途]
 +
 
https://blog.51cto.com/noodle/1769474
 
https://blog.51cto.com/noodle/1769474
 +
 +
[https://qa.icopy.site/questions/35139711/running-python-script-via-ansible 通过 ansible 运行 Python 脚本]
  
 
===stat 模块===
 
===stat 模块===
第366行: 第618行:
  
 
[https://www.cnblogs.com/hypj/p/14035206.html ansible firewalld模块详解]
 
[https://www.cnblogs.com/hypj/p/14035206.html ansible firewalld模块详解]
 +
===[[ansible包管理模块]]请双击跳转===
 +
 
===ansible 用户批量创建与管理===
 
===ansible 用户批量创建与管理===
 
<pre>
 
<pre>
第401行: 第655行:
  
  
 +
 +
</pre>
 +
 +
=Ansible-Playbook之初始化服务器=
 +
<pre>
 +
init-user
 +
init-tools
 +
 +
vim task/main.yml
 +
- include: user.yml  #用户管理
 +
- include: repo.yml  #yum源
 +
- include: init_pkg.yml  #安装基础组件
 +
- include: profile.yml  #环境变量
 +
- include: selinux.yml  #selinux
 +
- include: dir.yml  #基础目录
 +
- include: limits.yml  #系统参数
 +
- include: iptables.yml  #防火墙
 +
- include: sysctl.yml  #内核参数
 +
- include: rc.local.yml  #开机启动
 +
- include: dns.yml    #dns
 +
- include: ntp.yml    #ntp
 +
- include: rsyslog.yml  #日志同步
 +
- include: sshd.yml  #ssh优化
 +
- include: safe.yml  #安全配置
 +
 +
</pre>
 +
 +
[https://juejin.cn/post/6995171921004331038  good-ansible自动化:操作系统初始化具体实现 ]
 +
 +
[https://cloud.tencent.com/developer/article/1702876 03 实战 Ansible-Playbook之初始化服务器--有sshd安全相关]
 +
 +
https://gitee.com/wanghui1234/ansible_repo
 +
 +
[https://blog.csdn.net/weixin_30955341/article/details/101262866  ansible-playbook编写服务器初始化脚本]
 +
==Ansible-Playbook 修改ssh 配置举例 ==
 +
 +
<pre>
 +
 +
cat /etc/ansible/ssh-u-conf.yml
 +
---
 +
- hosts: add
 +
  become: yes
 +
  become_method: sudo
 +
  gather_facts: true
 +
  remote_user: ubuntu
 +
  #remote_user: root
 +
  tasks:
 +
 +
  - name: "Change password"
 +
    user: name={{ item.name }} password={{  item.chpass | password_hash('sha512') }} update_password=always
 +
    with_items:
 +
      - { name: 'root', chpass: 'root1234' }
 +
      - { name: 'evan', chpass: 'evan1234' }
 +
 +
 +
 +
  - name: "修改ssh配置文件的安全选项"
 +
    lineinfile:
 +
      path: /etc/ssh/sshd_config
 +
      regexp: '{{ item.regexp }}'
 +
      line: '{{ item.line }}'
 +
      state: present
 +
    with_items:
 +
      - regexp: "^PasswordAuthentication"
 +
        line: "PasswordAuthentication yes"
 +
      - regexp: "^#PermitRootLogin"
 +
        line: "PermitRootLogin yes"
 +
      #- regexp: "^#Port 22"
 +
      #  line: "Port 2249"
 +
      - regexp: "^GSSAPIAuthentication yes"
 +
        line: "GSSAPIAuthentication no"
 +
    notify:
 +
      - restart sshd
 +
  handlers:
 +
    - name: restart sshd
 +
      service:
 +
        name: sshd
 +
        state: restarted
 +
 +
 +
 +
 +
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook  ssh-u-conf.yml
 +
 +
 +
 +
跑脚本前
 +
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
 +
#PermitRootLogin prohibit-password
 +
 +
跑后
 +
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
 +
PermitRootLogin yes
 +
 +
#这样就可以用root登录了 在不用太安全的开发环境可用,不过记得u 20.04 要先passwd root
 +
 +
</pre>
 +
 +
=YAML=
 +
<pre>
 +
➜  ~ cat data.yaml
 +
---
 +
- Apple
 +
- Orange
 +
- Strawbeery
 +
- Mango
 +
➜  ~
 +
 +
 +
In [3]: with open('data.yaml') as f:
 +
  ...:    print(yaml.safe_load(f))
 +
  ...:
 +
  ...:
 +
['Apple', 'Orange', 'Strawbeery', 'Mango']
  
 
</pre>
 
</pre>
第426行: 第794行:
  
 
[https://blog.csdn.net/reblue520/article/details/81301223  ansible配合shell脚本批量编译安装python3.6.6]
 
[https://blog.csdn.net/reblue520/article/details/81301223  ansible配合shell脚本批量编译安装python3.6.6]
 
  
 
=ansible配合shell脚本批量安装golang=
 
=ansible配合shell脚本批量安装golang=
第530行: 第897行:
 
</pre>
 
</pre>
 
[https://www.jianshu.com/p/d4e6655ff937 Ansible Role 系统环境 之【go】]
 
[https://www.jianshu.com/p/d4e6655ff937 Ansible Role 系统环境 之【go】]
 +
 +
=ansible sudo 安装配置docker =
 +
 +
==  Ansible Galaxy 搜索 dockek 有空要自己写成galaxy==
 +
https://www.cnblogs.com/sparkdev/p/9962904.html
 +
== 直接使用yum==
 +
<pre>
 +
 +
vi install_docker-ce.yml
 +
---
 +
- hosts: docker
 +
  remote_user: root
 +
  tasks:
 +
    - name: install yum-utils
 +
      yum: name=yum-utils state=present
 +
    - name: add docker repo
 +
      shell: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 +
    - name: install docer-ce
 +
      yum:
 +
        name: docker-ce
 +
        state: present
 +
    - name: install docker-ce-cli
 +
      yum:
 +
        name: docker-ce-cli
 +
        state: present
 +
    - name: install containerd.io
 +
      yum:
 +
        name: containerd.io
 +
        state: present
 +
    - name: config mirro
 +
      copy: src=~/docker-daemon.json dest=/etc/docker/daemon.json
 +
      tags: configmirro
 +
    - name: start enable docker
 +
      service: name=docker state=started enabled=true
 +
    - name: restrat
 +
      shell: sudo systemctl daemon-reload && sudo systemctl restart docker
 +
      tags: restart
 +
 +
#mirror配置
 +
cat docker-daemon.json
 +
{
 +
  "registry-mirrors": [
 +
    "https://registry.docker-cn.com",
 +
    "http://hub-mirror.c.163.com",
 +
    "https://docker.mirrors.ustc.edu.cn"
 +
  ]
 +
}
 +
 +
 +
 +
4.运行playbook
 +
 +
ansible-playbook -v install_docker-ce.yml
 +
 +
 +
 +
</pre>
 +
 +
==比较全面的 playbook and roles ==
 +
https://github.com/evan886/my-ansible/tree/main/sudo-insdocker/ansible
  
 
=ansible sudo 安装配置zbx agent =
 
=ansible sudo 安装配置zbx agent =
第539行: 第966行:
 
=ansible sudo 修改ssh配置文件的安全选项 =
 
=ansible sudo 修改ssh配置文件的安全选项 =
 
<pre>
 
<pre>
 +
Attention
 +
如果有 多个 PasswordAuthentication yes 可能不成功 只改了一个为no
 +
 
cat modify_sshd.yml
 
cat modify_sshd.yml
 
---
 
---
第576行: 第1,006行:
 
         state: restarted
 
         state: restarted
  
 +
 +
 +
 +
ansible-playbook  modify_sshd.yml
  
 
直接
 
直接
 
ansible all -b  --become-method=su  --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16"
 
ansible all -b  --become-method=su  --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16"
  
 +
 +
2022
 +
 +
cat /etc/ansible/hosts
 +
[one]
 +
192.168.10.122
 +
 +
 +
---
 +
- hosts: one
 +
  gather_facts: true
 +
  remote_user: root
 +
  tasks:
 +
  - name: "修改ssh配置文件的安全选项"
 +
    lineinfile:
 +
      path: /etc/ssh/sshd_config
 +
      regexp: '{{ item.regexp }}'
 +
      line: '{{ item.line }}'
 +
      state: present
 +
    with_items:
 +
      - regexp: "^PasswordAuthentication"
 +
        line: "PasswordAuthentication no"
 +
      - regexp: "^#PermitRootLogin"
 +
        line: "PermitRootLogin yes"
 +
      #- regexp: "^#Port 22"
 +
      #  line: "Port 2249"
 +
      - regexp: "^GSSAPIAuthentication yes"
 +
        line: "GSSAPIAuthentication no"
 +
    notify:
 +
      - restart sshd
 +
  handlers:
 +
    - name: restart sshd
 +
      service:
 +
        name: sshd
 +
        state: restarted
 +
 +
 +
如果有多个 PasswordAuthentication yes
 +
可能要执行多次 也有可能不成功 注意了
 +
 +
ansible-playbook -C ssh-conf.yml
 +
ansible-playbook  ssh-conf.yml
  
 
</pre>
 
</pre>
第586行: 第1,062行:
  
 
[https://www.linuxidc.com/Linux/2017-10/148058.htm Ansible使用playbook自动化编译安装Nginx]
 
[https://www.linuxidc.com/Linux/2017-10/148058.htm Ansible使用playbook自动化编译安装Nginx]
 +
 +
=ansible 批量修改已存在用户的密码=
 +
<pre>
 +
cat /etc/ansible/change-passwd.yml
 +
---
 +
  - hosts: prod
 +
    become: yes
 +
    become_method: sudo
 +
 +
    gather_facts: false
 +
    tasks:
 +
    - name: change user passwd
 +
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }}  update_password=always
 +
      with_items:
 +
          - { name: 'evan', chpass: '$evan1234567' }
 +
 +
 +
#run test
 +
ansible-playbook -C  change-passwd.yml
 +
#run
 +
ansible-playbook  change-passwd.yml
 +
 +
</pre>
  
 
=ansible 创建用户=
 
=ansible 创建用户=
第595行: 第1,094行:
  
 
[https://www.codenong.com/37333305/ 关于sudoers:Ansible:创建具有sudo特权的用户]
 
[https://www.codenong.com/37333305/ 关于sudoers:Ansible:创建具有sudo特权的用户]
 +
 
=ansible修改hostname modify_hostname=
 
=ansible修改hostname modify_hostname=
 
<pre>
 
<pre>
第641行: 第1,141行:
  
 
[https://bingostack.com/2021/03/ansible-shell-command/ 使用ansible执行shell命令的正确姿势]
 
[https://bingostack.com/2021/03/ansible-shell-command/ 使用ansible执行shell命令的正确姿势]
 +
=ansible-galaxy=
 +
 +
== ansible-galaxy install docker==
 +
<pre>  ansible-galaxy install geerlingguy.docker #记得国内机器可能要改dns 为8.8.4.4 不然连接github time out
 +
 +
#主要配置文件
 +
root@myxps:~# cat ~/.ansible/roles/geerlingguy.docker/defaults/main.yml
 +
 +
 +
cat pb-docker.yml  #安装 docker
 +
- hosts: mydocker
 +
  vars:
 +
    docker_users:
 +
      - root
 +
  roles:
 +
    - role: geerlingguy.docker
 +
      become: yes
 +
 +
 +
ansible-playbook -u root pb_docker.yml
 +
 +
</pre>
 +
[https://codeantenna.com/a/wQw1weZj3O 通过 Ansible 安装 Docker]
 +
 
=分发文件=
 
=分发文件=
 
<pre>  
 
<pre>  
第676行: 第1,200行:
 
solution
 
solution
 
忘记main.yml 加上 copy.yml喽
 
忘记main.yml 加上 copy.yml喽
 +
 +
 +
普通用户 
 +
 +
$ ansible
 +
Traceback (most recent call last):
 +
  File "/usr/local/bin/ansible", line 32, in <module>
 +
    from ansible import context
 +
ModuleNotFoundError: No module named 'ansible'
 +
 +
 +
evan@myxps:~/data/resume/interview$ pip list  | grep ansible
 +
evan@myxps:~/data/resume/interview$ sudo pip list  | grep ansible
 +
ansible                        4.5.0
 +
ansible-core                  2.11.5
 +
 
</pre>
 
</pre>
  
第681行: 第1,221行:
  
 
[https://al-cui.github.io/2020/04/05/Ansible-playbook%20%E5%85%B3%E4%BA%8Essh%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8/  ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行]
 
[https://al-cui.github.io/2020/04/05/Ansible-playbook%20%E5%85%B3%E4%BA%8Essh%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8/  ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行]
 +
== [DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed ==
 +
把你的 tasks/main.yml include 换成  include_tasks/import_tasks 就可以了
 +
 +
=Ansible  Vault=
 +
 +
==Running Ansible with Vault-Encrypted Files==
 +
 +
===Using an Interactive Prompt===
 +
<pre>
 +
 +
➜ ansible-vault create secret_key
 +
 +
➜  ansible vi  inventory/hosts
 +
#Aug  11  2023
 +
[database]
 +
localhost ansible_connection=local
 +
➜  ansible ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
 +
BECOME password:
 +
Vault password:
 +
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
 +
localhost | CHANGED => {
 +
    "ansible_facts": {
 +
        "discovered_interpreter_python": "/usr/bin/python3"
 +
    },
 +
    "changed": true,
 +
    "checksum": "15bb6433cbfcba861b6e7c1121fbe097f68ff14f",
 +
    "dest": "/tmp/secret_key",
 +
    "gid": 0,
 +
    "group": "root",
 +
    "md5sum": "e894b01b2cc7fc8f341df858e031798a",
 +
    "mode": "0600",
 +
    "owner": "root",
 +
    "size": 17,
 +
    "src": "/home/evan/.ansible/tmp/ansible-tmp-1691743336.7170281-39285-290202074/source",
 +
    "state": "file",
 +
    "uid": 0
 +
}
 +
 +
➜  ansible sudo cat /tmp/secret_key
 +
onfidential data
 +
 +
</pre>
 +
 +
===Using Ansible Vault with a Password File===
 +
<pre>
 +
echo 'my_vault_password' > .vault_pass
 +
 +
 +
 +
➜  .ansible ls
 +
change-passwd.yml  cp  secret_key  tmp
 +
➜  .ansible ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
 +
BECOME password:
 +
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
 +
localhost | CHANGED => {
 +
    "ansible_facts": {
 +
        "discovered_interpreter_python": "/usr/bin/python3"
 +
    },
 +
    "changed": true,
 +
    "checksum": "478a4b2f4eed95489ca86c7d4f060da80f498202",
 +
    "dest": "/tmp/secret_key",
 +
    "gid": 0,
 +
    "group": "root",
 +
    "md5sum": "ee950cc0624bbba77126274ceb752e3c",
 +
    "mode": "0600",
 +
    "owner": "root",
 +
    "size": 7,
 +
    "src": "/home/evan/.ansible/tmp/ansible-tmp-1691749143.0555234-42774-280022701874123/source",
 +
    "state": "file",
 +
    "uid": 0
 +
 +
 +
#我又新建议了一个
 +
➜  .ansible sudo cat /tmp/secret_key
 +
dafasf
 +
 +
</pre>
 +
 +
https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
 +
 +
https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html
 +
 +
=see also=
 +
[[Playbook]]
 +
 +
[[Ansible包管理模块]]
  
= Playbook=
+
=Galaxy=
  
[https://blog.51cto.com/u_13630803/2154192 Ansible之Playbook详解、案例]
+
[https://blog.csdn.net/qq_43584691/article/details/118365603  Ansible 系列之 Galaxy 工具]
  
 
=References=
 
=References=
第703行: 第1,329行:
 
[https://www.gbgj.net/info/468349.html langroot下载 分享Ansible批量安装golang环境]
 
[https://www.gbgj.net/info/468349.html langroot下载 分享Ansible批量安装golang环境]
  
 
+
[https://www.cnblogs.com/chenxianpao/p/7360349.html  ansible基本使用教程]
  
 
[https://blog.csdn.net/dghfttgv/article/details/104726454  Ansible(1)—— Ansible详解及inventory文件配置]
 
[https://blog.csdn.net/dghfttgv/article/details/104726454  Ansible(1)—— Ansible详解及inventory文件配置]
第711行: 第1,337行:
 
[https://zhuanlan.zhihu.com/p/139846936 一分钟了解Ansible]
 
[https://zhuanlan.zhihu.com/p/139846936 一分钟了解Ansible]
  
[[category:devops]]
+
[https://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software Comparison of open-source configuration management software]
 +
 
 +
[https://blog.csdn.net/ximenjianxue/article/details/115326825  DevOps之Cfengine工具安装过程图解]
 +
 
 +
[[category:devops]][[category:ansible]]

2024年10月21日 (一) 02:45的最新版本

目录

playbook双击跳转

[æn; ən

进阶

Ansible 日常使用技巧 - 运维总结

ansible自动化运维


Ansible中文权威指南

2021-Ansible学习

ansible playbook初始化系统基础环境,直接就可以用

ansible批量部署服务

ansible的安装和操作,并编写一个docker部署的示例

ansible-playbook使用实例(分发文件,执行脚本)

Ansible自动化运维应用实战

手把手教你在python中运行ansible-playbook

知识总结(17)ansible总结(ansible的优点、架构、工作原理、常用模块、playbook详解)

变量

vars:
  key_file: /etc/nginx/ssl/nginx.key 

play book 
- name: copy TLS key
  copy: src=files/nginx.key dest={{key_file}} owern=root  mode=0600 

Chapter 2 inventory

p48


Ansible教程 第三章 Inventory详解

introduction

Ansible是一种IT自动化工具。它可以配置系统,部署软件以及协调更高级的IT任务,例如持续部署,滚动更新。Ansible适用于管理企业IT基础设施,从具有少数主机的小规模到数千个实例的企业环境。Ansible也是一种简单的自动化语言,可以完美地描述IT应用程序基础结构。

Ansible is a suite /swiːt/ of software tools that enables infrastructure /ˈɪn.frəˌstrʌk.tʃɚ/ as code. It is open-source and the suite includes software provisioning, configuration management, and application deployment functionality /ˌfʌŋk.ʃənˈæl.ə.t̬i

ins

https://docs.ansible.com/ansible/latest/installation_guide/index.html

#on master  在debian 11上 用pip3 安装的版本很新 不过也是没默认配置文件  自己动手吧
pip3 install --user ansible

ssh-copy-id  -i  id_ecdsa.pub [email protected]
ssh-copy-id  -i  id_ecdsa.pub [email protected]
ssh-copy-id  -i  id_ecdsa.pub [email protected]



mkdir   /etc/ansible
vi /etc/ansible/hosts

192.168.88.50
192.168.88.51
192.168.88.52

[intra]
192.168.10.120
192.168.10.121

 ansible  all  -b -u root  -a "hostname"
192.168.88.51 | CHANGED | rc=0 >>
k8s-node1
192.168.88.50 | CHANGED | rc=0 >>
k8s-master
192.168.88.52 | CHANGED | rc=0 >>
k8s-node2


 ansible all -m ping

ins on centos use yum

 yum install epel-release
 yum install ansible

配置文件

#放自己home更加爽
/home/evan/ansible

so   Jul 04  2023

sudo vi /etc/ansible/ansible.cfg
[defaults]
inventory = /home/evan/ansible/inventory/hosts




# 写在自己的home目录 
ansible在使用配置文件时按照以下顺序优先配置:

export ANSIBLE_CONFIG

./ansible.cfg

~/.ansible.cfg

/etc/ansible/ansible.cfg

如果以上顺序没有找到配置文件ansible会自动使用默认配置

关于ansible的配置在/etc/ansible/ansible.cfg文件中,所以关于ansible运行时所使用的ssh配置也可以在此文件中配置。在目前的ansible中,运行ansible时会依次加载 环境变量ANSIBLE_CONFIG,当前目录的ansible.cfg,~/.ansible.cfg,/etc/ansible/ansible.cfg,针对同一个配置项以最先加载到的为准。所以,我们可以单独编写自己的ansible.cfg文件放在当前目录下。

可以去github上把默认配置拿下来:

https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg
# To generate an example config file (a "disabled" one with all default settings, commented out):
#               $ ansible-config init --disabled > ansible.cfg

# Also you can now have a more complete file by including existing plugins:
# ansible-config init --disabled -t all > ansible.cfg

把它放到/etc/ansible/目录

ansible指定用户

方案1:
nsible -m ping -u 用户名

方案2:

修改/etc/ansible/hosts文件:
[test_hosts]
host_ip ansible_user=用户名
# 还可以指定登陆密码
host_ip ansible_user=用户名 ansible_ssh_pass=登陆密码

日常技巧

sudo

sudo 详细例子insdocker在github

没密码的sudo

cat /etc/ansible/agent.yml
---
- hosts: all
  become: yes
  become_method: sudo
  remote_user: evan  
  #remote_user: ops 
  roles:
    - ag_conf

#当然 shell 里面也要写sudo 

#直接在commond 这样执行,要交互,但是可以直接回车 如果没密码
ansible  tmp -m  command -a "ls /root"  -u  evan --become  --ask-become-pass

ansible 普通用户执行命令


Ansible 使用普通用户远程执行playbook

https://serverfault.com/questions/870951/ansible-adhoc-command-execute-with-sudo

https://stackoverflow.com/questions/38958333/how-to-achieve-sudo-su-user-and-run-all-command-in-ansible#38965192

SSH authenticity checking

Is there a way to ignore the SSH authenticity checking made by Ansible? For example when I've just setup a new server I have to answer yes to this question:

GATHERING FACTS ***************************************************************
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:yy:zz:....
Are you sure you want to continue connecting (yes/no)?


方法1 直接在命令行 加参数 
 ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook   ssh-u-conf.yml

方法2  加到配置文件 
/etc/ansible/ansible.cfg or ~/.ansible.cfg

[defaults]
host_key_checking = False

https://stackoverflow.com/questions/32297456/how-to-ignore-ansible-ssh-authenticity-checking

分组

ansible beta -b -u evan -m shell   -a " sudo hostname"
执行ansible-playbook  -C /etc/ansible/agent.yml 得在 yml 里面指定 hostip etc
inventory 文件hosts

# 非标准的22端口 必须第一列为别外 不然无效哦 January 24 2022
[add]
#172.16.0.40
[beta]
beta-insurance ansible_host=172.16.0.14  ansible_port=22
[pro]
prod-core-mongo                ansible_host=172.16.1.40  ansible_port=22
prod-access                    ansible_host=172.16.1.8   ansible_port=22
prod-insurance-backstage       ansible_host=172.16.0.16  ansible_port=22 
prod-insurance-crm-mongo       ansible_host=172.16.1.37  ansible_port=22  
prod-insurance-backstage-count ansible_host=172.16.1.19  ansible_port=22 
prod_core                      ansible_host=172.16.1.9 ansible_port=22
prod_mq                        ansible_host=172.16.1.12 ansible_port=22

 
[core]
prod_core
prod-core-mongo 

[insure]
prod-access
prod-insurance-backstage
prod-insurance-crm-mongo
prod-insurance-backstage-count

run shell

#还是 -m shell 好用, -m script 不太好用感觉 
ansible core  -b -u evan -m shell   -a "sudo ls /home/evan"
 ansible insure -m shell   -a "sudo cat /etc/ssh/sshd_config | grep Permit"

常用参数

-m MODULE_NAME	#执行模块的名字,默认使用 command 模块,所以如果是只执行单一命令可以不用 -m参数
-u REMOTE_USER	#远程用户,默认为 root 用户
查看列表的命令
-m	要执行的模块,默认为command
-a	模块的参数
-u	ssh连接的用户名,默认用root,ansible.cfg中可以配置
-C, --check           don't make any changes; instead, try to predict some
                       of the changes that may occur

变量

# 主机和主机组变量(主机变量优先级大于主机组变量)

vim /etc/ansible/hosts

[webservers]

172.16.1.121:22 ansible_ssh_user=root ansible_ssh_pass='123456' http_port=80

172.16.1.122:22 ansible_ssh_user=root ansible_ssh_pass='123456'


[webservers:vars]
http_port=8080
server_name=www.baidu.com

实验:

ansible webservers -m command -a "echo {{http_port}}" -o

命令说明:

ansible webservers -m command -a "echo {{http_port}}" -o

ansible:ansible命令

webservers:/etc/ansible/hosts中配置的主机组名称,指定 all (分组和未分组的主机)代表所有主机,指定172.16.1.121代表单台主机。

-m:指定使用的模块,默认是command模块(简单的shell命令),可以省略不写。

-a:指定具体使用的shell指令,比如"echo {{http_port}}"表示在远程主机上打印http_port这个变量。

-o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行)

远程执行shell脚本文件

Friday July twenty-ninth 2022

编写脚本

cat /tmp/mypatch 
# 卸载旧版本
yum remove -y kubelet kubeadm kubectl

# 安装kubelet、kubeadm、kubectl
# 将 ${1} 替换为 kubernetes 版本号,例如
v=1.21.12
yum install -y kubelet-${v} kubeadm-${v} kubectl-${v}
crictl config runtime-endpoint /run/containerd/containerd.sock
# 重启 docker,并启动 kubelet
systemctl daemon-reload
systemctl enable kubelet && systemctl start kubelet

脚本copy到其他几台服务器

#执行ansible命令,将脚本copy到其他几台服务器上
  ansible  myk8s -u root -m copy -a "src=/tmp/mypatch dest=/tmp/mypatch"

每台服务器上执行 你的shell脚本

#执行ansible命令,在每台服务器上执行 你的shell脚本
ansible  myk8s -u root -m shell -a "bash /tmp/mypatch chdir=/tmp"

3.4-ansible远程执行脚本

ansible 常用模块

主机连通性测试


ansible-doc ping 

 ansible web -m ping命令来进行主机连通性测试

  ansible ansible mytmp -m ping 
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
127.0.0.1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}

command 模块

 ansible web -m command -a 'ss -ntl'

命令模块接受命令名称,后面是空格分隔的列表参数。给定的命令将在所有选定的节点上执行。它不会通过shell进行处理,比如$HOME和操作如"<",">","|",";","&" 工作(需要使用(shell)模块实现这些功能)。注意,该命令不支持| 管道命令。
  下面来看一看该模块下常用的几个命令:

    chdir       # 在执行命令之前,先切换到该目录
    executable # 切换shell来执行命令,需要使用命令的绝对路径
    free_form   # 要执行的Linux指令,一般使用Ansible的-a参数代替。
    creates  # 一个文件名,当这个文件存在,则该命令不执行,可以
    用来做判断
    removes # 一个文件名,这个文件不存在,则该命令不执行

shell 模块

shell模块基本和command相同,但是shell raw支持管道符

➜  ~ ansible pi3 -m raw -a "cat /etc/passwd | wc -l"
192.168.10.5 | CHANGED | rc=0 >>
41
Shared connection to 192.168.10.5 closed.

➜  ~ ansible pi3 -m shell  -a "cat /etc/passwd | wc -l"
192.168.10.5 | CHANGED | rc=0 >>
41



shell > ansible Client -m shell -a "/home/test.sh"           # 执行远程脚本


cat /root/2
touch 2.txt

ansible 200  -b -u evan -m shell   -a  "sudo bash  /home/evan/close"

# cat /home/evan/2.txt 用sudo 默认去了 evan 

copy 模块

 ansible  myk8  -m copy -a 'dest=/home/evan src=/tmp/vboxdrv-Module.symvers'  #把 master上的 /tmp/vboxdrv-Module.symvers  cp到 myk8组的所有机器的 /home/evan下

fetch 模块

和copy 相反 ,可看作文件上传动作,  把 远端机器的 /home/evan/vboxdrv-Module.symvers 收集回主机的 /home/evan/tmp/tpp目录下 
  ansible  myk8 -m fetch -a 'dest=/home/evan/tmp/tpp  src=/home/evan/vboxdrv-Module.symvers'

file

还有相关的什么权限 用户组 属性什么的
ansible  myk8  -m file -a  'path=/home/evan/vboxdrv-Module.symvers  state=absent' #删除/home/evan/vboxdrv-Module.symvers

9)service 模块

该模块用于服务程序的管理。
  其主要选项如下:

    arguments #命令行提供额外的参数
    enabled #设置开机启动。
    name= #服务名称
    runlevel #开机启动的级别,一般不用指定。
    sleep #在重启服务的过程中,是否等待。如在服务关闭以后等待2秒再启动。(定义在剧本中。)
    state #有四种状态,分别为:started--->启动服务, stopped--->停止服务, restarted--->重启服务, reloaded--->重载配置

  下面是一些例子:
① 开启服务并设置自启动

[root@server ~]# ansible web -m service -a 'name=nginx state=started enabled=true'

12)script 模块 运行sh or py 2023 update

script模块将控制节点的脚本执行在被控节点上。 相当于scp+shell

➜  ~ hostname
myxps
➜  ~ cat /tmp/hostname 
hostname
➜  ~ 
➜  ~ ansible pi3 -m  script -a /tmp/hostname 
192.168.10.5 | CHANGED => {
    "changed": true,
    "rc": 0,
    "stderr": "Shared connection to 192.168.10.5 closed.\r\n",
    "stderr_lines": [
        "Shared connection to 192.168.10.5 closed."
    ],
    "stdout": "mypi3b\r\n",
    "stdout_lines": [
        "mypi3b"
    ]
}
➜  ~ 




  一般用在被管主机上 执行一系列命令就非常爽
一般先用copy 把脚本下发到所有的 slave机器 再执行

#Dec thirteenth 2022

ansible的script模块的用途

script 模块用来在远程主机上执行 ansible 管理主机上的脚本,

即:脚本一直存在于 ansible 管理主机本地,

不需要手动拷贝到远程主机后再执行

➜  tmp cat a.sh 
touch  evantouch.txt

chmod +x /home/evan/tmp/a.sh

ansible intra  -u root  -m  script -a '/home/evan/tmp/a.sh'

ansible intra    -m  script -a '/home/evan/tmp/a.sh' --become  --become-method=sudo --become-user=root
 
 执行效果 
 -192-168-10-121-c7 ~] {16:35:22} (0)
# ls /root/evantouch.txt 
/root/evantouch.txt


根据文件判断是否需要执行脚本?

creates参数 :使用此参数指定一个远程主机中的文件,当指定的文件存在时,就不执行对应脚本
removes参数 :使用此参数指定一个远程主机中的文件,当指定的文件不存在时,就不执行对应脚本

[root@centos8 ~]# ansible yujian -m script -a 'removes=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh'  --become  --become-method=sudo --become-user=root
121.122.123.47 | SKIPPED

因为删除文件不成功,所以不执行

[root@centos8 ~]# ansible yujian -m script -a 'creates=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh'  --become  --become-method=sudo --become-user=root
121.122.123.47 | CHANGED => {
    "changed": true,
...

因为文件可以创建,所以成功执行





万事先man 

root@myxps:~# ansible-doc  -s script
- name: Runs a local script (shell and py etc) on a remote node after transferring it
  script:
      chdir:                 # Change into this directory on the remote node before
                               running the script.
      cmd:                   # Path to the local script to run followed by optional
                               arguments.
      creates:               # A filename on the remote node, when it already
                               exists, this step will
                               *not* be run.
      decrypt:               # This option controls the autodecryption of source
                               files using vault.
      executable:            # Name or path of a executable to invoke the script
                               with.
      free_form:             # Path to the local script file followed by optional
                               arguments.
      removes:               # A filename on the remote node, when it does not
                               exist, this step will
                               *not* be run.


 [evan@ ansible]$ ansible add -m script -a './1.sh'

[evan@ ansible]$ cat  1.sh 
touch /tmp/byevanjan.log


py 

evan@debian-s-1vcpu-1gb-sfo2-01:~$ ansible ec2  -m script -a ' ./getip.py'

ec2 | CHANGED => {
    "changed": true,
    "rc": 0,
    "stderr": "Shared connection to 54.215.65.27 closed.\r\n",
    "stderr_lines": [
        "Shared connection to 54.215.65.27 closed."
    ],
    "stdout": "54.215.65.27\r\n",
    "stdout_lines": [
        "54.215.65.27"
    ]
}


cat getip.py 
#!/usr/bin/python3
import requests
print(requests.get('http://ifconfig.me/ip', timeout=1).text.strip())


ansible的script模块的用途

https://blog.51cto.com/noodle/1769474

通过 ansible 运行 Python 脚本

stat 模块

 ansible sftp -m stat  -a "path=/etc/passwd"

firewalld模块


service : Name of a service to add/remove to/from firewalld.The service must be listed in output of firewall-cmd --get-services.
指定放行的服务,此服务必须要在firewall-cmd --get-services查询的到。

irewalld模块主要设置火墙对服务和端口的允许
参数:ansible-doc -s firewalld查看一下fetch模块的参数`

service参数 	必须参数,用于指定要允许服务。
state参数 	enabled开机启动
permanent参数 	true 永久添加
immediate参数 	true 立即生效








#  firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  
  
  /etc/ansible# cat fire.yml 
---
- hosts: 192.168.10.122
  gather_facts: true
  remote_user: root
  tasks:
  - name: "firewalld"
    firewalld:
      service: http
      state: enabled
      permanent: true
      immediate: yes
      
      
ansible-playbook -C  fire.yml 
ansible-playbook   fire.yml 
      
运行后 结果如下 多了个 http

 firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client http ssh


#直接执行
ansible node1 -m firewalld -a 'service=https permanent=yes state=enabled'



ansible node1 -m service -a 'name=firewalld state=restarted'


#建议reload 不要动不动restart
 ansible intra -m service -a 'name=firewalld state=reloaded'


 ansible intra -m firewalld -a 'port=8081/tcp permanent=yes state=enabled'

ansible firewalld模块详解

ansible包管理模块请双击跳转

ansible 用户批量创建与管理


最笨的办法  明显不是我们要的 
ansible intra -m command -a 'useradd appl'


ansible-doc  user -s


最好的办法  playbook 

/etc/ansible# cat adduser.yml 
---
- hosts: all
  remote_user: root
  tasks:
  - name: 'Create  group lai'
    group:
     name: lai
     state: present        

  - name: create user deployer
    user:
      name: "{{ item.user }}"
      group: "{{ item.user }}"
      password: "{{ item.pass|password_hash('sha512') }}"
      state: present
      update_password: on_create
    loop: 
        - { user: lai , pass:  '2240881'}     

#密码要用字符



Ansible-Playbook之初始化服务器

init-user 
init-tools 

vim task/main.yml
- include: user.yml  #用户管理
- include: repo.yml  #yum源
- include: init_pkg.yml  #安装基础组件
- include: profile.yml  #环境变量
- include: selinux.yml  #selinux
- include: dir.yml  #基础目录
- include: limits.yml   #系统参数
- include: iptables.yml  #防火墙
- include: sysctl.yml   #内核参数
- include: rc.local.yml   #开机启动
- include: dns.yml    #dns
- include: ntp.yml    #ntp
- include: rsyslog.yml  #日志同步
- include: sshd.yml  #ssh优化
- include: safe.yml   #安全配置

good-ansible自动化:操作系统初始化具体实现

03 实战 Ansible-Playbook之初始化服务器--有sshd安全相关

https://gitee.com/wanghui1234/ansible_repo

ansible-playbook编写服务器初始化脚本

Ansible-Playbook 修改ssh 配置举例


 cat /etc/ansible/ssh-u-conf.yml 
---
- hosts: add
  become: yes
  become_method: sudo 
  gather_facts: true
  remote_user: ubuntu
  #remote_user: root
  tasks:

  - name: "Change password"
    user: name={{ item.name }} password={{  item.chpass | password_hash('sha512') }} update_password=always
    with_items:
      - { name: 'root', chpass: 'root1234' }
      - { name: 'evan', chpass: 'evan1234' }



  - name: "修改ssh配置文件的安全选项"
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
      state: present
    with_items:
      - regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication yes"
      - regexp: "^#PermitRootLogin"
        line: "PermitRootLogin yes"
      #- regexp: "^#Port 22"
      #  line: "Port 2249"
      - regexp: "^GSSAPIAuthentication yes"
        line: "GSSAPIAuthentication no"
    notify:
      - restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted




ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook   ssh-u-conf.yml



跑脚本前 
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
#PermitRootLogin prohibit-password

跑后 
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
PermitRootLogin yes

#这样就可以用root登录了 在不用太安全的开发环境可用,不过记得u 20.04 要先passwd root 

YAML

➜  ~ cat data.yaml 
---
- Apple
- Orange
- Strawbeery
- Mango
➜  ~ 


In [3]: with open('data.yaml') as f:
   ...:     print(yaml.safe_load(f))
   ...: 
   ...: 
['Apple', 'Orange', 'Strawbeery', 'Mango']

ansible配合shell脚本批量编译安装python3.7

https://github.com/evan886/my-ansible

具体安排脚本here https://github.com/evan886/my-ansible/tree/main/ansible4py3.7ins

git clone [email protected]:evan886/my-ansible.git

cd ansible4py3.7ins/

执行playbook
测试
root@myxps:/etc/ansible# ansible-playbook -C  python.yml

执行
root@myxps:/etc/ansible# ansible-playbook  python.yml


ansible配合shell脚本批量编译安装python3.6.6

ansible配合shell脚本批量安装golang

https://golang.org/doc/install

tree 
.
├── ansible.cfg
├── go.yml
├── hosts
└── roles
    └── go_install
        ├── files
        │   └── go1.17.1.linux-amd64.tar.gz
        ├── tasks
        │   ├── copy.yml
        │   ├── install.yml
        │   └── main.yml
        └── templates
            └── go_install.sh

5 directories, 8 files



reload environment variable.  怎么搞 要手工不成  不科学
oot@myxps:/etc/ansible# ansible intra -b -u root  -a "source /etc/profile"
192.168.10.120 | FAILED | rc=2 >>
[Errno 2] 没有那个文件或目录
192.168.10.121 | FAILED | rc=2 >>
[Errno 2] 没有那个文件或目录
root@myxps:/etc/ansible# ansible intra -b -u root  -a ". /etc/profile"
192.168.10.121 | FAILED | rc=13 >>
[Errno 13] 权限不够
192.168.10.120 | FAILED | rc=13 >>
[Errno 13] 权限不够


run


#!/usr/bin/env ansible-playbook

加权限后就可以   ./youfile


root@myxps:/etc/ansible# ansible-playbook -C  go.yml 
[WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly
calculated text widths that can cause Display to print incorrect line lengths

PLAY [all] *****************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************
ok: [192.168.10.121]
ok: [192.168.10.120]

TASK [go_install : copy go_tgz to client] **********************************************************************
changed: [192.168.10.120]
changed: [192.168.10.121]

TASK [go_install : copy install_go_script to client] ***********************************************************
changed: [192.168.10.120]
changed: [192.168.10.121]

TASK [go_install : install go] *********************************************************************************
skipping: [192.168.10.120]
skipping: [192.168.10.121]

PLAY RECAP *****************************************************************************************************
192.168.10.120             : ok=3    changed=2    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   
192.168.10.121             : ok=3    changed=2    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   

root@myxps:/etc/ansible# ansible-playbook   go.yml 
[WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text widths that can cause Display to print incorrect line
lengths

PLAY [all] ******************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************
ok: [192.168.10.121]
ok: [192.168.10.120]

TASK [go_install : copy go_tgz to client] ***********************************************************************************************************************************
changed: [192.168.10.120]
changed: [192.168.10.121]

TASK [go_install : copy install_go_script to client] ************************************************************************************************************************
changed: [192.168.10.120]
changed: [192.168.10.121]

TASK [go_install : install go] **********************************************************************************************************************************************
changed: [192.168.10.120]
changed: [192.168.10.121]

PLAY RECAP ******************************************************************************************************************************************************************
192.168.10.120             : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.10.121             : ok=4    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


Ansible Role 系统环境 之【go】

ansible sudo 安装配置docker

Ansible Galaxy 搜索 dockek 有空要自己写成galaxy

https://www.cnblogs.com/sparkdev/p/9962904.html

直接使用yum


vi install_docker-ce.yml
---
- hosts: docker
  remote_user: root
  tasks:
    - name: install yum-utils
      yum: name=yum-utils state=present
    - name: add docker repo
      shell: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
    - name: install docer-ce
      yum:
        name: docker-ce
        state: present
    - name: install docker-ce-cli
      yum:
        name: docker-ce-cli
        state: present
    - name: install containerd.io
      yum:
        name: containerd.io
        state: present
    - name: config mirro
      copy: src=~/docker-daemon.json dest=/etc/docker/daemon.json
      tags: configmirro
    - name: start enable docker
      service: name=docker state=started enabled=true
    - name: restrat
      shell: sudo systemctl daemon-reload && sudo systemctl restart docker
      tags: restart

#mirror配置
cat docker-daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}

 

4.运行playbook

 ansible-playbook -v install_docker-ce.yml



比较全面的 playbook and roles

https://github.com/evan886/my-ansible/tree/main/sudo-insdocker/ansible

ansible sudo 安装配置zbx agent

https://github.com/evan886/my-ansible
#具体脚本
https://github.com/evan886/my-ansible/tree/main/ansible4zbxagent-insconf

ansible sudo 修改ssh配置文件的安全选项

Attention
如果有 多个 PasswordAuthentication yes 可能不成功 只改了一个为no 

cat modify_sshd.yml
---
- hosts: cor
#- hosts: all
  gather_facts: true
  #remote_user: root
  become: yes
  become_method: sudo
  remote_user: evan
  
  tasks:
  - name: "修改ssh配置文件的安全选项"
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
      state: present
    with_items:
      - regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
      - regexp: "^#PermitRootLogin yes"
        line: "PermitRootLogin no"
      - regexp: "^PermitRootLogin yes"
        line: "PermitRootLogin no"

      #- regexp: "^#Port 22"
      #  line: "Port 2249"
      - regexp: "^GSSAPIAuthentication yes"
        line: "GSSAPIAuthentication no"
    notify:
      - restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted




ansible-playbook  modify_sshd.yml

直接
ansible all -b  --become-method=su  --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16"


2022

cat /etc/ansible/hosts
[one]
192.168.10.122


---
- hosts: one
  gather_facts: true
  remote_user: root
  tasks:
  - name: "修改ssh配置文件的安全选项"
    lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '{{ item.regexp }}'
      line: '{{ item.line }}'
      state: present
    with_items:
      - regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
      - regexp: "^#PermitRootLogin"
        line: "PermitRootLogin yes"
      #- regexp: "^#Port 22"
      #  line: "Port 2249"
      - regexp: "^GSSAPIAuthentication yes"
        line: "GSSAPIAuthentication no"
    notify:
      - restart sshd
  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted


如果有多个 PasswordAuthentication yes 
可能要执行多次 也有可能不成功 注意了 

ansible-playbook -C ssh-conf.yml
ansible-playbook   ssh-conf.yml

Ansible使用playbook自动化编译安装Nginx

Ansible使用playbook自动化编译安装Nginx

ansible 批量修改已存在用户的密码

cat /etc/ansible/change-passwd.yml 
---
  - hosts: prod
    become: yes
    become_method: sudo

    gather_facts: false
    tasks:
    - name: change user passwd
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }}  update_password=always
      with_items:
           - { name: 'evan', chpass: '$evan1234567' }


#run test
ansible-playbook -C  change-passwd.yml
#run
ansible-playbook  change-passwd.yml

ansible 创建用户

useradd jsxge
chown -R jsxge.wheel jsxge
echo "123456" | passwd --stdin jsxge

关于sudoers:Ansible:创建具有sudo特权的用户

ansible修改hostname modify_hostname

cat hosts 
[pro]
172.16.0.8  
172.16.0.16  
172.16.0.37 
172.16.0.19 
172.16.0.9  

ansible]$ cat modify_hostname.yml
---
- name: set hostname
  hosts: pro
  #hosts: all
  become: yes
  become_method: sudo
  remote_user: eva

  gather_facts: false
  vars:
    hostnames:
      - host: 172.16.0.8
        name: prod-access
      - host: 172.16.0.16
        name: prod-insurance-backstage

      - host: 172.16.0.37
        name: prod-insurance-crm-mongo
      - host: 172.16.0.19
        name: prod-insurance-backstage-count
      - host: 172.16.0.9
        name: prod-insurance-core
  tasks:
    - name: set hostname
      hostname:
        name: "{{item.name}}"
      when: item.host == inventory_hostname
      loop: "{{hostnames}}"


ansible and shell

使用ansible执行shell命令的正确姿势

ansible-galaxy

ansible-galaxy install docker

  ansible-galaxy install geerlingguy.docker #记得国内机器可能要改dns 为8.8.4.4 不然连接github time out

#主要配置文件 
root@myxps:~# cat ~/.ansible/roles/geerlingguy.docker/defaults/main.yml 


 cat pb-docker.yml  #安装 docker 
- hosts: mydocker
  vars:
    docker_users:
      - root
  roles:
    - role: geerlingguy.docker
      become: yes


ansible-playbook -u root pb_docker.yml

通过 Ansible 安装 Docker

分发文件

 

 cat /etc/ansible/hosts
[intra]
192.168.10.120
192.168.10.121



ansible intra -m copy -a "src=/home/evan/data/devops/node-v14.17.6-linux-x64.tar.xz  dest=/root/"

ansible 122 -m copy -a "src=/home/evan/data/devops/jdk/jdk-8u212-linux-x64.rpm dest=/root/"


ansible批量传输文件

结合P2P软件使用Ansible分发大文件_神棍之路-程序员宅基地

使用 Ansible 传输文件的几种方式

troubleshooting


TASK [ag_conf : install conig  zbx agent] **************************************************************************
fatal: [172.16.0.16]: FAILED! => {"changed": true, "cmd": "/bin/bash /tmp/i.sh", "delta": "0:00:00.065791", "end": "2021-10-15 10:54:54.896410", "msg": "non-zero return code", "rc": 127, "start": "2021-10-15 10:54:54.830619", "stderr": "/bin/bash: /tmp/i.sh: 没有那个文件或目录", "stderr_lines": ["/bin/bash: /tmp/i.sh: 没有那个文件或目录"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************************************************
172.16.0.16                : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   


solution
忘记main.yml 加上 copy.yml喽


普通用户  

$ ansible
Traceback (most recent call last):
  File "/usr/local/bin/ansible", line 32, in <module>
    from ansible import context
ModuleNotFoundError: No module named 'ansible'


evan@myxps:~/data/resume/interview$ pip list   | grep ansible 
evan@myxps:~/data/resume/interview$ sudo pip list   | grep ansible 
ansible                        4.5.0
ansible-core                   2.11.5


ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行

[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed

把你的 tasks/main.yml include 换成  include_tasks/import_tasks 就可以了

Ansible Vault

Running Ansible with Vault-Encrypted Files

Using an Interactive Prompt


➜ ansible-vault create secret_key

➜  ansible vi   inventory/hosts 
#Aug  11  2023
[database]
localhost ansible_connection=local
➜  ansible ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
BECOME password: 
Vault password: 
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
localhost | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "checksum": "15bb6433cbfcba861b6e7c1121fbe097f68ff14f",
    "dest": "/tmp/secret_key",
    "gid": 0,
    "group": "root",
    "md5sum": "e894b01b2cc7fc8f341df858e031798a",
    "mode": "0600",
    "owner": "root",
    "size": 17,
    "src": "/home/evan/.ansible/tmp/ansible-tmp-1691743336.7170281-39285-290202074/source",
    "state": "file",
    "uid": 0
}

➜  ansible sudo cat /tmp/secret_key
onfidential data

Using Ansible Vault with a Password File

echo 'my_vault_password' > .vault_pass



➜  .ansible ls 
change-passwd.yml  cp  secret_key  tmp
➜  .ansible ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
BECOME password: 
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
localhost | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "checksum": "478a4b2f4eed95489ca86c7d4f060da80f498202",
    "dest": "/tmp/secret_key",
    "gid": 0,
    "group": "root",
    "md5sum": "ee950cc0624bbba77126274ceb752e3c",
    "mode": "0600",
    "owner": "root",
    "size": 7,
    "src": "/home/evan/.ansible/tmp/ansible-tmp-1691749143.0555234-42774-280022701874123/source",
    "state": "file",
    "uid": 0


#我又新建议了一个 
➜  .ansible sudo cat /tmp/secret_key 
dafasf

https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data

https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html

see also

Playbook

Ansible包管理模块

Galaxy

Ansible 系列之 Galaxy 工具

References

Ansible 简介

ansible基础教程


别让运维太忙,一文详解 Ansible 的自动化运维,提高工作效率

Jenkins + Ansible 实现 Golang 自动化编译部署

https://github.com/apenella/go-ansible#install

Ansible系列(四):playbook应用和roles自动化批量安装示例

langroot下载 分享Ansible批量安装golang环境

ansible基本使用教程

Ansible(1)—— Ansible详解及inventory文件配置

ansible入门

一分钟了解Ansible

Comparison of open-source configuration management software

DevOps之Cfengine工具安装过程图解