“Ansible基础”的版本间的差异
跳到导航
跳到搜索
(→sudo) |
|||
| (未显示同一用户的62个中间版本) | |||
| 第1行: | 第1行: | ||
| + | = [[Playbook |playbook双击跳转]]= | ||
| + | [æn; ən | ||
| + | |||
=进阶= | =进阶= | ||
| 第20行: | 第23行: | ||
[https://www.cnblogs.com/LiuChang-blog/p/14702939.html Ansible自动化运维应用实战 ] | [https://www.cnblogs.com/LiuChang-blog/p/14702939.html Ansible自动化运维应用实战 ] | ||
| + | [https://blog.csdn.net/u013613428/article/details/92837916 手把手教你在python中运行ansible-playbook] | ||
[https://blog.csdn.net/weixin_46833747/article/details/108441827 知识总结(17)ansible总结(ansible的优点、架构、工作原理、常用模块、playbook详解)] | [https://blog.csdn.net/weixin_46833747/article/details/108441827 知识总结(17)ansible总结(ansible的优点、架构、工作原理、常用模块、playbook详解)] | ||
| 第44行: | 第48行: | ||
https://docs.ansible.com/ansible/latest/installation_guide/index.html | https://docs.ansible.com/ansible/latest/installation_guide/index.html | ||
<pre> | <pre> | ||
| − | #on master | + | #on master 在debian 11上 用pip3 安装的版本很新 不过也是没默认配置文件 自己动手吧 |
pip3 install --user ansible | pip3 install --user ansible | ||
| 第84行: | 第88行: | ||
=配置文件= | =配置文件= | ||
<pre> | <pre> | ||
| + | #放自己home更加爽 | ||
| + | /home/evan/ansible | ||
| + | |||
| + | so Jul 04 2023 | ||
| + | |||
| + | sudo vi /etc/ansible/ansible.cfg | ||
| + | [defaults] | ||
| + | inventory = /home/evan/ansible/inventory/hosts | ||
| + | |||
| + | |||
| 第111行: | 第125行: | ||
把它放到/etc/ansible/目录 | 把它放到/etc/ansible/目录 | ||
| + | </pre> | ||
| + | ==ansible指定用户 == | ||
| + | <pre> | ||
| + | 方案1: | ||
| + | nsible -m ping -u 用户名 | ||
| + | |||
| + | 方案2: | ||
| + | |||
| + | 修改/etc/ansible/hosts文件: | ||
| + | [test_hosts] | ||
| + | host_ip ansible_user=用户名 | ||
| + | # 还可以指定登陆密码 | ||
| + | host_ip ansible_user=用户名 ansible_ssh_pass=登陆密码 | ||
| + | |||
</pre> | </pre> | ||
| 第130行: | 第158行: | ||
#当然 shell 里面也要写sudo | #当然 shell 里面也要写sudo | ||
| + | |||
| + | #直接在commond 这样执行,要交互,但是可以直接回车 如果没密码 | ||
| + | ansible tmp -m command -a "ls /root" -u evan --become --ask-become-pass | ||
| + | |||
</pre> | </pre> | ||
[https://blog.51cto.com/u_3379770/1906326 ansible 普通用户执行命令] | [https://blog.51cto.com/u_3379770/1906326 ansible 普通用户执行命令] | ||
| 第136行: | 第168行: | ||
[https://www.cnblogs.com/fjping0606/p/6952749.html Ansible 使用普通用户远程执行playbook ] | [https://www.cnblogs.com/fjping0606/p/6952749.html Ansible 使用普通用户远程执行playbook ] | ||
| + | https://serverfault.com/questions/870951/ansible-adhoc-command-execute-with-sudo | ||
| + | |||
| + | https://stackoverflow.com/questions/38958333/how-to-achieve-sudo-su-user-and-run-all-command-in-ansible#38965192 | ||
| + | |||
| + | ==SSH authenticity checking == | ||
| + | <pre> | ||
| + | Is there a way to ignore the SSH authenticity checking made by Ansible? For example when I've just setup a new server I have to answer yes to this question: | ||
| + | |||
| + | GATHERING FACTS *************************************************************** | ||
| + | The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established. | ||
| + | RSA key fingerprint is xx:yy:zz:.... | ||
| + | Are you sure you want to continue connecting (yes/no)? | ||
| + | |||
| + | |||
| + | 方法1 直接在命令行 加参数 | ||
| + | ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook ssh-u-conf.yml | ||
| + | |||
| + | 方法2 加到配置文件 | ||
| + | /etc/ansible/ansible.cfg or ~/.ansible.cfg | ||
| + | |||
| + | [defaults] | ||
| + | host_key_checking = False | ||
| + | |||
| + | </pre> | ||
| + | https://stackoverflow.com/questions/32297456/how-to-ignore-ansible-ssh-authenticity-checking | ||
==分组== | ==分组== | ||
ansible beta -b -u evan -m shell -a " sudo hostname" | ansible beta -b -u evan -m shell -a " sudo hostname" | ||
| 第171行: | 第228行: | ||
== run shell== | == run shell== | ||
| + | #还是 -m shell 好用, -m script 不太好用感觉 | ||
ansible core -b -u evan -m shell -a "sudo ls /home/evan" | ansible core -b -u evan -m shell -a "sudo ls /home/evan" | ||
ansible insure -m shell -a "sudo cat /etc/ssh/sshd_config | grep Permit" | ansible insure -m shell -a "sudo cat /etc/ssh/sshd_config | grep Permit" | ||
| 第220行: | 第278行: | ||
-o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行) | -o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行) | ||
</pre> | </pre> | ||
| + | |||
| + | ==远程执行shell脚本文件 == | ||
| + | === Friday July twenty-ninth 2022=== | ||
| + | ===编写脚本 === | ||
| + | <pre> | ||
| + | cat /tmp/mypatch | ||
| + | # 卸载旧版本 | ||
| + | yum remove -y kubelet kubeadm kubectl | ||
| + | |||
| + | # 安装kubelet、kubeadm、kubectl | ||
| + | # 将 ${1} 替换为 kubernetes 版本号,例如 | ||
| + | v=1.21.12 | ||
| + | yum install -y kubelet-${v} kubeadm-${v} kubectl-${v} | ||
| + | crictl config runtime-endpoint /run/containerd/containerd.sock | ||
| + | # 重启 docker,并启动 kubelet | ||
| + | systemctl daemon-reload | ||
| + | systemctl enable kubelet && systemctl start kubelet | ||
| + | |||
| + | </pre> | ||
| + | === 脚本copy到其他几台服务器=== | ||
| + | <pre> | ||
| + | #执行ansible命令,将脚本copy到其他几台服务器上 | ||
| + | ansible myk8s -u root -m copy -a "src=/tmp/mypatch dest=/tmp/mypatch" | ||
| + | |||
| + | </pre> | ||
| + | ===每台服务器上执行 你的shell脚本 === | ||
| + | <pre> | ||
| + | #执行ansible命令,在每台服务器上执行 你的shell脚本 | ||
| + | ansible myk8s -u root -m shell -a "bash /tmp/mypatch chdir=/tmp" | ||
| + | |||
| + | </pre> | ||
| + | [https://blog.51cto.com/llzdwyp/1761057 3.4-ansible远程执行脚本] | ||
==ansible 常用模块== | ==ansible 常用模块== | ||
===主机连通性测试=== | ===主机连通性测试=== | ||
| + | <pre> | ||
| + | |||
| + | ansible-doc ping | ||
| + | |||
ansible web -m ping命令来进行主机连通性测试 | ansible web -m ping命令来进行主机连通性测试 | ||
| + | |||
| + | ansible ansible mytmp -m ping | ||
| + | [WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1 | ||
| + | 127.0.0.1 | SUCCESS => { | ||
| + | "ansible_facts": { | ||
| + | "discovered_interpreter_python": "/usr/bin/python3" | ||
| + | }, | ||
| + | "changed": false, | ||
| + | "ping": "pong" | ||
| + | } | ||
| + | </pre> | ||
| + | |||
=== command 模块=== | === command 模块=== | ||
<pre> | <pre> | ||
| 第240行: | 第346行: | ||
</pre> | </pre> | ||
===shell 模块=== | ===shell 模块=== | ||
| + | <pre> | ||
| + | shell模块基本和command相同,但是shell支持管道符 | ||
| + | |||
| + | shell > ansible Client -m shell -a "/home/test.sh" # 执行远程脚本 | ||
| + | |||
| + | |||
| + | cat /root/2 | ||
| + | touch 2.txt | ||
| + | |||
| + | ansible 200 -b -u evan -m shell -a "sudo bash /home/evan/close" | ||
| + | |||
| + | # cat /home/evan/2.txt 用sudo 默认去了 evan | ||
| + | </pre> | ||
===copy 模块=== | ===copy 模块=== | ||
| + | ansible myk8 -m copy -a 'dest=/home/evan src=/tmp/vboxdrv-Module.symvers' #把 master上的 /tmp/vboxdrv-Module.symvers cp到 myk8组的所有机器的 /home/evan下 | ||
| + | |||
| + | ===fetch 模块=== | ||
| + | 和copy 相反 ,可看作文件上传动作, 把 远端机器的 /home/evan/vboxdrv-Module.symvers 收集回主机的 /home/evan/tmp/tpp目录下 | ||
| + | ansible myk8 -m fetch -a 'dest=/home/evan/tmp/tpp src=/home/evan/vboxdrv-Module.symvers' | ||
| + | |||
| + | ==== file ==== | ||
| + | 还有相关的什么权限 用户组 属性什么的 | ||
| + | ansible myk8 -m file -a 'path=/home/evan/vboxdrv-Module.symvers state=absent' #删除/home/evan/vboxdrv-Module.symvers | ||
===9)service 模块=== | ===9)service 模块=== | ||
| 第262行: | 第390行: | ||
</pre> | </pre> | ||
| − | ===12)script 模块=== | + | ===12)script 模块 运行sh or py 2023 update=== |
<pre> | <pre> | ||
| + | script模块将控制节点的脚本执行在被控节点上。 | ||
| + | |||
| + | ➜ ~ hostname | ||
| + | myxps | ||
| + | ➜ ~ cat /tmp/hostname | ||
| + | hostname | ||
| + | ➜ ~ | ||
| + | ➜ ~ ansible pi3 -m script -a /tmp/hostname | ||
| + | 192.168.10.5 | CHANGED => { | ||
| + | "changed": true, | ||
| + | "rc": 0, | ||
| + | "stderr": "Shared connection to 192.168.10.5 closed.\r\n", | ||
| + | "stderr_lines": [ | ||
| + | "Shared connection to 192.168.10.5 closed." | ||
| + | ], | ||
| + | "stdout": "mypi3b\r\n", | ||
| + | "stdout_lines": [ | ||
| + | "mypi3b" | ||
| + | ] | ||
| + | } | ||
| + | ➜ ~ | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | 一般用在被管主机上 执行一系列命令就非常爽 | ||
| + | 一般先用copy 把脚本下发到所有的 slave机器 再执行 | ||
| + | |||
| + | #Dec thirteenth 2022 | ||
| + | |||
| + | ansible的script模块的用途 | ||
| + | |||
| + | script 模块用来在远程主机上执行 ansible 管理主机上的脚本, | ||
| + | |||
| + | 即:脚本一直存在于 ansible 管理主机本地, | ||
| + | |||
| + | 不需要手动拷贝到远程主机后再执行 | ||
| + | |||
| + | ➜ tmp cat a.sh | ||
| + | touch evantouch.txt | ||
| + | |||
| + | chmod +x /home/evan/tmp/a.sh | ||
| + | |||
| + | ansible intra -u root -m script -a '/home/evan/tmp/a.sh' | ||
| + | |||
| + | ansible intra -m script -a '/home/evan/tmp/a.sh' --become --become-method=sudo --become-user=root | ||
| + | |||
| + | 执行效果 | ||
| + | -192-168-10-121-c7 ~] {16:35:22} (0) | ||
| + | # ls /root/evantouch.txt | ||
| + | /root/evantouch.txt | ||
| + | |||
| + | |||
| + | 根据文件判断是否需要执行脚本? | ||
| + | |||
| + | creates参数 :使用此参数指定一个远程主机中的文件,当指定的文件存在时,就不执行对应脚本 | ||
| + | removes参数 :使用此参数指定一个远程主机中的文件,当指定的文件不存在时,就不执行对应脚本 | ||
| + | |||
| + | [root@centos8 ~]# ansible yujian -m script -a 'removes=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh' --become --become-method=sudo --become-user=root | ||
| + | 121.122.123.47 | SKIPPED | ||
| + | |||
| + | 因为删除文件不成功,所以不执行 | ||
| + | |||
| + | [root@centos8 ~]# ansible yujian -m script -a 'creates=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh' --become --become-method=sudo --become-user=root | ||
| + | 121.122.123.47 | CHANGED => { | ||
| + | "changed": true, | ||
| + | ... | ||
| + | |||
| + | 因为文件可以创建,所以成功执行 | ||
| + | |||
| + | |||
| + | |||
| + | |||
万事先man | 万事先man | ||
root@myxps:~# ansible-doc -s script | root@myxps:~# ansible-doc -s script | ||
| − | - name: Runs a local script on a remote node after transferring it | + | - name: Runs a local script (shell and py etc) on a remote node after transferring it |
script: | script: | ||
chdir: # Change into this directory on the remote node before | chdir: # Change into this directory on the remote node before | ||
| 第294行: | 第495行: | ||
| + | py | ||
| + | |||
| + | evan@debian-s-1vcpu-1gb-sfo2-01:~$ ansible ec2 -m script -a ' ./getip.py' | ||
| + | |||
| + | ec2 | CHANGED => { | ||
| + | "changed": true, | ||
| + | "rc": 0, | ||
| + | "stderr": "Shared connection to 54.215.65.27 closed.\r\n", | ||
| + | "stderr_lines": [ | ||
| + | "Shared connection to 54.215.65.27 closed." | ||
| + | ], | ||
| + | "stdout": "54.215.65.27\r\n", | ||
| + | "stdout_lines": [ | ||
| + | "54.215.65.27" | ||
| + | ] | ||
| + | } | ||
| + | |||
| + | |||
| + | cat getip.py | ||
| + | #!/usr/bin/python3 | ||
| + | import requests | ||
| + | print(requests.get('http://ifconfig.me/ip', timeout=1).text.strip()) | ||
</pre> | </pre> | ||
| + | |||
| + | [https://www.cnblogs.com/architectforest/p/12766206.html ansible的script模块的用途] | ||
| + | |||
https://blog.51cto.com/noodle/1769474 | https://blog.51cto.com/noodle/1769474 | ||
| + | |||
| + | [https://qa.icopy.site/questions/35139711/running-python-script-via-ansible 通过 ansible 运行 Python 脚本] | ||
===stat 模块=== | ===stat 模块=== | ||
| 第376行: | 第604行: | ||
[https://www.cnblogs.com/hypj/p/14035206.html ansible firewalld模块详解] | [https://www.cnblogs.com/hypj/p/14035206.html ansible firewalld模块详解] | ||
| + | ===[[ansible包管理模块]]请双击跳转=== | ||
| + | |||
===ansible 用户批量创建与管理=== | ===ansible 用户批量创建与管理=== | ||
<pre> | <pre> | ||
| 第445行: | 第675行: | ||
[https://blog.csdn.net/weixin_30955341/article/details/101262866 ansible-playbook编写服务器初始化脚本] | [https://blog.csdn.net/weixin_30955341/article/details/101262866 ansible-playbook编写服务器初始化脚本] | ||
| + | ==Ansible-Playbook 修改ssh 配置举例 == | ||
| + | |||
| + | <pre> | ||
| + | |||
| + | cat /etc/ansible/ssh-u-conf.yml | ||
| + | --- | ||
| + | - hosts: add | ||
| + | become: yes | ||
| + | become_method: sudo | ||
| + | gather_facts: true | ||
| + | remote_user: ubuntu | ||
| + | #remote_user: root | ||
| + | tasks: | ||
| + | |||
| + | - name: "Change password" | ||
| + | user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always | ||
| + | with_items: | ||
| + | - { name: 'root', chpass: 'root1234' } | ||
| + | - { name: 'evan', chpass: 'evan1234' } | ||
| + | |||
| + | |||
| + | |||
| + | - name: "修改ssh配置文件的安全选项" | ||
| + | lineinfile: | ||
| + | path: /etc/ssh/sshd_config | ||
| + | regexp: '{{ item.regexp }}' | ||
| + | line: '{{ item.line }}' | ||
| + | state: present | ||
| + | with_items: | ||
| + | - regexp: "^PasswordAuthentication" | ||
| + | line: "PasswordAuthentication yes" | ||
| + | - regexp: "^#PermitRootLogin" | ||
| + | line: "PermitRootLogin yes" | ||
| + | #- regexp: "^#Port 22" | ||
| + | # line: "Port 2249" | ||
| + | - regexp: "^GSSAPIAuthentication yes" | ||
| + | line: "GSSAPIAuthentication no" | ||
| + | notify: | ||
| + | - restart sshd | ||
| + | handlers: | ||
| + | - name: restart sshd | ||
| + | service: | ||
| + | name: sshd | ||
| + | state: restarted | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook ssh-u-conf.yml | ||
| + | |||
| + | |||
| + | |||
| + | 跑脚本前 | ||
| + | evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per | ||
| + | #PermitRootLogin prohibit-password | ||
| + | |||
| + | 跑后 | ||
| + | evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per | ||
| + | PermitRootLogin yes | ||
| + | |||
| + | #这样就可以用root登录了 在不用太安全的开发环境可用,不过记得u 20.04 要先passwd root | ||
| + | |||
| + | </pre> | ||
=ansible配合shell脚本批量编译安装python3.7= | =ansible配合shell脚本批量编译安装python3.7= | ||
| 第571行: | 第864行: | ||
</pre> | </pre> | ||
[https://www.jianshu.com/p/d4e6655ff937 Ansible Role 系统环境 之【go】] | [https://www.jianshu.com/p/d4e6655ff937 Ansible Role 系统环境 之【go】] | ||
| + | |||
| + | =ansible sudo 安装配置docker = | ||
| + | |||
| + | == Ansible Galaxy 搜索 dockek 有空要自己写成galaxy== | ||
| + | https://www.cnblogs.com/sparkdev/p/9962904.html | ||
| + | == 直接使用yum== | ||
| + | <pre> | ||
| + | |||
| + | vi install_docker-ce.yml | ||
| + | --- | ||
| + | - hosts: docker | ||
| + | remote_user: root | ||
| + | tasks: | ||
| + | - name: install yum-utils | ||
| + | yum: name=yum-utils state=present | ||
| + | - name: add docker repo | ||
| + | shell: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo | ||
| + | - name: install docer-ce | ||
| + | yum: | ||
| + | name: docker-ce | ||
| + | state: present | ||
| + | - name: install docker-ce-cli | ||
| + | yum: | ||
| + | name: docker-ce-cli | ||
| + | state: present | ||
| + | - name: install containerd.io | ||
| + | yum: | ||
| + | name: containerd.io | ||
| + | state: present | ||
| + | - name: config mirro | ||
| + | copy: src=~/docker-daemon.json dest=/etc/docker/daemon.json | ||
| + | tags: configmirro | ||
| + | - name: start enable docker | ||
| + | service: name=docker state=started enabled=true | ||
| + | - name: restrat | ||
| + | shell: sudo systemctl daemon-reload && sudo systemctl restart docker | ||
| + | tags: restart | ||
| + | |||
| + | #mirror配置 | ||
| + | cat docker-daemon.json | ||
| + | { | ||
| + | "registry-mirrors": [ | ||
| + | "https://registry.docker-cn.com", | ||
| + | "http://hub-mirror.c.163.com", | ||
| + | "https://docker.mirrors.ustc.edu.cn" | ||
| + | ] | ||
| + | } | ||
| + | |||
| + | |||
| + | |||
| + | 4.运行playbook | ||
| + | |||
| + | ansible-playbook -v install_docker-ce.yml | ||
| + | |||
| + | |||
| + | |||
| + | </pre> | ||
| + | |||
| + | ==比较全面的 playbook and roles == | ||
| + | https://github.com/evan886/my-ansible/tree/main/sudo-insdocker/ansible | ||
=ansible sudo 安装配置zbx agent = | =ansible sudo 安装配置zbx agent = | ||
| 第580行: | 第933行: | ||
=ansible sudo 修改ssh配置文件的安全选项 = | =ansible sudo 修改ssh配置文件的安全选项 = | ||
<pre> | <pre> | ||
| + | Attention | ||
| + | 如果有 多个 PasswordAuthentication yes 可能不成功 只改了一个为no | ||
| + | |||
cat modify_sshd.yml | cat modify_sshd.yml | ||
--- | --- | ||
| 第617行: | 第973行: | ||
state: restarted | state: restarted | ||
| + | |||
| + | |||
| + | |||
| + | ansible-playbook modify_sshd.yml | ||
直接 | 直接 | ||
ansible all -b --become-method=su --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16" | ansible all -b --become-method=su --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16" | ||
| + | |||
| + | 2022 | ||
| + | |||
| + | cat /etc/ansible/hosts | ||
| + | [one] | ||
| + | 192.168.10.122 | ||
| + | |||
| + | |||
| + | --- | ||
| + | - hosts: one | ||
| + | gather_facts: true | ||
| + | remote_user: root | ||
| + | tasks: | ||
| + | - name: "修改ssh配置文件的安全选项" | ||
| + | lineinfile: | ||
| + | path: /etc/ssh/sshd_config | ||
| + | regexp: '{{ item.regexp }}' | ||
| + | line: '{{ item.line }}' | ||
| + | state: present | ||
| + | with_items: | ||
| + | - regexp: "^PasswordAuthentication" | ||
| + | line: "PasswordAuthentication no" | ||
| + | - regexp: "^#PermitRootLogin" | ||
| + | line: "PermitRootLogin yes" | ||
| + | #- regexp: "^#Port 22" | ||
| + | # line: "Port 2249" | ||
| + | - regexp: "^GSSAPIAuthentication yes" | ||
| + | line: "GSSAPIAuthentication no" | ||
| + | notify: | ||
| + | - restart sshd | ||
| + | handlers: | ||
| + | - name: restart sshd | ||
| + | service: | ||
| + | name: sshd | ||
| + | state: restarted | ||
| + | |||
| + | |||
| + | 如果有多个 PasswordAuthentication yes | ||
| + | 可能要执行多次 也有可能不成功 注意了 | ||
| + | |||
| + | ansible-playbook -C ssh-conf.yml | ||
| + | ansible-playbook ssh-conf.yml | ||
</pre> | </pre> | ||
| 第627行: | 第1,029行: | ||
[https://www.linuxidc.com/Linux/2017-10/148058.htm Ansible使用playbook自动化编译安装Nginx] | [https://www.linuxidc.com/Linux/2017-10/148058.htm Ansible使用playbook自动化编译安装Nginx] | ||
| + | |||
| + | =ansible 批量修改已存在用户的密码= | ||
| + | <pre> | ||
| + | cat /etc/ansible/change-passwd.yml | ||
| + | --- | ||
| + | - hosts: prod | ||
| + | become: yes | ||
| + | become_method: sudo | ||
| + | |||
| + | gather_facts: false | ||
| + | tasks: | ||
| + | - name: change user passwd | ||
| + | user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always | ||
| + | with_items: | ||
| + | - { name: 'evan', chpass: '$evan1234567' } | ||
| + | |||
| + | |||
| + | #run test | ||
| + | ansible-playbook -C change-passwd.yml | ||
| + | #run | ||
| + | ansible-playbook change-passwd.yml | ||
| + | |||
| + | </pre> | ||
=ansible 创建用户= | =ansible 创建用户= | ||
| 第636行: | 第1,061行: | ||
[https://www.codenong.com/37333305/ 关于sudoers:Ansible:创建具有sudo特权的用户] | [https://www.codenong.com/37333305/ 关于sudoers:Ansible:创建具有sudo特权的用户] | ||
| + | |||
=ansible修改hostname modify_hostname= | =ansible修改hostname modify_hostname= | ||
<pre> | <pre> | ||
| 第682行: | 第1,108行: | ||
[https://bingostack.com/2021/03/ansible-shell-command/ 使用ansible执行shell命令的正确姿势] | [https://bingostack.com/2021/03/ansible-shell-command/ 使用ansible执行shell命令的正确姿势] | ||
| + | =ansible-galaxy= | ||
| + | |||
| + | == ansible-galaxy install docker== | ||
| + | <pre> ansible-galaxy install geerlingguy.docker #记得国内机器可能要改dns 为8.8.4.4 不然连接github time out | ||
| + | |||
| + | #主要配置文件 | ||
| + | root@myxps:~# cat ~/.ansible/roles/geerlingguy.docker/defaults/main.yml | ||
| + | |||
| + | |||
| + | cat pb-docker.yml #安装 docker | ||
| + | - hosts: mydocker | ||
| + | vars: | ||
| + | docker_users: | ||
| + | - root | ||
| + | roles: | ||
| + | - role: geerlingguy.docker | ||
| + | become: yes | ||
| + | |||
| + | |||
| + | ansible-playbook -u root pb_docker.yml | ||
| + | |||
| + | </pre> | ||
| + | [https://codeantenna.com/a/wQw1weZj3O 通过 Ansible 安装 Docker] | ||
| + | |||
=分发文件= | =分发文件= | ||
<pre> | <pre> | ||
| 第738行: | 第1,188行: | ||
[https://al-cui.github.io/2020/04/05/Ansible-playbook%20%E5%85%B3%E4%BA%8Essh%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8/ ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行] | [https://al-cui.github.io/2020/04/05/Ansible-playbook%20%E5%85%B3%E4%BA%8Essh%E7%9A%84%E9%85%8D%E7%BD%AE%E5%92%8C%E4%BD%BF%E7%94%A8/ ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行] | ||
| + | == [DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed == | ||
| + | 把你的 tasks/main.yml include 换成 include_tasks/import_tasks 就可以了 | ||
| + | |||
| + | =Ansible Vault= | ||
| + | |||
| + | ==Running Ansible with Vault-Encrypted Files== | ||
| + | |||
| + | ===Using an Interactive Prompt=== | ||
| + | <pre> | ||
| + | |||
| + | ➜ ansible-vault create secret_key | ||
| + | |||
| + | ➜ ansible vi inventory/hosts | ||
| + | #Aug 11 2023 | ||
| + | [database] | ||
| + | localhost ansible_connection=local | ||
| + | ➜ ansible ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost | ||
| + | BECOME password: | ||
| + | Vault password: | ||
| + | [WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1 | ||
| + | localhost | CHANGED => { | ||
| + | "ansible_facts": { | ||
| + | "discovered_interpreter_python": "/usr/bin/python3" | ||
| + | }, | ||
| + | "changed": true, | ||
| + | "checksum": "15bb6433cbfcba861b6e7c1121fbe097f68ff14f", | ||
| + | "dest": "/tmp/secret_key", | ||
| + | "gid": 0, | ||
| + | "group": "root", | ||
| + | "md5sum": "e894b01b2cc7fc8f341df858e031798a", | ||
| + | "mode": "0600", | ||
| + | "owner": "root", | ||
| + | "size": 17, | ||
| + | "src": "/home/evan/.ansible/tmp/ansible-tmp-1691743336.7170281-39285-290202074/source", | ||
| + | "state": "file", | ||
| + | "uid": 0 | ||
| + | } | ||
| + | |||
| + | ➜ ansible sudo cat /tmp/secret_key | ||
| + | onfidential data | ||
| − | + | </pre> | |
| − | [https://blog. | + | ===Using Ansible Vault with a Password File=== |
| + | <pre> | ||
| + | echo 'my_vault_password' > .vault_pass | ||
| + | |||
| + | |||
| + | |||
| + | ➜ .ansible ls | ||
| + | change-passwd.yml cp secret_key tmp | ||
| + | ➜ .ansible ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost | ||
| + | BECOME password: | ||
| + | [WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1 | ||
| + | localhost | CHANGED => { | ||
| + | "ansible_facts": { | ||
| + | "discovered_interpreter_python": "/usr/bin/python3" | ||
| + | }, | ||
| + | "changed": true, | ||
| + | "checksum": "478a4b2f4eed95489ca86c7d4f060da80f498202", | ||
| + | "dest": "/tmp/secret_key", | ||
| + | "gid": 0, | ||
| + | "group": "root", | ||
| + | "md5sum": "ee950cc0624bbba77126274ceb752e3c", | ||
| + | "mode": "0600", | ||
| + | "owner": "root", | ||
| + | "size": 7, | ||
| + | "src": "/home/evan/.ansible/tmp/ansible-tmp-1691749143.0555234-42774-280022701874123/source", | ||
| + | "state": "file", | ||
| + | "uid": 0 | ||
| + | |||
| + | |||
| + | #我又新建议了一个 | ||
| + | ➜ .ansible sudo cat /tmp/secret_key | ||
| + | dafasf | ||
| + | |||
| + | </pre> | ||
| + | |||
| + | https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data | ||
| + | |||
| + | https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html | ||
| + | |||
| + | =see also= | ||
| + | [[Playbook]] | ||
| + | |||
| + | [[Ansible包管理模块]] | ||
| + | |||
| + | =Galaxy= | ||
| + | |||
| + | [https://blog.csdn.net/qq_43584691/article/details/118365603 Ansible 系列之 Galaxy 工具] | ||
=References= | =References= | ||
| 第760行: | 第1,296行: | ||
[https://www.gbgj.net/info/468349.html langroot下载 分享Ansible批量安装golang环境] | [https://www.gbgj.net/info/468349.html langroot下载 分享Ansible批量安装golang环境] | ||
| − | + | [https://www.cnblogs.com/chenxianpao/p/7360349.html ansible基本使用教程] | |
[https://blog.csdn.net/dghfttgv/article/details/104726454 Ansible(1)—— Ansible详解及inventory文件配置] | [https://blog.csdn.net/dghfttgv/article/details/104726454 Ansible(1)—— Ansible详解及inventory文件配置] | ||
| 第768行: | 第1,304行: | ||
[https://zhuanlan.zhihu.com/p/139846936 一分钟了解Ansible] | [https://zhuanlan.zhihu.com/p/139846936 一分钟了解Ansible] | ||
| − | [[category:devops]] | + | [https://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software Comparison of open-source configuration management software] |
| + | |||
| + | [https://blog.csdn.net/ximenjianxue/article/details/115326825 DevOps之Cfengine工具安装过程图解] | ||
| + | |||
| + | [[category:devops]][[category:ansible]] | ||
2023年9月26日 (二) 06:50的最新版本
目录
- 1 playbook双击跳转
- 2 进阶
- 3 introduction
- 4 ins
- 5 配置文件
- 6 日常技巧
- 7 Ansible-Playbook之初始化服务器
- 8 ansible配合shell脚本批量编译安装python3.7
- 9 ansible配合shell脚本批量安装golang
- 10 ansible sudo 安装配置docker
- 11 ansible sudo 安装配置zbx agent
- 12 ansible sudo 修改ssh配置文件的安全选项
- 13 Ansible使用playbook自动化编译安装Nginx
- 14 ansible 批量修改已存在用户的密码
- 15 ansible 创建用户
- 16 ansible修改hostname modify_hostname
- 17 ansible and shell
- 18 ansible-galaxy
- 19 分发文件
- 20 troubleshooting
- 21 Ansible Vault
- 22 see also
- 23 Galaxy
- 24 References
playbook双击跳转
[æn; ən
进阶
ansible playbook初始化系统基础环境,直接就可以用
ansible的安装和操作,并编写一个docker部署的示例
ansible-playbook使用实例(分发文件,执行脚本)
手把手教你在python中运行ansible-playbook
知识总结(17)ansible总结(ansible的优点、架构、工作原理、常用模块、playbook详解)
变量
vars:
key_file: /etc/nginx/ssl/nginx.key
play book
- name: copy TLS key
copy: src=files/nginx.key dest={{key_file}} owern=root mode=0600
Chapter 2 inventory
p48
introduction
Ansible是一种IT自动化工具。它可以配置系统,部署软件以及协调更高级的IT任务,例如持续部署,滚动更新。Ansible适用于管理企业IT基础设施,从具有少数主机的小规模到数千个实例的企业环境。Ansible也是一种简单的自动化语言,可以完美地描述IT应用程序基础结构。
ins
https://docs.ansible.com/ansible/latest/installation_guide/index.html
#on master 在debian 11上 用pip3 安装的版本很新 不过也是没默认配置文件 自己动手吧 pip3 install --user ansible ssh-copy-id -i id_ecdsa.pub [email protected] ssh-copy-id -i id_ecdsa.pub [email protected] ssh-copy-id -i id_ecdsa.pub [email protected] mkdir /etc/ansible vi /etc/ansible/hosts 192.168.88.50 192.168.88.51 192.168.88.52 [intra] 192.168.10.120 192.168.10.121 ansible all -b -u root -a "hostname" 192.168.88.51 | CHANGED | rc=0 >> k8s-node1 192.168.88.50 | CHANGED | rc=0 >> k8s-master 192.168.88.52 | CHANGED | rc=0 >> k8s-node2 ansible all -m ping
ins on centos use yum
yum install epel-release yum install ansible
配置文件
#放自己home更加爽 /home/evan/ansible so Jul 04 2023 sudo vi /etc/ansible/ansible.cfg [defaults] inventory = /home/evan/ansible/inventory/hosts # 写在自己的home目录 ansible在使用配置文件时按照以下顺序优先配置: export ANSIBLE_CONFIG ./ansible.cfg ~/.ansible.cfg /etc/ansible/ansible.cfg 如果以上顺序没有找到配置文件ansible会自动使用默认配置 关于ansible的配置在/etc/ansible/ansible.cfg文件中,所以关于ansible运行时所使用的ssh配置也可以在此文件中配置。在目前的ansible中,运行ansible时会依次加载 环境变量ANSIBLE_CONFIG,当前目录的ansible.cfg,~/.ansible.cfg,/etc/ansible/ansible.cfg,针对同一个配置项以最先加载到的为准。所以,我们可以单独编写自己的ansible.cfg文件放在当前目录下。 可以去github上把默认配置拿下来: https://raw.githubusercontent.com/ansible/ansible/devel/examples/ansible.cfg # To generate an example config file (a "disabled" one with all default settings, commented out): # $ ansible-config init --disabled > ansible.cfg # Also you can now have a more complete file by including existing plugins: # ansible-config init --disabled -t all > ansible.cfg 把它放到/etc/ansible/目录
ansible指定用户
方案1: nsible -m ping -u 用户名 方案2: 修改/etc/ansible/hosts文件: [test_hosts] host_ip ansible_user=用户名 # 还可以指定登陆密码 host_ip ansible_user=用户名 ansible_ssh_pass=登陆密码
日常技巧
sudo
没密码的sudo
cat /etc/ansible/agent.yml
---
- hosts: all
become: yes
become_method: sudo
remote_user: evan
#remote_user: ops
roles:
- ag_conf
#当然 shell 里面也要写sudo
#直接在commond 这样执行,要交互,但是可以直接回车 如果没密码
ansible tmp -m command -a "ls /root" -u evan --become --ask-become-pass
https://serverfault.com/questions/870951/ansible-adhoc-command-execute-with-sudo
SSH authenticity checking
Is there a way to ignore the SSH authenticity checking made by Ansible? For example when I've just setup a new server I have to answer yes to this question: GATHERING FACTS *************************************************************** The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established. RSA key fingerprint is xx:yy:zz:.... Are you sure you want to continue connecting (yes/no)? 方法1 直接在命令行 加参数 ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook ssh-u-conf.yml 方法2 加到配置文件 /etc/ansible/ansible.cfg or ~/.ansible.cfg [defaults] host_key_checking = False
https://stackoverflow.com/questions/32297456/how-to-ignore-ansible-ssh-authenticity-checking
分组
ansible beta -b -u evan -m shell -a " sudo hostname" 执行ansible-playbook -C /etc/ansible/agent.yml 得在 yml 里面指定 hostip etc
inventory 文件hosts # 非标准的22端口 必须第一列为别外 不然无效哦 January 24 2022 [add] #172.16.0.40 [beta] beta-insurance ansible_host=172.16.0.14 ansible_port=22 [pro] prod-core-mongo ansible_host=172.16.1.40 ansible_port=22 prod-access ansible_host=172.16.1.8 ansible_port=22 prod-insurance-backstage ansible_host=172.16.0.16 ansible_port=22 prod-insurance-crm-mongo ansible_host=172.16.1.37 ansible_port=22 prod-insurance-backstage-count ansible_host=172.16.1.19 ansible_port=22 prod_core ansible_host=172.16.1.9 ansible_port=22 prod_mq ansible_host=172.16.1.12 ansible_port=22 [core] prod_core prod-core-mongo [insure] prod-access prod-insurance-backstage prod-insurance-crm-mongo prod-insurance-backstage-count
run shell
#还是 -m shell 好用, -m script 不太好用感觉 ansible core -b -u evan -m shell -a "sudo ls /home/evan" ansible insure -m shell -a "sudo cat /etc/ssh/sshd_config | grep Permit"
常用参数
-m MODULE_NAME #执行模块的名字,默认使用 command 模块,所以如果是只执行单一命令可以不用 -m参数 -u REMOTE_USER #远程用户,默认为 root 用户
查看列表的命令
-m 要执行的模块,默认为command
-a 模块的参数
-u ssh连接的用户名,默认用root,ansible.cfg中可以配置
-C, --check don't make any changes; instead, try to predict some
of the changes that may occur
变量
# 主机和主机组变量(主机变量优先级大于主机组变量)
vim /etc/ansible/hosts
[webservers]
172.16.1.121:22 ansible_ssh_user=root ansible_ssh_pass='123456' http_port=80
172.16.1.122:22 ansible_ssh_user=root ansible_ssh_pass='123456'
[webservers:vars]
http_port=8080
server_name=www.baidu.com
实验:
ansible webservers -m command -a "echo {{http_port}}" -o
命令说明:
ansible webservers -m command -a "echo {{http_port}}" -o
ansible:ansible命令
webservers:/etc/ansible/hosts中配置的主机组名称,指定 all (分组和未分组的主机)代表所有主机,指定172.16.1.121代表单台主机。
-m:指定使用的模块,默认是command模块(简单的shell命令),可以省略不写。
-a:指定具体使用的shell指令,比如"echo {{http_port}}"表示在远程主机上打印http_port这个变量。
-o:对ansible的输出的结果进行压缩(即,输出的结果显示在一行)
远程执行shell脚本文件
Friday July twenty-ninth 2022
编写脚本
cat /tmp/mypatch
# 卸载旧版本
yum remove -y kubelet kubeadm kubectl
# 安装kubelet、kubeadm、kubectl
# 将 ${1} 替换为 kubernetes 版本号,例如
v=1.21.12
yum install -y kubelet-${v} kubeadm-${v} kubectl-${v}
crictl config runtime-endpoint /run/containerd/containerd.sock
# 重启 docker,并启动 kubelet
systemctl daemon-reload
systemctl enable kubelet && systemctl start kubelet
脚本copy到其他几台服务器
#执行ansible命令,将脚本copy到其他几台服务器上 ansible myk8s -u root -m copy -a "src=/tmp/mypatch dest=/tmp/mypatch"
每台服务器上执行 你的shell脚本
#执行ansible命令,在每台服务器上执行 你的shell脚本 ansible myk8s -u root -m shell -a "bash /tmp/mypatch chdir=/tmp"
ansible 常用模块
主机连通性测试
ansible-doc ping
ansible web -m ping命令来进行主机连通性测试
ansible ansible mytmp -m ping
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
127.0.0.1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
command 模块
ansible web -m command -a 'ss -ntl'
命令模块接受命令名称,后面是空格分隔的列表参数。给定的命令将在所有选定的节点上执行。它不会通过shell进行处理,比如$HOME和操作如"<",">","|",";","&" 工作(需要使用(shell)模块实现这些功能)。注意,该命令不支持| 管道命令。
下面来看一看该模块下常用的几个命令:
chdir # 在执行命令之前,先切换到该目录
executable # 切换shell来执行命令,需要使用命令的绝对路径
free_form # 要执行的Linux指令,一般使用Ansible的-a参数代替。
creates # 一个文件名,当这个文件存在,则该命令不执行,可以
用来做判断
removes # 一个文件名,这个文件不存在,则该命令不执行
shell 模块
shell模块基本和command相同,但是shell支持管道符 shell > ansible Client -m shell -a "/home/test.sh" # 执行远程脚本 cat /root/2 touch 2.txt ansible 200 -b -u evan -m shell -a "sudo bash /home/evan/close" # cat /home/evan/2.txt 用sudo 默认去了 evan
copy 模块
ansible myk8 -m copy -a 'dest=/home/evan src=/tmp/vboxdrv-Module.symvers' #把 master上的 /tmp/vboxdrv-Module.symvers cp到 myk8组的所有机器的 /home/evan下
fetch 模块
和copy 相反 ,可看作文件上传动作, 把 远端机器的 /home/evan/vboxdrv-Module.symvers 收集回主机的 /home/evan/tmp/tpp目录下 ansible myk8 -m fetch -a 'dest=/home/evan/tmp/tpp src=/home/evan/vboxdrv-Module.symvers'
file
还有相关的什么权限 用户组 属性什么的 ansible myk8 -m file -a 'path=/home/evan/vboxdrv-Module.symvers state=absent' #删除/home/evan/vboxdrv-Module.symvers
9)service 模块
该模块用于服务程序的管理。
其主要选项如下:
arguments #命令行提供额外的参数
enabled #设置开机启动。
name= #服务名称
runlevel #开机启动的级别,一般不用指定。
sleep #在重启服务的过程中,是否等待。如在服务关闭以后等待2秒再启动。(定义在剧本中。)
state #有四种状态,分别为:started--->启动服务, stopped--->停止服务, restarted--->重启服务, reloaded--->重载配置
下面是一些例子:
① 开启服务并设置自启动
[root@server ~]# ansible web -m service -a 'name=nginx state=started enabled=true'
12)script 模块 运行sh or py 2023 update
script模块将控制节点的脚本执行在被控节点上。
➜ ~ hostname
myxps
➜ ~ cat /tmp/hostname
hostname
➜ ~
➜ ~ ansible pi3 -m script -a /tmp/hostname
192.168.10.5 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.10.5 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.10.5 closed."
],
"stdout": "mypi3b\r\n",
"stdout_lines": [
"mypi3b"
]
}
➜ ~
一般用在被管主机上 执行一系列命令就非常爽
一般先用copy 把脚本下发到所有的 slave机器 再执行
#Dec thirteenth 2022
ansible的script模块的用途
script 模块用来在远程主机上执行 ansible 管理主机上的脚本,
即:脚本一直存在于 ansible 管理主机本地,
不需要手动拷贝到远程主机后再执行
➜ tmp cat a.sh
touch evantouch.txt
chmod +x /home/evan/tmp/a.sh
ansible intra -u root -m script -a '/home/evan/tmp/a.sh'
ansible intra -m script -a '/home/evan/tmp/a.sh' --become --become-method=sudo --become-user=root
执行效果
-192-168-10-121-c7 ~] {16:35:22} (0)
# ls /root/evantouch.txt
/root/evantouch.txt
根据文件判断是否需要执行脚本?
creates参数 :使用此参数指定一个远程主机中的文件,当指定的文件存在时,就不执行对应脚本
removes参数 :使用此参数指定一个远程主机中的文件,当指定的文件不存在时,就不执行对应脚本
[root@centos8 ~]# ansible yujian -m script -a 'removes=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh' --become --become-method=sudo --become-user=root
121.122.123.47 | SKIPPED
因为删除文件不成功,所以不执行
[root@centos8 ~]# ansible yujian -m script -a 'creates=/root/isgit.txt /home/liuhongdi/ansible/gitpubwww.sh' --become --become-method=sudo --become-user=root
121.122.123.47 | CHANGED => {
"changed": true,
...
因为文件可以创建,所以成功执行
万事先man
root@myxps:~# ansible-doc -s script
- name: Runs a local script (shell and py etc) on a remote node after transferring it
script:
chdir: # Change into this directory on the remote node before
running the script.
cmd: # Path to the local script to run followed by optional
arguments.
creates: # A filename on the remote node, when it already
exists, this step will
*not* be run.
decrypt: # This option controls the autodecryption of source
files using vault.
executable: # Name or path of a executable to invoke the script
with.
free_form: # Path to the local script file followed by optional
arguments.
removes: # A filename on the remote node, when it does not
exist, this step will
*not* be run.
[evan@ ansible]$ ansible add -m script -a './1.sh'
[evan@ ansible]$ cat 1.sh
touch /tmp/byevanjan.log
py
evan@debian-s-1vcpu-1gb-sfo2-01:~$ ansible ec2 -m script -a ' ./getip.py'
ec2 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 54.215.65.27 closed.\r\n",
"stderr_lines": [
"Shared connection to 54.215.65.27 closed."
],
"stdout": "54.215.65.27\r\n",
"stdout_lines": [
"54.215.65.27"
]
}
cat getip.py
#!/usr/bin/python3
import requests
print(requests.get('http://ifconfig.me/ip', timeout=1).text.strip())
https://blog.51cto.com/noodle/1769474
stat 模块
ansible sftp -m stat -a "path=/etc/passwd"
firewalld模块
service : Name of a service to add/remove to/from firewalld.The service must be listed in output of firewall-cmd --get-services.
指定放行的服务,此服务必须要在firewall-cmd --get-services查询的到。
irewalld模块主要设置火墙对服务和端口的允许
参数:ansible-doc -s firewalld查看一下fetch模块的参数`
service参数 必须参数,用于指定要允许服务。
state参数 enabled开机启动
permanent参数 true 永久添加
immediate参数 true 立即生效
# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
/etc/ansible# cat fire.yml
---
- hosts: 192.168.10.122
gather_facts: true
remote_user: root
tasks:
- name: "firewalld"
firewalld:
service: http
state: enabled
permanent: true
immediate: yes
ansible-playbook -C fire.yml
ansible-playbook fire.yml
运行后 结果如下 多了个 http
firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http ssh
#直接执行
ansible node1 -m firewalld -a 'service=https permanent=yes state=enabled'
ansible node1 -m service -a 'name=firewalld state=restarted'
#建议reload 不要动不动restart
ansible intra -m service -a 'name=firewalld state=reloaded'
ansible intra -m firewalld -a 'port=8081/tcp permanent=yes state=enabled'
ansible包管理模块请双击跳转
ansible 用户批量创建与管理
最笨的办法 明显不是我们要的
ansible intra -m command -a 'useradd appl'
ansible-doc user -s
最好的办法 playbook
/etc/ansible# cat adduser.yml
---
- hosts: all
remote_user: root
tasks:
- name: 'Create group lai'
group:
name: lai
state: present
- name: create user deployer
user:
name: "{{ item.user }}"
group: "{{ item.user }}"
password: "{{ item.pass|password_hash('sha512') }}"
state: present
update_password: on_create
loop:
- { user: lai , pass: '2240881'}
#密码要用字符
Ansible-Playbook之初始化服务器
init-user init-tools vim task/main.yml - include: user.yml #用户管理 - include: repo.yml #yum源 - include: init_pkg.yml #安装基础组件 - include: profile.yml #环境变量 - include: selinux.yml #selinux - include: dir.yml #基础目录 - include: limits.yml #系统参数 - include: iptables.yml #防火墙 - include: sysctl.yml #内核参数 - include: rc.local.yml #开机启动 - include: dns.yml #dns - include: ntp.yml #ntp - include: rsyslog.yml #日志同步 - include: sshd.yml #ssh优化 - include: safe.yml #安全配置
03 实战 Ansible-Playbook之初始化服务器--有sshd安全相关
https://gitee.com/wanghui1234/ansible_repo
Ansible-Playbook 修改ssh 配置举例
cat /etc/ansible/ssh-u-conf.yml
---
- hosts: add
become: yes
become_method: sudo
gather_facts: true
remote_user: ubuntu
#remote_user: root
tasks:
- name: "Change password"
user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always
with_items:
- { name: 'root', chpass: 'root1234' }
- { name: 'evan', chpass: 'evan1234' }
- name: "修改ssh配置文件的安全选项"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '{{ item.regexp }}'
line: '{{ item.line }}'
state: present
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication yes"
- regexp: "^#PermitRootLogin"
line: "PermitRootLogin yes"
#- regexp: "^#Port 22"
# line: "Port 2249"
- regexp: "^GSSAPIAuthentication yes"
line: "GSSAPIAuthentication no"
notify:
- restart sshd
handlers:
- name: restart sshd
service:
name: sshd
state: restarted
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook ssh-u-conf.yml
跑脚本前
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
#PermitRootLogin prohibit-password
跑后
evan@ubuntu-2004-1:~$ cat /etc/ssh/sshd_config | grep Per
PermitRootLogin yes
#这样就可以用root登录了 在不用太安全的开发环境可用,不过记得u 20.04 要先passwd root
ansible配合shell脚本批量编译安装python3.7
https://github.com/evan886/my-ansible
具体安排脚本here https://github.com/evan886/my-ansible/tree/main/ansible4py3.7ins
git clone [email protected]:evan886/my-ansible.git cd ansible4py3.7ins/ 执行playbook 测试 root@myxps:/etc/ansible# ansible-playbook -C python.yml 执行 root@myxps:/etc/ansible# ansible-playbook python.yml
ansible配合shell脚本批量编译安装python3.6.6
ansible配合shell脚本批量安装golang
https://golang.org/doc/install
tree
.
├── ansible.cfg
├── go.yml
├── hosts
└── roles
└── go_install
├── files
│ └── go1.17.1.linux-amd64.tar.gz
├── tasks
│ ├── copy.yml
│ ├── install.yml
│ └── main.yml
└── templates
└── go_install.sh
5 directories, 8 files
reload environment variable. 怎么搞 要手工不成 不科学
oot@myxps:/etc/ansible# ansible intra -b -u root -a "source /etc/profile"
192.168.10.120 | FAILED | rc=2 >>
[Errno 2] 没有那个文件或目录
192.168.10.121 | FAILED | rc=2 >>
[Errno 2] 没有那个文件或目录
root@myxps:/etc/ansible# ansible intra -b -u root -a ". /etc/profile"
192.168.10.121 | FAILED | rc=13 >>
[Errno 13] 权限不够
192.168.10.120 | FAILED | rc=13 >>
[Errno 13] 权限不够
run
#!/usr/bin/env ansible-playbook 加权限后就可以 ./youfile root@myxps:/etc/ansible# ansible-playbook -C go.yml [WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text widths that can cause Display to print incorrect line lengths PLAY [all] ***************************************************************************************************** TASK [Gathering Facts] ***************************************************************************************** ok: [192.168.10.121] ok: [192.168.10.120] TASK [go_install : copy go_tgz to client] ********************************************************************** changed: [192.168.10.120] changed: [192.168.10.121] TASK [go_install : copy install_go_script to client] *********************************************************** changed: [192.168.10.120] changed: [192.168.10.121] TASK [go_install : install go] ********************************************************************************* skipping: [192.168.10.120] skipping: [192.168.10.121] PLAY RECAP ***************************************************************************************************** 192.168.10.120 : ok=3 changed=2 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 192.168.10.121 : ok=3 changed=2 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 root@myxps:/etc/ansible# ansible-playbook go.yml [WARNING]: ansible.utils.display.initialize_locale has not been called, this may result in incorrectly calculated text widths that can cause Display to print incorrect line lengths PLAY [all] ****************************************************************************************************************************************************************** TASK [Gathering Facts] ****************************************************************************************************************************************************** ok: [192.168.10.121] ok: [192.168.10.120] TASK [go_install : copy go_tgz to client] *********************************************************************************************************************************** changed: [192.168.10.120] changed: [192.168.10.121] TASK [go_install : copy install_go_script to client] ************************************************************************************************************************ changed: [192.168.10.120] changed: [192.168.10.121] TASK [go_install : install go] ********************************************************************************************************************************************** changed: [192.168.10.120] changed: [192.168.10.121] PLAY RECAP ****************************************************************************************************************************************************************** 192.168.10.120 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 192.168.10.121 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
ansible sudo 安装配置docker
Ansible Galaxy 搜索 dockek 有空要自己写成galaxy
https://www.cnblogs.com/sparkdev/p/9962904.html
直接使用yum
vi install_docker-ce.yml
---
- hosts: docker
remote_user: root
tasks:
- name: install yum-utils
yum: name=yum-utils state=present
- name: add docker repo
shell: yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
- name: install docer-ce
yum:
name: docker-ce
state: present
- name: install docker-ce-cli
yum:
name: docker-ce-cli
state: present
- name: install containerd.io
yum:
name: containerd.io
state: present
- name: config mirro
copy: src=~/docker-daemon.json dest=/etc/docker/daemon.json
tags: configmirro
- name: start enable docker
service: name=docker state=started enabled=true
- name: restrat
shell: sudo systemctl daemon-reload && sudo systemctl restart docker
tags: restart
#mirror配置
cat docker-daemon.json
{
"registry-mirrors": [
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn"
]
}
4.运行playbook
ansible-playbook -v install_docker-ce.yml
比较全面的 playbook and roles
https://github.com/evan886/my-ansible/tree/main/sudo-insdocker/ansible
ansible sudo 安装配置zbx agent
https://github.com/evan886/my-ansible
#具体脚本 https://github.com/evan886/my-ansible/tree/main/ansible4zbxagent-insconf
ansible sudo 修改ssh配置文件的安全选项
Attention
如果有 多个 PasswordAuthentication yes 可能不成功 只改了一个为no
cat modify_sshd.yml
---
- hosts: cor
#- hosts: all
gather_facts: true
#remote_user: root
become: yes
become_method: sudo
remote_user: evan
tasks:
- name: "修改ssh配置文件的安全选项"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '{{ item.regexp }}'
line: '{{ item.line }}'
state: present
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^#PermitRootLogin yes"
line: "PermitRootLogin no"
- regexp: "^PermitRootLogin yes"
line: "PermitRootLogin no"
#- regexp: "^#Port 22"
# line: "Port 2249"
- regexp: "^GSSAPIAuthentication yes"
line: "GSSAPIAuthentication no"
notify:
- restart sshd
handlers:
- name: restart sshd
service:
name: sshd
state: restarted
ansible-playbook modify_sshd.yml
直接
ansible all -b --become-method=su --become-user-root -m shell -a "sed 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config" |grep -E "Root|172.16"
2022
cat /etc/ansible/hosts
[one]
192.168.10.122
---
- hosts: one
gather_facts: true
remote_user: root
tasks:
- name: "修改ssh配置文件的安全选项"
lineinfile:
path: /etc/ssh/sshd_config
regexp: '{{ item.regexp }}'
line: '{{ item.line }}'
state: present
with_items:
- regexp: "^PasswordAuthentication"
line: "PasswordAuthentication no"
- regexp: "^#PermitRootLogin"
line: "PermitRootLogin yes"
#- regexp: "^#Port 22"
# line: "Port 2249"
- regexp: "^GSSAPIAuthentication yes"
line: "GSSAPIAuthentication no"
notify:
- restart sshd
handlers:
- name: restart sshd
service:
name: sshd
state: restarted
如果有多个 PasswordAuthentication yes
可能要执行多次 也有可能不成功 注意了
ansible-playbook -C ssh-conf.yml
ansible-playbook ssh-conf.yml
Ansible使用playbook自动化编译安装Nginx
ansible 批量修改已存在用户的密码
cat /etc/ansible/change-passwd.yml
---
- hosts: prod
become: yes
become_method: sudo
gather_facts: false
tasks:
- name: change user passwd
user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }} update_password=always
with_items:
- { name: 'evan', chpass: '$evan1234567' }
#run test
ansible-playbook -C change-passwd.yml
#run
ansible-playbook change-passwd.yml
ansible 创建用户
useradd jsxge chown -R jsxge.wheel jsxge echo "123456" | passwd --stdin jsxge
关于sudoers:Ansible:创建具有sudo特权的用户
ansible修改hostname modify_hostname
cat hosts
[pro]
172.16.0.8
172.16.0.16
172.16.0.37
172.16.0.19
172.16.0.9
ansible]$ cat modify_hostname.yml
---
- name: set hostname
hosts: pro
#hosts: all
become: yes
become_method: sudo
remote_user: eva
gather_facts: false
vars:
hostnames:
- host: 172.16.0.8
name: prod-access
- host: 172.16.0.16
name: prod-insurance-backstage
- host: 172.16.0.37
name: prod-insurance-crm-mongo
- host: 172.16.0.19
name: prod-insurance-backstage-count
- host: 172.16.0.9
name: prod-insurance-core
tasks:
- name: set hostname
hostname:
name: "{{item.name}}"
when: item.host == inventory_hostname
loop: "{{hostnames}}"
ansible and shell
ansible-galaxy
ansible-galaxy install docker
ansible-galaxy install geerlingguy.docker #记得国内机器可能要改dns 为8.8.4.4 不然连接github time out
#主要配置文件
root@myxps:~# cat ~/.ansible/roles/geerlingguy.docker/defaults/main.yml
cat pb-docker.yml #安装 docker
- hosts: mydocker
vars:
docker_users:
- root
roles:
- role: geerlingguy.docker
become: yes
ansible-playbook -u root pb_docker.yml
分发文件
cat /etc/ansible/hosts [intra] 192.168.10.120 192.168.10.121 ansible intra -m copy -a "src=/home/evan/data/devops/node-v14.17.6-linux-x64.tar.xz dest=/root/" ansible 122 -m copy -a "src=/home/evan/data/devops/jdk/jdk-8u212-linux-x64.rpm dest=/root/"
结合P2P软件使用Ansible分发大文件_神棍之路-程序员宅基地
troubleshooting
TASK [ag_conf : install conig zbx agent] **************************************************************************
fatal: [172.16.0.16]: FAILED! => {"changed": true, "cmd": "/bin/bash /tmp/i.sh", "delta": "0:00:00.065791", "end": "2021-10-15 10:54:54.896410", "msg": "non-zero return code", "rc": 127, "start": "2021-10-15 10:54:54.830619", "stderr": "/bin/bash: /tmp/i.sh: 没有那个文件或目录", "stderr_lines": ["/bin/bash: /tmp/i.sh: 没有那个文件或目录"], "stdout": "", "stdout_lines": []}
PLAY RECAP *********************************************************************************************************
172.16.0.16 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
solution
忘记main.yml 加上 copy.yml喽
普通用户
$ ansible
Traceback (most recent call last):
File "/usr/local/bin/ansible", line 32, in <module>
from ansible import context
ModuleNotFoundError: No module named 'ansible'
evan@myxps:~/data/resume/interview$ pip list | grep ansible
evan@myxps:~/data/resume/interview$ sudo pip list | grep ansible
ansible 4.5.0
ansible-core 2.11.5
ansible中配置ssh--ssh连接断开时,如何很快获取异常并中断playbook的执行
[DEPRECATION WARNING]: "include" is deprecated, use include_tasks/import_tasks instead. This feature will be removed
把你的 tasks/main.yml include 换成 include_tasks/import_tasks 就可以了
Ansible Vault
Running Ansible with Vault-Encrypted Files
Using an Interactive Prompt
➜ ansible-vault create secret_key
➜ ansible vi inventory/hosts
#Aug 11 2023
[database]
localhost ansible_connection=local
➜ ansible ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
BECOME password:
Vault password:
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
localhost | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": true,
"checksum": "15bb6433cbfcba861b6e7c1121fbe097f68ff14f",
"dest": "/tmp/secret_key",
"gid": 0,
"group": "root",
"md5sum": "e894b01b2cc7fc8f341df858e031798a",
"mode": "0600",
"owner": "root",
"size": 17,
"src": "/home/evan/.ansible/tmp/ansible-tmp-1691743336.7170281-39285-290202074/source",
"state": "file",
"uid": 0
}
➜ ansible sudo cat /tmp/secret_key
onfidential data
Using Ansible Vault with a Password File
echo 'my_vault_password' > .vault_pass
➜ .ansible ls
change-passwd.yml cp secret_key tmp
➜ .ansible ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
BECOME password:
[WARNING]: A duplicate localhost-like entry was found (localhost). First found localhost was 127.0.0.1
localhost | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": true,
"checksum": "478a4b2f4eed95489ca86c7d4f060da80f498202",
"dest": "/tmp/secret_key",
"gid": 0,
"group": "root",
"md5sum": "ee950cc0624bbba77126274ceb752e3c",
"mode": "0600",
"owner": "root",
"size": 7,
"src": "/home/evan/.ansible/tmp/ansible-tmp-1691749143.0555234-42774-280022701874123/source",
"state": "file",
"uid": 0
#我又新建议了一个
➜ .ansible sudo cat /tmp/secret_key
dafasf
https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html
see also
Galaxy
References
别让运维太忙,一文详解 Ansible 的自动化运维,提高工作效率
Jenkins + Ansible 实现 Golang 自动化编译部署
https://github.com/apenella/go-ansible#install
Ansible系列(四):playbook应用和roles自动化批量安装示例
langroot下载 分享Ansible批量安装golang环境
Ansible(1)—— Ansible详解及inventory文件配置
