Ansible by default manages machines over the SSH protocol.
Once Ansible is installed, it will not add a database, and there will be no daemons to start or keep running. You only need to install it on one machine (which could easily be a laptop) and it can manage an entire fleet of remote machines from that central point. When Ansible manages remote machines, it does not leave software installed or running on them, so there’s no real question about how to upgrade Ansible when moving to a new version.
It relies on SSH, so there is no daemon, database or agent to install and no Ansible upgrade to plan on the managed side; this makes it a good fit for a jump host.
Currently the managed hosts cannot be Windows; Unix-like operating systems with Python 2.6-2.7 installed are supported (Python 3 is not supported at the moment).
Ansible has now been acquired by the open-source leader Red Hat.
| | Puppet | Saltstack | Ansible |
|---|---|---|---|
| Implementation language | Ruby | Python | Python |
| Requires a client (agent) | Yes | Yes | No |
| Supports custom development | No | Yes | Yes |
| Mutual authentication between server and remote machines | Yes | Yes | Yes |
| Encrypted server/remote communication | Yes, standard SSL | Yes, AES encryption | Yes, via OpenSSH |
| Platform support | AIX, BSD, HP-UX, Linux, Mac OS X, Solaris, Windows | BSD, Linux, Mac OS X, Solaris, Windows | AIX, BSD, HP-UX, Linux, Mac OS X, Solaris |
| Web UI | Yes (Foreman, Puppet Dashboard) | Yes | Commercial edition (Ansible Tower) |
| Configuration file format | Ruby syntax | YAML | YAML |
| Ad-hoc command-line execution | Not supported, but achievable through configuration modules | Yes | Yes |
Environment:
CentOS 7.1 x64
Installation:
Method 1: install with yum
cat >/etc/yum.repos.d/ansible.repo <<HERE
[epel]
name=epel
baseurl=http://mirrors.sohu.com/fedora-epel/7/x86_64/
gpgcheck=0
enabled=1
HERE
yum -y install ansible
Note: the official recommendation is that if you manage hosts with Tower, install Ansible with the package manager or pip.
You can also build an rpm or deb package yourself, for example:
For apt-get (deb):
git clone git://github.com/ansible/ansible.git --recursive
cd ./ansible
git branch -a
git checkout remotes/origin/stable-2.3
make deb
or
yum -y install git python-setuptools python-jinja2 asciidoc rpm-build
git clone git://github.com/ansible/ansible.git --recursive
cd ./ansible
git branch -a
git checkout remotes/origin/stable-2.3
make rpm
Method 2: install with pip
yum -y install python-setuptools
easy_install pip
pip install ansible
On Ubuntu it can be installed from the PPA:
sudo apt-get install software-properties-common
sudo apt-add-repository ppa:ansible/ansible
sudo apt-get update
sudo apt-get install ansible
Configuration:
Ansible will try to default to using OpenSSH as a connection method. This is suitable when using SSH keys to authenticate, but when using SSH passwords, Ansible relies on sshpass.
1. Configure the list of remote hosts or host groups
http://docs.ansible.com/ansible/intro_inventory.html
http://docs.ansible.com/ansible/intro_patterns.html
cat >> /etc/ansible/hosts <<HERE
[foo]
192.168.8.100
192.168.8.150
HERE
The default Ansible hosts file ships with many sample entries that need no further explanation; here I added a host group called foo containing two hosts.
Another example:
[apache]
192.168.8.101
[nginx]
node2 ansible_host=192.168.8.102 ansible_port=22
[nginx:vars]
nginx_basedir=/opt/nginx
[test:children]
apache
nginx
[self]
self ansible_host=127.0.0.1 ansible_connection=local
[docker]
192.168.8.10[1:2]
2. Generate an SSH key pair
ssh-keygen
You can set a passphrase on the key:
root@jlive:~#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c3:33:36:f9:3c:a4:04:1c:20:3c:7e:4a:92:31:bf:66 root@jlive.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .. ...
|o o. . .
| * .
|o + .
| o +
|
| o
|
|
+-----------------+
3. Import the SSH key (normally the public key) into the remote host's authorized keys file
chmod 600 ~/.ssh/id_rsa*
ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.8.100
ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.8.150
Note: by default ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the remote host automatically.
4. Test Ansible
root@jlive:~#ssh-agent bash
root@jlive:~#ssh-add ~/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Note: ssh-agent holds the decrypted key for you, so you do not have to type the passphrase once per host for the whole Ansible run.
root@jlive:~#ansible foo -m ping
192.168.8.100 | success >> {
}
192.168.8.150 | success >> {
}
root@jlive:~#ansible foo -a "echo hello"
192.168.8.150 | success | rc=0 >>
hello
192.168.8.100 | success | rc=0 >>
hello
root@jlive:~#ansible foo -a "uptime"
192.168.8.150 | success | rc=0 >>
192.168.8.100 | success | rc=0 >>
sudo example
# With latest version of ansible `sudo` is deprecated so use become
# as bruce, sudoing to root
$ ansible all -m ping -u bruce -b
# as bruce, sudoing to batman
$ ansible all -m ping -u bruce -b --become-user batman
5. Disable Host Key Checking
Once a system is reinstalled its SSH host key changes, so the 'known_hosts' check fails with an error.
To deal with this you can either:
1. Edit known_hosts
2. Disable host key checking
cat >>~/.ansible.cfg <<HERE
[defaults]
host_key_checking = False
HERE
Or add the same setting to the global Ansible configuration file /etc/ansible/ansible.cfg.
You can also set it through an environment variable:
export ANSIBLE_HOST_KEY_CHECKING=False
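Option 1 of step 5, removing only the stale entry for the reinstalled host rather than switching host key checking off for every host, is what `ssh-keygen -R <host>` does. The same logic in Python, as an added example that is not from the original post: it covers plain, comma-separated and hashed (`|1|salt|hmac`) host fields; the sample known_hosts content and the salt are constructed.

```python
"""Remove the stale known_hosts entry for one reinstalled host, keeping the
protection the host key check gives every other host.  Added example, not
part of the original post."""
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host`, plain or hashed.
    Wildcard patterns (*, ?) are not expanded here."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(field, hash_hostname(host, base64.b64decode(salt_b64)))
    return host in field.split(",")


def remove_stale_host_key(known_hosts: str, host: str) -> str:
    """Return the known_hosts text with every line for `host` removed."""
    kept = []
    for line in known_hosts.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        parts = stripped.split(None, 2)
        # Lines may start with a marker such as @cert-authority or @revoked.
        field = parts[1] if parts[0].startswith("@") else parts[0]
        if not host_field_matches(field, host):
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


# Constructed sample: the two [foo] hosts from the inventory above plus a
# hashed duplicate of the first one; the key blobs are placeholders.
SALT = bytes(range(20))  # constructed 20-byte salt, the size OpenSSH uses
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.8.100 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE",
    "192.168.8.150,node2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO",
    hash_hostname("192.168.8.100", SALT) + " ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYTHREE",
]) + "\n"

if __name__ == "__main__":
    print(remove_stale_host_key(SAMPLE_KNOWN_HOSTS, "192.168.8.100"))
```

After the stale line is gone, the next connection records the new key, and the rest of the fleet keeps its host key protection.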