根据文章 【 自动化运维工具Ansible详细部署 】 搭建
==============================================================
1、Ansible基础安装
(1)、python2.7安装
wget https://www.python.org/ftp/python/2.7.8/Python-2.7.8.tgz # tar xvzf Python-2.7.8.tgz # cd Python-2.7.8 # ./configure --prefix=/usr/local # make --jobs=`grep processor/proc/cpuinfo | wc -l` # make install
## 将python头文件拷贝到标准目录,以避免编译ansible时,找不到所需的头文件
# cd /usr/local/include/python2.7 # cp -a ./* /usr/local/include/
## 备份旧版本的python,并符号链接新版本的python
# cd /usr/bin # mv python python2.6 # ln -s /usr/local/bin/python
## 修改yum脚本,使其指向旧版本的python,已避免其无法运行
# vim /usr/bin/yum #!/usr/bin/python --> #!/usr/bin/python2.7 # vim /usr/libexec/urlgrabber-ext-down #!/usr/bin/python --> #!/usr/bin/python2.7
(2)、setuptools模块安装
wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz # tar xvzf setuptools-7.0.tar.gz # cd setuptools-7.0 # python setup.py install
(3)、pycrypto模块安装
wget https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz # tar xvzf pycrypto-2.6.1.tar.gz # cd pycrypto-2.6.1 # python setup.py install
(4)、PyYAML模块安装
wget http://pyyaml.org/download/libyaml/yaml-0.1.5.tar.gz # tar xvzf yaml-0.1.5.tar.gz # cd yaml-0.1.5 # ./configure --prefix=/usr/local # make --jobs=`grep processor/proc/cpuinfo | wc -l` # make install
wget https://pypi.python.org/packages/source/P/PyYAML/PyYAML-3.11.tar.gz # tar xvzf PyYAML-3.11.tar.gz # cd PyYAML-3.11 # python setup.py install
(5)、Jinja2模块安装
wget https://pypi.python.org/packages/source/M/MarkupSafe/MarkupSafe-0.9.3.tar.gz # tar xvzf MarkupSafe-0.9.3.tar.gz # cd MarkupSafe-0.9.3 # python setup.py install wget https://pypi.python.org/packages/source/J/Jinja2/Jinja2-2.7.3.tar.gz # tar xvzf Jinja2-2.7.3.tar.gz # cd Jinja2-2.7.3 # python setup.py install
(6)、paramiko模块安装
wget https://pypi.python.org/packages/source/e/ecdsa/ecdsa-0.11.tar.gz # tar xvzf ecdsa-0.11.tar.gz # cd ecdsa-0.11 # python setup.py install wget https://pypi.python.org/packages/source/p/paramiko/paramiko-1.15.1.tar.gz # tar xvzf paramiko-1.15.1.tar.gz # cd paramiko-1.15.1 # python setup.py install
(7)、simplejson模块安装
wget https://pypi.python.org/packages/source/s/simplejson/simplejson-3.6.5.tar.gz # tar xvzf simplejson-3.6.5.tar.gz # cd simplejson-3.6.5 # python setup.py install
(8)、ansible安装 【2.1.2】
wget https://releases.ansible.com/ansible/ansible-2.1.2.0.tar.gz # tar xvzf ansible-2.1.2.0.tar.gz # cd ansible-2.1.2.0 # python setup.py install
【Ansible的使用配置】
(1)ssh免密钥登录的配置,此操作在中控服务器执行,生成的公钥发布到受控机:说明----id_rsa_storm1可随意命名,
ssh-keygen -t rsa -P '' /root/.ssh/id_rsa_storm1
在受控机器将公钥导入授权文件,并赋权限600,以供远程调用操作时验证。
cat /root/.ssh/id_rsa_storm1.pub >> /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys
(2)ansible配置--中控服务器
mkdir -p /etc/ansible
a) vim /etc/ansible/ansible.cfg [defaults] remote_port = 36000 private_key_file = /root/.ssh/id_rsa_storm1
hostfile=/etc/ansible/hosts
b) vim /etc/ansible/hosts
[test_ansible]
192.168.52.101
192.168.52.200
192.168.52.4
[local]
127.0.0.1
{【注:】标准的官方配置文件,ansible.cfg 可通过此URL获取 。
# config file for ansible -- http://ansible.com/ # ============================================== # nearly all parameters can be overridden in ansible-playbook # or with command line flags. ansible will read ANSIBLE_CONFIG, # ansible.cfg in the current working directory, .ansible.cfg in # the home directory or /etc/ansible/ansible.cfg, whichever it # finds first [defaults] # some basic default values... #inventory = /etc/ansible/hosts #library = /usr/share/my_modules/ #remote_tmp = $HOME/.ansible/tmp #local_tmp = $HOME/.ansible/tmp #forks = 5 #poll_interval = 15 #sudo_user = root #ask_sudo_pass = True #ask_pass = True #transport = smart #remote_port = 22 #module_lang = C #module_set_locale = False # plays will gather facts by default, which contain information about # the remote system. # # smart - gather by default, but don't regather if already gathered # implicit - gather by default, turn off with gather_facts: False # explicit - do not gather by default, must say gather_facts: True #gathering = implicit # This only affects the gathering done by a play's gather_facts directive, # by default gathering retrieves all facts subsets # all - gather all subsets # network - gather min and network facts # hardware - gather hardware facts (longest facts to retrieve) # virtual - gather min and virtual facts # facter - import facts from facter # ohai - import facts from ohai # You can combine them using comma (ex: network,virtual) # You can negate them using ! (ex: !hardware,!facter,!ohai) # A minimal set of facts is always gathered. #gather_subset = all # some hardware related facts are collected # with a maximum timeout of 10 seconds. This # option lets you increase or decrease that # timeout to something more suitable for the # environment. # gather_timeout = 10 # additional paths to search for roles in, colon separated #roles_path = /etc/ansible/roles # uncomment this to disable SSH key host checking #host_key_checking = False # change the default callback #stdout_callback = skippy # enable additional callbacks #callback_whitelist = timer, mail # Determine whether includes in tasks and handlers are "static" by # default. As of 2.0, includes are dynamic by default. Setting these # values to True will make includes behave more like they did in the # 1.x versions. #task_includes_static = True #handler_includes_static = True # Controls if a missing handler for a notification event is an error or a warning #error_on_missing_handler = True # change this for alternative sudo implementations #sudo_exe = sudo # What flags to pass to sudo # WARNING: leaving out the defaults might create unexpected behaviours #sudo_flags = -H -S -n # SSH timeout #timeout = 10 # default user to use for playbooks if user is not specified # (/usr/bin/ansible will use current user as default) #remote_user = root # logging is off by default unless this path is defined # if so defined, consider logrotate #log_path = /var/log/ansible.log # default module name for /usr/bin/ansible #module_name = command # use this shell for commands executed under sudo # you may need to change this to bin/bash in rare instances # if sudo is constrained #executable = /bin/sh # if inventory variables overlap, does the higher precedence one win # or are hash values merged together? The default is 'replace' but # this can also be set to 'merge'. #hash_behaviour = replace # by default, variables from roles will be visible in the global variable # scope. To prevent this, the following option can be enabled, and only # tasks and handlers within the role will see the variables there #private_role_vars = yes # list any Jinja2 extensions to enable here: #jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n # if set, always use this private key file for authentication, same as # if passing --private-key to ansible or ansible-playbook #private_key_file = /path/to/file # If set, configures the path to the Vault password file as an alternative to # specifying --vault-password-file on the command line. #vault_password_file = /path/to/vault_password_file # format of string {{ ansible_managed }} available within Jinja2 # templates indicates to users editing templates files will be replaced. # replacing {file}, {host} and {uid} and strftime codes with proper values. #ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} # {file}, {host}, {uid}, and the timestamp can all interfere with idempotence # in some situations so the default is a static string: #ansible_managed = Ansible managed # by default, ansible-playbook will display "Skipping [host]" if it determines a task # should not be run on a host. Set this to "False" if you don't want to see these "Skipping" # messages. NOTE: the task header will still be shown regardless of whether or not the # task is skipped. #display_skipped_hosts = True # by default, if a task in a playbook does not include a name: field then # ansible-playbook will construct a header that includes the task's action but # not the task's args. This is a security feature because ansible cannot know # if the *module* considers an argument to be no_log at the time that the # header is printed. If your environment doesn't have a problem securing # stdout from ansible-playbook (or you have manually specified no_log in your # playbook on all of the tasks where you have secret information) then you can # safely set this to True to get more informative messages. #display_args_to_stdout = False # by default (as of 1.3), Ansible will raise errors when attempting to dereference # Jinja2 variables that are not set in templates or action lines. Uncomment this line # to revert the behavior to pre-1.3. #error_on_undefined_vars = False # by default (as of 1.6), Ansible may display warnings based on the configuration of the # system running ansible itself. This may include warnings about 3rd party packages or # other conditions that should be resolved if possible. # to disable these warnings, set the following value to False: #system_warnings = True # by default (as of 1.4), Ansible may display deprecation warnings for language # features that should no longer be used and will be removed in future versions. # to disable these warnings, set the following value to False: #deprecation_warnings = True # (as of 1.8), Ansible can optionally warn when usage of the shell and # command module appear to be simplified by using a default Ansible module # instead. These warnings can be silenced by adjusting the following # setting or adding warn=yes or warn=no to the end of the command line # parameter string. This will for example suggest using the git module # instead of shelling out to the git command. # command_warnings = False # set plugin path directories here, separate with colons #action_plugins = /usr/share/ansible/plugins/action #cache_plugins = /usr/share/ansible/plugins/cache #callback_plugins = /usr/share/ansible/plugins/callback #connection_plugins = /usr/share/ansible/plugins/connection #lookup_plugins = /usr/share/ansible/plugins/lookup #inventory_plugins = /usr/share/ansible/plugins/inventory #vars_plugins = /usr/share/ansible/plugins/vars #filter_plugins = /usr/share/ansible/plugins/filter #test_plugins = /usr/share/ansible/plugins/test #strategy_plugins = /usr/share/ansible/plugins/strategy # by default callbacks are not loaded for /bin/ansible, enable this if you # want, for example, a notification or logging callback to also apply to # /bin/ansible runs #bin_ansible_callbacks = False # don't like cows? that's unfortunate. # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 #nocows = 1 # set which cowsay stencil you'd like to use by default. When set to 'random', # a random stencil will be selected for each task. The selection will be filtered # against the `cow_whitelist` option below. #cow_selection = default #cow_selection = random # when using the 'random' option for cowsay, stencils will be restricted to this list. # it should be formatted as a comma-separated list with no spaces between names. # NOTE: line continuations here are for formatting purposes only, as the INI parser # in python does not support them. #cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes, # hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus, # stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www # don't like colors either? # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 #nocolor = 1 # if set to a persistent type (not 'memory', for example 'redis') fact values # from previous runs in Ansible will be stored. This may be useful when # wanting to use, for example, IP information from one group of servers # without having to talk to them in the same playbook run to get their # current IP information. #fact_caching = memory # retry files # When a playbook fails by default a .retry file will be created in ~/ # You can disable this feature by setting retry_files_enabled to False # and you can change the location of the files by setting retry_files_save_path #retry_files_enabled = False #retry_files_save_path = ~/.ansible-retry # squash actions # Ansible can optimise actions that call modules with list parameters # when looping. Instead of calling the module once per with_ item, the # module is called once with all items at once. Currently this only works # under limited circumstances, and only with parameters named 'name'. #squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper # prevents logging of task data, off by default #no_log = False # prevents logging of tasks, but only on the targets, data is still logged on the master/controller #no_target_syslog = False # controls whether Ansible will raise an error or warning if a task has no # choice but to create world readable temporary files to execute a module on # the remote machine. This option is False by default for security. Users may # turn this on to have behaviour more like Ansible prior to 2.1.x. See # https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user # for more secure ways to fix this than enabling this option. #allow_world_readable_tmpfiles = False # controls the compression level of variables sent to # worker processes. At the default of 0, no compression # is used. This value must be an integer from 0 to 9. #var_compression_level = 9 # controls what compression method is used for new-style ansible modules when # they are sent to the remote system. The compression types depend on having # support compiled into both the controller's python and the client's python. # The names should match with the python Zipfile compression types: # * ZIP_STORED (no compression. available everywhere) # * ZIP_DEFLATED (uses zlib, the default) # These values may be set per host via the ansible_module_compression inventory # variable #module_compression = 'ZIP_DEFLATED' # This controls the cutoff point (in bytes) on --diff for files # set to 0 for unlimited (RAM may suffer!). #max_diff_size = 1048576 # This controls how ansible handles multiple --tags and --skip-tags arguments # on the CLI. If this is True then multiple arguments are merged together. If # it is False, then the last specified argument is used and the others are ignored. #merge_multiple_cli_flags = False [privilege_escalation] #become=True #become_method=sudo #become_user=root #become_ask_pass=False [paramiko_connection] # uncomment this line to cause the paramiko connection plugin to not record new host # keys encountered. Increases performance on new host additions. Setting works independently of the # host key checking setting above. #record_host_keys=False # by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this # line to disable this behaviour. #pty=False [ssh_connection] # ssh arguments to use # Leaving off ControlPersist will result in poor performance, so use # paramiko on older platforms rather than removing it, -C controls compression use #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s # The base directory for the ControlPath sockets. # This is the "%(directory)s" in the control_path option # # Example: # control_path_dir = /tmp/.ansible/cp #control_path_dir = $HOME/.ansible/cp # The path to use for the ControlPath sockets. This defaults to # "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with # very long hostnames or very long path names (caused by long user names or # deeply nested home directories) this can exceed the character limit on # file socket names (108 characters for most platforms). In that case, you # may wish to shorten the string below. # # Example: # control_path = %(directory)s/%%h-%%r #control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r # Enabling pipelining reduces the number of SSH operations required to # execute a module on the remote server. This can result in a significant # performance improvement when enabled, however when using "sudo:" you must # first disable 'requiretty' in /etc/sudoers # # By default, this option is disabled to preserve compatibility with # sudoers configurations that have requiretty (the default on many distros). # #pipelining = False # Control the mechanism for transfering files # * smart = try sftp and then try scp [default] # * True = use scp only # * False = use sftp only #scp_if_ssh = smart # if False, sftp will not use batch mode to transfer files. This may cause some # types of file transfer failures impossible to catch however, and should # only be disabled if your sftp version has problems with batch mode #sftp_batch_mode = False [accelerate] #accelerate_port = 5099 #accelerate_timeout = 30 #accelerate_connect_timeout = 5.0 # The daemon timeout is measured in minutes. This time is measured # from the last activity to the accelerate daemon. #accelerate_daemon_timeout = 30 # If set to yes, accelerate_multi_key will allow multiple # private keys to be uploaded to it, though each user must # have access to the system via SSH to add a new key. The default # is "no". #accelerate_multi_key = yes [selinux] # file systems that require special treatment when dealing with security context # the default behaviour that copies the existing context or uses the user default # needs to be changed to use the file system dependent context. #special_context_filesystems=nfs,vboxsf,fuse,ramfs # Set this to yes to allow libvirt_lxc connections to work without SELinux. #libvirt_lxc_noseclabel = yes [colors] #highlight = white #verbose = blue #warn = bright purple #error = red #debug = dark gray #deprecate = purple #skip = cyan #unreachable = red #ok = green #changed = yellow #diff_add = green #diff_remove = red #diff_lines = cyan
}
【Ansible的测试验证】
1)测试 磁盘监控的脚本 {注:远程脚本执行$符号转义}
[root@localhost ]# ansible local -m shell -a "df -hP|awk 'NR>1 && int($5) > 30'" 127.0.0.1 | SUCCESS | rc=0 >> /dev/sda1 497M 167M 330M 34% /boot [root@localhost ]# ansible test_ansible -m shell -a "df -hP|awk 'NR>1 && int($5) > 30'" 192.168.52.101 | SUCCESS | rc=0 >> /dev/sda1 497M 167M 330M 34% /boot 192.168.52.4 | SUCCESS | rc=0 >> /dev/vda1 25G 11G 15G 42% /
===========================================================
配置过程遇到的问题
【Q1】:运行测试命令 ansible all -a 'who' -vvv
返回错误结果:Failed to connect to the host via ssh.
【A1】 debug显示是ssh登录失败,按如下步骤解决
1)copy 公钥文件 /root/.ssh/id_rsa_storm1.pub 到受控机器并追加导入免验证文件;
2)检查openssh的版本,确保中控机器和受控机器使用同套ssh协议,2.0;
3)将开放端口换回22,特定端口在本机和受控机器开放后,telnet测试呗refused,改回22端口后正常;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
常用监控命令
【监控磁盘空间】 #storm_cluster--》/etc/ansible/hosts 定义的主机分组; #int($5) 其中,$需要在执行时进行转义,否则报错,监控使用率超过30%的磁盘
ansible storm_cluster -m shell -a "df -hP|awk 'NR>1 && int($5) > 30'"
【监控进程运行状态】 ansible 192.168.52.101 -m shell -a 'ps auxf|grep snmp'
【检查服务运行状态】 ansible 192.168.52.101 -m service -a 'service httpd status'
---------------------------------------------------------------------
【Ansible脚本使用相关资料】
ansible小结(九)playbook进阶 : http://www.361way.com/playbook-advanced/4443.html
ansible小结(十 二)磁盘使用率筛选 :http://www.361way.com/ansible-diskinfo/4995.html