service或者systemd 启动服务模块
script 远程执行脚本
file 创建目录、创建文件、创建链接、设置权限和属主(往文件里写内容不是 file 模块的事,要用 copy 的 content 或 lineinfile,见下文 copy 示例)
user 用户管理
group 组管理
cron 定时任务
mount 挂载
selinux(强制访问控制)和firewalld(防火墙)管理
script 远程执行脚本
file 创建目录、创建文件、创建链接、设置权限和属主(写文件内容用 copy/lineinfile)
user 用户管理
group 组管理
cron 定时任务
mount 挂载
selinux(强制访问控制)和firewalld(防火墙)管理
service或者systemd 启动服务模块
- name --- 服务的名称
- state --- 指定服务状态是停止或是运行
- started --- 启动
- stopped --- 停止
- restarted --- 重启
- reloaded --- 重载
- enabled --- 是否让服务开机自启动(yes/no),与 state 互相独立,通常一起指定
## web清单下主机安装httpd(state=installed 是 present 的旧别名,建议写 state=present)
[root@Ansible ~]# ansible web -m yum -a "name=httpd state=installed"
## web清单下主机写个主页
[root@Ansible ~]# ansible web -m copy -a "content='The is Ansible' dest='/var/www/html/index.html'"
## web清单下主机启动httpd,并开机启动
[root@Ansible ~]# ansible web -m service -a "name=httpd state=started enabled=yes"
web1 | CHANGED => {
"changed": true,
"enabled": true,
"name": "httpd",
"state": "started",
"status": {
…………(这里显示就省略了)……………………
## 访问一下网站(index.html 内容末尾没有换行,所以提示符紧跟在输出后面,不影响使用)
[root@Ansible ~]# curl 192.168.1.2/index.html
The is Ansible[root@Ansible ~]#
## web清单下主机关闭httpd,并开机不启动
[root@Ansible ~]# ansible web -m systemd -a "name=httpd state=stopped enabled=no"
web1 | CHANGED => {
"changed": true,
"enabled": false,
"name": "httpd",
"state": "stopped",
"status": {
………………(同上省略了)………………
script 远程执行脚本(把控制端的本地脚本复制到每台匹配到的目标主机上执行,以连接用户的身份运行——这里是 root;注意主机模式写错会在所有主机上执行)
[root@Ansible ~]# vim script.sh
#!/bin/bash
# Demo script pushed to the managed hosts by the script module; prints one fixed line.
printf '%s\n' "The is script"
[root@Ansible ~]# ansible hosts -m script -a "script.sh"
localhost | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "",
"stderr_lines": [],
"stdout": "The is script
",
"stdout_lines": [
"The is script"
]
}
web1 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to web1 closed.
",
"stderr_lines": [
"Shared connection to web1 closed."
],
"stdout": "The is script
",
"stdout_lines": [
"The is script"
]
}
nfs1 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to nfs1 closed.
",
"stderr_lines": [
"Shared connection to nfs1 closed."
],
"stdout": "The is script
",
"stdout_lines": [
"The is script"
]
}
file 创建目录、创建文件、创建链接、设置权限和属主(写文件内容请用 copy/lineinfile 模块)
- path --- 指定远程主机目录或文件信息
- recurse --- 递归生效(配合 state=directory,把 owner/group/mode 递归应用到目录下所有内容)
- state --- 指定状态
- directory --- 在远端创建目录
- touch --- 在远端创建文件
- link --- link或hard表示创建链接文件
- absent --- 表示删除文件或目录
- mode --- 设置文件或目录权限
- owner --- 设置文件或目录属主信息
- group --- 设置文件或目录属组信息
## nfs清单下主机创建目录
[root@Ansible ~]# ansible nfs -m file -a "path=/tmp/sgy state=directory"
nfs1 | CHANGED => {
"changed": true,
"gid": 0,
"group": "root",
"mode": "0755",
"owner": "root",
"path": "/tmp/sgy",
"size": 6,
"state": "directory",
"uid": 0
}
## nfs清单下主机创建文件(注意:/tmp/sgy 在上一步已经是目录,state=touch 不会把它变成文件,只是更新时间戳并把 mode=555 应用到这个目录——看返回里 state 仍为 directory;真要创建文件请换一个不存在的 path)
[root@Ansible ~]# ansible nfs -m file -a "path=/tmp/sgy state=touch mode=555 owner=root group=root"
nfs1 | CHANGED => {
"changed": true,
"dest": "/tmp/sgy",
"gid": 0,
"group": "root",
"mode": "0555",
"owner": "root",
"size": 6,
"state": "directory",
"uid": 0
}
## nfs清单下主机创建链接文件
[root@Ansible ~]# ansible nfs -m file -a "src=/tmp/sgy path=/tmp/sgy_link state=link"
nfs1 | CHANGED => {
"changed": true,
"dest": "/tmp/sgy_link",
"gid": 0,
"group": "root",
"mode": "0777",
"owner": "root",
"size": 8,
"src": "/tmp/sgy",
"state": "link",
"uid": 0
}
## nfs清单下主机删除文件
[root@Ansible ~]# ansible nfs -m file -a "path=/tmp/sgy state=absent"
nfs1 | CHANGED => {
"changed": true,
"path": "/tmp/sgy",
"state": "absent"
}
user 用户管理
- name ---用户名
- uid --- 指定用户的uid
- comment ---用户描述信息
- append --- 为 yes 时把用户追加到 groups 指定的附加组,不会移出已有的组;为 no(默认)时 groups 列表会替换用户现有的附加组
- group --- 指定用户组名称
- groups --- 指定附加组名称
- password --- 设置用户密码,值必须是 crypt 格式的哈希(如下文 password_hash 生成的 $6$...);写明文会被原样写进 /etc/shadow,导致无法登录
- shell --- 指定用户登录shell
- create_home --- 是否创建家目录
- expire ---过期时间
- generate_ssh_key ---是否创建密钥对
- ssh_key_bits ---密钥对字节数
- ssh_key_file ---密钥对文件位置
- state
- absent --- 删除用户
- remove ---是否移除家目录
## 创建用户sgy,指定uid为8888,主组为gid 8888(该组一般需要已存在),不创建家目录,shell为/sbin/nologin(注意:返回里 system: false,这并不是系统账户;要创建系统账户需加 system=yes)
[root@Ansible ~]# ansible nfs -m user -a "name=sgy uid=8888 group=8888 shell=/sbin/nologin create_home=false"
nfs1 | CHANGED => {
"changed": true,
"comment": "",
"create_home": false,
"group": 8888,
"home": "/home/sgy",
"name": "sgy",
"shell": "/sbin/nologin",
"state": "present",
"system": false,
"uid": 8888
}
## 删除用户,remove=yes 表示连家目录一起删除(这里用户本来就没有家目录,所以 userdel 在 stderr 里提示找不到主目录,但任务仍然成功)
[root@Ansible ~]# ansible nfs -m user -a "name=sgy state=absent remove=yes"
nfs1 | CHANGED => {
"changed": true,
"force": false,
"name": "sgy",
"remove": true,
"state": "absent",
"stderr": "userdel:未找到 sgy 的主目录“/home/sgy”
",
"stderr_lines": [
"userdel:未找到 sgy 的主目录“/home/sgy”"
]
}
## 用固定 salt 生成密码哈希(下面创建用户用)。注意:这里的"密文"其实是单向 crypt 哈希;固定且过短的 salt('salt')会让同一口令在所有主机上得到完全相同的哈希,也便于预计算破解,只适合演示,生产中请用下面的随机 salt 方式
[root@Ansible ~]# ansible localhost -m debug -a "msg={{ '123.com' | password_hash('sha512', 'salt') }}"
localhost | SUCCESS => {
"msg": "$6$salt$kr3ZAi2XWTAu9GZk24RNhaFTZ3uY5TY6kyi9O71DeAEattqxShwIEmAcIiDos.SIpACLAZYoVTdqegFSR.ubL/"
}
## 生成随机 salt 的密码哈希(推荐;每次结果不同,但都能验证同一口令)
[root@Ansible ~]# ansible localhost -m debug -a "msg={{ '123.com' | password_hash('sha512') }}"
localhost | SUCCESS => {
"msg": "$6$52/KtnaDqazWdlmz$JSvvZocdLRmh75SjxwZ50s2DVYiz5.JwXAsjki8VDDuj0kH47n0IUxeoXn/fKaPQszomXbeAAyWKO5TWLLrKF/"
}
## 创建普通用户,用上面生成的哈希设置密码,并生成密钥对。哈希必须放在单引号里:在双引号里 bash 会把 $6、$52 等当成位置参数展开成空串,把哈希改坏(这就是那个坑)。另外两点:(1) group=root 会把用户主组设为 gid 0(见返回 group: 0),该用户新建的文件默认属组为 root,除非确有需要否则不要这样做;(2) 写在命令行里的哈希会进入 shell 历史,正式环境应放在 playbook 里并用 ansible-vault 保护。generate_ssh_key 生成的是该用户在目标主机上自己的密钥对(私钥在 /home/sgy/.ssh/id_rsa),下面打印的是它的公钥;要从控制端免密登录 sgy,应把控制端的公钥写入目标主机 sgy 的 authorized_keys(authorized_key 模块),而不是把这个公钥复制到自己机器上
[root@Ansible ~]# ansible nfs -m user -a 'name=sgy uid=6666 group=root password=$6$52/KtnaDqazWdlmz$JSvvZocdLRmh75SjxwZ50s2DVYiz5.JwXAsjki8VDDuj0kH47n0IUxeoXn/fKaPQszomXbeAAyWKO5TWLLrKF/ generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa'
nfs1 | CHANGED => {
"changed": true,
"comment": "",
"create_home": true,
"group": 0,
"home": "/home/sgy",
"name": "sgy",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"ssh_fingerprint": "2048 SHA256:BEviA8kjstdFRYEu0a7EH2Mr+Tt3S99Zpfo3eZAX3OQ ansible-generated on Client1 (RSA)",
"ssh_key_file": "/home/sgy/.ssh/id_rsa",
"ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWiJ1kJ6ko7A7C4T1xL8qGn6d930VHr/wHfT2jEqkWltJI4E8niZa25B+un9cdgPzBn/RoLib2XwLkGpzRTTlm2ebQ1ST0PdCDff31SmNDHMwAIKXGtpDz1VXWX1ROsvPa6yitOjEDt/P55hVb2VN2Ph2idAv8aggBBHzMtg//0vKEFa6VGgYoJ0ww8H2Kur/19y+zxQGEhqAEx6+HG5bw0oXdrgfJm1DeULVKjVSgWybxUTczzRqhz0OmeEHdJmfWw530/3Yh52ym2I1FyC7O+RCkIGxnosBsCDzszz3L80OAPAFy5YCggLhZf+y9GY+Bpm0vy2PQp3L9b4g9Vtc3 ansible-generated on Client2",
"state": "present",
"system": false,
"uid": 6666
}
group 组管理
- name --- 指定创建的组名
- gid --- 指定组的gid
- state
- absent --- 移除远端主机的组
- present --- 创建远端主机的组(默认)
## 创建组sgy,指定gid为888
[root@Ansible ~]# ansible nfs -m group -a "name=sgy gid=888"
nfs1 | CHANGED => {
"changed": true,
"gid": 888,
"name": "sgy",
"state": "present",
"system": false
}
cron 定时任务
时间不指定默认为*
- name ---任务的描述
- user ---以哪个用户身份运行
- backup --- 修改前先备份目标用户原有的 crontab(覆盖已有任务时用得到)
- minute ---指定分钟
- hour ---指定小时
- day ---指定日期
- month ---指定月份
- weekday ---指定星期
- special_time ---指定特殊时间(注意是下划线,见下面示例;不常用)
- reboot ---每次重启后执行
- yearly或者annually ---每年执行
- monthly ---每月执行
- weekly ---每周执行
- daily ---每天执行
- hourly ---每时执行
- state=absent ---删除任务(按 name 匹配)
## 添加一条任务(没有指定 name,Ansible 会写入 "#Ansible: None" 标记;后续更新、禁用、删除都靠 name 定位,建议每条任务都给一个唯一的 name)
[root@Ansible ~]# ansible nfs -m cron -a "minute=0 hour=1 day=* month=* weekday=* job=pwd"
nfs1 | CHANGED => {
"changed": true,
"envs": [],
"jobs": [
"None"
]
}
## 添加一条重启执行的任务,添加描述和指定用户
[root@Ansible ~]# ansible nfs -m cron -a "name='user info' user=root special_time=reboot job=id"
nfs1 | CHANGED => {
"changed": true,
"envs": [],
"jobs": [
"None",
"user info"
]
}
## 查看任务
[root@Ansible ~]# ansible nfs -m command -a "crontab -l"
nfs1 | CHANGED | rc=0 >>
#Ansible: None
0 1 * * * pwd
#Ansible: user info
@reboot id
## 注释(禁用)任务user info(disabled=yes 需要同时给出 name 和 job)
[root@Ansible ~]# ansible nfs -m cron -a "name='user info' job=id disabled=yes"
nfs1 | CHANGED => {
"changed": true,
"envs": [],
"jobs": [
"None",
"user info"
]
}
## 删除任务user info
[root@Ansible ~]# ansible nfs -m cron -a "name='user info' state=absent"
nfs1 | CHANGED => {
"changed": true,
"envs": [],
"jobs": [
"None"
]
}
mount 挂载
- src ---要挂载的设备或远程共享(如 192.168.1.3:/data)
- path ---挂载点
- fstype ---挂载文件类型
- opts ---传递给mount命令的参数
- state
- present ---开机挂载,仅将挂载配置写入/etc/fstab
- mounted ---挂载设备,并将配置写入/etc/fstab
- unmounted ---卸载设备,不会清除/etc/fstab写入的配置
- absent ---卸载设备,会清理/etc/fstab写入的配置
下面演示:在 nfs 节点上搭一个 NFS 服务,并挂载到 web 节点上
## 安装nfs
[root@Ansible ~]# ansible nfs -m yum -a "name=nfs-utils state=installed"
## 创建目录
[root@Ansible ~]# ansible nfs -m file -a "path=/data state=directory"
## 配置nfs(注意:copy 的 content 会整体覆盖 /etc/exports;这里把 /data 以读写方式导出给了整个 192.168.1.0/24 网段,实际应只允许 web 节点的地址;没有写 no_root_squash,客户端的 root 仍会被映射为匿名用户,这是应保留的默认)
[root@Ansible ~]# ansible nfs -m copy -a "content='/data 192.168.1.0/24(rw,sync,no_all_squash)' dest=/etc/exports"
## 启动nfs
[root@Ansible ~]# ansible nfs -m systemd -a "name=nfs state=started enabled=yes"
## 在web上挂载nfs(注意挂载点是 /var/www,挂载后会遮住该目录原有内容,包括前面写的 /var/www/html/index.html;更稳妥的做法是挂到一个专用的空目录)
[root@Ansible ~]# ansible web -m mount -a "src=192.168.1.3:/data path=/var/www fstype=nfs opts=defaults state=mounted"
web1 | CHANGED => {
"changed": true,
"dump": "0",
"fstab": "/etc/fstab",
"fstype": "nfs",
"name": "/var/www",
"opts": "defaults",
"passno": "0",
"src": "192.168.1.3:/data"
}
## 卸载挂载,并清理 /etc/fstab 中的配置(state=absent;这里返回 changed: false,说明执行时该挂载已经不存在、配置也已清理)
[root@Ansible ~]# ansible web -m mount -a "src=192.168.1.3:/data path=/var/www fstype=nfs opts=defaults state=absent"
web1 | SUCCESS => {
"changed": false,
"dump": "0",
"fstab": "/etc/fstab",
"fstype": "nfs",
"name": "/var/www",
"opts": "defaults",
"passno": "0",
"src": "192.168.1.3:/data"
}
selinux和firewalld 防火墙管理
selinux模块(注意:state=disabled 会彻底关闭 SELinux,降低主机安全基线;排查问题时应优先用 state=permissive,策略修好后恢复 enforcing。从 enforcing/permissive 切到 disabled 或切回都需要重启才完全生效;下面返回 changed: false、reboot_required: false 是因为目标机本来就已是 disabled)
[root@Ansible ~]# ansible nfs -m selinux -a "state=disabled"
nfs1 | SUCCESS => {
"changed": false,
"configfile": "/etc/selinux/config",
"msg": "",
"policy": "targeted",
"reboot_required": false,
"state": "disabled"
}
firewalld模块
- service ---指定服务名称
- port ---指定端口
- masquerade ---开启地址伪装
- immediate ---是否立即对运行中的防火墙生效(不需要重载)
- permanent ---是否写入持久配置(重载/重启后仍生效);两者通常一起设为 yes
- state ---开启或是关闭
- enabled 开启
- disabled 关闭
- zone ---指定配置某个区域
- rich_rule ---配置富规则
- source ---指定来源IP
## 放行httpd服务对应的端口(firewalld 的 http 服务定义即 80/tcp)
[root@Ansible ~]# ansible web -m firewalld -a "service=http immediate=yes permanent=yes state=enabled"
web1 | CHANGED => {
"changed": true,
"msg": "Permanent and Non-Permanent(immediate) operation, Changed service http to enabled"
}
## 开启端口tcp8080到8090
[root@Ansible ~]# ansible web -m firewalld -a "port=8080-8090/tcp immediate=yes permanent=yes state=enabled"
web1 | CHANGED => {
"changed": true,
"msg": "Permanent and Non-Permanent(immediate) operation, Changed port 8080-8090/tcp to enabled"
}