    22 Ansible-related tools: ansible, ansible-vault, ansible-console, ansible-galaxy

    Ansible-related tools

    Command                       Description
    /usr/bin/ansible              Main program; ad-hoc command execution tool
    /usr/bin/ansible-doc          Shows module documentation; the equivalent of man
    /usr/bin/ansible-playbook     Defines automated tasks; playbook orchestration tool, the equivalent of a script
    /usr/bin/ansible-pull         Tool for executing commands remotely
    /usr/bin/ansible-vault        File encryption tool
    /usr/bin/ansible-console      Interactive execution tool with a console interface
    /usr/bin/ansible-galaxy       Official platform for downloading/uploading community code and roles

    The main ways of managing hosts with Ansible are:

    • Ad-Hoc: the ansible command, used mainly for one-off commands
    • Ansible-playbook: used mainly for planned, long-term, larger projects, which need an up-front planning phase

    ansible-doc

    This tool displays module help; it is the equivalent of man.

    Format:

    ansible-doc [options] [module...]
    -l, --list     # list available modules
    -s, --snippet  # show a playbook snippet for the given module
    
    Examples:
    # list all modules
    [root@localhost ~]# ansible-doc -l
    # show the help for a given module
    [root@localhost ~]# ansible-doc ping 
    
    [root@localhost ~]# ansible-doc -l | wc -l
    3387
    

    ansible

    This tool uses the SSH protocol to manage configuration, deploy applications and run tasks on remote hosts.

    Recommendation: before using this tool, set up key-based authentication from the Ansible control node to every managed node.

    • Example: a script that uses sshpass to push the SSH key to many hosts at once
    [root@instance-gvpb80ao ~]# vim /etc/ssh/ssh_config
    StrictHostKeyChecking no
    [root@instance-gvpb80ao ~]# cat hosts.list 
    172.16.0.4
    [root@instance-gvpb80ao ~]# vim push_ssh_key.sh 
    #!/bin/bash
    # Batch ssh key push script: installs sshpass if missing, generates a key
    # pair if none exists, then copies the public key to every IP in hosts.list
    
    rpm -q sshpass &> /dev/null || yum -y install sshpass
    [ -f /root/.ssh/id_rsa ] || ssh-keygen -f /root/.ssh/id_rsa -P ''
    export SSHPASS=1    # remote password, read by sshpass -e
    while read -r IP; do
            sshpass -e ssh-copy-id -o StrictHostKeyChecking=no "$IP"
    done < hosts.list   # hosts.list in the current directory holds one IP per line
    

    Ansible command format

    # syntax
    ansible <hosts> -m [module_name] -a [command]
    Options:
    --version               # show the version
    -m module               # module to use, default command
    -v                      # verbose output; -vv and -vvv are more verbose
    --list-hosts            # show the matched host list, can be shortened to --list
    -C, --check             # check mode: report what would change without doing it
    -T, --timeout=TIMEOUT   # command timeout, default 10s
    -k, --ask-pass          # prompt for the ssh password; key-based auth is the default
    -u, --user=REMOTE_USER  # user to run the remote command as
    -b, --become            # privilege escalation, replaces the old sudo option
    --become-user=USERNAME  # run-as user for become, default root
    -K, --ask-become-pass   # prompt for the become (sudo) password

    ansible host patterns

    Used to select the list of managed hosts.

    • Example:
    [root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
    172.16.0.4
    [root@instance-gvpb80ao ~]# ansible all -m ping
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Wildcards

    [root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
    [私网]
    172.16.0.4
    [公网]
    106.13.81.75
    
    # Method 1: the glob * matches every host
    [root@instance-gvpb80ao ~]# ansible "*" -m ping 
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    
    # Method 2: a group name
    [root@instance-gvpb80ao ~]# ansible "私网" -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    
    # Method 3: a host name glob
    [root@instance-gvpb80ao ~]# ansible '172*' -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    
    # Method 4: a space-separated list of hosts
    [root@instance-gvpb80ao ~]# ansible '172.16.0.4 106.13.81.75' -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Or (union)

    # hosts that are in the 公网 group or in the 私网 group
    [root@instance-gvpb80ao ~]# ansible '公网:私网' -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    172.16.0.4 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Logical and (intersection)

    # hosts that are in the 公网 group and also in the 私网 group
    [root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
    [私网]
    172.16.0.4
    106.13.81.75
    [公网]
    106.13.81.75
    [root@instance-gvpb80ao ~]# ansible '公网:&私网' -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Logical not (exclusion)

    # hosts that are in the 公网 group but not in the 私网 group
    [root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
    [私网]
    172.16.0.4
    [公网]
    106.13.81.75
    [root@instance-gvpb80ao ~]# ansible '公网:!私网' -m ping
    [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Regular expressions

    [root@instance-gvpb80ao ~]# cat /etc/ansible/hosts
    [private]
    172.16.0.4
    [public]
    106.13.81.75
    
    # names beginning with pu
    [root@instance-gvpb80ao ~]# ansible '~pu' -m ping
    106.13.81.75 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    

    Listing the hosts of a specific group

    [root@instance-gvpb80ao ~]# ansible private --list-hosts
      hosts (1):
        172.16.0.4
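
    As an added illustration (not part of the original post or of Ansible's own code), the stdlib-only Python below reimplements the host-pattern rules exercised in the wildcard, or, and, not and regex sections above, so a pattern can be checked against an inventory without contacting any host. The inventory is constructed from the page's private/public groups, and `parse_ini_inventory`, `match_term` and `resolve_pattern` are names chosen here.

```python
import fnmatch
import re
# Constructed inventory in Ansible's INI layout, using this page's private/public groups.
INVENTORY_INI = """
[private]
172.16.0.4
106.13.81.75
[public]
106.13.81.75
"""

def parse_ini_inventory(text):
    """Return {group: [hosts]}; the implicit 'all' group lists every host once."""
    groups, current = {}, "ungrouped"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        else:
            groups.setdefault(current, []).append(line.split()[0])
    groups["all"] = list(dict.fromkeys(h for hs in groups.values() for h in hs))
    return groups

def match_term(term, groups):
    """One term: '~' prefix = regex, else shell glob; matched against group and host names."""
    rx = re.compile(term[1:] if term.startswith("~") else fnmatch.translate(term))
    hits = []
    for name, members in groups.items():
        if rx.match(name):
            hits += [h for h in members if h not in hits]
    hits += [h for h in groups["all"] if rx.match(h) and h not in hits]
    return hits

def resolve_pattern(pattern, groups):
    """Union the plain terms first, then apply '&' (intersect) and '!' (exclude), as Ansible does."""
    terms = [t for t in re.split(r"[\s:,]+", pattern) if t]
    terms.sort(key=lambda t: 2 if t[0] == "!" else 1 if t[0] == "&" else 0)
    hosts = []
    for term in terms:
        op, name = (term[0], term[1:]) if term[0] in "&!" else ("", term)
        hits = match_term(name, groups)
        if op == "&":
            hosts = [h for h in hosts if h in hits]
        elif op == "!":
            hosts = [h for h in hosts if h not in hits]
        else:
            hosts += [h for h in hits if h not in hosts]
    return hosts  # the list `ansible <pattern> --list-hosts` would print
```

    Because the matches are computed locally, this is also a cheap way to review what a pattern will touch before running a real ad-hoc command against it.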
    

    How an ansible command executes

    1. Load its own configuration file, /etc/ansible/ansible.cfg by default
    2. Load the corresponding module file, e.g. ping. Ansible turns the module or command into a temporary .py file and copies it to the remote host, under the executing user's $HOME/.ansible/tmp/ansible-tmp-<number>/XXX.PY
    3. Make the file executable (+x)
    4. Run it and return the result
    5. Delete the temporary .py file and exit

    ansible execution status

    [root@instance-gvpb80ao tmp]# grep -A 14 '\[colors\]' /etc/ansible/ansible.cfg
    [colors]
    #highlight = white
    #verbose = blue
    #warn = bright purple
    #error = red
    #debug = dark gray
    #deprecate = purple
    #skip = cyan
    #unreachable = red
    #ok = green
    #changed = yellow
    #diff_add = green
    #diff_remove = red
    #diff_lines = cyan
    
    • Green: succeeded and no change was needed
    • Yellow: succeeded and changed the target host
    • Red: failed

    ansible usage examples

    # run the ping liveness check as user www
    [root@m01 ansible]# ansible web -m ping -u www -k
    SSH password: # enter the password of www here
    web02 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    web01 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    web03 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    
    
    # sudo from www to root and run ls
    # preparation
    [root@web01 ~]# vim /etc/sudoers
    ## Allow root to run any commands anywhere 
    root    ALL=(ALL)       ALL
    www   ALL=(ALL)       ALL
    
    [root@m01 ansible]# ansible web01 -u www -a 'ls /root' -b --become-user=root -K -k
    SSH password: # privilege-escalation password (root)
    BECOME password[defaults to SSH password]: # ssh password of user www 
    web01 | CHANGED | rc=0 >>
    1.txt
    anaconda-ks.cfg
    scripts
    

    Ansible-playbook

    This tool runs a prepared playbook.

    [root@m01 ~]# cat hello.yaml 
    - hosts: web01
      remote_user: root
      gather_facts: no
      tasks:
        - name: hello world
          shell: echo "hello world" > /root/hello.txt
          
    [root@m01 ~]# ansible-playbook hello.yaml 
    
    PLAY [web01] ***********************************************************************
    
    TASK [hello world] *****************************************************************
    changed: [web01]
    
    PLAY RECAP *************************************************************************
    web01                      : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
    
    [root@web01 ~]# ll
    total 8
    -rw-r--r--  1 root root    0 May 27 11:54 1.txt
    -rw-------. 1 root root 1730 Apr 15 09:47 anaconda-ks.cfg
    -rw-r--r--  1 root root   12 May 28 19:31 hello.txt
    drwxr-xr-x  2 root root   32 Apr 23 12:02 scripts
    [root@web01 ~]# cat hello.txt 
    hello world
    

    ansible-vault

    This tool encrypts and decrypts yml files.

    Format

        create              # create a new encrypted playbook
        decrypt             # decrypt a playbook
        edit                # enter the password and edit an encrypted playbook
        view                # view an encrypted playbook
        encrypt             # encrypt a YAML file
        encrypt_string      # encrypt a string
        rekey               # change the vault password
    

    Examples

    # create
    [root@m01 ~]# ansible-vault create 1.yaml
    New Vault password: 
    Confirm New Vault password: 
    [root@m01 ~]# cat 1.yaml 
    $ANSIBLE_VAULT;1.1;AES256
    31666134623337303165366133396236333665333238653437383766386530633561303230386432
    6631316637396363663331363830646566303365646261370a306637396233373030356332356161
    64326563623336333637363063653563656338386361386630616262346461633365626331356430
    6464333634383362610a303463353238616138616438636532313863373537346330666133343136
    66663630663062333133633034353162396338346233363133616636396237663261376138633861
    33353638613834386661363839623034303133363566376131643430386637363963383633336565
    62656537623061353961343865626231323138366338663966333164343363633731333366626636
    37313063393433313232646362373361393230623161303934336431373861366331626138666232
    66343461353932396165666136353666396466616137396662653936656437383062643334303365
    35663162326636326338366235336333393934393239336363613131626335323431393466636364
    613863353065353632376661343162633836
    
    # decrypt
    [root@m01 ~]# ansible-vault decrypt 1.yaml 
    Vault password: 
    Decryption successful
    [root@m01 ~]# cat 1.yaml 
    - hosts: web01
      remote_user: root
      gather_facts: no
      tasks:
        - name: hello world
          shell: echo "hello world" > /root/hello.txt
    
    
    
    # encrypt
    [root@m01 ~]# ansible-vault encrypt 1.yaml 
    New Vault password: 
    Confirm New Vault password: 
    Encryption successful
    
    # view
    [root@m01 ~]# ansible-vault view 1.yaml 
    Vault password: 
    - hosts: web01
      remote_user: root
      gather_facts: no
      tasks:
        - name: hello world
          shell: echo "hello world" > /root/hello.txt
     
    # rekey
    [root@m01 ~]# ansible-vault rekey 1.yaml 
    Vault password: 
    New Vault password: 
    Confirm New Vault password: 
    Rekey successful
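
    To make the on-disk format shown by `cat 1.yaml` above concrete, this added example (not ansible-vault's own code) parses the $ANSIBLE_VAULT;1.1;AES256 envelope and performs the password check that ansible-vault runs before decrypting: the password is stretched with PBKDF2 into an AES key, an HMAC key and an IV, and the stored HMAC must match before any plaintext is produced. It uses only the standard library, so the ciphertext it wraps is a constructed stand-in rather than real AES-256-CTR output, and the `seal`, `open_envelope` and `check_password` names are assumptions.

```python
import binascii
import hashlib
import hmac

HEADER = "$ANSIBLE_VAULT;1.1;AES256"

def derive_keys(password, salt):
    """Vault 1.1 KDF: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes -> AES key, HMAC key, IV."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return d[:32], d[32:64], d[64:]

def seal(ciphertext, password, salt):
    """Wrap ciphertext in a 1.1 envelope: header line, then hexlify(hex(salt), hmac_hex,
    hex(ciphertext) joined by newlines) folded to 80 columns. The ciphertext is supplied
    by the caller (real AES-CTR output in Ansible; constructed bytes in this demo)."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex, binascii.hexlify(ciphertext)])
    hexed = binascii.hexlify(inner).decode()
    return "\n".join([HEADER] + [hexed[i:i + 80] for i in range(0, len(hexed), 80)]) + "\n"

def open_envelope(text):
    """Parse a vault file into (salt, stored_hmac_hex, ciphertext); rejects non-AES256 headers."""
    header, _, body = text.strip().partition("\n")
    fields = header.split(";")  # a 1.2 header carries a fourth field, the vault id
    if len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT" or fields[2] != "AES256":
        raise ValueError("not an AES256 ansible-vault file: " + header)
    inner = binascii.unhexlify("".join(body.split()))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
    return binascii.unhexlify(salt_hex), mac_hex, binascii.unhexlify(ct_hex)

def check_password(text, password):
    """True iff the HMAC key derived from this password authenticates the ciphertext.
    A wrong password therefore fails here, before any decryption is attempted."""
    salt, mac_hex, ciphertext = open_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(calc, mac_hex)
```

    The same parsing shows why an encrypted file reveals nothing but its format: the salt and HMAC are public, and everything else depends on the vault password.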
    

    ansible-console

    This tool runs commands interactively, supports tab completion, and was added in Ansible 2.0+.

    Prompt format

    user@current_host_group (number of hosts in the group)[f:forks]$
    

    Common subcommands

    • Set the number of forks: forks n, e.g. forks 3  # run against three hosts at a time
    • Switch group: cd <group>, e.g. cd web
    • List the hosts of the current group: list
    • List all built-in commands: ? or help

    Example:

    [root@m01 ~]# ansible-console
    Welcome to the ansible console.
    Type help or ? to list commands.
    
    root@all (10)[f:5]$ cd web
    root@web (3)[f:5]$ ping
    web03 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    web02 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    web01 | SUCCESS => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        }, 
        "changed": false, 
        "ping": "pong"
    }
    root@web (3)[f:5]$ list
    web01
    web02
    web03
    root@web (3)[f:5]$ forks 3
    

    ansible-galaxy

    This tool connects to https://galaxy.ansible.com to download roles

    # list installed roles
    [root@instance-gvpb80ao ~]# ansible-galaxy list
    # /root/.ansible/roles
    - geerlingguy.nginx, 3.0.0
    # /usr/share/ansible/roles
    # /etc/ansible/roles
    
    # download the nginx role
    [root@instance-gvpb80ao ~]# ansible-galaxy install geerlingguy.nginx
    - downloading role 'nginx', owned by geerlingguy
    - downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/3.0.0.tar.gz
    - extracting geerlingguy.nginx to /root/.ansible/roles/geerlingguy.nginx
    - geerlingguy.nginx (3.0.0) was installed successfully
    
    # remove
    [root@instance-gvpb80ao ~]# ansible-galaxy remove geerlingguy.nginx
    - successfully removed geerlingguy.nginx
    
    Original article: https://www.cnblogs.com/zhaokunhao/p/14823691.html