Ansible 学习
visudo sudo权限
useradd -aG wheel sun 保留原来的组,追加sudo
yum源 /etc/yum.repos.d/base.repo
echo export EDITOR=vim >> /etc/profile.d/env.sh
systemctl is-enabled vsftpd
ss -tln|grep 80 查看端口
hostnamectl set-hostname node1
getent group
1,安装
yum install -y ansible
2,查看
yum -ql ansible | less
3,举例
ansible server -m ping -k :走的是ssh协议
-m 模块 -k 密码
服务器列表放在 /etc/ansible/hosts ,
用all代替全部服务器
用[]分组
加速SSH的方法
服务器上 /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
服务器和记住的主机 /root/.ssh/known_hosts
/etc/ansible/ansible.cfg中
host_key_checking = False,不用服务器的hostkey
log_path=/var/log/ansible.log 打开日志
建议建议居于key验证
ssh-keygen
ssh-copy-id 192.168.153.101
4,ansible帮助
ansible-doc -l / -a / -s command
5, ansible 命令
ansible server -m 模块 -a 参数 -v 查看详细过程 --list 查看主机列表
-u 用户 -K sudo
ansible 192.168.153.101 -m command -a 'ls -l /root/' -u sun -k -b -K
主机列表,与&,或:,非!alist:blist:&clist:!dlist ,用单引号
正则表达 用双引号 “~(web|db)" 用~开头
6,常见模块 ansible-doc 模块
command 可以不用写,不支持|,;,&,$等
shell 可以执行 ansible serlist -m shell -a 'echo medu|passwd --stdin test1'
script 运行脚本 ansible 192.168.153.101 -m script -a '/root/ansible/host.sh'
copy ansible serlist -m copy -a 'src=/root/ansible/selinux dest=/etc/selinux/config backup=yes'
fetch 和copy相反
file 模块
hostname
cron
ansible 192.168.153.101 -m cron -a 'minute=* weekday=1,3,5 job="/usr/bin/wall FBI warning" name=warningcron'
ansible 192.168.153.101 -m cron -a 'disabled=true job="/usr/bin/wall FBI warning" name=warningcron'
yum ansible 192.168.153.101 -m yum -a 'name=vsftpd'
service
user ansible webser -m user -a 'name=nginx shell='sbin/nologin system=yes home=/var/nginx groups=root comment="nginx server"'
group
7,galaxy
galaxy.ansible.com查看下载rules (一堆文件的集合)
ansible-galaxy list *****
ansible-galaxy install/remove *****
8.ansible-vault
ansible-vault decrypt *.yml
ansible-vault encrypt *.yml
ansible-vault view *.yml
ansible-vault edit *.yml
ansible-vault reky *.yml
9.ansible-console交互式工具
10,playbook
'''
-
hosts: serlist
remote_user: roottasks:
- name: test1
command: hostname
'''
列表 -
K/V k:v {k1: v1,k2: v2}
- name: test1
ansible-playbook -C file.yml 检查语法
--check检查
--list-hosts 列出服务器
--list-tasks 列出任务
--list-tages 列出标签
--limit 主机 只争对特定主机
'''
-
hosts: 192.168.153.101
remote_user: roottasks:
- name: create new file
file: name=/data/newfile state=touch - name: create new user
user: name=test1 system=yes shell=/sbin/nologin - name: install package
yum: name=httpd - name: copy html
copy: src=/var/www/html/index.html dest=/var/www/html/index.html - name: start service
service: name=httpd state=started enabled=yes
'''
如果命令出错还想继续
shell: /usr/bin/command || /bin/true
ignore_errors: True
- name: create new file
handlers当资源触发时执行
nofify通知
’''
-
hosts: 192.168.153.101
remote_user: roottasks:
- name: install httpd package
yum: name=httpd - name: copy conf file
copy: src=files/httpd.conf dest=/etc/httpd/conf/ backup=yes
notify: restart service - name: start service
service: name=httpd state=started enabled=yes
tages: rshttpd
handlers:
- name: restart service
service: name=httpd state=restarted
'''
ansible-playbook -t rshttpd http.yml 指定标签执行
ansible 192.168.153.101 -m setup | less 查看服务器信息
ansible 192.168.153.101 -m setup -a 'filter=ansible_×'
- name: install httpd package
使用变量
ansible-playbook -e 'pkname=vsftpd' app.yml
'''
-
hosts: 192.168.153.101
remote_user: roottasks:
- name: install package
yum: name={{ pkname }} - name: start service
service: name={{ pkname }} state=started enabled=yes
'''
程序里使用变量
- name: install package
-
hosts: 192.168.153.101
remote_user: root
vars:- pkname1: httpd
- pkname2: vsftpd
可以在/etc/ansible/hosts中定义
server1 var=l1
[webserver:vars]
var1=z1
var2=z2
直接文件里写入变量 eg vars.yml
-
hosts: 192.168.153.101
remote_user: root
vars_files:- vars.yml
使用模板
放到templates目录 file.j2 - name: create some file
template: src=file2.j2 dest=/data/x.conf
when语句 - name: install package
yum: name={{ pkname }}
when: ansible_os_family == "RedHat"
循环建文件 - name: create some file
file: name=/data/{{ item }} state=touch
with_items:
-file1:
-file2:
-file3:
嵌套变量 - name: create some users
user: name={{ item.name }} group={{ item.group }} state=present
with_items:
-{name:'user1',group:'g01'}
-{name:'user2',group:'g02'}
-{name:'user3',group:'g03'}
循环判断
{% for a in all %} dosomthing {% endfor %}
{% if %} {% endif %}
{{ a.listion | default('80 default_server') }}
- vars.yml
在有的时候play的结果依赖于变量、fact或者是前一个任务的执行结果,从而需要使用到条件语句。
一、when
有的时候在特定的主机需要跳过特定的步骤,例如在安装包的时候,需要指定主机的操作系统类型,或者是当操作系统的硬盘满了之后,需要清空文件等,可以使用when语句来做判断 。when关键字后面跟着的是python的表达式,在表达式中你能够使用任何的变量或者fact,当表达式的结果返回的是false,便会跳过本次的任务
1、基本用法,示例:
-
name: Install VIM
hosts: all tasks:- name:Install VIM via yum
yum: name=vim-enhanced state=installed
when: ansible_os_family =="RedHat" - name:Install VIM via apt
apt: name=vim state=installed
when: ansible_os_family =="Debian" - name: Unexpected OS family
debug: msg="OS Family {{ ansible_os_family }} is not supported" fail=yes
when: not ansible_os_family =="RedHat" or ansible_os_family =="Debian"
条件语句还有一种用法,它还可以让你当达到一定的条件的时候暂停下来,等待你的输入确认。一般情况下,当ansible遭遇到error时,它会直接结束运行。那其实你可以当遭遇到不是预期的情况的时候给使用pause模块,这样可以让用户自己决定是否继续运行任务:
- name:Install VIM via yum
-
name: pause for unexpected conditions
pause: prompt="Unexpected OS"
when: ansible_os_family !="RedHat"
2、在when中使用jinja2的语法,示例:
tasks:- command: /bin/false
register: result #将命令执行的结果传递给result变量
ignore_errors: True #忽略错误 - command: /bin/something
when: result|failed #如果注册变量的值 是任务failed则返回true - command: /bin/something_else
when: result|success #如果注册变量的值是任务success则返回true - command: /bin/still/something_else
when: result|skipped #如果注册变量的值是任务skipped则返回true - command: /bin/foo
when: result|changed #如果注册变量的值是任务changed则返回true
- command: /bin/false
-
hosts: all
user: root
vars:
epic: true
tasks: - shell: echo "This certainly is epic!" when: epic- shell: echo "This certainly is not epic!"
when: not epic
4、如果变量不存在,则可以通过jinja2的'defined'命令跳过,示例:
tasks: - shell: echo "I've got '{{ foo }}' and am not afraid to use it!"
when: foo is defined - fail: msg="Bailing out. this play requires 'bar'"
when: bar is not defined
5、when在循环语句中的使用方法,示例:
tasks: - command: echo {{ item }}
with_items: [ 0, 2, 4, 6, 8, 10 ]
when: item > 56、在include和roles中使用when:
在include中使用的示例:- include: tasks/sometasks.yml
when: "'reticulating splines' in output"
在roles中使用的示例:- hosts: webservers
roles: - { role: debian_stock_config, when: ansible_os_family == 'Debian' }
二、条件导入
有些时候,你也许想在一个Playbook中以不同的方式做事,比如说在debian和centos上安装apache,apache的包名不同,除了when语句,还可以使用下面的示例来解决:
- shell: echo "This certainly is not epic!"
- hosts: all
remote_user: root
vars_files:- "vars/common.yml"
- [ "vars/{{ ansible_os_family }}.yml", "vars/os_defaults.yml" ]
tasks: - name: make sure apache is running
service: name={{ apache }} state=running很多不同的yml文件只是包含键和值,如下:
for vars/CentOS.yml
apache: httpd
somethingelse: 42
如果操作系统是’CentOS’, Ansible导入的第一个文件将是’vars/CentOS.yml’,紧接着 是’/var/os_defaults.yml’,如果这个文件不存在。而且在列表中没有找到,就会报错。 在Debian系统中,最先查看的将是’vars/Debian.yml’而不是’vars/CentOS.yml’, 如果没找到,则寻找默认文件’vars/os_defaults.yml’。
三、with_first_found
有些时候,我们想基于不同的操作系统,选择不同的配置文件,及配置文件的存放路径,可以借助with_first_found来解决:
-
name: template a file
template: src={{ item }} dest=/etc/myapp/foo.conf
with_first_found:- files:
- {{ ansible_distribution }}.conf
- default.conf
paths: - search_location_one/somedir/
- /opt/other_location/somedir/
四、failed_when
failed_when其实是ansible的一种错误处理机制,是由fail模块使用了when条件语句的组合效果。示例如下:
- files:
name: this command prints FAILED when it fails
command: /usr/bin/example-command -x -y -z
register: command_result
failed_when: "'FAILED' in command_result.stderr"我们也可以直接通过fail模块和when条件语句,写成如下:name: this command prints FAILED when it fails
command: /usr/bin/example-command -x -y -z
register: command_result
ignore_errors: True-
name: fail the play if the previous command did not succeed
fail: msg="the command failed"
when: "'FAILED' in command_result.stderr"五、changed_when
当我们控制一些远程主机执行某些任务时,当任务在远程主机上成功执行,状态发生更改时,会返回changed状态响应,状态未发生更改时,会返回OK状态响应,当任务被跳过时,会返回skipped状态响应。我们可以通过changed_when来手动更改changed响应状态。示例如下:- shell: /usr/bin/billybass --mode="take me to the river"
register: bass_result
changed_when: "bass_result.rc != 2" #只有该条task执行以后,bass_result.rc的值不为2时,才会返回changed状态
this will never report 'changed' status
- shell: wall 'beep'
changed_when: False #当changed_when为false时,该条task在执行以后,永远不会返回changed状态
- shell: /usr/bin/billybass --mode="take me to the river"
