ansible 是一个轻量级的IT自动化工具,集合了众多运维工具(puppet、cfengine、chef、func、fabric)的优点,实现了批量系统配置、批量程序部署、批量运行命令等功能。
特点
- SSH by default
- No agents: controlled hosts / devices need no agent sofware
- No server: any linux machine can do Ansible activities via terminal commands
- Modules in any languages: the modules can be developed in any languages
- YAML, not code: using YAML language(标记语言,类XML) to write playbook
- Strong multi-tier solution:可实现多级指挥
ansible 配置文件
-
- 定义各种通用变量
- 查找ansible.cfg文件的顺序
- ANSIBLE_CONFIG环境变量所指定的文件
- ./ansible.cfg
- ~/.ansible.cfg
- /etc/ansible/ansible.cfg
- 配置举例:
inventory = /etc/ansible/hosts #指定inventory文件位置
Inventory
Ansible只能管理指定的服务器,在inventory文件中进行配置对应的主机/分组的数据,其格式如下:
--组名(对系统进行分组)
[webservers]
--主机名
foo.example.com
--指定系统的别名 + ssh的用户
jumper ansible_ssh_host=192.168.1.50 ansible_ssh_user=appadmin
--01到50,一组相似的hostname
www[01:50].example.com
--给host设定变量,后续playbook中可以使用
host1 http_port=80 maxRequestsPerChild=808
--给group设定变量,应用于组内的所有host
[atlanta]
host1
host2
[atlanta:vars]
ntp_server=ntp.atlanta.example.com
proxy=proxy.atlanta.example.com
--组内组
[southeast:children]
atlanta
raleigh
Ansible Ad-Hoc 命令
- 临时执行的命令
ansible <pattern_goes_here[webservers, all, *]> -m <module_name> -a <arguments>
- 不指定module的话,则默认执行command模块
- ansible-doc: 获取模块列表,以及模块使用格式
- ansible-doc [-l] [-s MODULE]
- -l : 列出支持的核心模块
- -s MODULE : 查看模块的用法
- ansible-doc [-l] [-s MODULE]
使用例子:ping主机
ansible -i hosts webservers -m ping --ask-pass -u user
ansible -i hosts all -m ping --ask-pass -u user
输出:
[root@Centos7 ~]# ansible all -m ping
host1 | success >> {
"changed": false,
"ping": "pong"
}
host2 | UNREACHABLE! => {
"changed": false,
"msg": "Authentication failed.",
"unreachable": true
}
参数解释
- -m, --module-name: module name to execute(default=command)
- -m ping : 执行ping module
- -a, --args: module arguments
- -i, --inventory-file: specify inventory host path(default=/etc/ansible/hosts) or comma separated host list.
- -k, --ask-pass: ask for connection password
- -u REMOTE_USER, --user=REMOTE_USER: connect as this user (default=None)
- webservers 表示执行该命令的分组,all 表示inventory中配置的所有主机
- -l, --limit=SUBSET: further limit selected hosts to an additional pattern,限定组或host来执行playbook
- -c, --connect: connect type to use (default=smart)
- --ask-vault-pass: ask for vault password(sudo 模式需要)
- -b, --become: run operations with become (does not imply password prompting)(使用playbook制定的become_user进行操作)
- -t TAGS, --tags=TAGS: only run plays and tasks tagged with these values
- -C, --check: don't make any changes; instead, try to predict some of the changes that may occur
Ansible Playbook
- Ad-Hoc命令只能执行一些临时性的、简单的命令
- 实际企业应用需要经过多个步骤,且各个步骤之间存在依赖关系,Ad-Hoc命令无法满足使用需求
- 使用playbook来定义步骤以及依赖
- playbook 由yaml编写,让远程主机按照事先编排的机制执行task
---
- hosts: all #执行tasks的主机,all表示所有
become: yes #使用特定用户执行tasks,该参数也可以配置在相应task中。
become_user: root
remote_user: username #the user log into machine.
tasks:
# 每个task都相当于在执行对应模块的功能
# 每个task感觉都是单次的连接,执行完之后断掉,之前的环境变量设置不会在后续的task中生效
# 描述task
- name: copy local file to remote machine
# 执行对应模块功能
copy:
src: ~/test
dest: ~/test
owner: root
mode: 0600
# 命令执行的结果存到变量中,方便后续使用
register: rsa
# 设置环境变量
environment:
JAVA_HOME: /usr/java/jre1.8.0_51
# task有失败之后,相同host后续的task不会执行,该参数可在失败后继续执行。
ignore_errors: yes
# 给这部分task打上tags,可指定只执行相应tags的task (命令中添加:-t deploy)
tags: deploy
# (call the tasks defined in handlers if module does some changes to the remote host)
notify:
- do something
# defines a list of tasks
handlers:
- name: do something
service: test
- name: task 2
debug: var={{ host_vars }} # 使用对应host的host_vars变量
-
例:在几台机子中执行hostname命令,并获取返回值
- 文件目录:
test # inventory文件,配置主机 test.yml # playbook- inventory 配置内容
[server] host1 ansible_ssh_host=1.1.1.1 ansible_ssh_user=appadmin host2 ansible_ssh_host=1.1.1.2 ansible_ssh_user=appadmin- test.yml 内容
--- - hosts: all tasks: - name: get hostname shell: hostname register: out - debug: var=out- 执行playbook:
$ ansible-playbook -i test test.yml,返回内容:
PLAY [all] *********************************************************************
TASK [setup] *******************************************************************
ok: [host1]
ok: [host2]
TASK [get hostname] ************************************************************
changed: [host1]
changed: [host2]
TASK [debug] *******************************************************************
ok: [host1] => {
"out": {
"changed": true,
"cmd": "hostname",
"delta": "0:00:00.003584",
"end": "2017-02-09 16:05:04.043118",
"rc": 0,
"start": "2017-02-09 16:05:04.039534",
"stderr": "",
"stdout": "host1.com",
"stdout_lines": [
"host1.com"
],
"warnings": []
}
}
ok: [host2] => {
"out": {
"changed": true,
"cmd": "hostname",
"delta": "0:00:00.003584",
"end": "2017-02-09 16:05:04.043118",
"rc": 0,
"start": "2017-02-09 16:05:04.039534",
"stderr": "",
"stdout": "host2.com",
"stdout_lines": [
"host1.com"
],
"warnings": []
}
}
PLAY RECAP *********************************************************************
# 以下是对应host的task执行情况,ok表示执行成功的task数量,charged表示对host产生修改的task数量。
host1 : ok=3 changed=1 unreachable=0 failed=0
host2 : ok=3 changed=1 unreachable=0 failed=0
role 使用
- playbook 直接调用 task 问题
- playbook 是需要处理的事情,task 是执行细节,playbook并不关心细节
- playbook 直接调用task 使task无法复用
- playbook会越来越长,难维护
- 将一个或多个task抽象成一个role,隐藏细节,供playbook调用
- role易于复用,可以从一个已知的文件结构中自动加载vars, tasks, handler。
- 部分文件结构:
test
test.yml
roles/
install/
files/
templates/
tasks/
main.yml #应用 install 时,优先执行main.yml
handlers/
vars/
deploy/
files/
templates/
tasks/
main.yml
handlers/
vars/
- playbook内容
---
- hosts: webservers
roles:
- install
- deploy
部分常用模块
- file: 包含了文件、文件夹、超级链接类的创立、拷贝、移动、删除操作。
- copy: copy a file on the local box to remote locations. (可以使用 remote_src,使src在远程机子上,2.0 以后的版本适用)
- fetch: copy files from remote locations to the local box.
- template: Templates a file out to a remote server.
- command: Executes a command on a remote node(It will not be processed through the shell, so variables like $HOME and operations like "<", ">", "|", ";" and "&" will not work)If you want to execute a command securely and predictably, it may be better to use the command module instead.
- lineinfile: Ensure a particular line is in a file, or replace an existing line using a back-referenced regular expression.
- pause : Pause playbook execution
- ping : Try to connect to host, verify a usable python and return pong on success. no sense in playbook.
- shell : Execute commands in nodes.(runs the command through a shell (/bin/sh) on the remote node.)If you want to execute a command securely and predictably, it may be better to use the command module instead.
- debug : Print statements during execution
- setup : Gathers facts about remote hosts(默认执行),支持filter。
- apt : Manages apt-packages
- service: Controls services on remote hosts
- fail: Fail with custom message
- subversion: Deploys a subversion repository.
- group: Add or remove groups
- user: Manage user accounts
- get_url: Downloads files from HTTP, HTTPS, or FTP to node
- wait_for: Waits for a condition before continuing.(port is open , file is present, and so on.)
- script: Runs a local script on a remote node after transferring it
实际场景应用
- 可以考虑使用原生的ansible进行管理,参考:Ansible Best Practices Summary
- 除了ansible自家出的 ansible tower, 也可以考虑尝试一些开源的ui,semaphore, semaphore使用教程,ansible ui,或者用django自己实现一个前端完成简单的管理。
参考:
an-intro-to-network-automation-3-ansible
an-ansible-tutorial
ansible-simple-tutorial
