Automated batch tool Ansible: usage (1)

Using the Ansible batch management software

I. Introduction to Ansible

1.1.1 What is Ansible

Ansible is a relatively recent automation tool for operations work. It is written in Python and combines the strengths of several earlier tools (Puppet, Chef, Func, Fabric) to provide batch system configuration, batch software deployment and batch command execution.
  Ansible is built as a modular framework: the core itself has no batch deployment ability, the work is done by the modules it runs, and the core only schedules them. Early releases were built on the paramiko SSH library; current releases use the OpenSSH client by default, with paramiko available as an alternative connection plugin. No client or agent needs to be installed on the remote hosts, because Ansible talks to them over SSH. The only requirement on a managed host is a Python interpreter for the modules to run under (on CentOS 7 with Python 2, SELinux-aware file modules also need the libselinux-python package, which is why it is installed on the managed nodes below). Ansible has been acquired by Red Hat and is one of the most widely adopted automation tools; it is easy to pick up and simple to learn, and is a skill every operations engineer should have.

1.1.2 Features of Ansible

  1. Simple to deploy: only the control node needs an Ansible environment; the managed nodes need no setup beyond SSH and Python.
  2. Manages devices over the SSH protocol by default; a large library of modules covers most routine operations.
  3. Simple to configure, powerful, and easy to extend.
  4. Supports an API and custom modules, so it is easily extended in Python.
  5. Playbooks provide configuration and state management.
  6. Lightweight: no agent on the clients, and an upgrade only has to be done once, on the control node.
  7. A web management interface and REST API are available through the AWX platform (the upstream project of Red Hat Ansible Tower).

1.1.3 Why use Ansible

  1. Improves work efficiency.
  2. Improves the utilization of company resources.
  3. Saves the company money.
    Official documentation: http://docs.ansible.com

II. Hands-on with the Ansible environment

2.1.1 Installing Ansible

  1. Installation on the Ansible control node
[root@m01 ~]# yum install epel-release -y
[root@m01 ~]# yum install ansible  libselinux-python -y
[root@m01 ~]# rpm -qa ansible
ansible-2.9.7-1.el7.noarch
  2. Installation on the managed (remote) nodes
[root@backup ~]# yum install libselinux-python -y
[root@nfs01 ~]# yum install libselinux-python -y
[root@web02 ~]# yum install libselinux-python -y

2.1.3 Configuring the Ansible host files

  1. The inventory file /etc/ansible/hosts
[root@m01 ~]# cp /etc/ansible/hosts{,.bak}
[root@m01 ~]# ll  /etc/ansible/hosts{,.bak}
-rw-r--r-- 1 root root 1016 Apr 19 05:24 /etc/ansible/hosts
-rw-r--r-- 1 root root 1016 May  3 12:57 /etc/ansible/hosts.bak
[root@m01 ~]# vim /etc/ansible/hosts 
# configuration used here:
[root@m01 ~]# tail -8 /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41

[oldgirl]
172.16.1.31
172.16.1.41
172.16.1.51
#####
# /etc/ansible/hosts is the inventory of managed hosts. Besides listing the hosts it can
# hold per-host connection settings such as the SSH login user, password or key.
# Inventory features:
# 1. host patterns with ranges: web[1:3].oldboy.com stands for web1, web2 and web3 (the range is inclusive)
# 2. non-standard SSH ports: web1.oldboyedu.com:6666
# 3. per-host variables, for settings specific to one host such as the login user or password
# 4. group variables with [group_name:vars], and nested groups with [game:children]
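An inventory that exercises the four features just listed, added here as an example (it is not from the original page). The web1-3.oldboy.com names, port 6666 on the backup host, the oldboy login user and the group names are assumptions chosen to match the page's naming; comments are kept on their own lines.

```ini
# /etc/ansible/hosts (added example)

# 1. ranges: web[1:3].oldboy.com is web1, web2 and web3 (the range is inclusive)
[web]
web[1:3].oldboy.com

# 2. non-standard SSH port: either the host:port form or the ansible_port variable
[backup]
172.16.1.41 ansible_port=6666

# 3. per-host variables: log in as an unprivileged user and escalate with sudo
#    instead of connecting as root; no password is stored in this file
[nfs]
172.16.1.31 ansible_user=oldboy ansible_become=yes

# 4. group variables and nested groups
[nfs:vars]
ansible_python_interpreter=/usr/bin/python

[game:children]
web
backup
nfs
```

Check what the inventory expands to before running anything against it: `ansible-inventory -i /etc/ansible/hosts --graph` lists the groups and the hosts they resolve to, and `ansible-inventory -i /etc/ansible/hosts --host 172.16.1.41` shows the variables a single host ends up with. If a password has to be used, keep it out of this file: put it in a vaulted vars file (for example `ansible-vault create /etc/ansible/group_vars/nfs.yml` holding `ansible_password`) or supply it at run time with `-k`.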
  2. Configuring /etc/ansible/ansible.cfg
[root@m01 ~]# ll /etc/ansible/ansible.cfg{,.bak}
-rw-r--r-- 1 root root 20013 May  3 14:23 /etc/ansible/ansible.cfg
-rw-r--r-- 1 root root 20013 May  3 14:39 /etc/ansible/ansible.cfg.bak
[root@m01 ~]# vim /etc/ansible/ansible.cfg
Edit line 374 of ansible.cfg (the ssh_args entry in the [ssh_connection] section):
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
# append -o StrictHostKeyChecking=no to this line. This removes the interactive "Are you sure you want to continue connecting" prompt that breaks the first run (see the error below), but it also tells OpenSSH to accept whatever host key a server presents, so a replaced host or a man-in-the-middle on the path goes unnoticed. The documented Ansible equivalent is host_key_checking = False in the [defaults] section. Outside a lab, leave checking on and pre-populate the control node's known_hosts with the managed hosts' keys instead.
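The lab setting above beside a safer equivalent, added here as an example and not part of the original page. The path /etc/ansible/known_hosts is an assumption; any file that only the control node's administrator can write will do.

```ini
# /etc/ansible/ansible.cfg (added example)
[defaults]
inventory = /etc/ansible/hosts
# host_key_checking = False is the documented equivalent of -o StrictHostKeyChecking=no:
# it silences the first-contact prompt by accepting any host key. Leave it on.
host_key_checking = True

[ssh_connection]
# Lab setting used on this page (kept here commented out): accepts any host key.
; ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
#
# Corrected: keep the connection multiplexing, but verify every host against a
# known_hosts file that is populated once and afterwards changed only on purpose.
# StrictHostKeyChecking=yes never prompts: an unknown or changed key fails the
# connection, which is the right outcome for an unattended run.
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ansible/known_hosts
```

Populate the file before the first run: on the control node `ssh-keyscan -t ecdsa 172.16.1.31 172.16.1.41 > /etc/ansible/known_hosts`, then `ssh-keygen -lf /etc/ansible/known_hosts` and compare each fingerprint with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on that host's own console. ssh-keyscan trusts whatever answers on port 22, so the comparison, not the scan, is what establishes trust. If two hosts show the same fingerprint, as 172.16.1.31 and 172.16.1.41 do in the error output below, their host keys have to be regenerated before pinning them means anything.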
  3. Running commands in practice
Error:
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:bbt9sjPOENs3zK9cw7YmIo0ABuFkZnTxXbOaIdpSOo0.
ECDSA key fingerprint is MD5:e5:3b:15:2e:6c:82:4b:b1:f8:45:dc:80:72:de:11:47.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:bbt9sjPOENs3zK9cw7YmIo0ABuFkZnTxXbOaIdpSOo0.
ECDSA key fingerprint is MD5:e5:3b:15:2e:6c:82:4b:b1:f8:45:dc:80:72:de:11:47.
Are you sure you want to continue connecting (yes/no)? yes
172.16.1.31 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", 
    "unreachable": true
}

172.16.1.41 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Host key verification failed.", 
    "unreachable": true
}

Two things are visible in this output. First, both hosts present the same ECDSA fingerprint (SHA256:bbt9sjPOENs3zK9cw7YmIo0ABuFkZnTxXbOaIdpSOo0), which is what you see when VMs are cloned from one image without regenerating /etc/ssh/ssh_host_*_key; identical host keys defeat the purpose of host key checking, so on each clone remove /etc/ssh/ssh_host_* , run ssh-keygen -A and restart sshd. Second, once the host key prompt is answered, SSH still fails with Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password): the inventory carries no credentials, so there is no key to offer and Ansible does not prompt for a password unless asked to with -k.

Solution:

[oldboy]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.41 ansible_ssh_user=root ansible_ssh_pass=123456
# Put the credentials on the inventory lines, then ssh into each IP once by hand so its host key is recorded. Password logins through Ansible also need the sshpass program on the control node. ansible_ssh_user and ansible_ssh_pass are the pre-2.0 variable names and still work; the current names are ansible_user and ansible_password. A plaintext password in /etc/ansible/hosts can be read by anyone who can read the file and travels with every backup or commit of it, so if a password must be used keep it in a file encrypted with ansible-vault or pass it at run time with -k. The key-based setup shown next avoids the problem altogether (recommended).
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
172.16.1.31 | CHANGED | rc=0 >>
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.31  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::20c:29ff:fea2:2c6d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a2:2c:6d  txqueuelen 1000  (Ethernet)
        RX packets 492  bytes 364464 (355.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 345  bytes 45470 (44.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
172.16.1.41 | CHANGED | rc=0 >>
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.41  netmask 255.255.0.0  broadcast 172.16.255.255
        inet6 fe80::20c:29ff:fe6c:1f2d  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6c:1f:2d  txqueuelen 1000  (Ethernet)
        RX packets 209  bytes 107503 (104.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 171  bytes 30025 (29.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  4. Key distribution
[root@m01 ~]# sh /server/scripts/rsa_pub.sh 
========172.16.1.31=========
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' 'root@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.

key copy successful                                        [  OK  ]
========172.16.1.41=========
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' 'root@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

key copy successful                                        [  OK  ]
  5. The key distribution script
[root@m01 ~]# vim /server/scripts/rsa_pub.sh 
#!/bin/bash
# auth chenhj 2020-2-15
# Push the control node's public key to each managed host with ssh-copy-id.
# 123456 is the lab password used on this page; in real use read it from a
# prompt (read -s) or a vaulted file instead of hard-coding it here.
. /etc/init.d/functions
# generate the key pair once if it does not exist yet
[ -f ~/.ssh/id_rsa ] || ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
for ip in {31,41}
do
        echo "========172.16.1.$ip========="
        # ssh options are passed to ssh-copy-id with -o; StrictHostKeyChecking=no
        # only suppresses the first-contact prompt and accepts any host key (see above)
        if sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no "root@172.16.1.$ip"
        then
                action "key copy successful" /bin/true
        else
                action "key copy failed" /bin/false
        fi
done
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
172.16.1.31 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", 
    "unreachable": true
}
172.16.1.41 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", 
    "unreachable": true
}
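The page does not record why the run above still fails with Permission denied after ssh-copy-id reported success. Independently of that, the most frequent target-side cause of exactly this message once a key has been copied is sshd's StrictModes check refusing a group- or world-writable home directory, ~/.ssh or authorized_keys. The following added example (not from the original page) implements that check and the fix as shell functions. The demo home directory, its modes and the key line are constructed; on a real target you would run check_ssh_dir_perms against the login user's home directory.

```shell
#!/bin/sh
# Added example, not from the original page: the target-side check for the most
# common reason a freshly copied key is still answered with
# "Permission denied (publickey,...)". With the default StrictModes yes, sshd
# ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file
# itself is group- or world-writable (they must also be owned by the user or
# root, which this check does not cover). A throw-away home directory is built
# below so the functions run anywhere; on a managed host run
# check_ssh_dir_perms /root instead.

# mode_of PATH -> permission bits as printed by "stat -c %a", e.g. 700 or 644
mode_of() { stat -c '%a' "$1"; }

# writable_by_group_or_other MODE -> 0 when the group or other write bit is set.
# MODE is the decimal-digit form from stat (775, 2755, 7 ...); the tens digit is
# the group triplet and the units digit the other triplet.
writable_by_group_or_other() {
    m=$1
    g=$(( (m / 10) % 10 ))
    o=$(( m % 10 ))
    [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]
}

# check_ssh_dir_perms HOME -> 0 when sshd would read HOME/.ssh/authorized_keys,
# 1 otherwise; each problem is printed on its own line.
check_ssh_dir_perms() {
    home=$1
    rc=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            rc=1
            continue
        fi
        m=$(mode_of "$f")
        if writable_by_group_or_other "$m"; then
            echo "group/world writable (mode $m): $f"
            rc=1
        fi
    done
    return $rc
}

# fix_ssh_dir_perms HOME -> applies the conventional modes: ~/.ssh 700,
# authorized_keys 600, and the home directory stripped of group/other write.
fix_ssh_dir_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# --- constructed demo: a home directory with the classic mistakes ----------------
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
mkdir -p "$DEMO_HOME/.ssh"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey root@m01' > "$DEMO_HOME/.ssh/authorized_keys"
chmod 755 "$DEMO_HOME"
chmod 777 "$DEMO_HOME/.ssh"                 # e.g. created with umask 000
chmod 664 "$DEMO_HOME/.ssh/authorized_keys" # e.g. copied over with a lax umask

echo "== before =="
check_ssh_dir_perms "$DEMO_HOME" || echo "-> sshd (StrictModes yes) would ignore this authorized_keys"
fix_ssh_dir_perms "$DEMO_HOME"
echo "== after =="
check_ssh_dir_perms "$DEMO_HOME" && echo "-> ok"
```

From the control node the client side can be confirmed with `ssh -v -o PreferredAuthentications=publickey -i ~/.ssh/id_rsa root@172.16.1.31`, which shows whether the key is offered and refused; on the target, /var/log/secure on CentOS 7 (or `journalctl -u sshd`) reports "Authentication refused: bad ownership or modes" when StrictModes is the cause. Once both hosts accept the key, `ansible oldboy -m ping` should return pong before any command module is run.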
  6. Practice, once key-based login works
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.41 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:           1980         110        1603           9         266        1716
Swap:          1023           0        1023
172.16.1.31 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:           1980         117        1595           9         268        1710
Swap:          1023           0        1023
© Copyright belongs to the author; contact the author for reprinting or content cooperation.
Platform statement: the content of this article (including any images or video) was uploaded and published by the author and represents only the author's own views; Jianshu is an information publishing platform and provides storage only.