前言

因为工作的缘故接触并积极推动Ansible在企业级生产环境的落地，独立承担并实现了《基于ansible的主机自动化配置管理》项目，此前也先后接触过Puppet和SaltStack，本文不会讨论开源或者自主研发方案的优劣，重点是和大伙儿分享自己在ansible技术领域积累的一些项目实战经验，如果大家遇到任何问题也欢迎通过留言或者其他方式进行互动，我尽力做到有效回复。

Ansible is Simple IT Automation

更新历史

2018年05月15日 - 初稿

阅读原文 - https://wsgzao.github.io/post/ansible/

扩展阅读

ansible - https://docs.ansible.com/

Ansible 标准化学习路径

Ansible相关的书籍在逐步增多，由于Ansible版本迭代更新频率高但学习成本低，个人建议书为辅，官方文档为主

Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.

Ansible’s main goals are simplicity and ease-of-use. It also has a strong focus on security and reliability, featuring a minimum of moving parts, usage of OpenSSH for transport (with other transports and pull modes as alternatives), and a language that is designed around auditability by humans–even those not familiar with the program.

We believe simplicity is relevant to all sizes of environments, so we design for busy users of all types: developers, sysadmins, release engineers, IT managers, and everyone in between. Ansible is appropriate for managing all environments, from small setups with a handful of instances to enterprise environments with many thousands of instances.

Ansible manages machines in an agent-less manner. There is never a question of how to upgrade remote daemons or the problem of not being able to manage systems because daemons are uninstalled. Because OpenSSH is one of the most peer-reviewed open source components, security exposure is greatly reduced. Ansible is decentralized–it relies on your existing OS credentials to control access to remote machines. If needed, Ansible can easily connect with Kerberos, LDAP, and other centralized authentication management systems.

This documentation covers the current released version of Ansible and also some development version features. For recent features, we note in each section the version of Ansible where the feature was added.

Ansible releases a new major release of Ansible approximately every two months. The core application evolves somewhat conservatively, valuing simplicity in language design and setup. However, the community around new modules and plugins being developed and contributed moves very quickly, adding many new modules in each release.

Ansible Lightbulb 是 Ansible 官方推荐的入门教材，普通用户大概只需要10-20分钟时间即可入门

The Ansible Lightbulb project is an effort to provide a content toolkit and educational reference for effectively communicating and teaching Ansible topics.

Ansible Lightbulb - https://github.com/ansible/lightbulb

Ansible Documentation 是 Ansible 官方文档，我的建议还是对英文不要害怕，多动手查多敲命令去理解

Ansible Documentation - http://docs.ansible.com/ansible/latest/index.html

基于 Ansible 的开源项目

第一个是ansible官方开源项目，其他都是和ansible相关的运维平台开源项目，推荐学习和参考

Ansible - https://github.com/ansible/ansible

Jumpserver - http://www.jumpserver.org/

OpsManage - https://github.com/welliamcao/OpsManage

adminset - https://github.com/guohongze/adminset

Ansible 项目实践

以下内容来自于《基于ansible的主机自动化配置管理》项目，基于ansible目前可以满足生产环境所有基线要求，相信对大家有一定的参考价值

image

image

ansible 部署

因为生产环境为内外网物理隔离，所有的安装部署都是离线进行的

# Install Packages
yum install gcc zlib zlib-devel openssl-devel -y

# Install Python
tar xf Python-2.7.14.tgz
cd Python-2.7.14
./configure
make
make install
cd ..

# renew python env
exit

# ImportError: No module named six.moves
tar xf six-1.11.0.tar.gz 
cd six-1.11.0
python setup.py install
cd ..

# ImportError: No module named packaging.version
tar xf packaging-17.1.tar.gz 
cd packaging-17.1
python setup.py install
cd ..

# ImportError: No module named pyparsing
tar xf pyparsing-2.2.0.tar.gz 
cd pyparsing-2.2.0
python setup.py install
cd ..

# ImportError: No module named appdirs
tar xf appdirs-1.4.3.tar.gz 
cd appdirs-1.4.3
python setup.py install
cd ..

# Install Setuptools
unzip setuptools-38.5.2.zip
cd setuptools-38.5.2
python setup.py install
cd ..

# Install pip
tar xf pip-9.0.1.tar.gz
cd pip-9.0.1
python setup.py install
cd ..

# pip 离线下载
# pip download -d DIR -r requirements.txt
pip download -d ~/ansible/ ansible

# pip 离线安装
# pip install --no-index --find-links=DIR -r requirements.txt
pip install --no-index --find-links=pip-ansible-2.3.3/ -r requirements.txt
pip install --no-index --find-links=pip-ansible-2.5.0/ -r requirements.txt -U

# pip 离线安装pipenv
pip install --no-index --find-links=pip-pipenv/ pipenv

# 使用pipenv创建虚拟环境
mkdir win_ansible
cd win_ansible
pipenv shell
pip install --no-index --find-links=pip-ansible-2.5.2/ -r requirements.txt

ansible.cfg 配置解析

ansible.cfg不影响执行结果但合理的配置会有效提升效率

# 配置文件路径（优先级）
./ansible.cfg
/etc/ansible/ansible.cfg

# 配置文件内容
[defaults]
#inventory = /etc/ansible/hosts
#log_path = /var/log/ansible.log
forks = 100 # 设置并发数
host_key_checking = False # 不检查SSH主机登录的密钥
display_skipped_hosts = False # 不显示已跳过的主机
retry_files_enabled = False # 不创建任务失败后的重试文件
# 按照1d设置setup缓存，优化执行效率
gathering = smart
fact_caching_timeout = 86400
fact_caching = jsonfile
fact_caching_connection = cachedir

Linux

• 服务端操作系统：RHEL 6/7（Windows不可作为控制端）
• 服务端Python版本：2.7.14（实测安装完成无需额外调整）
• Ansible版本：2.3.3.0（实测2.4以上版本已不支持rhel5.5，客户端需simplejson）
• 管理对象：目前主要针对RHEL 5/6/7（Windows使用高版本Ansible）
• 基线标准：参考《主机岗配置基线 v1.1.xlsx》

服务端

• 操作系统版本：RHEL 6/7
• Python版本：2.7.14
• 安装方式：pip离线安装依赖包

客户端

• 操作系统版本：RHEL 5/6/7
• 非最小模式安装无需做调整
• RHEL5.5需要安装simplejson

核心用法

# 检测ansible是否可以正常访问主机
ansible-playbook -i hosts playbooks/ping.yml -v
# 配置好inventory，执行以下命令创建用户并建立信任关系
ansible-playbook -i hosts playbooks/user/default.yml -v
# 配置时间同步/进程服务/基线文件
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v --tags="repo"
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v --skip-tags="ntp,repo"
# 更新系统软件包和补丁包
ansible-playbook -i hosts playbooks/baseline/pakset.yml -v
# 修改用户密码
ansible-playbook -i hosts_changepw playbooks/user/changepw.yml -v -e "@userpass.json"
# 备份配置，支持自定义日期命名，默认为"%Y%m%d"
ansible-playbook -i hosts backup/backup.yml -v
# 恢复配置，支持按日期目录全局或者局部主机恢复
ansible-playbook -i hosts backup/restore.yml -v -e "var_backup_date=20180305"

Windows

• 服务端操作系统：RHEL 6/7（Windows不可作为控制端）
• 服务端Python版本：2.7.14（实测安装完成无需额外调整）
• Ansible版本：2.5.0（Windows原生模块支持需要持续更新Ansible新版本）
• 管理对象：目前主要针对Windows 7/2008/2012（不支持xp/2003）
• 基线标准：参考《Windows 安全基线》

服务端

• 操作系统版本：RHEL 6/7
• Python版本：2.7.14
• 安装方式：pip离线安装依赖包（目前使用pipenv切换管理Linux和Windows）

客户端

• 操作系统版本：Window 7/2008/2012
• WinRM（Windows 7/2008 需要升级至 Powershell v3.0）

核心用法

# 检测ansible是否可以正常访问主机
ansible-playbook -i hosts win_playbooks/ping.yml -v
# 配置好inventory，执行以下命令创建用户并建立信任关系
ansible-playbook -i hosts win_playbooks/user/default.yml -v
# 配置时间同步/进程服务/基线文件
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v --tags="wsus"
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v --skip-tags="ntp,wsus"
# 更新系统软件包和补丁包
ansible-playbook -i hosts win_playbooks/baseline/pakset.yml -v
# 修改用户密码
ansible-playbook -i win_hosts_changepw win_playbooks/user/changepw.yml -v -e "@userpass.json"
# 备份配置，支持自定义日期命名，默认为"%Y%m%d"
ansible-playbook -i win_hosts win_backup/backup.yml -v
# 恢复配置，支持按日期目录全局或者局部主机恢复
ansible-playbook -i win_hosts win_backup/restore.yml -v -e "var_backup_date=20180305"

结语

很抱歉我暂时不能分享全部信息，但是这并不妨碍技术上的交流，我会逐步分享有价值的可公开代码

1. 遵循what/why/how思路，要理解ansible能解决什么问题，为什么选择ansible，怎么使用ansible去解决
2. Ansible学习成本低但不等同于没有难度，学习路径推荐参考官方文档并积极实践，官网没有答案要善用Google搜索
3. Ansible纯后台模式只解决了部分问题，还有更多需求要通过基于Ansible的自动化运维平台来实现，拥抱开源技术不能固步自封