ansible关闭ssh首次连接时yes/no提示
使用ssh连接时,可以使用-o参数将StrictHostKeyChecking设置为no,
避免使用ssh连接时避免首次连接时让输入yes/no部分的提示。
方法1:修改 /etc/ansible/ansible.cfg中的374行
369 [ssh_connection]
370
371 # ssh arguments to use
372 # Leaving off ControlPersist will result in poor performance, so use
373 # paramiko on older platforms rather than removing it, -C controls compression use
374 #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
374行改为:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
方法2:修改 /etc/ansible/ansible.cfg中的71行
70 # uncomment this to disable SSH key host checking
71 #host_key_checking = False
71行的注释取消:host_key_checking = False
==========================================
[root@m01 /server/scripts]# > ~/.ssh/known_hosts
[root@m01 /server/scripts]# ssh 172.16.1.31
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? ^C
[root@m01 /server/scripts]# ansible oldboy -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 88 592 13 291 708
Swap: 767 0 767
172.16.1.41 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 89 572 13 310 706
Swap: 767 0 767
目标:ansible是不是需要免秘钥认证(ssh免秘钥认证)? yes
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.7
还原ansible.cfg配置,重启服务器
[root@m01 ~]# ansible oldboy -m command -a "free -m"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)?
解决yes/no不需要输入问题:
修改ansible.cfg 374行:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
在执行报错:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
解决公钥问题:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
执行ansible命令:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
for ip in 31
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.31 "ifconfig eth0"
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 71 804 7 96 768
Swap: 767 0 767
验证:删除公钥,是不是不可以了?
重启后,不行,重启前可以
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Could not create directory '/root/.ssh'.\r\nWarning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
修改Host增加用户和密码:
[root@m01 ~]# cat /etc/ansible/hosts
#[oldboy]
#172.16.1.31
#172.16.1.7
[oldboy_pass]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
结果:
[root@m01 ~]# ansible oldboy_pass -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 79 791 7 101 758
Swap: 767 0 767
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 806 7 95 771
Swap: 767 0 767
结论:使用SSH连接:
密码认证 host里主机后面加密码 Paramiko模块 重点:
秘钥认证:提前发公钥,才能用ansible. SSHPASS工具
http://docs.ansible.com/ansible/latest/intro_inventory.html#list-of-behavioral-inventory-parameters
特殊端口:
[oldboy]
172.16.1.7 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
12.基于SSH秘钥认证的实践
一键创建及分发秘钥:
#!/bin/bash
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 8 41 31
do
sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
[root@m01 ~]# ansible oldboy -m command -a "free -m" #和前面sh cmd.sh "free -m"
11.ansible命令参数
-m MODULE_NAME, 模块名字,默认command
-a MODULE_ARGS, 模块参数
-f FORKS 并发进程数,默认5个。
-i INVENTORY(default=/etc/ansible/hosts)指定主机列表文件
===================
ansible
ansible-doc
ansible-playbook
ansible-galaxy
===================
12.ansible模块查看和帮助*****
查找模块
ansible-doc -l #模块就Linux命令了。
查看某个模块的具体参数帮助
ansible-doc -s command #Linux命令参数
[root@m01 /data]# ansible 172.16.1.31 -m copy -a "src=/data/root dest=/var/spool/cron/root"
172.16.1.31 | SUCCESS => {
"changed": false,
"checksum": "05bdd2e97b52cbd90bd71b6c3ee78118ebbbcad5",
"dest": "/var/spool/cron/root",
"gid": 0,
"group": "root",
"mode": "0600",
"owner": "root",
"path": "/var/spool/cron/root",
"size": 166,
"state": "file",
"uid": 0
}
12.1 command模块 *****
1)功能说明:
command Executes a command on a remote node
功能说明:执行一个命令在远程节点上
操作实践:
ansible oldboy -m command -a "free -m"
ansible oldboy -m command -a "df -h"
ansible oldboy -m command -a "ls /root"
ansible oldboy -m command -a "cat redhat-release"
ansible oldboy -m command -a "cat /etc/redhat-release"
最通用的功能。
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/redhat-release"
172.16.1.7 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.31 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.41 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
[root@m01 ~]# cat /server/scripts/cmd.sh
for n in 31 41
do
echo "=====172.16.1.$n======"
ssh 172.16.1.$n "$1"
done
[root@m01 ~]# sh /server/scripts/cmd.sh "cat /etc/redhat-release"
=====172.16.1.31======
CentOS Linux release 7.6.1810 (Core)
=====172.16.1.41======
CentOS Linux release 7.6.1810 (Core)
特殊:不支持的东西,例如 > < | &等 $HOME,替代方案用shell模块
ansible oldboy -m shell -a "ps -ef|grep ssh"
ansible oldboy -m shell -a "echo oldboy >/tmp/a.log"
2)常用参数说明及实践
[root@m01 ~]# ansible-doc -s command
- name: Executes a command on a remote node
command:
argv: # Allows the user to provide the command as a list vs. a string. Only the
string or the list form can be provided, not
both. One or the other must be provided.
chdir: # Change into this directory before running the command.
creates: # A filename or (since 2.0) glob pattern. If it already exists, this step
*won't* be run.
free_form: # (required) The command module takes a free form command to run. There is no
parameter actually named 'free form'. See the
examples!
removes: # A filename or (since 2.0) glob pattern. If it already exists, this step *will* be run.
stdin: # Set the stdin of the command directly to the specified value.
warn: # If command_warnings are on in ansible.cfg, do not warn about this particular
line if set to `no'.
参数:chdir=/tmp配置相当于cd /tmp
[root@m01 ~]# ansible oldboy -m command -a "pwd chdir=/etc"
ansible oldboy -m shell -a "cd /etc/;pwd"
参数:creates=/etc 相当于条件测试 [ -e /etc ]||pwd 和下面removes相反
[root@m01 ~]# ansible oldboy -m command -a "pwd creates=/etc"
参数:removes=/root 相当于条件测试 [ -e /root ]&&ls /root
ansible oldboy -m command -a "ls /root removes=/root"
ansible oldboy -m shell -a "[ -d /etc ]||pwd"
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/hosts removes=/etc/hosts"
参数:warn=False 忽略警告
[root@m01 ~]# ansible oldboy -m command -a "chmod 000 /etc/hosts warn=False"
更多官方链接:http://docs.ansible.com/ansible/latest/command_module.html或ansible-doc -s command
=====================================================================================
项目实践:
rsync服务器端:31、41
rsync客户端:7、8
实现:从7推送文件到31,从8推送文件到41.
shell模块:实现上面
12.2 shell模块功能说明:
功能说明:执行一个命令在远程节点上
shell Execute commands in nodes.
官方链接:http://docs.ansible.com/ansible/latest/shell_module.html
shell:
chdir: # cd into this directory before running the command
creates: # a filename, when it already exists, this step will *not* be
run.
executable: # change the shell used to execute the command. Should be an
absolute path to the
executable.
free_form: # (required) The shell module takes a free form command to run,
as a string. There's not an
actual option named "free
form". See the examples!
removes: # a filename, when it does not exist, this step will *not* be
run.
stdin: # Set the stdin of the command directly to the specified value.
warn: # if command warnings are on in ansible.cfg, do not warn about
this particular line if set to no/false.
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
实践:增加文本文件
[root@m01 ~]# ansible oldboy -m shell -a "echo oldboy >/tmp/tmp.txt"
172.16.1.41 | CHANGED | rc=0 >>
172.16.1.31 | CHANGED | rc=0 >>
[root@m01 ~]# ansible oldboy -m shell -a "cat /tmp/tmp.txt"
172.16.1.41 | CHANGED | rc=0 >>
oldboy
172.16.1.31 | CHANGED | rc=0 >>
oldboy
要执行的脚本必须在远程机器上存在:
[root@m01 ~]# ansible oldboy -m shell -a "sh /server/scripts/bak.sh"
172.16.1.41 | FAILED | rc=127 >>
sh: /server/scripts/bak.sh: 没有那个文件或目录non-zero return code
172.16.1.31 | CHANGED | rc=0 >>
实践1:把/etc/hosts拷贝到/opt下,权限设置400,用户和组设置root
ansible oldboy -m copy -a "src=/etc/hosts dest=/opt mode=0400 owner=root group=root backup=yes"
实践2:把/etc/passwd拷贝/tmp下改名为oldgirl,用户和组为oldboy,权限600,如果有存在同名文件覆盖
ansible oldboy -m copy -a "src=/etc/passwd dest=/tmp/oldgirl.txt owner=oldboy group=oldboy mode=0600 force=yes"
批量分发host需求,操作前备份:
ansible oldboy -m copy -a "src=/etc/hosts dest=/etc/hosts mode=0644 owner=root group=root backup=yes"
结果:
[root@backup /tmp]# ls /etc/hosts* -l
-rw-r--r-- 1 root root 353 4月 24 10:49 /etc/hosts
---------- 1 root root 332 4月 12 11:24 /etc/hosts.21951.2019-04-24@10:49:00~
项目实践作业:
1、写好rsync一键客户端配置,一键服务端配置。
2、写好nfs一键服务端端配置,一键客户端挂载,并且加到自启动文件里(/etc/rc.local,/etc/fstab)。
shell模块远程执行脚本:脚本必须在远端存在
ansible oldboy -m shell -a "/bin/bash /server/scripts/setup.sh"
12.3 script模块功能说明:
功能说明:远程节点上运行本地脚本模块
官方链接:http://docs.ansible.com/ansible/latest/script_module.html
参数说明:
ansible oldboy -m shell -a "sh /server/scripts/bak.sh"
[root@m01 /server/scripts]# ansible oldboy -m shell -a "sh /server/scripts/bak.sh"
172.16.1.41 | FAILED | rc=127 >>
sh: /server/scripts/bak.sh: 没有那个文件或目录non-zero return code
172.16.1.31 | FAILED | rc=127 >>
sh: /server/scripts/bak.sh: 没有那个文件或目录non-zero return code
[root@m01 /server/scripts]# cat new.sh
#!/bin/sh
echo oldboy >/tmp/oldboy.txt
本地脚本,在远端执行。
[root@m01 /server/scripts]# ansible oldboy -m script -a "/server/scripts/new.sh"
项目实践作业:
rsync服务端写成脚本 r1.sh
rsync客户端写成脚本 r2.sh
nfs服务端写成脚本 n1.sh
nfs客户端写成脚本 n2.sh
sersync服务端写成脚本 s1.sh
sersync客户端写成脚本 s2.sh
/server/scripts/one_key_gaoding.sh
ansible r1 -m copy -a "src=/server/scripts/r1.sh dest=/server/scripts/ mode=ugo+x"
ansible r1 -m shell -a "sh /server/scripts/r1.sh"
ansible r1 -m copy -a "src=/server/scripts/r2.sh dest=/server/scripts/ mode=ugo+x"
ansible r2 -m shell -a "sh /server/scripts/r2.sh"
ansible n1 -m shell -a "sh /server/scripts/n1.sh"
ansible n2 -m shell -a "sh /server/scripts/n2.sh"
ansible s1 -m shell -a "sh /server/scripts/s1.sh"
ansible s2 -m shell -a "sh /server/scripts/s2.sh"
/bin/sh /server/scripts/one_key_gaoding.sh
也可以使用script模块,替代copy+shell模块
12.4 copy模块功能说明:
功能说明:复制文件到远程主机
官方链接:http://docs.ansible.com/ansible/latest/copy_module.html
参数说明:
[root@m01 ~]# ansible oldboy -m shell -a "sh /server/scripts/bak.sh"
172.16.1.31 | FAILED | rc=127 >>
sh: /server/scripts/bak.sh: 没有那个文件或目录non-zero return code
172.16.1.41 | FAILED | rc=127 >>
sh: /server/scripts/bak.sh: 没有那个文件或目录non-zero return code
ansible oldboy -m copy -a "src=/server/scripts/bak.sh dest=/server/scripts/ mode=ugo+x"
12.5 file模块功能说明:
功能说明:设置文件属性
官方链接:http://docs.ansible.com/ansible/latest/copy_module.html
参数实践:创建数据文件(普通文件 目录 软链接文件)
ansible oldboy -m file -a "dest=/tmp/oldboy_dir state=directory"
ansible oldboy -m command -a "mkdir -p /tmp/oldboy_dir1 warn=false"
ansible oldboy -m file -a "dest=/tmp/oldboy1 state=touch"
ansible oldboy -m command -a "touch /tmp/oldboy_file1.txt warn=false"
================================================================
替代方案:
ansible oldboy -m command -a "chmod 777 /etc/hosts warn=false"
ansible oldboy -m command -a "chmod 644 /etc/hosts warn=false"
ansible oldboy -m command -a "chown oldboy /etc/hosts warn=false"
ansible oldboy -m command -a "chown root /etc/hosts warn=false"
创建目录:mkdir /tmp/oldboy_dir
ansible oldboy -m file -a "dest=/tmp/oldboy_dir state=directory"
递归设置权限:
ansible oldboy -m file -a "dest=/tmp/oldboy_dir state=directory mode=644 recurse=yes"
创建文件:touch /tmp/oldboy_file
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=touch"
删除文件:rm -f /tmp/oldboy_file
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=absent"
创建链接文件:ln -s /etc/hosts /tmp/link_file
ansible oldboy -m file -a "src=/etc/hosts dest=/tmp/link_file state=link"
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=touch owner=oldboy group=oldboy mode=000"
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=touch owner=oldboy group=oldboy mode=ugo=rwx"
作业:批量创建5个用户oldboy01-05,然后设置123456密码,然后同时在所有客户端执行。
知识----能力-----价值-----金钱
12.6 yum模块功能说明:
功能说明:yum包管理模块
官方链接:http://docs.ansible.com/ansible/latest/yum_module.html
ansible oldboy -m command -a "yum install nginx -y"
ansible oldboy -m yum -a "name=nginx state=installed"
ansible oldboy -m yum -a "name=nc state=installed"
[root@nfs01 oldboy_dir]# rpm -qa nginx
nginx-1.10.2-1.el6.x86_64
###不要用yum卸载,可用rpm -e卸载。
ansible系统类型模块说明
12.7 systemd模块功能说明:(service模块)
功能说明:yum包管理模块
官方链接:http://docs.ansible.com/ansible/latest/service_module.html
参数说明:
service nfs restart
/etc/init.d/nfs restart
systemctl restart nfs
[root@backup /server/scripts]# ansible-doc -s systemd
- name: Manage services
systemd:
daemon_reload: # run daemon-reload before doing any other operations, to make sure systemd has read any
changes.
enabled: # Whether the service should start on boot. *At least one of state and enabled are
required.*
force: # Whether to override existing symlinks.
masked: # Whether the unit should be masked or not, a masked unit is impossible to start.
name: # Name of the service. When using in a chroot environment you always need to specify the full name i.e. (crond.service).
no_block: # Do not synchronously wait for the requested operation to finish. Enqueued job will
continue without Ansible blocking on its completion.
scope: # run systemctl within a given service manager scope, either as the default system scope
(system), the current user's scope (user), or the scope of
all users (global). For systemd to work with 'user', the
executing user must have its own instance of dbus started
(systemd requirement). The user dbus process is normally
started during normal login, but not during the run of
Ansible tasks. Otherwise you will probably get a 'Failed
to connect to bus: no such file or directory' error.
state: # `started'/`stopped' are idempotent actions that will not run commands unless necessary.
`restarted' will always bounce the service. `reloaded'
will always reload.
user: # (deprecated) run ``systemctl`` talking to the service manager of the calling user, rather
than the service manager of the system. This option is
deprecated and will eventually be removed in 2.11. The
``scope`` option should be used instead.
实践:
ansible oldboy -m systemd -a "name=crond.service enabled=no state=stopped "
ansible oldboy -m command -a "systemctl status crond"
ansible oldboy -m systemd -a "name=crond.service enabled=yes state=started"
百度 ansible systemd
https://hoxis.github.io/ansible-system-modules.html
https://www.cnblogs.com/mcsiberiawolf/articles/10083626.html
[root@backup ~]# service crond restart
Redirecting to /bin/systemctl restart crond.service
#service模块功能说明:
功能说明:启动停止服务
官方链接:http://docs.ansible.com/ansible/latest/service_module.html
#相当于
#service crond stop|/etc/init.d/crond stop
#chkconfig crond off
ansible oldboy -m service -a "name=crond state=stop enabled=no"
#相当于/etc/init.d/crond start
chkconfig crond on
ansible oldboy -m service -a "name=crond state=started enabled=yes"
ansible oldboy -m command -a "name=crond state=started enabled=yes"
有选择才叫有能力。
足球场上,让拿球队员有选择,就容易进球。
不让对方有选择,就得人盯人。
12.8 cron模块功能说明:
功能说明:管理定时任务条目信息模块
cron Manage cron.d and crontab entries
官方链接:http://docs.ansible.com/ansible/latest/cron_module.html
定时任务格式:
* * * * * CMD
[root@backup ~]# ansible-doc -s cron
- name: Manage cron.d and crontab entries
cron:
backup: # If set, create a backup of the crontab before it is modified.
The location of the backup is
returned in the `backup_file'
variable by this module.
cron_file: # If specified, uses this file instead of an individual user's
crontab. If this is a relative
path, it is interpreted with
respect to /etc/cron.d. (If it
is absolute, it will typically
be /etc/crontab). Many linux
distros expect (and some
require) the filename portion
to consist solely of upper- and
lower-case letters, digits,
underscores, and hyphens. To
:...skipping...
- name: Manage cron.d and crontab entries
cron:
backup: # If set, create a backup of the crontab before it is modified.
The location of the backup is returned in the `backup_file'
variable by this module.
cron_file: # If specified, uses this file instead of an individual user's
crontab. If this is a relative
path, it is interpreted with
respect to /etc/cron.d. (If it
is absolute, it will typically
be /etc/crontab). Many linux
distros expect (and some
require) the filename portion
to consist solely of upper- and
lower-case letters, digits,
underscores, and hyphens. To
use the `cron_file' parameter
you must specify the `user' as
well.
disabled: # If the job should be disabled (commented out) in the crontab.
Only has effect if `state=present'.
env: # If set, manages a crontab's environment variable. New
variables are added on top of
crontab. "name" and "value"
parameters are the name and the
value of environment variable.
insertafter: # Used with `state=present' and `env'. If specified, the
environment variable will be
inserted after the declaration
of specified environment
variable.
insertbefore: # Used with `state=present' and `env'. If specified, the
environment variable will be
inserted before the declaration
of specified environment
variable.
name: # Description of a crontab entry or, if env is set, the name of
environment variable. Required if state=absent. Note that if
name is not set and state=present, then a new
crontab entry will always be
created, regardless of existing
ones.
reboot: # If the job should be run at reboot. This option is deprecated.
Users should use special_time.
special_time: # Special time specification nickname.
state: # Whether to ensure the job or environment variable is present
or absent.
user: # The specific user whose crontab should be modified.
定时任务格式:
* * * * * CMD
定时任务时间参数:
minute: # Minute when the job should run ( 0-59, *, */2, etc )
hour: # Hour when the job should run ( 0-23, *, */2, etc )
day: # Day of the month the job should run ( 1-31, *, */2, etc )
month: # Month of the year the job should run ( 1-12, *, */2, etc )
weekday: # Day of the week that the job should run ( 0-6 for Sunday-Saturday, *, etc )
job: # The command to execute or, if env is set, the value of environment variable. The
command should not contain line breaks. Required if state=present.
创建定时任务:
ansible oldboy -m cron -a "name='sync time' minute=00 hour=00 job='/usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1'"
[root@backup ~]# crontab -l
#crond-id-001:time sync by oldboy
*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1
#Ansible: sync time
00 00 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1
结果:
#Ansible: sync time
00 00 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1
添加如下定时任务:
05 03 * * * /bin/sh /server/scripts/backup.sh >/dev/null 2>&1
命令如下:
ansible oldboy -m cron -a "name='backup data' minute=05 hour=03 job='/bin/sh /server/scripts/backup.sh >/dev/null 2>&1'"
结果:
#Ansible: backup data
05 03 * * * /bin/sh /server/scripts/backup.sh /server/scripts/list >/dev/null 2>&1
删除定时任务:state=absent backup=yes
ansible oldboy -m cron -a "name='backup data' state=absent backup=yes"
名字不变的前提下,修改ansible参数内容,就是修改定时任务。
查看结果:
[root@nfs01 /server/scripts]# crontab -l
#crond-id-001:time sync by oldboy
*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1
##bak config by oldboy at 2020.10.10
00 00 * * * /bin/sh /server/scripts/bak.sh >/dev/null 2>&1
[root@nfs01 /server/scripts]#
[root@nfs01 /server/scripts]# cat /tmp/crontabdMTe3e
#crond-id-001:time sync by oldboy
*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1
##bak config by oldboy at 2020.10.10
00 00 * * * /bin/sh /server/scripts/bak.sh >/dev/null 2>&1
#Ansible: backup data
05 03 * * * /bin/sh /server/scripts/backup.sh >/dev/null 2>&1
注释定时任务:disabled=yes
[root@m01 ~]# ansible oldboy -m cron -a "name='backup data' minute=05 hour=04 job='/bin/sh /server/scripts/backup.sh' disabled=yes"
替代方案:
自学mount模块。
============================================================
============================================================
今晚24日项目实践一分钟内,一键完成三个项目的安装:
1)各一键完成rsync服务端和客户端。 #完成
2)各一键完成nfs服务端和客户端。
3)各一键完成sersync服务端和客户端。
一个脚本one_key.sh或者一个ansible命令。完成
项目说明见:
老男孩教育_Linux58期-集群项目实战-03-三个项目实战大考察.pdf
管理配置好:
1、创建分发秘钥
2、安装ansible工具。
3、一键执行各服务脚本
具体服务一键实现的几个步骤:
1、计划要做。
2、单机安装好,步骤抽出来。
3、写成脚本,一键安装。
4、拿到管理机安装
1)一键完成rsync服务端安装。
剧本:
#1)安装
#yum install rsync -y
#2)配置配置文件/etc/rsyncd.conf
cp /etc/rsyncd.conf{,.ori}
cat>/etc/rsyncd.conf<<EOF
#rsync_config_______________start
#created by oldboy
#site: http://www.oldboyedu.com
uid = rsync
gid = rsync
use chroot = no
fake super = yes
max connections = 200
timeout = 600
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log
ignore errors
read only = false
list = false
hosts allow = 172.16.1.0/24
hosts deny = 0.0.0.0/32
auth users = rsync_backup
secrets file = /etc/rsync.password
[backup]
comment = welcome to oldboyedu backup!
path = /backup/
EOF
#3)创建用户和备份目录
useradd rsync
id rsync
mkdir -p /backup
chown -R rsync.rsync /backup/
ls -ld /backup/
#4)启动和检查
systemctl start rsyncd
systemctl enable rsyncd
systemctl status rsyncd
ps -ef|grep sync|grep -v grep #检查进程
netstat -lntup|grep 873 #检查端口
#5)配置密码文件
echo "rsync_backup:oldboy" > /etc/rsync.password
chmod 600 /etc/rsync.password
cat /etc/rsync.password
ls -l /etc/rsync.password
#rsync服务端配置完成。
#最终脚本路径/server/scripts/install_rsync_server.sh,需提前测试成功。
2)一键完成rsync客户端安装。
#方法1:认证密码文件
echo "oldboy" > /etc/rsync.password
chmod 600 /etc/rsync.password
cat /etc/rsync.password
ls -l /etc/rsync.password
rsync -avz /etc/hosts rsync_backup@172.16.1.41::backup --password-file=/etc/rsync.password
#最终脚本路径/server/scripts/install_rsync_client.sh,需提前测试成功。
3)配置管理机61-m01:
1)实现批量分发秘钥,免秘钥管理
#!/bin/bash
yum install ansible -y #含sshpass
[ ~/.ssh/id_rsa ]&& rm -fr ~/.ssh
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 31 41 7 8
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
ssh 172.16.1.$ip "ifconfig eth0"
done
#脚本路径/server/scripts/create_key.sh
4)实现文件分发和命令管理
方法1:脚本开发分发工具
[root@m01 /server/scripts]# cat fenfa.sh
#!/bin/sh
. /etc/init.d/functions
if [ $# -ne 2 ]
then
echo "usage:/bin/sh $0 localfile remotedir"
exit 1
fi
for n in `cat /etc/ssh/hosts`
do
scp -P 22 -rp $1 root@$n:$2 &>/dev/null
if [ $? -eq 0 ]
then
action "$n successful" /bin/true
else
action "$n failure" /bin/false
fi
done
=============
[root@m01 /server/scripts]# cat fenfa.sh
#!/bin/sh
for n in 7 31 41
do
scp -P 22 -rp $1 root@$n:$2 &>/dev/null
done
[root@m01 /server/scripts]# cat cmd.sh
for n in 31 41 7
do
echo "=====172.16.1.$n======"
ssh 172.16.1.$n "$1"
done
方法2:使用ansible工具
yum install ansible -y
[root@m01 /server/scripts]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
2)优化所有机器SSH
优化目标sshd_config
[root@m01 /server/scripts]# sed -n '17,22p' /etc/ssh/sshd_config
####Start by oldboy#2020-04-26###
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
#ListenAddress 172.16.1.7:22
####End by oldboy#2018-04-26###
方法1:脚本分发
[root@m01 /server/scripts]# sh fenfa.sh /etc/ssh/sshd_config /etc/ssh/
7 successful [ 确定 ]
31 successful [ 确定 ]
41 successful [ 确定 ]
[root@m01 /server/scripts]#
[root@m01 /server/scripts]#
[root@m01 /server/scripts]#
[root@m01 /server/scripts]# sh cmd.sh "systemctl restart sshd"
=====172.16.1.31======
=====172.16.1.41======
=====172.16.1.7======
方法2:使用ansible分发
ansible oldboy -m copy -a "src=/etc/ssh/sshd_config dest=/etc/ssh/sshd_config backup=yes"
ansible oldboy -m shell -a "systemctl restart sshd"
从管理机实现一键安装install_rsync_server.sh
ansible 172.16.1.41 -m script -a "/server/scripts/install_rsync_server.sh"
[root@m01 /server/scripts]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
172.16.1.8
[rsync_client]
172.16.1.31
172.16.1.8
ansible rsync_client -m script -a "/server/scripts/install_rsync_client.sh"
实现从管理机一键完成安装rsync服务端和客户端
3)一键完成nfs服务端。
4)一键完成nfs客户端。
5)一键完成sersync服务端。
6)一键完成sersync客户端。
一个脚本one_key.sh或者一个ansible命令。完成
项目实践作业:
rsync服务端写成脚本 r1.sh
rsync客户端写成脚本 r2.sh
nfs服务端写成脚本 n1.sh
nfs客户端写成脚本 n2.sh
sersync服务端写成脚本 s1.sh
sersync客户端写成脚本 s2.sh
/server/scripts/one_key_gaoding.sh
ansible r1 -m copy -a "src=/server/scripts/r1.sh dest=/server/scripts/ mode=ugo+x"
ansible r1 -m shell -a "sh /server/scripts/r1.sh"
ansible r1 -m copy -a "src=/server/scripts/r2.sh dest=/server/scripts/ mode=ugo+x"
ansible r2 -m shell -a "sh /server/scripts/r2.sh"
ansible n1 -m shell -a "sh /server/scripts/n1.sh"
ansible n2 -m shell -a "sh /server/scripts/n2.sh"
ansible s1 -m shell -a "sh /server/scripts/s1.sh"
ansible s2 -m shell -a "sh /server/scripts/s2.sh"
/bin/sh /server/scripts/one_key_gaoding.sh
也可以使用script模块,替代copy+shell模块
12.8 playbook
12.8.1 什么是playbook?
把所有操作按照ansible编程语法,放在文件里执行就是playbook。
12.8.2 ansible剧本编写格式说明
ansible剧本遵循PYyaml语法规则进行编写,yaml文件基本编写规则如下说明:
规则一:缩进
yaml使用一个固定的缩进风格表示数据层结构关系,需要每个缩进级别由两个空格组成。切记一定不能使用tab键进行缩进。
规则二:冒号
每个冒号后面一定要有一个空格(以冒号结尾不需要空格,表示文件路径的模版可以不需要空格)
规则三:短横线
想要表示列表项,使用一个短横杠加一个空格。多个项使用同样的缩进级别作为同一个列表的一部分
1.YAML介绍
YAML是一个可读性高的用来表达资料序列的格式。YAML参考了其他多种语言,包括:XML、C语言、Python、Perl以及电子邮件格式RFC2822等。Clark Evans在2001年在首次发表了这种语言,另外Ingy dt Net与Oren Ben-Kiki也是这语言的共同设计者。
YAML Ain't Markup Language,即YAML不是XML。不过,在开发的这种语言时,YAML的意思其实是:"Yet Another Markup Language"(仍是一种标记语言)。其特性:
YAML的可读性好
YAML和脚本语言的交互性好
YAML使用实现语言的数据类型
YAML有一个一致的信息模型
YAML易于实现
YAML可以基于流来处理
YAML表达能力强,扩展性好
更多的内容及规范参见http://www.yaml.org。
12.8.3 playbook替代方案
playbook替代方案1:不同样
[root@m01 ~]# cat ansible.sh #判断 循环,可以脚本实现。
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=touch"
ansible oldboy -m file -a "dest=/tmp/oldboy_file state=touch owner=oldboy group=oldboy mode=ugo=rwx"
ansible oldboy -m yum -a "name=nginx state=installed"
ansible oldboy -m service -a "name=crond state=started enabled=yes"
ansible oldboy -m cron -a "name='sync time' minute=00 hour=00 job='/usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1'"
playbook替代方案2:通用
[root@m01 ~]# cat ~/set.sh
touch /tmp/oldboy_file
chown oldboy.oldboy /tmp/oldboy_file
yum install nginx -y
/etc/init.d/crond start
chkconfig cornd on
echo '#sync time oldboy' >>/var/spool/cron/root
echo '00 00 * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1' >>/var/spool/cron/root
执行:
ansible oldboy -m script -a "~/set.sh"
12.8.4实践
ansible oldboy -m shell -a "echo oldboy linux. >/tmp/oldboy.log"
把这行命令写成剧本:
准备:
mkdir -p /etc/ansible/yaml
cd /etc/ansible/yaml
vim p1.yml
开始编写:
[root@m01 /etc/ansible/yaml]# cat /etc/ansible/yaml/p1.yml
- hosts: oldboy
tasks:
- name: Create a log file
shell: echo oldboy linux. >/tmp/oldboy.log
[root@m01 /etc/ansible/yaml]# cat p2.yml
- hosts: oldboy
tasks:
- shell: echo oldboy linux. >/tmp/oldboy.log
[root@m01 /etc/ansible/yaml]# ansible-playbook -C /etc/ansible/yaml/p1.yml
说明:利用ansibl-playbook命令执行剧本,-C参数表示测试剧本任务执行,类似话剧的彩排一样。
PLAY [oldboy] ***********************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************
ok: [172.16.1.41]
ok: [172.16.1.31]
TASK [Create a log file] ************************************************************************************************
skipping: [172.16.1.41]
skipping: [172.16.1.31]
PLAY RECAP **************************************************************************************************************
172.16.1.31 : ok=1 changed=0 unreachable=0 failed=0
172.16.1.41 : ok=1 changed=0 unreachable=0 failed=0
执行:
[root@m01 /etc/ansible/yaml]# ansible-playbook /etc/ansible/yaml/p1.yml
PLAY [oldboy] ***********************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************
ok: [172.16.1.31]
ok: [172.16.1.41]
TASK [Create a log file] ************************************************************************************************
changed: [172.16.1.31]
changed: [172.16.1.41]
PLAY RECAP **************************************************************************************************************
172.16.1.31 : ok=2 changed=1 unreachable=0 failed=0
172.16.1.41 : ok=2 changed=1 unreachable=0 failed=0
ansible oldboy -m file -a "dest=/tmp/oldboy1 state=touch"
编写剧本:
[root@m01 /etc/ansible/yaml]# cat p3.yml
- hosts: oldboy
remote_user: root
tasks:
- name: Create New File
file: name=/tmp/oldboy1 state=touch
定时任务:
ansible oldboy -m cron -a "name='sync time' minute=00 hour=00 job='/usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1'"
#crond-id-001:time sync by oldboy
*/5 * * * * /usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1
编写剧本:
[root@m01 /etc/ansible/yaml]# cat p4.yml
- hosts: oldboy
tasks:
- name: Cron time sync
cron: name='sync time' minute=*/10 job='/usr/sbin/ntpdate ntp3.aliyun.com >/dev/null 2>&1'
练习题:每周一1-5 上午8:30 /server/scripts/class.sh
编写剧本:
[root@m01 /etc/ansible/yaml]# cat p5.yml
- hosts: oldboy
tasks:
- name: Cron 每周1-5,8:30 老男孩脱产上课
cron: name='oldboy class' minute=30 hour=08 weekday=1-5 job='/bin/sh /server/scripts/class.sh>/dev/null 2>&1'
结果:
[root@nfs01 ~]# crontab -l|tail -2
#Ansible: oldboy class
30 08 * * 1-5 /bin/sh /server/scripts/class.sh>/dev/null 2>&1
ansible oldboy -m copy -a "src=/etc/rsyncd.conf dest=/etc/rsyncd.conf backup=yes"
ansible oldboy -m copy -a "content='rsync_backup:oldboy' dest=/etc/rsync.password backup=yes mode=0600"
编写剧本:
[root@m01 /etc/ansible/yaml]# cat p6.yml
- hosts: backup
tasks:
- name: copy rsyncd.conf
copy: src=/data/rsyncd.conf.template dest=/etc/rsyncd.conf mode=0600 backup=yes
- name: create rsync.password
copy: content='rsync_backup:oldboy' dest=/etc/rsync.password mode=0600
3个步骤
1、Linux命令行操作
#3)创建用户和备份目录
useradd rsync
id rsync
mkdir -p /backup
chown -R rsync.rsync /backup/
ls -ld /backup/
#4)启动和检查
systemctl start rsyncd
systemctl enable rsyncd
systemctl status rsyncd
2、ansible命令
ansible oldboy -m systemd -a "name=crond.service enabled=no state=stopped "
ansible oldboy -m command -a "systemctl status crond"
ansible oldboy -m systemd -a "name=crond.service enabled=yes state=started"
3、编写剧本:
[root@m01 ~]# cat /etc/ansible/yaml/p6.yml
- hosts: backup
tasks:
- name: copy rsyncd.conf
copy: src=/data/rsyncd.conf.template dest=/etc/rsyncd.conf mode=0600 backup=yes
- name: create rsync.password
copy: content='rsync_backup:oldboy' dest=/etc/rsync.password mode=0600
- name: create user 用user模块 替代
command: useradd rsync -s /sbin/nologin -M
- name: create dir 用file模块替代
command: mkdir -p /backup
- name: shouquan 用file模块替代
command: chown -R rsync.rsync /backup/
- name: startup rsyncd
systemd: name='rsyncd.service' state=restarted enabled=yes
执行三部曲:
ansible-playbook --syntax-check /etc/ansible/yaml/p6.yml
ansible-playbook -C /etc/ansible/yaml/p6.yml
ansible-playbook /etc/ansible/yaml/p6.yml
检测结果:
rsync -avz /etc/hosts rsync_backup@172.16.1.41::backup --password-file=/etc/rsync.password
今晚25日项目实践一分钟内,一键完成三个项目的安装:
使用playbook完成如下配置:
1)各一键完成rsync服务端和客户端。 #完成
2)各一键完成nfs服务端和客户端。
3)各一键完成sersync服务端和客户端。
一个脚本one_key.sh或者一个ansible命令。完成
- name: This command will change the working directory to somedir/ and will only run when /path/to/database doesn't exist.
command: /usr/bin/make_database.sh arg1 arg2
args:
chdir: somedir/
creates: /path/to/database
