在很多场景中我们都需要在多个主机上执行相同的命令或者是做相同的配置工作,此时,为了简化操作,我们可以借助一些自动化的工具来完成我们的需求,这种工具我们称之为自动化运维工具。ansible就是其中之一,下面我们就来用ansible来实现一些简单操作。
下面是ansible可以实现很多工具的功能,框架图如下所示:ansible不能实现操作系统的安装
ansible作者就是早期puppet和func的维护者之一,因为ansible充分吸取了puppet和func的优势,又力图避免他们的劣势。
OS Provisioning
PXE,cobbler
OS config
cfengine,puppet,saltstack, chef
Deployment
func(ssl)
fabric(ssh)
ansible(既具有OS config的功能又具有Deployment功能)
如何指挥一台主机上实现控制多台主机运行相同的命令?要指挥其他系统工作不仅仅是非特权的操作,比如创建一个账号,这通常都是和系统安全密切相关的。所以这种远程指挥工具,必须使用一种非常安全的方式进行。如何实现呢?
1.基于ssl加密远程连接;
2.基于ssh远程发送控制指令,让对方接收指令并运行;
基于ssl来如何实现?都会事先要求被管理端安装上一个应用程序,应用程序本身以特权方式运行,能够接收控制端二者能够对接的应用程序所发来的指令,并接收到指令在本地运行,并把运行的结果反馈给指令发送端,需要一种专门的程序在被控制端上能够接收控制端所发来的各种指令并且将指令运行后的结果反馈给控制端的程序称为控制程序的agent。agent之间的通信就是通过ssl加密,工作机制就是https协议,虽然使用https协议但其并不是一个http服务器。
如果不期望也不需要依赖于被控制安装一个agent的话,可以基于ssh来实现,意味着被控制端都运行着ssh服务,而这里所谓的远程控制端则以ssh客户端的方式向服务器端发起请求。服务器接收到请求后并运行。ssh连接每次都需要认证,ssh支持密钥认证,也可以都使用基于密钥认证,就不用输入密码了。
运维工具
基于agent:通常基于ssl实现,例如puppet, funct等
基于agentless:通常基于ssh实现,例如fabric, ansible等
这些工具都具有
幂等性:(同一个操作执行多半得到的结果是相同的)
期望状态:(只提供条件给ansible,至于实现过程由执行条件来自动完成,)
Several Tools In One
Conguration (cfengine, Chef, Puppet)
Deployment (Capistrano, Fabric)
Ad-Hoc Tasks (Func)
Multi-tier Orchestration (Juju, sort of)
ansible 特性
Minimal learning curve, auditability (学习曲线低)
No bootstrapping
No DAG ordering, Fails Fast
No agents (other than sshd) – 0 resource consumptionwhen not in use
No server
No additional PKI
Modules in any language
YAML, not code
SSH by default
Strong multi-tier solution
ansible是基于模块工作的,他的每一种功能都依赖于模块,ansible自身只是一个框架,它能够指挥着远程主机做某些操作,但是每一个特定操作都需要模块来实现,比如依赖yum模块,可以让远程工具用yum源的方式安装应用程序或者卸载应用程序,可以基于command模块让远程主机执行命令等。
如果需要让远程主机同时运行多个任务,此时就需要多项配置,这多项配置可以定义在一个文本文件中,让ansible通过读取这个文件一次性把任务都执行完,而此文件就叫playbook(剧本),playbook是yaml格式的,但是yaml只是所谓的文档格式。
ansible的架构
ansible是通过指挥着多个远程主机来完成运维工作,hostX是远程主机(被指挥段),ansible连接每一个被指挥端让其能够工作时,是使用连接插件(Connection Plugins)向每一个被控制端发起连接请求,这个连接请求是ssh的,ansible需要读取配置文件,在配置文件中事先定义好有主机组,这些主机组都是分别做不同的功用的,就要依赖于(Host Inventory),这个文件可以静态的(手动编写好)也可以动态生成,这个文件中把主机事先分好组,而后使用ansible指挥操作时,ansible会自动读取那个配置文件,去获取指定组名下都有哪些主机而后仅去连接所指定的组名下的主机,在默认情况ansible只控制5台节点,5个完成后就接着去执行下面的5个,一批一批去执行,要改变其值可以自己设定,ansible模块有两类:核心模块、自定义模块(可以使用多种语言开发属于自己的模块),【工作过程:用户指定主机,ansible读取Inventory获取主机,然后去连接主机,并且借助模块,通过Connection Plugins向主机发送指令,每一个节点运行指令,并返回结果】,要使用其他什么功能都可以通过加载对应的插件来实现。
ansible是基于Python研发的,官方站点:www.ansible.com/home,Linux下centos 6.6在epel源上提供了其rpm包,查看一下
ansible.noarch 1.9.0.1-2.el6 epel
此处yum源为阿里云的配置如下:
[epel]
nama=epel package
baseurl=http://mirrors.aliyun.com/epel/6/x86_64/
gpgcheck=1
enabled=1
gpgkey=http://mirrors.aliyun.com/epel/RPM-GPG-KEY-EPEL-6
使用ansible实现的简单架构:
这里的实验中nodeX和hostname是对应的
在node1上安装ansible
[[email protected] ~]# yum install ansible -y
Installed: 安装的包
ansible.noarch 0:1.9.0.1-2.el6
Dependency Installed: 安装依赖的包
PyYAML.x86_64 0:3.10-3.1.el6 libyaml.x86_64 0:0.1.3-4.el6_6
python-babel.noarch 0:0.9.4-5.1.el6 python-crypto.x86_64 0:2.0.1-22.el6
python-crypto2.6.x86_64 0:2.6.1-2.el6 python-httplib2.noarch 0:0.7.7-1.el6
python-jinja2.x86_64 0:2.2.1-2.el6_5 python-keyczar.noarch 0:0.71c-1.el6
python-paramiko.noarch 0:1.7.5-2.1.el6 python-pyasn1.noarch 0:0.0.12a-1.el6
python-setuptools.noarch 0:0.6.10-3.el6 python-simplejson.x86_64 0:2.0.9-3.1.el6
查看安装ansible生成了哪些文件
[[email protected] ~]# rpm -ql ansible | less
/etc/ansible
/etc/ansible/ansible.cfg 主配置文件
/etc/ansible/hosts 主机分组定义的文件
/etc/ansible/roles
/usr/bin/ansible
/usr/bin/ansible-doc
/usr/bin/ansible-galaxy
/usr/bin/ansible-playbook 运行定义好的playbook程序
/usr/bin/ansible-pull 工作在推送模式
/usr/bin/ansible-vault 把playbook文件解密存放的
。。。。。
查看ansible命令的使用
[[email protected] ~]# ansible -h
Usage: ansible <host-pattern> [options]
<hostpattern> 主机模式
host-pattern
A name of a group in the inventory file, a shell-like glob selecting hosts in inventory file, or any combination of the two separated by semicolons.
-k, --ask-pass ask for SSH password 提示用户输入密码
-a ‘ARGUMENTS‘, --args=‘ARGUMENTS‘ The ARGUMENTS to pass to the module.
常用模块:
command 这里不能执行管道
user
copy
cron
file
filesystem
group
hostname
ping
yum
service
shell
script
/etc/ansible/hosts 文件的说明一定要注意此文件的属性
[[email protected] ~]# ls -l /etc/ansible/hosts
-rw-r--r-- 1 root root 965 Mar 26 10:25 /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments be=ginwith the ‘#‘ character
# - Blank linesare ignored
# - Groups of hosts are delimited by [header] elements
# - You canenter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers. 没有分组的定义
# Ex 2: A collection of hosts belonging to the‘webservers‘ group这里是通过分组定义的
[webservers]
# If you have multiple hosts following a pattern you can specify 分组定义中的模式匹配
# them like this:
www[001:006].example.com 表示www.001.example.com到www.006.example.com是指定范文匹配的
修改文件自定义,先备份文件,后删除全部内容,添加如下
[constrol]
192.168.21.234
192.168.21.230
同一个主机可以在多个组中定义的
[[email protected] ~]# cp /etc/ansible/hosts /etc/ansible/hosts.bak
[[email protected] ~]# vim /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the ‘#‘ character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
[constrol]
192.168.21.234
192.168.21.230
#ansible <host pattern> [-m MODULE] -a ‘MODULE_ARGS‘
连接执行date命令
[[email protected] ~]# ansible constrol -m command -a ‘date‘
The authenticity of host ‘192.168.21.230 (192.168.21.230)‘ can‘t be established.
RSA key fingerprint is 4f:33:a8:ce:34:20:2f:04:3b:ad:c9:26:f4:bd:d0:f5.
Are you sure you want to continue connecting (yes/no)? yes
192.168.21.230 | FAILED => SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
while connecting to 192.168.21.230:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
The authenticity of host ‘192.168.21.234 (192.168.21.234)‘ can‘t be established.
RSA key fingerprint is 30:43:cb:45:98:67:51:e5:36:82:e6:62:03:5e:98:fc.
Are you sure you want to continue connecting (yes/no)? yes
192.168.21.234 | FAILED => SSH Error: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
while connecting to 192.168.21.234:22
It is sometimes useful to re-run the command using -vvvv, which prints SSH debug output to help diagnose the issue.
SSH连接期间遇到了一个未知错误。我们建议您使用-vvvv重新运行命令,这将使SSH调试输出来帮助诊断问题
使用ansible constrol -m command -a ‘date‘ –vvvv可以查看详细的帮助信息
默认需要基于密钥方式来认证,-k指定需要基于口令来进行认证
[[email protected] ~]# ansible constrol -m command -a ‘date‘ -k
SSH password:
192.168.21.234 | FAILED => to use the ‘ssh‘ connection type with passwords, you must install the sshpass program
192.168.21.230 | FAILED => to use the ‘ssh‘ connection type with passwords, you must install the sshpass program
提示需要安装sshpass,安装sshpass,sshpass也是epel源提供的
[[email protected] ~]# yum install -y sshpass
[[email protected] ~]# ansible constrol -m command -a ‘date‘ -k
SSH password: 注意因为此处两端的口令一样,所以只提示一次,不一样的话会提示两次
192.168.21.230 | success | rc=0 >>
Tue Apr 7 01:11:47 CST 2015
192.168.21.234 | success | rc=0 >>
Mon Apr 13 03:12:42 CST 2015
被控制节点ip 执行成功 成功码显示
在主控节点上显示被控制节点上磁盘使用情况
[[email protected] ~]# ansible constrol -m command -a ‘df -lhP‘ -k
SSH password:
192.168.21.234 | success | rc=0 >>
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_lvm-lv1 20G 1.8G 17G 10% /
tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 190M 27M 153M 16% /boot
/dev/mapper/vg_lvm-lv2 9.8G 112M 9.2G 2% /var
192.168.21.230 | success | rc=0 >>
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_lvm-lv1 20G 814M 18G 5% /
tmpfs 491M 0 491M 0% /dev/shm
/dev/sda1 190M 27M 153M 15% /boot
/dev/mapper/vg_lvm-lv2 9.8G 110M 9.2G 2% /var
现在每次发送到被控节点上执行的指令都会提示说输入口令,我们把口令在配置文件中指定就不用每次都输入了,修改/etc/ansible/hosts文件指定密码选项 ansible_ssh_pass=password
我们的密码为123456,所以修改后如下:
[[email protected] ~]# cat /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the ‘#‘ character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
[constrol]
192.168.21.234 ansible_ssh_pass=123456
192.168.21.230 ansible_ssh_pass=123456
此时不需要-k选项,不用输入密码了,使用指定用户登录可以用选项ansible_ssh_user=xxx,使用指定非标准端口ansible_ssh_port=xxx,显示各节点的date
[[email protected] ~]# ansible constrol -m command -a ‘date‘
192.168.21.234 | success | rc=0 >>
Mon Apr 13 03:21:15 CST 2015
192.168.21.230 | success | rc=0 >>
Tue Apr 7 01:20:20 CST 2015
在理时间不同步,使用ntpdate同步一下时间,时间服务器可以选择网络上的时间服务器,这里我们用的是time.windows.com
node3、node4节点都使用# crontab -e 添加如下内容
1 * * * * /usr/sbin/ntpdate time.windows.com > /dev/null 每小时同步一下时间,并把输出重定向到/dev/null上。
在远程主机上创建用户
[[email protected] ~]# ansible control -m command -a ‘useradd openstack‘
No hosts matched 这里如果hosts文件中不匹配也会提示的
[[email protected] ~]# ansible constrol -m command -a ‘useradd openstack‘
192.168.21.234 | success | rc=0 >>
192.168.21.230 | success | rc=0 >>
查看用户是否创建成功
[[email protected] ~]# ansible constrol -m command -a ‘tail -3 /etc/passwd‘
192.168.21.230 | success | rc=0 >>
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
openstack:x:500:500::/home/openstack:/bin/bash
192.168.21.234 | success | rc=0 >>
tcpdump:x:72:72::/:/sbin/nologin
mysql:x:498:498::/home/mysql:/sbin/nologin
openstack:x:500:500::/home/openstack:/bin/bash 发现用户已经成创建了
给用户指定密码
[[email protected] ~]# ansible constrol -m command -a ‘echo "puppet" | passwd --stdin openstack‘
192.168.21.234 | success | rc=0 >>
puppet | passwd --stdin openstack
192.168.21.230 | success | rc=0 >>
puppet | passwd --stdin openstack
[[email protected] ~]# ansible constrol -m command -a ‘tail -3 /etc/shadow‘
192.168.21.230 | success | rc=0 >>
sshd:!!:16519::::::
tcpdump:!!:16519::::::
openstack:!!:16531:0:99999:7::: 发现此时远程主机上没有设置好密码,上面命令只是显示而已,其实创建用户和密码有专门的模块实现的
192.168.21.234 | success | rc=0 >>
tcpdump:!!:16525::::::
mysql:!!:16525::::::
openstack:!!:16537:0:99999:7:::
获取模块帮助:
man ansible-doc -l
NAME
ansible-doc - show documentation on Ansible modules
SYNOPSIS
ansible-doc [-M module_path] [-l] [-s] [module...]
-l, --list=
Produce a terse listing of modules and a short description of each.
-s, --snippet Show playbook snippet for specified module(s)
[[email protected] ~]# ansible-doc -l
a10_server Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
a10_service_group Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
a10_virtual_server Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
acl Sets and retrieves file ACL information.
add_host add a host (and alternatively a group) to the ansible-playbook in-m...
airbrake_deployment Notify airbrake about app deployments
....................
ansible-doc MODULE_NAME回车后就会显示对应模块的使用帮助
[[email protected] ~]# ansible-doc command
less 436
Copyright (C) 1984-2009 Mark Nudelman
less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
> COMMAND
The [command] module takes the command name followed by a list of
space-delimited arguments. The given command will be executed on all
selected nodes. It will not be processed through the shell, so
variables like `$HOME‘ and operations like `"<"‘, `">"‘, `"|"‘, and
`"&"‘ will not work (use the [shell] module if you need these
features).
Options (= is mandatory):
- chdir
cd into this directory before running the command [Default:
None]
- creates
a filename, when it already exists, this step will *not* be
run. [Default: None]
。。。。。。。。。。
user模块查看帮助
[[email protected] ~]# ansible-doc user
less 436
Copyright (C) 1984-2009 Mark Nudelman
less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
> USER
Manage user accounts and user attributes.
Options (= is mandatory):
- append
If `yes‘, will only add groups, not set them to just the list
in `groups‘. (Choices: yes, no) [Default: no]
- comment
Optionally sets the description (aka `GECOS‘) of user account.
。。。。。。。。。。。。。。
后面还有实例
EXAMPLES:
# Add the user ‘johnd‘ with a specific uid and a primary group of ‘admin‘
- user: name=johnd comment="John Doe" uid=1040 group=admin
# Add the user ‘james‘ with a bash shell, appending the group ‘admins‘ and ‘developers‘ to the user‘s
- user: name=james shell=/bin/bash groups=admins,developers append=yes
# Remove the user ‘johnd‘
- user: name=johnd state=absent remove=yes
# Create a 2048-bit SSH key for user jsmith in ~jsmith/.ssh/id_rsa
- user: name=jsmith generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa
用openssl生成随机的salt
[[email protected] ~]# openssl rand -hex 4
98a4afbe
生成加密后的密码
[[email protected] ~]# openssl passwd -1 -salt `openssl rand -hex 4`
Password:
$1$653fbb05$asLazeKl3u0SNit6lZWOe.
以密码为参数通过user模块来传递过去
[[email protected] ~]# ansible constrol -m user -a ‘name=openstack password=$1$653fbb05$asLazeKl3u0SNit6lZWOe.‘
192.168.21.230 | success >> {
"append": false,
"changed": true,
"comment": "",
"group": 500,
"home": "/home/openstack",
"move_home": false,
"name": "openstack",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"uid": 500
}
192.168.21.234 | success >> {
"append": false,
"changed": true,
"comment": "",
"group": 500,
"home": "/home/openstack",
"move_home": false,
"name": "openstack",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"uid": 500
}
查看发现密码已经生成了
[[email protected] ~]# ansible constrol -m command -a ‘tail -3 /etc/shadow‘
192.168.21.234 | success | rc=0 >>
tcpdump:!!:16525::::::
mysql:!!:16525::::::
openstack:$1$653fbb05$asLazeKl3u0SNit6lZWOe.:16538:0:99999:7:::
192.168.21.230 | success | rc=0 >>
sshd:!!:16519::::::
tcpdump:!!:16519::::::
openstack:$1$653fbb05$asLazeKl3u0SNit6lZWOe.:16538:0:99999:7:::
官网下ansible的所有模块列表
http://docs.ansible.com/list_of_all_modules.html
在hosts文件中指定用户和密码,修改后如下所示
[[email protected] ~]# cat /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the ‘#‘ character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
[constrol]
192.168.21.234 ansible_ssh_user=openstack ansible_ssh_pass=zabbix
192.168.21.230 ansible_ssh_pass=123456
查看系统上当前运行的用户是谁whoami
[[email protected] ~]# ansible constrol -m command -a ‘whoami‘
192.168.21.230 | success | rc=0 >>
root
192.168.21.234 | success | rc=0 >>
openstack
各常用模块
command 默认
#ansible constrol –m command –a ‘date’
user
Manage user accounts and userattributes. 管理用户账号和用户属性
#ansible constrol –m user –a ‘name=fedora password=xxxx’
copy Copiesfiles to remote locations.
The [copy] module copies a fileon the local box to remote locations. Use the [fetch]module to copy files from remote locations to the local box.
#ansibleconstrol –m copy –a ‘src=how.txt dest=/tmp’
cron 定义管理任务计划 Manage cron.d andcrontab entries.
#ansible constrol -m cron -a ‘name="print info" minute="*/3"job="echo How are you. >> /tmp/echo.txt‘
file Sets attributes offiles
file:src=/file/to/link/to dest=/path/to/symlink owner=foo group=foo state=link 创建符号链接的
state 如果是If `absent‘,directorieswill be recursively deleted, and files or symlinkswill be unlinked.
#ansiblecontrol –m file –a ‘dest=/tmp/you state=absent’ 会删除文件
filesystem Makes file system on block device
#Create a ext2 filesystem on /dev/sdb1.
- filesystem:fstype=ext2 dev=/dev/sdb1
group Add or remove groups
hostname
ping
Try to connect to host and return `pong‘ onsuccess.,探测主机是否在线
#ansibleconstrol –m ping
yum
Installs, upgrade, removes, andlists packages and groups with the
`yum‘ package manager.
#ansibleconstrol –m yum –a ‘name=tree state=present’
service Controls services on remote hosts.
#Example action to enable service httpd, and not touch the running state
- service:name=httpd enabled=yes(enabled开机是否自动启动)
#ansible constrol–m service –a ‘name=httpd state=restart’
shell
#ansible constrol -m shell -a ‘name=fedora password=fedora‘
script
#ansibleconstrol –m script –a ‘/root/xxx.sh’
copy模块使用
[[email protected] ~]# ansible-doc copy
> COPY
The [copy]module copies a file on the local box to remote locations. Usethe [fetch] module to copy files from remote locations tothe local box.
Options (= is mandatory): (”=”号开头的是必须的)
目标
= dest
Remoteabsolute path where the file should be copied to. If src is adirectory, this must be a directory too. [Default:None] 远程节点的位置(绝对路径)
源
- src
Localpath to a file to copy to the remote server; can be absoluteor relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contentsof that directory are copied to destination.
Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavioris similar to Rsync.[Default: None](可相对可绝对位置)
实例:
Notes: The"copy" module recursively copy facility does not scale to lots
(>hundreds) of files. For alternative, see synchronize module,which is a wrapper around rsync.
# Example from Ansible Playbooks
- copy: src=/srv/myfiles/foo.conf dest=/etc/foo.confowner=foo group=foo mode=0644
# The same example as above, but using a symbolic modeequivalent to 0644
- copy: src=/srv/myfiles/foo.conf dest=/etc/foo.confowner=foo group=foo mode="u=rw,g=r,o=r"
# Another symbolic mode example, adding somepermissions and removing others
- copy: src=/srv/myfiles/foo.conf dest=/etc/foo.confowner=foo group=foo mode="u+rw,g-wx,o-rwx"
# Copy a new "ntp.conf file into place, backing upthe original if it differs from the copied version
- copy: src=/mine/ntp.conf dest=/etc/ntp.confowner=root group=root mode=644 backup=yes
# Copy a new "sudoers" file into place, afterpassing validation with visudo
- copy: src=/mine/sudoers dest=/etc/sudoersvalidate=‘visudo -cf %s‘
新增一个复制的文件
[email protected] ~]# echo "The is new start." > start.txt
[[email protected] ~]# ansible constrol -m copy -a ‘src=/root/start.txt dest=/tmp/‘复制到/tmp目录下
192.168.21.230 | success >> {
"changed": true,
"checksum": "22be61e943af70c7ff8ae394428f195aaa72d10a",
"dest": "/tmp/start.txt",
"gid": 0,
"group": "root",
"md5sum": "589e84da9cb01000f0fccba722b6f4c2",
"mode": "0644",
"owner": "root",
"size": 18,
"src": "/root/.ansible/tmp/ansible-tmp-1427606759.7-78904826422288/source",
"state": "file",
"uid": 0
}
192.168.21.234 | success >> {
"changed": true,
"checksum": "22be61e943af70c7ff8ae394428f195aaa72d10a",
"dest": "/tmp/start.txt",
"gid": 500,
"group": "openstack",
"md5sum": "589e84da9cb01000f0fccba722b6f4c2",
"mode": "0664",
"owner": "openstack",
"size": 18,
"src": "/home/openstack/.ansible/tmp/ansible-tmp-1427606759.7-97947262909113/source",
"state": "file",
"uid": 500
}
[[email protected] ~]# ansible constrol -m command -a ‘cat /tmp/start.txt‘ 查看复制成功了
192.168.21.230 | success | rc=0 >>
The is new start.
192.168.21.234 | success | rc=0 >>
The is new start.
使用基于密钥的方式认证登录
[[email protected] ~]# ssh-keygen -t rsa -P ‘‘
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
11:b5:f7:85:ec:64:b1:b4:95:0b:e6:1c:48:0f:04:32 [email protected]
The key‘s randomart image is:
+--[ RSA 2048]----+
| E.o=+. o o|
| o. oo* B |
| . . =.X o|
| . . B o |
| S o |
| |
| |
| |
| |
+-----------------+
修改配置文件hosts
[[email protected] ~]# cat /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the ‘#‘ character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
[constrol]
192.168.21.234 ansible_ssh_pass=123456
192.168.21.230 ansible_ssh_pass=123456
[[email protected] ~]# ansible constrol -m copy -a ‘src=/root/.ssh/id_rsa.pub dest=/root/.ssh/authorized_keys owner=root group=root mode=0600‘
192.168.21.234 | success >> {
"changed": true,
"checksum": "062161f3b71748dfd975c8c4c4fce4fd4f935734",
"dest": "/root/.ssh/authorized_keys",
"gid": 0,
"group": "root",
"md5sum": "ad2489d1b76241e939c92001ac2a54c1",
"mode": "0600",
"owner": "root",
"size": 392,
"src": "/root/.ansible/tmp/ansible-tmp-1427607180.58-136701398329016/source",
"state": "file",
"uid": 0
}
192.168.21.230 | FAILED >> {
"checksum": "062161f3b71748dfd975c8c4c4fce4fd4f935734",
"failed": true,
"msg": "Destination directory /root/.ssh does not exist" 目录不存在
}
[[email protected] ~]# ansible constrol -m command -a ‘mkdir /root/.ssh‘
192.168.21.230 | success | rc=0 >>
192.168.21.234 | FAILED | rc=1 >>
mkdir: cannot create directory `/root/.ssh‘: File exists
[[email protected] ~]# ansible constrol -m copy -a ‘src=/root/.ssh/id_rsa.pub
dest=/root/.ssh/authorized_keys owner=root group=root mode=0600‘
此时ok了,既然是部署好了基于密钥方式认证,那么把hosts文件中的ansible_ssh_pass删除,如下
[[email protected] ~]# ansible all -a ‘date‘(all是所有主机)执行过程的详细信息可通过加-vvvv选项
192.168.21.230 | success | rc=0 >>
Mon Apr 13 18:32:55 CST 2015
192.168.21.234 | success | rc=0 >>
Mon Apr 13 18:32:55 CST 2015
[[email protected] ~]# vim /etc/ansible/hosts
[[email protected] ~]# cat /etc/ansible/hosts
# This is the default ansible ‘hosts‘ file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the ‘#‘ character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
[constrol]
192.168.21.234
192.168.21.230
[[email protected] ~]# ansible all -a ‘date‘ 发现ok了
192.168.21.230 | success | rc=0 >>
Mon Apr 13 18:33:26 CST 2015
192.168.21.234 | success | rc=0 >>
Mon Apr 13 18:33:31 CST 2015
配置文件部分内容
[[email protected] ~]# cat /etc/ansible/ansible.cfg
# config file for ansible -- http://ansible.com/
# ==============================================
# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first
[defaults]
# some basic default values...
inventory = /etc/ansible/hosts
#library = /usr/share/my_modules/
remote_tmp = $HOME/.ansible/tmp
pattern = *
forks = 5 每次可以处理的批量主机个数
poll_interval = 15
sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
transport = smart
#remote_port = 22 远程端口
。。。。。。。。。。
ping模块,查看远程主机是否在线
[[email protected] ~]# ansible-doc ping
less 436
Copyright (C) 1984-2009 Mark Nudelman
less comes with NO WARRANTY, to the extent permitted by law.
For information about the terms of redistribution,
see the file named README in the less distribution.
Homepage: http://www.greenwoodsoftware.com/less
> PING
A trivial test module, this module always returns `pong‘ on
successful contact. It does not make sense in playbooks, but it is
useful from `/usr/bin/ansible‘
EXAMPLES:
# Test ‘webservers‘ status
ansible webservers -m ping
[[email protected] ~]# ansible constrol -m ping
192.168.21.230 | success >> {
"changed": false,
"ping": "pong"
}
192.168.21.234 | success >> {
"changed": false,
"ping": "pong"
} ok了,都在线
本次ansible到此处结束,后面将介绍ansible的高级功能,使用playbook。欢迎关注