ansible 的一个典型例子
李二花 / 2020-05-16
关键词:ansible
例子的tree
├── Makefile # makefile 文件
├── ansible.cfg # ansible 配置文件,存放的是一些基本的ssh等的配置
├── group_vars #
│ └── all
├── hosts # inventory 设置,用于配置与主机和主机组相关的东西, 是 inventory 主文件
├── roles # 存放的是playbook可以执行的role有关的所有的东西
│ ├── base-env
│ │ └── vars
│ │ └── main.yml
│ └── goldeneye
│ ├── files
│ │ ├── gitconfig
│ │ ├── logrotate.conf
│ │ └── supervisord.conf
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── aethas.supervisor.conf.j2
│ │ ├── aws.config.j2
│ │ ├── prod_config.json.j2
│ │ └── test_config.json.j2
│ └── vars
│ └── main.yml
└── site.yml # 执行playbook命令时需要携带的配置文件,这里面定义了 playbook 应用的机器(inventory配置的,通过名字去选择)和 执行的role (roles里配置的,通过名字选择)
关于hosts文件(inventory 文件) > 在 inventory 主文件中保存所有的变量并不是最佳的方式.还可以保存在独立的文件中,这些独立文件与 inventory 文件保持关联. 不同于 inventory 文件(INI 格式),这些独立文件的格式为 YAML
换句话说,如果hosts里的机器等配置特别多,特别杂,适合单开新的 hostvars 和 groupvars来定义配置,但是如果机器很少,甚至只有一台,那么完全可以直接用 hosts 就好了
比如可以转成如下的形式:
├── ansible.cfg
├── group_vars
│ └── goldeneye-test # hosts里有一个goldeneye-test的机器,在这里可以对应放置这个机器的配置,比如ssh key 的地址等等~
├── hosts
├── roles
执行的一个playbook的命令:
ansible-playbook -i hosts --become --become-method sudo -f 2 -e "app_version=$(VERSION)" site.yml
简单配置解释 - -i 后面跟的是inventory配置文件(机器与机器组) - –become 是一个bool值,因此后面不跟参数,这个参数的意思指的是ansible在目标机器上运行时需要进行提权运行(切换更高的user),true代表提权 - –become-method 后面接的参数是提权后的用户,后面接的参数代表提权为 root 用户 - -f 并行任务数 参数2 代表并行为2 - -e 在Playbook中引入外部参数变量, 这里定义好的app_version变量,可以直接在 role 里使用 - site.yml 配置文件,携带着需要在哪些机器上运行 playbook 和运行哪些role的配置信息,以及一些role里使用的变量文件
playbook 可携带的参数详解
Options:
--ask-vault-pass
#ask for vault password
#加密playbook文件时提示输入密码
-C, --check
#don't make any changes; instead, try to predict some of the changes that may occur
#模拟执行,不会真正在机器上执行(查看执行会产生什么变化)
-D, --diff
#when changing (small) files and templates, show the differences in those files; works great with --check
#当更新的文件数及内容较少时,该选项可显示这些文件不同的地方,该选项结合-C用会有较好的效果
-e EXTRA_VARS, --extra-vars=EXTRA_VARS
#set additional variables as key=value or YAML/JSON
#在Playbook中引入外部参数变量
--flush-cache
#clear the fact cache
#将fact清除到的远程主机缓存
--force-handlers
#run handlers even if a task fails
#强制运行handlers的任务,即使在任务失败的情况下
-f FORKS, --forks=FORKS
#specify number of parallel processes to use(default=5)
#并行任务数。FORKS被指定为一个整数,默认是5
-h, --help
#show this help message and exit
#打开帮助文档API
-i INVENTORY, --inventory-file=INVENTORY
#specify inventory host path (default=/etc/ansible/hosts) or comma separated host list.
#指定要读取的Inventory文件
-l SUBSET, --limit=SUBSET
#further limit selected hosts to an additional pattern
#限定执行的主机范围
--list-hosts
#outputs a list of matching hosts; does not execute anything else
#列出执行匹配到的主机,但并不会执行
--list-tags
#list all available tags
#列出所有可用的tags
--list-tasks
#list all tasks that would be executed
#列出所有即将被执行的任务
-M MODULE_PATH, --module-path=MODULE_PATH
#specify path(s) to module library (default=None)
#要执行的模块的路径
--new-vault-password-file=NEW_VAULT_PASSWORD_FILE
#new vault password file for rekey
#
--output=OUTPUT_FILE
#output file name for encrypt or decrypt; use - for stdout
#
--skip-tags=SKIP_TAGS
#only run plays and tasks whose tags do not match these values
#跳过指定的tags任务
--start-at-task=START_AT_TASK
#start the playbook at the task matching this name
#从第几条任务(START_AT_TASK)开始执行
--step
#one-step-at-a-time: confirm each task before running
#逐步执行Playbook定义的任务,并经人工确认后继续执行下一步任务
--syntax-check
#perform a syntax check on the playbook, but do not execute it
#检查Playbook中的语法书写,并不实际执行
-t TAGS, --tags=TAGS
#only run plays and tasks tagged with these values
#指定执行该tags的任务
--vault-password-file=VAULT_PASSWORD_FILE
#vault password file
#
-v, --verbose
#verbose mode (-vvv for more, -vvvv to enable connection debugging)
#执行详细输出
--version
#show program's version number and exit
#显示版本
Connection Options:
control as whom and how to connect to hosts
-k, --ask-pass
#ask for connection password
#
--private-key=PRIVATE_KEY_FILE, --key-file=PRIVATE_KEY_FILE
#use this file to authenticate the connection
#
-u REMOTE_USER, --user=REMOTE_USER
#connect as this user (default=None)
#指定远程主机以USERNAME运行命令
-c CONNECTION, --connection=CONNECTION
#connection type to use (default=smart)
#指定连接方式,可用选项paramiko (SSH)、ssh、local,local方式常用于crontab和kickstarts
-T TIMEOUT, --timeout=TIMEOUT
#override the connection timeout in seconds(default=10)
#SSH连接超时时间设定,默认10s
--ssh-common-args=SSH_COMMON_ARGS
#specify common arguments to pass to sftp/scp/ssh (e.g.ProxyCommand)
#
--sftp-extra-args=SFTP_EXTRA_ARGS
#specify extra arguments to pass to sftp only (e.g. -f, -l)
#
--scp-extra-args=SCP_EXTRA_ARGS
#specify extra arguments to pass to scp only (e.g. -l)
#
--ssh-extra-args=SSH_EXTRA_ARGS
#specify extra arguments to pass to ssh only (e.g. -R)
#
Privilege Escalation Options:
control how and which user you become as on target hosts
-s, --sudo
#run operations with sudo (nopasswd) (deprecated, use become)
#相当于Linux系统下的sudo命令
-U SUDO_USER, --sudo-user=SUDO_USER
#desired sudo user (default=root) (deprecated, use become)
#使用sudo,相当于Linux下的sudo命令
-S, --su
#run operations with su (deprecated, use become)
#
-R SU_USER, --su-user=SU_USER
#run operations with su as this user (default=root)(deprecated, use become)
-b, --become
#run operations with become (does not imply password prompting)
#
--become-method=BECOME_METHOD
#privilege escalation method to use (default=sudo),valid choices: [ sudo | su | pbrun | pfexec | doas |dzdo | ksu | runas ]
#
--become-user=BECOME_USER
#run operations as this user (default=root)
#
--ask-sudo-pass
#ask for sudo password (deprecated, use become)
#传递sudo密码到远程主机,来保证sudo命令的正常运行
--ask-su-pass
#ask for su password (deprecated, use become)
#
-K, --ask-become-pass
#ask for privilege escalation password
#
ansible配置文件,ansible.cfg Ansible 的配置文件的查找顺序如下:
- 环境变量 ANSIBLE_CONFIG
- 当前目录下的 ansible.cfg (这个比较重要,一般用这个比较多)
- home 目录下的 ~/.ansible.cfg
- /etc/ansible/ansible.cfg
Ansible 使用找到的第一个文件,忽略其余的。
配置文件的几个组成部分: - [defaults] —>通用默认配置 - [privilegeescalation] —> 提权配置 - [paramikoconnection] - [ssh_connection] - [accelerate]
例子:
[defaults] --->通用默认配置
# some basic default values...
inventory = /etc/ansible/hosts 这个是默认库文件位置,脚本,或者存放可通信主机的目录
#library = /usr/share/my_modules/ Ansible默认搜寻模块的位置
remote_tmp = $HOME/.ansible/tmp Ansible 通过远程传输模块到远程主机,然后远程执行,执行后在清理现场.在有些场景下,你也许想使用默认路径希望像更换补丁一样使用
pattern = * 如果没有提供“hosts”节点,这是playbook要通信的默认主机组.默认值是对所有主机通信
forks = 5 在与主机通信时的默认并行进程数 ,默认是5d
poll_interval = 15 当具体的poll interval 没有定义时,多少时间回查一下这些任务的状态, 默认值是5秒
sudo_user = root sudo使用的默认用户 ,默认是root
#ask_sudo_pass = True 用来控制Ansible playbook 在执行sudo之前是否询问sudo密码.默认为no
#ask_pass = True 控制Ansible playbook 是否会自动默认弹出密码
transport = smart 通信机制.默认 值为’smart’。如果本地系统支持 ControlPersist技术的话,将会使用(基于OpenSSH)‘ssh’,如果不支持讲使用‘paramiko’.其他传输选项包括‘local’, ‘chroot’,’jail’等等
#remote_port = 22 远程SSH端口。 默认是22
module_lang = C 模块和系统之间通信的计算机语言,默认是C语言
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
gathering = implicit 控制默认facts收集(远程系统变量). 默认值为’implicit’, 每一次play,facts都会被收集
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles roles 路径指的是’roles/’下的额外目录,用于playbook搜索Ansible roles
# uncomment this to disable SSH key host checking
#host_key_checking = False 检查主机密钥
# change this for alternative sudo implementations
sudo_exe = sudo 如果在其他远程主机上使用另一种方式执sudu操作.可以使用该参数进行更换
# what flags to pass to sudo 传递sudo之外的参数
#sudo_flags = -H
# SSH timeout SSH超时时间
timeout = 10# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root 使用/usr/bin/ansible-playbook链接的默认用户名,如果不指定,会使用当前登录的用户名
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log 日志文件存放路径
# default module name for /usr/bin/ansible
#module_name = command ansible命令执行默认的模块
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh 在sudo环境下产生一个shell交互接口. 用户只在/bin/bash的或者sudo限制的一些场景中需要修改
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace 特定的优先级覆盖变量
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n 允许开启Jinja2拓展模块
# if set, always use this private key file for authentication, same as # if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file 私钥文件存储位置
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} 这个设置可以告知用户,Ansible修改了一个文件,并且手动写入的内容可能已经被覆盖.
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping" # messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True 显示任何跳过任务的状态 ,默认是显示
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False 如果所引用的变量名称错误的话, 将会导致ansible在执行步骤上失败
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True 允许禁用系统运行ansible相关的潜在问题警告
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True 允许在ansible-playbook输出结果中禁用“不建议使用”警告
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False 当shell和命令行模块被默认模块简化的时,Ansible 将默认发出警告
# set plugin path directories here, separate with colons
action_plugins = /usr/share/ansible_plugins/action_plugins
callback_plugins = /usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins = /usr/share/ansible_plugins/lookup_plugins
vars_plugins = /usr/share/ansible_plugins/vars_plugins
filter_plugins = /usr/share/ansible_plugins/filter_plugins
# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
#bin_ansible_callbacks = False 用来控制callback插件是否在运行 /usr/bin/ansible 的时候被加载. 这个模块将用于命令行的日志系统,发出通知等特性
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 #nocows = 1 默认ansible可以调用一些cowsay的特性 开启/禁用:0/1# don't like colors either?# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1#nocolor = 1 输出带上颜色区别, 开启/关闭:0/1# the CA certificate path used for validating SSL certs. This path
# should exist on the controlling node, not the target nodes
# common locations:
# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
# Fedora : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Ubuntu : /usr/share/ca-certificates/cacert.org/cacert.org.crt
#ca_file_path = # the http user-agent string to use when fetching urls. Some web server
# operators block the default urllib user agent as it is frequently used
# by malicious attacks/scripts, so we set it to something unique to
# avoid issues.
#http_user_agent = ansible-agent
# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored. This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
fact_caching = memory
# retry files
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry
[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False
[paramiko_connection]
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
#record_host_keys=False
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this# line to disable this behaviour.
#pty=False
[ssh_connection]
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it
#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
# The path to use for the ControlPath sockets. This defaults to
# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
# very long hostnames or very long path names (caused by long user names or
# deeply nested home directories) this can exceed the character limit on
# file socket names (108 characters for most platforms). In that case, you
# may wish to shorten the string below.
#
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False
# if True, make ansible use scp if the connection type is ssh
# (default is sftp)
#scp_if_ssh = True
[accelerate]
accelerate_port = 5099accelerate_timeout = 30accelerate_connect_timeout = 5.0# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
accelerate_daemon_timeout = 30 # If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default# is "no".
#accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default# needs to be changed to use the file system dependant context.
#special_context_filesystems=nfs,vboxsf,fuse
hosts 文件 就是我们说的inventory文件,用来定义主机和主机组 小例子:
10.0.0.4 ansible_ssh_pass='password'
10.0.0.7 ansible_ssh_pass='password'
[docker]
10.0.0.10[1:3]
[docker:vars]
ansible_ssh_pass='password'
[ansible:children]
docker
- 第一行与第二行,定义了主机 IP ,然后使用 Inventory 内置变量定义了 SSH 登入密码。
- 第三行定义了一个组叫 docker。
- 第四行定义了 docker 组下面 3 台主机从 10.0.0.101 ~ 10.0.0.103 。
- 第五行与第六行针对 docker 组使用 Inventory 内置变量定义 SSH 登入密码。
- 第七行与第八行定义了一个组 ansible,这个组下面包含 docker 组。
inventory 的内置参数如下:
ansible_ssh_host
将要连接的远程主机名.与你想要设定的主机的别名不同的话,可通过此变量设置.
ansible_ssh_port
ssh端口号.如果不是默认的端口号,通过此变量设置.
ansible_ssh_user
默认的 ssh 用户名
ansible_ssh_pass
ssh 密码(这种方式并不安全,我们强烈建议使用 --ask-pass 或 SSH 密钥)
ansible_sudo_pass
sudo 密码(这种方式并不安全,我们强烈建议使用 --ask-sudo-pass)
ansible_sudo_exe (new in version 1.8)
sudo 命令路径(适用于1.8及以上版本)
ansible_connection
与主机的连接类型.比如:local, ssh 或者 paramiko. Ansible 1.2 以前默认使用 paramiko.1.2 以后默认使用 'smart','smart' 方式会根据是否支持 ControlPersist, 来判断'ssh' 方式是否可行.
ansible_ssh_private_key_file
ssh 使用的私钥文件.适用于有多个密钥,而你不想使用 SSH 代理的情况.
ansible_shell_type
目标系统的shell类型.默认情况下,命令的执行使用 'sh' 语法,可设置为 'csh' 或 'fish'.
ansible_python_interpreter
目标主机的 python 路径.适用于的情况: 系统中有多个 Python, 或者命令路径不是"/usr/bin/python",比如 \*BSD, 或者 /usr/bin/python
不是 2.X 版本的 Python.我们不使用 "/usr/bin/env" 机制,因为这要求远程用户的路径设置正确,且要求 "python" 可执行程序名不可为 python以外的名字(实际有可能名为python26).
与 ansible_python_interpreter 的工作方式相同,可设定如 ruby 或 perl 的路径....
需要执行的playbook配置
例子:
- hosts: goldeneye-test
vars:
ENV: "test"
s3_path: "log"
roles:
- goldeneye
这里附一个对应的inventory文件的例子:
[goldeneye-test] # 主机组名字
52.204.76.3
[goldeneye-test:vars] # 主机组对应的配置
ansible_ssh_private_key_file=~/.ssh/websocketserver_goldeneye.pem
ansible_ssh_user=ubuntu
region=us
最开始有这个项目的tree,下面的解释可以对照着看。
解释: - hosts就是我们hosts文件里定义的主机和主机组名字,比如这里就是 inventory里的 goldeneye-test - roles:后面会讲到,会有一个roles的文件夹,放置的是对应的playbook的role,这个就是这个playbook需要执行的role的列表 - vars: 会在运行的role中用到的变量值
git克隆问题
https://codeday.me/bug/20181107/358872.html
- name: be sure prom-king has an up-to-date clone of its own repository
git:
repo: "ssh://[email protected]/prom-king.git"
dest: /home/promking/prom-king
accept_hostkey: yes
clone: yes
key_file: /home/promking/.ssh/id_rsa.pub
update: yes
使用用户名和密码
git clone https://fupeng.li.dev%40gmail.com:这里放我的密码@github.com/immotal/my_test.git
注意,为了识别出来,邮箱的中间需要把@换成 %40 来处理
使用 person access token
git clone https://oauth2:这里放我的[email protected]/immotal/my_test.git
access token 需要在github或者gitlab的个人头像处设置。
简单例子:
一个本地运行的playbook(如果是在本地机器运行的命令,需要添加local参数) 这个小例子完成了一个Python程序打包之后,上传到需要部署的机器上去的步骤
# hosts (inventry)
[local]
127.0.0.1 ansible_connection=local
# build.yml
- hosts: local
vars:
ENV: "test"
roles:
- local
# 执行的命令 , hosts 是上面那个 hosts 文件,build.yml 是上线那个文件
VERSION = master
ansible-playbook -i hosts -f 5 -e "console_version=$(VERSION)" build.yml
# local/task
# 其中{{}}中的变量存放在 local/vars中
- name: Build Strategy Code
connection: local
command: chdir={{ STRATEGY_DIR }} {{ PYTHON_ENV }} setup.py sdist
- name: SCP Strategy To Remote Machine
connection: local
command: chdir={{ DIST_DIR }} scp rock_strategy-{{ STRATEGY_VERSION }}.tar.gz {{ TEST_MACHINE }}
- name: Build Rock Code
connection: local
command: chdir={{ ROCK_DIR }} {{ PYTHON_ENV }} setup.py sdist
- name: SCP Rock To Remote Machine
connection: local
command: chdir={{ ROCK_DIST_DIR }} scp Rock-{{ ROCK_VERSION }}.tar.gz {{ TEST_MACHINE }}