江湖夜雨十年灯

ansible 的一个典型例子

李二花 / 2020-05-16


关键词:ansible

例子的tree
├── Makefile  # makefile 文件
├── ansible.cfg    # ansible 配置文件,存放的是一些基本的ssh等的配置
├── group_vars  # 
│   └── all
├── hosts  # inventory 设置,用于配置与主机和主机组相关的东西, 是 inventory 主文件
├── roles  # 存放的是playbook可以执行的role有关的所有的东西
│   ├── base-env
│   │   └── vars
│   │       └── main.yml
│   └── goldeneye
│       ├── files
│       │   ├── gitconfig
│       │   ├── logrotate.conf
│       │   └── supervisord.conf
│       ├── meta
│       │   └── main.yml
│       ├── tasks
│       │   └── main.yml
│       ├── templates
│       │   ├── aethas.supervisor.conf.j2
│       │   ├── aws.config.j2
│       │   ├── prod_config.json.j2
│       │   └── test_config.json.j2
│       └── vars
│           └── main.yml
└── site.yml  # 执行playbook命令时需要携带的配置文件,这里面定义了 playbook 应用的机器(inventory配置的,通过名字去选择)和 执行的role (roles里配置的,通过名字选择)

关于hosts文件(inventory 文件) > 在 inventory 主文件中保存所有的变量并不是最佳的方式.还可以保存在独立的文件中,这些独立文件与 inventory 文件保持关联. 不同于 inventory 文件(INI 格式),这些独立文件的格式为 YAML

换句话说,如果hosts里的机器等配置特别多,特别杂,适合单开新的 hostvars 和 groupvars来定义配置,但是如果机器很少,甚至只有一台,那么完全可以直接用 hosts 就好了

比如可以转成如下的形式:

├── ansible.cfg
├── group_vars
│   └── goldeneye-test   # hosts里有一个goldeneye-test的机器,在这里可以对应放置这个机器的配置,比如ssh key 的地址等等~
├── hosts
├── roles

执行的一个playbook的命令:

ansible-playbook -i hosts --become --become-method sudo -f 2 -e "app_version=$(VERSION)" site.yml

简单配置解释 - -i 后面跟的是inventory配置文件(机器与机器组) - –become 是一个bool值,因此后面不跟参数,这个参数的意思指的是ansible在目标机器上运行时需要进行提权运行(切换更高的user),true代表提权 - –become-method 后面接的参数是提权后的用户,后面接的参数代表提权为 root 用户 - -f 并行任务数 参数2 代表并行为2 - -e 在Playbook中引入外部参数变量, 这里定义好的app_version变量,可以直接在 role 里使用 - site.yml 配置文件,携带着需要在哪些机器上运行 playbook 和运行哪些role的配置信息,以及一些role里使用的变量文件

playbook 可携带的参数详解

Options:
  --ask-vault-pass      
             #ask for vault password
             #加密playbook文件时提示输入密码
  -C, --check           
             #don't make any changes; instead, try to predict some of the changes that may occur
             #模拟执行,不会真正在机器上执行(查看执行会产生什么变化)
  -D, --diff            
             #when changing (small) files and templates, show the differences in those files; works great with --check
             #当更新的文件数及内容较少时,该选项可显示这些文件不同的地方,该选项结合-C用会有较好的效果
  -e EXTRA_VARS, --extra-vars=EXTRA_VARS
             #set additional variables as key=value or YAML/JSON
             #在Playbook中引入外部参数变量
  --flush-cache         
             #clear the fact cache
             #将fact清除到的远程主机缓存
  --force-handlers      
             #run handlers even if a task fails
             #强制运行handlers的任务,即使在任务失败的情况下
  -f FORKS, --forks=FORKS
             #specify number of parallel processes to use(default=5)
             #并行任务数。FORKS被指定为一个整数,默认是5
  -h, --help            
             #show this help message and exit
             #打开帮助文档API
  -i INVENTORY, --inventory-file=INVENTORY
             #specify inventory host path (default=/etc/ansible/hosts) or comma separated host list.
             #指定要读取的Inventory文件
  -l SUBSET, --limit=SUBSET
             #further limit selected hosts to an additional pattern
             #限定执行的主机范围
  --list-hosts          
             #outputs a list of matching hosts; does not execute anything else
             #列出执行匹配到的主机,但并不会执行
  --list-tags           
             #list all available tags
             #列出所有可用的tags
  --list-tasks          
             #list all tasks that would be executed
             #列出所有即将被执行的任务
  -M MODULE_PATH, --module-path=MODULE_PATH
             #specify path(s) to module library (default=None)
             #要执行的模块的路径
  --new-vault-password-file=NEW_VAULT_PASSWORD_FILE
             #new vault password file for rekey
             #
  --output=OUTPUT_FILE  
             #output file name for encrypt or decrypt; use - for stdout
             #
  --skip-tags=SKIP_TAGS
             #only run plays and tasks whose tags do not match these values
             #跳过指定的tags任务
  --start-at-task=START_AT_TASK
             #start the playbook at the task matching this name
             #从第几条任务(START_AT_TASK)开始执行
  --step                
             #one-step-at-a-time: confirm each task before running
             #逐步执行Playbook定义的任务,并经人工确认后继续执行下一步任务
  --syntax-check        
             #perform a syntax check on the playbook, but do not execute it
             #检查Playbook中的语法书写,并不实际执行
  -t TAGS, --tags=TAGS  
             #only run plays and tasks tagged with these values
             #指定执行该tags的任务
  --vault-password-file=VAULT_PASSWORD_FILE
             #vault password file
             #
  -v, --verbose         
             #verbose mode (-vvv for more, -vvvv to enable connection debugging)
             #执行详细输出
  --version             
             #show program's version number and exit
             #显示版本

  Connection Options:
    control as whom and how to connect to hosts

    -k, --ask-pass      
             #ask for connection password
             #
    --private-key=PRIVATE_KEY_FILE, --key-file=PRIVATE_KEY_FILE
             #use this file to authenticate the connection
             #
    -u REMOTE_USER, --user=REMOTE_USER
             #connect as this user (default=None)
             #指定远程主机以USERNAME运行命令
    -c CONNECTION, --connection=CONNECTION
             #connection type to use (default=smart)
             #指定连接方式,可用选项paramiko (SSH)、ssh、local,local方式常用于crontab和kickstarts
    -T TIMEOUT, --timeout=TIMEOUT
             #override the connection timeout in seconds(default=10)
             #SSH连接超时时间设定,默认10s
    --ssh-common-args=SSH_COMMON_ARGS
             #specify common arguments to pass to sftp/scp/ssh (e.g.ProxyCommand)
             #
    --sftp-extra-args=SFTP_EXTRA_ARGS
             #specify extra arguments to pass to sftp only (e.g. -f, -l)
             #
    --scp-extra-args=SCP_EXTRA_ARGS
             #specify extra arguments to pass to scp only (e.g. -l)
             #
    --ssh-extra-args=SSH_EXTRA_ARGS
             #specify extra arguments to pass to ssh only (e.g. -R)
             #

  Privilege Escalation Options:
    control how and which user you become as on target hosts

    -s, --sudo          
             #run operations with sudo (nopasswd) (deprecated, use become)
             #相当于Linux系统下的sudo命令
    -U SUDO_USER, --sudo-user=SUDO_USER
             #desired sudo user (default=root) (deprecated, use become)
             #使用sudo,相当于Linux下的sudo命令
    -S, --su            
             #run operations with su (deprecated, use become)
             #
    -R SU_USER, --su-user=SU_USER
             #run operations with su as this user (default=root)(deprecated, use become)
    -b, --become        
             #run operations with become (does not imply password prompting)
             #
    --become-method=BECOME_METHOD
             #privilege escalation method to use (default=sudo),valid choices: [ sudo | su | pbrun | pfexec | doas |dzdo | ksu | runas ]
             #
    --become-user=BECOME_USER
             #run operations as this user (default=root)
             #
    --ask-sudo-pass     
             #ask for sudo password (deprecated, use become)
             #传递sudo密码到远程主机,来保证sudo命令的正常运行
    --ask-su-pass       
             #ask for su password (deprecated, use become)
             #
    -K, --ask-become-pass
             #ask for privilege escalation password
             #

ansible配置文件,ansible.cfg Ansible 的配置文件的查找顺序如下:

Ansible 使用找到的第一个文件,忽略其余的。

配置文件的几个组成部分: - [defaults] —>通用默认配置 - [privilegeescalation] —> 提权配置 - [paramikoconnection] - [ssh_connection] - [accelerate]

例子:

[defaults]   --->通用默认配置

# some basic default values...

inventory      = /etc/ansible/hosts     这个是默认库文件位置,脚本,或者存放可通信主机的目录
#library        = /usr/share/my_modules/   Ansible默认搜寻模块的位置
remote_tmp     = $HOME/.ansible/tmp   Ansible 通过远程传输模块到远程主机,然后远程执行,执行后在清理现场.在有些场景下,你也许想使用默认路径希望像更换补丁一样使用
pattern        = *    如果没有提供“hosts”节点,这是playbook要通信的默认主机组.默认值是对所有主机通信
forks          = 5    在与主机通信时的默认并行进程数 ,默认是5d
poll_interval  = 15    当具体的poll interval 没有定义时,多少时间回查一下这些任务的状态, 默认值是5秒
sudo_user      = root   sudo使用的默认用户 ,默认是root
#ask_sudo_pass = True   用来控制Ansible playbook 在执行sudo之前是否询问sudo密码.默认为no
#ask_pass      = True    控制Ansible playbook 是否会自动默认弹出密码
transport      = smart   通信机制.默认 值为’smart’。如果本地系统支持 ControlPersist技术的话,将会使用(基于OpenSSH)‘ssh’,如果不支持讲使用‘paramiko’.其他传输选项包括‘local’, ‘chroot’,’jail’等等
#remote_port    = 22    远程SSH端口。 默认是22
module_lang    = C   模块和系统之间通信的计算机语言,默认是C语言

# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
gathering = implicit   控制默认facts收集(远程系统变量). 默认值为’implicit’, 每一次play,facts都会被收集

# additional paths to search for roles in, colon separated
#roles_path    = /etc/ansible/roles   roles 路径指的是’roles/’下的额外目录,用于playbook搜索Ansible roles

# uncomment this to disable SSH key host checking
#host_key_checking = False    检查主机密钥

# change this for alternative sudo implementations
sudo_exe = sudo     如果在其他远程主机上使用另一种方式执sudu操作.可以使用该参数进行更换

# what flags to pass to sudo   传递sudo之外的参数
#sudo_flags = -H

# SSH timeout    SSH超时时间
timeout = 10# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root   使用/usr/bin/ansible-playbook链接的默认用户名,如果不指定,会使用当前登录的用户名

# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log     日志文件存放路径

# default module name for /usr/bin/ansible
#module_name = command     ansible命令执行默认的模块

# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh     在sudo环境下产生一个shell交互接口. 用户只在/bin/bash的或者sudo限制的一些场景中需要修改

# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together?  The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace    特定的优先级覆盖变量

# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n      允许开启Jinja2拓展模块

# if set, always use this private key file for authentication, same as # if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file         私钥文件存储位置

# format of string {{ ansible_managed }} available within Jinja2 
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}   这个设置可以告知用户,Ansible修改了一个文件,并且手动写入的内容可能已经被覆盖.

# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping" # messages. NOTE: the task header will still be shown regardless of whether or not the 
# task is skipped.
#display_skipped_hosts = True     显示任何跳过任务的状态 ,默认是显示

# by default (as of 1.3), Ansible will raise errors when attempting to dereference 
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False      如果所引用的变量名称错误的话, 将会导致ansible在执行步骤上失败

# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True    允许禁用系统运行ansible相关的潜在问题警告

# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True     允许在ansible-playbook输出结果中禁用“不建议使用”警告

# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead.  These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line 
# parameter string.  This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False    当shell和命令行模块被默认模块简化的时,Ansible 将默认发出警告


# set plugin path directories here, separate with colons
action_plugins     = /usr/share/ansible_plugins/action_plugins  
callback_plugins   = /usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
vars_plugins       = /usr/share/ansible_plugins/vars_plugins
filter_plugins     = /usr/share/ansible_plugins/filter_plugins

# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to 
# /bin/ansible runs
#bin_ansible_callbacks = False    用来控制callback插件是否在运行 /usr/bin/ansible 的时候被加载. 这个模块将用于命令行的日志系统,发出通知等特性


# don't like cows?  that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 #nocows = 1    默认ansible可以调用一些cowsay的特性   开启/禁用:0/1# don't like colors either?# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1#nocolor = 1  输出带上颜色区别, 开启/关闭:0/1# the CA certificate path used for validating SSL certs. This path 
# should exist on the controlling node, not the target nodes
# common locations:
# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
# Fedora     : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Ubuntu     : /usr/share/ca-certificates/cacert.org/cacert.org.crt
#ca_file_path =    # the http user-agent string to use when fetching urls. Some web server
# operators block the default urllib user agent as it is frequently used
# by malicious attacks/scripts, so we set it to something unique to 
# avoid issues.
#http_user_agent = ansible-agent

# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored.  This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
fact_caching = memory


# retry files
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry

[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

[paramiko_connection]

# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered.  Increases performance on new host additions.  Setting works independently of the
# host key checking setting above.
#record_host_keys=False

# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this# line to disable this behaviour.
#pty=False

[ssh_connection]

# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use 
# paramiko on older platforms rather than removing it
#ssh_args = -o ControlMaster=auto -o ControlPersist=60s

# The path to use for the ControlPath sockets. This defaults to
# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
# very long hostnames or very long path names (caused by long user names or 
# deeply nested home directories) this can exceed the character limit on
# file socket names (108 characters for most platforms). In that case, you 
# may wish to shorten the string below.
# 
# Example: 
# control_path = %(directory)s/%%h-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r

# Enabling pipelining reduces the number of SSH operations required to 
# execute a module on the remote server. This can result in a significant 
# performance improvement when enabled, however when using "sudo:" you must 
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
# 
#pipelining = False

# if True, make ansible use scp if the connection type is ssh 
# (default is sftp)
#scp_if_ssh = True

[accelerate]
accelerate_port = 5099accelerate_timeout = 30accelerate_connect_timeout = 5.0# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
accelerate_daemon_timeout = 30 # If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default# is "no".
#accelerate_multi_key = yes

[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default# needs to be changed to use the file system dependant context.
#special_context_filesystems=nfs,vboxsf,fuse

hosts 文件 就是我们说的inventory文件,用来定义主机和主机组 小例子:

10.0.0.4  ansible_ssh_pass='password'
10.0.0.7  ansible_ssh_pass='password'
[docker]
10.0.0.10[1:3]
[docker:vars]
ansible_ssh_pass='password'
[ansible:children]
docker

inventory 的内置参数如下:

ansible_ssh_host
      将要连接的远程主机名.与你想要设定的主机的别名不同的话,可通过此变量设置.
 
ansible_ssh_port
      ssh端口号.如果不是默认的端口号,通过此变量设置.
 
ansible_ssh_user
      默认的 ssh 用户名
 
ansible_ssh_pass
      ssh 密码(这种方式并不安全,我们强烈建议使用 --ask-pass 或 SSH 密钥)
 
ansible_sudo_pass
      sudo 密码(这种方式并不安全,我们强烈建议使用 --ask-sudo-pass)
 
ansible_sudo_exe (new in version 1.8)
      sudo 命令路径(适用于1.8及以上版本)
 
ansible_connection
      与主机的连接类型.比如:local, ssh 或者 paramiko. Ansible 1.2 以前默认使用 paramiko.1.2 以后默认使用 'smart','smart' 方式会根据是否支持 ControlPersist, 来判断'ssh' 方式是否可行.
 
ansible_ssh_private_key_file
      ssh 使用的私钥文件.适用于有多个密钥,而你不想使用 SSH 代理的情况.
 
ansible_shell_type
      目标系统的shell类型.默认情况下,命令的执行使用 'sh' 语法,可设置为 'csh' 或 'fish'.
 
ansible_python_interpreter
      目标主机的 python 路径.适用于的情况: 系统中有多个 Python, 或者命令路径不是"/usr/bin/python",比如  \*BSD, 或者 /usr/bin/python
      不是 2.X 版本的 Python.我们不使用 "/usr/bin/env" 机制,因为这要求远程用户的路径设置正确,且要求 "python" 可执行程序名不可为 python以外的名字(实际有可能名为python26).
 
      与 ansible_python_interpreter 的工作方式相同,可设定如 ruby 或 perl 的路径....

需要执行的playbook配置

例子:

- hosts: goldeneye-test
  vars:
    ENV: "test"
    s3_path: "log"
  roles:
    - goldeneye

这里附一个对应的inventory文件的例子:

[goldeneye-test] # 主机组名字
52.204.76.3 

[goldeneye-test:vars] # 主机组对应的配置
ansible_ssh_private_key_file=~/.ssh/websocketserver_goldeneye.pem
ansible_ssh_user=ubuntu
region=us

最开始有这个项目的tree,下面的解释可以对照着看。

解释: - hosts就是我们hosts文件里定义的主机和主机组名字,比如这里就是 inventory里的 goldeneye-test - roles:后面会讲到,会有一个roles的文件夹,放置的是对应的playbook的role,这个就是这个playbook需要执行的role的列表 - vars: 会在运行的role中用到的变量值


git克隆问题

https://codeday.me/bug/20181107/358872.html
- name: be sure prom-king has an up-to-date clone of its own repository
  git:
    repo: "ssh://[email protected]/prom-king.git"
    dest: /home/promking/prom-king
    accept_hostkey: yes
    clone: yes
    key_file: /home/promking/.ssh/id_rsa.pub
    update: yes

使用用户名和密码

git clone https://fupeng.li.dev%40gmail.com:这里放我的密码@github.com/immotal/my_test.git
注意,为了识别出来,邮箱的中间需要把@换成 %40 来处理

使用 person access token

git clone https://oauth2:这里放我的[email protected]/immotal/my_test.git
access token 需要在github或者gitlab的个人头像处设置。

简单例子:

一个本地运行的playbook(如果是在本地机器运行的命令,需要添加local参数) 这个小例子完成了一个Python程序打包之后,上传到需要部署的机器上去的步骤

# hosts (inventry)
[local]
127.0.0.1 ansible_connection=local
# build.yml
- hosts: local
  vars:
    ENV: "test"
  roles:
    - local
# 执行的命令 , hosts 是上面那个 hosts 文件,build.yml 是上线那个文件
VERSION = master
ansible-playbook -i hosts -f 5 -e "console_version=$(VERSION)" build.yml
# local/task
# 其中{{}}中的变量存放在 local/vars中
- name: Build Strategy Code
  connection: local
  command: chdir={{ STRATEGY_DIR }}  {{ PYTHON_ENV }} setup.py sdist

- name: SCP Strategy To Remote Machine
  connection: local
  command: chdir={{ DIST_DIR }} scp rock_strategy-{{ STRATEGY_VERSION }}.tar.gz {{ TEST_MACHINE }}

- name: Build Rock Code
  connection: local
  command: chdir={{ ROCK_DIR }}  {{ PYTHON_ENV }} setup.py sdist

- name: SCP Rock To Remote Machine
  connection: local
  command: chdir={{ ROCK_DIST_DIR }} scp Rock-{{ ROCK_VERSION }}.tar.gz {{ TEST_MACHINE }}