• Lightweight bulk host management with Ansible


      Author: 邓聪聪

      View the hosts file in the Ansible configuration directory

    [root@ansible-server scripts]# cat /etc/ansible/hosts
    [test]
    172.16.16.7
    172.16.16.8
    [root@ansible-server scripts]# 

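    1. Generate a key pair

      ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ''  -q  # generate the key pair non-interactively, with quiet output

      This command produces a public key (~/.ssh/id_dsa.pub) and a private key (~/.ssh/id_dsa).

      -t dsa: the key type, which can be 'rsa' or 'dsa' (OpenSSH 7.0 and later disable DSA keys by default)

      -P '': sets an empty passphrase, so no passphrase is needed at login

      -f ~/.ssh/id_dsa: the path where the key is stored, i.e. ${HOME}/.ssh/id_dsa

      ssh-copy-id -i ~/.ssh/id_dsa.pub username@ip,hostname  # for a single machine, the public key file can be sent to the remote host this way

       // file information on the managed host

    2. Use ansible-playbook with a YAML file to push the key in bulk

      This uses the authorized_key module; vi /opt/ssh_key.yaml 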

    # Using alternate directory locations:
    - hosts: test    # can be a group, or all hosts
      user: root    # the user the push runs as
    
    
      tasks: 
      - name: ssh-copy
        authorized_key:
          user=root 
          key="{{ lookup('file', '/root/.ssh/id_dsa.pub') }}"
    Pushing the public key to a single device:
    ssh-copy-id -i ~/.ssh/id_dsa.pub user@IP    # enter the password to authenticate
    
    [root@begon opt]# ansible-playbook /opt/push.ssh.ymal       
    PLAY [test2] ********************************************************************************************************************************************************************************
    TASK [Gathering Facts] **********************************************************************************************************************************************************************
    fatal: [1.81.5.157]: FAILED! => {"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."}
    fatal: [1.81.5.154]: FAILED! => {"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host's fingerprint to your known_hosts file to manage this host."}
    PLAY RECAP **********************************************************************************************************************************************************************************
    1.81.5.154                 : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
    1.81.5.157                 : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
    Resolving the error:
    Set host_key_checking = False in /etc/ansible/ansible.cfg (checking is enabled by default)
    [root@begon opt]# more   /opt/push.ssh.ymal  
    - hosts: test2
      user: root
      tasks: 
      - name: ssh-copy
        authorized_key:
          user=root 
          key="{{ lookup('file', '/root/.ssh/id_dsa.pub') }}"
    [root@begon opt]# ll /root/.ssh
    total 12
    -rw------- 1 root root 668 Apr  9 23:23 id_dsa
    -rw-r--r-- 1 root root 600 Apr  9 23:23 id_dsa.pub
    -rw-r--r-- 1 root root 352 Apr  9 23:27 known_hosts
    [root@begon opt]# vi /etc/ansible/ansible.cfg 
    [root@begon opt]# ansible-playbook /opt/push.ssh.ymal  
    PLAY [test2] ********************************************************************************************************************************************************************************
    TASK [Gathering Facts] **********************************************************************************************************************************************************************
    fatal: [1.81.5.154]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: Warning: Permanently added '1.81.5.154' (ECDSA) to the list of known hosts.
    Permission denied, please try again.", "unreachable": true}
    fatal: [1.81.5.157]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: Warning: Permanently added '1.81.5.157' (ECDSA) to the list of known hosts.
    Permission denied, please try again.", "unreachable": true}
    PLAY RECAP **********************************************************************************************************************************************************************************
    1.81.5.154                 : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   
    1.81.5.157                 : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0   
    ==============Verify that the password works=================
    [root@begon opt]# vi /etc/ansible/hosts                                                     
    [root@begon opt]# ansible-playbook /opt/push.ssh.ymal        
    PLAY [test2] ********************************************************************************************************************************************************************************
    TASK [Gathering Facts] **********************************************************************************************************************************************************************
    ok: [1.81.5.157]
    ok: [1.81.5.154]
    TASK [ssh-copy] *****************************************************************************************************************************************************************************
    changed: [1.81.5.154]
    changed: [1.81.5.157]
    PLAY RECAP **********************************************************************************************************************************************************************************
    1.81.5.154                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
    1.81.5.157                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
    
    [root@begon opt]# ansible  test2 -a 'ping -c 3 222.222.222.1'
    1.81.5.154 | CHANGED | rc=0 >>
    PING 222.222.222.1 (222.222.222.1) 56(84) bytes of data.
    64 bytes from 222.222.222.1: icmp_seq=1 ttl=54 time=18.6 ms
    64 bytes from 222.222.222.1: icmp_seq=2 ttl=54 time=17.6 ms
    64 bytes from 222.222.222.1: icmp_seq=3 ttl=54 time=17.7 ms
    
    --- 222.222.222.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 17.685/18.020/18.605/0.429 ms
    1.81.5.157 | CHANGED | rc=0 >>
    PING 222.222.222.1 (222.222.222.1) 56(84) bytes of data.
    64 bytes from 222.222.222.1: icmp_seq=1 ttl=54 time=15.5 ms
    64 bytes from 222.222.222.1: icmp_seq=2 ttl=54 time=15.2 ms
    64 bytes from 222.222.222.1: icmp_seq=3 ttl=54 time=15.2 ms
    
    --- 222.222.222.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 15.219/15.323/15.506/0.129 ms
    [root@begon opt]# 
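
The first error in the session above asks for each host's fingerprint to be added to known_hosts, while host_key_checking = False makes Ansible accept whatever key a host presents. The following added example (not code from the original post) keeps checking enabled by vetting ssh-keyscan-style output against fingerprints recorded out-of-band; the function names, the `TRUSTED` table and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def vet_scan(scan_output, trusted):
    """Split ssh-keyscan-style lines into (accepted, rejected); `trusted` maps
    host -> fingerprint obtained out-of-band. Only accepted lines go to known_hosts."""
    accepted, rejected = [], []
    for line in scan_output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or banner comment
        if len(parts) < 3:
            rejected.append((parts[0], "malformed line"))
            continue
        host, _keytype, blob = parts[:3]
        try:
            seen = fingerprint(blob)
        except ValueError:  # binascii.Error subclasses ValueError
            rejected.append((host, "bad base64"))
            continue
        if host not in trusted:
            rejected.append((host, "no trusted fingerprint on record"))
        elif seen != trusted[host]:
            rejected.append((host, "fingerprint mismatch: " + seen))
        else:
            accepted.append(line.strip())
    return accepted, rejected

def sample_key(seed):
    """Constructed ssh-ed25519 public key blob (not a real host key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(wire).decode()

# Constructed sample: .7 presents the recorded key, .8 presents a different one.
GOOD_7, GOOD_8, ROGUE_8 = sample_key(b"7"), sample_key(b"8"), sample_key(b"x")
TRUSTED = {"172.16.16.7": fingerprint(GOOD_7), "172.16.16.8": fingerprint(GOOD_8)}
SCAN = (f"# 172.16.16.7:22 SSH-2.0-OpenSSH_7.4\n172.16.16.7 ssh-ed25519 {GOOD_7}\n"
        f"172.16.16.8 ssh-ed25519 {ROGUE_8}\n")

if __name__ == "__main__":
    accepted, rejected = vet_scan(SCAN, TRUSTED)
    print("append to known_hosts:", accepted, "\ninvestigate:", rejected)
```

Real input would come from `ssh-keyscan -t ed25519` run against the inventory hosts, with the trusted values read on each host's console using `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`.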

    3. Test

    [root@ansible-server scripts]# ansible all -m command -a date
    172.16.16.8 | SUCCESS | rc=0 >>
    Mon Mar  4 22:24:56 EST 2019
    172.16.16.7 | SUCCESS | rc=0 >>
    Mon Mar  4 22:24:56 EST 2019
    [root@ansible-server scripts]# 

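     4.1 Using Ansible modules and their parameters

      1. service  # the managed service must have a service script under /etc/init.d/

      name=service name  # the name of the service

      state=<value>            # e.g. stop the service; the state is written in the past tense (started/stopped/restarted/reloaded)

      Example: ansible test -m service -a "name=crond state=restarted"

      2. yum

      name=name       # the package to install

      state=installed    # install

      Example: ansible test -m yum -a "name=vim state=installed "

      3. copy  # transfers the /etc/hosts file to each server; src= is the source path, dest= is the destination path

      Example: ansible test -m copy -a "src=/etc/hosts dest=/tmp/"

      4. script  # script module: takes a script on the local machine, transfers its contents to the remote nodes and runs it there

      Example: ansible all -m script -a "/root/ansible-server/scripts/batch_free.sh"

    4.2. Playbook format example

      Check a playbook's syntax: ansible-playbook --syntax-check name.ymal

      Dry-run a playbook: ansible-playbook -C name.ymal 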

    # Using alternate directory locations:
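    - hosts: test  # a colon followed by a value must be followed by a space
      user: root
    
      tasks:   # when nothing follows the colon, the space can be omitted
      - name: ssh-copy  # the name; several can be listed
        authorized_key:  
          user=root
          key="{{ lookup('file', '/root/.ssh/id_dsa.pub') }}"

       Use Ansible's user module to change user passwords on remote clients in bulk 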

    [root@ansible-server ~]# vi /opt/root_passwd.yaml
    ---
      - hosts: test
        gather_facts: false
        tasks:
        - name: change user passwd
          user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }}  update_password=always
          with_items:
               - { name: 'root', chpass: '123456' }
               - { name: 'test', chpass: '123456' }

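      Note that the YAML file above changes the passwords of the root and test users on the remote clients. To change other users' passwords, add more entries following the same pattern. The passwords sit in the playbook in plaintext, so restrict access to the file or keep the values in Ansible Vault.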


  • Original article: https://www.cnblogs.com/dengcongcong/p/10475580.html