• Ansible: common modules


    I. Ansible common modules

    1. Differences between the common ansible modules command, shell and raw:

    • The command module does not run the command through a shell, so bash environment variables (and other shell features) are not available
    • The shell module runs the command through /bin/sh
    • raw is similar to shell in many respects; in most situations the shell or command module is the better choice
      • But if the managed host runs an old Python version, or the client is a router with no Python installed, the raw module is required

    II. Detailed usage of common Ansible modules

    1. ping module

    1️⃣: The ping module checks whether the specified node is reachable. Usage is simple and takes no parameters; if the host is online it replies pong

    • Example:
      [root@localhost ~]# ansible all -m ping
      192.168.121.81 | SUCCESS => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": false,
          "ping": "pong"
      }

    2. user module

    ①: Common parameters of the user module

    create_home    :【 yes | no 】
        Description: by default a home directory is created when the account is created or when the home directory does not exist; set to no to skip this
    group 
        Description: set the user's primary group
    groups
        Description: set the user's supplementary groups; when set to the empty string '', the user is removed from all groups except the primary group
    home
        Description: set the user's home directory
    name 
        Description: name of the user to create, remove or modify
    password
        Description: set the user's password to this encrypted (hashed) value; to create a disabled account on Linux, set it to '!' or '*'
    remove    :【 yes | no 】
        Description: when state=absent, remove the directories associated with the user; equivalent to userdel --remove
    shell 
        Description: set the user's login shell; if the user should not be able to log in, set /sbin/nologin
    state       :【 present | absent 】
        Description: present creates the user; absent removes the user
    system    :【 yes | no 】
        Description: when state=present, setting this to yes makes the user a system account
    uid
        Description: the user's UID
    

    ②: Add a system user named zhangsan on the managed host, with UID 888, login shell /sbin/nologin and no home directory

    • Example:
      [root@localhost ~]# ansible 192.168.121.81 -m user -a 'name=zhangsan uid=888 system=yes shell=/sbin/nologin create_home=no state=present'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "comment": "",
          "create_home": false,
          "group": 888,
          "home": "/home/zhangsan",
          "name": "zhangsan",
          "shell": "/sbin/nologin",
          "state": "present",
          "system": true,
          "uid": 888
      }
      
       //check whether user zhangsan exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'id zhangsan'
      192.168.121.81 | CHANGED | rc=0 >>
      uid=888(zhangsan) gid=888(zhangsan) groups=888(zhangsan)
      
      
       //delete user zhangsan on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m user -a 'name=zhangsan state=absent'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "force": false,
          "name": "zhangsan",
          "remove": false,
          "state": "absent"
      }
      
       //check whether user zhangsan still exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'id zhangsan'
      192.168.121.81 | FAILED | rc=1 >>
      id: ‘zhangsan’: no such usernon-zero return code
      
      //change the UID of user zhangsan to 1000
      [root@localhost ~]# ansible 192.168.121.81 -m user -a 'name=zhangsan uid=1000'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "append": false,
          "changed": true,
          "comment": "",
          "group": 888,
          "home": "/home/zhangsan",
          "move_home": false,
          "name": "zhangsan",
          "shell": "/sbin/nologin",
          "state": "present",
          "uid": 1000
      }  

    3. group module

    ①: Common parameters of the group module

    name
        Description: name of the group
    state    : 【  present | absent 】
        Description: present creates the group; absent removes the group
    system    : 【 yes | no 】
        Description: if yes, the group is created as a system group
    gid
        Description: the group's GID
    

    ②: Add a system group named zhangsan with GID 800 on the managed host

    • Example:
      [root@localhost ~]# ansible 192.168.121.81 -m group -a 'name=zhangsan system=yes gid=800 state=present'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "gid": 800,
          "name": "zhangsan",
          "state": "present",
          "system": true
      }
      
       //check whether group zhangsan exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'grep zhangsan /etc/group'
      192.168.121.81 | CHANGED | rc=0 >>
      zhangsan:x:800:
      
       //delete group zhangsan on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m group -a 'name=zhangsan state=absent'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "name": "zhangsan",
          "state": "absent"
      }
      
       //check whether group zhangsan still exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'grep zhangsan /etc/group'
      192.168.121.81 | FAILED | rc=1 >>
      non-zero return code
      
       //change the GID of group zhangsan on the managed host to 1000
      [root@localhost ~]# ansible 192.168.121.81 -m group -a 'name=zhangsan gid=1000'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "gid": 1000,
          "name": "zhangsan",
          "state": "present",
          "system": false
      }
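As an added example that is not part of the original post, the playbook below does what the ad-hoc user and group commands above do, in the order a practitioner wants (group first, then the account that uses it), and locks the account so it can never authenticate with a password. The host group client, the account and group name appsvc and the UID/GID values are assumptions.

```yaml
# Added example, not from the original post. Assumed values: host group
# "client", account/group name "appsvc", UID 888, GID 800.
---
- hosts: client
  become: yes
  tasks:
    - name: Ensure the system group exists (created before the user that needs it)
      group:
        name: appsvc
        gid: 800
        system: yes
        state: present

    - name: Ensure a locked, non-interactive system account exists
      user:
        name: appsvc
        uid: 888
        group: appsvc
        system: yes
        shell: /sbin/nologin      # no interactive login
        create_home: no
        password: '!'             # disabled password, as the password parameter above describes
        state: present

    - name: Report the resulting identity without marking the play as changed
      command: id appsvc
      register: id_out
      changed_when: false

    - debug:
        var: id_out.stdout

# Removal is kept under the special "never" tag so it runs only with
# --tags cleanup; remove=yes also deletes the home directory if one exists.
- hosts: client
  become: yes
  tags: [never, cleanup]
  tasks:
    - name: Remove the account and its directories
      user:
        name: appsvc
        state: absent
        remove: yes

    - name: Remove the group once no account uses it
      group:
        name: appsvc
        state: absent
```

A second plain run reports every task as ok, which confirms the account exists exactly as declared; the cleanup play is reached only when the tag is requested explicitly.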

    4. yum module

    1️⃣: The yum module manages software on the specified node through yum

    2️⃣: Common parameters of the yum module

    name: name of the package to install
    state : 【 present | installed | latest | absent | removed 】
        present:    install the package
        installed:  install the package
        latest:     install the package (latest available version)
        absent:     remove the package
        removed:    remove the package
    • Example: install the httpd service on the managed host with the yum module
      • [root@localhost ~]# ansible 192.168.121.81 -m yum -a 'name=httpd state=present'
        192.168.121.81 | CHANGED => {
            "ansible_facts": {
                "discovered_interpreter_python": "/usr/libexec/platform-python"
            },
            "changed": true,
            "msg": "",
            "rc": 0,
            "results": [
                "Installed: apr-1.6.3-9.el8.x86_64",
                "Installed: centos-logos-httpd-80.5-2.el8.noarch",
                "Installed: apr-util-1.6.1-6.el8.x86_64",
                "Installed: apr-util-bdb-1.6.1-6.el8.x86_64",
                "Installed: httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64",
                "Installed: httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0afa8.noarch",
                "Installed: mod_http2-1.11.3-3.module_el8.2.0+307+4d18d695.x86_64",
                "Installed: httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64",
                "Installed: apr-util-openssl-1.6.1-6.el8.x86_64",
                "Installed: mailcap-2.1.48-3.el8.noarch"
            ]
        }
        
         //start the httpd service
        [root@localhost ~]# ansible 192.168.121.81 -m command -a 'systemctl start httpd'
        192.168.121.81 | CHANGED | rc=0 >>
        
         //check the httpd service processes
        [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'ps -ef | grep httpd'
        192.168.121.81 | CHANGED | rc=0 >>
        root      20991      1  0 18:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
        apache    20992  20991  0 18:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
        apache    20993  20991  0 18:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
        apache    20994  20991  0 18:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
        apache    20996  20991  0 18:58 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
        root      21573  21572  0 18:59 pts/1    00:00:00 /bin/sh -c ps -ef | grep httpd
        root      21575  21573  0 18:59 pts/1    00:00:00 grep httpd
        
         //check whether httpd is installed
        [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'rpm -qa | grep httpd'
        192.168.121.81 | CHANGED | rc=0 >>
        httpd-filesystem-2.4.37-21.module_el8.2.0+382+15b0afa8.noarch
        centos-logos-httpd-80.5-2.el8.noarch
        httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64
        httpd-tools-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64

    5. command module

    1️⃣: The command module runs a command on the remote host; it is the module ansible uses by default

    2️⃣: A limitation of the command module is that it cannot use pipes or redirection

    • Example:
       //list the files under /tmp
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'ls /tmp'
      192.168.121.81 | CHANGED | rc=0 >>
      ansible_command_payload_bgh98niw
      ks-script-rz2t819q
      systemd-private-27d81652d04247e0aabf5ca3135190a7-httpd.service-34NQn0
      vmware-root_987-4257200413
      
       //create the file test under /root
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'touch /root/test'
      192.168.121.81 | CHANGED | rc=0 >>
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'ls /root'
      192.168.121.81 | CHANGED | rc=0 >>
      anaconda-ks.cfg
      test

    6. shell module

    ①: The shell module runs scripts that reside on the managed host, and can also run commands directly on the managed host (it is generally used for commands; for scripts use the script module)

    ②: Parameters the shell module may use

    chdir
        Description: change into this directory before running the command
    removes 
        Description: a filename; if it does not exist, this step will not run (same semantics as for the script module below)
    stdin
        Description: set the command's stdin directly to the specified value

    ③: The shell module also supports pipes and redirection

    • Example:
      //check the script file on the managed host
      [root@localhost ~]# ls
      anaconda-ks.cfg  test.sh
      [root@localhost ~]# chmod a+x test.sh
      [root@localhost ~]# ll test.sh 
      -rwxr-xr-x. 1 root root 27 Aug 27 19:12 test.sh
      
       //run the script on the managed host from the control node
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a '/root/test.sh'
      192.168.121.81 | CHANGED | rc=0 >>
      Thu Aug 27 19:15:20 CST 2020/root/test.sh: line 1: !/bin/bash: No such file or directory
      
       //use a pipe with shell
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'cat /etc/group | grep root'
      192.168.121.81 | CHANGED | rc=0 >>
      root:x:0:
      
       //use redirection with shell
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a '/root/test.sh > /tmp/dir.txt'
      192.168.121.81 | CHANGED | rc=0 >>
      /root/test.sh: line 1: !/bin/bash: No such file or directory
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'cat /tmp/dir.txt'
      192.168.121.81 | CHANGED | rc=0 >>
      Thu Aug 27 19:19:04 CST 2020

    7. raw module

    1️⃣: The raw module runs commands on the remote host and supports pipes and redirection (in addition, raw can be used on hosts where a service cannot otherwise be installed, e.g. routers, to install it)

    • Example
       //using a pipe
      [root@localhost ~]# ansible 192.168.121.81 -m raw -a 'cat /etc/group |grep root'
      192.168.121.81 | CHANGED | rc=0 >>
      root:x:0:
      
       //using redirection
      [root@localhost ~]# ansible 192.168.121.81 -m raw -a 'echo "hellow word" > /root/test.txt'
      192.168.121.81 | CHANGED | rc=0 >>
      [root@localhost ~]# ansible 192.168.121.81 -m raw -a 'cat  /root/test.txt'
      192.168.121.81 | CHANGED | rc=0 >>
      hellow word

    8. script module

    ①: The script module runs a script located on the control node on the managed host

    ②: Common parameters of the script module

    chdir 
        Description: change into this directory on the remote node before running the script
    creates
        Description: a filename on the remote node; if it already exists, this step will not run
    removes
        Description: a filename on the remote node; if it does not exist, this step will not run
    • Example:
       //check the script file on the control node
      [root@localhost ~]# ls
      anaconda-ks.cfg  test.sh
      
       //run the script from the control node
      [root@localhost ~]# ansible 192.168.121.81 -m script -a '/root/test.sh > /root/dir.txt'
      192.168.121.81 | CHANGED => {
          "changed": true,
          "rc": 0,
          "stderr": "Shared connection to 192.168.121.81 closed.
      ",
          "stderr_lines": [
              "Shared connection to 192.168.121.81 closed."
          ],
          "stdout": "",
          "stdout_lines": []
      }
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'cat /root/dir.txt'
      192.168.121.81 | CHANGED | rc=0 >>
      This is test file.sh
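The difference set out in section I and illustrated across sections 5 to 8 fits in one playbook. The block below is an added example, not code from the original post: it runs the same pipeline through command, shell and raw, shows the quote filter Ansible provides for the cases where shell cannot be avoided, and runs the control-node script with the script module guarded by creates so it executes only once. The host group client, the variable pattern and the file paths are assumptions. (The page's own output shows that test.sh begins with !/bin/bash rather than #!/bin/bash, which is why line 1: !/bin/bash: No such file or directory appears alongside the date.)

```yaml
# Added example, not from the original post. Assumed: host group "client",
# the script /root/test.sh on the control node, the variable "pattern".
---
- hosts: client
  tasks:
    - name: command uses no shell, so '|' and 'grep' reach cat as file names and the task fails
      command: cat /etc/group | grep root
      register: cmd_out
      ignore_errors: yes
      changed_when: false

    - name: shell hands the whole line to /bin/sh, so the pipe works
      shell: cat /etc/group | grep root
      register: sh_out
      changed_when: false

    - name: raw needs no Python on the target; use it only where shell cannot run (old Python, network gear)
      raw: cat /etc/group | grep root
      register: raw_out
      changed_when: false

    - name: when shell is unavoidable, pass variables through the quote filter so they cannot alter the command line
      shell: "grep -- {{ pattern | quote }} /etc/group"
      vars:
        pattern: root
      changed_when: false

    - name: Compare the three results
      debug:
        msg:
          command_rc: "{{ cmd_out.rc }}"
          shell_stdout: "{{ sh_out.stdout }}"
          raw_stdout: "{{ raw_out.stdout }}"

    - name: Run the control-node script on the managed host, only if its output file is not there yet
      script: /root/test.sh > /root/dir.txt
      args:
        creates: /root/dir.txt
```

Run with `ansible-playbook -i inventory modules.yml`; the first task is reported as failed and ignored, which is the expected demonstration, while the shell and raw tasks both return `root:x:0:`. The creates guard makes the script task idempotent: a second run skips it.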

    9. service module

    1️⃣: The service module manages services on the managed host

    2️⃣: Common parameters of the service module

    state  : 【 started | stopped | restarted | reloaded 】
        started        start the service
        stopped        stop the service
        restarted      restart the service
        reloaded       reload the service
    
    enabled   : 【 yes | no 】
        Description: whether the service starts at boot
        yes        start at boot
        no         do not start at boot

    • Example:
       //check whether the httpd service on the managed host is running
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'systemctl status httpd'
      192.168.121.81 | FAILED | rc=3 >>
      ● httpd.service - The Apache HTTP Server
         Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
         Active: inactive (dead)
           Docs: man:httpd.service(8)
      
      Aug 27 18:58:10 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
      Aug 27 18:58:10 localhost.localdomain httpd[20991]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
      Aug 27 18:58:10 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
      Aug 27 18:58:10 localhost.localdomain httpd[20991]: Server configured, listening on: port 80
      Aug 27 19:31:21 localhost.localdomain systemd[1]: Stopping The Apache HTTP Server...
      Aug 27 19:31:22 localhost.localdomain systemd[1]: Stopped The Apache HTTP Server.non-zero return code
      
       //start the httpd service with the service module
      [root@localhost ~]# ansible 192.168.121.81 -m service -a 'name=httpd state=started'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "name": "httpd",
          "state": "started",
          "status": {
              "ActiveEnterTimestampMonotonic": "0",
              "ActiveExitTimestampMonotonic": "0",
      ............
      
       //check the httpd service status on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'systemctl status httpd'
      192.168.121.81 | CHANGED | rc=0 >>
      ● httpd.service - The Apache HTTP Server
         Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
         Active: active (running) since Thu 2020-08-27 19:37:22 CST; 1min 33s ago
           Docs: man:httpd.service(8)
       Main PID: 23488 (httpd)
         Status: "Running, listening on: port 80"
          Tasks: 213 (limit: 11340)
         Memory: 27.3M
         CGroup: /system.slice/httpd.service
                 ├─23488 /usr/sbin/httpd -DFOREGROUND
                 ├─23489 /usr/sbin/httpd -DFOREGROUND
                 ├─23490 /usr/sbin/httpd -DFOREGROUND
                 ├─23491 /usr/sbin/httpd -DFOREGROUND
                 └─23492 /usr/sbin/httpd -DFOREGROUND
      
      Aug 27 19:37:22 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
      Aug 27 19:37:22 localhost.localdomain httpd[23488]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
      Aug 27 19:37:22 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
      Aug 27 19:37:23 localhost.localdomain httpd[23488]: Server configured, listening on: port 80
      
       //enable httpd to start at boot on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m service -a 'name=httpd enabled=yes'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "enabled": true,
          "name": "httpd",
          "status": {
              "ActiveEnterTimestamp": "Thu 2020-08-27 19:37:22 CST",
              "ActiveEnterTimestampMonotonic": "18191160572",
      .............
      
       //check whether httpd is enabled at boot on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m command -a 'systemctl is-enabled httpd'
      192.168.121.81 | CHANGED | rc=0 >>
      enabled
      
       //stop the httpd service on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m service -a 'name=httpd state=stopped'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "name": "httpd",
          "state": "stopped",
          "status": {
              "ActiveEnterTimestamp": "Thu 2020-08-27 19:37:22 CST",
              "ActiveEnterTimestampMonotonic": "18191160572",

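The yum and service sections above perform install, start and enable as separate ad-hoc calls. As an added example that is not part of the original post, the playbook below does the same in one idempotent run and verifies the result with reporting-only tasks. The host group client is an assumption.

```yaml
# Added example, not from the original post. Assumed: host group "client".
---
- hosts: client
  become: yes
  tasks:
    - name: Install httpd (present, not latest, so a routine run never pulls an unplanned upgrade)
      yum:
        name: httpd
        state: present

    - name: Start httpd now and enable it at boot in a single task
      service:
        name: httpd
        state: started
        enabled: yes

    - name: Confirm the unit is active; reporting only, so it never shows as changed
      command: systemctl is-active httpd
      register: httpd_active
      changed_when: false
      failed_when: httpd_active.stdout != 'active'

    - name: Confirm it is enabled at boot
      command: systemctl is-enabled httpd
      register: httpd_enabled
      changed_when: false
      failed_when: httpd_enabled.stdout != 'enabled'
```

Because both checks use changed_when: false, a second run reports ok for every task, which is the signal that the host matches the declared state.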
    10. copy module

    1️⃣: The copy module copies files to the remote managed host

    2️⃣: Common parameters of the copy module

    src
        Description: local path of the file to copy to the remote server; may be absolute or relative
    dest
        Description: absolute path on the remote host to which the file should be copied
    backup   : 【 yes | no 】
        Description: create a backup file including timestamp information so the original can be recovered if it was clobbered incorrectly
    force    : 【 yes | no 】
        Description: if yes, the remote file is replaced when its content differs from the source; if no, the file is transferred only if the destination does not exist

    • Example:
       //list the files on the control node
      [root@localhost ~]# ls
      anaconda-ks.cfg  test.sh
      
       //copy the file
      [root@localhost ~]# ansible 192.168.121.81 -m copy -a 'src=/root/test.sh dest=/root'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "checksum": "6754b4785dbeace09c90e9ce4a2560d4e386efab",
          "dest": "/root/test.sh",
          "gid": 0,
          "group": "root",
          "md5sum": "b51ea9009c046cd325621fa7065782f0",
          "mode": "0644",
          "owner": "root",
          "secontext": "system_u:object_r:admin_home_t:s0",
          "size": 41,
          "src": "/root/.ansible/tmp/ansible-tmp-1598558057.5922036-5111-245228725024513/source",
          "state": "file",
          "uid": 0
      }
      
       //check whether the file exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'ls /root'
      192.168.121.81 | CHANGED | rc=0 >>
      anaconda-ks.cfg
      test.sh  

    11. template module

    1️⃣: The template module renders a template and transfers the result to the remote host (mainly used to create files from templates)

    2️⃣: Common parameters of the template module

    src
        Description: path of the local template; may be relative or absolute
    dest
        Description: location on the remote machine where the template is rendered
    backup   : 【 yes | no 】
        Description: create a backup file including timestamp information so the original can be recovered if it was clobbered incorrectly
    force   : 【 yes | no 】
        Description: when set to yes, the remote file is replaced if its content differs from the source; when set to no, the file is transferred only if the destination does not exist

    • Example:
      [root@localhost ~]# ansible 192.168.121.81 -m template -a 'src=/etc/yum.repos.d/CentOS-Base.repo dest=/etc/yum.repos.d'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "checksum": "4966466ad015ef3d2a3cc0b8252d43efbdcf2c94",
          "dest": "/etc/yum.repos.d/CentOS-Base.repo",
          "gid": 0,
          "group": "root",
          "md5sum": "d06fb7d5709727828bcaba7457ea673e",
          "mode": "0644",
          "owner": "root",
          "secontext": "system_u:object_r:system_conf_t:s0",
          "size": 2595,
          "src": "/root/.ansible/tmp/ansible-tmp-1598559298.4569452-5352-77842158483794/source",
          "state": "file",
          "uid": 0
      }
      
       //check whether the file exists on the managed host
      [root@localhost ~]# ansible 192.168.121.81 -m shell -a 'ls /etc/yum.repos.d'
      192.168.121.81 | CHANGED | rc=0 >>
      CentOS-Base.repo
      redhat.repo   
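In the copy output above the script arrives with mode 0644 even though it had been made executable on the control node, and the httpd journal in section 9 shows the AH00558 ServerName warning. The playbook below is an added example, not from the original post: it copies the script with an explicit owner and mode, renders a one-line Jinja2 template that sets ServerName, keeps a timestamped backup of anything it overwrites, and restarts httpd only when the rendered file actually changed. The host group client and the template file templates/servername.conf.j2 (its content is shown in the leading comment) are assumptions.

```yaml
# Added example, not from the original post. Assumed: host group "client" and
# a control-node file templates/servername.conf.j2 containing one line:
#   ServerName {{ inventory_hostname }}
---
- hosts: client
  become: yes
  tasks:
    - name: Copy the script with explicit owner and mode (copy does not carry over the source's execute bit unless mode is set)
      copy:
        src: /root/test.sh
        dest: /root/test.sh
        owner: root
        group: root
        mode: '0750'
        backup: yes

    - name: Render the ServerName fragment; the task changes only when the rendered content differs
      template:
        src: templates/servername.conf.j2
        dest: /etc/httpd/conf.d/servername.conf
        owner: root
        group: root
        mode: '0644'
        backup: yes
      notify: restart httpd

  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted
```

The handler runs once at the end of the play and only if the template task reported a change, so repeated runs do not restart the service needlessly.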

    12. firewalld module

    1️⃣: Common parameters of the firewalld module

    The firewalld module is used to allow traffic on a given port:
    permanent    :【 yes | no 】
        Description: whether this configuration should be in the running firewalld configuration or should persist across reboots; note also that if set to no, it is assumed yes, enabled permanently; if set to yes, it is assumed no, enabled temporarily
    port 
        Description: the port or port range to add to or remove from firewalld; for a port range the format must be port/protocol or port-port/protocol; e.g. 80/tcp
    rich_rule
        Description: rich rule to add to or remove from the firewall
    service 
        Description: name of the service to add to or remove from the firewall
    source 
        Description: the source IP network you want to add to or remove from the firewall
    state  :【 present | enabled | absent | disabled 】
        Description: for a port: whether this port should accept (enabled) or reject (disabled) connections; the states present and absent can only be used in zone-level operations
    
    • Example:
       //check whether the firewall on the managed host is running
      [root@ansible ~]# ansible 192.168.121.81 -m shell -a 'systemctl is-active firewalld'
      192.168.121.81 | CHANGED | rc=0 >>
      active
      
       //check whether port 800 is allowed on the managed host
      [root@ansible ~]# ansible 192.168.121.81 -m shell -a 'firewall-cmd --list-all'
      192.168.121.81 | CHANGED | rc=0 >>
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0
        sources: 
        services: cockpit dhcpv6-client ssh
        ports:             //port 800 is not yet allowed
        protocols: 
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 
      
       //allow port 800 on the managed host
      [root@ansible ~]# ansible 192.168.121.81 -m firewalld -a 'port=800/tcp state=enabled permanent=no'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "msg": "Non-permanent operation, Changed port 800/tcp to enabled"
      }
      
       //check again whether port 800 is allowed on the managed host
      [root@ansible ~]# ansible 192.168.121.81 -m shell -a 'firewall-cmd --list-all'
      192.168.121.81 | CHANGED | rc=0 >>
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0
        sources: 
        services: cockpit dhcpv6-client ssh
        ports: 800/tcp       //port 800 is now allowed
        protocols: 
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules:   
      
       //stop allowing port 800
      [root@ansible ~]# ansible 192.168.121.81 -m firewalld -a 'port=800/tcp state=disabled permanent=no'            //permanent must be yes, otherwise port 800 is still allowed after the service starts at boot
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "msg": "Non-permanent operation, Changed port 800/tcp to disabled"
      }
      
       //check whether port 800 is allowed
      [root@ansible ~]# ansible 192.168.121.81 -m shell -a 'firewall-cmd --list-all'
      192.168.121.81 | CHANGED | rc=0 >>
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0
        sources: 
        services: cockpit dhcpv6-client ssh
        ports:       //port 800 is no longer allowed
        protocols:  
        masquerade: no
        forward-ports: 
        source-ports: 
        icmp-blocks: 
        rich rules: 

    13. selinux module

    1️⃣: Common parameters of the selinux module:

    policy 
        Description: name of the SELinux policy to use (e.g. targeted); required if state is not disabled
    state : 【 enforcing | permissive | disabled 】
         Description:
            disabled         #turn SELinux off
            permissive       #temporarily turn SELinux off (violations are logged, not blocked)
            enforcing        #enforce SELinux
    
    Example:
    - name: Enable SELinux
      selinux:
        policy: targeted
        state: enforcing
    
    - name: Put SELinux in permissive mode, logging actions that would be blocked.
      selinux:
        policy: targeted
        state: permissive
    
    - name: Disable SELinux
      selinux:
        state: disabled
    • Example:
       //check the SELinux state of the managed host
      [root@ansible ~]# ansible all -m shell -a 'getenforce'
      192.168.121.81 | CHANGED | rc=0 >>
      Enforcing
      
       //set selinux to disabled
      [root@ansible ~]# ansible all -m selinux -a 'state=disabled'
      [WARNING]: SELinux state temporarily changed from 'enforcing' to 'permissive'. State change will take effect next reboot.
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "configfile": "/etc/selinux/config",
          "msg": "Config SELinux state changed from 'enforcing' to 'disabled'",
          "policy": "targeted",
          "reboot_required": true,
          "state": "disabled"
      }
        //ignore the warning
      
       //check the SELinux state
      [root@ansible ~]# ansible all -m shell -a 'getenforce'
      192.168.121.81 | CHANGED | rc=0 >>
      Permissive

    14. seport module

    1️⃣: The seport module manages network port type definitions (adds/removes the ports SELinux allows)

    2️⃣: Common parameters of seport:

    ports
        Description: port or port range; e.g. 1000-2000; 200-500,7777 (comma separated)
    proto   :【 tcp | udp 】
        Description: protocol of the port; e.g. proto=tcp; proto=udp
    reload   :【 yes | no 】
        Description: reload the SELinux policy after committing
    setype
        Description: SELinux type for the port; e.g. for the http service: setype=http_port_t
    state    :【 present | absent 】
        Description: state of the port:
            present       #add the port as allowed
            absent        #remove/close the port
    
    • Example:
       //check whether port 777 is allowed on the managed host
      [root@ansible ~]# ansible all -m shell -a 'semanage port -l | grep http'
      192.168.121.81 | CHANGED | rc=0 >>
      http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
      http_cache_port_t              udp      3130
      http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
      pegasus_http_port_t            tcp      5988
      pegasus_https_port_t           tcp      5989
        //the semanage command requires an extra package to be installed; I had installed it beforehand
      
       //allow port 777 with the seport module
      [root@ansible ~]# ansible all -m seport -a 'ports=777 proto=tcp setype=http_port_t state=present'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "ports": [
              "777"
          ],
          "proto": "tcp",
          "setype": "http_port_t",
          "state": "present"
      }
      
       //check whether port 777 is allowed on the managed host
      [root@ansible ~]# ansible all -m shell -a 'semanage port -l | grep http'
      192.168.121.81 | CHANGED | rc=0 >>
      http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
      http_cache_port_t              udp      3130
      http_port_t                    tcp      777, 80, 81, 443, 488, 8008, 8009, 8443, 9000
      pegasus_http_port_t            tcp      5988
      pegasus_https_port_t           tcp      5989
      
       //remove port 777
      [root@ansible ~]# ansible all -m seport -a 'ports=777 proto=tcp setype=http_port_t state=absent'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "ports": [
              "777"
          ],
          "proto": "tcp",
          "setype": "http_port_t",
          "state": "absent"
      }
      
       //check whether port 777 was removed
      [root@ansible ~]# ansible all -m shell -a 'semanage port -l | grep http'
      192.168.121.81 | CHANGED | rc=0 >>
      http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
      http_cache_port_t              udp      3130
      http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
      pegasus_http_port_t            tcp      5988
      pegasus_https_port_t           tcp      5989
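Sections 12 and 14 together describe the two gates a non-standard service port passes through: the SELinux port label and the firewalld rule. The playbook below is an added example, not from the original post, that opens port 777 for httpd through both and records the firewalld change persistently. Per the firewalld module documentation, permanent: yes writes the saved configuration and immediate: yes applies it to the running firewall at the same time; when permanent is no, immediate is assumed to be yes, which is why the ad-hoc calls above took effect at once but would not survive a reboot. The host group client and the port number are assumptions.

```yaml
# Added example, not from the original post. Assumed: host group "client",
# alternate HTTP port 777.
---
- hosts: client
  become: yes
  vars:
    http_alt_port: 777
  tasks:
    - name: Label the port so httpd may bind it under the targeted policy
      seport:
        ports: "{{ http_alt_port }}"
        proto: tcp
        setype: http_port_t
        state: present

    - name: Allow the port in firewalld, in both the running and the saved configuration
      firewalld:
        port: "{{ http_alt_port }}/tcp"
        state: enabled
        permanent: yes
        immediate: yes

    - name: Show what firewalld now allows (reporting only)
      command: firewall-cmd --list-ports
      register: fw_ports
      changed_when: false

    - debug:
        var: fw_ports.stdout

- hosts: client
  become: yes
  tags: [never, cleanup]        # runs only when invoked with --tags cleanup
  vars:
    http_alt_port: 777
  tasks:
    - name: Close the port in both configurations
      firewalld:
        port: "{{ http_alt_port }}/tcp"
        state: disabled
        permanent: yes
        immediate: yes

    - name: Drop the SELinux port label again
      seport:
        ports: "{{ http_alt_port }}"
        proto: tcp
        setype: http_port_t
        state: absent
```

The order matters in practice: the SELinux label is applied first so that httpd can bind the port before the firewall exposes it, and the cleanup play reverses the order.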

    15. mount module

    1️⃣: The mount module mounts directories and can also mount image files

    2️⃣: Common mount parameters:

    src
        Description: path of the device or file to mount; required when state is present or mounted
    path
        Description: the mount point; e.g. path=/mnt/files
    fstype
        Description: filesystem type to mount; required when state is present or mounted
    state   :【 mounted | unmounted | remounted | present | absent 】
        Description:
            mounted: the device is actively mounted and configured in fstab; the mount point is created if it does not exist
            unmounted: the device is unmounted without changing fstab
            remounted: the device is remounted, forcing a refresh on the mount itself
            present: the device is only configured in fstab; no mount is triggered or required
            absent: the entry is removed from fstab, the device is unmounted and the mount point is deleted
    opts
        Description: mount options; e.g. ro,rw
    
    • Example:
      //check whether /dev/sr0 is already mounted
      [root@ansible ~]# ansible all -m shell -a 'df -h'
      192.168.121.81 | CHANGED | rc=0 >>
      Filesystem             Size  Used Avail Use% Mounted on
      devtmpfs               887M     0  887M   0% /dev
      tmpfs                  904M     0  904M   0% /dev/shm
      tmpfs                  904M  8.6M  895M   1% /run
      tmpfs                  904M     0  904M   0% /sys/fs/cgroup
      /dev/mapper/rhel-root   50G  1.7G   49G   4% /
      /dev/mapper/rhel-home   27G  225M   27G   1% /home
      /dev/nvme0n1p1        1014M  173M  842M  17% /boot
      tmpfs                  181M     0  181M   0% /run/user/0
      
       //mount /dev/sr0 on /mnt
      [root@ansible ~]# ansible all -m mount -a 'src=/dev/sr0 path=/mnt fstype=iso9660 state=mounted'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "dump": "0",
          "fstab": "/etc/fstab",
          "fstype": "iso9660",
          "name": "/mnt",
          "opts": "defaults",
          "passno": "0",
          "src": "/dev/sr0"
      }
      
       //check whether it is mounted
      [root@ansible ~]# ansible all -m shell -a 'df -h'
      192.168.121.81 | CHANGED | rc=0 >>
      Filesystem             Size  Used Avail Use% Mounted on
      devtmpfs               887M     0  887M   0% /dev
      tmpfs                  904M     0  904M   0% /dev/shm
      tmpfs                  904M  8.6M  895M   1% /run
      tmpfs                  904M     0  904M   0% /sys/fs/cgroup
      /dev/mapper/rhel-root   50G  1.7G   49G   4% /
      /dev/mapper/rhel-home   27G  225M   27G   1% /home
      /dev/nvme0n1p1        1014M  173M  842M  17% /boot
      tmpfs                  181M     0  181M   0% /run/user/0
      /dev/sr0               7.4G  7.4G     0 100% /mnt
      
       //unmount
      [root@ansible ~]# ansible all -m mount -a 'src=/dev/sr0 path=/mnt state=unmounted'
      192.168.121.81 | CHANGED => {
          "ansible_facts": {
              "discovered_interpreter_python": "/usr/libexec/platform-python"
          },
          "changed": true,
          "dump": "0",
          "fstab": "/etc/fstab",
          "name": "/mnt",
          "opts": "defaults",
          "passno": "0",
          "src": "/dev/sr0"
      }
      
       //check whether the unmount succeeded
      [root@ansible ~]# ansible all -m shell -a 'df -h'
      192.168.121.81 | CHANGED | rc=0 >>
      Filesystem             Size  Used Avail Use% Mounted on
      devtmpfs               887M     0  887M   0% /dev
      tmpfs                  904M     0  904M   0% /dev/shm
      tmpfs                  904M  8.6M  895M   1% /run
      tmpfs                  904M     0  904M   0% /sys/fs/cgroup
      /dev/mapper/rhel-root   50G  1.7G   49G   4% /
      /dev/mapper/rhel-home   27G  225M   27G   1% /home
      /dev/nvme0n1p1        1014M  173M  842M  17% /boot
      tmpfs                  181M     0  181M   0% /run/user/0
      
       //check whether the entry was removed from /etc/fstab
      [root@ansible ~]# ansible all -m shell -a 'cat /etc/fstab'
      192.168.121.81 | CHANGED | rc=0 >>
      
      #
      # /etc/fstab
      # Created by anaconda on Wed Aug 26 03:25:38 2020
      #
      # Accessible filesystems, by reference, are maintained under '/dev/disk/'.
      # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
      #
      # After editing this file, run 'systemctl daemon-reload' to update systemd
      # units generated from this file.
      #
      /dev/mapper/rhel-root   /                       xfs     defaults        0 0
      UUID=234365dc-2262-452e-9cbb-a6acfde04385 /boot                   xfs     defaults        0 0
      /dev/mapper/rhel-home   /home                   xfs     defaults        0 0
      /dev/mapper/rhel-swap   swap                    swap    defaults        0 0
      /dev/sr0 /mnt iso9660 defaults 0 0
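The last check above shows that state=unmounted leaves the /dev/sr0 line in /etc/fstab, exactly as the parameter description says. The playbook below is an added example, not from the original post: it mounts the image read-only with nosuid and nodev, confirms the options in effect, and uses state: absent for the cleanup, which both unmounts and removes the fstab entry. The host group client is an assumption.

```yaml
# Added example, not from the original post. Assumed: host group "client".
---
- hosts: client
  become: yes
  tasks:
    - name: Mount the install image read-only; nosuid/nodev so setuid binaries or device nodes on it are not honoured
      mount:
        src: /dev/sr0
        path: /mnt
        fstype: iso9660
        opts: ro,nosuid,nodev
        state: mounted          # mounts now and writes the fstab entry

    - name: Confirm the options actually in effect (reporting only)
      command: findmnt -n -o OPTIONS /mnt
      register: mnt_opts
      changed_when: false

    - debug:
        var: mnt_opts.stdout

- hosts: client
  become: yes
  tags: [never, cleanup]        # runs only when invoked with --tags cleanup
  tasks:
    - name: Unmount and remove the fstab entry (unmounted alone would leave the entry in place)
      mount:
        path: /mnt
        state: absent
```

Running `ansible-playbook mount.yml --tags cleanup` executes only the second play; a plain run performs the mount and leaves the fstab entry for the next boot.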

    16. yum_repository module

    1️⃣: The yum_repository module adds or removes YUM repositories

    2️⃣: Common parameters of the yum_repository module:

    name 
        Description: unique repository ID, i.e. the text inside the "[ ]" brackets in the config file; the name must be unique and the name parameter is mandatory; it is required only when state is set to present or absent
    description
        Description: a human-readable string describing the repository, i.e. the name= string in the config file; required only when state is present
    baseurl
        Description: URL of the directory where the repository's "repodata" directory lives; it may also be a list of URLs; simply put, the address of the repository; required when state is present
    enabled   :【 yes | no 】
        Description: whether yum uses this repository
            yes       enabled        
            no        disabled
    gpgcheck  :【 yes | no 】
        Description: whether yum should perform GPG signature checks on packages; optional boolean:
            yes        signature checking enabled; gpgkey=URL must then be given
            no         signature checking disabled
    file 
        Description: filename, without the .repo extension, in which the repository is saved; defaults to the value of name.
            If name is set, name changes the value inside the [ ] brackets in the file, while file changes the file name
            If the name parameter is set but given no value, DEFAULT is used as the repository name; file still changes the file name 
    state   :【 present | absent 】
        Description: state of the repo file (whether it is created)
    

    3️⃣: Demonstration:

     //view the playbook
     [root@localhost ~]# cat playbook.yml 
    ---
    - hosts: client
      gather_facts: no
      tasks:
        - name: add repository
          yum_repository:
            name: dvd
            baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
            description: my first repo
            enabled: yes
            gpgcheck: no
            file: jjyy
    
     //after running the playbook, check the result
    [root@localhost yum.repos.d]# ls
    jjyy.repo
    [root@localhost yum.repos.d]# cat jjyy.repo 
    [dvd]
    baseurl = https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
    enabled = 1
    gpgcheck = 0
    name = my first repo
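The demonstration playbook above sets gpgcheck: no, so yum would install whatever the repository served without verifying a package signature. As an added example, not from the original post, the playbook below configures the same repository with signature checking on, importing the signing key first with the rpm_key module. The key URL is the EPEL 8 signing key and is an assumed value: it must be replaced by the key of whatever repository baseurl really points to. The host group client is likewise assumed.

```yaml
# Added example, not from the original post. Assumed: host group "client";
# the gpgkey URL is the EPEL 8 key and must match the repository you really use.
---
- hosts: client
  become: yes
  gather_facts: no
  vars:
    repo_gpgkey: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
  tasks:
    - name: Import the repository signing key before the repository is used
      rpm_key:
        key: "{{ repo_gpgkey }}"
        state: present

    - name: Configure the repository with signature checking enabled
      yum_repository:
        name: dvd                      # repository id, becomes the [dvd] section header
        description: my first repo     # written as name= in the .repo file
        baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
        file: jjyy                     # written to /etc/yum.repos.d/jjyy.repo
        enabled: yes
        gpgcheck: yes
        gpgkey: "{{ repo_gpgkey }}"
        state: present

    - name: Show the rendered repo file (reporting only)
      command: cat /etc/yum.repos.d/jjyy.repo
      register: repo_file
      changed_when: false

    - debug:
        var: repo_file.stdout_lines
```

With gpgcheck = 1 and the key imported, yum refuses any package whose signature does not verify against that key, which is the property the original gpgcheck: no setting gives up.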
  • Original article: https://www.cnblogs.com/itwangqiang/p/13573552.html
Copyright © 2020-2023  润新知