The ansible family of commands consists of ansible, ansible-doc, ansible-playbook, ansible-vault, ansible-console, ansible-galaxy and ansible-pull. Each command has its own purpose and usage; this post goes through them one by one.
1. ansible-doc: shows the help information for modules, somewhat like the man command on Linux.
Usage:
```
ansible-doc [options] [module...]
```
Common options:
-a: show documentation for all modules
```
[root@localhost ~]# ansible-doc -a ping
> A10_SERVER    (/usr/lib/python2.7/site-packages/ansible/modules/network/a10/a10_server.py)

        Manage SLB (Server Load Balancer) server objects on A10 Networks devices via aXAPIv2.

OPTIONS (= is mandatory):

= host
        Hostname or IP of the A10 Networks device.
        [Default: None]

- partition
        set active-partition
        [Default: None]
        version_added: 2.3

= password
        Password for the `username' account.
        (Aliases: pass, pwd)[Default: None]

- server_ip
        The SLB server IPv4 address.
        (Aliases: ip, address)[Default: None]
:
```
Note: the -a option dumps the documentation of every module rather than just ping (the listing above starts at a10_server); only the beginning of the output is shown.
-l, --list: list all available modules
```
[root@localhost ~]# ansible-doc -l
a10_server                          Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' server object.
a10_server_axapi3                   Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
a10_service_group                   Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' service groups.
a10_virtual_server                  Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' virtual servers.
accelerate                          Enable accelerated mode on remote node
aci_aep                             Manage attachable Access Entity Profile (AEP) on Cisco ACI fabrics (infr...
aci_ap                              Manage top level Application Profile (AP) objects on Cisco ACI fabrics (...
aci_bd                              Manage Bridge Domains (BD) on Cisco ACI Fabrics (fv:BD)
aci_bd_subnet                       Manage Subnets on Cisco ACI fabrics (fv:Subnet)
aci_bd_to_l3out                     Bind Bridge Domain to L3 Out on Cisco ACI fabrics (fv:RsBDToOut)
aci_config_rollback                 Provides rollback and rollback preview functionality for Cisco ACI fabri...
aci_config_snapshot                 Manage Config Snapshots on Cisco ACI fabrics (config:Snapshot, config:Ex...
aci_contract                        Manage contract resources on Cisco ACI fabrics (vz:BrCP)
aci_contract_subject                Manage initial Contract Subjects on Cisco ACI fabrics (vz:Subj)
aci_contract_subject_to_filter      Bind Contract Subjects to Filters on Cisco ACI fabrics (vz:RsSubjFiltAtt...
aci_epg                             Manage End Point Groups (EPG) on Cisco ACI fabrics (fv:AEPg)
aci_epg_monitoring_policy           Manage monitoring policies on Cisco ACI fabrics (mon:EPGPol)
aci_epg_to_contract                 Bind EPGs to Contracts on Cisco ACI fabrics (fv:RsCons and fv:RsProv)
aci_epg_to_domain                   Bind EPGs to Domains on Cisco ACI fabrics (fv:RsDomAtt)
aci_filter                          Manages top level filter objects on Cisco ACI fabrics (vz:Filter)
aci_filter_entry                    Manage filter entries on Cisco ACI fabrics (vz:Entry)
aci_intf_policy_fc                  Manage Fibre Channel interface policies on Cisco ACI fabrics (fc:IfPol)
aci_intf_policy_l2                  Manage Layer 2 interface policies on Cisco ACI fabrics (l2:IfPol)
:
```
Note: the -l option lists every available module with a short description of what it does; only part of the output is shown above.
-s, --snippet: show a playbook snippet for the given module
```
[root@localhost ~]# ansible-doc -s ping
- name: Try to connect to host, verify a usable python and return `pong' on success
  ping:
      data:                  # Data to return for the `ping' return value. If this parameter is set to `crash', the module will cause an exception.
[root@localhost ~]#
```
Note: -s is the option used most often; it lists the module's commonly used parameters and what each one does.
2. ansible: this is the main ansible program, and the one used most often to manage hosts. It invokes the various modules to perform configuration management, application deployment, task execution and so on against remote hosts. As described earlier, ansible manages hosts in two ways: ad-hoc, meaning the ansible command run from the command line, and ansible-playbook.
Usage:
```
ansible <host-pattern> [-m module_name] [-a args]
```
Note: the usage is easy to understand. ansible's strength lies in its many modules, and the ansible command manages hosts by using them. The form above reads: which hosts to manage (a host or host group must be given), with which module (-m module_name; if omitted, the default module is used), and what the module should do (-a passes the arguments to the module).
Common options:
--version: show the version
```
[root@localhost ~]# ansible --version
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
[root@localhost ~]#
```
-m module: specify the module; on a fresh ansible install the default module is command
-v: show a brief execution trace; -vv shows more detail, -vvv shows a very detailed trace
--list-hosts: show the list of matched hosts; can be shortened to --list
```
[root@localhost ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]# ansible websers --list
  hosts (1):
    192.168.0.99
[root@localhost ~]# ansible appsers --list
  hosts (2):
    192.168.0.218
    192.168.0.128
[root@localhost ~]#
```
Note: all matches every host in the inventory.
-k, --ask-pass: prompt for the SSH password; by default ansible authenticates with SSH keys (lowercase k)
```
[root@localhost ~]# ansible websers -m ping -k
SSH password:
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]#
```
Note: this option is generally used for hosts in the inventory that do not yet have SSH key authentication set up; it is not normally recommended.
-K, --ask-become-pass: prompt for the sudo password (uppercase K)
```
[root@localhost ~]# ansible websers -u 'qiuhom' -k -s -K -a "getent shadow qiuhom"
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line arguments. This feature will be removed in version 2.6. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SSH password:
SUDO password[defaults to SSH password]:
192.168.0.99 | SUCCESS | rc=0 >>
qiuhom:$6$5mlfZaKT$YmDjmEnKPoC.xASTVA5JqUrTiIkuXOe1yDm9PCql89e4lGKUS.W1515phi1OgD1W7Zu6Lm9srTBHi9QAigWpz/:18068:0:99999:7:::

[root@localhost ~]#
```
Note: -u specifies the remote user to run as, -s runs the following operation with sudo, -k (lowercase) uses SSH password authentication, -K (uppercase) prompts for the sudo password, and -a passes arguments to the module. The example above gives no -m, so the default module command is used; the default module can be set in /etc/ansible/ansible.cfg.
-C, --check: check mode, do not execute; mainly used to check that a playbook is written correctly.
-T, --timeout: timeout for command execution, default 10 s
-u: the user to run the command as on the remote host; this user must exist on the remote server, not on the local control node
-b, --become: replaces the older sudo switch
--become-user=USERNAME: the user to run as under sudo, default root
With the basic options covered, let's look at how the host pattern selects hosts from the inventory.
1. all: matches every host defined in the inventory
```
[root@localhost ~]# ansible all -m ping
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]#
```
2. "*": a wildcard that also matches every host in the inventory; it works like wildcards on Linux.
```
[root@localhost ~]# ansible * -m ping
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible 192.168.0.1* -m ping
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible web* -m ping
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]#
```
3. OR (logical or)
```
[root@localhost ~]# tail -6 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[root@localhost ~]# ansible "websers:appsers" --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]# ansible "192.168.0.1*:192.168.0.2*" --list
  hosts (2):
    192.168.0.128
    192.168.0.218
[root@localhost ~]#
```
4. AND (logical and)
```
[root@localhost ~]# ansible "websers:&appsers" --list
  hosts (1):
    192.168.0.218
[root@localhost ~]#
```
Note: the command above lists the hosts that are in the websers group and also in the appsers group.
5. NOT (logical not)
```
[root@localhost ~]# ansible "websers:!appsers" --list
-bash: !appsers": event not found
[root@localhost ~]# ansible 'websers:!appsers' --list
  hosts (1):
    192.168.0.99
[root@localhost ~]#
```
Note: a NOT pattern must be single-quoted (inside double quotes bash treats ! as history expansion, which is the "event not found" error in the first attempt above). The command lists the hosts that are in websers but not in appsers.
6. Combined logic
```
[root@localhost ~]# tail -13 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233
[root@localhost ~]# ansible 'dbsers:websers:&appsers:!ftpsers' --list
  hosts (1):
    192.168.0.218
[root@localhost ~]#
```
Note: the command above combines OR, AND and NOT. In such a combined pattern the precedence is: NOT highest, then AND, with OR lowest. The command matches hosts that are in the dbsers or websers group, are also in appsers, and are not in ftpsers.
7. Regular expressions
```
[root@localhost ~]# ansible "~(web|db).*" --list
  hosts (4):
    192.168.0.99
    192.168.0.218
    192.168.0.208
    192.168.0.199
[root@localhost ~]#
```
Note: the command above matches hosts in groups whose name starts with web or db; the ~ prefix marks the pattern as a regular expression.
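To make the pattern rules above concrete, here is an added example (my own code, not part of the original post or of Ansible itself) that parses the INI inventory shown in this post and evaluates host patterns with the same semantics: `all` and `*` select everything, glob terms match host and group names, `~` terms are regular expressions, `:` joins terms, `&` intersects and `!` excludes. Plain terms are unioned first, then the `&` terms narrow the set, then the `!` terms remove hosts; a pattern whose first term is `&` or `!` starts from `all`. The inventory text is constructed from the four-group `/etc/ansible/hosts` listed above; the parser only handles `[group]` headers and plain host lines (no `[group:children]` or `[group:vars]` sections), and strips a trailing `:port` as ansible does for `192.168.0.99:41319`.

```python
import fnmatch
import re

# Constructed inventory text mirroring the four groups shown in the post.
INVENTORY_INI = """\
[websers]
192.168.0.99:41319
192.168.0.218

[appsers]
192.168.0.218
192.168.0.128

[dbsers]
192.168.0.208
192.168.0.199

[ftpsers]
192.168.0.123
192.168.0.233
"""

_PORT_SUFFIX = re.compile(r":\d+$")


def parse_ini_inventory(text):
    """Minimal INI inventory parser: {group: [host, ...]} plus an implicit 'all'.
    Handles [group] headers and host lines only; host vars after the name and
    an IPv4 :port suffix are dropped (IPv6 bracket syntax is not supported)."""
    groups = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        host = _PORT_SUFFIX.sub("", line.split()[0])
        groups.setdefault(current, []).append(host)
    seen = []
    for hosts in groups.values():
        for host in hosts:
            if host not in seen:
                seen.append(host)
    groups["all"] = seen
    return groups


def match_term(term, groups):
    """Hosts selected by one term: 'all'/'*', a glob, or a '~' regex.
    A term matches a group name (selecting its members) or a host name."""
    if term in ("all", "*"):
        return set(groups["all"])
    if term.startswith("~"):
        regex = re.compile(term[1:])
        hit = lambda name: regex.match(name) is not None
    else:
        hit = lambda name: fnmatch.fnmatchcase(name, term)
    matched = set()
    for group, hosts in groups.items():
        if group != "all" and hit(group):
            matched.update(hosts)
    matched.update(host for host in groups["all"] if hit(host))
    return matched


def evaluate_pattern(pattern, groups):
    """Evaluate a full host pattern: union of plain terms, then '&' intersections,
    then '!' exclusions. ':' and ',' both separate terms."""
    terms = [t for t in re.split(r"[:,]", pattern.strip()) if t]
    if not terms:
        return set()
    if terms[0][0] in "&!":          # implicit 'all' when the pattern starts with & or !
        terms.insert(0, "all")
    result = set()
    for term in terms:
        if term[0] not in "&!":
            result |= match_term(term, groups)
    for term in terms:
        if term[0] == "&":
            result &= match_term(term[1:], groups)
    for term in terms:
        if term[0] == "!":
            result -= match_term(term[1:], groups)
    return result


if __name__ == "__main__":
    inventory = parse_ini_inventory(INVENTORY_INI)
    for pat in ("all", "websers:&appsers", "websers:!appsers",
                "dbsers:websers:&appsers:!ftpsers", "~(web|db).*"):
        hosts = evaluate_pattern(pat, inventory)
        print(f"{pat!r}: hosts ({len(hosts)}): {', '.join(sorted(hosts))}")
```

Running it reproduces the results shown in the post for the combined and regex patterns; the `192.168.0.1*` glob now also picks up the dbsers and ftpsers hosts because this inventory has all four groups. Note that, as in the real tool, a glob such as `web*` matches the group name as well as host names, so it selects every member of websers.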
Having covered host patterns, let's look at how the ansible command actually executes. Adding -vvv when running ansible prints a detailed trace:
```
[root@localhost ~]# ansible "websers:&appsers" -m shell -a "getent passwd root" -vvv
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.0.218> (0, '/root
', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" && echo ansible-tmp-1573399527.3-188437527440745="` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" ) && sleep 0'"'"''
<192.168.0.218> (0, 'ansible-tmp-1573399527.3-188437527440745=/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745
', '')
<192.168.0.218> PUT /tmp/tmpPczCAu TO /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
<192.168.0.218> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 '[192.168.0.218]'
<192.168.0.218> (0, 'sftp> put /tmp/tmpPczCAu /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/ /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py && sleep 0'"'"''
<192.168.0.218> (0, '', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 -tt 192.168.0.218 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/" > /dev/null 2>&1 && sleep 0'"'"''
<192.168.0.218> (0, '
{"changed": true, "end": "2019-11-10 23:25:23.100262", "stdout": "root:x:0:0:root:/root:/bin/bash", "cmd": "getent passwd root", "rc": 0, "start": "2019-11-10 23:25:23.082719", "stderr": "", "delta": "0:00:00.017543", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "getent passwd root", "removes": null, "creates": null, "chdir": null, "stdin": null}}}
', 'Shared connection to 192.168.0.218 closed.
')
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

META: ran handlers
META: ran handlers
[root@localhost ~]#
```
Note: from the trace above we can see roughly how ansible executes a command:
1. ansible first loads its configuration file, by default /etc/ansible/ansible.cfg
2. It loads the module file; above it is the shell module (the trace shows modules/commands/command.py)
3. ansible renders the module or command into a temporary Python file and transfers it with sftp to the remote host, under the executing user's home directory at .ansible/tmp/ansible-tmp-<number>/xxxx.py
4. It then makes the transferred temporary file executable (chmod +x)
5. It runs the temporary file and returns the result
6. It deletes the temporary .py file, then sleep 0 and exit
ansible reports its results in three colours: red, green and orange. Red means the task failed or raised an exception, and as a rule the remaining tasks are aborted. Green and orange both mean the run completed without errors and every task executed normally, but orange means the target's state changed as a result of the command, while green means nothing changed. This colouring is not specific to the ansible command; the whole ansible family uses it, so the colour alone tells you whether a run went normally.
3. ansible-galaxy: connects to https://galaxy.ansible.com to download or upload roles
Usage:
```
Usage: ansible-galaxy [delete|import|info|init|install|list|login|remove|search|setup] [--help] [options] ...
```
1. Download and install a role
```
[root@localhost ~]# ansible-galaxy install geerlingguy.redis
- downloading role 'redis', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-redis/archive/1.6.0.tar.gz
- extracting geerlingguy.redis to /etc/ansible/roles/geerlingguy.redis
- geerlingguy.redis (1.6.0) was installed successfully
[root@localhost ~]#
```
2. List all installed roles
```
[root@localhost ~]# ansible-galaxy list
- geerlingguy.redis, 1.6.0
[root@localhost ~]#
```
3. Remove an installed role
```
[root@localhost ~]# ansible-galaxy remove geerlingguy.redis
- successfully removed geerlingguy.redis
[root@localhost ~]# ansible-galaxy list
[root@localhost ~]#
```
Note: galaxy downloads roles into /etc/ansible/roles by default, so a role can also be removed by deleting its directory there. Roles you write yourself can be placed in that directory too, and ansible-galaxy list will show them as well.
4. ansible-vault: encrypts and decrypts YAML files
Usage:
```
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
```
1. Encrypt
```
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]# ansible-vault encrypt test.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
38653234373532306537633636343038383031613537303437623730626462306665363165363432
6162306332313031326330386136623464346533363164320a353734386632303837393633643932
62656262626265396236646536646231646631363431383261623530626639303132396139633731
6663633466373034320a323161316262653535353361353436353238663836623034366534393265
34663862363938653531346237323265633861663430313839653932633362333865333366353765
38326239386432373665396133346632346336373839386134366335663339363338306138363733
39653462373564383736373063333764653137356237353563396635633862623039373964326531
61626138316239663535346562643436666534333637313363663536393932313565623533666561
6564
[root@localhost ansible]#
```
2. Decrypt
```
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
38653234373532306537633636343038383031613537303437623730626462306665363165363432
6162306332313031326330386136623464346533363164320a353734386632303837393633643932
62656262626265396236646536646231646631363431383261623530626639303132396139633731
6663633466373034320a323161316262653535353361353436353238663836623034366534393265
34663862363938653531346237323265633861663430313839653932633362333865333366353765
38326239386432373665396133346632346336373839386134366335663339363338306138363733
39653462373564383736373063333764653137356237353563396635633862623039373964326531
61626138316239663535346562643436666534333637313363663536393932313565623533666561
6564
[root@localhost ansible]# ansible-vault decrypt test.yaml
Vault password:
Decryption successful
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]#
```
3. View without decrypting the file
```
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[root@localhost ansible]# ansible-vault view test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[root@localhost ansible]#
```
4. Edit an encrypted file
```
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[root@localhost ansible]# ansible-vault edit test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
    - name: test1
      shell: ls /root/
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/tmpBHavml.yaml" 9L, 135C written
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
30653764326466326131636362363762356362393334383966303433306331316335373732633463
3430383065336336333232303933356161363861376335630a363837363963386265333866643265
35333133393861646662636261653662313864633866373930306664646563343966366239373432
3661376233383766610a
(remaining ciphertext lines not preserved in the source)
[root@localhost ansible]#
```
Note: the file stays encrypted after editing; ansible-vault decrypts it into a temporary file for the editor and re-encrypts it on save.
5. Change the vault password
```
[root@localhost ansible]# ansible-vault rekey test.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[root@localhost ansible]#
```
Note: to change the password you must first enter the current one; only then can it be changed. If the password is forgotten, the file can no longer be viewed and the password cannot be changed either.
6. Create a new encrypted file
```
[root@localhost ansible]# ls
test.yaml
[root@localhost ansible]# ansible-vault create test2.yaml
New Vault password:
Confirm New Vault password:
---
- hosts: appsers
  remote_user: root
  tasks:
    - name: test2
      shell: getent passwd
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/tmpgYTB3x.yaml" 7L, 92C written
[root@localhost ansible]# ls
test2.yaml  test.yaml
[root@localhost ansible]# cat test2.yaml
$ANSIBLE_VAULT;1.1;AES256
64616164373236646635383539366661646262383936613533363263303136393031633533373638
6261613964636466656439656464336635323337643632620a366133383633633837363432326138
63323331346437636365353866656233363139633364353833623933353732323038336364376539
3963643939383734350a643734356432663063383066313932333837323631636536613834333232
30393464376230633762663364333330343132386132343861636665343831653863653939356536
62333564303934303138356332376634313535373037663866323038363237323438633464623534
61303937313930363230353165346337393462666131303861646262333830333365393737326365
63346431613736303963346130363464313239646361653830303862333236303939613665383261
3230
[root@localhost ansible]#
```
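The encrypted files above all share one layout, and knowing it lets you check mechanically that a secrets file really is vault-encrypted before it is committed, which is the mistake that most often leaks vault contents. The following is an added example of my own (not Ansible's code): it packs and parses the vault 1.1/1.2 envelope as I understand it: the `$ANSIBLE_VAULT;<version>;AES256` header, then one hex-encoded blob wrapped at 80 characters whose decoded form is `hex(salt) + "\n" + hmac_hex + "\n" + hex(ciphertext)`, with a 32-byte salt, a SHA-256 HMAC and a ciphertext padded to the 16-byte AES block size. The key derivation (PBKDF2-HMAC-SHA256) and the AES-CTR encryption itself are deliberately not implemented here; the sample salt, HMAC and ciphertext are constructed placeholder bytes, not a real encryption. For comparison, the blobs in this post are eight full 80-character lines plus a 4-character tail, which is exactly the size this layout gives for a 96-byte ciphertext, consistent with the six-line playbook above padded to a block boundary.

```python
import binascii

VAULT_MAGIC = "$ANSIBLE_VAULT"


def build_vault_text(salt, hmac_hex, ciphertext, vault_id=None):
    """Pack salt, hmac hex digest and ciphertext into the on-disk vault layout.
    Only the envelope is built here; no key derivation or encryption happens."""
    inner = b"\n".join([binascii.hexlify(salt),
                        hmac_hex.encode("ascii"),
                        binascii.hexlify(ciphertext)])
    body = binascii.hexlify(inner).decode("ascii")
    header = (f"{VAULT_MAGIC};1.2;AES256;{vault_id}" if vault_id
              else f"{VAULT_MAGIC};1.1;AES256")
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]   # 80-char wrapping
    return "\n".join([header] + lines) + "\n"


def parse_vault_text(text):
    """Split a vault file into its header fields, salt, HMAC and ciphertext.
    Raises ValueError for anything that is not a well-formed AES256 vault."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(VAULT_MAGIC + ";"):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("unsupported vault header: " + lines[0])
    inner = binascii.unhexlify("".join(lines[1:]))   # binascii.Error is a ValueError
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("vault body must contain salt, hmac and ciphertext")
    salt = binascii.unhexlify(parts[0])
    hmac_hex = parts[1].decode("ascii")
    ciphertext = binascii.unhexlify(parts[2])
    if len(salt) != 32 or len(hmac_hex) != 64 or len(ciphertext) % 16 != 0:
        raise ValueError("component sizes do not match an AES256 vault")
    return {"version": fields[1],
            "vault_id": fields[3] if len(fields) > 3 else None,
            "salt": salt, "hmac": hmac_hex, "ciphertext": ciphertext}


def is_vault_encrypted(text):
    """True only if the text is a structurally valid vault envelope."""
    try:
        parse_vault_text(text)
        return True
    except ValueError:
        return False


def find_unencrypted(files):
    """files: {path: contents} for files that are supposed to be encrypted.
    Returns the paths whose contents are not a valid vault envelope; a
    non-empty result is what a pre-commit hook should fail on."""
    return sorted(path for path, body in files.items() if not is_vault_encrypted(body))


# Constructed placeholder components (not a real encryption of anything).
SAMPLE_SALT = bytes(range(32))
SAMPLE_HMAC = "ab" * 32                      # hex digest of a 32-byte SHA-256 tag
SAMPLE_CIPHERTEXT = bytes([0x5a]) * 96       # 96 bytes = 91-byte playbook padded to a block
SAMPLE_VAULT = build_vault_text(SAMPLE_SALT, SAMPLE_HMAC, SAMPLE_CIPHERTEXT)
PLAIN_YAML = ("---\n- hosts: websers\n  remote_user: root\n  tasks:\n"
              "    - name: test\n      command: hostname\n")

if __name__ == "__main__":
    print(SAMPLE_VAULT)
    print("encrypted:", is_vault_encrypted(SAMPLE_VAULT), "plain:", is_vault_encrypted(PLAIN_YAML))
    print("not encrypted:", find_unencrypted({"group_vars/websers/vault.yml": SAMPLE_VAULT,
                                              "group_vars/appsers/vault.yml": PLAIN_YAML}))
```

The header check is what matters in practice: a file that merely starts with `$ANSIBLE_VAULT` but whose body is not valid hex is rejected too, so a half-written or corrupted file does not pass as encrypted. Parsing the envelope also tells you nothing secret; everything that protects the content is the password-derived key, which is why the rekey command above only needs to re-encrypt, not change the layout.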
5. ansible-console: runs ansible commands interactively with tab completion. It sits between ad-hoc usage and ansible-playbook, and is handy for running a batch of one-off operations or commands.
```
[root@localhost ansible]# ansible-console
Vault password:
Welcome to the ansible console.
Type help or ? to list commands.

root@all (7)[f:5]$ list
192.168.0.99
192.168.0.218
192.168.0.123
192.168.0.233
192.168.0.128
192.168.0.208
192.168.0.199
root@all (7)[f:5]$ cd websers
root@websers (2)[f:5]$ list
192.168.0.99
192.168.0.218
root@websers (2)[f:5]$ forks 2
root@websers (2)[f:2]$ shell getent passwd root
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

192.168.0.99 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

root@websers (2)[f:2]$
```
Note: typing ansible-console drops you into a shell-like interactive environment. The prompt format is: user@current host group (number of hosts in the group)[f:forks]$. Set the fork count with forks n, where n is the number of parallel forks; switch groups with cd <group>, e.g. cd websers; list shows the hosts in the current group; ? or help lists all built-in commands.
6. ansible-playbook: runs playbook files
Usage:
```
Usage: ansible-playbook [options] playbook.yml [playbook2 ...]
```
Common options:
-C, --check: check the playbook without executing it
-e: pass variables
-f: set the number of forks, default 5
-t: run only the given tags
-l, --limit=subset: run only against the given hosts
--list-hosts: list the matched hosts
--list-tags: list all available tags
--list-tasks: list all tasks that would be executed
```
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: /usr/bin/wall hello world
[root@localhost ansible]# ansible-playbook -C test.yaml

PLAY [websers] ****************************************************************

TASK [Gathering Facts] ********************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] *******************************************************************
skipping: [192.168.0.218]
skipping: [192.168.0.99]

PLAY RECAP ********************************************************************
192.168.0.218              : ok=1    changed=0    unreachable=0    failed=0
192.168.0.99               : ok=1    changed=0    unreachable=0    failed=0

[root@localhost ansible]# ansible-playbook test.yaml

PLAY [websers] ****************************************************************

TASK [Gathering Facts] ********************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] *******************************************************************
changed: [192.168.0.218]
changed: [192.168.0.99]

PLAY RECAP ********************************************************************
192.168.0.218              : ok=2    changed=1    unreachable=0    failed=0
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0

[root@localhost ansible]# ansible-playbook test.yaml --list-hosts

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
    pattern: [u'websers']
    hosts (2):
      192.168.0.99
      192.168.0.218
[root@localhost ansible]# ansible-playbook test.yaml --list-tags

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
      TASK TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --list-tasks

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
    tasks:
      test	TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --limit 192.168.0.99

PLAY [websers] ****************************************************************

TASK [Gathering Facts] ********************************************************
ok: [192.168.0.99]

TASK [test] *******************************************************************
changed: [192.168.0.99]

PLAY RECAP ********************************************************************
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0

[root@localhost ansible]#
```
7. ansible-pull: pulls playbooks from a VCS repository and runs them against the local host. It uses ansible's other mode of operation, pull mode (ansible uses push mode by default), which works the opposite way round from the usual push mechanism and suits the following scenarios: 1. a very large number of machines need configuring, which takes a long time even with many parallel forks; 2. running ansible on hosts that have just booted and have no network connection.
Usage:
```
ansible-pull -U <repository> [options] [<playbook.yml>]
```
Common options:
```
-U <URL>, --url <URL>              URL of the playbook repository
-d <DEST>, --directory <DEST>      directory to check the repository out into
-i, --inventory, --inventory-file  inventory host path or comma-separated host list (--inventory-file is deprecated)
-o, --only-if-changed              only run the playbook if the repository has been updated
-u <REMOTE_USER>, --user <REMOTE_USER>
                                   connect as this user (default=None)
```
ansible-pull is usually combined with git and crontab: a cron job periodically pulls the playbook from the specified git repository to the local machine and runs the pre-defined instructions in the chosen mode.
Example:
```
*/20 * * * * root /usr/local/bin/ansible-pull -o -C 2.1.0 -d /srv/www/king-gw/ -i /etc/ansible/hosts -U git://git.kingifa.com/king-gw-ansiblepull >> /var/log/ansible-pull.log 2>&1
```
ansible-pull is typically used when configuring machines in bulk. It is somewhat less flexible, but its throughput scales almost without limit, and it demands a higher skill level and more forward planning from the operations staff.
For more options see https://docs.ansible.com/ansible/2.4/ansible-pull.html
Author: Linux-1874