Deploying an Ansible Automation Operations Platform on Alibaba Cloud

The following is a complete hands-on guide to automated operations with Ansible on Alibaba Cloud. It brings together all the core workflows and commands and is adapted to the server plan below:


I. Environment Planning

Hostname   IP address          Role                   Operating system
manage01   192.168.98.200/24   Ansible control node   CentOS 7.9
node1      192.168.98.201/24   Application node       CentOS 7.9
node2      192.168.98.202/24   Application node       CentOS 7.9
node3      192.168.98.203/24   Application node       CentOS 7.9


II. Pre-deployment Preparation

1. Alibaba Cloud security group configuration

  • Rules to allow in the security group of every ECS instance:
    • Inbound: TCP 22 (SSH) and ICMP (restrict the SSH source to the control node's address or your bastion range rather than 0.0.0.0/0)
    • Outbound: All Traffic

2. Base configuration on all nodes

# 1. Disable firewalld and SELinux (run on every node)
systemctl stop firewalld && systemctl disable firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0

# 2. Configure time synchronization against the Alibaba Cloud internal NTP servers
yum install -y chrony
# This replaces the whole chrony.conf; only the Alibaba Cloud servers are kept
cat > /etc/chrony.conf << EOF
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
EOF
systemctl restart chronyd && systemctl enable chronyd


III. Deploying the Ansible Control Node (manage01)

1. Install Ansible

# Install the EPEL repository and Ansible
yum install -y epel-release
yum install -y ansible git

# Verify the installation
ansible --version  # should report ansible 2.9 or later

2. Configure passwordless SSH login

# 1. Generate a key pair (default path)
ssh-keygen -t rsa -b 4096 -N "" -f ~/.ssh/id_rsa

# 2. Distribute the public key to all nodes
# The node names must resolve from manage01 (for example via /etc/hosts) before this loop runs
for node in node1 node2 node3 manage01; do
  ssh-copy-id -i ~/.ssh/id_rsa.pub root@$node
done

# 3. Test connectivity (run from ~/ansible-project; uses the inventory file created in section IV)
ansible all -m ping -i inventory/production.ini


IV. Core Ansible Configuration

1. Project directory layout

mkdir -p ~/ansible-project/{inventory,group_vars,roles,playbooks}
cd ~/ansible-project

2. Host inventory file

# ~/ansible-project/inventory/production.ini
[management]
manage01 ansible_host=192.168.98.200

[nodes]
node1 ansible_host=192.168.98.201
node2 ansible_host=192.168.98.202
node3 ansible_host=192.168.98.203

[all:vars]
ansible_user=root
ansible_ssh_private_key_file=~/.ssh/id_rsa
ansible_python_interpreter=/usr/bin/python

3. Ansible configuration file

# ~/ansible-project/ansible.cfg
[defaults]
inventory = ./inventory/production.ini
# Disables SSH host key verification, so a substituted host would not be noticed;
# pre-populate ~/.ssh/known_hosts and set this to True for production use
host_key_checking = False
log_path = ./ansible.log
roles_path = ./roles
forks = 20

[privilege_escalation]
become = True
become_method = sudo
become_user = root
become_ask_pass = False


V. Automated Base Environment Configuration

1. Static IP configuration (all nodes)

# ~/ansible-project/playbooks/network_config.yml
---
- name: Configure Static IP
  hosts: all
  become: yes
  vars:
    interface: eth0
    network_config:
      manage01:
        ip: 192.168.98.200
        gateway: 192.168.98.1
      node1:
        ip: 192.168.98.201
        gateway: 192.168.98.1
      node2:
        ip: 192.168.98.202
        gateway: 192.168.98.1
      node3:
        ip: 192.168.98.203
        gateway: 192.168.98.1

  tasks:
    - name: Configure network interface
      template:
        src: templates/ifcfg-eth0.j2
        dest: /etc/sysconfig/network-scripts/ifcfg-{{ interface }}
      notify: Restart network

  handlers:
    - name: Restart network
      service:
        name: network
        state: restarted

Template file templates/ifcfg-eth0.j2 (relative to the playbook directory):

DEVICE={{ interface }}
BOOTPROTO=static
ONBOOT=yes
IPADDR={{ network_config[inventory_hostname].ip }}
NETMASK=255.255.255.0
GATEWAY={{ network_config[inventory_hostname].gateway }}
DNS1=100.100.2.136  # Alibaba Cloud internal DNS
DNS2=100.100.2.138

2. Hostname configuration

# ~/ansible-project/playbooks/hostname_config.yml
---
- name: Set Hostname
  hosts: all
  become: yes
  tasks:
    - name: Set system hostname
      hostname:
        name: "{{ inventory_hostname }}"

    - name: Update /etc/hosts
      lineinfile:
        path: /etc/hosts
        regexp: "^{{ ansible_default_ipv4.address }}"
        line: "{{ ansible_default_ipv4.address }} {{ inventory_hostname }}"
        state: present

Run the playbooks (from ~/ansible-project, so that ansible.cfg is picked up):

ansible-playbook playbooks/network_config.yml
ansible-playbook playbooks/hostname_config.yml


VI. Core Operations Scenarios

Scenario 1: Batch-install basic tools

# ~/ansible-project/playbooks/install_essentials.yml
---
- name: Install Base Packages
  hosts: nodes
  become: yes
  tasks:
    - name: Install common tools
      yum:
        name: [vim, wget, telnet, net-tools, lsof]
        state: latest

Scenario 2: Deploy an Nginx cluster

# ~/ansible-project/roles/nginx/tasks/main.yml
---
- name: Install Nginx
  yum:
    name: nginx
    state: latest

- name: Copy customized config
  template:
    src: nginx.conf.j2   # expected at roles/nginx/templates/nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    backup: yes
  notify: Restart Nginx

- name: Ensure service running
  service:
    name: nginx
    state: started
    enabled: yes

Handlers belong in their own file inside the role rather than in tasks/main.yml:

# ~/ansible-project/roles/nginx/handlers/main.yml
---
- name: Restart Nginx
  service:
    name: nginx
    state: restarted

Run the playbooks (playbooks/deploy_nginx.yml is the play that applies the nginx role to the nodes group; the inventory is already set in ansible.cfg, so no -i option is needed):

ansible-playbook playbooks/install_essentials.yml
ansible-playbook playbooks/deploy_nginx.yml


VII. Production-grade Enhancements

1. Encrypting sensitive data

# Create an encrypted variables file (prompts for a vault password)
ansible-vault create group_vars/all_secrets.yml

# Load it from a playbook task; run the playbook with --ask-vault-pass
# (include_vars resolves paths relative to the playbook, which lives in playbooks/)
- name: Load secrets
  include_vars: "{{ playbook_dir }}/../group_vars/all_secrets.yml"
  no_log: true

2. Alibaba Cloud dynamic inventory integration

# Install the Alibaba Cloud ECS Python SDK (pulls in aliyun-python-sdk-core)
pip install aliyun-python-sdk-ecs

Example dynamic inventory script, ~/ansible-project/inventory/aliyun_ecs.py:

#!/usr/bin/env python
import json
from aliyunsdkcore.client import AcsClient
from aliyunsdkecs.request.v20140526 import DescribeInstancesRequest

# Placeholders only: never commit real keys; read them from the environment or use a RAM role
client = AcsClient('<ACCESS_KEY>', '<SECRET_KEY>', 'cn-hangzhou')

def main():
    request = DescribeInstancesRequest.DescribeInstancesRequest()
    response = client.do_action_with_exception(request)
    # Prints the raw DescribeInstances result; a usable inventory script must reshape it
    # into the JSON structure Ansible expects for --list and --host
    print(json.dumps(json.loads(response), indent=2))

if __name__ == "__main__":
    main()
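
As an added example (not part of the original post), here is a complete version of such a script that follows Ansible's dynamic-inventory contract: it answers --list with groups and _meta hostvars built from a DescribeInstances reply, answers --host with an empty object, and takes credentials from environment variables instead of the source file. The environment variable names and the two sample instances are assumptions; without credentials it falls back to a constructed sample reply so it can be tried offline.

```python
#!/usr/bin/env python
"""Ansible dynamic inventory built from an ECS DescribeInstances response."""
import json
import os
import sys


def build_inventory(describe_response):
    """Reshape a DescribeInstances result (dict) into Ansible's --list JSON: hosts
    keyed by InstanceName, grouped by zone and by each tag as <TagKey>_<TagValue>."""
    inventory = {"_meta": {"hostvars": {}}}
    for inst in describe_response["Instances"]["Instance"]:
        name = inst["InstanceName"]
        private_ip = inst["VpcAttributes"]["PrivateIpAddress"]["IpAddress"][0]
        inventory["_meta"]["hostvars"][name] = {
            "ansible_host": private_ip, "instance_id": inst["InstanceId"]}
        groups = [inst["ZoneId"]]
        for tag in inst.get("Tags", {}).get("Tag", []):
            groups.append("%s_%s" % (tag["TagKey"], tag["TagValue"]))
        for group in groups:
            inventory.setdefault(group, {"hosts": []})["hosts"].append(name)
    return inventory


def fetch_from_aliyun():
    """Query the ECS API; keys come from the environment (variable names assumed)."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdkecs.request.v20140526 import DescribeInstancesRequest
    client = AcsClient(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
                       os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
                       os.environ.get("ALIBABA_CLOUD_REGION_ID", "cn-hangzhou"))
    request = DescribeInstancesRequest.DescribeInstancesRequest()
    return json.loads(client.do_action_with_exception(request))


# Constructed sample reply (not real instances), used when no credentials are set.
SAMPLE_RESPONSE = {"Instances": {"Instance": [
    {"InstanceId": "i-sample1", "InstanceName": "manage01", "ZoneId": "cn-hangzhou-h",
     "VpcAttributes": {"PrivateIpAddress": {"IpAddress": ["192.168.98.200"]}},
     "Tags": {"Tag": [{"TagKey": "role", "TagValue": "management"}]}},
    {"InstanceId": "i-sample2", "InstanceName": "node1", "ZoneId": "cn-hangzhou-h",
     "VpcAttributes": {"PrivateIpAddress": {"IpAddress": ["192.168.98.201"]}},
     "Tags": {"Tag": [{"TagKey": "role", "TagValue": "nodes"}]}}]}}

if __name__ == "__main__":
    if "--host" in sys.argv:
        print(json.dumps({}))  # per-host vars are already delivered through _meta
    else:
        live = "ALIBABA_CLOUD_ACCESS_KEY_ID" in os.environ
        print(json.dumps(build_inventory(fetch_from_aliyun() if live else SAMPLE_RESPONSE)))
```

Make the file executable and point Ansible at it with -i inventory/aliyun_ecs.py; groups derived from tags (for example role_nodes) can then be targeted like the static groups above.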


VIII. Verification and Monitoring

1. Service status verification

ansible nodes -m shell -a "systemctl status nginx"
# Requires a /health location to be defined in the nginx.conf.j2 template
ansible nodes -m uri -a "url=http://localhost/health"

2. Alibaba Cloud monitoring integration

# ~/ansible-project/roles/monitoring/tasks/main.yml
---
- name: Install CloudMonitor Agent
  yum:
    name: aliyun-cloudmonitor
    state: present

- name: Start CloudMonitor
  service:
    name: cloudmonitor
    state: started
    enabled: yes


IX. Operations Quick Reference

Scenario                      Example command
Check node connectivity       ansible all -m ping
Run a shell command in bulk   ansible nodes -m shell -a "df -h"
Distribute a file             ansible web -m copy -a "src=app.conf dest=/etc/app/ owner=root"
Manage a service              ansible db -m service -a "name=mysql state=restarted"
Security updates              ansible all -m yum -a "name=* state=latest update_cache=yes"
Dry-run a playbook            ansible-playbook deploy.yml --check --diff
Run an encrypted playbook     ansible-playbook secure.yml --ask-vault-pass

(web and db are illustrative group names; they are not defined in the inventory above.)


With this guide you have completed the following core build-out:

  1. Standardized base environment: unified configuration of networking, hostnames and security policy
  2. Automation framework: Ansible control node plus managed nodes
  3. Production-grade practices: dynamic inventory, encrypted secrets, monitoring integration
  4. Extensible scenarios: new service deployments added quickly through the Roles mechanism

Recommended next steps:

  • Keep the configuration under version control with Git
  • Run ansible-playbook --check regularly to detect configuration drift
  • Schedule Ansible jobs through Alibaba Cloud OOS
  • Use Ansible Tower/AWX for a visual operations console

References:

  https://www.ansible.com/


posted @ 2025-05-07 10:57  Johny_Zhao