Ansible command-line tools explained (repost)
The ansible family of commands consists of ansible, ansible-doc, ansible-playbook, ansible-vault, ansible-console, ansible-galaxy and ansible-pull. Each of them has its own purpose and usage; let's go through them one by one.
1. ansible-doc: shows help information for modules, much like the man command on Linux.
Command usage:
ansible-doc [options] [module...]
Common options:
-a: show the documentation of all modules
[root@localhost ~]# ansible-doc -a ping
> A10_SERVER    (/usr/lib/python2.7/site-packages/ansible/modules/network/a10/a10_server.py)

        Manage SLB (Server Load Balancer) server objects on A10 Networks devices via aXAPIv2.

OPTIONS (= is mandatory):

= host
        Hostname or IP of the A10 Networks device.
        [Default: None]

- partition
        set active-partition
        [Default: None]
        version_added: 2.3

= password
        Password for the `username' account.
        (Aliases: pass, pwd)[Default: None]

- server_ip
        The SLB server IPv4 address.
        (Aliases: ip, address)[Default: None]
:
Note: the -a option lists all the usage of the ping module; only part of it is shown above.
-l, --list: list all available modules
[root@localhost ~]# ansible-doc -l
a10_server                          Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' server object.
a10_server_axapi3                   Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
a10_service_group                   Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' service groups.
a10_virtual_server                  Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' virtual servers.
accelerate                          Enable accelerated mode on remote node
aci_aep                             Manage attachable Access Entity Profile (AEP) on Cisco ACI fabrics (infr...
aci_ap                              Manage top level Application Profile (AP) objects on Cisco ACI fabrics (...
aci_bd                              Manage Bridge Domains (BD) on Cisco ACI Fabrics (fv:BD)
aci_bd_subnet                       Manage Subnets on Cisco ACI fabrics (fv:Subnet)
aci_bd_to_l3out                     Bind Bridge Domain to L3 Out on Cisco ACI fabrics (fv:RsBDToOut)
aci_config_rollback                 Provides rollback and rollback preview functionality for Cisco ACI fabri...
aci_config_snapshot                 Manage Config Snapshots on Cisco ACI fabrics (config:Snapshot, config:Ex...
aci_contract                        Manage contract resources on Cisco ACI fabrics (vz:BrCP)
aci_contract_subject                Manage initial Contract Subjects on Cisco ACI fabrics (vz:Subj)
aci_contract_subject_to_filter      Bind Contract Subjects to Filters on Cisco ACI fabrics (vz:RsSubjFiltAtt...
aci_epg                             Manage End Point Groups (EPG) on Cisco ACI fabrics (fv:AEPg)
aci_epg_monitoring_policy           Manage monitoring policies on Cisco ACI fabrics (mon:EPGPol)
aci_epg_to_contract                 Bind EPGs to Contracts on Cisco ACI fabrics (fv:RsCons and fv:RsProv)
aci_epg_to_domain                   Bind EPGs to Domains on Cisco ACI fabrics (fv:RsDomAtt)
aci_filter                          Manages top level filter objects on Cisco ACI fabrics (vz:Filter)
aci_filter_entry                    Manage filter entries on Cisco ACI fabrics (vz:Entry)
aci_intf_policy_fc                  Manage Fibre Channel interface policies on Cisco ACI fabrics (fc:IfPol)
aci_intf_policy_l2                  Manage Layer 2 interface policies on Cisco ACI fabrics (l2:IfPol)
:
Note: the -l option lists every available module with a brief description of what it does; only part of the output is shown above.
-s, --snippet: show a playbook snippet for the given module
[root@localhost ~]# ansible-doc -s ping
- name: Try to connect to host, verify a usable python and return `pong' on success
  ping:
      data:                  # Data to return for the `ping' return value. If this parameter is set to `crash', the module will cause an exception.

[root@localhost ~]#
Note: -s is the option we use most often; it lists the module's common parameters, how to use them and what they do.
2. ansible: this is Ansible's main program and the command we use most often to manage hosts. It can call all kinds of modules to perform configuration management, application deployment, task execution and so on against remote hosts. As covered earlier, Ansible manages hosts in two ways: ad-hoc, i.e. running the ansible command on the command line, and ansible-playbook.
Command usage:
ansible <host-pattern> [-m module_name] [-a args]
Note: the usage is easy to understand. Ansible's strength is its many modules, and the ansible command manages hosts through those modules. The usage above reads: which hosts ansible should manage (we must specify a host or host group), which module to use (-m gives the module name; if omitted, the default module is used), and what the module should do (-a passes the corresponding arguments to the module).
Common options:
--version: show the version
[root@localhost ~]# ansible --version
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
[root@localhost ~]#
-m module: specify the module; on a fresh Ansible install the default module is command
-v: show a brief execution trace; -vv shows a more detailed trace and -vvv the most detailed one
--list-hosts: show the matched host list; can be shortened to --list
[root@localhost ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]# ansible websers --list
  hosts (1):
    192.168.0.99
[root@localhost ~]# ansible appsers --list
  hosts (2):
    192.168.0.218
    192.168.0.128
[root@localhost ~]#
Note: all matches every host in the inventory.
-k, --ask-pass: prompt for the SSH password; by default Ansible authenticates with SSH keys (lowercase k)
[root@localhost ~]# ansible websers -m ping -k
SSH password:
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]#
Note: this option is generally used for inventory hosts that have no SSH key authentication set up; it is normally not recommended.
-K, --ask-become-pass: prompt for the sudo password (uppercase K)
[root@localhost ~]# ansible websers -u 'qiuhom' -k -s -K -a " getent shadow qiuhom"
 [DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line
arguments. This feature will be removed in version 2.6. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
SSH password:
SUDO password[defaults to SSH password]:
192.168.0.99 | SUCCESS | rc=0 >>
qiuhom:$6$5mlfZaKT$YmDjmEnKPoC.xASTVA5JqUrTiIkuXOe1yDm9PCql89e4lGKUS.W1515phi1OgD1W7Zu6Lm9srTBHi9QAigWpz/:18068:0:99999:7:::

[root@localhost ~]#
Note: -u specifies the remote user to run as, -s runs the following operation with sudo, -k (lowercase) uses SSH password authentication, -K (uppercase) prompts for the sudo password, and -a passes arguments to the module. The example above gives no -m, so the default module, command, is used; this default can be set in /etc/ansible/ansible.cfg.
-C, --check: check mode; nothing is executed. Mainly used to check whether a playbook is written correctly.
-T, --timeout: timeout for command execution; default is 10 seconds
-u: the user to run the command as on the remote host; this user must exist on the remote server, not on the local control node
-b, --become: replaces the old sudo switch
--become-user USERNAME: the user sudo runs as; default is root
Now that the basic ansible options are covered, let's look at host pattern matching.
1. all: matches every host defined in the inventory
[root@localhost ~]# ansible all -m ping
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]#
2. "*": wildcard; it also matches every host in the inventory, and works like shell wildcards on Linux.
[root@localhost ~]# ansible * -m ping
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible 192.168.0.1* -m ping
192.168.0.128 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]# ansible web* -m ping
192.168.0.99 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@localhost ~]#
3. OR
[root@localhost ~]# tail -6 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[root@localhost ~]# ansible "websers:appsers" --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[root@localhost ~]# ansible "192.168.0.1*:192.168.0.2*" --list
  hosts (2):
    192.168.0.128
    192.168.0.218
[root@localhost ~]#
4. AND
[root@localhost ~]# ansible "websers:&appsers" --list
  hosts (1):
    192.168.0.218
[root@localhost ~]#
Note: the command above lists the hosts that are in the websers group and also in the appsers group.
5. NOT
[root@localhost ~]# ansible "websers:!appsers" --list
-bash: !appsers": event not found
[root@localhost ~]# ansible 'websers:!appsers' --list
  hosts (1):
    192.168.0.99
[root@localhost ~]#
Note: the NOT pattern must be written in single quotes (inside double quotes bash tries to expand ! as a history reference, which is the "event not found" error above). The command above lists the hosts that are in websers but not in appsers.
6. Combined logic
[root@localhost ~]# tail -13 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233
[root@localhost ~]# ansible 'dbsers:websers:&appsers:!ftpsers' --list
  hosts (1):
    192.168.0.218
[root@localhost ~]#
Note: the command above combines OR, AND and NOT. In such a combined pattern, matching follows this precedence: NOT has the highest priority, then AND, and OR has the lowest. The command above matches the hosts of the dbsers and websers groups that are also in appsers but not in ftpsers.
7. Regular expressions
[root@localhost ~]# ansible "~(web|db).*" --list
  hosts (4):
    192.168.0.99
    192.168.0.218
    192.168.0.208
    192.168.0.199
[root@localhost ~]#
Note: the command above matches the hosts of groups whose names start with web or db; ~ means the pattern is a regular expression.
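To make the matching rules of sections 1 to 7 concrete, here is an added Python re-implementation of the host-pattern evaluation (my code, not Ansible's) run against the inventory excerpt from section 6. It handles globs, ~regex and the ':' / '&' / '!' combinations with the precedence described above, and also the case where only '&' or '!' terms are given, which I assume Ansible resolves by starting from all.

```python
import re
from fnmatch import fnmatchcase

# Constructed INI inventory mirroring the post's /etc/ansible/hosts excerpt
INVENTORY_INI = """
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233
"""

def _add(target, hosts):
    """Append hosts to target in first-seen order without duplicates."""
    for h in hosts:
        if h not in target:
            target.append(h)

def parse_ini_inventory(text):
    """Return {group: [host, ...]} in file order plus an implicit 'all' group."""
    groups, current = {}, "ungrouped"
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            groups.setdefault(current, [])
            continue
        # first token is the host; a ':port' suffix (192.168.0.99:41319) only
        # sets ansible_port and is not part of the name (IPv4/hostnames assumed)
        groups.setdefault(current, []).append(line.split()[0].rsplit(":", 1)[0])
    groups["all"] = []
    for name, hosts in groups.items():
        if name != "all":
            _add(groups["all"], hosts)
    return groups

def _match_one(groups, pat):
    """Hosts picked by one sub-pattern, tested against group names, then host
    names; a '~' prefix means regular expression, anything else is a glob."""
    if pat in ("all", "*"):
        return list(groups["all"])
    if pat.startswith("~"):
        rx = re.compile(pat[1:])
        hit = lambda name: rx.match(name) is not None
    else:
        hit = lambda name: fnmatchcase(name, pat)
    out = []
    for name, hosts in groups.items():
        if hit(name):
            _add(out, hosts)
    _add(out, [h for h in groups["all"] if hit(h)])
    return out

def match_hosts(groups, pattern):
    """Evaluate e.g. 'dbsers:websers:&appsers:!ftpsers': plain terms are unioned
    first, then '&' terms intersect and '!' terms subtract (the NOT > AND > OR
    precedence the post describes). No plain term at all means start from 'all'
    (assumed Ansible behaviour)."""
    subs = [p for p in re.split(r"[:,]", pattern) if p]  # regex terms must not contain ':' or ','
    hosts = []
    for p in [p for p in subs if p[0] not in "&!"] or ["all"]:
        _add(hosts, _match_one(groups, p))
    for p in subs:
        if p[0] in "&!":   # both are filters on the union, so their order is irrelevant
            that = set(_match_one(groups, p[1:]))
            hosts = [h for h in hosts if (h in that) == (p[0] == "&")]
    return hosts

if __name__ == "__main__":
    inv = parse_ini_inventory(INVENTORY_INI)
    for pat in ("websers:appsers", "websers:&appsers", "websers:!appsers",
                "dbsers:websers:&appsers:!ftpsers", "~(web|db).*", "192.168.0.1*"):
        print("%-34s -> %s" % (pat, match_hosts(inv, pat)))
```

Because this inventory has four groups (not the two of section 3), 192.168.0.1* now also picks up hosts from dbsers and ftpsers.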
Having covered host patterns, let's look at how the ansible command executes. Running ansible with the -vvv option shows the execution process in detail:
[root@localhost ~]# ansible "websers:&appsers" -m shell -a "getent passwd root" -vvv
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.0.218> (0, '/root\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" && echo ansible-tmp-1573399527.3-188437527440745="` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" ) && sleep 0'"'"''
<192.168.0.218> (0, 'ansible-tmp-1573399527.3-188437527440745=/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745\n', '')
<192.168.0.218> PUT /tmp/tmpPczCAu TO /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
<192.168.0.218> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 '[192.168.0.218]'
<192.168.0.218> (0, 'sftp> put /tmp/tmpPczCAu /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/ /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py && sleep 0'"'"''
<192.168.0.218> (0, '', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 -tt 192.168.0.218 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/" > /dev/null 2>&1 && sleep 0'"'"''
<192.168.0.218> (0, '\r\n{"changed": true, "end": "2019-11-10 23:25:23.100262", "stdout": "root:x:0:0:root:/root:/bin/bash", "cmd": "getent passwd root", "rc": 0, "start": "2019-11-10 23:25:23.082719", "stderr": "", "delta": "0:00:00.017543", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "getent passwd root", "removes": null, "creates": null, "chdir": null, "stdin": null}}}\r\n', 'Shared connection to 192.168.0.218 closed.\r\n')
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

META: ran handlers
META: ran handlers
[root@localhost ~]#
Note: from the output above we can roughly see how ansible executes a command:
1. ansible first loads its own configuration file, /etc/ansible/ansible.cfg by default
2. it loads the corresponding module file; above, that is the shell module
3. ansible renders the module or command into a temporary Python file and transfers it with sftp to .ansible/tmp/ansible-tmp-<number>/xxxx.py under the home directory of the execution user on the remote host
4. it then makes the transferred temporary file executable with chmod +x
5. it runs the temporary file and returns the result
6. it deletes the temporary .py file, runs sleep 0 and exits
Ansible results generally use three colours to indicate the outcome: red, green and orange. Red means the run failed or hit an exception, which normally stops all remaining tasks. Green and orange both mean the run completed without exceptions and every task ran normally, but orange means the command changed the state of the target, while green means the target's state did not change. This convention applies not only to the ansible command but to the whole family of ansible commands, so the colour alone tells you whether an ansible command ran normally.
3. ansible-galaxy: connects to https://galaxy.ansible.com to download or upload roles
Command usage:
Usage: ansible-galaxy [delete|import|info|init|install|list|login|remove|search|setup] [--help] [options] ...
1. Download and install a role
[root@localhost ~]# ansible-galaxy install geerlingguy.redis
- downloading role 'redis', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-redis/archive/1.6.0.tar.gz
- extracting geerlingguy.redis to /etc/ansible/roles/geerlingguy.redis
- geerlingguy.redis (1.6.0) was installed successfully
[root@localhost ~]#
2. List all installed roles
[root@localhost ~]# ansible-galaxy list
- geerlingguy.redis, 1.6.0
[root@localhost ~]#
3. Remove an installed role
[root@localhost ~]# ansible-galaxy remove geerlingguy.redis
- successfully removed geerlingguy.redis
[root@localhost ~]# ansible-galaxy list
[root@localhost ~]#
Note: ansible-galaxy downloads roles into /etc/ansible/roles by default, so a role can also be removed by deleting its directory there. Roles you write yourself can be placed in that directory too, and ansible-galaxy list will show them as well.
4. ansible-vault: encrypts and decrypts YAML files
Command usage:
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
1. Encrypt
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
  - name: test
    command: hostname
[root@localhost ansible]# ansible-vault encrypt test.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
386532343735323065376336363430383830316135373034376237306264623066653631653634326162306332313031326330386136623464346533363164320a353734386632303837393633643932626562626262653962366465366462316466313634313832616235306266393031323961396337316663633466373034320a323161316262653535353361353436353238663836623034366534393265346638623639386535313462373232656338616634303138396539326333623338653333663537653832623938643237366539613334663234633637383938613436633566333936333830613836373339653462373564383736373063333764653137356237353563396635633862623039373964326531616261383162396635353465626434366665343336373133636635363939323135656235336665616564
[root@localhost ansible]#
2. Decrypt
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
386532343735323065376336363430383830316135373034376237306264623066653631653634326162306332313031326330386136623464346533363164320a353734386632303837393633643932626562626262653962366465366462316466313634313832616235306266393031323961396337316663633466373034320a323161316262653535353361353436353238663836623034366534393265346638623639386535313462373232656338616634303138396539326333623338653333663537653832623938643237366539613334663234633637383938613436633566333936333830613836373339653462373564383736373063333764653137356237353563396635633862623039373964326531616261383162396635353465626434366665343336373133636635363939323135656235336665616564
[root@localhost ansible]# ansible-vault decrypt test.yaml
Vault password:
Decryption successful
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
  - name: test
    command: hostname
[root@localhost ansible]#
3. View without decrypting
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
636239383465616237336639383962343039333531623265313532303662373736646636626231333136653066363866363461666438346531626439346134660a623231326637336464303965366263383536376339623262333136643539663436633939313931313033613231396465303335663137393233336166653038630a626637366661646638376338653261373336373438353639333930363836323534643134386336323233663237313338303266323138376231316363633936643238636634373834613130356137386531666634626565303934633337366338386165373737346635646639343935386163636234623564353537373264636138636663663531356164313437373164633433303635633064396339636361366636376439363733373761306164333965613035353133306563373232333065
[root@localhost ansible]# ansible-vault view test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
  - name: test
    command: hostname
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
636239383465616237336639383962343039333531623265313532303662373736646636626231333136653066363866363461666438346531626439346134660a623231326637336464303965366263383536376339623262333136643539663436633939313931313033613231396465303335663137393233336166653038630a626637366661646638376338653261373336373438353639333930363836323534643134386336323233663237313338303266323138376231316363633936643238636634373834613130356137386531666634626565303934633337366338386165373737346635646639343935386163636234623564353537373264636138636663663531356164313437373164633433303635633064396339636361366636376439363733373761306164333965613035353133306563373232333065
[root@localhost ansible]#
4. Edit an encrypted file
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
636239383465616237336639383962343039333531623265313532303662373736646636626231333136653066363866363461666438346531626439346134660a623231326637336464303965366263383536376339623262333136643539663436633939313931313033613231396465303335663137393233336166653038630a626637366661646638376338653261373336373438353639333930363836323534643134386336323233663237313338303266323138376231316363633936643238636634373834613130356137386531666634626565303934633337366338386165373737346635646639343935386163636234623564353537373264636138636663663531356164313437373164633433303635633064396339636361366636376439363733373761306164333965613035353133306563373232333065
[root@localhost ansible]# ansible-vault edit test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
  - name: test
    command: hostname
  - name: test1
    shell: ls /root/
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/tmpBHavml.yaml" 9L, 135C written
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
306537643264663261316363623637623563623933343839663034333063313163353737326334633430383065336336333232303933356161363861376335630a363837363963386265333866643265353331333938616466626362616536623138646338663739303066646465633439663662393734323661376233383766610a...
[root@localhost ansible]#
Note: the file remains encrypted after editing.
5. Change the vault password
[root@localhost ansible]# ansible-vault rekey test.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[root@localhost ansible]#
Note: to change the password you must first enter the original password; only after it is accepted can it be changed. If the password is forgotten, the file can no longer be viewed and its password cannot be changed.
6. Create a new encrypted file
[root@localhost ansible]# ls
test.yaml
[root@localhost ansible]# ansible-vault create test2.yaml
New Vault password:
Confirm New Vault password:
---
- hosts: appsers
  remote_user: root
  tasks:
  - name: test2
    shell: getent passwd
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/tmp/tmpgYTB3x.yaml" 7L, 92C written
[root@localhost ansible]# ls
test2.yaml  test.yaml
[root@localhost ansible]# cat test2.yaml
$ANSIBLE_VAULT;1.1;AES256
646161643732366466353835393666616462623839366135333632633031363930316335333736386261613964636466656439656464336635323337643632620a366133383633633837363432326138633233313464376363653538666562333631396333643538336239333537323230383363643765393963643939383734350a643734356432663063383066313932333837323631636536613834333232303934643762306337626633643333303431323861323438616366653438316538636539393565366233356430393430313835633237663431353537303766386632303836323732343863346462353461303937313930363230353165346337393462666131303861646262333830333365393737326365633464316137363039633461303634643132396463616538303038623332363039396136653832613230
[root@localhost ansible]
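The encrypted files shown above all share one on-disk layout. As an added example (my code, not Ansible's, and it decrypts nothing), this Python parser checks that layout, which I assume to be: the $ANSIBLE_VAULT header line, then the hex encoding of salt, HMAC and ciphertext (each itself hex, separated by newlines) wrapped at 80 columns; it also walks a directory for YAML files that name secrets but are not vaulted, the check one would put in a pre-commit hook. The file names, key names and byte values are constructed.

```python
import binascii
import os
import re
import tempfile

# $ANSIBLE_VAULT;1.1;AES256  or  $ANSIBLE_VAULT;1.2;AES256;<vault-id>
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^;\s]+))?$")
# keys that should never sit in a plaintext vars file (constructed list, extend as needed)
SECRET_KEY_RE = re.compile(r"^\s*[\w-]*(password|passwd|secret|token|api_key)[\w-]*\s*:", re.I | re.M)

def parse_vault_envelope(text):
    """Parse the layout 'ansible-vault encrypt' writes (assumed 1.1/1.2 format):
    header line, then hex('salt_hex\\nhmac_hex\\nciphertext_hex') wrapped at 80
    columns.  Returns header fields plus the byte length of each part; raises
    ValueError when the file does not have that shape.  No decryption here."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not an ansible-vault file")
    version, cipher, vault_id = m.groups()
    try:
        inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split("\n"))
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        raise ValueError("body is not hex(salt\\nhmac\\nciphertext)")
    if len(salt) != 32 or len(mac) != 32 or not ct:   # 32-byte PBKDF2 salt, HMAC-SHA256 tag
        raise ValueError("unexpected salt/hmac/ciphertext sizes")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt_len": len(salt), "hmac_len": len(mac), "ciphertext_len": len(ct)}

def is_well_formed(text):
    """True when the text has the vault layout checked by parse_vault_envelope."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False

def build_envelope(salt, mac, ciphertext, version="1.1", vault_id=None):
    """Lay out raw parts the way vault writes them.  Layout only: a real file
    gets its salt, HMAC and ciphertext from PBKDF2, HMAC-SHA256 and AES."""
    header = "$ANSIBLE_VAULT;%s;AES256" % version + (";" + vault_id if vault_id else "")
    inner = "\n".join(binascii.hexlify(p).decode("ascii") for p in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner.encode("ascii")).decode("ascii")
    return "\n".join([header] + [outer[i:i + 80] for i in range(0, len(outer), 80)]) + "\n"

def is_vaulted(text):
    return text.startswith("$ANSIBLE_VAULT;")

def find_plaintext_secrets(root):
    """Return YAML files under root that carry secret-looking keys but are not
    vault-encrypted, i.e. what a pre-commit hook would refuse."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            if not is_vaulted(text) and SECRET_KEY_RE.search(text):
                findings.append(path)
    return findings

def audit_demo():
    """Constructed tree: a plaintext vars file with a password, a vaulted file
    (layout only) and a harmless playbook; returns the offending base names."""
    root = tempfile.mkdtemp()
    samples = {
        "group_vars_all.yml": "db_user: app\ndb_password: hunter2\n",
        "vault.yml": build_envelope(bytes(range(32)), b"\x11" * 32, b"\x22" * 48),
        "site.yml": "---\n- hosts: websers\n  tasks:\n  - command: hostname\n",
    }
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return sorted(os.path.basename(p) for p in find_plaintext_secrets(root))

if __name__ == "__main__":
    print("plaintext secrets:", audit_demo())
```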
5. ansible-console: runs ansible commands interactively with tab completion. It sits between ad-hoc commands and ansible-playbook and is typically used for a batch of one-off operations or commands.
[root@localhost ansible]# ansible-console
Vault password:
Welcome to the ansible console.
Type help or ? to list commands.

root@all (7)[f:5]$ list
192.168.0.99
192.168.0.218
192.168.0.123
192.168.0.233
192.168.0.128
192.168.0.208
192.168.0.199
root@all (7)[f:5]$ cd websers
root@websers (2)[f:5]$ list
192.168.0.99
192.168.0.218
root@websers (2)[f:5]$ forks 2
root@websers (2)[f:2]$ shell getent passwd root
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

192.168.0.99 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

root@websers (2)[f:2]$
Note: typing ansible-console drops you into a shell-like interactive environment. The prompt has the format: user@current host group (number of hosts in the group)[f:forks]$. Set the concurrency with forks n, where n is the number of forks; switch groups with cd <group>, e.g. cd websers; list shows the hosts of the current group; ? or help lists all built-in commands.
6. ansible-playbook: runs playbook files
Command usage:
Usage: ansible-playbook [options] playbook.yml [playbook2 ...]
Common options:
-C, --check: check the playbook without executing it
-e: pass variables
-f: set the number of forks; default is 5
-t: run only the given tags
-l, --limit=subset: run only against a subset of the matched hosts
--list-hosts: list the matched hosts
--list-tags: list all available tags
--list-tasks: list all tasks that would be executed
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
  - name: test
    command: /usr/bin/wall hello world
[root@localhost ansible]# ansible-playbook -C test.yaml

PLAY [websers] *****************************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] ********************************************************************************************
skipping: [192.168.0.218]
skipping: [192.168.0.99]

PLAY RECAP *********************************************************************************************
192.168.0.218              : ok=1    changed=0    unreachable=0    failed=0
192.168.0.99               : ok=1    changed=0    unreachable=0    failed=0

[root@localhost ansible]# ansible-playbook test.yaml

PLAY [websers] *****************************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] ********************************************************************************************
changed: [192.168.0.218]
changed: [192.168.0.99]

PLAY RECAP *********************************************************************************************
192.168.0.218              : ok=2    changed=1    unreachable=0    failed=0
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0

[root@localhost ansible]# ansible-playbook test.yaml --list-hosts

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
    pattern: [u'websers']
    hosts (2):
      192.168.0.99
      192.168.0.218
[root@localhost ansible]# ansible-playbook test.yaml --list-tags

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
      TASK TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --list-tasks

playbook: test.yaml

  play #1 (websers): websers	TAGS: []
    tasks:
      test	TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --limit 192.168.0.99

PLAY [websers] *****************************************************************************************

TASK [Gathering Facts] *********************************************************************************
ok: [192.168.0.99]

TASK [test] ********************************************************************************************
changed: [192.168.0.99]

PLAY RECAP *********************************************************************************************
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0

[root@localhost ansible]#
7. ansible-pull: pulls playbooks from a VCS repository and runs them for the local host. This command involves Ansible's other working mode, pull mode (Ansible uses push mode by default). It works the opposite way from the usual push mode and suits the following scenarios: 1) a huge number of machines need to be configured, where even a high number of concurrent threads would take a long time; 2) running ansible on a freshly started host that has no network connection.
Command usage:
ansible-pull -U <repository> [options] [<playbook.yml>]
Common options:
-U <URL>, --url <URL>                   URL of the playbook repository
-d <DEST>, --directory <DEST>           directory to check the repository out into
-i, --inventory, --inventory-file       inventory host path or comma-separated host list. --inventory-file is deprecated
-o, --only-if-changed                   only run the playbook if the repository has been updated
-u <REMOTE_USER>, --user <REMOTE_USER>  connect as this user (default=None)
ansible-pull is usually combined with git and crontab: crontab periodically pulls the playbook from the given git repository to the local host and, in the specified mode, automatically runs the instructions prepared in advance.
Example:
*/20 * * * * root /usr/local/bin/ansible-pull -o -C 2.1.0 -d /srv/www/king-gw/ -i /etc/ansible/hosts -U git://git.kingifa.com/king-gw-ansiblepull >> /var/log/ansible-pull.log 2>&1
ansible-pull is typically used when configuring machines in bulk. It is somewhat less flexible, but its efficiency scales almost without limit, and it demands a high level of skill and forward planning from the operations staff.
For more option details see https://docs.ansible.com/ansible/2.4/ansible-pull.html
Author: Linux-1874