[系统运维]01Ansible介绍与安装

1.介绍Ansible

1.1什么是Ansible

Ansible是一款自动化运维工具，基于Python开发，集合了众多运维工具（puppet、cfengine、chef、func、fabric）的优点，实现了批量系统配置、批量程序部署、批量运行命令等功能。

Ansible是基于模块工作的，本身没有批量部署的能力。真正具有批量部署的是Ansible所运行的模块，Ansible只是提供一种框架。主要包括：

(1) 连接插件connection plugins：负责和被监控端实现通信；
(2) host inventory：指定操作的主机，是一个配置文件里面定义监控的主机；
(3) 各种模块核心模块、command模块、自定义模块；
(4) 借助于插件完成记录日志邮件等功能；
(5) playbook：剧本执行多个任务时，非必需可以让节点一次性运行多个任务。

1.2Ansible架构图及其工作原理

• Ansible Ansible的核心程序

• Host Inventory 记录了每一个由Ansible管理的主机信息，信息包括ssh端口，root帐号密码，ip地址等等。可以通过file来加载，可以通过CMDB加载

• Playbooks YAML格式文件，多个任务定义在一个文件中，使用时可以统一调用，用来定义哪些主机需要调用哪些模块来完成的功能

• Core Modules Ansible执行任何管理任务都不是由Ansible自己完成，而是由核心模块完成；Ansible管理主机之前，先调用core Modules中的模块，然后指明管理Host Inventory中的主机，就可以完成管理主机

• Custom Modules 自定义模块，完成Ansible核心模块无法完成的功能，此模块支持任何语言编写

• Connection Plugins 连接插件，Ansible和Host通信使用

2.Ansible自动化运维工具的部署安装

• 实验环境：Redhat8.2

2.1部署安装Ansible

• 安装配置yum源

//先配置好网络仓库
[root@master ~]# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-8.repo

[root@master ~]# dnf -y install epel-release

• 安装Ansible工具

[root@master ~]# dnf -y install ansible

• 查看Ansible版本信息

[root@master ~]# ansible --version
ansible 2.9.23
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
[root@master ~]# 

3.构建Ansible清单

3.1 Ansible配置文件

• /etc/ansible/hosts文件被视为系统的默认静态清单文件。不过，通常的做法是不使用该文件，而是在Ansible配置文件中为清单文件定义一个不同的位置。

[root@master ~]# cd /etc/ansible/
[root@master ansible]# ls
ansible.cfg  hosts  roles
[root@master ansible]# 
[root@master ansible]# vim ansible.cfg 
[root@master ansible]# vim ansible.cfg 

# config file for ansible -- https://ansible.com/
# ===============================================

# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first

[defaults]

# some basic default values...

#inventory      = /etc/ansible/hosts
inventory      = /etc/ansible/inventory  //在这里添加一行构建一个inventory新清单
#library        = /usr/share/my_modules/
#module_utils   = /usr/share/my_module_utils/
#remote_tmp     = ~/.ansible/tmp
#local_tmp      = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks          = 5
#poll_interval  = 15
#sudo_user      = root
[root@master ansible]# touch inventory  //创建inventory文件
[root@master ansible]# ls
ansible.cfg  hosts  inventory  roles
[root@master ansible]# 

3.2编写清单

• 但通常而言，可以将受管主机组织为主机组。通过主机组，可以更加有效的对一系列系统运行Ansible。这时，每一部分的开头为以中括号括起来的主机组名称。其后为该组中每一受管主机的主机名或IP地址，每行一个。

[root@master ansible]# vim inventory 
[webservers]      //添加一个组方便对这个组进行管理
192.168.8.130    //添加被管理主机的ip

• 验证清单

//运行以下所有命令可以列出所有主机
[root@master ~]# ansible webservers --list-hosts
  hosts (1):
    192.168.8.130
[root@master ~]# 
[root@master ~]# ansible 192.168.8.130 --list-hosts
  hosts (1):
    192.168.8.130
[root@master ~]# 
[root@master ~]# ansible all --list-hosts
  hosts (1):
    192.168.8.130
[root@master ~]# 
[root@master ~]# ansible ungrouped --list-host    //列出不属于任何组的主机
[WARNING]: No hosts matched, nothing to do
  hosts (0):
[root@master ~]# 

• 如果清单中含有名称相同的主机和主机组，ansible 命令将显示警告并以主机作为其目标。主机组则被忽略。

• 应对这种情况的方法有多种，其中最简单的是确保主机组不使用与清单中主机相同的名称。

3.3控制主机

[root@master ~]# ansible all -m ping      //因为这里没有给它设置用户名和密码所有才会报错
The authenticity of host '192.168.8.130 (192.168.8.130)' can't be established.
ECDSA key fingerprint is SHA256:4Q2ZziaMX2llFBT+mqwjrcp6jzKWtHuNrTR5OJTlXNU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
192.168.8.130 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '192.168.8.130' (ECDSA) to the list of known hosts.\r\nroot@192.168.8.130: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
[root@master ~]# 
[root@master ansible]# vim inventory    //修改清单配置文件并添加用户名和密码
[webservers]
192.168.8.130 ansible_user=root ansible_password=1
[root@master ansible]# ansible all -m ping    //现在发现可以ping通了
192.168.8.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
[root@master ansible]# 

• 除了上面这种方法我们还可以做免密登录

[root@master ansible]# cat inventory       //删除清单文件中的用户名和密码
[webservers]
192.168.8.130
[root@master ansible]# 
[root@master ansible]# cd
[root@master ~]# 

[root@master ~]# ssh-keygen -t rsa    //下面直接回车
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:VI05OJI1mGBir3J9bvE24cQhdb4IyOjms5yR/910HE8 root@master
The key's randomart image is:
+---[RSA 3072]----+
|  o o. =+.o+     |
| . * .=.o=+ .    |
|  . + o.o...     |
| . o   = o .     |
|. = . o S . . E  |
| = . o = . . +   |
|  =   o = . o .  |
| . * . o + .     |
|  + ... . .      |
+----[SHA256]-----+
[root@master ~]# ssh-copy-id root@192.168.8.130   发送到被控制主机上
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.8.130's password:     //被控制主机密码

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.8.130'"
and check to make sure that only the key(s) you wanted were added.

[root@master ~]# ansible all -m ping    //验证效果
192.168.8.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
[root@master ~]# 

3.4管理Ansible配置文件

• ansible软件包提供一个基本的配置文件，它位于/etc/ansible/ansible.cfg

• 可以通过修改 Ansible 配置文件中的设置来自定义 Ansible安装的行为。Ansible从控制节点上多个可能的位置之一选择其配置文件。

root@master ansible]# 
[root@master ansible]# ls
ansible.cfg  hosts  inventory  roles
[root@master ansible]# mv inventory /opt/     //这里将Ansible配置文件移动到/opt目录下
[root@master ansible]# cp ansible.cfg /opt/
[root@master ansible]# ansible all -m ping     //再次验证清单发现ping不通
[WARNING]: Unable to parse /etc/ansible/inventory as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
[root@master ansible]# cd
[root@master ~]# cd /opt/
[root@master opt]# ls
ansible.cfg  inventory
[root@master opt]# vim ansible.cfg 

# config file for ansible -- https://ansible.com/
# ===============================================

# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first

[defaults]

# some basic default values...

#inventory      = /etc/ansible/hosts
inventory      = inventory      //修改目录位置
#library        = /usr/share/my_modules/
#module_utils   = /usr/share/my_module_utils/
#remote_tmp     = ~/.ansible/tmp
#local_tmp      = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml

//再次验证清单效果
[root@master opt]# pwd
/opt
[root@master opt]# ansible all -m ping
192.168.8.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
[root@master opt]# 

• 还可以放到某个文件夹中

[root@master opt]# mkdir pengyudong 
[root@master opt]# ls
ansible.cfg  inventory  pengyudong
[root@master opt]# mv * pengyudong/
mv: 无法将目录'pengyudong' 移动至自身的子目录'pengyudong/pengyudong' 下
[root@master opt]# cd pengyudong/
[root@master pengyudong]# ls
ansible.cfg  inventory
[root@master pengyudong]# cd ..
[root@master opt]# ls
pengyudong
[root@master opt]# 
[root@master opt]# cd pengyudong/
[root@master pengyudong]# ansible all -m ping
192.168.8.130 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
[root@master pengyudong]#