
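The Ansible family of commands consists of ansible, ansible-doc, ansible-playbook, ansible-vault, ansible-console, ansible-galaxy and ansible-pull. Each has its own purpose and usage, so let's go through them one by one.
1. ansible-doc: this command displays the help information for modules, much like the man command on Linux.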
Usage:
ansible-doc [options] [module...]
Common options:
-a: display the documentation of all modules
[root@localhost ~]# ansible-doc -a ping
> A10_SERVER (/usr/lib/python2.7/site-packages/ansible/modules/network/a10/a10_server.py)
Manage SLB (Server Load Balancer) server objects on A10 Networks devices via aXAPIv2.
OPTIONS (= is mandatory):
= host
Hostname or IP of the A10 Networks device.
[Default: None]
- partition
set active-partition
[Default: None]
version_added: 2.3
= password
Password for the `username' account.
(Aliases: pass, pwd)[Default: None]
- server_ip
The SLB server IPv4 address.
(Aliases: ip, address)[Default: None]
:
Note: the -a option lists the full usage of the ping module; only part of the output is shown above.
-l, --list: list all available modules
[root@localhost ~]# ansible-doc -l
a10_server Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' server object.
a10_server_axapi3 Manage A10 Networks AX/SoftAX/Thunder/vThunder devices
a10_service_group Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' service groups.
a10_virtual_server Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' virtual servers.
accelerate Enable accelerated mode on remote node
aci_aep Manage attachable Access Entity Profile (AEP) on Cisco ACI fabrics (infr...
aci_ap Manage top level Application Profile (AP) objects on Cisco ACI fabrics (...
aci_bd Manage Bridge Domains (BD) on Cisco ACI Fabrics (fv:BD)
aci_bd_subnet Manage Subnets on Cisco ACI fabrics (fv:Subnet)
aci_bd_to_l3out Bind Bridge Domain to L3 Out on Cisco ACI fabrics (fv:RsBDToOut)
aci_config_rollback Provides rollback and rollback preview functionality for Cisco ACI fabri...
aci_config_snapshot Manage Config Snapshots on Cisco ACI fabrics (config:Snapshot, config:Ex...
aci_contract Manage contract resources on Cisco ACI fabrics (vz:BrCP)
aci_contract_subject Manage initial Contract Subjects on Cisco ACI fabrics (vz:Subj)
aci_contract_subject_to_filter Bind Contract Subjects to Filters on Cisco ACI fabrics (vz:RsSubjFiltAtt...
aci_epg Manage End Point Groups (EPG) on Cisco ACI fabrics (fv:AEPg)
aci_epg_monitoring_policy Manage monitoring policies on Cisco ACI fabrics (mon:EPGPol)
aci_epg_to_contract Bind EPGs to Contracts on Cisco ACI fabrics (fv:RsCons and fv:RsProv)
aci_epg_to_domain Bind EPGs to Domains on Cisco ACI fabrics (fv:RsDomAtt)
aci_filter Manages top level filter objects on Cisco ACI fabrics (vz:Filter)
aci_filter_entry Manage filter entries on Cisco ACI fabrics (vz:Entry)
aci_intf_policy_fc Manage Fibre Channel interface policies on Cisco ACI fabrics (fc:IfPol)
aci_intf_policy_l2 Manage Layer 2 interface policies on Cisco ACI fabrics (l2:IfPol)
:
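Note: the -l option lists all available modules with a brief description of what each one does; only part of the output is shown above.
-s, --snippet: show a playbook snippet for the specified module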
[root@localhost ~]# ansible-doc -s ping
- name: Try to connect to host, verify a usable python and return `pong' on success
ping:
data: # Data to return for the `ping' return value. If this parameter is set to `crash', the
module will cause an exception.
[root@localhost ~]#
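Note: -s is the option we use most often. It lists a module's commonly used parameters and what each parameter does.
2. ansible: this is Ansible's main program and the command we use most often to manage hosts. It can call the various modules to perform configuration management, application deployment, task execution and so on against remote hosts. As introduced in the previous article, Ansible manages hosts in two ways: ad-hoc, that is, using the ansible command on the command line, and ansible-playbook.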
ansible <host-pattern> [-m module_name] [-a args]
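Note: the usage is easy to understand. Ansible's strength is its large set of modules, and the ansible command manages hosts through them. The usage line above says: which hosts to manage (a host or host group must be specified), which module to use (-m gives the module name; if it is omitted, the default module is used), and what the module should do (-a passes the corresponding arguments to the module).
Common options:
--version: show the version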
[root@localhost ~]# ansible --version
ansible 2.4.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
[root@localhost ~]#
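-m module: specify the module; on a freshly installed Ansible the default module is command
-v: show brief execution details; -vv shows more detail and -vvv shows even more
--list-hosts: show the list of matched hosts; can be abbreviated to --list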
[root@localhost ~]# ansible all --list
hosts (3):
192.168.0.99
192.168.0.218
192.168.0.128
[root@localhost ~]# ansible websers --list
hosts (1):
192.168.0.99
[root@localhost ~]# ansible appsers --list
hosts (2):
192.168.0.218
192.168.0.128
[root@localhost ~]#
Note: all matches every host in the inventory.
-k, --ask-pass: prompt for the SSH connection password; by default Ansible authenticates with SSH keys (lowercase k)
[root@localhost ~]# ansible websers -m ping -k
SSH password:
192.168.0.99 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@localhost ~]#
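Note: this option is generally used for hosts in the inventory that have no SSH key authentication set up; it is usually not recommended.
-K, --ask-become-pass: prompt for the sudo password (uppercase K)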
[root@localhost ~]# ansible websers -u 'qiuhom' -k -s -K -a " getent shadow qiuhom"
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line
arguments. This feature will be removed in version 2.6. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
SSH password:
SUDO password[defaults to SSH password]:
192.168.0.99 | SUCCESS | rc=0 >>
qiuhom:$6$5mlfZaKT$YmDjmEnKPoC.xASTVA5JqUrTiIkuXOe1yDm9PCql89e4lGKUS.W1515phi1OgD1W7Zu6Lm9srTBHi9QAigWpz/:18068:0:99999:7:::
[root@localhost ~]#
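Note: -u specifies which user to run as on the remote host, -s runs the operation that follows with sudo, -k (lowercase) uses SSH password authentication, -K (uppercase) prompts for the sudo password, and -a passes arguments to the module. The example above has no -m, so the default module, command, is used; the default module can be set in /etc/ansible/ansible.cfg.
-C, --check: check only, do not execute; mainly used to check whether a playbook is written correctly.
-T, --timeout: timeout for command execution, 10s by default
-u: the user to run commands as remotely; this user must exist on the remote server and is not the user on the local management node
-b, --become: replaces the old sudo switch
--become-user=USERNAME: the runas user for sudo, root by default
With the basic options of ansible covered, next let's look at matching hosts in the inventory.
1. all: matches all hosts defined in the inventory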
[root@localhost ~]# ansible all -m ping
192.168.0.99 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.0.128 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.0.218 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@localhost ~]# ansible all --list
hosts (3):
192.168.0.99
192.168.0.218
192.168.0.128
[root@localhost ~]#
2. "*": wildcard; it can also match all hosts in the inventory, and it works much like wildcards on Linux.
[root@localhost ~]# ansible * -m ping
192.168.0.128 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.0.218 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.0.99 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@localhost ~]# ansible 192.168.0.1* -m ping
192.168.0.128 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@localhost ~]# ansible web* -m ping
192.168.0.99 | SUCCESS => {
"changed": false,
"ping": "pong"
}
[root@localhost ~]#
3. Logical OR
[root@localhost ~]# tail -6 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[root@localhost ~]# ansible "websers:appsers" --list
hosts (3):
192.168.0.99
192.168.0.218
192.168.0.128
[root@localhost ~]# ansible "192.168.0.1*:192.168.0.2*" --list
hosts (2):
192.168.0.128
192.168.0.218
[root@localhost ~]#
4. Logical AND
[root@localhost ~]# ansible "websers:&appsers" --list
hosts (1):
192.168.0.218
[root@localhost ~]#
Note: the command above lists the hosts that are in the websers group and also in the appsers group.
5. Logical NOT
[root@localhost ~]# ansible "websers:!appsers" --list
-bash: !appsers": event not found
[root@localhost ~]# ansible 'websers:!appsers' --list
hosts (1):
192.168.0.99
[root@localhost ~]#
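Note: logical NOT has to be written in single quotes (inside double quotes bash treats ! as history expansion, which is the "event not found" error above). The command above lists the hosts that are in the websers group but not in the appsers group.
6. Combined logic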
[root@localhost ~]# tail -13 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233
[root@localhost ~]# ansible 'dbsers:websers:&appsers:!ftpsers' --list
hosts (1):
192.168.0.218
[root@localhost ~]#
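Note: the command above combines logical OR, AND and NOT. In a combined pattern like this, matching follows this precedence: logical NOT has the highest precedence, then logical AND, and logical OR has the lowest. The command above matches the hosts of the dbsers and websers groups that are in appsers but not in ftpsers.
7. Regular expressions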
[root@localhost ~]# ansible "~(web|db).*" --list
hosts (4):
192.168.0.99
192.168.0.218
192.168.0.208
192.168.0.199
[root@localhost ~]#
Note: the command above matches the hosts in groups whose names start with web or db; ~ means the pattern is a regular expression.
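The pattern rules from items 1 to 7, as an added example that is not part of the original article and is not Ansible's own code: a small model that resolves a host pattern against the inventory shown above, so the target set of a privileged ad-hoc command can be reviewed before it runs. The function names are hypothetical, the inventory string is constructed from the page's `tail -13 /etc/ansible/hosts` output, and the evaluation order (union, then `&`, then `!`) is an assumption of this model.

```python
import fnmatch
import re

# Constructed to mirror the page's "tail -13 /etc/ansible/hosts" output.
INVENTORY_INI = """\
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233
"""

def parse_inventory(text):
    """Parse a minimal INI inventory into {group: [host, ...]}."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
        elif current is not None:
            host = line.split()[0].split(":")[0]  # drop host vars and ":port"
            if host not in groups[current]:
                groups[current].append(host)
    return groups

def term_hosts(term, groups):
    """Hosts selected by one term: 'all', a group, a host, a glob or ~regex."""
    if term.startswith("~"):
        regex = re.compile(term[1:])
        matches = lambda name: regex.search(name) is not None
    else:
        matches = lambda name: fnmatch.fnmatchcase(name, term)
    selected = []
    for group, hosts in groups.items():
        for host in hosts:
            hit = term == "all" or matches(group) or matches(host)
            if hit and host not in selected:
                selected.append(host)
    return selected

def resolve(pattern, groups):
    """Union plain terms, then intersect '&' terms, then drop '!' terms."""
    # Simplification of this model: a ~regex term must not contain ':'.
    terms = [t for t in pattern.split(":") if t]
    plain = [t for t in terms if t[0] not in "&!"] or ["all"]
    result = []
    for term in plain:
        result += [h for h in term_hosts(term, groups) if h not in result]
    for term in terms:
        if term[0] == "&":
            keep = term_hosts(term[1:], groups)
            result = [h for h in result if h in keep]
    for term in terms:
        if term[0] == "!":
            drop = term_hosts(term[1:], groups)
            result = [h for h in result if h not in drop]
    return result

if __name__ == "__main__":
    inv = parse_inventory(INVENTORY_INI)
    for pat in ("websers:&appsers", "websers:!appsers",
                "dbsers:websers:&appsers:!ftpsers", "~(web|db).*"):
        print(pat, "->", resolve(pat, inv))
```

On a real control node, `ansible '<pattern>' --list-hosts` remains the authoritative check.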
With inventory matching covered, let's look at how the ansible command actually executes. The -vvv option shows the execution process in much more detail.
[root@localhost ~]# ansible "websers:&appsers" -m shell -a "getent passwd root" -vvv
ansible 2.4.2.0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.0.218> (0, '/root\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" && echo ansible-tmp-1573399527.3-188437527440745="` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" ) && sleep 0'"'"''
<192.168.0.218> (0, 'ansible-tmp-1573399527.3-188437527440745=/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745\n', '')
<192.168.0.218> PUT /tmp/tmpPczCAu TO /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
<192.168.0.218> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 '[192.168.0.218]'
<192.168.0.218> (0, 'sftp> put /tmp/tmpPczCAu /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/ /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py && sleep 0'"'"''
<192.168.0.218> (0, '', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 -tt 192.168.0.218 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/" > /dev/null 2>&1 && sleep 0'"'"''
<192.168.0.218> (0, '\r\n{"changed": true, "end": "2019-11-10 23:25:23.100262", "stdout": "root:x:0:0:root:/root:/bin/bash", "cmd": "getent passwd root", "rc": 0, "start": "2019-11-10 23:25:23.082719", "stderr": "", "delta": "0:00:00.017543", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "getent passwd root", "removes": null, "creates": null, "chdir": null, "stdin": null}}}\r\n', 'Shared connection to 192.168.0.218 closed.\r\n')
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash
META: ran handlers
META: ran handlers
[root@localhost ~]#
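Note: from the output above we can see roughly how ansible executes a command:
1. Ansible first loads its configuration file, /etc/ansible/ansible.cfg by default.
2. It loads the corresponding module file; above, the shell module is loaded.
3. Ansible turns the module or command into a temporary Python file and transfers it with sftp to .ansible/tmp/ansible-tmp-<number>/xxxx.py under the home directory of the executing user on the remote host.
4. It then adds execute permission to the temporary file it just transferred (chmod u+x in the log above).
5. It runs the temporary file and returns the result.
6. It deletes the temporary .py file and exits with sleep 0.
Ansible generally uses three colours to show results: red, green and orange. Red means execution failed or an exception occurred during execution, which normally aborts all remaining tasks. Green and orange both mean that no exception occurred and all tasks ran normally; orange means the target's state changed after the command finished, while green means the target's state did not change. This applies not only to the ansible command but to the whole family of commands, so to judge whether one of them ran normally we only need to look at the colour.
3. ansible-galaxy: this command connects to https://galaxy.ansible.com to download or upload roles.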
Usage: ansible-galaxy [delete|import|info|init|install|list|login|remove|search|setup] [--help] [options] ...
1. Download and install a role
[root@localhost ~]# ansible-galaxy install geerlingguy.redis
- downloading role 'redis', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-redis/archive/1.6.0.tar.gz
- extracting geerlingguy.redis to /etc/ansible/roles/geerlingguy.redis
- geerlingguy.redis (1.6.0) was installed successfully
[root@localhost ~]#
2. List all installed roles
[root@localhost ~]# ansible-galaxy list
- geerlingguy.redis, 1.6.0
[root@localhost ~]#
3. Remove an installed role
[root@localhost ~]# ansible-galaxy remove geerlingguy.redis
- successfully removed geerlingguy.redis
[root@localhost ~]# ansible-galaxy list
[root@localhost ~]#
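Note: galaxy downloads to /etc/ansible/roles by default. We can also remove a role by deleting it from that directory directly, and we can put roles we have written ourselves there too; ansible-galaxy list will show them as well.
4. ansible-vault: this command manages the encryption and decryption of YAML files.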
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]
1. Encrypt
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]# ansible-vault encrypt test.yaml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
38653234373532306537633636343038383031613537303437623730626462306665363165363432
6162306332313031326330386136623464346533363164320a353734386632303837393633643932
62656262626265396236646536646231646631363431383261623530626639303132396139633731
6663633466373034320a323161316262653535353361353436353238663836623034366534393265
34663862363938653531346237323265633861663430313839653932633362333865333366353765
38326239386432373665396133346632346336373839386134366335663339363338306138363733
39653462373564383736373063333764653137356237353563396635633862623039373964326531
61626138316239663535346562643436666534333637313363663536393932313565623533666561
6564
[root@localhost ansible]#
2. Decrypt
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]# ansible-vault decrypt test.yaml
Vault password:
Decryption successful
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]#
3. View without decrypting
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]# ansible-vault view test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]#
4. Edit an encrypted file
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]# ansible-vault edit test.yaml
Vault password:
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: hostname
    - name: test1
      shell: ls /root/
"/tmp/tmpBHavml.yaml" 9L, 135C written
[root@localhost ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]#
Note: a file edited this way stays encrypted.
5. Change the encryption password
[root@localhost ansible]# ansible-vault rekey test.yaml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[root@localhost ansible]#
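Note: to change the password you must first enter the original password; only when it is correct can the password be changed. If the password is forgotten, the file can be neither viewed nor rekeyed.
6. Create a new encrypted file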
[root@localhost ansible]# ls
test.yaml
[root@localhost ansible]# ansible-vault create test2.yaml
New Vault password:
Confirm New Vault password:
---
- hosts: appsers
  remote_user: root
  tasks:
    - name: test2
      shell: getent passwd
"/tmp/tmpgYTB3x.yaml" 7L, 92C written
[root@localhost ansible]# ls
test2.yaml test.yaml
[root@localhost ansible]# cat test2.yaml
$ANSIBLE_VAULT;1.1;AES256
[root@localhost ansible]
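The `$ANSIBLE_VAULT;1.1;AES256` envelope printed by `cat test.yaml` after encryption, as an added example that is not part of the original article and is not Ansible's own code: a structural check that a file meant to be vaulted really is encrypted and has not been truncated, without needing the password. The function names are hypothetical and the sample is built from constructed bytes; the layout it assumes (an outer hex layer around hex-encoded salt, HMAC and ciphertext joined by newlines, with a 32-byte salt, a 32-byte HMAC and ciphertext in 16-byte blocks) is consistent with the encrypted output shown in the encryption step.

```python
import binascii

def wrap_sample(salt, mac, ciphertext, width=80):
    """Build a vault-shaped envelope from constructed bytes (no real encryption)."""
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode()
    rows = [body[i:i + width] for i in range(0, len(body), width)]
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(rows) + "\n"

def parse_vault(text):
    """Split an envelope into header fields, salt, HMAC and ciphertext."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("no $ANSIBLE_VAULT header: content is not vault-encrypted")
    fields = lines[0].split(";")
    if len(fields) not in (3, 4):  # format 1.2 appends a vault-id label
        raise ValueError("malformed header: %r" % lines[0])
    try:
        # The outer hex layer wraps three inner hex strings joined by newlines.
        parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
        if len(parts) != 3:
            raise ValueError("expected salt, HMAC and ciphertext")
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed payload: %s" % exc)
    return {"version": fields[1], "cipher": fields[2], "salt": salt,
            "hmac": mac, "ciphertext": ciphertext}

def audit(text):
    """Return findings for one file's content; an empty list means it looks intact."""
    try:
        vault = parse_vault(text)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if vault["cipher"] != "AES256":
        findings.append("unexpected cipher %s" % vault["cipher"])
    if len(vault["salt"]) != 32:
        findings.append("salt is %d bytes, expected 32" % len(vault["salt"]))
    if len(vault["hmac"]) != 32:
        findings.append("HMAC is %d bytes, expected 32" % len(vault["hmac"]))
    if not vault["ciphertext"] or len(vault["ciphertext"]) % 16:
        findings.append("ciphertext is empty or not a multiple of 16 bytes")
    return findings

if __name__ == "__main__":
    sample = wrap_sample(bytes(range(32)), b"\x11" * 32, b"\x22" * 96)
    print(audit(sample))                     # intact envelope
    print(audit("---\n- hosts: websers\n"))  # plaintext playbook
    print(audit(sample[:-5]))                # truncated file
```

This only validates the envelope; whether the HMAC actually matches is verified by `ansible-vault view` with the password.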
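5. ansible-console: runs ansible commands interactively with tab completion. It sits between ad-hoc and ansible-playbook usage and is typically used to run a batch of temporary operations or commands in one place.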
[root@localhost ansible]# ansible-console
Vault password:
Welcome to the ansible console.
Type help or ? to list commands.
root@all (7)[f:5]$ list
192.168.0.99
192.168.0.218
192.168.0.123
192.168.0.233
192.168.0.128
192.168.0.208
192.168.0.199
root@all (7)[f:5]$ cd websers
root@websers (2)[f:5]$ list
192.168.0.99
192.168.0.218
root@websers (2)[f:5]$ forks 2
root@websers (2)[f:2]$ shell getent passwd root
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash
192.168.0.99 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash
root@websers (2)[f:2]$
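Note: typing ansible-console in a terminal opens a shell-like interactive environment. The prompt has the form: executing user@current host group (number of hosts in the group)[f:forks]$. Set the concurrency with forks n, where n is the number of forks; switch groups with cd <group>, for example cd websers; list shows the hosts in the current group; ? or help lists all built-in commands.
6. ansible-playbook: this command runs playbook files.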
Usage: ansible-playbook [options] playbook.yml [playbook2 ...]
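-C, --check: check the playbook without executing it
-e: pass variables
-f: set the number of forks (concurrency), 5 by default
-t: run only the specified tags
-l, --limit=subset: run against certain hosts only
--list-hosts: list the matched hosts
--list-tags: list all available tags
--list-tasks: list all tasks that would be executed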
[root@localhost ansible]# cat test.yaml
---
- hosts: websers
  remote_user: root
  tasks:
    - name: test
      command: /usr/bin/wall hello world
[root@localhost ansible]# ansible-playbook -C test.yaml
PLAY [websers] ********************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]
TASK [test] ***********************************************************************************************************
skipping: [192.168.0.218]
skipping: [192.168.0.99]
PLAY RECAP ************************************************************************************************************
192.168.0.218 : ok=1 changed=0 unreachable=0 failed=0
192.168.0.99 : ok=1 changed=0 unreachable=0 failed=0
[root@localhost ansible]# ansible-playbook test.yaml
PLAY [websers] ********************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]
TASK [test] ***********************************************************************************************************
changed: [192.168.0.218]
changed: [192.168.0.99]
PLAY RECAP ************************************************************************************************************
192.168.0.218 : ok=2 changed=1 unreachable=0 failed=0
192.168.0.99 : ok=2 changed=1 unreachable=0 failed=0
[root@localhost ansible]# ansible-playbook test.yaml --list-hosts
playbook: test.yaml
play #1 (websers): websers TAGS: []
pattern: [u'websers']
hosts (2):
192.168.0.99
192.168.0.218
[root@localhost ansible]# ansible-playbook test.yaml --list-tags
playbook: test.yaml
play #1 (websers): websers TAGS: []
TASK TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --list-tasks
playbook: test.yaml
play #1 (websers): websers TAGS: []
tasks:
test TAGS: []
[root@localhost ansible]# ansible-playbook test.yaml --limit 192.168.0.99
PLAY [websers] ********************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.99]
TASK [test] ***********************************************************************************************************
changed: [192.168.0.99]
PLAY RECAP ************************************************************************************************************
192.168.0.99 : ok=2 changed=1 unreachable=0 failed=0
[root@localhost ansible]#
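7. ansible-pull: this command pulls playbooks from a VCS repository and runs them for the local host. It belongs to Ansible's other working mode, pull mode (Ansible uses push mode by default), which works the opposite way to the usual push mode. It suits the following scenarios: 1. a very large number of machines need to be configured, and even with highly concurrent threads this still takes a long time; 2. running ansible on a freshly booted host that has no network connection.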
ansible-pull -U <repository> [options] [<playbook.yml>]
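-U <URL>, --url <URL>
URL of the playbook repository
-d <DEST>, --directory <DEST>
Directory to check the repository out to
-i, --inventory, --inventory-file
Specify the inventory host path or a comma-separated host list. --inventory-file is deprecated.
-o, --only-if-changed
Only run the playbook if the repository has been updated
-u <REMOTE_USER>, --user <REMOTE_USER>
Connect as this user (default=None)
ansible-pull is usually combined with git and crontab: crontab periodically pulls the playbooks from the specified git repository to the local host and automatically runs the predefined commands in the specified mode.
Example: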
*/20 * * * * root /usr/local/bin/ansible-pull -o -C 2.1.0 -d /srv/www/king-gw/ -i /etc/ansible/hosts -U git://git.kingifa.com/king-gw-ansiblepull >> /var/log/ansible-pull.log 2>&1
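ansible-pull is usually used when configuring machines in large batches. It is somewhat less flexible, but its efficiency can be scaled almost without limit, and it demands a high level of skill and forward planning from operations staff.
For more options see https://docs.ansible.com/ansible/2.4/ansible-pull.html
Author: Linux-1874
Source: https://www.cnblogs.com/qiuhom-1874/
Copyright of this article is shared by the author and cnblogs. Reposting is welcome, but without the author's consent this notice must be retained and a link to the original article must be given in a prominent place on the page; otherwise the right to pursue legal liability is reserved.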