2019独角兽企业重金招聘Python工程师标准>>>

自动化运维—ansible

一、Ansible介绍

Ansilbe是一个部署一群远程主机的工具。远程的主机可以是远程虚拟机或物理机，也可以是本地主机。

Ansilbe通过SSH协议实现远程节点和管理节点之间的通信,不需要安装客户端。

Ansible基于模块工作，模块可以由任何语言开发

Ansible不仅支持命令行使用模块，也支持编写yaml格式的playbook，易于编写和阅读

Ansible的安装十分简单，centos上可直接通过yum安装。

Ansible有提供命令行版本，免费。也有提供UI（浏览器图形化）版本，网址: www.ansible.com/tower，但是收费的。官方文档: http://docs.ansible.com/ansible/latest/index.html

Ansible已经被redhat公司收购，它在github上是一个非常受欢迎的开源软件，github地址https://github.com/ansible/ansible

一本不错的入门电子书 https://ansible-book.gitbooks.io/ansible-first-book/

二、ansible安装和远程执行命令

查看ansible 的yum清单，安装ansible ansible-doc

[root@ying01 salt]# yum list | grep ansible
ansible.noarch                            2.6.3-1.el7                  epel
ansible-doc.noarch                        2.6.3-1.el7                  epel
ansible-inventory-grapher.noarch          2.4.4-1.el7                  epel
ansible-lint.noarch                       3.4.21-1.el7                 epel
ansible-openstack-modules.noarch          0-20140902git79d751a.el7     epel
ansible-review.noarch                     0.13.4-1.el7                 epel
kubernetes-ansible.noarch                 0.6.0-0.1.gitd65ebd5.el7     epel
python2-ansible-runner.noarch             1.0.1-1.el7                  epel
python2-ansible-tower-cli.noarch          3.3.0-2.el7                  epel    [root@ying01 salt]# yum -y install ansible  ansible-doc

查看ying01 主机上是否有公钥存在，若不存在则要生成，生成秘钥命令： ssh-keygen

[root@ying01 ~]# ls /root/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@ying01 ~]# cat /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+X/2tfggcYIe/3qp98blHj4ySD0GbVmP5QfU7tXXMbE/+FnktHOA3l9+noxXxNXFpaDjc4k+R9TV1R4yG8U0+bx8zucaVTSQWgFCiwDlKhY4pUgfQePtNX+AVUo7yf0+ysz7P3cyUTIInHORB2R/DoKzcxMEM9AHkb//G/UtLaRBhLLWhNGz/R8S5ZhdsC3+X+yKKDVffua8RWkAqevntf4lWz6KEYbuTjxzM7cOXOrHx0/w3/qtvD/Vee+I7vZHkCdqwMfQxn9pTh6c3RwBwcx9jzbJJ7YLV5KmOx0QqSK8qHylgjuO2ZS1wF1+eTdO1D2zP2aEykF6dDNhzQRb5 root@ying01

把此公钥分别存放在ying01、ying02、ying03机器的authorized_keys 文件下；

#ansible
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+X/2tfggcYIe/3qp98blHj4ySD0GbVmP5QfU7tXXMbE/+FnktHOA3l9+noxXxNXFpaDjc4k+R9TV1R4yG8U0+bx8zucaVTSQWgFCiwDlKhY4pUgfQePtNX+AVUo7yf0+ysz7P3cyUTIInHORB2R/DoKzcxMEM9AHkb//G/UtLaRBhLLWhNGz/R8S5ZhdsC3+X+yKKDVffua8RWkAqevntf4lWz6KEYbuTjxzM7cOXOrHx0/w3/qtvD/Vee+I7vZHkCdqwMfQxn9pTh6c3RwBwcx9jzbJJ7YLV5KmOx0QqSK8qHylgjuO2ZS1wF1+eTdO1D2zP2aEykF6dDNhzQRb5 root@ying01

编辑/etc/ansible/hosts文件，添加以下语句

[root@ying01 ~]# vim /etc/ansible/hosts [testhost]                //主机名称
127.0.0.1                 //主机IP
ying01                    //主机的ID
ying02
ying03

以上写IP也可以，要是写ID，就需要在 /etc/hosts 里面定义；因为之前已经定义ID

[root@ying01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
113.108.182.52  www.hao123.com www.baidu.com
127.0.0.1  ying.com
192.168.112.136 ying01
192.168.112.138 ying02
192.168.112.139 ying03

测试以下127.0.0.1主机是否联通

[root@ying01 ~]# ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:ZQlXi+kieRwi2t64Yc5vUhPPWkMub8f0CBjnYRlX2Iw.
ECDSA key fingerprint is MD5:ff:9f:37:87:81:89:fc:ed:af:c6:62:c6:32:53:7a:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
Last login: Tue Sep 11 11:49:11 2018 from 192.168.112.1
[root@ying01 ~]# w13:30:28 up 13:31,  2 users,  load average: 0.12, 0.09, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    192.168.112.1    11:49    4.00s  0.45s  0.01s ssh 127.0.0.1
root     pts/1    127.0.0.1        13:30    4.00s  0.06s  0.00s w
[root@ying01 ~]# logout
Connection to 127.0.0.1 closed.

在行testhost主机上，执行命令


[root@ying01 ~]# ansible testhost -m command -a 'wc -l /etc/passwd'
ying03 | SUCCESS | rc=0 >>
25 /etc/passwdying02 | SUCCESS | rc=0 >>
30 /etc/passwd127.0.0.1 | SUCCESS | rc=0 >>
53 /etc/passwdying01 | SUCCESS | rc=0 >>
53 /etc/passwd[root@ying01 ~]# ansible 127.0.0.1 -m command -a 'wc -l /etc/passwd'   //可以针对IP
127.0.0.1 | SUCCESS | rc=0 >>
53 /etc/passwd[root@ying01 ~]# ansible 'ying03' -m command -a 'wc -l /etc/passwd'   //可以针对单个定义ID
ying03 | SUCCESS | rc=0 >>
25 /etc/passwd

语句释义：ansible 批量执行命令，testhost 是主机的集合，-m后面接调用module的名字, -a后面接调用module的参数

shell模块也可以执行命令

[root@ying01 ~]# ansible  testhost -m shell -a 'wc -l /etc/passwd'
127.0.0.1 | SUCCESS | rc=0 >>
53 /etc/passwdying03 | SUCCESS | rc=0 >>
25 /etc/passwdying02 | SUCCESS | rc=0 >>
30 /etc/passwdying01 | SUCCESS | rc=0 >>
53 /etc/passwd[root@ying01 ~]# ansible  testhost -m shell -a 'hostname'
ying01 | SUCCESS | rc=0 >>
ying01127.0.0.1 | SUCCESS | rc=0 >>
ying01ying03 | SUCCESS | rc=0 >>
ying03ying02 | SUCCESS | rc=0 >>
ying02[root@ying01 ~]# ansible 'ying01' -m shell -a 'wc -l /etc/passwd'
ying01 | SUCCESS | rc=0 >>
53 /etc/passwd[root@ying01 ~]# ansible 127.0.0.1 -m shell -a 'wc -l /etc/passwd'
127.0.0.1 | SUCCESS | rc=0 >>
53 /etc/passwd

错误解决：

错误： "msg": "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!"

解决： yum install -y libselinux-python

三、 ansible拷贝文件或目录

ansible ying02 -m copy -a "src=/etc/ansible dest=/tmp/ansibletest owner=root group=root mode=0755"

ying02 : 指定认证主机，可以是testhost集合，也可以是ying03、127.0.0.1等；

copy -a "定义内容" ：复制定义的内容

src=/etc/ansible :定义复制的源目录及文件

dest=/tmp/ansibletest ：定义要复制到的位置

owner=root ：定义uid为root

group=root ：组为root

mode=0755 ：权限为755

整个语句意思为：把master机器的/etc/ansible目录复制到远程机器ying02上的/tmp/ansibletest目录，并指定所有者、所有组及其权限；

[root@ying01 ~]# ansible ying02 -m copy -a "src=/etc/ansible  dest=/tmp/ansibletest owner=root group=root mode=0755"
ying02 | SUCCESS => {"changed": true, "dest": "/tmp/ansibletest/", "src": "/etc/ansible"
}

在ying02上，查看复制结果

[root@ying02 ~]# ls -la /tmp/ansibletest
总用量 4
drwxr-xr-x   3 root root   21 9月  11 17:35 .
drwxrwxrwt. 17 root root 4096 9月  11 17:35 ..
drwxr-xr-x   3 root root   51 9月  11 17:35 ansible
[root@ying02 ~]# tree /tmp/ansibletest
/tmp/ansibletest
└── ansible├── ansible.cfg├── hosts└── roles2 directories, 2 files

[root@ying01 ~]# ansible ying02 -m copy -a "src=/etc/ansible  dest=/tmp/  owner=root group=root mode=0755"
ying02 | SUCCESS => {"changed": true, "dest": "/tmp/", "src": "/etc/ansible"
}

在ying02上，查看复制结果

[root@ying02 ~]# ls -ld /tmp/ansible
drwxr-xr-x 3 root root 51 9月  11 17:40 /tmp/ansible[root@ying02 ~]# tree /tmp/ansible
/tmp/ansible
├── ansible.cfg
├── hosts
└── roles1 directory, 2 files

注意：

源目录会放到目标目录下面去，

如果目标指定的目录不存在，它会自动创建。

如果拷贝的是文件，dest指定的名字和源如果不同，并且它不是已经存在的目录，相当于拷贝过去后又重命

但相反，如果desc是目标机器上已经存在的目录，则会直接把文件拷贝到该目录下面。

四、 ansible远程执行脚本

创建test.sh脚本

[root@ying01 ~]# vim /tmp/test.sh #!/bin/bashecho `date` > /tmp/ansible_test.txt   //创建ansible_test.txt文件

把此脚本复制到ying03主机上，并改名为test1.sh

[root@ying01 ~]# ansible ying03 -m copy -a "src=/tmp/test.sh  dest=/tmp/test1.sh  owner=root group=root mode=0755"
ying03 | SUCCESS => {"changed": true, "checksum": "1a6e4af02dba1bda6fc8e23031d4447efeba0ade", "dest": "/tmp/test1.sh", "gid": 0, "group": "root", "md5sum": "edfaa4371316af8c5ba354e708fe8a97", "mode": "0755", "owner": "root", "size": 48, "src": "/root/.ansible/tmp/ansible-tmp-1536660710.3-139886566503496/source", "state": "file", "uid": 0
}
[root@ying01 ~]# ansible ying03 -m shell -a "/tmp/test1.sh"  //远程执行test1.sh脚本
ying03 | SUCCESS | rc=0 >>

查看ansible_test.txt内容及相关情况

[root@ying03 ~]# cat /tmp/ansible_test.txt
2018年 09月 11日 星期二 18:12:56 CST
[root@ying03 ~]# ls -l  /tmp/ansible_test.txt
-rw-r--r-- 1 root root 43 9月  11 18:12 /tmp/ansible_test.txt

注意：-m command 不支持管道符，而-m shell 支持管道

-m command 不支持管道

[root@ying01 ~]# ansible testhost  -m command -a 'cat /etc/passwd |wc -l'
ying03 | FAILED | rc=1 >>
cat：无效选项 -- l
Try 'cat --help' for more information.non-zero return codeying02 | FAILED | rc=1 >>
cat：无效选项 -- l
Try 'cat --help' for more information.non-zero return codeying01 | FAILED | rc=1 >>
cat：无效选项 -- l
Try 'cat --help' for more information.non-zero return code127.0.0.1 | FAILED | rc=1 >>
cat：无效选项 -- l
Try 'cat --help' for more information.non-zero return code

-m shell 支持管道


[root@ying01 ~]# ansible testhost  -m shell -a 'cat /etc/passwd |wc -l'
ying02 | SUCCESS | rc=0 >>
30ying03 | SUCCESS | rc=0 >>
25127.0.0.1 | SUCCESS | rc=0 >>
53ying01 | SUCCESS | rc=0 >>
53

五、ansible管理任务计划

新建管理任务计划

给ying02机器，创建名为test cron 的管理认为计划

[root@ying01 ~]# ansible ying02 -m cron -a "name='test cron' job='/bin/touch /tmp/1212.txt' weekday=6"
ying02 | SUCCESS => {"changed": true, "envs": [], "jobs": ["test cron"]

用crontab -l查看此管理计划

[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit
#Ansible: test cron
* * * * 6 /bin/touch /tmp/1212.txt

管理计划任务

state=absent 定义状态为无，即可删除此计划任务

[root@ying01 ~]# ansible ying02 -m cron -a "name='test cron' state=absent"
ying02 | SUCCESS => {"changed": true, "envs": [], "jobs": []
}

在ying02上验证，此时已经无任务计划，说明删除成功

[root@ying02 ~]# crontab -l
# Lines below here are managed by Salt, do not edit

注意：由ansible管理的计划任务（crontab -e），请不要手动修改，否则会导致ansible无法再管理相应的计划任务

六、ansible安装包和管理服务

删除httpd模块

[root@ying01 ~]# ansible ying02 -m yum -a "name=httpd state=removed"
ying02 | SUCCESS => {"changed": true, "msg": "", "rc": 0, "results": ["已加载插件：fastestmirror\n正在解决依赖关系\n--> 正在检查事务\n---> 软件包 httpd.x86_64.0.2.4.6-80.el7.centos.1 将被 删除\n--> 正在处理依赖关系 httpd = 2.4.6-80.el7.centos.1，它被软件包 httpd-devel-2.4.6-80.el7.centos.1.x86_64 需要\n--> 正在检查事务\n---> 软件包 httpd-devel.x86_64.0.2.4.6-80.el7.centos.1 将被 删除\n--> 解决依赖关系完成\n\n依赖关系解决\n\n================================================================================\n Package          架构        版本                          源             大小\n================================================================================\n正在删除:\n httpd            x86_64      2.4.6-80.el7.centos.1         @updates      9.4 M\n为依赖而移除:\n httpd-devel      x86_64      2.4.6-80.el7.centos.1         @updates      749 k\n\n事务概要\n================================================================================\n移除  1 软件包 (+1 依赖软件包)\n\n安装大小：10 M\nDownloading packages:\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  正在删除    : httpd-devel-2.4.6-80.el7.centos.1.x86_64                    1/2 \n  正在删除    : httpd-2.4.6-80.el7.centos.1.x86_64                          2/2 \n  验证中      : httpd-devel-2.4.6-80.el7.centos.1.x86_64                    1/2 \n  验证中      : httpd-2.4.6-80.el7.centos.1.x86_64                          2/2 \n\n删除:\n  httpd.x86_64 0:2.4.6-80.el7.centos.1                                          \n\n作为依赖被删除:\n  httpd-devel.x86_64 0:2.4.6-80.el7.centos.1                                    \n\n完毕！\n"]
}

在ying02机器上，查看httpd是否删除

[root@ying02 ~]# rpm -qa httpd
[root@ying02 ~]# netstat -lnpt |grep httpd

安装httpd

[root@ying01 ~]# ansible ying02 -m yum -a "name=httpd"
ying02 | SUCCESS => {"changed": true, "msg": "", "rc": 0, "results": ["Loaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\n * base: mirrors.aliyun.com\n * epel: mirrors.aliyun.com\n * extras: mirrors.aliyun.com\n * updates: centos.ustc.edu.cn\nResolving Dependencies\n--> Running transaction check\n---> Package httpd.x86_64 0:2.4.6-80.el7.centos.1 will be installed\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n================================================================================\n Package      Arch          Version                        Repository      Size\n================================================================================\nInstalling:\n httpd        x86_64        2.4.6-80.el7.centos.1          updates        2.7 M\n\nTransaction Summary\n================================================================================\nInstall  1 Package\n\nTotal download size: 2.7 M\nInstalled size: 9.4 M\nDownloading packages:\nRunning transaction check\nRunning transaction test\nTransaction test succeeded\nRunning transaction\n  Installing : httpd-2.4.6-80.el7.centos.1.x86_64                           1/1 \n  Verifying  : httpd-2.4.6-80.el7.centos.1.x86_64                           1/1 \n\nInstalled:\n  httpd.x86_64 0:2.4.6-80.el7.centos.1                                          \n\nComplete!\n"]
}

启动httpd

[root@ying01 ~]# ansible ying02 -m service -a "name=httpd state=started enabled=no"
ying02 | SUCCESS => {"changed": true, "enabled": false, "name": "httpd", "state": "started", 篇幅原因，省略

在ying02机器上，验证httpd是否启动

[root@ying02 ~]# netstat -lnpt |grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      31897/httpd
[root@ying02 ~]# ps aux |grep httpd
root     31897  0.0  0.2 224020  4996 ?        Ss   20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache   31898  0.0  0.1 224020  2952 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache   31899  0.0  0.1 224020  2952 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache   31900  0.0  0.1 224020  2952 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache   31901  0.0  0.1 224020  2952 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
apache   31902  0.0  0.1 224020  2952 ?        S    20:53   0:00 /usr/sbin/httpd -DFOREGROUND
root     32086  0.0  0.0 112720   984 pts/0    S+   21:01   0:00 grep --color=auto httpd

注意：这里的name是centos系统里的服务名，可以通过chkconfig --list查到。

ansible-doc -l ：列出所有的模块

[root@ying01 ~]# ansible-doc -l|grep httpd
apache2_mod_proxy                                    Set and/or get members' attributes of an Apache httpd 2.4 mod_proxy balancer pool
bigip_device_httpd                                   Manage HTTPD related settings on BIG-IP

ansible-doc cron ：查看指定模块的文档

[root@ying01 ~]# ansible-doc cron
> CRON    (/usr/lib/python2.7/site-packages/ansible/modules/system/cron.py)Use this module to manage crontab and environment variables entries. This module allows you to create environmentvariables and named crontab entries, update, or delete them. When crontab jobs are managed: the module includes oneline with the description of the crontab entry `"#Ansible: <name>"' corresponding to the "name" passed to the module,which is used by future ansible/module calls to find/check the state. The "name" parameter should be unique, andchanging the "name" value will result in a new cron task being created (or a different one being removed). Whenenvironment variables are managed: no comment line is added, but, when the module needs to find/check the state, ituses the "name" parameter to find the environment variable definition line. When using symbols such as %, they mustbe properly escaped.OPTIONS (= is mandatory):篇幅原因，下面内容省略

七、使用ansible playbook

Playbooks 是 Ansible的配置,部署,编排语言.他们可以被描述为一个需要希望远程主机执行命令的方案,或者一组IT程序运行的命令集合.

如果 Ansible 模块你是工作室中的工具,那么 playbooks 就是你设置的方案计划.

Playbooks 的格式是YAML。

[root@ying01 ~]# cd /etc/ansible/
[root@ying01 ansible]# ls
ansible.cfg  hosts  roles
[root@ying01 ansible]# vim test.yml---
- hosts: ying02                      //针对ying02主机，若果多个主机，可以用逗号隔开remote_user: root                  //远程用户为roottasks:                             //任务- name: test_playbook            //任务名 test_playbook shell: touch /tmp/qqq.txt      //用到shell模块

执行test.yml文件方案

[root@ying01 ansible]# ansible-playbook test.ymlPLAY [ying02] ***********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying02]TASK [test_playbook] ****************************************************************************************************************************************[WARNING]: Consider using the file module with state=touch rather than running touch.  If you need to use command because file is insufficient you can add
warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message.changed: [ying02]PLAY RECAP **************************************************************************************************************************************************
ying02                     : ok=2    changed=1    unreachable=0    failed=0

在ying02机器上验证

[root@ying02 ~]# ls -l /tmp/qqq.txt
-rw-r--r-- 1 root root 0 9月  11 21:24 /tmp/qqq.txt
[root@ying02 ~]# date
2018年 09月 11日 星期二 21:26:19 CST

八、playbook里的变量

创建create_user.yml文件

[root@ying01 ansible]# vim create_user.yml---
- name: create_userhosts: ying02user: rootgather_facts: false              //false 不收集主机相关信息；ture :与之相反vars:- user: "test"tasks:- name: create useruser: name="{{ user }}"

create_user.yml文件语句释义：

name参数对该playbook实现的功能做一个概述，后面执行过程中，会打印name变量的值，可以省略；

gather_facts参数指定了在以下任务部分执行前，是否先执行setup模块获取主机相关信息，如果后面的task会使用到setup获取的信息时会用到；

vars参数，指定了变量，这里指字一个user变量，其值为test，需要注意的是，变量值一定要用引号引住；

user指定了调用user模块，name是user模块里的一个参数，而增加的用户名字调用了上面user变量的值。

执行此文件

[root@ying01 ansible]# ansible-playbook create_user.yml PLAY [create_user] ******************************************************************************************************************************************TASK [create user] ******************************************************************************************************************************************
changed: [ying02]PLAY RECAP **************************************************************************************************************************************************
ying02                     : ok=1    changed=1    unreachable=0    failed=0

在ying02上，测试执行结果

[root@ying02 ~]# id test
uid=1002(test) gid=1002(test) 组=1002(test)

九、playbook里的循环

创建while.yml文件

[root@ying01 ansible]# pwd
/etc/ansible
[root@ying01 ansible]# vim while.yml---
- hosts: ying02                                       //针对ying02主机user: root                                          //用户为roottasks: - name: change mode for files                      //任务名称属性   file: path=/tmp/{{ item }} state=touch mode=600  //定义变量item ，先创建，再给予权限with_items:                                      //item文本集合- 1.txt- 2.txt- 3.txt

执行 while.yml文件；Gathering Facts又出现，因为我们没有禁掉；

[root@ying01 ansible]# ansible-playbook while.yml PLAY [ying02] ***********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying02]TASK [change mode for files] ********************************************************************************************************************************
changed: [ying02] => (item=1.txt)
changed: [ying02] => (item=2.txt)
changed: [ying02] => (item=3.txt)PLAY RECAP **************************************************************************************************************************************************
ying02                     : ok=2    changed=1    unreachable=0    failed=0

在ying02上，测试此循环试验成功，每个文件都创建，并授予600权限

[root@ying02 ~]# ls -l /tmp/?.txt
-rw------- 1 root root 0 9月  11 22:49 /tmp/1.txt
-rw------- 1 root root 0 9月  11 22:49 /tmp/2.txt
-rw------- 1 root root 0 9月  11 22:49 /tmp/3.txt

十、playbook里的条件判断

创建when.yml条件判断的yml文本

[root@ying01 ansible]# vim when.yml---
- hosts: testhostuser: rootgather_facts: Truetasks:- name: use whenshell: touch /tmp/when.txt         //when: ansible_ens33.ipv4.address == "192.168.112.138"

when: ansible_ens33.ipv4.address == "192.168.112.138" 释义：

when：为ansble模块

ansible_ens33 ：为一个1级范围

ipv4:为ansible_ens33范围内的子集；

address：为ipv4的一个子集；

== "192.168.112.138" ：匹配此IP

上面的when条件语句，就通过查看facter信息，来设置条件；

查看所有的facter信息： ansible ying02 -m setup

[root@ying01 ansible]# ansible ying02 -m setup以下内容为节选，为了突出when条件"ansible_ens33": {                                //此为1级条件"active": true, "device": "ens33", "features": {"busy_poll": "off [fixed]", "fcoe_mtu": "off [fixed]", "generic_receive_offload": "on", "generic_segmentation_offload": "on", "vlan_challenged": "off [fixed]"}, "hw_timestamp_filters": [],  "ipv4": {                            //此为2级条件        "address": "192.168.112.138",    //此为3级条件"broadcast": "192.168.112.255", "netmask": "255.255.255.0", "network": "192.168.112.0"}, "ipv6": [{"address": "fe80::43bd:36bd:3f01:f8e8", "prefix": "64", "scope": "link"}

执行 when.yml方案

[root@ying01 ansible]# ansible-playbook when.yml PLAY [testhost] *********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying02]
ok: [ying03]
ok: [ying01]
ok: [127.0.0.1]TASK [use when] *********************************************************************************************************************************************
skipping: [127.0.0.1]
skipping: [ying01]
skipping: [ying03][WARNING]: Consider using the file module with state=touch rather than running touch.  If you need to use command because file is insufficient you can add
warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message.changed: [ying02]PLAY RECAP **************************************************************************************************************************************************
127.0.0.1                  : ok=1    changed=0    unreachable=0    failed=0
ying01                     : ok=1    changed=0    unreachable=0    failed=0
ying02                     : ok=2    changed=1    unreachable=0    failed=0
ying03                     : ok=1    changed=0    unreachable=0    failed=0

在ying02机器上，验证,有when.txt生成；因为只有ying02符合条件

[root@ying02 ~]# ls -l /tmp/when.txt
-rw-r--r-- 1 root root 0 9月  11 23:09 /tmp/when.txt

其他机器都没有，因为不符合when条件

[root@ying03 ~]# ls -l /tmp/when.txt
ls: 无法访问/tmp/when.txt: 没有那个文件或目录

十一、playbook中的handlers

Ansible playbook中的handlers可实现类似逻辑与的功能。(相当于shell中&&)

运用场景为：修改完配置文件后，重新加载配置文件；

创建handlers.yml文件

[root@ying01 ansible]# vim handlers.yml---
- name: handlers testhosts: ying02user: roottasks:- name: copy filecopy: src=/etc/passwd dest=/tmp/bbb.txt      //先复制notify: test handlershandlers:- name: test handlersshell: echo "111111" >> /tmp/bbb.txt        //再写入内容

说明：此处必要copy步骤成功，handlers才能够继续执行；逻辑并且

执行 handlers.yml文件

[root@ying01 ansible]# ansible-playbook handlers.yml PLAY [handlers test] ****************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying02]TASK [copy file] ********************************************************************************************************************************************
changed: [ying02]RUNNING HANDLER [test handlers] *****************************************************************************************************************************
changed: [ying02]PLAY RECAP **************************************************************************************************************************************************
ying02                     : ok=3    changed=2    unreachable=0    failed=0

在ying02机器上，测试bbb.txt文本有111111写入，试验成功

[root@ying02 ~]# tail /tmp/bbb.txt
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
zabbix:x:997:994:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin
memcached:x:996:993:Memcached daemon:/run/memcached:/sbin/nologin
mongod:x:995:992:mongod:/var/lib/mongo:/bin/false
gitlab-www:x:994:990::/var/opt/gitlab/nginx:/bin/false
git:x:993:989::/var/opt/gitlab:/bin/sh
gitlab-redis:x:992:988::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:991:987::/var/opt/gitlab/postgresql:/bin/sh
gitlab-prometheus:x:990:986::/var/opt/gitlab/prometheus:/bin/sh
111111

十二、 playbook安装nginx

实战：批量安装源码nginx

思路：先在一台机器上编译安装好nginx、打包，然后再用ansible去下发

第一步：创建/etc/ansible/nginx_install目录及其子目录

[root@ying01 ~]# cd /etc/ansible
[root@ying01 ansible]# cd nginx_install/
[root@ying01 nginx_install]# mkdir -p roles/{common,install}/{handlers,files,meta,tasks,templates,vars}
[root@ying01 nginx_install]# tree
.
└── roles                    //install      此目录为安装nginx操作├── common               //此目录为一些准备操作│   ├── files               //此目录存放一些安装nginx时用到的文件│   ├── handlers            //当发生改变时要执行的操作，比如配置文件发生改变了，就要重启nginx服务│   ├── meta                //此目录存放说明信息│   ├── tasks               //存放核心的配置文件│   ├── templates           //存放一些配置文件，启动脚本等模块文件│   └── vars                //自定义变量└── install             //此目录为安装nginx操作├── files├── handlers├── meta├── tasks├── templates└── vars

第二步：确定需要打包的nginx目录文件

[root@ying01 nginx_install]# pwd
/etc/ansible/nginx_install
您在 /var/spool/mail/root 中有新邮件
[root@ying01 nginx_install]# ls /usr/local/nginx/
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  uwsgi_temp
[root@ying01 nginx_install]# ls /etc/init.d/nginx
/etc/init.d/nginx
[root@ying01 nginx_install]# ls /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/conf/nginx.conf

第三步：打包nginx目录下，除vhost的所有有关nginxd文件；把nginx配置文件、启动脚本复制到roles/install/templates/下；

[root@ying01 nginx_install]# cd /usr/local/
[root@ying01 local]# tar czf nginx.tar.gz --exclude "nginx.conf" --exclude "vost"
[root@ying01 local]# tar czf nginx.tar.gz --exclude "nginx.conf" --exclude "vhost" nginx/
[root@ying01 local]# mv nginx.tar.gz /etc/ansible/nginx_install/roles/install/files/
[root@ying01 local]# cp nginx/conf/nginx.conf /etc/ansible/nginx_install/roles/install/templates/
[root@ying01 local]# cp /etc/init.d/nginx /etc/ansible/nginx_install/roles/install/templates[root@ying01 local]# cd /etc/ansible/nginx_install/roles/
[root@ying01 roles]# tree         //查看已复制到位的文件
.
├── common
│   ├── files
│   ├── handlers
│   ├── meta
│   ├── tasks
│   ├── templates
│   └── vars
└── install├── files│   └── nginx.tar.gz├── handlers├── meta├── tasks├── templates│   ├── nginx│   └── nginx.conf└── vars14 directories, 3 files

第四步：定义普通的tasks，创建main.yml文件

[root@ying01 roles]# cd common/
[root@ying01 common]# vim tasks/main.yml- name: Install initializtion require softwareyum: name={{ item }} state=installed   //循环安装所需包with_items:- zlib-devel- pcre-devel

第五步：定义变量，创建/install/vars/main.yml 文件

[root@ying01 common]# vim /etc/ansible/nginx_install/roles/install/vars/main.yml nginx_user: www                         //用户
nginx_port: 800                         //端口
nginx_basedir: /usr/local/nginx         //nginx目录

第六步：定义文件拷贝配置文件

[root@ying01 common]# vim /etc/ansible/nginx_install/roles/install/tasks/copy.yml- name: Copy Nginx Software                 //把nginx包复制到指定目录copy: src=nginx.tar.gz dest=/tmp/nginx.tar.gz owner=root group=root
- name: Uncompression Nginx Software         //用shell模块远程解压到/usr/local下shell: tar zxf /tmp/nginx.tar.gz -C /usr/local/
- name: Copy Nginx Start Script              //复制启动nginx脚本                     template: src=nginx dest=/etc/init.d/nginx owner=root group=root mode=0755
- name: Copy Nginx Config                    //复制nginx配置文件，通过变量，即/usr/local/nginx下template: src=nginx.conf dest={{ nginx_basedir }}/conf/ owner=root group=root mode=0644

第七步：建立用户、启动服务。删除安装包

[root@ying01 ~]# vim  /etc/ansible/nginx_install/roles/install/tasks/install.yml - name: Create Nginx User                   //创建用户信息等user: name={{ nginx_user }} state=present createhome=no shell=/sbin/nologin
- name: Start Nginx Service                 //远程启动nginxshell: /etc/init.d/nginx start
- name: Add Boot Start Nginx Service        //增加nginx服务，到启动项shell: chkconfig --level 345 nginx on
- name: Delete Nginx compression files        //删除nginx.tar.gz包shell: rm -rf /tmp/nginx.tar.gz

第八步：创建main.yml,调用copy和install

[root@ying01 ~]# vim /etc/ansible/nginx_install/roles/install/tasks/main.yml - include: copy.yml
- include: install.yml

第九步：创建入口文件

[root@ying01 ~]# vim /etc/ansible/nginx_install/install.yml---
- hosts: ying03remote_user: rootgather_facts: Trueroles:- common- install

在认证主机ying03上，因为之前安装有nginx，因此把设计nginx改为nginx1，防止试验干涉；

[root@ying03 ~]# cd /usr/local/
[root@ying03 local]# mv nginx nginx1
[root@ying03 local]# ls
bin  etc  games  include  lib  lib64  libexec  mysql  nginx1  sbin  share  src
[root@ying03 local]# ls /etc/init.d/
functions  mysqld  netconsole  network  nginx  README
[root@ying03 local]# cd /etc/init.d/
[root@ying03 init.d]# ls
functions  mysqld  netconsole  network  nginx  README
[root@ying03 init.d]# mv nginx nginx1

在ying01上，开始执行总入口的install.yml文件

[root@ying01 ~]# ansible-playbook /etc/ansible/nginx_install/install.ymlPLAY [ying03] ***********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying03]TASK [common : Install initializtion require software] ******************************************************************************************************
ok: [ying03] => (item=[u'zlib-devel', u'pcre-devel'])TASK [install : Copy Nginx Software] ************************************************************************************************************************
changed: [ying03]TASK [install : Uncompression Nginx Software] ***************************************************************************************************************[WARNING]: Consider using the unarchive module rather than running tar.  If you need to use command because unarchive is insufficient you can add
warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message.changed: [ying03]TASK [install : Copy Nginx Start Script] ********************************************************************************************************************
changed: [ying03]TASK [install : Copy Nginx Config] **************************************************************************************************************************
changed: [ying03]TASK [install : Create Nginx User] **************************************************************************************************************************
changed: [ying03]TASK [install : Start Nginx Service] ************************************************************************************************************************
changed: [ying03]TASK [install : Add Boot Start Nginx Service] ***************************************************************************************************************
changed: [ying03]TASK [install : Delete Nginx compression files] *************************************************************************************************************[WARNING]: Consider using the file module with state=absent rather than running rm.  If you need to use command because file is insufficient you can add
warn=False to this command task or set command_warnings=False in ansible.cfg to get rid of this message.changed: [ying03]PLAY RECAP **************************************************************************************************************************************************
ying03                     : ok=10   changed=8    unreachable=0    failed=0

到ying03机器上测试，有nginx的进程，说明是试验成功

[root@ying03 init.d]# ps aux |grep nginx
root      8748  0.0  0.1  45576  1076 ?        Ss   01:01   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody    8749  0.0  0.3  47928  3704 ?        S    01:01   0:00 nginx: worker process
nobody    8750  0.0  0.3  47928  3704 ?        S    01:01   0:00 nginx: worker process
root      8887  0.0  0.0 112720   980 pts/0    S+   01:02   0:00 grep --color=auto nginx

十三、 playbook管理配置文件

生产环境中安装软件包只是在初始化环境的时候用一下,大多时候是需要管理配置文件的。此时可以用playbook功能。

创建playbook配置目录结构

[root@ying01 ~]#  mkdir  -p /etc/ansible/nginx_config/roles/{new,old}/{files,handlers,vars,tasks}
[root@ying01 ~]# cd /etc/ansible/nginx_config/
[root@ying01 nginx_config]# tree
/etc/ansible/nginx_config/
└── roles├── new│   ├── files│   ├── handlers│   ├── tasks│   └── vars└── old├── files├── handlers├── tasks└── vars11 directories, 0 files

把nginx虚拟主机，复制到nginx_config/roles/new/files/目录下

[root@ying01 nginx_config]#  cd /usr/local/nginx/conf/
[root@ying01 conf]# cp -r nginx.conf vhost  /etc/ansible/nginx_config/roles/new/files/
[root@ying01 conf]# cd -
/etc/ansible/nginx_config
[root@ying01 nginx_config]# tree
.
└── roles├── new│   ├── files│   │   ├── nginx.conf│   │   └── vhost│   │       ├── aaa.com.conf│   │       ├── load.conf│   │       ├── proxy.conf│   │       ├── ssl.conf│   │       └── test.com.conf│   ├── handlers│   ├── tasks│   └── vars└── old├── files├── handlers├── tasks└── vars12 directories, 6 files

定义变量文件

[root@ying01 nginx_config]#  vim /etc/ansible/nginx_config/roles/new/vars/main.ymlnginx_basedir: /usr/local/nginx

定义nginx重新加载配置

[root@ying01 nginx_config]# vim /etc/ansible/nginx_config/roles/new/handlers/main.yml  - name: restart nginxshell: /etc/init.d/nginx reload

定义主配置文件

[root@ying01 nginx_config]# vim /etc/ansible/nginx_config/roles/new/tasks/main.yml - name: copy conf filecopy: src={{ item.src }} dest={{ nginx_basedir }}/{{ item.dest }} backup=yes owner=root group=root mode=0644with_items:- { src: nginx.conf, dest: conf/nginx.conf }- { src: vhosts, dest: conf/ }notify: restart nginx

定义总入口配置，创建update.yml文件

[root@ying01 nginx_config]# vim /etc/ansible/nginx_config/update.yml ---
- hosts: ying03user: rootroles:- new

执行update.yml文件

[root@ying01 nginx_config]# ansible-playbook /etc/ansible/nginx_config/update.ymlPLAY [ying03] ***********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying03]TASK [new : copy conf file] *********************************************************************************************************************************
ok: [ying03] => (item={u'dest': u'conf/nginx.conf', u'src': u'nginx.conf'})
changed: [ying03] => (item={u'dest': u'conf/', u'src': u'vhost'})RUNNING HANDLER [new : restart nginx] ***********************************************************************************************************************
changed: [ying03]PLAY RECAP **************************************************************************************************************************************************
ying03                     : ok=3    changed=2    unreachable=0    failed=0

在客户端ying03测试，nginx服务重新加载

[root@ying03 ~]# ps aux |grep nginx
root      8945  0.0  0.2  45856  2900 ?        Ss   01:07   0:00 nginx: master process /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
nobody   10713  0.0  0.3  48208  3964 ?        S    02:11   0:00 nginx: worker process
nobody   10714  0.0  0.3  48208  3964 ?        S    02:11   0:00 nginx: worker process
root     10724  0.0  0.0 112720   984 pts/0    R+   02:12   0:00 grep --color=auto nginx[root@ying03 ~]# ls /usr/local/nginx/conf/vhost/          //vhost也被复制到指定目录
aaa.com.conf  load.conf  proxy.conf  ssl.conf  test.com.conf

文件的回滚测试

在ying01机器上，把new文件夹备份到old文件夹

[root@ying01 nginx_config]# rsync -av roles/new/ roles/old/
sending incremental file list
files/
files/nginx.conf
files/vhost/
files/vhost/aaa.com.conf
files/vhost/load.conf
files/vhost/proxy.conf
files/vhost/ssl.conf
files/vhost/test.com.conf
handlers/
handlers/main.yml
tasks/
tasks/main.yml
vars/
vars/main.ymlsent 4,919 bytes  received 207 bytes  10,252.00 bytes/sec
total size is 4,105  speedup is 0.80
[root@ying01 nginx_config]# tree
.
├── roles
│   ├── new
│   │   ├── files
│   │   │   ├── nginx.conf
│   │   │   └── vhost
│   │   │       ├── aaa.com.conf
│   │   │       ├── load.conf
│   │   │       ├── proxy.conf
│   │   │       ├── ssl.conf
│   │   │       └── test.com.conf
│   │   ├── handlers
│   │   │   └── main.yml
│   │   ├── tasks
│   │   │   └── main.yml
│   │   └── vars
│   │       └── main.yml
│   └── old
│       ├── files
│       │   ├── nginx.conf
│       │   └── vhost
│       │       ├── aaa.com.conf
│       │       ├── load.conf
│       │       ├── proxy.conf
│       │       ├── ssl.conf
│       │       └── test.com.conf
│       ├── handlers
│       │   └── main.yml
│       ├── tasks
│       │   └── main.yml
│       └── vars
│           └── main.yml
├── update.retry
└── update.yml13 directories, 20 files

创建rollback.yml 文件

[root@ying01 nginx_config]# vim /etc/ansible/nginx_config/rollback.yml ---
- hosts: ying03user: rootroles:- old

在ying上，配置文件nginx.conf，在include前面加上#号

[root@ying01 nginx_config]# vim /etc/ansible/nginx_config/roles/new/files/nginx.conf# include vhost/*.conf;

在ying02上测试，发现include前面有#号

[root@ying03 ~]# tail -5 /usr/local/nginx/conf/nginx.confgzip_http_version 1.1;gzip_types text/plain application/x-javascript text/css text/htm application/xml;# include vhost/*.conf;

执行rollback.yml 文件

[root@ying01 nginx_config]# ansible-playbook /etc/ansible/nginx_config/rollback.yml PLAY [ying03] ***********************************************************************************************************************************************TASK [Gathering Facts] **************************************************************************************************************************************
ok: [ying03]TASK [old : copy conf file] *********************************************************************************************************************************
ok: [ying03] => (item={u'dest': u'conf/nginx.conf', u'src': u'nginx.conf'})
ok: [ying03] => (item={u'dest': u'conf/', u'src': u'vhost'})PLAY RECAP **************************************************************************************************************************************************
ying03                     : ok=2    changed=0    unreachable=0    failed=0

在ying02上测试，发现include的#消失了，试验成功

[root@ying03 ~]# tail -5 /usr/local/nginx/conf/nginx.confgzip_http_version 1.1;gzip_types text/plain application/x-javascript text/css text/htm application/xml;include vhost/*.conf;
}

转载于:https://my.oschina.net/u/3851633/blog/2049915