Basic commands

The main commands:

ansible
ansible-doc
ansible-playbook
ansible-vault
ansible-console
ansible-galaxy
ansible-pull
# The ansible command

ansible implements configuration management, application deployment and task execution over SSH.
It is recommended to configure the ansible control side so that it can reach every managed node with key-based authentication.
Each of these commands is essentially a symlink to the ansible executable.

```shell
ansible <host-pattern> [-m module_name] [-a args]
# ansible + managed hosts (ALL) + module + arguments
--version                  show the version
-m module                  specify the module; the default is command
-v                         verbose output; -vv and -vvv are more verbose
--list-hosts               show the host list; can be shortened to --list
-k, --ask-pass             prompt for the SSH password; key-based auth is the default
-C, --check                check only, do not execute
-T, --timeout=TIMEOUT      timeout for command execution, default 10s
-u, --user=REMOTE_USER     the remote user to execute as
-b, --become               replaces the old sudo switch
--become-user=USERNAME     the run-as user for sudo, default root
-K, --ask-become-pass      prompt for the sudo password
```
# View the help

```shell
ansible --help
```
# Test whether the hosts are reachable

Check the network state of all hosts. By default the managed hosts are connected over SSH with key-based authentication; if no key has been configured, permission is denied.
So you have to specify which identity to connect as and enter that user's password, and the password must be identical on every managed host.

```shell
ansible all -m ping -k
```

Alternatively set up key-based authentication: ssh-copy-id the public key to the managed hosts to get passwordless login.

```shell
ansible all -m ping
```

Test with ansible's ping module, invoked through the -m argument:

```shell
[root@linux101 ~]# ansible 192.168.10.102 -m ping
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost
does not match 'all'
[WARNING]: Could not match supplied host pattern, ignoring: 192.168.10.102
```

There is a warning: the host has to be added to the hosts inventory.

```shell
[root@linux101 ~]# vim /etc/ansible/hosts
# add the hosts to be tested
192.168.10.102
192.168.10.103
192.168.10.104
```

Try again. This time it fails because of missing permissions (ansible's ping goes over the SSH protocol):

```shell
[root@linux101 ~]# ansible 192.168.10.102 -m ping
192.168.10.102 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
```

Connect with a username and password: -k prompts for the password, and the username defaults to the user on the current host (e.g. root when you are logged in as root); to use another user, specify it with -u.

```shell
[root@linux101 ~]# ansible 192.168.10.102 -m ping -k
SSH password: # enter the password
192.168.10.102 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
```
# Sending ping to multiple hosts

Send the command to several hosts at once:

```shell
[root@linux101 ~]# ansible 192.168.10.102,192.168.10.103 -m ping -k
SSH password:
192.168.10.103 | FAILED! => {
    "msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host."
}
192.168.10.102 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
```

About the known_hosts error: you need to log in once with ssh first, so that the host becomes a trusted host.

- Note: exit the ssh session with Ctrl + D
- Note: if host_key_checking=false is set in the ansible configuration file, this error does not occur and the following command is not needed

```shell
ssh 192.168.10.103
```

Send the ping to multiple hosts again:

```shell
[root@linux101 ~]# ansible 192.168.10.102,192.168.10.103 -m ping -k
SSH password:
192.168.10.102 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
192.168.10.103 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
```

The drawback of this approach: all hosts have to share the same key (password). The fix is to configure key pairs for the other managed hosts.
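As an added example (not from the original post), the following Python parses the `host | STATUS => {...}` blocks that the ad-hoc command prints in the sessions above and maps each failing host to the remedy the text describes; the sample output is constructed to mirror those sessions.

```python
import json
import re

# Constructed sample, in the format the ad-hoc command prints (see the sessions above).
SAMPLE_OUTPUT = """\
192.168.10.103 | FAILED! => {
    "msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host's fingerprint to your known_hosts file to manage this host."
}
192.168.10.102 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.10.104 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
"""

HEADER = re.compile(r"^(\S+) \| (SUCCESS|CHANGED|FAILED!|UNREACHABLE!) => (\{.*)$")
# Error text -> remedy: trust the host key once with ssh (safer than host_key_checking=false),
# or fix authentication with -k/-u or by ssh-copy-id of a public key.
REMEDIES = (("Host Key checking", "known_hosts"), ("Permission denied", "auth"))

def parse_adhoc_output(text):
    """Return {host: (status, payload)}; the JSON payload may span several lines."""
    results, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        host, status, buf = m.groups()
        while True:  # keep appending lines until the JSON object decodes
            try:
                payload, _ = json.JSONDecoder().raw_decode(buf)
                break
            except json.JSONDecodeError:
                i += 1
                buf += "\n" + lines[i]  # IndexError here means a truncated result
        results[host] = (status.rstrip("!"), payload)
        i += 1
    return results

def diagnose(results):
    """Map each non-successful host to the remedy the text above describes."""
    advice = {}
    for host, (status, payload) in results.items():
        if status not in ("SUCCESS", "CHANGED"):
            msg = payload.get("msg", "")
            advice[host] = next((fix for key, fix in REMEDIES if key in msg), "other")
    return advice
```

For scripting, the json stdout callback (ANSIBLE_STDOUT_CALLBACK=json) produces a single machine-readable document and is more robust than parsing this default format.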
# Sending ping to all hosts

Run the same command against every host configured in /etc/ansible/hosts:

```shell
ansible all -m ping -k
```

After the ssh-keygen setup, the following command can be run instead:

```shell
ansible all -m ping
```
# Sending commands to a host group

Configure the following in the host inventory:

```ini
[websrvs]
192.168.10.10[2:4]
```

Run the command:

```shell
ansible websrvs -m ping -k
```
# Viewing the host list

Use --list-hosts; --list also works.

List all hosts:

```shell
[root@linux101 ~]# ansible all --list-hosts
  hosts (3):
    192.168.10.102
    192.168.10.103
    192.168.10.104
```

List the hosts of a given group:

```shell
[root@linux101 ~]# ansible websrvs --list-hosts
  hosts (3):
    192.168.10.102
    192.168.10.103
    192.168.10.104
[root@linux101 ~]# ansible websrvs --list
  hosts (3):
    192.168.10.102
    192.168.10.103
    192.168.10.104
```
# Running on one specific host of a group

```shell
ansible websrvs -a 'getent passwd test2' --limit=192.168.10.101
```
# host-pattern

The list of hosts to match. For logical conditions it is recommended to wrap the pattern in single quotes.

# all

All hosts in the inventory:

```shell
ansible all -m ping
```

# Wildcard *

```shell
ansible "*" -m ping   # * means all hosts
ansible 192.168.1.* -m ping
ansible "*srvs" -m ping
```

# OR relation :

Takes the union:

```shell
ansible "websrvs:appsrvs" -m ping
ansible "192.168.1.10:192.168.1.20" -m ping
```

# Logical AND :&

Takes the intersection:

```shell
# hosts that are in group websrvs and also in group dbsrvs
ansible "websrvs:&dbsrvs" -m ping
```

# Logical NOT :!

Note: single quotes here (the `!` would otherwise be subject to the shell's history expansion).

```shell
# hosts in group websrvs but not in group dbsrvs
ansible 'websrvs:!dbsrvs' -m ping
```

# Combined logic

Note: single quotes here.

```shell
ansible 'websrvs:dbsrvs:&appsrvs:!ftpsrvs' -m ping
```

# Regular expressions

```shell
ansible "websrvs:&dbsrvs" -m ping
ansible "~(web|db).*\.stt\.com" -m ping
```
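An added example, not from the original post: a small Python resolver for the pattern syntax above (`:` union, `:&` intersection, `:!` exclusion, `*` globs, `~` regex) against a constructed inventory whose group names follow the page's examples. It applies plain terms first, then the intersections, then the exclusions, which mirrors the order Ansible itself uses.

```python
import fnmatch
import re

# Constructed inventory (group -> hosts), standing in for /etc/ansible/hosts.
INVENTORY = {
    "websrvs": ["web1.stt.com", "web2.stt.com"],
    "dbsrvs": ["db1.stt.com", "web2.stt.com"],
    "appsrvs": ["web1.stt.com", "web2.stt.com", "app1.stt.com"],
    "ftpsrvs": ["ftp1.stt.com", "web1.stt.com"],
}

def all_hosts(inventory):
    """Every host name in the inventory, deduplicated."""
    return {h for members in inventory.values() for h in members}

def match_one(term, inventory):
    """Resolve one term (without a leading & or !) to a set of host names."""
    hosts = all_hosts(inventory)
    if term in ("all", "*"):
        return hosts
    if term.startswith("~"):  # ~regex, tried against group names and host names
        rx = re.compile(term[1:])
        matched = {h for h in hosts if rx.match(h)}
        for group, members in inventory.items():
            if rx.match(group):
                matched.update(members)
        return matched
    # Plain name or shell-style glob (*, ?): group names first, then host names.
    matched = set()
    for group, members in inventory.items():
        if fnmatch.fnmatchcase(group, term):
            matched.update(members)
    matched.update(h for h in hosts if fnmatch.fnmatchcase(h, term))
    return matched

def resolve_pattern(pattern, inventory=INVENTORY):
    """Resolve a host-pattern such as 'websrvs:dbsrvs:&appsrvs:!ftpsrvs'.
    Plain terms are unioned first, then ':&' terms intersect the selection
    and ':!' terms are subtracted; with no plain term the start is 'all'."""
    terms = [t for t in pattern.split(":") if t]
    regular = [t for t in terms if t[0] not in "&!"] or ["all"]
    selected = set()
    for t in regular:                                 # ':'  union
        selected |= match_one(t, inventory)
    for t in (t[1:] for t in terms if t[0] == "&"):   # ':&' intersection
        selected &= match_one(t, inventory)
    for t in (t[1:] for t in terms if t[0] == "!"):   # ':!' exclusion
        selected -= match_one(t, inventory)
    return sorted(selected)
```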
# Command execution process

- Load its own configuration file, by default /etc/ansible/ansible.cfg
- Load the file of the requested module, e.g. command
- ansible generates a temporary .py file from the module or command and transfers it to the remote server as the executing user, under $HOME/.ansible/tmp/ansible-tmp-<number>/XXX.PY
- Make the file executable (+x)
- Execute it and return the result
- Delete the temporary py file and exit with sleep 0

Execution status:

- Green: executed successfully and no change was required
- Yellow: executed successfully and changed the target host
- Red: execution failed

Use -vv to see the execution process; -vvv shows even more detailed steps.

```shell
[root@linux101 ~]# ansible 192.168.10.103 -m ping -vv
ansible 2.9.27
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Nov 16 2020, 22:23:17) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
Using /etc/ansible/ansible.cfg as config file
Skipping callback 'actionable', as we already have a stdout callback.
Skipping callback 'counter_enabled', as we already have a stdout callback.
Skipping callback 'debug', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'full_skip', as we already have a stdout callback.
Skipping callback 'json', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'null', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Skipping callback 'selective', as we already have a stdout callback.
Skipping callback 'skippy', as we already have a stdout callback.
Skipping callback 'stderr', as we already have a stdout callback.
Skipping callback 'unixy', as we already have a stdout callback.
Skipping callback 'yaml', as we already have a stdout callback.
META: ran handlers
192.168.10.103 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
META: ran handlers
META: ran handlers
```
# Usage examples

```shell
# run a ping liveness check as user wang
ansible all -m ping -u wang -k
# as wang, sudo to root and run the ping check; -b uses root by default
ansible all -m ping -u wang -k -b
# as wang, sudo to user mage and run the ping check
ansible all -m ping -u wang -k -b --become-user=mage
# as wang, sudo to root and run ls; -k is wang's password, -K is the password for sudo to root
ansible all -m command -u wang -a 'ls /root' -b --become-user=root -k -K
# test connectivity with the ansible ping module
ansible 192.168.38.126,192.168.38.127 -m ping -k
```
# The ansible-doc command

Shows module help.

```shell
ansible-doc [options] [module...]
-a              show documentation for all modules   # rarely used, far too much output
-l, --list      list the available modules           # commonly used
-s, --snippet   show the playbook snippet for the given module (simplified form, handy for looking up syntax)
```

# List all modules

```shell
ansible-doc -l
```

# View the help of a specific module

```shell
[root@linux101 ~]# ansible-doc ping
> PING    (/usr/lib/python2.7/site-packages/ansible/modules/system/ping.py)

        A trivial test module, this module always returns 'pong' on successful contact. It does not make sense in playbooks, but it is useful from '/usr/bin/ansible' to verify the ability to login and that a usable Python is configured. This is NOT ICMP ping, this is just a trivial test module that requires Python on the remote-node. For Windows targets, use the [win_ping] module instead. For Network targets, use the [net_ping] module instead.

  * This module is maintained by The Ansible Core Team

OPTIONS (= is mandatory):

- data
        Data to return for the 'ping' return value.
        If this parameter is set to 'crash', the module will cause an exception.
        [Default: pong]
        type: str
...
```

# View the simplified help of a module

```shell
[root@linux101 ~]# ansible-doc -s ping
- name: Try to connect to host, verify a usable python and return 'pong' on success
  ping:
      data:                  # Data to return for the 'ping' return value. If this parameter is set to 'crash', the module will cause an exception.
```
# Appendix: ssh-keygen setup

```shell
[root@linux101 ~]# ssh-keygen
[root@linux101 ~]# ssh-copy-id 192.168.10.102
[root@linux101 ~]# ssh-copy-id 192.168.10.103
[root@linux101 ~]# ssh-copy-id 192.168.10.104
```
# The ansible-galaxy command

Downloads and uses configurations that others have shared online; the site is https://galaxy.ansible.com

# Install a role

Choose a role on the site and install it, for example geerlingguy.nginx. Note that install is a subcommand of ansible-galaxy, not of ansible, which is why the first attempt below fails:

```shell
[root@linux101 ~]# ansible install geerlingguy.nginx
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD]
               [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts]
               [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
               [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
               [-c CONNECTION] [-T TIMEOUT]
               [--ssh-common-args SSH_COMMON_ARGS]
               [--sftp-extra-args SFTP_EXTRA_ARGS]
               [--scp-extra-args SCP_EXTRA_ARGS]
               [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D]
               [-e EXTRA_VARS] [--vault-id VAULT_IDS]
               [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
               [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR]
               [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern
ansible: error: unrecognized arguments: geerlingguy.nginx
[root@linux101 ~]# ansible-galaxy install geerlingguy.nginx
- downloading role 'nginx', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-nginx/archive/3.1.1.tar.gz
- extracting geerlingguy.nginx to /root/.ansible/roles/geerlingguy.nginx
- geerlingguy.nginx (3.1.1) was installed successfully
```
# List the installed roles

```shell
[root@linux101 ~]# ansible-galaxy list
# /root/.ansible/roles
- geerlingguy.nginx, 3.1.1
# /usr/share/ansible/roles
# /etc/ansible/roles
```

# Remove an installed role

You can remove it with the command, or simply delete the directory it was installed into, /root/.ansible/roles/geerlingguy.nginx, for the same effect.

```shell
ansible-galaxy remove geerlingguy.nginx
```
# The ansible-pull command

Pushes the commands to the remote side; efficiency scales enormously, but it demands more of the operations staff.
# The ansible-playbook command

Help: ansible-playbook --help. It runs scripts written in the standard yml language; see the later Playbook chapter for detailed usage.

Example: run a simple playbook. First create the playbook (`cat hello.yml` shows its content):

```yaml
#hello world yml file
- hosts: websrvs
  remote_user: root
  tasks:
    - name: hello world
      command: /usr/bin/wall hello world
```

Run it:

```shell
ansible-playbook hello.yml
```
# The ansible-vault command

Manages encryption and decryption of yml files, mainly used to encrypt and decrypt playbook yml files.

```shell
ansible-vault [create|decrypt|edit|encrypt|rekey|view]
```

Examples:

```shell
ansible-vault encrypt hello.yml    # encrypt
ansible-vault decrypt hello.yml    # decrypt
ansible-vault view hello.yml       # view
ansible-vault edit hello.yml       # edit an encrypted file
ansible-vault rekey hello.yml      # change the password
ansible-vault create new.yml       # create a new file
```
# The ansible-console command

Runs commands interactively, with tab completion.

Example:

```shell
[root@linux101 ~]# ansible-console
Welcome to the ansible console.
Type help or ? to list commands.
# set the number of parallel forks: forks n, e.g. forks 10
# switch group: cd <host group>, e.g. cd web
# list the hosts of the current group: list
# list all built-in commands: ? or help
# prompt format: executing user@current host group (number of hosts in the group)[f:forks]$
root@all (3)[f:5]$ list
192.168.10.102
192.168.10.103
192.168.10.104
root@all (3)[f:5]$ cd websrvs
root@websrvs (3)[f:5]$ list
192.168.10.102
192.168.10.103
192.168.10.104
root@websrvs (3)[f:5]$ yum name=httpd state=present
root@websrvs (3)[f:5]$ service name=httpd state=started
```