A detailed look at the Ansible family of commands

The Ansible family of commands consists of ansible, ansible-doc, ansible-playbook, ansible-vault, ansible-console, ansible-galaxy and ansible-pull. Each has its own purpose and usage; we'll go through them one by one.

1. ansible-doc: shows help information for modules, somewhat like the man command on Linux.

Usage:

ansible-doc [options] [module...]

Common options:

-a: show the documentation for all modules

[ ~]# ansible-doc -a ping 
> A10_SERVER    (/usr/lib/python2.7/site-packages/ansible/modules/network/a10/a10_server.py)

        Manage SLB (Server Load Balancer) server objects on A10 Networks devices via aXAPIv2.

OPTIONS (= is mandatory):

= host
        Hostname or IP of the A10 Networks device.
        [Default: None]

- partition
        set active-partition
        [Default: None]
        version_added: 2.3

= password
        Password for the `username' account.
        (Aliases: pass, pwd)[Default: None]

- server_ip
        The SLB server IPv4 address.
        (Aliases: ip, address)[Default: None]

:

Note: as the output shows, -a prints the full documentation for every module, not only ping (the listing starts with a10_server); only part of it is shown here.

-l, --list: list the available modules

[ ~]# ansible-doc -l
a10_server                                Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' server object.  
a10_server_axapi3                         Manage A10 Networks AX/SoftAX/Thunder/vThunder devices                  
a10_service_group                         Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' service groups. 
a10_virtual_server                        Manage A10 Networks AX/SoftAX/Thunder/vThunder devices' virtual servers.
accelerate                                Enable accelerated mode on remote node                                  
aci_aep                                   Manage attachable Access Entity Profile (AEP) on Cisco ACI fabrics (infr...
aci_ap                                    Manage top level Application Profile (AP) objects on Cisco ACI fabrics (...
aci_bd                                    Manage Bridge Domains (BD) on Cisco ACI Fabrics (fv:BD)                 
aci_bd_subnet                             Manage Subnets on Cisco ACI fabrics (fv:Subnet)                         
aci_bd_to_l3out                           Bind Bridge Domain to L3 Out on Cisco ACI fabrics (fv:RsBDToOut)        
aci_config_rollback                       Provides rollback and rollback preview functionality for Cisco ACI fabri...
aci_config_snapshot                       Manage Config Snapshots on Cisco ACI fabrics (config:Snapshot, config:Ex...
aci_contract                              Manage contract resources on Cisco ACI fabrics (vz:BrCP)                
aci_contract_subject                      Manage initial Contract Subjects on Cisco ACI fabrics (vz:Subj)         
aci_contract_subject_to_filter            Bind Contract Subjects to Filters on Cisco ACI fabrics (vz:RsSubjFiltAtt...
aci_epg                                   Manage End Point Groups (EPG) on Cisco ACI fabrics (fv:AEPg)            
aci_epg_monitoring_policy                 Manage monitoring policies on Cisco ACI fabrics (mon:EPGPol)            
aci_epg_to_contract                       Bind EPGs to Contracts on Cisco ACI fabrics (fv:RsCons and fv:RsProv)   
aci_epg_to_domain                         Bind EPGs to Domains on Cisco ACI fabrics (fv:RsDomAtt)                 
aci_filter                                Manages top level filter objects on Cisco ACI fabrics (vz:Filter)       
aci_filter_entry                          Manage filter entries on Cisco ACI fabrics (vz:Entry)                   
aci_intf_policy_fc                        Manage Fibre Channel interface policies on Cisco ACI fabrics (fc:IfPol) 
aci_intf_policy_l2                        Manage Layer 2 interface policies on Cisco ACI fabrics (l2:IfPol)       
:

Note: -l lists every available module with a short summary of what it does; only part of the output is shown here.

-s, --snippet: show a playbook snippet for the specified module

[ ~]# ansible-doc -s ping 
- name: Try to connect to host, verify a usable python and return `pong' on success
  ping:
      data:                  # Data to return for the `ping' return value. If this parameter is set to `crash', the
                               module will cause an exception.
[ ~]#

Note: -s is the option we use most often; it lists the module's common parameters and what each of them does.

2. ansible: this is the main Ansible program and the command we use most often to manage hosts. It invokes the various modules to do configuration management, application deployment, task execution and so on against remote hosts. As introduced earlier, Ansible has two ways of managing hosts: ad-hoc, i.e. running the ansible command on the command line, and ansible-playbook.

Usage:

ansible <host-pattern> [-m module_name] [-a args]

Note: the syntax is easy to follow. Ansible's strength is its many modules, and the ansible command manages hosts by calling them, so the usage above reads as: which hosts to manage, which module to use, and what the module should do (expressed as the arguments passed to the module).

Common options:

--version: show the version

[ ~]# ansible --version
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
[ ~]#

-m module: specify the module; right after installing Ansible the default module is command

-v: show the execution process; -vv shows more detail and -vvv even more detail

--list-hosts: show the host list; can be abbreviated to --list

[ ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[ ~]# ansible websers --list
  hosts (1):
    192.168.0.99
[ ~]# ansible appsers --list
  hosts (2):
    192.168.0.218
    192.168.0.128
[ ~]#

Note: all matches every host in the inventory.

-k, --ask-pass: prompt for the SSH connection password; by default Ansible uses key-based authentication (lowercase k)

[ ~]# ansible websers -m ping -k
SSH password: 
192.168.0.99 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[ ~]#

Note: this option is generally used for inventory hosts that have not been set up for SSH key authentication; it is usually not recommended.

-K, --ask-become-pass: prompt for the sudo password (uppercase K)

[ ~]# ansible websers  -u 'qiuhom' -k -s -K  -a " getent shadow qiuhom"
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line 
arguments. This feature will be removed in version 2.6. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.
SSH password: 
SUDO password[defaults to SSH password]: 
192.168.0.99 | SUCCESS | rc=0 >>
qiuhom:$6$5mlfZaKT$YmDjmEnKPoC.xASTVA5JqUrTiIkuXOe1yDm9PCql89e4lGKUS.W1515phi1OgD1W7Zu6Lm9srTBHi9QAigWpz/:18068:0:99999:7:::

[ ~]#

Note: -u specifies the remote user to run as, -s means run the following operation with sudo, -k (lowercase) uses SSH password authentication, -K (uppercase) prompts for the sudo password, and -a passes arguments to the module; the example above has no -m, so the default command module is used.

-C, --check: check without executing; mainly used to verify that a playbook is written correctly.

-T, --timeout: timeout for executing a command; the default is 10 seconds

-u: the remote user to execute the command as; this user must exist on the remote server, not on the local control node

-b, --become: replaces the old sudo switch (-s)

--become-user USERNAME: the user sudo runs as; the default is root

Now that we've covered the basic options of ansible, let's look at host pattern matching.

1. all: matches every host defined in the inventory

[ ~]# ansible all -m ping 
192.168.0.99 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
192.168.0.128 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[ ~]# ansible all --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[ ~]#

2. "*": wildcard; also matches every host in the inventory

[ ~]# ansible * -m ping 
192.168.0.128 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
192.168.0.218 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
192.168.0.99 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[ ~]# ansible 192.168.0.1* -m ping 
192.168.0.128 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[ ~]# ansible web* -m ping     
192.168.0.99 | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
[ ~]#

3. Logical OR

[ ~]# tail -6 /etc/ansible/hosts
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[ ~]# ansible "websers:appsers" --list
  hosts (3):
    192.168.0.99
    192.168.0.218
    192.168.0.128
[ ~]# ansible "192.168.0.1*:192.168.0.2*" --list
  hosts (2):
    192.168.0.128
    192.168.0.218
[ ~]#

4. Logical AND

[ ~]# ansible "websers:&appsers" --list 
  hosts (1):
    192.168.0.218
[ ~]#

Note: the command above lists the hosts that are in the websers group and also in the appsers group.

5. Logical NOT

[ ~]# ansible "websers:!appsers" --list 
-bash: !appsers": event not found
[ ~]# ansible 'websers:!appsers' --list
  hosts (1):
    192.168.0.99
[ ~]#

Note: one thing to watch here is that a pattern containing logical NOT must be single-quoted: inside double quotes bash treats ! as history expansion, which is what the "event not found" error above is. The command lists hosts that are in websers but not in appsers.

6. Combined logic

[ ~]# tail -13 /etc/ansible/hosts  
[websers]
192.168.0.99:41319
192.168.0.218
[appsers]
192.168.0.218
192.168.0.128
[dbsers]
192.168.0.208
192.168.0.199
[ftpsers]
192.168.0.123
192.168.0.233

[ ~]#  ansible 'dbsers:websers:&appsers:!ftpsers' --list
  hosts (1):
    192.168.0.218
[ ~]#

Note: the command above combines OR, AND and NOT. In such combined patterns the precedence order is: NOT highest, then AND, and OR lowest. So the command matches the hosts of the dbsers and websers groups that are also in appsers and not in ftpsers.

7. Regular expressions

[ ~]# ansible "~(web|db).*" --list
  hosts (4):
    192.168.0.99
    192.168.0.218
    192.168.0.208
    192.168.0.199
[ ~]#

Note: the command above matches hosts in groups whose names start with web or db; the leading ~ means the pattern is a regular expression.

Having covered host pattern matching, let's look at how an ansible command executes. When running ansible we can add -vvv to display the execution process in detail.
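
To make the precedence rules of sections 3 to 7 concrete, here is an added Python example (not code from the original post or from Ansible itself) that evaluates the same host patterns over a constructed inventory mirroring the groups in /etc/ansible/hosts above. It applies plain terms first, then `&` terms, then `!` terms, which is exactly how the OR/AND/NOT precedence works out, and it also handles `all`, shell-style globs and `~regex`. The INVENTORY dict and the function names are this example's own.

```python
import fnmatch
import re

# Constructed inventory mirroring the groups shown in /etc/ansible/hosts above
INVENTORY = {
    "websers": ["192.168.0.99", "192.168.0.218"],
    "appsers": ["192.168.0.218", "192.168.0.128"],
    "dbsers": ["192.168.0.208", "192.168.0.199"],
    "ftpsers": ["192.168.0.123", "192.168.0.233"],
}


def _dedupe(hosts):
    """Drop repeated hosts while keeping inventory order."""
    seen = set()
    return [h for h in hosts if not (h in seen or seen.add(h))]


def all_hosts(inventory):
    return _dedupe([h for hosts in inventory.values() for h in hosts])


def match_term(term, inventory):
    """Hosts selected by a single term: all, a group, a host, a shell glob or ~regex.

    A term is tried against group names first, then against host names.
    """
    if term in ("all", "*"):
        return all_hosts(inventory)
    if term.startswith("~"):
        regex = re.compile(term[1:])

        def name_ok(name):
            return regex.match(name) is not None
    else:
        def name_ok(name):
            return fnmatch.fnmatchcase(name, term)
    hits = [h for group, hosts in inventory.items() if name_ok(group) for h in hosts]
    hits += [h for h in all_hosts(inventory) if name_ok(h)]
    return _dedupe(hits)


def match_pattern(pattern, inventory):
    """Evaluate a host pattern: a:b is union, a:&b intersection, a:!b exclusion.

    Plain terms are applied first, then all & terms, then all ! terms. That
    ordering is what gives NOT the highest precedence and OR the lowest.
    """
    terms = [t for t in re.split(r"[:,]", pattern) if t]  # ansible accepts : or ,
    ordered = ([t for t in terms if t[0] not in "&!"]
               + [t for t in terms if t[0] == "&"]
               + [t for t in terms if t[0] == "!"])
    hosts = []
    for term in ordered:
        if term[0] == "&":
            keep = match_term(term[1:], inventory)
            hosts = [h for h in hosts if h in keep]
        elif term[0] == "!":
            drop = match_term(term[1:], inventory)
            hosts = [h for h in hosts if h not in drop]
        else:
            hosts = _dedupe(hosts + match_term(term, inventory))
    return hosts


if __name__ == "__main__":
    for p in ("all", "web*", "192.168.0.1*", "websers:appsers", "websers:&appsers",
              "websers:!appsers", "dbsers:websers:&appsers:!ftpsers", "~(web|db).*"):
        print("%-34s -> %s" % (p, match_pattern(p, INVENTORY)))
```

Running it reproduces the host lists shown in the sessions above (the combined pattern yields only 192.168.0.218). In Python the `!` needs no quoting; on the command line the whole pattern must be single-quoted, because bash expands `!` inside double quotes.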

[ ~]# ansible "websers:&appsers" -m shell -a "getent passwd root" -vvv
ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.0.218> (0, '/root\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" && echo ansible-tmp-1573399527.3-188437527440745="` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" ) && sleep 0'"'"''
<192.168.0.218> (0, 'ansible-tmp-1573399527.3-188437527440745=/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745\n', '')
<192.168.0.218> PUT /tmp/tmpPczCAu TO /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
<192.168.0.218> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 '[192.168.0.218]'
<192.168.0.218> (0, 'sftp> put /tmp/tmpPczCAu /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 192.168.0.218 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/ /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py && sleep 0'"'"''
<192.168.0.218> (0, '', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/82e2c5d794 -tt 192.168.0.218 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/" > /dev/null 2>&1 && sleep 0'"'"''
<192.168.0.218> (0, '\r\n{"changed": true, "end": "2019-11-10 23:25:23.100262", "stdout": "root:x:0:0:root:/root:/bin/bash", "cmd": "getent passwd root", "rc": 0, "start": "2019-11-10 23:25:23.082719", "stderr": "", "delta": "0:00:00.017543", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "getent passwd root", "removes": null, "creates": null, "chdir": null, "stdin": null}}}\r\n', 'Shared connection to 192.168.0.218 closed.\r\n')
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

META: ran handlers
META: ran handlers
[ ~]#

Note: from the output above we can roughly see how ansible executes a command:

1. First ansible loads its configuration file, by default /etc/ansible/ansible.cfg

2. It loads the corresponding module file; in the example above this is the shell module (the file loaded is command.py, on which the shell module is built, hence "_uses_shell": true in the invocation)

3. Ansible generates a temporary Python file from the module and its arguments and transfers it over sftp to .ansible/tmp/ansible-tmp-<number>/xxxx.py under the home directory of the executing user on the remote host (the directory is created with umask 77, so it is private to that user)

4. It then makes the transferred temporary file executable (chmod +x)

5. It runs the temporary file and returns the result

6. It deletes the temporary py file, runs sleep 0, and exits
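
As an added example (not part of the original post and not Ansible's own code), the following Python script reconstructs those six steps from a -vvv transcript. SAMPLE_VVV is a constructed, shortened copy of the transcript above (the long ssh option lists are abbreviated to `...`); the step names, the `summarize_vvv` function and the structure it returns are this example's own. Besides the step sequence it records which temporary directory was created on the managed host and whether the connection used key authentication (`PasswordAuthentication=no`), two things worth checking when auditing what a control node did to a managed host.

```python
import json
import re

# Constructed excerpt, abbreviated from the -vvv transcript shown on this page
# (ssh option lists shortened to "...").
SAMPLE_VVV = """\
Using /etc/ansible/ansible.cfg as config file
Parsed /etc/ansible/hosts inventory source with ini plugin
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh -C -o ControlMaster=auto -o PasswordAuthentication=no -o ConnectTimeout=10 192.168.0.218 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.0.218> (0, '/root\\n', '')
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh ... 192.168.0.218 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745 `" ) && sleep 0'"'"''
<192.168.0.218> (0, 'ansible-tmp-1573399527.3-188437527440745=/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745\\n', '')
<192.168.0.218> PUT /tmp/tmpPczCAu TO /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py
<192.168.0.218> SSH: EXEC sftp -b - -C ... '[192.168.0.218]'
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh ... 192.168.0.218 '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/ /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py && sleep 0'"'"''
<192.168.0.218> ESTABLISH SSH CONNECTION FOR USER: None
<192.168.0.218> SSH: EXEC ssh ... -tt 192.168.0.218 '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/command.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1573399527.3-188437527440745/" > /dev/null 2>&1 && sleep 0'"'"''
<192.168.0.218> (0, '\\r\\n{"changed": true, "stdout": "root:x:0:0:root:/root:/bin/bash", "cmd": "getent passwd root", "rc": 0}\\r\\n', 'Shared connection to 192.168.0.218 closed.\\r\\n')
"""

# Substrings that identify each remote action in an "SSH: EXEC" line (example's own names)
STEP_NEEDLES = (
    ("echo ~", "homedir"),        # discover the remote user's home directory
    ("mkdir -p", "mktemp"),       # create the private temp dir (umask 77)
    ("sftp", "sftp"),             # transfer the module file
    ("chmod u+x", "chmod"),       # make the module executable
    ("/usr/bin/python", "run"),   # execute the module
    ("rm -rf", "cleanup"),        # remove the temp dir afterwards
)
TMP_DIR_RE = re.compile(r"/[\w./-]*ansible-tmp-[\d.-]+")
HOST_LINE_RE = re.compile(r"^<([^>]+)> (.*)$")


def summarize_vvv(log_text):
    """Reconstruct, per host, the step sequence a -vvv transcript records."""
    summary = {"config_file": None, "module_file": None, "hosts": {}}
    for line in log_text.splitlines():
        m = re.match(r"Using (\S+) as config file", line)
        if m:
            summary["config_file"] = m.group(1)
            continue
        m = re.match(r"Using module file (\S+)", line)
        if m:
            summary["module_file"] = m.group(1)
            continue
        m = HOST_LINE_RE.match(line)
        if not m:
            continue
        host, rest = m.groups()
        h = summary["hosts"].setdefault(host, {
            "steps": [], "temp_dirs": set(), "key_auth": False, "rc": None, "stdout": None})
        if rest.startswith("ESTABLISH"):
            h["steps"].append("connect")
        elif rest.startswith("PUT "):
            h["steps"].append("put")
            h["temp_dirs"].update(TMP_DIR_RE.findall(rest))
        elif rest.startswith("SSH: EXEC "):
            if "PasswordAuthentication=no" in rest:
                h["key_auth"] = True
            h["steps"].extend(name for needle, name in STEP_NEEDLES if needle in rest)
            h["temp_dirs"].update(d.rstrip("/") for d in TMP_DIR_RE.findall(rest))
        elif rest.startswith("("):
            # "(rc, stdout, stderr)" tuple; the final one carries the module's JSON result
            h["rc"] = int(re.match(r"\((\d+),", rest).group(1))
            start, end = rest.find("{"), rest.rfind("}")
            if start != -1 and end > start:
                h["stdout"] = json.loads(rest[start:end + 1]).get("stdout")
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_vvv(SAMPLE_VVV), indent=2, default=sorted))
```

For the sample the host's step list comes out as connect, homedir, connect, mktemp, put, sftp, connect, chmod, connect, run, cleanup, which is the page's six steps with the four SSH connections made visible.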

Ansible normally uses three colours to report results: red, green and orange. Red means the execution failed or raised an exception, and usually aborts all remaining tasks. Green and orange both mean no exception occurred and all tasks ran normally, but orange means the target's state changed as a result of the command, while green means it did not. This convention applies not only to the ansible command but to the whole Ansible family of commands, so to judge whether any of them ran normally we only need to look at the colour.

3. ansible-galaxy: connects to https://galaxy.ansible.com to download or upload roles

Usage:

Usage: ansible-galaxy [delete|import|info|init|install|list|login|remove|search|setup] [--help] [options] ...

1. Install (download) a role

[ ~]# ansible-galaxy install geerlingguy.redis
- downloading role 'redis', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-redis/archive/1.6.0.tar.gz
- extracting geerlingguy.redis to /etc/ansible/roles/geerlingguy.redis
- geerlingguy.redis (1.6.0) was installed successfully
[ ~]#

2. List all installed roles

[ ~]# ansible-galaxy list
- geerlingguy.redis, 1.6.0
[ ~]#

3. Remove a role

[ ~]# ansible-galaxy remove geerlingguy.redis
- successfully removed geerlingguy.redis
[ ~]# ansible-galaxy list
[ ~]#

Note: galaxy downloads roles to /etc/ansible/roles by default, so a role can also be removed by simply deleting it from that directory. We can put roles we wrote ourselves there too, and ansible-galaxy list will show them as well.

4. ansible-vault: encrypts and decrypts YAML files

Usage:

Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

1. Encrypt

[ ansible]# cat test.yaml 
---
- hosts: websers
  remote_user: root
  
  tasks:
    - name: test
      command: hostname
[ ansible]# ansible-vault encrypt test.yaml 
New Vault password: 
Confirm New Vault password: 
Encryption successful
[ ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
38653234373532306537633636343038383031613537303437623730626462306665363165363432
6162306332313031326330386136623464346533363164320a353734386632303837393633643932
62656262626265396236646536646231646631363431383261623530626639303132396139633731
6663633466373034320a323161316262653535353361353436353238663836623034366534393265
34663862363938653531346237323265633861663430313839653932633362333865333366353765
38326239386432373665396133346632346336373839386134366335663339363338306138363733
39653462373564383736373063333764653137356237353563396635633862623039373964326531
61626138316239663535346562643436666534333637313363663536393932313565623533666561
6564
[ ansible]#

2. Decrypt

[ ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
38653234373532306537633636343038383031613537303437623730626462306665363165363432
6162306332313031326330386136623464346533363164320a353734386632303837393633643932
62656262626265396236646536646231646631363431383261623530626639303132396139633731
6663633466373034320a323161316262653535353361353436353238663836623034366534393265
34663862363938653531346237323265633861663430313839653932633362333865333366353765
38326239386432373665396133346632346336373839386134366335663339363338306138363733
39653462373564383736373063333764653137356237353563396635633862623039373964326531
61626138316239663535346562643436666534333637313363663536393932313565623533666561
6564
[ ansible]# ansible-vault decrypt test.yaml 
Vault password: 
Decryption successful
[ ansible]# cat test.yaml 
---
- hosts: websers
  remote_user: root
  
  tasks:
    - name: test
      command: hostname
[ ansible]#

3. View without decrypting

[ ansible]# cat test.yaml
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[ ansible]# ansible-vault view test.yaml 
Vault password: 
---
- hosts: websers
  remote_user: root
  
  tasks:
    - name: test
      command: hostname
[ ansible]# cat test.yaml 
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[ ansible]#

4. Edit an encrypted file

[ ansible]# cat test.yaml 
$ANSIBLE_VAULT;1.1;AES256
63623938346561623733663938396234303933353162326531353230366237373664663662623133
3136653066363866363461666438346531626439346134660a623231326637336464303965366263
38353637633962326233313664353966343663393931393131303361323139646530333566313739
3233336166653038630a626637366661646638376338653261373336373438353639333930363836
32353464313438633632323366323731333830326632313837623131636363393664323863663437
38346131303561373865316666346265653039346333373663383861653737373466356466393439
35386163636234623564353537373264636138636663663531356164313437373164633433303635
63306439633963636136663637643936373337376130616433396561303535313330656337323233
3065
[ ansible]# ansible-vault edit test.yaml 
Vault password: 
---
- hosts: websers
  remote_user: root

  tasks:
    - name: test
      command: hostname
    - name: test1
      shell: ls /root/
~
~
"/tmp/tmpBHavml.yaml" 9L, 135C written
[ ansible]# cat test.yaml 
$ANSIBLE_VAULT;1.1;AES256
30653764326466326131636362363762356362393334383966303433306331316335373732633463
3430383065336336333232303933356161363861376335630a363837363963386265333866643265
35333133393861646662636261653662313864633866373930306664646563343966366239373432
3661376233383766610a306366633964343434313533333065623739313762326561303837666437
61623136303764326138643362653166633138653237383761323665393132656161663639353631
62333063323135623466386333633835346539653463656239393562616164656664353562316163
36373161326261336338613137386636653431336535376338313165343564616531653439333764
65653834333335346531316137663332643963323966373064653664656532343061326234373563
31636364663737376639336531313937363630306232613561373932306432623835663563643463
66366530396536373031613134326464623939396538383335633764363237653064656135373262
306462316363333863393765323932373737
[ ansible]#

Note: a file edited this way remains encrypted.

5. Change the encryption password

[ ansible]# ansible-vault rekey test.yaml 
Vault password: 
New Vault password: 
Confirm New Vault password: 
Rekey successful
[ ansible]#

Note: to change the password you must first enter the original one; only if it is correct can the password be changed. If the password is forgotten the file can no longer be viewed, nor can it be re-keyed.

6. Create a new encrypted file

[ ansible]# ls
test.yaml
[ ansible]# ansible-vault create test2.yaml
New Vault password: 
Confirm New Vault password: 
---
- hosts: appsers
  remote_user: root

  tasks:
  - name: test2
    shell: getent passwd
~
~
"/tmp/tmpgYTB3x.yaml" 7L, 92C written
[ ansible]# ls
test2.yaml  test.yaml
[ ansible]# cat test2.yaml 
$ANSIBLE_VAULT;1.1;AES256
64616164373236646635383539366661646262383936613533363263303136393031633533373638
6261613964636466656439656464336635323337643632620a366133383633633837363432326138
63323331346437636365353866656233363139633364353833623933353732323038336364376539
3963643939383734350a643734356432663063383066313932333837323631636536613834333232
30393464376230633762663364333330343132386132343861636665343831653863653939356536
62333564303934303138356332376634313535373037663866323038363237323438633464623534
61303937313930363230353165346337393462666131303861646262333830333365393737326365
63346431613736303963346130363464313239646361653830303862333236303939613665383261
3230
[ ansible]#
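
The encrypt, view, edit and rekey sessions above all show the file as a `$ANSIBLE_VAULT;1.1;AES256` header followed by hex. As an added example that is not part of the original post or of Ansible's own code, the Python below parses that envelope and performs the same HMAC-SHA256 integrity check ansible-vault does before decrypting: PBKDF2-HMAC-SHA256 with 10000 rounds over the 32-byte salt yields the AES key, the HMAC key and the CTR IV, and the HMAC is checked over the ciphertext. It does not decrypt, since that needs AES-256-CTR from the `cryptography` package, which is left out here. The `build_envelope` writer, the password and the fake ciphertext are constructed for the demo; real files come from `ansible-vault encrypt`.

```python
import binascii
import hashlib
import hmac

VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ROUNDS = 10000  # iterations used by the vault AES256 cipher


def is_vault_encrypted(text):
    """Cheap check for a pre-commit hook: does the file start with a vault header?"""
    return text.lstrip().startswith("$ANSIBLE_VAULT;")


def parse_vault_envelope(text):
    """Split an envelope into (salt, hmac_tag, ciphertext) bytes.

    The body is hex of "hex(salt)\\nhex(hmac)\\nhex(ciphertext)", wrapped at 80
    columns. Format 1.2 adds a vault-id label to the header but keeps the body.
    """
    lines = text.strip().splitlines()
    parts = lines[0].strip().split(";")
    if (len(parts) < 3 or parts[0] != "$ANSIBLE_VAULT"
            or parts[1] not in ("1.1", "1.2") or parts[2] != "AES256"):
        raise ValueError("unsupported vault header: %r" % lines[0])
    inner = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
    salt_hex, tag_hex, ct_hex = inner.split(b"\n", 2)
    return (binascii.unhexlify(salt_hex), binascii.unhexlify(tag_hex),
            binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES key (32), HMAC key (32), CTR IV (16)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]


def verify_vault_hmac(text, password):
    """True if the password-derived HMAC key authenticates the ciphertext.

    This is the check ansible-vault runs before decrypting; it detects a wrong
    password or a file edited by hand without needing AES at all.
    """
    salt, tag, ciphertext = parse_vault_envelope(text)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_envelope(password, salt, ciphertext):
    """Constructed writer so the example runs offline; real envelopes come from
    `ansible-vault encrypt`, whose ciphertext is AES-256-CTR under the derived key."""
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, tag, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    body = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return VAULT_HEADER + "\n" + body + "\n"


def demo():
    """Constructed sample: a fake ciphertext wrapped with a known password."""
    env = build_envelope("constructed-password", b"\x01" * 32, b"not real AES output")
    last = env[-3:-1]                     # final two hex characters of the body
    flipped = "36" if last != "36" else "37"  # change one ciphertext byte, stay valid hex
    return {
        "looks_encrypted": is_vault_encrypted(env),
        "plain_looks_encrypted": is_vault_encrypted("---\n- hosts: websers\n"),
        "right_password": verify_vault_hmac(env, "constructed-password"),
        "wrong_password": verify_vault_hmac(env, "guess"),
        "tampered": verify_vault_hmac(env[:-3] + flipped + "\n", "constructed-password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-22s %s" % (name, value))
```

`is_vault_encrypted` is the check to put in a pre-commit hook so secrets files never reach the repository in plain text; `verify_vault_hmac` lets you detect a tampered file or a wrong password without ever exposing the plaintext, which is also why a forgotten password leaves a file that cannot be re-keyed, as the note above says.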

5. ansible-console: runs ansible commands interactively with tab completion. It covers the ground between ad-hoc commands and ansible-playbook and is commonly used to group a batch of one-off operations or commands.

[ ansible]# ansible-console
Vault password: 
Welcome to the ansible console.
Type help or ? to list commands.

 (7)[f:5]$ list
192.168.0.99
192.168.0.218
192.168.0.123
192.168.0.233
192.168.0.128
192.168.0.208
192.168.0.199
 (7)[f:5]$ cd websers
 (2)[f:5]$ list
192.168.0.99
192.168.0.218
 (2)[f:5]$ forks 2
 (2)[f:2]$ shell getent passwd root
192.168.0.218 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

192.168.0.99 | SUCCESS | rc=0 >>
root:x:0:0:root:/root:/bin/bash

 (2)[f:2]$

Note: typing ansible-console drops you into a shell-like interactive environment. The prompt format is: user@current-group (number of hosts in the group)[f:forks]$. Set the fork count with forks n, where n is the number of parallel forks; switch groups with cd <group>, e.g. cd websers; list shows the hosts in the current group; ? or help lists all built-in commands.

6. ansible-playbook: executes playbook files

Usage:

Usage: ansible-playbook [options] playbook.yml [playbook2 ...]

Common options:

-C, --check: check the playbook without executing it

-e: pass variables

-f: set the number of parallel forks; the default is 5

-t: run only the specified tags

-l, --limit=subset: run only against the given subset of hosts

--list-hosts: list the hosts that would be matched

--list-tags: list all available tags

--list-tasks: list all tasks that would be executed

[ ansible]# cat test.yaml 
---
- hosts: websers
  remote_user: root
  
  tasks:
    - name: test
      command: /usr/bin/wall hello world 
[ ansible]# ansible-playbook -C test.yaml 

PLAY [websers] ********************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] ***********************************************************************************************************
skipping: [192.168.0.218]
skipping: [192.168.0.99]

PLAY RECAP ************************************************************************************************************
192.168.0.218              : ok=1    changed=0    unreachable=0    failed=0   
192.168.0.99               : ok=1    changed=0    unreachable=0    failed=0   

[ ansible]# ansible-playbook  test.yaml   

PLAY [websers] ********************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.218]
ok: [192.168.0.99]

TASK [test] ***********************************************************************************************************
changed: [192.168.0.218]
changed: [192.168.0.99]

PLAY RECAP ************************************************************************************************************
192.168.0.218              : ok=2    changed=1    unreachable=0    failed=0   
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0   

[ ansible]# ansible-playbook  test.yaml --list-hosts

playbook: test.yaml

  play #1 (websers): websers    TAGS: []
    pattern: [u'websers']
    hosts (2):
      192.168.0.99
      192.168.0.218
[ ansible]# ansible-playbook  test.yaml --list-tags

playbook: test.yaml

  play #1 (websers): websers    TAGS: []
      TASK TAGS: []
[ ansible]# ansible-playbook  test.yaml --list-tasks

playbook: test.yaml

  play #1 (websers): websers    TAGS: []
    tasks:
      test      TAGS: []
[ ansible]# ansible-playbook  test.yaml --limit 192.168.0.99

PLAY [websers] ********************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************
ok: [192.168.0.99]

TASK [test] ***********************************************************************************************************
changed: [192.168.0.99]

PLAY RECAP ************************************************************************************************************
192.168.0.99               : ok=2    changed=1    unreachable=0    failed=0   

[ ansible]#

7. ansible-pull: pulls playbooks from a VCS repository and runs them on the local host. It introduces Ansible's other working mode, pull mode (push mode is the default), which reverses the usual push mechanism and suits the following scenarios: 1. a huge number of machines need to be configured, where even high concurrency would take a long time; 2. running Ansible on a freshly started host that has no network connection.

Usage:

ansible-pull -U <repository> [options] [<playbook.yml>]

Common options:

-U <URL>, --url <URL>
URL of the playbook repository
-d <DEST>, --directory <DEST>
directory to check the repository out into
-i, --inventory, --inventory-file
inventory host path or a comma-separated host list; --inventory-file is deprecated
-o, --only-if-changed
only run the playbook if the repository has changed
-u <REMOTE_USER>, --user <REMOTE_USER>
connect as this user (default=None)

ansible-pull is usually combined with git and crontab: crontab periodically pulls the specified git revision to the local machine and automatically runs the pre-defined playbook.

Example:

*/20 * * * * root /usr/local/bin/ansible-pull -o -C 2.1.0 -d /srv/www/king-gw/ -i /etc/ansible/hosts -U git://git.kingifa.com/king-gw-ansiblepull >> /var/log/ansible-pull.log 2>&1

ansible-pull is typically used when configuring machines in bulk. It is a little less flexible, but its throughput scales almost without limit, and it demands more technical skill and forward planning from the operations team.

For more options see https://docs.ansible.com/ansible/2.4/ansible-pull.html
