sudo apt install ansible git sshpass

確認版本
jonathan@ct-ansible:~$ ansible --version
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
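sudo vi /etc/ansible/ansible.cfg

[defaults]
:
:
# uncomment this to disable SSH key host checking
#host_key_checking = False
# NOTE: with host key checking off, Ansible connects without verifying the
# server's SSH host key, so a machine answering on a managed host's address
# is not detected and, with password login, is sent the password. Keeping the
# default (checking on) and adding the hosts' keys to known_hosts avoids this.
host_key_checking = False
: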
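# Inventory (inventory.yaml): one group, "servers", holding two hosts reached over SSH.
# Nesting is group -> hosts -> host name -> connection variables.
#
# NOTE(review): both hosts log in directly as root with a password stored in
# plaintext. Anyone who can read this file, or a repository it is committed to,
# obtains root on both machines. The ansible-vault section further down this
# page replaces the plaintext value with an encrypted one.
servers:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_port: 22
      ansible_user: root
      ansible_ssh_pass: "mypassword"
    h470:
      ansible_host: 192.168.11.252
      ansible_port: 22
      ansible_connection: ssh
      ansible_user: root
      ansible_ssh_pass: "mypassword"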
$ ansible all -i inventory.yaml --list-hosts
  hosts (2):
    aac
    h470
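# upgrade.yaml: install a few packages, dist-upgrade every host in the
# "servers" group, then reboot only the hosts that report a pending reboot.
#
# NOTE(review): the play sets no `serial`, so every host in the group is
# upgraded, and rebooted if flagged, in the same run. Limit the batch size if
# the hosts must not all be down together.
- hosts: servers
  become: true
  become_user: root
  tasks:
    # Despite the "LAMP" label, only the three packages listed below are installed.
    - name: Ansible apt to install multiple packages - LAMP
      register: updatesys  # stored, but not read by any later task in this play
      apt:
        update_cache: yes
        name:
          - python3-apt
          - snmp
          - libsasl2-modules
        state: present

    # cache_valid_time=3600: skip the index refresh if the cache is under an hour old.
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes

    # Only .stat.exists is read below.
    # NOTE(review): get_md5 is a deprecated stat option and no hash is needed
    # here, so it can likely be dropped; confirm against the Ansible version in use.
    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no

    # The condition is the presence of the reboot-required flag file, not
    # specifically a kernel update as the task name suggests.
    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists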
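# --check is a dry run: tasks report what they would change, but nothing is modified on the hosts.
ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check

執行結果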
$ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [aac]
ok: [h470]

TASK [Ansible apt to install multiple packages - LAMP] **************************************************************************************************************************************
changed: [h470]
changed: [aac]

TASK [Update apt repo and cache on all Debian/Ubuntu boxes] *********************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Upgrade all packages on servers] ******************************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Check if a reboot is needed on all servers] *******************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Reboot the box if kernel updated] *****************************************************************************************************************************************************
skipping: [aac]
skipping: [h470]

PLAY RECAP **********************************************************************************************************************************************************************************
aac : ok=5 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
h470 : ok=5 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
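# Note: a secret given as a command-line argument is saved in shell history and
# is visible in the process list while the command runs. `ansible-vault
# encrypt_string --prompt` (or `--stdin-name`) reads the value without putting
# it on the command line.
$ ansible-vault encrypt_string MyPassword --ask-vault-pass
New Vault password: KeyPass
Confirm New Vault password: KeyPass
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613230353861653733633761663630643564323330613263343061656163383731386364666366
          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
          61336333643663343535396339633165653334336236363032613130636537336664646535666666
          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
          3736
Encryption successful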
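:
# Before: the SSH password sits in the inventory as plaintext.
hosts:
  aac:
    ansible_host: 192.168.11.249
    ansible_ssh_pass: "MyPassword"
: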
改成
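:
# After: the value is the AES256 vault blob produced by `ansible-vault encrypt_string`.
# The blob's lines must be indented deeper than the key so they stay part of the
# `|` block scalar. The playbook run then needs the vault password
# (--ask-vault-pass or --vault-password-file).
hosts:
  aac:
    ansible_host: 192.168.11.249
    ansible_ssh_pass: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      63613230353861653733633761663630643564323330613263343061656163383731386364666366
      3430303131616563616634386130613461636433383730360a663130653463313465623837373335
      61336333643663343535396339633165653334336236363032613130636537336664646535666666
      3863306137663763610a313034383233626563336365303431313564316338653363636432386438
      3736
: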
$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
Vault password: KeyPass

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [nuc]
:
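# .vault_pass holds the vault password in plaintext, so it protects the
# encrypted values only as well as the file itself is protected: make it
# readable by its owner only (chmod 600) and keep it out of version control.
$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass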