Using Ansible to manage multiple hosts

  • Control node environment:
    • CT - Ubuntu 20.04 LTS (2 vCore / 2 GB RAM / 20 GB SSD)
    • The Ansible definition files will be kept under git
  • sudo apt install ansible git sshpass

    Verify the version

    jonathan@ct-ansible:~$ ansible --version
    ansible 2.9.6
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3/dist-packages/ansible
      executable location = /usr/bin/ansible
      python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]

  • Configure ansible.cfg so that the host key of a machine is written automatically on the first SSH login (host_key_checking = False)

    sudo vi /etc/ansible/ansible.cfg

    [defaults]
    :
    :
    # uncomment this to disable SSH key host checking
    #host_key_checking = False
    host_key_checking = False
    :
  • Example inventory (inventory.yaml):
    servers:
      hosts:
        aac:
          ansible_host: 192.168.11.249
          ansible_port: 22
          ansible_user: root
          ansible_ssh_pass: "mypassword"
        h470:
          ansible_host: 192.168.11.252
          ansible_port: 22
          ansible_connection: ssh
          ansible_user: root
          ansible_ssh_pass: "mypassword"
  • Quick check

    $ ansible all -i inventory.yaml --list-hosts
      hosts (2):
        aac
        h470

  • Install the specified packages on the hosts in the servers group, upgrade the already installed packages, and reboot automatically if the kernel was updated (upgrade.yaml)
    - hosts: servers
      become: true
      become_user: root
      tasks:
        # Refresh the apt cache and make sure the required packages are installed
        - name: Ansible apt to install multiple packages - LAMP
          apt:
            update_cache: yes
            name:
              - python3-apt
              - snmp
              - libsasl2-modules
            state: present
          register: updatesys

        # Re-use the cache if it was refreshed within the last hour
        - name: Update apt repo and cache on all Debian/Ubuntu boxes
          apt:
            update_cache: yes
            force_apt_get: yes
            cache_valid_time: 3600

        # Equivalent of apt-get dist-upgrade
        - name: Upgrade all packages on servers
          apt:
            upgrade: dist
            force_apt_get: yes

        # Debian/Ubuntu create this file when a package (e.g. a kernel) needs a reboot
        - name: Check if a reboot is needed on all servers
          stat:
            path: /var/run/reboot-required
            get_md5: no
          register: reboot_required_file

        # Only reboot when the marker file exists; wait for uptime to succeed afterwards
        - name: Reboot the box if kernel updated
          reboot:
            msg: "Reboot initiated by Ansible for kernel updates"
            connect_timeout: 5
            reboot_timeout: 300
            pre_reboot_delay: 0
            post_reboot_delay: 30
            test_command: uptime
          when: reboot_required_file.stat.exists
  • Dry-run the playbook (add --check)

    ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check

    Execution result

    $ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
    
    PLAY [servers] ******************************************************************************************************************************************************************************
    
    TASK [Gathering Facts] **********************************************************************************************************************************************************************
    ok: [aac]
    ok: [h470]
    
    TASK [Ansible apt to install multiple packages - LAMP] **************************************************************************************************************************************
    changed: [h470]
    changed: [aac]
    
    TASK [Update apt repo and cache on all Debian/Ubuntu boxes] *********************************************************************************************************************************
    ok: [h470]
    ok: [aac]
    
    TASK [Upgrade all packages on servers] ******************************************************************************************************************************************************
    ok: [h470]
    ok: [aac]
    
    TASK [Check if a reboot is needed on all servers] *******************************************************************************************************************************************
    ok: [h470]
    ok: [aac]
    
    TASK [Reboot the box if kernel updated] *****************************************************************************************************************************************************
    skipping: [aac]
    skipping: [h470]
    
    PLAY RECAP **********************************************************************************************************************************************************************************
    aac                        : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
    h470                       : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

  • Use ansible-vault encrypt_string with --ask-vault-pass to encrypt the password to be protected (e.g. MyPassword), using KeyPass as the vault password

    $ ansible-vault encrypt_string MyPassword --ask-vault-pass
    New Vault password: KeyPass
    Confirm New Vault password: KeyPass
    !vault |
              $ANSIBLE_VAULT;1.1;AES256
              63613230353861653733633761663630643564323330613263343061656163383731386364666366
              3430303131616563616634386130613461636433383730360a663130653463313465623837373335
              61336333643663343535396339633165653334336236363032613130636537336664646535666666
              3863306137663763610a313034383233626563336365303431313564316338653363636432386438
              3736
    Encryption successful

  • Replace the original plaintext ansible_ssh_pass value with the encrypted content, e.g.
    :
      hosts:
        aac:
          ansible_host: 192.168.11.249
          ansible_ssh_pass: "MyPassword"
    :

    becomes

    :
      hosts:
        aac:
          ansible_host: 192.168.11.249
          ansible_ssh_pass: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              63613230353861653733633761663630643564323330613263343061656163383731386364666366
              3430303131616563616634386130613461636433383730360a663130653463313465623837373335
              61336333643663343535396339633165653334336236363032613130636537336664646535666666
              3863306137663763610a313034383233626563336365303431313564316338653363636432386438
              3736
    :
  • ansible-playbook must then be run with --ask-vault-pass, which prompts for the vault password (e.g. KeyPass)

    $ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
    Vault password: KeyPass
    
    PLAY [servers] ******************************************************************************************************************************************************************************
    
    TASK [Gathering Facts] **********************************************************************************************************************************************************************
    ok: [nuc]
    :

  • Alternatively, pass --vault-password-file to ansible-playbook to specify a file containing the vault password (e.g. .vault_pass)

    $ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass
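    Since the inventory and ansible.cfg are to be kept under git, a small pre-commit style check that flags an ansible_ssh_pass still in plaintext (the state before the !vault replacement above) or an ansible.cfg with host key checking turned off is useful. This is an added example, not from the original page; the file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: audit the git-managed Ansible
# files for a plaintext ansible_ssh_pass (not a !vault block) and for an
# ansible.cfg that disables host key checking. Sample files are constructed.

# Print the number of ansible_ssh_pass entries whose value is not !vault-tagged.
count_plaintext_passwords() {
    grep -E '^[[:space:]]*ansible_ssh_pass:' "$1" \
        | grep -vcE 'ansible_ssh_pass:[[:space:]]*!vault' || true
}

# Print "disabled" if an active (not commented out) host_key_checking = False
# line is present, otherwise "enabled".
host_key_checking_state() {
    if grep -qiE '^[[:space:]]*host_key_checking[[:space:]]*=[[:space:]]*false' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Constructed samples: one host already vaulted, one still plaintext, and an
# ansible.cfg changed the same way as in the text above.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/inventory.yaml" <<'EOF'
servers:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_ssh_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          PLACEHOLDER_CIPHERTEXT_LINES
    h470:
      ansible_host: 192.168.11.252
      ansible_ssh_pass: "mypassword"
EOF
cat > "$SAMPLE_DIR/ansible.cfg" <<'EOF'
[defaults]
# uncomment this to disable SSH key host checking
#host_key_checking = False
host_key_checking = False
EOF

echo "plaintext ansible_ssh_pass entries: $(count_plaintext_passwords "$SAMPLE_DIR/inventory.yaml")"
echo "host_key_checking: $(host_key_checking_state "$SAMPLE_DIR/ansible.cfg")"
```

Run it from a git pre-commit hook (or by hand before ansible-playbook) against the real inventory.yaml and /etc/ansible/ansible.cfg; a non-zero count or "disabled" is what to act on before committing.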

  • tech/ansible.txt
  • Last modified: 2023/12/29 17:40
  • jonathan