運用 Ansible 進行多主機管理
- 管理端環境 :
- CT - Ubuntu 20.04 LTS (2 vCore/ 2G RAM / 20G SSD)
- 預計使用 git 管理 ansible 的定義檔
安裝程序
sudo apt install ansible git sshpass
確認版本
jonathan@ct-ansible:~$ ansible --version ansible 2.9.6 config file = /etc/ansible/ansible.cfg configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3/dist-packages/ansible executable location = /usr/bin/ansible python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
- 設定自動寫入第一次 ssh 登入主機的 host key
sudo vi /etc/ansible/ansible.cfg
[defaults] : : # uncomment this to disable SSH key host checking #host_key_checking = False host_key_checking = False :
建立主機清單檔 inventory.yaml
- Exp.
servers: hosts: aac: ansible_host: 192.168.11.249 ansible_port: 22 ansible_user: root ansible_ssh_pass: "mypassword" h470: ansible_host: 192.168.11.252 ansible_port: 22 ansible_connection: ssh ansible_user: root ansible_ssh_pass: "mypassword"
- 簡單驗證
$ ansible all -i inventory.yaml --list-hosts hosts (2): aac h470
撰寫 playbook
1. upgrade.yaml
- 對 servers 群組主機指定安裝套件, 並針對以安裝套件進行更新, 如果有更新 Kernel 更新後自動重新開機
- hosts: servers become: true become_user: root tasks: - name: Ansible apt to install multiple packages - LAMP register: updatesys apt: update_cache: yes name: - python3-apt - snmp - libsasl2-modules state: present - name: Update apt repo and cache on all Debian/Ubuntu boxes apt: update_cache=yes force_apt_get=yes cache_valid_time=3600 - name: Upgrade all packages on servers apt: upgrade=dist force_apt_get=yes - name: Check if a reboot is needed on all servers register: reboot_required_file stat: path=/var/run/reboot-required get_md5=no - name: Reboot the box if kernel updated reboot: msg: "Reboot initiated by Ansible for kernel updates" connect_timeout: 5 reboot_timeout: 300 pre_reboot_delay: 0 post_reboot_delay: 30 test_command: uptime when: reboot_required_file.stat.exists
- 驗證執行命令(加上 –check)
ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
執行結果
$ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check PLAY [servers] ****************************************************************************************************************************************************************************** TASK [Gathering Facts] ********************************************************************************************************************************************************************** ok: [aac] ok: [h470] TASK [Ansible apt to install multiple packages - LAMP] ************************************************************************************************************************************** changed: [h470] changed: [aac] TASK [Update apt repo and cache on all Debian/Ubuntu boxes] ********************************************************************************************************************************* ok: [h470] ok: [aac] TASK [Upgrade all packages on servers] ****************************************************************************************************************************************************** ok: [h470] ok: [aac] TASK [Check if a reboot is needed on all servers] ******************************************************************************************************************************************* ok: [h470] ok: [aac] TASK [Reboot the box if kernel updated] ***************************************************************************************************************************************************** skipping: [aac] skipping: [h470] PLAY RECAP ********************************************************************************************************************************************************************************** aac : ok=5 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0 h470 : ok=5 changed=1 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0
常見問題
1. 如何對 ansible_ssh_pass 這類登入密碼進行加密
- 使用 ansible-vault encrypt_string 登入密碼 –ask-vault-pass 方式來對要保護的密碼 Exp. MyPassword 產生加密, 並以 KeyPass 當解密密碼
$ ansible-vault encrypt_string MyPassword --ask-vault-pass New Vault password: KeyPass Confirm New Vault password: KeyPass !vault | $ANSIBLE_VAULT;1.1;AES256 63613230353861653733633761663630643564323330613263343061656163383731386364666366 3430303131616563616634386130613461636433383730360a663130653463313465623837373335 61336333643663343535396339633165653334336236363032613130636537336664646535666666 3863306137663763610a313034383233626563336365303431313564316338653363636432386438 3736 Encryption successful
- 將這加密後的內容取代 ansible_ssh_pass 原本的明碼部分 Exp.
: hosts: aac: ansible_host: 192.168.11.249 ansible_ssh_pass: "MyPassword" :
改成
: hosts: aac: ansible_host: 192.168.11.249 ansible_ssh_pass: !vault | $ANSIBLE_VAULT;1.1;AES256 63613230353861653733633761663630643564323330613263343061656163383731386364666366 3430303131616563616634386130613461636433383730360a663130653463313465623837373335 61336333643663343535396339633165653334336236363032613130636537336664646535666666 3863306137663763610a313034383233626563336365303431313564316338653363636432386438 3736 :
- 然後執行 ansible-playbook 後面必須加上 –ask-vault-pass 才會彈出讓你輸入解密密碼 Exp. KeyPass
$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass Vault password: KeyPass PLAY [servers] ****************************************************************************************************************************************************************************** TASK [Gathering Facts] ********************************************************************************************************************************************************************** ok: [nuc] :
- 也可以執行 ansible-playbook 後面加上 –vault-password-file 指定解密密碼檔案 Exp. .vault_pass
$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass