Ansible 介绍和安装

目录

• Ansible 介绍
  • 环境准备
  • Ansible安装
  • 配置秘钥管理
  • 配置Inventory文件
  • 简单测试连通性

Ansible 介绍

运维工具分类：

• agent: puppet， func

这类都需要在客户端上安装agent客户端

• agentless: ansible， fabric

这类是不需要在客户端上安装agent，只需要知道客户端的用户密码或者是秘钥验证就可以管理。

Ansible 特性：

• Minimal learning curve, auditability

入门很平滑，简单

• No bootstrapping

无需在客户端安装agent

• No DAG ordering, Fails Fast

无序，只需要按照自定义设定即可

• No agents (other than sshd) - 0 resourcee consumption when not in use
• No server

没有代理同时也没有服务器端，用户只需要手动发起命令来运行就可以了。

• No additional PKI

因为依赖于SSH工作，所以无序SSL证书的功能，

• Modules in any language
• SSH by default

模块化工作，模块可以是任何语言来编写，只需要遵循ansible的调用风格就可以。

• YAML， NOT code

简化的html或者json格式来定义文档或文本格式，非常容易学习

• Strong multi-tier solution

支持非常强大的多级的解决方案

Ansible的架构

下图：

Ansible工作原理

• ANSIBLE：
  • 组合INVENTORY、 API、 MODULES、PLUGINS的绿框，可以理解为是ansible命令工具，其为核心执行工具
• PLAYBOOKS：
  • 任务剧本（任务集），编排定义Ansible任务集的配置文件，由Ansible顺序依次执行，通常是JSON格式的YML文件
• INVENTORY：
  • Ansible管理主机的清单/etc/anaible/hosts
• MODULES：
  • Ansible执行命令的功能模块，多数为内置的核心模块，也可自定义,ansible-doc –l 可查看模块
• PLUGINS：
  • 模块功能的补充，如连接类型插件、循环插件、变量插件、过滤插件等，该功能不常用
• API：
  • 供第三方程序调用的应用程序编程接口

Ansible 特性：

• 基于Python语言实现，由Paramiko库实现连接管理主机，PyYAML和Jinjia2 三个关键模块。
• 部署简单，被管理节点无需安装agent
• 默认使用SSH协议
  • 1 能够让管理机能够通过秘钥认证到每一台被管理的主机上
  • 2 可以在inventory文件中指定被管理的用户密码，要确保该文件的安全
• 支持自定义模块： 支持各种编程语言
• 支持Playbook
• 基于“模块”完成各种“任务” tasks

环境准备

系统版本	内核版本	IP地址
Centos 7.5	4.18.9-1.el7.elrepo.x86_64	10.0.0.3

角色	IP	用户	密码
管理节点	10.0.0.9	root	123456
node-1	10.0.0.65	root	123456
node-2	10.0.0.66	root	123456

备注 该系统采用MINI最小化安装，安装之后对系统进行了最基础的优化操作，操作过程点击这里

Ansible安装

可以使用编译安装和yum安装，本次使用较为简洁的yum安装，需要有epel源,没有的可以在mirrors.aliyun.com上使用阿里云的epel源

在管理节点上操作

[root@node01 ~]# yum install ansible -y
...
Installed:
  ansible.noarch 0:2.7.0-1.el7                                                                                                                                                               

Dependency Installed:
  PyYAML.x86_64 0:3.10-11.el7            libtomcrypt.x86_64 0:1.17-26.el7            libtommath.x86_64 0:0.42.0-6.el7                             libyaml.x86_64 0:0.1.4-11.el7_0
  python-babel.noarch 0:0.9.6-8.el7      python-backports.x86_64 0:1.0-8.el7         python-backports-ssl_match_hostname.noarch 0:3.5.0.1-1.el7   python-cffi.x86_64 0:1.6.0-5.el7
  python-enum34.noarch 0:1.0.4-1.el7     python-httplib2.noarch 0:0.9.2-1.el7        python-idna.noarch 0:2.4-1.el7                               python-ipaddress.noarch 0:1.0.16-2.el7
  python-jinja2.noarch 0:2.7.2-2.el7     python-keyczar.noarch 0:0.71c-2.el7         python-markupsafe.x86_64 0:0.11-10.el7                       python-paramiko.noarch 0:2.1.1-4.el7
  python-ply.noarch 0:3.4-11.el7         python-pycparser.noarch 0:2.14-1.el7        python-setuptools.noarch 0:0.9.8-7.el7                       python-six.noarch 0:1.9.0-2.el7
  python2-crypto.x86_64 0:2.6.1-15.el7   python2-cryptography.x86_64 0:1.7.2-2.el7   python2-jmespath.noarch 0:0.9.0-3.el7                        python2-pyasn1.noarch 0:0.1.9-7.el7
  sshpass.x86_64 0:1.06-2.el7           

Complete!
[root@node02 ~]# yum info ansible
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
Available Packages
Name        : ansible
Arch        : noarch
Version     : 2.7.0
Release     : 1.el7
Size        : 11 M
Repo        : epel/x86_64
Summary     : SSH-based configuration management, deployment, and task execution system
URL         : http://ansible.com
License     : GPLv3+
Description : Ansible is a radically simple model-driven configuration management,
            : multi-node deployment, and remote task execution system. Ansible works
            : over SSH and does not require any software or daemons to be installed
            : on remote nodes. Extension modules can be written in any language and
            : are transferred to managed machines automatically.

可以看到按装的ansible的版本是 2.7的版本

文件名	说明
/etc/ansible/ansible.cfg	主配置文件，配置ansible工作特性
/etc/ansible/hosts	Inventory 被管理节点配置文件，主机清单
/etc/ansible/roles	存放角色的目录
/usr/bin/ansible	主程序，临时命令执行工具
/etc/ansible/ansible-doc	查看配置文档，模块功能查看工具
/usr/bin/ansible-galaxy	下载/上传优秀代码或Roles模块的官网平台
/etc/ansible/ansible-playbook	定制自动化任务，编排剧本工具
/usr/bin/ansible-pull	远程执行命令的工具
/usr/bin/ansible-vault	文件加密工具

配置秘钥管理

在管理节点上操作

生成密钥对，然后copy到node1 和nodde2 上使能够秘钥登陆

[root@node01 ~]# ssh-keygen -t rsa -P "" -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:llhKseNPXM5O8O3M6lbz1sCj1p0eXtfED8d7Wrn/hRg root@node01
The key's randomart image is:
+---[RSA 2048]----+
|      .          |
|       o         |
|      + o .      |
|     o * B .   o |
|      + S = E.. =|
|       + o +oo+==|
|        . ..==.OX|
|          ..o =+X|
|         oo. .o+=|
+----[SHA256]-----+
[root@node01 ~]# ls -l .ssh/
total 8
-rw------- 1 root root 1675 Oct 15 13:27 id_rsa
-rw-r--r-- 1 root root  393 Oct 15 13:27 id_rsa.pub

[root@node01 ~]# ssh-copy-id root@10.0.0.65
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.65 (10.0.0.65)' can't be established.
ECDSA key fingerprint is SHA256:Vu10B9+4iuvebISnNca1EPQtAaBJUjquSXY7AmfhRnc.
ECDSA key fingerprint is MD5:a8:a0:32:f3:0a:07:25:1d:aa:0d:95:ec:cd:a8:c5:a0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.65's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.0.0.65'"
and check to make sure that only the key(s) you wanted were added.

[root@node01 ~]# ssh-copy-id root@10.0.0.66
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.66 (10.0.0.66)' can't be established.
ECDSA key fingerprint is SHA256:Vu10B9+4iuvebISnNca1EPQtAaBJUjquSXY7AmfhRnc.
ECDSA key fingerprint is MD5:a8:a0:32:f3:0a:07:25:1d:aa:0d:95:ec:cd:a8:c5:a0.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.66's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.0.0.66'"
and check to make sure that only the key(s) you wanted were added.

# 测试连接10.0.0.65
[root@node01 ~]# ssh root@10.0.0.65
Last login: Fri Oct 12 14:15:30 2018 from 10.0.0.9
[root@node02 ~]# ip a | grep -w inet | tail -1 | awk '{print $2}'
10.0.0.65/24

# 测试连接10.0.0.66
[root@node01 ~]# ssh root@10.0.0.66
Last login: Fri Oct 12 14:15:29 2018 from 10.0.0.9
[root@node03 ~]# ip a | grep -w inet | tail -1 | awk '{print $2}'
10.0.0.66/24

配置Inventory文件

在/etc/ansible/hosts文件中，我们把65 和66 的两台机器配置成两个组

[root@node01 ~]# cd /etc/ansible/
[root@node01 ansible]# ls
ansible.cfg  apache.yml  cond.yml  hosts  nginx.retry  nginx.yaml  roles  test.yml
[root@node01 ansible]# cp hosts hosts.bak
[root@node01 ansible]# cat hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups

[webservs]
10.0.0.65

[dbservs]
10.0.0.66

这样，Inverteroy文件就配置完成

简单测试连通性

下面使用ansible演示连通性的测试

[root@node01 ansible]# ansible all -m ping
10.0.0.65 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
10.0.0.66 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

上面显示SUCCESS，表示都正常