Linux下使用Ansible处理批量操作

Ansible介绍：

• ansible是一款为类unix系统开发的自由开源的配置和自动化工具。它用python写成，类似于saltstack和puppet，但是不同点是ansible不需要再节点中安装任何客户端。它使用ssh来通信。它基于python的paramiko开发，分布式，无需任何客户端，轻量级，配置语法使用ymal及jinja2模板语言，更强的远程命令执行操作。

Ansibe特性：

• 部署简单，只需在主控端部署Ansible环境，被控端无需做任何操作。
• 默认使用SSH协议对设备进行管理。
• 有大量常规运维操作模块，可实现日常绝大部分操作。
• 配置简单、功能强大、扩展性强；
• 支持API及自定义模块，可通过Python轻松扩展。
• 通过Playbooks来定制强大的配置、状态管理。
• 轻量级，无需在客户端安装agent，更新时，只需在操作机上进行一次更新即可。
• 提供一个功能强大、操作性强的Web管理界面和REST API接口——AWX平台。
• 支持非root用户管理操作，支持sudo。

Ansible架构：

　　　　

　　

核心组件构成：

• ansible（主体）：ansible的核心程序，提供一个命令行接口给用户对ansible进行管理操作；
• Host Inventory（主机清单）：为Ansible定义了管理主机的策略。一般小型环境下我们只需要在host文件中写入主机的IP地址即可，但是到了中大型环境我们有可能需要使用静态inventory或者动态主机清单来生成我们所需要执行的目标主机。
• Core Modules（核心模块）：Ansible执行命令的功能模块，多数为内置的核心模块。
• Custom Modules（拓展模块）：如何ansible自带的模块无法满足我么你的需求，用户可自定义相应的模块来满足自己的需求。
• Connection Plugins（连接插件）：模块功能的补充，如连接类型插件、循环插件、变量插件、过滤插件等，该功能不常用
• Playbook（任务剧本）：编排定义ansible任务集的配置文件，由ansible顺序依次执行，通常是JSON格式的* YML文件
• API：供第三方程序调用的应用程序编程接口

Ansible能做什么?

　ansible可以帮助运维人员完成一些批量任务，或者完成一些需要经常重复的工作。

• 比如：同时在100台服务器上安装nginx服务，并在安装后启动服务。
• 比如：将某个文件一次性拷贝到100台服务器上。
• 比如：每当有新服务器加入工作环境时，运维人员都要为新服务器部署某个服务。

其他详情见官方文档：https://docs.ansible.com/ansible/2.9/index.html

 环境准备：

属性	管理机	服务器-01	服务器-02
节点	wenCheng	Server-01	Server-02
系统	CentOS Linux release 7.5.1804 (Minimal)	CentOS Linux release 7.5.1804 (Minimal)	CentOS Linux release 7.5.1804 (Minimal)
内核	3.10.0-862.el7.x86_64	3.10.0-862.el7.x86_64	3.10.0-862.el7.x86_64
SELinux	setenforce 0 | disabled	setenforce 0 | disabled	setenforce 0 | disabled
Firewlld	systemctl stop/disable firewalld	systemctl stop/disable firewalld	systemctl stop/disable firewalld
IP地址	172.16.70.37	172.16.70.181	172.16.70.182

Ansible常用参数及语法。使用详情见官方模块文档：https://docs.ansible.com/ansible/2.9/modules

Ansible常用模块
    ping 模块: 检查指定节点机器是否还能连通，用法很简单，不涉及参数，主机如果在线，则回复pong 。
    raw 模块: 执行原始的命令，而不是通过模块子系统。
    yum 模块: RedHat和CentOS的软件包安装和管理工具。
    apt 模块: Ubuntu/Debian的软件包安装和管理工具。
    pip 模块 : 用于管理Python库依赖项，为了使用pip模块，必须提供参数name或者requirements。
    synchronize 模块: 使用rsync同步文件，将主控方目录推送到指定节点的目录下。
    template 模块: 基于模板方式生成一个文件复制到远程主机（template使用Jinjia2格式作为文件模版，进行文档内变量的替换的模块。
    copy 模块: 在远程主机执行复制操作文件。
    user 模块 与 group 模块: user模块是请求的是useradd, userdel, usermod三个指令，goup模块请求的是groupadd, groupdel, groupmod 三个指令。
    service 或 systemd 模块: 用于管理远程主机的服务。
    get_url 模块: 该模块主要用于从http、ftp、https服务器上下载文件（类似于wget）。
    fetch 模块: 它用于从远程机器获取文件，并将其本地存储在由主机名组织的文件树中。
    file 模块: 主要用于远程主机上的文件操作。
    lineinfile 模块: 远程主机上的文件编辑模块
    unarchive模块: 用于解压文件。
    command模块 和 shell模块: 用于在各被管理节点运行指定的命令. shell和command的区别：shell模块可以特殊字符，而command是不支持
    hostname模块: 修改远程主机名的模块。
    script模块: 在远程主机上执行主控端的脚本，相当于scp+shell组合。
    stat模块: 获取远程文件的状态信息，包括atime,ctime,mtime,md5,uid,gid等信息。
    cron模块: 远程主机crontab配置。
    mount模块: 挂载文件系统。
    find模块: 帮助在被管理主机中查找符合条件的文件，就像 find 命令一样。
    selinux模块：远程管理受控节点的selinux的模块

Ansible语法及配置参数
  语法格式：
    ansible <pattern_goes_here> -m <module_name> -a <arguments>
  也就是:
    ansible  匹配模式   -m  模块  -a  '需要执行的内容'
解释说明:
　　匹配模式：即哪些机器生效 (可以是某一台, 或某一组, 或all) , 默认模块为command , 执行常规的shell命令.

情景一：Ansible安装部署及首次批量分发公钥(管理机)。

• command模块 和 shell模块: 用于在各被管理节点运行指定的命令.；shell和command的区别：shell模块可以特殊字符，而command是不支持。

[root@wenCheng ~]# yum install epel-release -y
[root@wenCheng ~]# yum install ansible -y
[root@wenCheng ~]# ansible --version
ansible 2.9.21
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

[root@wenCheng ~]# rpm -qa | grep ansible
ansible-2.9.21-1.el7.noarch
[root@wenCheng ~]# rpm -ql ansible-2.9.21-1.el7.noarch | less
/etc/ansible/ansible.cfg     #主配置文件，配置ansible工作特性
/etc/ansible/hosts             #主机清单
/etc/ansible/roles/         #存放角色的目录
/usr/bin/ansible             #主程序，临时命令执行工具
/usr/bin/ansible-doc         #查看配置文档，模块功能查看工具
/usr/bin/ansible-galaxy     #下载/上传优秀代码或Roles模块的官网平台
/usr/bin/ansible-playbook     #定制自动化任务，编排剧本工具
/usr/bin/ansible-pull         #远程执行命令的工具
/usr/bin/ansible-vault         #文件加密工具
/usr/bin/ansible-console     #基于Console界面与用户交互的执行工具
......

# 备份配置
[root@wenCheng ~]# cp /etc/ansible/hosts{,.bak}
[root@wenCheng ~]# cp /etc/ansible/ansible.cfg{,.bak}
[root@wenCheng ~]# vim /etc/ansible/hosts
......
# 末行添加内容
# 远程主机(根据实际情况)：单IP/IP段 用户名 密码 端口；下面举例2类形式
[type1]
172.16.70.181
172.16.70.182
[type1:vars]
ansible_ssh_user='root'
ansible_ssh_pass='centos'
ansible_ssh_port='22'

[type2]
172.16.70.[181:182] ansible_user='root' ansible_pass='centos' ansible_port='22'

[root@wenCheng ~]# vim /etc/ansible/ansible.cfg
......
host_key_checking = False　　　　# 首次连接是否需要检查key认证，取消注释以禁用主机的ssh的密钥检查

# 新建yaml文件
[root@wenCheng ~]# cat /root/ssh_key.yaml
---
  - hosts: all　　　　# 远程主机组
    tasks:
     - name: send id_rsa.pub
       authorized_key: user=root key="{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"　　# 被控制的远程服务上的用户名 本机的公钥地址

# 执行批量公钥分发
[root@wenCheng ~]# ansible-playbook ssh_key.yaml

PLAY [all] ********************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************
ok: [172.16.70.182]
ok: [172.16.70.181]

TASK [send id_rsa.pub] ********************************************************************************************************************
ok: [172.16.70.181]
ok: [172.16.70.182]

PLAY RECAP ********************************************************************************************************************************
172.16.70.181              : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
172.16.70.182              : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# 验证结果
[root@wenCheng ~]# ansible all -m command -a "hostname"
172.16.70.182 | CHANGED | rc=0 >>
Server-02
172.16.70.181 | CHANGED | rc=0 >>
Server-01

[root@wenCheng ~]# ansible all -m shell -a "hostname"
172.16.70.182 | CHANGED | rc=0 >>
Server-02
172.16.70.181 | CHANGED | rc=0 >>
Server-01

# command模块不支持管道
[root@wenCheng ~]# ansible all -m command -a "cat /etc/passwd| grep centos"
172.16.70.181 | FAILED | rc=1 >>
cat: /etc/passwd|: No such file or directory
cat: grep: No such file or directory
cat: centos: No such file or directorynon-zero return code
172.16.70.182 | FAILED | rc=1 >>
cat: /etc/passwd|: No such file or directory
cat: grep: No such file or directory
cat: centos: No such file or directorynon-zero return code

[root@wenCheng ~]# ansible all -m shell -a "cat /etc/passwd| grep centos"
172.16.70.182 | CHANGED | rc=0 >>
centos:x:1000:1000::/home/centos:/bin/bash
172.16.70.181 | CHANGED | rc=0 >>
centos:x:1000:1000::/home/centos:/bin/bash

情景二：管理机批量安装软件。

• yum 模块: RedHat和CentOS的软件包安装和管理工具。

参数：
    config_file：yum的配置文件 （optional）
    disable_gpg_check：关闭gpg_check （optional）
    disablerepo：不启用某个源 （optional）
    enablerepo：启用某个源（optional）
    name：要进行操作的软件包的名字，默认最新的程序包，指明要安装的程序包，可以带上版本号，也可以传递一个url或者一个本地的rpm包的路径
    state：表示是安装还是卸载的状态, 其中present、installed、latest 表示安装,  absent 、removed表示卸载删除;  present默认状态, laster表示安装最新版本.

安装rsync：
[root@wenCheng ~]# ansible all -m yum -a "name=rsync state=present"
或
[root@wenCheng ~]# ansible all -m yum -a "name=http://mirror.centos.org/centos/7/os/x86_64/Packages/rsync-3.1.2-10.el7.x86_64.rpm state=present"

卸载rsync：
[root@wenCheng ~]# ansible all -m yum -a "name=rsync state=removed"

情景三：管理机批量分发文件/目录。

• synchronize 模块: 使用rsync同步文件，将主控方目录推送到指定节点的目录下。

参数：
    delete: 删除不存在的文件，delete=yes 使两边的内容一样（即以推送方为主），默认no
    src: 要同步到目的地的源主机上的路径; 路径可以是绝对的或相对的。如果路径使用”/”来结尾，则只复制目录里的内容，如果没有使用”/”来结尾，则包含目录在内的整个内容全部复制
    dest:目的地主机上将与源同步的路径; 路径可以是绝对的或相对的。
    dest_port:默认目录主机上的端口 ，默认是22，走的ssh协议。
    mode: push或pull，默认push，一般用于从本机向远程主机上传文件，pull 模式用于从远程主机上取文件。
    rsync_opts:通过传递数组来指定其他rsync选项。

# 接情景二环境，并创建所需文件/目录
[root@wenCheng ~]# tree /tmp/
/tmp/
├── dir_ansible1
│   └── 1
├── dir_ansible2
│   └── 2
├── dir_ansible3
│   └── 3
├── dir_ansible4
│   └── 4
├── file_ansible1
├── file_ansible2
├── file_ansible3
└── file_ansible4
4 directories, 8 files

# 推送文件/tmp/file_ansible1到远程主机目录/tmp下
[root@wenCheng ~]# ansible all -m synchronize -a 'src=/tmp/file_ansible1 dest=/tmp'

# 推送文件/tmp/file_ansible2到远程主机目录并覆盖原文件/tmp/file_ansible1
[root@wenCheng ~]# ansible all -m synchronize -a 'src=/tmp/file_ansible2 dest=/tmp/file_ansible1'

# 推送目录/tmp/dir_ansible1到远程主机目录/tmp下(保留远程主机原/tmp内容不变再新增dir_ansible1目录)
[root@wenCheng ~]# ansible all -m synchronize -a 'src=/tmp/dir_ansible1 dest=/tmp'

# 推送目录/tmp/的所有文件或目录到远程主机目录/tmp下，使内容一致，默认delete=no(删除远程主机原/tmp内容再同步推送的目录)
[root@wenCheng ~]# ansible all -m synchronize -a "src=/tmp/ dest=/tmp delete=yes"

# 拉取远程主机文件/etc/hostname到本地目录/tmp
[root@wenCheng ~]# ansible all -m synchronize -a "src=/etc/hostname dest=/tmp rsync_opts='-a' mode=pull"

• copy 模块: 在远程主机执行复制操作文件。

把主控节点本地的文件上传同步到远程受控节点上, 该模块不支持从远程受控节点拉取文件到主控节点上

参数：
    src:指定源文件路径，可以是相对路径，也可以是绝对路径，可以是目录(并非是必须的，可以使用content，直接生成文件内容). src即是要复制到远程主机的文件在本地的地址，可以是绝对路径，也可以是相对路径。
　　　　如果路径是一个目录，它将递归复制。在这种情况下，如果路径使用”/”来结尾，则只复制目录里的内容，如果没有使用”/”来结尾，则包含目录在内的整个内容全部复制，类似于rsync。
    dest:指定目标文件路径，只能是绝对路径，如果src是目录，此项必须是目录. 这个是必选项!
    owner:指定属主;
    group:指定属组;
    mode:指定权限,可以以数字指定比如0644;
    content:代替src，直接往dest文件中写内容，可以引用变量，也可以直接使用inventory中的主机变量. 写后会覆盖原文件内容!
    backup:在覆盖之前将原文件备份，备份文件包含时间信息。有两个选项：yes|no
    force: 如果目标主机包含该文件，但内容不同，如果设置为yes，则强制覆盖，如果为no，则只有当目标主机的目标位置不存在该文件时，才复制。默认为yes ;
    directory_mode：递归的设定目录的权限，默认为系统默认权限;
    others：所有的file模块里的选项都可以在这里使用;

特别注意:  src和content不能同时使用。

# 拷贝本地目录/tmp/dir_ansible1至远程主机目录/tmp
[root@wenCheng ~]# ansible all -m copy -a 'src=/tmp/dir_ansible1 dest=/tmp backup=yes'

# 拷贝本地文件/tmp/file_ansible1至远程主机目录/tmp，并修改属组为centos,权限为400
[root@wenCheng ~]# ansible all -m copy -a 'src=/tmp/file_ansible1 dest=/tmp group=centos mode=400'

 synchronize模块与copy模块区别：

• copy 模块不支持从远端到本地的拉去操作，fetch 模块支持，但是 src 参数不支持目录递归，只能回传具体文件；
• copy 模块的 remote_src 参数是指定从远端服务器上往远端服务器上复制，相当于在 shell 模块中执行 copy 命令；
• synchronize 则支持文件下发和回传，分别对应的 push 和 pull 模式。synchronize 模块的功能依赖于 rsync，但是功能不依赖于 rsync 配置文件中定义的模块；
• copy 模块适用于小规模文件操作，synchronize 支持大规模文件操作

附： Ansible默认配置解析：

[root@wenCheng ~]# cat /etc/ansible/ansible.cfg
......
[defaults]

# some basic default values...

#inventory      = /etc/ansible/hosts　　　　　　　　　　　　# 资源清单inventory文件的位置，脚本或连接管理主机列表
#library        = /usr/share/my_modules/　　　　　　　　　 # 库文件存放目录
#module_utils   = /usr/share/my_module_utils/　　　　　　 # 模块存放目录
#remote_tmp     = ~/.ansible/tmp　　　　　　　　　　　　　　# 临时文件远程主机存放目录
#local_tmp      = ~/.ansible/tmp　　　　　　　　　　　　　　# 临时文件本地存放目录
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml　　# 拒绝模块的配置文件　　
#forks          = 5　　　　　　　　　　# 默认开启的并发数
#poll_interval  = 15　　　　　　　　　 # 默认轮询的时间间隔
#sudo_user      = root　　　　　　　　 # 默认sudo用户　
#ask_sudo_pass = True　　　　　　　　　# 是否需要sudo密码
#ask_pass      = True　　　　　　　　　# 是否需要密码　　　　
#transport      = smart　　　　　　　　# 默认执行智能模式
#remote_port    = 22　　　　　　　　　　# 默认ssh远程端口
#module_lang    = C　　　　　　　　　　# 默认模块和系统之间通信的计算机语言,默认为'C'语言
#module_set_locale = False　　　　　　# 默认设置本地环境变量

# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
#gathering = implicit

# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,virtual)
# You can negate them using ! (ex: !hardware,!facter,!ohai)
# A minimal set of facts is always gathered.
#gather_subset = all

# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
# gather_timeout = 10　　# 收集一些与硬件相关的信息，允许根据系统情况来设置超时时间

# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of 'ansible_'.
# This variable is set to True by default for backwards compatibility. It
# will be changed to a default of 'False' in a future release.
# ansible_facts.
# inject_facts_as_vars = True　　# 设置为True是为了向后兼容，为了维护2.5之前的默认行为

# additional paths to search for roles in, colon separated
#roles_path    = /etc/ansible/roles　　　　　　# 搜索角色的其它路径，冒号分隔

# uncomment this to disable SSH key host checking
#host_key_checking = False　　　　　　　　# 首次连接是否需要检查key认证，取消注释以禁用主机的ssh的密钥检查

# change the default callback, you can only have one 'stdout' type  enabled at a time.
#stdout_callback = skippy　　# 更改默认回调的类型

## Ansible ships with some plugins that require whitelisting,
## this is done to avoid running all of a type by default.
## These setting lists those that you want enabled for your system.
## Custom plugins should not need this unless plugin author specifies it.

# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
#callback_whitelist = timer, mail　　# 回调插件白名单，限制默认插件自动调用。如果是自定义插件则不需要

# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.　　# 默认情况下，tasks和handlers是静态。从2.0开始默认是动态
#task_includes_static = False
#handler_includes_static = False

# Controls if a missing handler for a notification event is an error or a warning
#error_on_missing_handler = True　　# 如果处理程序丢失是错误还是警告

# change this for alternative sudo implementations
#sudo_exe = sudo

# What flags to pass to sudo
# WARNING: leaving out the defaults might create unexpected behaviours　　
#sudo_flags = -H -S -n　　# 传递给sudo的标志，这里如果省略默认值可能会报错

# SSH timeout
#timeout = 10　　　　　　# 默认SSH超时时间

# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root　　# /usr/bin/Ansible属于哪个用户，如果没有给定，那么属于playbook

# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log　　　　　　# 执行日志存放目录

# default module name for /usr/bin/ansible
#module_name = command　　　　　　# 默认执行的模块

# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh

# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together?  The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace　　# 如果inventory变量重叠，优先级越高的会被使用

# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#private_role_vars = yes　　# 默认情况下，角色中的变量将在全局变量中可见

# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n　　# Jinjia2所有可用的扩展名

# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file　　# 使用私钥文件进行身份验证，私钥的存储位置

# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file　　# 如果设置，则配置Vault密码文件的路径，以替代在命令行上指定--vault-password-file

# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
# in some situations so the default is a static string:
#ansible_managed = Ansible managed

# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host.  Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
　　# 默认情况下，如果确定不应该在主机上运行任务，则ansible-playbook将显示Skipping [host]，如果你不想看到这条消息，将其设置为False

# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args.  This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed.  If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#display_args_to_stdout = False

# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False

# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True

# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True

# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead.  These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string.  This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False

# set plugin path directories here, separate with colons　　# 插件的存储位置，ansible将会自动执行下面的插件
#action_plugins     = /usr/share/ansible/plugins/action　　　　　　
#become_plugins     = /usr/share/ansible/plugins/become
#cache_plugins      = /usr/share/ansible/plugins/cache
#callback_plugins   = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins     = /usr/share/ansible/plugins/lookup
#inventory_plugins  = /usr/share/ansible/plugins/inventory
#vars_plugins       = /usr/share/ansible/plugins/vars
#filter_plugins     = /usr/share/ansible/plugins/filter
#test_plugins       = /usr/share/ansible/plugins/test
#terminal_plugins   = /usr/share/ansible/plugins/terminal
#strategy_plugins   = /usr/share/ansible/plugins/strategy

# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#strategy = free　　# 默认情况下，ansible将使用“linear”策略

# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
#bin_ansible_callbacks = False
　　# 默认情况下没有为/bin/ansible加载回调，如果你想要启用它将其设置为True

# don't like cows?  that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1　　# 如果您不想要cowsay支持或导出ANSIBLE_NOCOWS = 1，则设置为1

# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#cow_selection = default
#cow_selection = random

# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
#       in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www

# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1

# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored.  This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact_caching = memory　　　　　　# fact缓存的存储类型。如果存储在memory那么只是暂时的，你可以将其存储在文件或者数据库中

#This option tells Ansible where to cache facts. The value is plugin dependent.
#For the jsonfile plugin, it should be a path to a local directory.
#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0

#fact_caching_connection=/tmp　　# fact缓存的存储路径

# retry files
# When a playbook fails a .retry file can be created that will be placed in ~/
# You can enable this feature by setting retry_files_enabled to True
# and you can change the location of the files by setting retry_files_save_path

#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry　　　　　　# 默认情况下，当playbook执行失败时，将在~/创建.retry文件

# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper

# prevents logging of task data, off by default
#no_log = False　　# Ansible可以优化在循环时使用列表参数调用模块的操作

# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
#no_target_syslog = False　　# 防止记录任务，但仅在目标上，数据仍记录在主/控制器上

# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine.  This option is False by default for security.  Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x.  See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False
　　# 控制Ansible是否会引发错误或警告，如果任务别无选择，只能创建可读的临时文件来执行远程计算机上的模块。对于安全性，默认情况下此选项为False

# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#var_compression_level = 9　　# 控制发送到工作进程的变量的压缩级别。 默认值为0时，不使用压缩。 该值必须是0到9之间的整数

# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system.  The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#module_compression = 'ZIP_DEFLATED'　　# 控制将ansible模块发送到远程系统时使用的压缩方法

# This controls the cutoff point (in bytes) on --diff for files
# set to 0 for unlimited (RAM may suffer!).
#max_diff_size = 1048576
　　# 这将控制文件的--diff的截止点（以字节为单位），设置为0表示无限制（RAM可能会受损！）

# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI.  If this is True then multiple arguments are merged together.  If
# it is False, then the last specified argument is used and the others are ignored.
# This option will be removed in 2.8.
#merge_multiple_cli_flags = True
　　# 这将控制ansible如何在CLI上处理多个--tags和--skip-tags参数。如果这是True，则将多个参数合并在一起。如果为False，则使用最后指定的参数，并忽略其他参数

# Controls showing custom stats at the end, off by default
#show_custom_stats = True　　# 最后显示自定义统计信息的控件，默认情况下已关闭

# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
　　# 控制将目录用作具有可能多个源（静态和动态）的库存时要忽略的文件

# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
　　# 此系列模块使用针对网络设备优化的替代执行路径，只有在您了解其工作原理的情况下才更新此设置，否则会破坏模块执行

# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#allow_unsafe_lookups = False
　　#启用时，此选项允许查找（通过{{lookup（'foo'）}}之类的变量或当用作带有“with_foo”的循环时）返回未标记为“不安全”的数据

# set default errors for all plays
#any_errors_fatal = False　　　　# 为所有的操作设置默认错误

[inventory]
# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
#enable_plugins = host_list, virtualbox, yaml, constructed　　# 默认启动的插件

# ignore these extensions when parsing a directory as inventory source
#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry　　# 在将目录解析为库存源时忽略这些扩展

# ignore files matching these patterns when parsing a directory as inventory source
#ignore_patterns=　　　　# 在将目录解析为库存源时忽略与这些模式匹配的文件

# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
#unparsed_is_failed=False　　　　# 如果'true'未解析的库存来源成为致命错误，则会发出警告

[privilege_escalation]　　# 权限提升设置
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

[paramiko_connection]　　# 该部分功能不常用，了解即可。

# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered.  Increases performance on new host additions.  Setting works independently of the
# host key checking setting above.
#record_host_keys=False　　　　　　# 不记录新主机的Key，以提示效率

# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False　　　　　　# 禁用sudo功能， 取消注释此行以禁用此行为

# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices.  This is a problem for some network devices
# that close the connection after a key failure.  Uncomment this line to
# disable the Paramiko look for keys function
#look_for_keys = False　　# 默认初始查找SSH密钥，取消注释此行以禁用Paramiko查找键功能

# When using persistent connections with Paramiko, the connection runs in a
# background process.  If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key.  This will cause connections
# running in background processes to fail.  Uncomment this line to have
# Paramiko automatically add host keys.
#host_key_auto_add = True　　# 默认提示首次添加主机密钥，取消注释此行以使Paramiko自动添加主机密钥

[ssh_connection]　　# Ansible默认使用SSH协议连接对端主机，该部署是主要是SSH连接的一些配置，但配置项较少，多数默认即可。

# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it, -C controls compression use
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
　　# 要使用的ssh参数离开ControlPersist会导致性能不佳，所以在较旧的平台上使用paramiko而不是删除它，-C控制压缩使用
# The base directory for the ControlPath sockets.
# This is the "%(directory)s" in the control_path option
#
# Example:
# control_path_dir = /tmp/.ansible/cp
#control_path_dir = ~/.ansible/cp

# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
#
# Example:
# control_path = %(directory)s/%%h-%%r　　# 用于ControlPath套接字的路径。 默认为主机名，端口和用户名的散列字符串（配置中为空字符串）
#control_path =

# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False　　　# 默认情况下，禁用此选项以保持兼容性，sudoers配置requiretty（许多发行版的默认设置）。

# Control the mechanism for transferring files (old)
#   * smart = try sftp and then try scp [default]
#   * True = use scp only
#   * False = use sftp only
#scp_if_ssh = smart　　# 控制传输文件的机制(旧)smart|True|False

# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
#   * sftp  = use sftp to transfer files
#   * scp   = use scp to transfer files
#   * piped = use 'dd' over SSH to transfer files
#   * smart = try sftp, scp, and piped, in that order [default]
#transfer_method = smart　　# 控制传输文件的机制(新) sftp|scp|piped|smart

# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#sftp_batch_mode = False　　# False为sftp将不使用批处理模式传输文件，并且只有在sftp版本的批处理模式出现问题时才应禁用

# The -tt argument is passed to ssh when pipelining is not enabled because sudo
# requires a tty by default.
#usetty = True　　　# 未启用管道传输时，-tt参数将传递给ssh，因为默认情况下sudo需要tty 

# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
# For each retry attempt, there is an exponential backoff,
# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
#retries = 3　　　　# 重试与主机的SSH连接的次数

[persistent_connection]

# Configures the persistent connection timeout value in seconds.  This value is
# how long the persistent connection will remain idle before it is destroyed.
# If the connection doesn't receive a request before the timeout value
# expires, the connection is shutdown. The default value is 30 seconds.
#connect_timeout = 30　　# 持久连接超时时间，单位秒

# The command timeout value defines the amount of time to wait for a command
# or RPC call before timing out. The value for the command timeout must
# be less than the value of the persistent connection idle timeout (connect_timeout)
# The default value is 30 second.
#command_timeout = 30　　# 命令超时时间，必须小持于久连接空闲超时的时间，单位秒

[accelerate]　　　　# 该配置项在提升Ansibile连接速度时会涉及，多数保持默认即可。
#accelerate_port = 5099　　　　　　　　# 加速连接端口
#accelerate_timeout = 30　　　　　 　　# 命令执行超时时间，单位秒
#accelerate_connect_timeout = 5.0　　 # 连接超时时间，单位秒

# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30　　　　# 上一个活动连接的时间，单位分钟

# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes　　　# 允许通过SSH使用多个私钥　

[selinux]　　　　　# 关于selinux的相关配置几乎不会涉及，保持默认配置即可。
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat

# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes

[colors]　　　　　　# Ansible对于输出结果的颜色也进行了详尽的定义且可配置，该选项对日常功能应用影响不大，几乎不用修改
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan

[diff]
# Always print diff when running ( same as always running with -D/--diff )
# always = no　　　　# 在运行时始终打印diff（与使用-D / - diff 运行相同）

# Set how many context lines to show in diff
# context = 3　　　　# 设置要在diff中显示的上下文行数