Ansible 運維自動化 ( 配置管理工具 )
簡介:
當下有許多的運維自動化工具( 配置管理 ),例如:Ansible、SaltStack、Puppet、Fabric 等。
Ansible 一種整合 IT 系統的配置管理、應用部署、執行特定任務的開源平臺,是 AnsibleWorks 公司名下的專案,該公司由 Cobbler 及 Func 的作者於 2012 年建立成立。
Ansible 基於 Python 語言實現,由 Paramiko 和 PyYAML 兩個關鍵模組構建。
Ansible 特點:
>> 部署簡單,只需在主控端部署 Ansible 環境,被控端無需做任何操作。
>> 預設使用 SSH(Secure Shell)協議對裝置進行管理。
>> 主從集中化管理。
>> 配置簡單、功能強大、擴充套件性強。
>> 支援 API 及自定義模組,可通過 Python 輕鬆擴充套件。
>> 通過 Playbooks 來定製強大的配置、狀態管理。
>> 對雲端計算平臺、大資料都有很好的支援。
>> 提供一個功能強大、操作性強的 Web 管理介面和 REST API 介面 ---- AWX 平臺。
Ansible 與 SaltStack
>> 最大的區別是 Ansible 無需在被監控主機部署任何客戶端代理,預設通過 SSH 通道進行遠端命令執行或下發配置。
>> 相同點是都具備功能強大、靈活的系統管理、狀態配置,都使用 YAML 格式來描述配置,兩者都提供豐富的模板及 API,對雲端計算平臺、大資料都有很好的支援。
一、安裝 Ansible
shell > yum -y install ansible
二、配置 Ansible
shell > ls /etc/ansible # ansible.cfg 是 Ansible 工具的配置檔案;hosts 用來配置被管理的機器;roles 是一個目錄,playbook 將使用它 ansible.cfg hosts roles
1、Ansible 管理機與被管理機做祕鑰認證
shell > ssh-keygen # 生成祕鑰 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: ea:11:72:ea:d2:d1:fa:1c:e0:df:4f:b0:98:31:be:fe [email protected] The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | | | o.= S | | ..*.B o | | .ooB . . | | ..o+ = . | | ..oB.E.. | +-----------------+ shell > ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 22 [email protected]" # 將公鑰寫入被管理機 The authenticity of host '192.168.12.129 (192.168.12.129)' can't be established. RSA key fingerprint is f0:9e:01:73:a4:bf:14:10:ac:46:a9:48:cd:c5:d8:1c. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.12.129' (RSA) to the list of known hosts. [email protected]192.168.12.129's password: Now try logging into the machine, with "ssh '-p 22 [email protected]'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
2、hosts 檔案新增被管理機
shell > > /etc/ansible/hosts shell > vim /etc/ansible/hosts [Client] 192.168.12.129
三、測試 Ansible
shell > ansible Client -m ping # 操作 Client 組 ( all 為操作 hosts 檔案中所有主機 ),-m 指定執行 ping 模組,下面是返回結果 192.168.12.129 | SUCCESS => { "changed": false, "ping": "pong" }
# -i 指定 hosts 檔案位置
# -u username 指定 SSH 連線的使用者名稱
# -k 指定遠端使用者密碼
# -f 指定併發數
# -s 如需要 root 許可權執行時使用 ( 連線使用者不是 root 時 )
# -K -s 時,-K 輸入 root 密碼
四、附加
1、/etc/ansible/hosts 檔案
## Ansible 定義主機、組規則的配置檔案
shell > vim /etc/ansible/hosts www.abc.com # 定義域名 192.168.1.100 # 定義 IP 192.168.1.150:37268 # 指定埠號 [WebServer] # 定義分組 192.168.1.10 192.168.1.20 192.168.1.30 [DBServer] # 定義多個分組 192.168.1.50 192.168.1.60 Monitor ansible_ssh_port=12378 ansible_ssh_host=192.168.1.200 # 定義別名 # ansible_ssh_host 連線目標主機的地址 # ansible_ssh_port 連線目標主機的埠,預設 22 時無需指定 # ansible_ssh_user 連線目標主機預設使用者 # ansible_ssh_pass 連線目標主機預設使用者密碼 # ansible_ssh_connection 目標主機連線型別,可以是 local 、ssh 或 paramiko # ansible_ssh_private_key_file 連線目標主機的 ssh 私鑰 # ansible_*_interpreter 指定採用非 Python 的其他指令碼語言,如 Ruby 、Perl 或其他類似 ansible_python_interpreter 直譯器 [webservers] # 主機名支援正則描述 www[01:50].example.com [dbservers] db-[a:f].example.com
2、Ansible 常用模組學習
shell > ansible-doc -l # 列出 Ansible 支援的模組 shell > ansible-doc ping # 檢視該模組幫助資訊
>> 遠端命令模組( command / script / shell )
command 作為 Ansible 的預設模組,可以執行遠端許可權範圍所有的 shell 命令,不支援管道符。
例:
shell > ansible Client -m command -a "free -m" # 檢視 Client 分組主機記憶體使用情況
script 的功能是在遠端主機執行主控端儲存的 shell 指令碼檔案,相當於 scp + shell 組合。
例:
shell > ansible Client -m script -a "/home/test.sh 12 34" # 遠端執行本地指令碼
shell 的功能是執行遠端主機上的 shell 指令碼檔案,支援管道符。
例:
shell > ansible Client -m shell -a "/home/test.sh" # 執行遠端指令碼
>> copy 模組(實現主控端向目標主機拷貝檔案,類似於 scp 功能)
例:
shell > ansible Client -m copy -a "src=/home/test.sh desc=/tmp/ owner=root group=root mode=0755" # 向 Client 組中主機拷貝 test.sh 到 /tmp 下,屬主、組為 root ,許可權為 0755
>> stat 模組(獲取遠端檔案狀態資訊,atime/ctime/mtime/md5/uid/gid 等資訊)
例:
shell > ansible Client -m stat -a "path=/etc/syctl.conf"
>> get_url 模組(實現在遠端主機下載指定 URL 到本地,支援 sha256sum 檔案校驗)
例:
shell > ansible Client -m get_utl -a "url=http://www.baidu.com dest=/tmp/index.html mode=0440 force=yes"
>> yum 模組(軟體包管理)
例:
shell > ansible Client -m yum -a "name=curl state=latest"
>> cron 模組(遠端主機 crontab 配置)
例:
shell > ansible Client -m cron -a "name='check dirs' hour='5,2' job='ls -alh > /dev/null'"
效果:
#Ansible: check dirs * 5,2 * * * ls -alh > /dev/null
>> mount 模組(遠端主機分割槽掛載)
例:
shell > ansible Client -m mount -a "name=/mnt/data src=/dev/sd0 fstype=ext4 opts=ro state=present"
>> service 模組(遠端主機系統服務管理)
例:
shell > ansible Client -m service -a "name=nginx state=stoped" shell > ansible Client -m service -a "name=nginx state=restarted" shell > ansible Client -m service -a "name=nginx state=reloaded"
>> user 服務模組(遠端主機使用者管理)
例:
shell > ansible Client -m user -a "name=wang comment='user wang'" shell > ansible Client -m user -a "name=wang state=absent remove=yes" # 新增刪除使用者
五、Ansible-playbook
# 使用 Ansible-playbook 可以完成一組複雜的動作,例如部署環境、搭建服務、修改配置等。
簡單示例:
shell > vim /etc/ansible/playbook.yml # 將遠端主機IP地址寫入檔案中儲存 --- - hosts: Client remote_user: root tasks: - name: Save IP To info.txt shell: "ifconfig eth0 | awk -F '[ :]'+ '/inet addr/{print $4}' > ~/info.txt" # hosts 指定執行操作主機 # remote_user 指定執行使用者 # tasks 指明有哪些動作 # name 動作描述 # shell 模組,後面為具體指令
Playbook 實戰:
一、目錄結構
shell > cd /etc/ansible/ ; tree . . ├── ansible.cfg ├── delete_zabbix_agent.yml ├── hosts ├── install_zabbix_agent.yml └── roles ├── delete_zabbix_agent │ ├── tasks │ │ └── main.yml │ └── vars │ └── main.yml └── install_zabbix_agent ├── files │ └── zabbix-2.4.5.tar.gz ├── tasks │ └── main.yml ├── templates │ ├── zabbix_agentd │ └── zabbix_agentd.conf └── vars └── main.yml ## ansible.cfg 此檔案為 ansible 的主配置檔案 ## hosts 用於定義主機組 ## roles 定義不同的角色 ## install_zabbix_agent.yml 用於安裝 zabbix_agent 的引導檔案 ## delete_zabbix_agent.yml 刪除已安裝的 zabbix_agent 的引導檔案 └── install_zabbix_agent ├── files │ └── zabbix-2.4.5.tar.gz ├── tasks │ └── main.yml ├── templates │ ├── zabbix_agentd │ └── zabbix_agentd.conf └── vars └── main.yml ## 其中,install_zabbix_agent 為一個角色,用於安裝 zabbix_agent ## file 目錄:用於存放將要拷貝到遠端主機的安裝包等 ## tasks 目錄:將要執行的所有任務,如果比較複雜,可以單獨定義不同的任務,最後在 main.yml 檔案中引用即可 ## templates 目錄:模板目錄,這裡存放著一些可變的檔案,即:每臺主機上的這些檔案中的內容都不完全相同 ## vars 目錄:用於存放變數 ## 這是一個比較簡單的結構,其實一個角色中還可以有 meta 、handlers 等
二、Playbook 安裝軟體需要的步驟
1、定義 hosts( 給哪些主機安裝軟體 )
shell > vim /etc/ansible/hosts [mini] 129.139.153.78:16283 155.139.190.94:12573
2、定義入口檔案 install_zabbix_agent.yml
shell > vim /etc/ansible/install_zabbix_agent.yml --- - hosts: mini roles: - install_zabbix_agent ## 可以看到將要安裝的主機組為 mini 組,角色為 install_zabbix_agent
3、定義角色 install_zabbix_agent
shell > tree /etc/ansible/roles/install_zabbix_agent/ ├── files │ └── zabbix-2.4.5.tar.gz ├── tasks │ └── main.yml ├── templates │ ├── zabbix_agentd │ └── zabbix_agentd.conf └── vars └── main.yml ## 建立 files 目錄,存放編譯安裝過的 zabbix_agent 目錄的壓縮檔案,用於拷貝到遠端主機 ## 建立 tasks 目錄,用於編寫將要執行的任務 ## 建立 templates 目錄,用於存放可變的模板檔案 ## 建立 vars 目錄,用於存放變數資訊
shell > cat /etc/ansible/roles/install_zabbix_agent/tasks/main.yml --- - name: Install Software yum: name={{ item }} state=latest with_items: - libcurl-devel - name: Create Zabbix User user: name={{ zabbix_user }} state=present createhome=no shell=/sbin/nologin - name: Copy Zabbix.tar.gz copy: src=zabbix-{{ zabbix_version }}.tar.gz dest={{ zabbix_dir }}/src/zabbix-{{ zabbix_version }}.tar.gz owner=root group=root - name: Uncompression Zabbix.tar.gz shell: tar zxf {{ zabbix_dir }}/src/zabbix-{{ zabbix_version }}.tar.gz -C {{ zabbix_dir }}/ - name: Copy Zabbix Start Script template: src=zabbix_agentd dest=/etc/init.d/zabbix_agentd owner=root group=root mode=0755 - name: Copy Zabbix Config File template: src=zabbix_agentd.conf dest={{ zabbix_dir }}/zabbix/etc/zabbix_agentd.conf owner={{ zabbix_user }} group={{ zabbix_user }} mode=0644 - name: Modify Zabbix Dir Permisson file: path={{ zabbix_dir }}/zabbix owner={{ zabbix_user }} group={{ zabbix_user }} mode=0755 recurse=yes - name: Start Zabbix Service shell: /etc/init.d/zabbix_agentd start - name: Add Boot Start Zabbix Service shell: chkconfig --level 35 zabbix_agentd on
shell > cat /etc/ansible/roles/install_zabbix_agent/vars/main.yml zabbix_dir: /usr/local zabbix_version: 2.4.5 zabbix_user: zabbix zabbix_port: 10050 zabbix_server_ip: 131.142.101.120
shell > cat /etc/ansible/roles/install_zabbix_agent/templates/zabbix_agentd #!/bin/bash # # chkconfig: - 90 10 # description: Starts and stops Zabbix Agent using chkconfig # Tested on Fedora Core 2 - 5 # Should work on all Fedora Core versions # # @name: zabbix_agentd # @author: Alexander Hagenah <[email protected]> # @created: 18.04.2006 # # Modified for Zabbix 2.0.0 # May 2012, Zabbix SIA # # Source function library. . /etc/init.d/functions # Variables # Edit these to match your system settings # Zabbix-Directory BASEDIR={{ zabbix_dir }}/zabbix # Binary File BINARY_NAME=zabbix_agentd # Full Binary File Call FULLPATH=$BASEDIR/sbin/$BINARY_NAME # PID file PIDFILE=/tmp/$BINARY_NAME.pid # Establish args ERROR=0 STOPPING=0 # # No need to edit the things below # # application checking status if [ -f $PIDFILE ] && [ -s $PIDFILE ] then PID=`cat $PIDFILE` if [ "x$PID" != "x" ] && kill -0 $PID 2>/dev/null && [ $BINARY_NAME == `ps -e | grep $PID | awk '{print $4}'` ] then STATUS="$BINARY_NAME (pid `pidof $APP`) running.." RUNNING=1 else rm -f $PIDFILE STATUS="$BINARY_NAME (pid file existed ($PID) and now removed) not running.." RUNNING=0 fi else if [ `ps -e | grep $BINARY_NAME | head -1 | awk '{ print $1 }'` ] then STATUS="$BINARY_NAME (pid `pidof $APP`, but no pid file) running.." else STATUS="$BINARY_NAME (no pid file) not running" fi RUNNING=0 fi # functions start() { if [ $RUNNING -eq 1 ] then echo "$0 $ARG: $BINARY_NAME (pid $PID) already running" else action $"Starting $BINARY_NAME: " $FULLPATH touch /var/lock/subsys/$BINARY_NAME fi } stop() { echo -n $"Shutting down $BINARY_NAME: " killproc $BINARY_NAME RETVAL=$? echo [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$BINARY_NAME RUNNING=0 } # logic case "$1" in start) start ;; stop) stop ;; status) status $BINARY_NAME ;; restart) stop sleep 10 start ;; help|*) echo $"Usage: $0 {start|stop|status|restart|help}" cat <<EOF start - start $BINARY_NAME stop - stop $BINARY_NAME status - show current status of $BINARY_NAME restart - restart $BINARY_NAME if running by sending a SIGHUP or start if not running help - this screen EOF exit 1 ;; esac exit 0
shell > cat /etc/ansible/roles/install_zabbix_agent/templates/zabbix_agentd.conf # This is a config file for the Zabbix agent daemon (Unix) # To get more information about Zabbix, visit http://www.zabbix.com ############ GENERAL PARAMETERS ################# ### Option: PidFile # Name of PID file. # # Mandatory: no # Default: # PidFile=/tmp/zabbix_agentd.pid ### Option: LogFile # Name of log file. # If not set, syslog is used. # # Mandatory: no # Default: # LogFile= LogFile=/tmp/zabbix_agentd.log ### Option: LogFileSize # Maximum size of log file in MB. # 0 - disable automatic log rotation. # # Mandatory: no # Range: 0-1024 # Default: # LogFileSize=1 ### Option: DebugLevel # Specifies debug level # 0 - basic information about starting and stopping of Zabbix processes # 1 - critical information # 2 - error information # 3 - warnings # 4 - for debugging (produces lots of information) # # Mandatory: no # Range: 0-4 # Default: # DebugLevel=3 ### Option: SourceIP # Source IP address for outgoing connections. # # Mandatory: no # Default: # SourceIP= ### Option: EnableRemoteCommands # Whether remote commands from Zabbix server are allowed. # 0 - not allowed # 1 - allowed # # Mandatory: no # Default: # EnableRemoteCommands=0 ### Option: LogRemoteCommands # Enable logging of executed shell commands as warnings. # 0 - disabled # 1 - enabled # # Mandatory: no # Default: # LogRemoteCommands=0 ##### Passive checks related ### Option: Server # List of comma delimited IP addresses (or hostnames) of Zabbix servers. # Incoming connections will be accepted only from the hosts listed here. # If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally. # # Mandatory: no # Default: # Server= Server={{ zabbix_server_ip }} ### Option: ListenPort # Agent will listen on this port for connections from the server. # # Mandatory: no # Range: 1024-32767 # Default: # ListenPort=10050 ListenPort={{ zabbix_port }} ### Option: ListenIP # List of comma delimited IP addresses that the agent should listen on. # First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks. # # Mandatory: no # Default: # ListenIP=0.0.0.0 ### Option: StartAgents # Number of pre-forked instances of zabbix_agentd that process passive checks. # If set to 0, disables passive checks and the agent will not listen on any TCP port. # # Mandatory: no # Range: 0-100 # Default: # StartAgents=3 ##### Active checks related ### Option: ServerActive # List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks. # If port is not specified, default port is used. # IPv6 addresses must be enclosed