Using Ansible for batch host management
I. Introduction to Ansible
1.1.1 What is Ansible
Ansible is a comparatively recent automation tool written in Python. It borrows the strengths of earlier tools (Puppet, Chef, Func, Fabric) and provides batch system configuration, batch software deployment and batch command execution.
Ansible itself is only a framework: the actual work is done by modules, which it copies to the managed hosts and executes there. It needs no client or agent on the remote side because it talks to managed hosts over SSH. It originally relied on the Python paramiko library for that transport; current versions use the system OpenSSH client by default and keep paramiko only as a fallback. Ansible has been acquired by Red Hat, is the most widely accepted of the automation tools, and is easy to pick up, which makes it one of the skills every operations engineer is expected to have.
1.1.2 Features of Ansible
- Simple to deploy: Ansible is installed only on the control node; managed nodes need nothing beyond an SSH server and Python.
- Manages devices over SSH by default; a large library of modules covers the vast majority of day-to-day operations.
- Simple configuration, powerful, and easy to extend.
- Offers an API and custom modules, so it is easily extended in Python.
- Playbooks describe configuration and desired state.
- Lightweight: with no agent on the managed nodes, an upgrade is done once, on the control node.
- A capable web UI and REST API are available through the AWX platform.
1.1.3 Why use Ansible
- Improves work efficiency.
- Makes better use of company resources.
- Saves the company money.
Official documentation: http://docs.ansible.com
II. Ansible environment, hands-on
2.1.1 Installing Ansible
- On the Ansible control node
[root@m01 ~]# yum install epel-release -y
[root@m01 ~]# yum install ansible libselinux-python -y
[root@m01 ~]# rpm -qa ansible
ansible-2.9.7-1.el7.noarch
- On the managed (remote) nodes
[root@backup ~]# yum install libselinux-python -y
[root@nfs01 ~]# yum install libselinux-python -y
[root@web02 ~]# yum install libselinux-python -y
2.1.2 Configuring the Ansible inventory file
- Inventory file /etc/ansible/hosts
[root@m01 ~]# cp /etc/ansible/hosts{,.bak}
[root@m01 ~]# ll /etc/ansible/hosts{,.bak}
-rw-r--r-- 1 root root 1016 Apr 19 05:24 /etc/ansible/hosts
-rw-r--r-- 1 root root 1016 May 3 12:57 /etc/ansible/hosts.bak
[root@m01 ~]# vim /etc/ansible/hosts
#Configured as follows:
[root@m01 ~]# tail -8 /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
[oldgirl]
172.16.1.31
172.16.1.41
172.16.1.51
#####
#/etc/ansible/hosts is the inventory file. It lists the managed hosts and can carry their connection details,
such as the ssh login user, password and key. What an inventory file can express:
1. Host names may use ranges and patterns, e.g. web[1:3].oldboy.com stands for web1, web2 and web3.
2. A host may listen on a non-standard ssh port, e.g. web1.oldboyedu.com:6666.
3. A host may carry its own variables, for settings specific to that host such as the login user or password.
4. A group may carry variables ([group_name:vars]), and groups may be nested ([game:children]).
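As an added illustration of the four points above (this is example code written for this page, not part of Ansible or of the original notes), the following Python script parses a small INI inventory the way Ansible reads it: it expands the web[1:3] range, splits a :port suffix off into ansible_port, merges [group:vars] underneath host-level values, and flattens a [group:children] section. It also flags any credential stored in clear text, which is the check worth running before an inventory is committed. The host names, IPs and the password in SAMPLE_INVENTORY are made up.

```python
import re
from collections import defaultdict

# Constructed sample inventory covering the four features listed above:
# a numeric host-name range, a non-standard ssh port, per-host variables,
# group variables and a child group. Names, IPs and the password are made up.
SAMPLE_INVENTORY = """
[oldboy]
172.16.1.31
172.16.1.41

[web]
web[1:3].oldboy.com
web1.oldboyedu.com:6666 ansible_user=deploy

[db]
db01 ansible_host=172.16.1.51 ansible_ssh_pass=123456

[web:vars]
ansible_port=22
http_port=80

[game:children]
web
db
"""

RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")
HOST_PORT_RE = re.compile(r"^(.*?)(?::(\d+))?$")
# Inventory variables that carry a credential in clear text.
SECRET_VARS = ("ansible_ssh_pass", "ansible_password",
               "ansible_become_pass", "ansible_sudo_pass")


def expand_pattern(pattern):
    """Expand a numeric range such as web[1:3].oldboy.com (or web[01:03]) into host names."""
    m = RANGE_RE.search(pattern)
    if not m:
        return [pattern]
    lo, hi = m.group(1), m.group(2)
    width = len(lo) if lo.startswith("0") else 0   # keep zero padding if the range uses it
    return [pattern[:m.start()] + str(i).zfill(width) + pattern[m.end():]
            for i in range(int(lo), int(hi) + 1)]


def parse_host_line(line):
    """Split 'pattern[:port] key=value ...' into (pattern, hostvars).
    IPv6 literals such as [::1]:22 are not handled in this example."""
    fields = line.split()
    pattern, port = HOST_PORT_RE.match(fields[0]).groups()
    hostvars = {}
    for kv in fields[1:]:
        key, _, value = kv.partition("=")
        hostvars[key] = value
    if port:
        hostvars.setdefault("ansible_port", port)
    return pattern, hostvars


def parse_inventory(text):
    """Return (hosts, groups): hosts maps name -> merged variables (host vars beat group vars),
    groups maps group name -> sorted members, with :children groups flattened."""
    hosts, members = {}, defaultdict(list)
    group_vars, children = defaultdict(dict), defaultdict(list)
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
            kind = kind or "hosts"
        elif kind == "hosts":
            pattern, hostvars = parse_host_line(line)
            for name in expand_pattern(pattern):
                hosts.setdefault(name, {}).update(hostvars)
                members[section].append(name)
        elif kind == "vars":
            key, _, value = line.partition("=")
            group_vars[section][key.strip()] = value.strip()
        elif kind == "children":
            children[section].append(line)

    def flatten(group, seen=()):
        if group in seen:                      # guard against a group listing itself as a child
            return set()
        names = set(members.get(group, ()))
        for child in children.get(group, ()):
            names |= flatten(child, seen + (group,))
        return names

    groups = {g: sorted(flatten(g)) for g in set(members) | set(children)}
    for group, variables in group_vars.items():
        for name in groups.get(group, ()):
            for key, value in variables.items():
                hosts[name].setdefault(key, value)   # a host-level value wins over the group value
    return hosts, groups


def find_plaintext_secrets(hosts):
    """List (host, variable) for every credential stored in clear text in the inventory."""
    return [(name, key) for name, variables in sorted(hosts.items())
            for key in variables if key in SECRET_VARS]


if __name__ == "__main__":
    hosts, groups = parse_inventory(SAMPLE_INVENTORY)
    for group, names in sorted(groups.items()):
        print(f"[{group}] {', '.join(names)}")
    print("plaintext credentials:", find_plaintext_secrets(hosts))
```

Run against the real file with `parse_inventory(open("/etc/ansible/hosts").read())`; a non-empty result from find_plaintext_secrets means a password is sitting in a world-readable text file and should move into an ansible-vault file or be replaced by key-based login.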
- Configuring /etc/ansible/ansible.cfg
[root@m01 ~]# ll /etc/ansible/ansible.cfg{,.bak}
-rw-r--r-- 1 root root 20013 May 3 14:23 /etc/ansible/ansible.cfg
-rw-r--r-- 1 root root 20013 May 3 14:39 /etc/ansible/ansible.cfg.bak
[root@m01 ~]# vim /etc/ansible/ansible.cfg
Edit line 374 of ansible.cfg (the ssh_args line in the [ssh_connection] section):
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
# Append -o StrictHostKeyChecking=no to the end of the existing line. Understand what this trades away: ssh will now accept whatever host key a node presents on first contact (and will still connect, with restrictions, when a known key later changes), so anyone who can redirect traffic on the 172.16.1.0/24 segment can impersonate a managed node, capture the password of a password-based login and tamper with the commands Ansible runs. Ansible's own host_key_checking = False in the [defaults] section has the same effect. This is acceptable in an isolated lab; in production keep host-key checking enabled and pre-populate ~/.ssh/known_hosts on the control node with host keys collected out of band.
- Hands-on commands
Error:
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:bbt9sjPOENs3zK9cw7YmIo0ABuFkZnTxXbOaIdpSOo0.
ECDSA key fingerprint is MD5:e5:3b:15:2e:6c:82:4b:b1:f8:45:dc:80:72:de:11:47.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:bbt9sjPOENs3zK9cw7YmIo0ABuFkZnTxXbOaIdpSOo0.
ECDSA key fingerprint is MD5:e5:3b:15:2e:6c:82:4b:b1:f8:45:dc:80:72:de:11:47.
Are you sure you want to continue connecting (yes/no)? yes
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.41 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Host key verification failed.",
"unreachable": true
}
Fix:
[oldboy]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.41 ansible_ssh_user=root ansible_ssh_pass=123456
#Add the login details after each host (ansible_ssh_user / ansible_ssh_pass are the pre-2.0 variable names; ansible_user / ansible_password are the current ones, and password login needs sshpass on the control node), or ssh to each host by hand once so its host key is recorded. A password in the inventory is readable by everyone who can read the file, so key-based authentication is the recommended solution. Note also that both nodes in the error above show the same ECDSA fingerprint: they share one host key, which happens when VMs are cloned from a single image, so compromising the key on one node covers both; regenerate the host keys on each clone.
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
172.16.1.31 | CHANGED | rc=0 >>
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.31 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::20c:29ff:fea2:2c6d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:a2:2c:6d txqueuelen 1000 (Ethernet)
RX packets 492 bytes 364464 (355.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 345 bytes 45470 (44.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
172.16.1.41 | CHANGED | rc=0 >>
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.41 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::20c:29ff:fe6c:1f2d prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:6c:1f:2d txqueuelen 1000 (Ethernet)
RX packets 209 bytes 107503 (104.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 171 bytes 30025 (29.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
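What StrictHostKeyChecking=no throws away is the comparison the prompts above asked for: the presented key's fingerprint against a value known in advance. The following Python is an added example for this page, not code from Ansible, OpenSSH or the original notes. It computes fingerprints the way ssh-keygen -lf does (SHA-256 over the decoded key blob, or MD5 for the legacy colon-separated form), produces a known_hosts line only when a scanned key matches the expected fingerprint, and reports hosts that present the same key, which is what the identical fingerprints on 172.16.1.31 and 172.16.1.41 above indicate. The ssh-keyscan lines and the ed25519 key bytes in SAMPLE_KEYSCAN are constructed; in practice the expected fingerprint is read from the node's console, not over the network.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32):
    """Build the public-key blob that appears base64-encoded in known_hosts / ssh-keyscan output."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


# Constructed ssh-keyscan output: .31 and .41 present the same key, as cloned VMs do,
# while .51 has its own. The 32-byte key values are made up, not real keys.
KEY_A = ed25519_blob(bytes(range(32)))
KEY_B = ed25519_blob(bytes(range(32, 64)))
SAMPLE_KEYSCAN = "\n".join([
    "172.16.1.31 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    "172.16.1.41 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    "172.16.1.51 ssh-ed25519 " + base64.b64encode(KEY_B).decode(),
])


def fingerprint_sha256(blob):
    """OpenSSH's default fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy fingerprint: 'MD5:' + colon-separated hex of md5(blob)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_keyscan(text):
    """Yield (host, keytype, blob) from ssh-keyscan or known_hosts style lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        yield host, keytype, base64.b64decode(b64)


def verified_known_hosts_line(keyscan_text, host, expected_fp):
    """Return the known_hosts line for `host` only if the scanned key matches `expected_fp`
    (SHA256: or MD5: form, obtained out of band, e.g. from the node's console); else None."""
    for scanned_host, keytype, blob in parse_keyscan(keyscan_text):
        if scanned_host != host:
            continue
        if expected_fp in (fingerprint_sha256(blob), fingerprint_md5(blob)):
            return f"{scanned_host} {keytype} {base64.b64encode(blob).decode()}"
    return None


def duplicate_host_keys(keyscan_text):
    """Map every fingerprint presented by more than one host to the list of those hosts."""
    hosts_by_fp = defaultdict(list)
    for host, _, blob in parse_keyscan(keyscan_text):
        hosts_by_fp[fingerprint_sha256(blob)].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    # The expected value would normally come from `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`
    # run on the node's console, not from anything received over the network.
    expected = fingerprint_sha256(KEY_A)
    print(verified_known_hosts_line(SAMPLE_KEYSCAN, "172.16.1.31", expected))
    print(verified_known_hosts_line(SAMPLE_KEYSCAN, "172.16.1.51", expected))  # None: key differs
    print(duplicate_host_keys(SAMPLE_KEYSCAN))
```

With real ssh-keyscan output and one expected fingerprint per host, the verified lines can be appended to ~/.ssh/known_hosts on the control node, after which ansible.cfg can keep the default host-key checking. A non-empty result from duplicate_host_keys means the clones should get fresh host keys before they go into service.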
- Key distribution
[root@m01 ~]# sh /server/scripts/rsa_pub.sh
========172.16.1.31=========
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' 'root@172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.
key copy successful [ OK ]
========172.16.1.41=========
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' 'root@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
key copy successful [ OK ]
- Key distribution script
[root@m01 ~]# vim /server/scripts/rsa_pub.sh
#!/bin/bash
#auth chenhj 2020-2-15
. /etc/init.d/functions
# Generate the control node's key pair once; skip if it already exists
[ -f ~/.ssh/id_rsa ] || ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
for ip in {31,41}
do
    echo "========172.16.1.$ip========="
    # Lab only: the password given to sshpass is visible in the process list and in shell history.
    # ssh options go through ssh-copy-id's own -o flag, and the target must be the last argument.
    if sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@172.16.1.$ip
    then
        action "key copy successful " /bin/true
    else
        action "key copy failed " /bin/false
    fi
done
[root@m01 ~]# ansible oldboy -m command -a "ifconfig eth1"
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.41 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
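ssh-copy-id's closing line, "check to make sure that only the key(s) you wanted were added", is the step the script above skips. The following Python is an added example for this page (not from Ansible, ssh-copy-id or the original notes) that performs that check against a managed node's authorized_keys: it parses each entry, including quoted option strings such as command="...", fingerprints the key the same way ssh-keygen -lf does, and reports keys that are not on the allow list as well as allowed keys that carry no from= source restriction. The file contents and key bytes in SAMPLE_AUTHORIZED_KEYS are constructed, and 172.16.1.61 in the from= option is an assumed address for the control node.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}

# Constructed key material: the base64 fields are made-up byte strings, not real keys,
# which is enough here because fingerprints are taken over the raw blob bytes.
CONTROL_NODE_KEY = base64.b64encode(b"constructed control node (m01) public key").decode()
BACKUP_KEY = base64.b64encode(b"constructed backup job public key").decode()
ROGUE_KEY = base64.b64encode(b"constructed key nobody authorised").decode()

# Constructed /root/.ssh/authorized_keys as it might look on a managed node after
# several ssh-copy-id runs by different people. 172.16.1.61 is an assumed control-node IP.
SAMPLE_AUTHORIZED_KEYS = f"""
# control node, restricted to the management IP
from="172.16.1.61",no-port-forwarding,no-agent-forwarding ssh-ed25519 {CONTROL_NODE_KEY} root@m01
ssh-ed25519 {ROGUE_KEY} someone@laptop
command="/usr/bin/rsync --server -a . /backup",no-pty ssh-rsa {BACKUP_KEY} backup@nfs01
"""


def key_fingerprint(b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key field (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_first_field(line):
    """Split off the first whitespace-delimited field, honouring double quotes so that
    options such as command="rsync --server -a ..." stay in one piece."""
    out, in_quote, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "\\" and in_quote and i + 1 < len(line):
            out.append(c)          # keep the escape and the character it protects
            i += 1
            c = line[i]
        elif c.isspace() and not in_quote:
            break
        out.append(c)
        i += 1
    return "".join(out), line[i:].lstrip()


def parse_authorized_key(line):
    """Return (options, keytype, b64, comment) for one authorized_keys entry."""
    first, rest = split_first_field(line)
    if first in KEY_TYPES:
        options, keytype = "", first        # entry starts directly with the key type
    else:
        options = first                     # entry starts with an options list
        keytype, rest = split_first_field(rest)
    b64, _, comment = rest.partition(" ")
    return options, keytype, b64, comment.strip()


def audit_authorized_keys(text, allowed_fps):
    """Report keys not on the allow list, and allowed keys without a from= restriction."""
    report = {"unexpected": [], "unrestricted": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, _, b64, comment = parse_authorized_key(line)
        fp = key_fingerprint(b64)
        if fp not in allowed_fps:
            report["unexpected"].append((fp, comment))
        elif "from=" not in options:
            report["unrestricted"].append((fp, comment))
    return report


def audit_sample():
    """Run the audit on the constructed file with the two keys we actually meant to install."""
    allowed = {key_fingerprint(CONTROL_NODE_KEY), key_fingerprint(BACKUP_KEY)}
    return audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, allowed)


if __name__ == "__main__":
    for kind, entries in audit_sample().items():
        for fp, comment in entries:
            print(f"{kind}: {fp} ({comment})")
```

Fed the real file (for example via an Ansible command or slurp run against each node) and the fingerprints of the keys you intend to allow, anything under "unexpected" is a login path nobody signed off on, and anything under "unrestricted" is a key that would still work from an attacker's machine if it were ever copied off the control node.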
- Hands-on
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.41 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 1980 110 1603 9 266 1716
Swap: 1023 0 1023
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 1980 117 1595 9 268 1710
Swap: 1023 0 1023