"Ansible automated operation and maintenance: Techniques and Best Practices" chapter study notes

Ansible Installation and Configuration

This chapter is mainly about Ansible installation and basic configuration and covers the following:

  1. Preparing the Ansible environment
  2. Installing Ansible
  3. Configuring the operating environment
  4. Ansible practice

Preparing the Ansible environment

Obtain Ansible from GitHub and prepare a control node and the managed nodes.

The operating system used is CentOS 7.0, which ships with Python 2.7.5.

Role           Host name        IP address       Group name   CPUs   Web root
Managed node   web1             192.168.46.128   webservers   2      /website
Managed node   web2             192.168.46.129   webservers   2      /website
Control node   ansiblecontrol   192.168.46.130   ---          ---    ---

Set the host name permanently:
hostnamectl set-hostname web1

Installing Ansible

Ansible can be installed directly from the source code or with a package management tool.

Installing directly from the source code

Installing from the GitHub source repository

  1. Extract the Ansible source code
    git clone https://github.com/ansible/ansible.git --recursive
    cd ./ansible
    # To reduce warning/error output, add the -q option when sourcing env-setup
    source ./hacking/env-setup -q
  2. If pip is not installed, install the pip that matches your Python version
    sudo easy_install pip
  3. Install the Python modules that Ansible requires on the control node
    sudo pip install paramiko PyYAML Jinja2 httplib2 six
  4. To update Ansible, pull the latest source tree and update the git submodules that Ansible uses for its own modules
    git pull --rebase
    git submodule update --init --recursive
  5. Run the env-setup script (the default inventory file is /etc/ansible/hosts); to use another inventory, point ANSIBLE_HOSTS at it
    echo "127.0.0.1" > ~/ansible_hosts
    export ANSIBLE_HOSTS=~/ansible_hosts

    When installing from the GitHub repository, copy ansible.cfg from the examples directory of the repository to the /etc/ansible directory

Installing with a package management tool

pip installation

# install pip
sudo easy_install pip
# install Ansible with the pip command
sudo pip install ansible

Installing with pip does not generate a configuration file automatically; you need to create /etc/ansible/ansible.cfg yourself.

Configuring the operating environment

Configuration file precedence:

  1. ANSIBLE_CONFIG: first, the ansible command checks this environment variable, which points to a configuration file.
  2. ./ansible.cfg: second, it checks for ansible.cfg in the current directory.
  3. ~/.ansible.cfg: third, it checks for .ansible.cfg in the current user's home directory.
  4. /etc/ansible/ansible.cfg: finally, it checks the configuration file generated automatically at installation.

Configuring the Ansible environment

  1. Use environment variables
  2. Set the configuration parameters in ansible.cfg (the file and its comments are shown below)

[defaults]

#inventory      = /etc/ansible/hosts    # path to the inventory file
#library        = /usr/share/my_modules/    # path to module files
#module_utils   = /usr/share/my_module_utils/   # directory for custom module utilities
#remote_tmp     = ~/.ansible/tmp    # directory for temporary files on the remote host
#local_tmp      = ~/.ansible/tmp    # directory for temporary files on the local host
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks          = 5 # default number of parallel processes
#poll_interval  = 15    # default polling interval
#sudo_user      = root  # default sudo user
#ask_sudo_pass = True   # whether to prompt for the sudo password
#ask_pass      = True   # whether to prompt for the SSH password
#transport      = smart # transport mechanism: if the local system supports ControlPersist, the OpenSSH-based 'ssh' transport is used, otherwise 'paramiko'; other transport options are 'local', 'chroot', 'jail', etc.
#remote_port    = 22    # management port used to connect to managed nodes
#module_lang    = C # locale in which modules run
#module_set_locale = False
#gathering = implicit   # fact gathering switch; implicit (facts not gathered by default)
#gather_subset = all    # scope of fact gathering
# gather_timeout = 10   # fact gathering timeout interval

# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of 'ansible_'.
# This variable is set to True by default for backwards compatibility. It
# will be changed to a default of 'False' in a future release.
# ansible_facts.
# inject_facts_as_vars = True

#roles_path    = /etc/ansible/roles # path where roles are stored

#host_key_checking = False  # whether to check SSH host keys

# change the default callback, you can only have one 'stdout' type  enabled at a time.
#stdout_callback = skippy

# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
#callback_whitelist = timer, mail

# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.
#task_includes_static = False
#handler_includes_static = False

# Controls if a missing handler for a notification event is an error or a warning
#error_on_missing_handler = True

#sudo_exe = sudo    # sudo command used by ansible
#sudo_flags = -H -S -n  # sudo flags used by ansible
#timeout = 10   # ansible SSH connection timeout in seconds
#remote_user = root # ansible remote authentication user
#log_path = /var/log/ansible.log    # file in which logs are stored
#module_name = command  # default module executed by ansible

#executable = /bin/sh   # shell used by ansible to execute commands

# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together?  The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace   # how ansible handles duplicate host variables

# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#private_role_vars = yes

#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n  # list of Jinja2 extensions

#private_key_file = /path/to/file   # ansible SSH private key file

# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file


#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host} # format of the ansible_managed variable in jinja2
#ansible_managed = Ansible managed

#display_skipped_hosts = True   # show skipped hosts

# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args.  This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed.  If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#display_args_to_stdout = False

#error_on_undefined_vars = False    # raise an error on undefined variables

#system_warnings = True # enable system warnings about third-party packages

#deprecation_warnings = True    # whether to show deprecation warnings

# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead.  These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string.  This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False


# set plugin path directories here, separate with colons
#action_plugins     = /usr/share/ansible/plugins/action # ansible action plugin path
#become_plugins     = /usr/share/ansible/plugins/become
#cache_plugins      = /usr/share/ansible/plugins/cache
#callback_plugins   = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins     = /usr/share/ansible/plugins/lookup
#inventory_plugins  = /usr/share/ansible/plugins/inventory
#vars_plugins       = /usr/share/ansible/plugins/vars
#filter_plugins     = /usr/share/ansible/plugins/filter
#test_plugins       = /usr/share/ansible/plugins/test
#terminal_plugins   = /usr/share/ansible/plugins/terminal
#strategy_plugins   = /usr/share/ansible/plugins/strategy


# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#strategy = free

#bin_ansible_callbacks = False  # let the ansible command load callback plugins

#nocows = 1 # whether to enable ansible nocows (no cowsay graphic)

# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#cow_selection = default
#cow_selection = random

# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
#       in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
#              hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
#              stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www

#nocolor = 1    # whether ansible colour output is enabled

# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored.  This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact_caching = memory

#This option tells Ansible where to cache facts. The value is plugin dependent.
#For the jsonfile plugin, it should be a path to a local directory.
#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0

#fact_caching_connection=/tmp



# retry files
# When a playbook fails a .retry file can be created that will be placed in ~/
# You can enable this feature by setting retry_files_enabled to True
# and you can change the location of the files by setting retry_files_save_path

#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry

# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper

# prevents logging of task data, off by default
#no_log = False

# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
#no_target_syslog = False

# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine.  This option is False by default for security.  Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x.  See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False

# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#var_compression_level = 9

# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system.  The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#module_compression = 'ZIP_DEFLATED'

#max_diff_size = 1048576    # size limit of diff files in bytes

# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI.  If this is True then multiple arguments are merged together.  If
# it is False, then the last specified argument is used and the others are ignored.
# This option will be removed in 2.8.
#merge_multiple_cli_flags = True

# Controls showing custom stats at the end, off by default
#show_custom_stats = True

# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo

# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#network_group_modules=eos, nxos, ios, iosxr, junos, vyos

# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#allow_unsafe_lookups = False

# set default errors for all plays
#any_errors_fatal = False

[inventory]
# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
#enable_plugins = host_list, virtualbox, yaml, constructed

# ignore these extensions when parsing a directory as inventory source
#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry

# ignore files matching these patterns when parsing a directory as inventory source
#ignore_patterns=

# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
#unparsed_is_failed=False

[privilege_escalation]
#become=True    # whether to enable become mode
#become_method=sudo # become method
#become_user=root   # become user
#become_ask_pass=False  # whether to prompt for the become password

[paramiko_connection]

#record_host_keys=False # whether to record host keys

#pty=False  # whether to run commands in a pseudo-terminal

# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices.  This is a problem for some network devices
# that close the connection after a key failure.  Uncomment this line to
# disable the Paramiko look for keys function
#look_for_keys = False

# When using persistent connections with Paramiko, the connection runs in a
# background process.  If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key.  This will cause connections
# running in background processes to fail.  Uncomment this line to have
# Paramiko automatically add host keys.
#host_key_auto_add = True

[ssh_connection]
# SSH connection settings
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s  # ansible ssh arguments; ControlMaster sets whether SSH multiplexing is enabled (no to disable), ControlPersist is how long the SSH session is kept alive

# control_path_dir = /tmp/.ansible/cp   # ansible ssh persistent connection control files
#control_path_dir = ~/.ansible/cp

# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
#
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path =

#pipelining = False # whether to enable pipelining mode

#scp_if_ssh = smart # whether to push scripts with scp; smart (try sftp first, then scp)

# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
#   * sftp  = use sftp to transfer files
#   * scp   = use scp to transfer files
#   * piped = use 'dd' over SSH to transfer files
#   * smart = try sftp, scp, and piped, in that order [default]
#transfer_method = smart

# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#sftp_batch_mode = False

# The -tt argument is passed to ssh when pipelining is not enabled because sudo 
# requires a tty by default. 
#usetty = True

#retries = 3    # number of SSH connection retries to a host

[persistent_connection]
# persistent connection settings
#connect_timeout = 30   # persistent connection timeout interval

# The command timeout value defines the amount of time to wait for a command
# or RPC call before timing out. The value for the command timeout must
# be less than the value of the persistent connection idle timeout (connect_timeout)
# The default value is 30 second.
#command_timeout = 30

[accelerate]
#accelerate_port = 5099 # accelerate mode remote listening port
#accelerate_timeout = 30    # accelerate mode command execution timeout in seconds
#accelerate_connect_timeout = 5.0   # accelerate mode connection timeout in seconds

# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30

# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes

[selinux]
# SELinux context settings
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
#libvirt_lxc_noseclabel = yes

[colors]
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan


[diff]
# always = no   # whether to always print the diff
# context = 3   # number of context lines shown in the diff
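As an added example (not from the original notes or from Ansible itself), the following script resolves which ansible.cfg would win under the precedence order listed earlier and then audits that file for the settings whose comments above describe them as security trade-offs (host_key_checking, allow_world_readable_tmpfiles, allow_unsafe_lookups, display_args_to_stdout, host_key_auto_add). The rule of skipping ./ansible.cfg in a world-writable directory is Ansible's own behaviour; the function names and file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes or from Ansible itself): resolve
# which ansible.cfg would be loaded under the precedence order listed earlier,
# then flag uncommented settings that weaken the protections described above.

# resolve_ansible_cfg [cwd] [home]: print the winning config path, exit 1 if none.
# Order: $ANSIBLE_CONFIG, <cwd>/ansible.cfg, <home>/.ansible.cfg, /etc/ansible/ansible.cfg.
# Like Ansible, skip <cwd>/ansible.cfg when that directory is world-writable (anyone could plant one).
resolve_ansible_cfg() {
    cwd=${1:-$PWD}
    home=${2:-$HOME}
    if [ -n "$ANSIBLE_CONFIG" ] && [ -f "$ANSIBLE_CONFIG" ]; then
        printf '%s\n' "$ANSIBLE_CONFIG"
        return 0
    fi
    if [ -f "$cwd/ansible.cfg" ]; then
        # -perm -002: the "other" write bit is set on the directory
        if [ -n "$(find "$cwd" -prune -perm -002)" ]; then
            echo "ignoring $cwd/ansible.cfg: directory is world-writable" >&2
        else
            printf '%s\n' "$cwd/ansible.cfg"
            return 0
        fi
    fi
    if [ -f "$home/.ansible.cfg" ]; then
        printf '%s\n' "$home/.ansible.cfg"
        return 0
    fi
    if [ -f /etc/ansible/ansible.cfg ]; then
        printf '%s\n' /etc/ansible/ansible.cfg
        return 0
    fi
    return 1
}

# audit_ansible_cfg <file>: print every uncommented setting that disables one of
# the protections the config comments describe; exit 1 if any were found.
audit_ansible_cfg() {
    cfg=$1
    found=0
    # key=value-regex pairs; matched case-insensitively because Ansible
    # accepts True/yes/1 and False/no/0 interchangeably
    for pair in \
        'host_key_checking=(false|no|0)' \
        'allow_world_readable_tmpfiles=(true|yes|1)' \
        'allow_unsafe_lookups=(true|yes|1)' \
        'display_args_to_stdout=(true|yes|1)' \
        'host_key_auto_add=(true|yes|1)'; do
        key=${pair%%=*}
        val=${pair#*=}
        # only lines that are not commented out; whitespace around '=' is optional
        line=$(grep -Ei "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}" "$cfg" | head -n 1)
        if [ -n "$line" ]; then
            echo "WARNING ($cfg): $line"
            found=1
        fi
    done
    return $found
}
```

Run it as `. ./ansible_cfg_check.sh; audit_ansible_cfg "$(resolve_ansible_cfg)"` from the project directory to see which file is in force and what it has switched off.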

Configuring password-less SSH access to the Linux hosts

To avoid entering a password every time Ansible issues instructions to a target host, set up certificate (key) based SSH access so that no password is needed. ssh-keygen generates the key pair quickly and ssh-copy-id distributes the public key.

Create the key on the control host by running ssh-keygen -t rsa; the keys are generated in /root/.ssh/, where id_rsa is the private key and id_rsa.pub the public key.

# generate the key pair
ssh-keygen  -t rsa

Distributing the key sends the control node's public key id_rsa.pub to the .ssh directory of the user on the managed node, renamed to authorized_keys, with permission 400.

# distribute the public key to web1 (192.168.46.128)
ssh-copy-id -i id_rsa [email protected]
# verify the ssh connection
ssh [email protected]
# exit
exit
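As an added check (not part of the original notes), after ssh-copy-id you can confirm on the managed node that the control node's public key really landed in authorized_keys and that the modes are ones sshd will accept; both paths are arguments, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): after ssh-copy-id, confirm on
# the managed node that the control node's public key is present in
# authorized_keys and that the modes are ones sshd will accept.

# key_installed <id_rsa.pub> <authorized_keys>: exit 0 if the key is installed.
# Only the base64 key blob is compared: ssh-copy-id appends the whole line, but
# the trailing comment may have been edited and option prefixes may be present.
key_installed() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] || return 1
    grep -v '^[[:space:]]*#' "$2" | grep -Fq -- "$blob"
}

# ssh_perms_ok <ssh_dir>: exit 0 when neither the directory nor authorized_keys
# is writable by group or others; with StrictModes (sshd's default) keys in such
# files are ignored, which shows up as an unexpected password prompt.
ssh_perms_ok() {
    dir=$1
    [ -d "$dir" ] && [ -f "$dir/authorized_keys" ] || return 1
    bad=$(find "$dir" "$dir/authorized_keys" -prune \( -perm -020 -o -perm -002 \))
    [ -z "$bad" ]
}

# verify_managed_node <id_rsa.pub> <ssh_dir>: run both checks and report which
# one failed so the cause of a password prompt is clear.
verify_managed_node() {
    if ! key_installed "$1" "$2/authorized_keys"; then
        echo "key from $1 is not in $2/authorized_keys" >&2
        return 1
    fi
    if ! ssh_perms_ok "$2"; then
        echo "$2 or its authorized_keys is group/world writable" >&2
        return 2
    fi
    echo "ok: key installed with safe permissions"
}
```

On web1 this would be called as `verify_managed_node /path/to/copied/id_rsa.pub /root/.ssh` with the control node's public key copied alongside for comparison.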

Ansible practice

Host connectivity test

Modify the host group configuration /etc/ansible/hosts: add the IP addresses of the two hosts and define a group named webservers that contains both.

192.168.46.128
192.168.46.129

[webservers]
192.168.46.128
192.168.46.129

Ping a single host with the ping module
ansible 192.168.46.128 -m ping

The result is as follows:

192.168.46.128 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

Ping the webservers group
ansible webservers -m ping

Append -v to the command for verbose output, or -vvv for even more detail.

The result is as follows:

192.168.46.128 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}
192.168.46.129 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

Batch run on the managed nodes

Create the inventory file inventory.cfg in the home directory

vim inventory.cfg

Its content is as follows:

[webservers]
192.168.46.128
192.168.46.129

Use Ansible's shell module to print hello ansible on the servers in the webservers group (the command module can also do this)

ansible webservers -m shell -a '/bin/echo hello ansible' -i inventory.cfg

The results are as follows:

192.168.46.128 | CHANGED | rc=0 >>
hello ansible

192.168.46.129 | CHANGED | rc=0 >>
hello ansible

Getting help with Ansible

ansible-doc -h    Get help

ansible-doc -l    List the modules that can be used

ansible-doc -s    Show the actions (options) a module supports

Summary

This chapter covered installing Ansible on CentOS in different ways, configuring Ansible parameters, and executing commands on the managed nodes with Ansible.

Origin www.cnblogs.com/wupeixuan/p/11504407.html