ansible
文章目录
- ansible
- 一、ansible Ad-Hoc 命令
- 1.命令格式
- 2.模块类型
- 3.联机帮助
- 4.常用模块
- 4.1 command & shell 模块
- 4.2 script 模块
- 4.3 copy 模块
- 4.4 yum_repository
- 4.5 yum 模块
- 4.6 systemd 模块
- 4.7 group 模块
- 4.8 user 模块
- 4.9 file 模块
- 4.10 cron 模块
- 4.11 template 模块
- 4.12 lineinfile
一、ansible Ad-Hoc 命令
Ad-Hoc 命令是什么呢? 这其实是一个概念性的名字,是相对于写 ansible playbook 来说的。类似于在命令行敲入shell 命令和 写shell script 两者之间的关系,可以用于执行一些临时命令。
如果我们敲入一些命令去比较快的完成一些事情,而不需要将这些执行的命令特别保存下来,这样的命令就叫做 ad-hoc。
ansible 提供两种方式去完成任务,一是 ad-hoc 命令,二是写 ansible playbook 。
前者可以解决一些简单的任务,后者解决较复杂的任务,比如做配置管理或部署。
1.命令格式
在上一篇快速入门中执行的 ansible 命令,类似于批量执行命令。
在 ansible 中统称为 ansible Ad-Hoc。
命令语法格式如下:
ansible pattern [-i inventory] -m module -a argument
- pattern 资产选择器
- -i 指定资产清单文件的位置
- -m 指定本次ansible ad-hoc 要执行的模块,可以类别成 shell 中的命令。
- -a 模块的参数,可以类比成 shell 中的命令参数
2.模块类型
ansible 模块分三种类型:核心模块(core module)、附加模块(extra module)及用户自定义模块(consume module)。
核心模块是由 ansible 的官方团队提供的,附加模块是由各个社区提供的。例如:OpenStack社区、docker 社区等等。
当核心模块和附加模块都无法满足你的需要时,用户可以自定义模块。
默认情况下,在安装 ansible 的时候,核心模块和附加模块都已经安装而无需用户干预。
3.联机帮助
ansible 的核心模块和附加模块,数量有1000+。这样庞大的模块数量,对于任何一个接触ansible的人都不太可能将其完全记住、掌握使用。因此,能够顺利使用ansible 的帮助文档,对我们来说是很有必要的。ansible 的帮助文档,由它本身提供的命令 ansible-doc 实现。
常用帮助参数
- 列举出所有的核心模块和附加模块
ansible-doc -l
- 查询某个模块的使用方法
ansible-doc modulename//ansible-doc后跟模块名
- 查询某个模块的使用方法,比较简介的信息
ansible-doc -s modulename//ansible-doc后跟模块名
例子
[root@master1 ~]# ansible-doc yum
> YUM (/usr/lib/python2.7/site-packages/ansible/modules/packaging/os/yum.py)
Installs, upgrade, downgrades, removes, and lists packages and groups with
the `yum' package manager. This module only works on Python 2. If you
require Python 3 support see the [dnf] module.
* This module is maintained by The Ansible Core Team
* note: This module has a corresponding action plugin.
OPTIONS (= is mandatory):
- allow_downgrade
Specify if the named package and version is allowed to downgrade a maybe
already installed higher version of that package. Note that setting
allow_downgrade=True can make this module behave in a non-idempotent way.
The task could end up with a set of packages that does not match the
complete list of specified packages to install (because dependencies
between the downgraded package and others can cause changes to the
packages which were in the earlier transaction).
[Default: no]
type: bool
version_added: 2.4
- autoremove
If `yes', removes all "leaf" packages from the system that were originally
installed as dependencies of user-installed packages but which are no
longer required by any such package. Should be used alone or when state is
`absent'
NOTE: This feature requires yum >= 3.4.3 (RHEL/CentOS 7+)
[Default: no]
type: bool
version_added: 2.7
- bugfix
If set to `yes', and `state=latest' then only installs updates that have
been marked bugfix related.
[Default: no]
version_added: 2.6
- conf_file
The remote yum configuration file to use for the transaction.
[Default: (null)]
^C
[root@master1 ~]# ansible-doc -s yum
- name: Manages packages with the `yum' package manager
yum:
allow_downgrade: # Specify if the named package and version is allowed to downgrade a
maybe already installed higher version
of that package. Note that setting
allow_downgrade=True can make this
module behave in a non-idempotent way.
The task could end up with a set of
packages that does not match the
complete list of specified packages to
install (because dependencies between
the downgraded package and others can
cause changes to the packages which were
in the earlier transaction).
autoremove: # If `yes', removes all "leaf" packages from the system that were
originally installed as dependencies of
user-installed packages but which are no
longer required by any such package.
Should be used alone or when state is
`absent' NOTE: This feature requires yum
>= 3.4.3 (RHEL/CentOS 7+)
bugfix: # If set to `yes', and `state=latest' then only installs updates that
have been marked bugfix related.
conf_file: # The remote yum configuration file to use for the transaction.
disable_excludes: # Disable the excludes defined in YUM config files. If set to `all',
disables all excludes. If set to `main',
disable excludes defined in [main] in
yum.conf. If set to `repoid', disable
excludes defined for given repo id.
disable_gpg_check: # Whether to disable the GPG checking of signatures of packages being
installed. Has an effect only if state
is `present' or `latest'.
disable_plugin: # `Plugin' name to disable for the install/update operation. The disabled
plugins will not persist beyond the
transaction.
disablerepo: # `Repoid' of repositories to disable for the install/update operation.
These repos will not persist beyond the
transaction. When specifying multiple
repos, separate them with a `","'. As of
Ansible 2.7, this can alternatively be a
list instead of `","' separated string
download_dir: # Specifies an alternate directory to store packages. Has an effect only
:
4.常用模块
为了便于演示和操作,现在把之前的测试主机IP地址 192.168.200.182 和 192.168.200.183 保存到当前目录下的hosts文件中。
[root@master1 ~]# cat hosts
[master_servers]
192.168.200.182
[web_servers]
192.168.200.183
4.1 command & shell 模块
两个模块都是在远程服务器上去执行命令,但是 command 模块是 ad-hoc 的默认模块,在执行 ad-hoc 时,若不指定模块的名字则默认使用此模块。
[root@master1 ~]# ansible all -i hosts -a "echo 'hello word'"
192.168.200.183 | CHANGED | rc=0 >>
hello word
192.168.200.182 | CHANGED | rc=0 >>
hello word
[root@master1 ~]# ansible all -i hosts -a "hostname -i"
192.168.200.183 | CHANGED | rc=0 >>
192.168.200.183 192.168.122.1 fe80::2e53:1e73:716d:c608%ens32 fe80::5d99:b781:21b8:139b%ens32 fe80::8054:e8a7:a00d:e7f5%ens32
192.168.200.182 | CHANGED | rc=0 >>
192.168.200.182 192.168.122.1 fe80::2e53:1e73:716d:c608%ens32 fe80::5d99:b781:21b8:139b%ens32 fe80::8054:e8a7:a00d:e7f5%ens32
[root@master1 ~]# ansible all -i hosts -m shell -a "hostname -i"
192.168.200.183 | CHANGED | rc=0 >>
192.168.200.183 192.168.122.1 fe80::2e53:1e73:716d:c608%ens32 fe80::5d99:b781:21b8:139b%ens32 fe80::8054:e8a7:a00d:e7f5%ens32
192.168.200.182 | CHANGED | rc=0 >>
192.168.200.182 192.168.122.1 fe80::2e53:1e73:716d:c608%ens32 fe80::5d99:b781:21b8:139b%ens32 fe80::8054:e8a7:a00d:e7f5%ens32
两个模块的差异
- shell 模块可以执行 shell 的内置命令 和 特性(比如管道符)。
- command 模块无法执行 shell 的内置命令和特性
[root@master1 ~]# ansible all -i hosts -m shell -a "echo 'hello word'|grep -o 'llo'"
192.168.200.183 | CHANGED | rc=0 >>
llo
192.168.200.182 | CHANGED | rc=0 >>
llo
[root@master1 ~]# ansible all -i hosts -a "echo 'hello word'|grep -o 'llo'"
192.168.200.183 | CHANGED | rc=0 >>
hello word|grep -o llo
192.168.200.182 | CHANGED | rc=0 >>
hello word|grep -o llo
4.2 script 模块
将管理节点上的脚本传递到被管理节点(远程服务器)上进行执行,理论上此模块的执行完全不需要被管理服务器上有Python。
栗子
管理节点上的一个脚本
[root@master1 ~]# echo "touch /tmp/testfile" > test.sh
[root@master1 ~]# cat test.sh
touch /tmp/testfile
[root@master1 ~]# ansible web_servers -i hosts -m script -a "/root/test.sh"
192.168.200.183 | CHANGED => {
"changed": true,
"rc": 0,
"stderr": "Shared connection to 192.168.200.183 closed.\r\n",
"stderr_lines": [
"Shared connection to 192.168.200.183 closed."
],
"stdout": "",
"stdout_lines": []
}
[root@master1 ~]# ansible web_servers -i hosts -m shell -a "ls /tmp/*"
192.168.200.183 | CHANGED | rc=0 >>
/tmp/test.conf
/tmp/testfile
4.3 copy 模块
copy 模块的主要用于管理节点和被管理节点之间的文件拷贝。
经常使用到的参数如下:
- src 指定拷贝文件的源地址
- dest 指定拷贝文件的目标地址
- backup 拷贝文件前,若原目标文件发生变化,则对目标文件进行备份
- woner 指定新拷贝文件的所有者
- group 指定拷贝文件的所有组
- mode 指定新拷贝文件的权限
栗子
- copy 管理节点上的 CentOS-Base.repo 到被管理节点上
准备环境,删除CentOS-Base.repo
[root@web3 ~]# cd /etc/yum.repos.d/
[root@web3 yum.repos.d]# ls
CentOS-Base.repo epel.repo percona-original-release.repo zabbix.repo
CentOS-Base.repo.bak epel-testing.repo percona-prel-release.repo
[root@web3 yum.repos.d]# rm -rf CentOS-Base.repo
[root@web3 yum.repos.d]# ls
CentOS-Base.repo.bak epel-testing.repo percona-prel-release.repo
epel.repo percona-original-release.repo zabbix.repo
[root@master1 ~]# cat CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/os/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/os/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#released updates
[updates]
name=CentOS-$releasever - Updates - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/updates/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/updates/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/extras/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/centosplus/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/centosplus/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib - mirrors.aliyun.com
failovermethod=priority
baseurl=http://mirrors.aliyun.com/centos/$releasever/contrib/$basearch/
http://mirrors.aliyuncs.com/centos/$releasever/contrib/$basearch/
http://mirrors.cloud.aliyuncs.com/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-7
[root@master1 ~]# ansible web_servers -i hosts -m copy -a "src=./CentOS-Base.repo dest=/etc/yum.repos.d/CentOS-Base.repo"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 0,
"group": "root",
"md5sum": "4861d3b742e8e8c05b67e3abf7904f17",
"mode": "0644",
"owner": "root",
"size": 2524,
"src": "/root/.ansible/tmp/ansible-tmp-1673270190.11-33398-26615270475966/source",
"state": "file",
"uid": 0
}
[root@master1 ~]# ansible web_servers -i hosts -m shell -a "ls /etc/yum.repos.d/"
192.168.200.183 | CHANGED | rc=0 >>
CentOS-Base.repo
CentOS-Base.repo.bak
epel.repo
epel-testing.repo
percona-original-release.repo
percona-prel-release.repo
zabbix.repo
- copy前,在被管理节点上对原文件进行备份
//如果从管理节点拷贝的文件和被管理节点的文件一样则不进行备份
[root@master1 ~]# ansible web_servers -i hosts -m copy -a "src=./CentOS-Base.repo dest=/etc/yum.repos.d/CentOS-Base.repo backup=yes"
192.168.200.183 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"path": "/etc/yum.repos.d/CentOS-Base.repo",
"size": 2524,
"state": "file",
"uid": 0
}
//在修改被管理节点的文件之后进行备份会产生这样一个 CentOS-Base.repo.14606.2023-01-09@21:28:37~ 备份文件
[root@web3 yum.repos.d]# cat CentOS-Base.repo
11111111111111111111
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
...
...
...
[root@master1 ~]# ansible web_servers -i hosts -m copy -a "src=./CentOS-Base.repo dest=/etc/yum.repos.d/CentOS-Base.repo backup=yes"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"backup_file": "/etc/yum.repos.d/CentOS-Base.repo.14606.2023-01-09@21:28:37~",
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 0,
"group": "root",
"md5sum": "4861d3b742e8e8c05b67e3abf7904f17",
"mode": "0644",
"owner": "root",
"size": 2524,
"src": "/root/.ansible/tmp/ansible-tmp-1673270915.72-33590-30442164385151/source",
"state": "file",
"uid": 0
}
[root@web3 yum.repos.d]# ls
CentOS-Base.repo epel.repo percona-prel-release.repo
CentOS-Base.repo.14606.2023-01-09@21:28:37~
- copy 文件的同时对文件进行用户及用户组设置
[root@master1 ~]# ansible all -i hosts -m copy -a "src=./CentOS-Base.repo dest=/etc/yum.repos.d/CentOS-Base.repo owner=nobody group=nobody"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 99,
"group": "nobody",
"mode": "0644",
"owner": "nobody",
"path": "/etc/yum.repos.d/CentOS-Base.repo",
"size": 2524,
"state": "file",
"uid": 99
}
192.168.200.182 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 99,
"group": "nobody",
"md5sum": "4861d3b742e8e8c05b67e3abf7904f17",
"mode": "0644",
"owner": "nobody",
"size": 2524,
"src": "/root/.ansible/tmp/ansible-tmp-1673271534.19-33724-52904985586713/source",
"state": "file",
"uid": 99
}
- copy 文件的同时对文件进行权限设置
[root@master1 ~]# ansible all -i hosts -m copy -a "src=./CentOS-Base.repo dest=/etc/yum.repos.d/CentOS-Base.repo mode=0755"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 99,
"group": "nobody",
"mode": "0755",
"owner": "nobody",
"path": "/etc/yum.repos.d/CentOS-Base.repo",
"size": 2524,
"state": "file",
"uid": 99
}
192.168.200.182 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "f0a8c5a7d3059c17cebf7d0359a20c034204ee37",
"dest": "/etc/yum.repos.d/CentOS-Base.repo",
"gid": 99,
"group": "nobody",
"mode": "0755",
"owner": "nobody",
"path": "/etc/yum.repos.d/CentOS-Base.repo",
"size": 2524,
"state": "file",
"uid": 99
}
4.4 yum_repository
添加 YUM 仓库
常用参数
name仓库名称就是仓库文件中第一行中括号中的名称,必须的参数。description仓库描述信息,添加时必须的参数baseurlyum 存储 “repodata” 目录所在目录的URL,添加时必须的参数,它也可以是多个URL的列表。- file 仓库文件保存到被管理节点的文件名,不包含
.rep。默认是name的值。 - state present 确认添加仓库文件,absent 确认删除仓库文件。
- gpgcheck 是否 GPG yes|no,没有默认值,使用
/etc/yum.conf中的配置。
栗子
添加 epel 源
[root@master1 ~]# ansible web_servers -i hosts -m yum_repository -a "name=epel baseurl='http://mirrors.aliyun.com/epel/7/$basearch' description='Extra Packages for Enterprise Linux 7 - $basearch'"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"repo": "epel",
"state": "present"
}
删除 epel 源
[root@master1 ~]# ansible web_servers -i hosts -m yum_repository -a "name=epel state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"repo": "epel",
"state": "absent"
}
4.5 yum 模块
等同于 Linux 上的 YUM 命令,对远程服务器上RPM包进行管理。
常用参数:
-
name 要安装的软件包名,多个软件包以英文逗号( ,)隔开
-
state 对当前指定的软件安装、移除操作(present installed latest absent removed)
支持的参数 -present 确认已经安装,但不升级 -installed 确认已经安装 -latest 确保安装,且升级为最新 -absent 和 removed 确认已经移除
栗子
- 安装一个软件包
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name=nginx state=present"
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name=nginx state=latest"
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name=nginx state=installed"
- 移除一个软件包
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name=nginx state=absent"
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name=nginx state=removed"
- 安装一个软件包组
[root@master1 yum.repos.d]# ansible web_servers -i hosts -m yum -a "name='@Development tools' state=present"
4.6 systemd 模块
CentOS6 之前的版本使用 service 模块
使用 ansible-doc service 命令查看帮助信息
管理远程节点上的 systemd 服务,就是由 systemd 所管理的服务。
常用参数:
- daemon_reload 重新载入 systemd,扫描新的或变动的单元
- enable 是否开机自启动 yes| no
- name 必须项,服务名称,比如 httpd vsftpd
- state 对当前服务执行启动、停止、重启、重新加载等操作(started、stopped、restarted、reloaded)
栗子
- 重新加载 systemd
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "daemon_reload=yes"
192.168.200.183 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"name": null,
"status": {}
}
- 启动 Nginx 服务
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "name=nginx state=started"
- 关闭 Nginx 服务
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "name=nginx state=stopped"
- 重启 Nginx 服务
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "name=nginx state=restarted"
- 重新加载 Nginx 服务
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "name=nginx state=reloaded"
- 将 Nginx 服务设置开机自启动
[root@master1 ~]# ansible web_servers -i hosts -m systemd -a "name=nginx enabled=yes"
4.7 group 模块
在被管理节点上,对组进行管理。
常用参数:
- name 组名称,必须的
- system 是否为系统,yes/no ,默认是 no
- state 删除或者创建,present/absent,默认是 present
栗子
- 创建普通组 db_admin
[root@master1 ~]# ansible web_servers -i hosts -m group -a "name=db_admin"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 1027,
"name": "db_admin",
"state": "present",
"system": false
}
[root@web3 yum.repos.d]# tail -1 /etc/group //查看是否有这个组
db_admin:x:1027:
4.8 user 模块
用于在被管理节点上对用户进行管理。
常用参数:
- name 必须的参数,指定用户名
- password 设置用户的密码,这里接受的是一个加密的值,因为会直接存到 shadow,默认不设置密码
- update_passwd 假如设置的密码不同于原密码,则会更新密码,在1.3中被加入
- home 指定用户的家目录
- shell 设置用户的shell
- comment 用户的描述信息
- create_home 在创建用户时,是否创建其家目录。默认创建,假如不创建,设置为no。2.5版本之前使用 createhome
- group 设置用户的主组
- groups 将用户加入到多个其他组中,多个用逗号隔开。默认会把用户从其他已经加入的组中删除。
- append yes | no 和 groups 配合使用,yes时,不会把用户从其他已经加入的组中删除
- system 设置为yes时,将会创建一个系统账号
- expires 设置用户的过期时间,值为时间戳,会转为天数后,放在 shadow 的第 8 个字段里
- generate_ssh_key 设置为 yes 将会为用户生成秘钥,这不会覆盖原来的秘钥
- ssh_key_type 指定用户的秘钥类型,默认 rsa ,具体的类型取决于被管理节点
- state 删除或添加用户,present 为添加,absent为删除;默认值为 yes
- remove 当与 state=absent 一起使用,删除一个用户及关联的目录,比如家目录,邮箱目录。可选的值为:yes/no
栗子
- 创建用户并设置密码
先生成加密秘钥
[root@master1 ~]# pass=$(echo "123456" | openssl passwd -1 -stdin)
[root@master1 ~]# echo $pass
$1$aE3ITpQq$IWQae8QuFW2tmNUF7ZsnI/
- 执行 ansible 命令 创建用户 yuting 并设置密码
[root@master1 ~]# ansible web_servers -i hosts -m user -a "name=yuting password=${pass}"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1028,
"home": "/home/yuting",
"name": "yuting",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1027
}
//查看用户和密码是否创建成功
[root@web3 yum.repos.d]# tail -1 /etc/passwd
yuting:x:1027:1028::/home/yuting:/bin/bash
[root@web3 yum.repos.d]# tail -1 /etc/shadow
yuting:$1$aE3ITpQq$IWQae8QuFW2tmNUF7ZsnI/:19366:0:99999:7:::
- 创建用户 apple,并且为其创建秘钥对,同时秘钥类型为:ecdsa
[root@master1 ~]# ansible all -i hosts -m user -a "name=apple generate_ssh_key=yes ssh_key_type=ecdsa"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1029,
"home": "/home/apple",
"name": "apple",
"shell": "/bin/bash",
"ssh_fingerprint": "256 SHA256:SeiUNcQPxrK0e/p5fft4FGhcqS+xCScpeGdyQaLUfkA ansible-generated on web3 (ECDSA)",
"ssh_key_file": "/home/apple/.ssh/id_ecdsa",
"ssh_public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGw7OIwf9nP5BViUJx4nXyvMSOQpbRJs6ScxKM3eC/WV6pwFPjph4aVCw6aeiBral7myGV7M2Lf96chItO6i2d4= ansible-generated on web3",
"state": "present",
"system": false,
"uid": 1028
}
192.168.200.182 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1027,
"home": "/home/apple",
"name": "apple",
"shell": "/bin/bash",
"ssh_fingerprint": "256 SHA256:8F9uplMMTBsjJM5XmCsIPu4lm9ybt/MFg+p+c2t0F/c ansible-generated on master2 (ECDSA)",
"ssh_key_file": "/home/apple/.ssh/id_ecdsa",
"ssh_public_key": "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKJmFQzvGtf6vpp8DiGOS6xagfSa+0nxRhDhJNbdVJ4WcGJwheqK7nzI2nJ4dnNdfunwufEJfhuqSTnrxh7btJk= ansible-generated on master2",
"state": "present",
"system": false,
"uid": 1027
}
- 创建用户 jon,并且设置其有效期到 2020年4月15日, 加入到组 db_admin 中,不改变用户原有加入的组。
[root@master1 ~]# ansible web_servers -i hosts -m user -a "name=jon expires=$(date +%s -d 20230110) groups=db_admin"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1030,
"groups": "db_admin",
"home": "/home/jon",
"name": "jon",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1029
}
[root@web3 yum.repos.d]# id jon
uid=1029(jon) gid=1030(jon) 组=1030(jon),1027(db_admin)
[root@web3 yum.repos.d]# tail -1 /etc/shadow
jon:!!:19366:0:99999:7::19366:
date 命令说明
//计算 3 小时之后是几点几分
#date +%T -d '3 hours'
//任意日期的前 N 天,后N天的具体日期
#date +%F -d "20230110 1 day"
#date +%F -d "20230110 -1 day"
//计算两个日期相差天数,比如计算生日距离现在还有多少天
#d1=$(date +%s -d 20230110)
#d2=$(date +%s -d 20230601)
#echo $((d1-d2))/86400
4.9 file 模块
file 模块主要用于远程主机上的文件操作
常用参数:
- owner 定义文件/目录的属主
- groups 定义文件/目录的属组
- mode 定义文件/目录的权限
- path 必须项,定义文件/目录的路径
- recurse 递归的设置文件的属性,只对目录有效
- src 链接(软/硬)文件的源文件的路径,只应用于state=link的情况
- dest 被链接到的路径,只应用于state 的情况
- state
1、directory 如果目录不存在,创建目录
2、file 文件不存在,则不会被创建,存在则返回文件的信息,常用于检查文件是否存在。
3、link 创建软链接
4、hard 创建硬链接
5、touch 如果文件不存在,则会创建一个新的文件,如果文件或目录已存在,则更新其最后修改时间
6、absent 删除目录、文件或者取消链接文件
栗子
- 创建一个文件
[root@master1 ~]# ansible web_servers -i hosts -m file -a "path=/tmp/abc.conf state=touch"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dest": "/tmp/abc.conf",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"size": 0,
"state": "file",
"uid": 0
}
- 改变文件所有者及权限
[root@master1 ~]# ansible web_servers -i hosts -m file -a "path=/tmp/abc.conf owner=nobody mode=0644"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "nobody",
"path": "/tmp/abc.conf",
"size": 0,
"state": "file",
"uid": 99
}
- 创建一个软链接
[root@master1 ~]# ansible web_servers -i hosts -m file -a "src=/tmp/abc.conf dest=/tmp/link.conf state=link"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"dest": "/tmp/link.conf",
"gid": 0,
"group": "root",
"mode": "0777",
"owner": "root",
"size": 13,
"src": "/tmp/abc.conf",
"state": "link",
"uid": 0
}
[root@master1 ~]# ansible web_servers -i hosts -m shell -a "ls -l /tmp |grep abc.conf"
192.168.200.183 | CHANGED | rc=0 >>
-rw-r--r-- 1 root root 0 1月 10 01:25 abc.conf
lrwxrwxrwx 1 root root 13 1月 10 01:25 link.conf -> /tmp/abc.conf
- 创建一个目录
[root@master1 ~]# ansible web_servers -i hosts -m file -a "path=/tmp/testdir state=directory"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"gid": 0,
"group": "root",
"mode": "0755",
"owner": "root",
"path": "/tmp/testdir",
"size": 6,
"state": "directory",
"uid": 0
}
- 取消一个链接
[root@master1 ~]# ansible web_servers -i hosts -m file -a "src=/tmp/abc.conf dest=/tmp/link.conf state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"path": "/tmp/link.conf",
"state": "absent"
}
删除一个文件
[root@master1 ~]# ansible web_servers -i hosts -m file -a "path=/tmp/abc.conf state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"path": "/tmp/abc.conf",
"state": "absent"
}
4.10 cron 模块
管理远程节点的 cron 服务,等同于 Linux 中的任务计划。
注意:使用 ansible 创建的计划任务不能使用本地 crontab -e 编辑,否则 ansible 无法再次操作他。
常用参数:
- name 指定一个cron job 的名字,一定要指定,便于之后删除。
- minute 指定分钟,可以设置成(0~59,* ,*/2)格式,默认是 *,也就是每分钟。
- hour 指定小时,可以设置成(0~23,* ,*/2)格式,默认是 *,也就是每小时。
- day 指定天,可以设置成(1~31,* ,*/2)格式,默认是 *,也就是每天。
- month 指定月份,可以设置成(1~12,* ,*/2)格式,默认是 *,也就是每月。
- weekday 指定星期,可以设置成(0~6 for Sunday-Saturday,* 等) 格式,默认是 *,也就是每个星期。
- job 指定要执行的内容,通常可以写个脚本,或者一段内容。
- state 指定这个 job 的状态,可以是新增(present)或者是删除(absent),默认为新增(present)。
栗子
- 新创建一个 cron job 任务
[root@master1 ~]# ansible web_servers -i hosts -m cron -a "name='create new job' minute='0' job='ls -alh > /dev/null'"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": [
"create new job"
]
}
//产看定时任务
[root@web3 yum.repos.d]# crontab -l
#Ansible: create new job
0 * * * * ls -alh > /dev/null
- 删除定时任务
//删除一个 cron job 任务,删除时一定要指定job的name参数,以免误删除。
[root@master1 ~]# ansible web_servers -i hosts -m cron -a "name='create new job' minute='0' state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"envs": [],
"jobs": []
}
[root@web3 yum.repos.d]# crontab -l
[root@web3 yum.repos.d]#
4.11 template 模块
template 模块使用了 jinjia2格式作为文件模板,可以进行文档内变量的替换。它的每次使用都会被ansible 标记为 “changed” 状态,文件以.j2结尾。
常用参数:
- src 指定ansible 控制端的文件路径
- dest 指定 ansible 被控制端的文件路径
- owner 指定文件的属性
- group 指定文件的属组
- mode 指定文件的权限
- backup 创建一个包含时间戳信息的备份文件,这样如果以某种方式错误破坏l原始文件,可以将其恢复原样。yes/no
栗子
用法和copy 模板基本一样,template 模板的强大之处就是使用变量替换,就是可以把传递给 ansible 的变量的值替换到模板文件中。
//1.建立一个 tmplate 文件,名为 hello_world.j2
[root@master1 ~]# cat hello_world.j2
Hello {{var}} !
//2.执行命令,并且设置变量 var 的值 为 wrold
[root@master1 ~]# ansible web_servers -i hosts -m template -a "src=hello_world.j2 dest=/tmp/hello_world.world" -e "var=world"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"checksum": "5eb2f40ccd931ea010260c7cd37e7063fdb6edf9",
"dest": "/tmp/hello_world.world",
"gid": 0,
"group": "root",
"md5sum": "c67d1f13ee82b598bb829e228789d84f",
"mode": "0644",
"owner": "root",
"size": 14,
"src": "/root/.ansible/tmp/ansible-tmp-1673287840.66-37392-224661082000520/source",
"state": "file",
"uid": 0
}
//3.在被管理节点主机上进行验证
[root@web3 ~]# cat /tmp/hello_world.world
Hello world !
4.12 lineinfile
在被管理节点上,用正则匹配的方式对目标文件的一行内容修改删除等操作。
如果是在一个文件中把所有匹配到的多行都进行统一处理,请参考 replace 模块。
如果想对文件中的多行进行添加/更新/删除等操作,参考 blockinfile 模块
常用参数
- path 在被管理节点的目标文件路径,必须
- state 可选值 absent 删除 | present 替换(默认值)。
- regexp 在文件的每一行中查找的正则表达式。对于 state = present,仅找到的最后一行将被替换。
- line 要在文件中插入/替换的行,需要
state =present。 - create 文件不存在时,是否要创建文件并添加内容。yes/no
栗子
删除被管理控制节点文件里的某一条内容
[root@master1 ~]# ansible web_servers -i hosts -m lineinfile -a "path=/etc/sudoers regexp='^%wheel' state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"backup": "",
"changed": true,
"found": 1,
"msg": "1 line(s) removed"
}
替换某一行
[root@master1 ~]# ansible web_servers -i hosts -m lineinfile -a "path=/etc/selinux/config regexp='^SELINUX=' line='SELINUX=disable' state=present"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"backup": "",
"changed": true,
"msg": "line replaced"
}
[root@web3 ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disable
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@web3 ~]#
blockinfile
[root@master1 ~]# ansible web_servers -i hosts -m blockinfile -a "path=/etc/ssh/sshd_config block='[Default: False]'"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"msg": "Block inserted"
}
[root@master1 ~]#
[root@web3 ~]# tail /etc/ssh/sshd_config
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# BEGIN ANSIBLE MANAGED BLOCK
[Default: False]
# END ANSIBLE MANAGED BLOCK
删除
[root@master1 ~]# ansible web_servers -i hosts -m blockinfile -a "path=/etc/ssh/sshd_config block='[Default: False]' state=absent"
192.168.200.183 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"msg": "Block removed"
}
[root@web3 ~]# tail /etc/ssh/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
