Differences

This shows you the differences between two versions of the page.

tech:ansible [2023/09/03 00:08] jonathan | tech:ansible [2023/12/29 17:40] (current version) jonathan
Line 1: Line 1:
-====== [Draft]運用 Ansible 進行多主機管理 ======+====== 運用 Ansible 進行多主機管理 ======
   * 管理端環境 :   * 管理端環境 :
     * CT - Ubuntu 20.04 LTS (2 vCore/ 2G RAM / 20G SSD)     * CT - Ubuntu 20.04 LTS (2 vCore/ 2G RAM / 20G SSD)
Line 6: Line 6:
 ===== 安裝程序 ===== ===== 安裝程序 =====
   * <cli>   * <cli>
-sudo apt install ansible git+sudo apt install ansible git sshpass
 </cli>確認版本<cli> </cli>確認版本<cli>
 jonathan@ct-ansible:~$ ansible --version jonathan@ct-ansible:~$ ansible --version
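Review bot: the `+sudo apt install ansible git sshpass` line adds sshpass without saying why; sshpass is only needed when Ansible logs in with a password (the `ansible_ssh_pass` variable the page later puts in inventory.yaml), so state that here and note that managed hosts that already trust the controller's SSH key need neither sshpass nor a stored login password.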
Line 16: Line 16:
   python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]   python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
 </cli> </cli>
 +  * 設定自動寫入第一次 ssh 登入主機的 host key <cli> 
 +sudo vi /etc/ansible/ansible.cfg 
 +</cli><file> 
 +[defaults] 
 +
 +
 +# uncomment this to disable SSH key host checking 
 +#host_key_checking = False 
 +host_key_checking = False 
 +
 +</file>
 ===== 建立主機清單檔 inventory.yaml ===== ===== 建立主機清單檔 inventory.yaml =====
   * Exp. <file>   * Exp. <file>
-pveserver:+servers:
   hosts:   hosts:
     aac:     aac:
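Review bot: the bullet text presents this as "write the host key automatically on the first SSH login", but `+host_key_checking = False` in /etc/ansible/ansible.cfg turns host key verification off for every connection Ansible makes, so a later change in a host's key (including a different machine answering under that address) is no longer reported. For a two-host lab the simplest fix is to keep the default and accept each host's key once with an interactive `ssh` before running Ansible; if unattended first contact is the goal, `[ssh_connection] ssh_args = -o StrictHostKeyChecking=accept-new` accepts unknown keys but still rejects changed ones (ssh_args replaces Ansible's default ssh options, so re-add any ControlMaster settings you rely on). The hunk also keeps the commented `#host_key_checking = False` line directly above the live one; drop the duplicate so the config reads cleanly.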
Line 34: Line 44:
 </file> </file>
   * 簡單驗證 <cli>   * 簡單驗證 <cli>
-$ ansible all -i test.yaml --list-hosts +$ ansible all -i inventory.yaml --list-hosts 
-  hosts (4):+  hosts (2):
     aac     aac
     h470     h470
 </cli> </cli>
  
 +===== 撰寫 playbook =====
 +==== 1. upgrade.yaml ====
 +  * 對 servers 群組主機指定安裝套件, 並針對以安裝套件進行更新, 如果有更新 Kernel 更新後自動重新開機<file>
 +- hosts: servers
 +  become: true
 +  become_user: root
 +  tasks:
 +    - name: Ansible apt to install multiple packages - LAMP
 +      register: updatesys
 +      apt:
 +        update_cache: yes
 +        name:
 +          - python3-apt
 +          - snmp
 +          - libsasl2-modules
 +        state: present
 +        
 +    - name: Update apt repo and cache on all Debian/Ubuntu boxes
 +      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
 +
 +    - name: Upgrade all packages on servers
 +      apt: upgrade=dist force_apt_get=yes
 +
 +    - name: Check if a reboot is needed on all servers
 +      register: reboot_required_file
 +      stat: path=/var/run/reboot-required get_md5=no
 +
 +    - name: Reboot the box if kernel updated
 +      reboot:
 +        msg: "Reboot initiated by Ansible for kernel updates"
 +        connect_timeout: 5
 +        reboot_timeout: 300
 +        pre_reboot_delay: 0
 +        post_reboot_delay: 30
 +        test_command: uptime
 +      when: reboot_required_file.stat.exists
 +</file>
 +  * 驗證執行命令(**加上 --check**) <cli>
 +ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
 +</cli>執行結果<cli>
 +$ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
 +
 +PLAY [servers] ******************************************************************************************************************************************************************************
 +
 +TASK [Gathering Facts] **********************************************************************************************************************************************************************
 +ok: [aac]
 +ok: [h470]
 +
 +TASK [Ansible apt to install multiple packages - LAMP] **************************************************************************************************************************************
 +changed: [h470]
 +changed: [aac]
 +
 +TASK [Update apt repo and cache on all Debian/Ubuntu boxes] *********************************************************************************************************************************
 +ok: [h470]
 +ok: [aac]
 +
 +TASK [Upgrade all packages on servers] ******************************************************************************************************************************************************
 +ok: [h470]
 +ok: [aac]
 +
 +TASK [Check if a reboot is needed on all servers] *******************************************************************************************************************************************
 +ok: [h470]
 +ok: [aac]
 +
 +TASK [Reboot the box if kernel updated] *****************************************************************************************************************************************************
 +skipping: [aac]
 +skipping: [h470]
 +
 +PLAY RECAP **********************************************************************************************************************************************************************************
 +aac                        : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
 +h470                       : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
 +</cli>
 +
 +===== 常見問題 =====
 +==== 1. 如何對 ansible_ssh_pass 這類登入密碼進行加密 ====
 +  * 使用 ansible-vault encrypt_string 登入密碼 --ask-vault-pass 方式來對要保護的密碼 Exp. MyPassword 產生加密, 並以 KeyPass 當解密密碼<cli>
 +$ ansible-vault encrypt_string MyPassword --ask-vault-pass
 +New Vault password: KeyPass
 +Confirm New Vault password: KeyPass
 +!vault |
 +          $ANSIBLE_VAULT;1.1;AES256
 +          63613230353861653733633761663630643564323330613263343061656163383731386364666366
 +          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
 +          61336333643663343535396339633165653334336236363032613130636537336664646535666666
 +          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
 +          3736
 +Encryption successful
 +</cli>
 +  * 將這加密後的內容取代 ansible_ssh_pass 原本的明碼部分 Exp. <file>
 +:
 +  hosts:
 +    aac:
 +      ansible_host: 192.168.11.249
 +      ansible_ssh_pass: "MyPassword"
 +:
 +</file>改成<file>
 +:
 +  hosts:
 +    aac:
 +      ansible_host: 192.168.11.249
 +      ansible_ssh_pass: !vault |
 +          $ANSIBLE_VAULT;1.1;AES256
 +          63613230353861653733633761663630643564323330613263343061656163383731386364666366
 +          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
 +          61336333643663343535396339633165653334336236363032613130636537336664646535666666
 +          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
 +          3736
 +:
 +</file>
 +  * 然後執行 ansible-playbook 後面必須加上 **--ask-vault-pass** 才會彈出讓你輸入解密密碼 Exp. KeyPass<cli>
 +$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
 +Vault password: KeyPass
 +
 +PLAY [servers] ******************************************************************************************************************************************************************************
 +
 +TASK [Gathering Facts] **********************************************************************************************************************************************************************
 +ok: [nuc]
 +:
 +</cli>
 +  * 也可以執行 ansible-playbook 後面加上 **--vault-password-file** 指定解密密碼檔案 Exp. .vault_pass<cli>
 +$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass
 +</cli>
 ===== 參考網址 ===== ===== 參考網址 =====
-  * https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-and-upgrading-ansible+  * https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html 
 +  * https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/ 
 +  * https://blog.yowko.com/ansible-bypass-fingerprint-check/ 
 +  * https://stackoverflow.com/questions/51622712/ansible-requires-python-apt-but-its-already-installed 
 +  * https://stackoverflow.com/questions/21870083/specify-sudo-password-for-ansible 
 +  * https://stackoverflow.com/questions/51771994/how-do-i-use-an-encrypted-variable-ansible-ssh-pass-in-an-ini-file 
 +  * https://stackoverflow.com/questions/30209062/ansible-how-to-encrypt-some-variables-in-an-inventory-file-in-a-separate-vault 
 +  * https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
  
-{{tag>自動化 大量部署}}+{{tag>ansible 自動化 大量部署}}
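Review bot: in the `--vault-password-file ./.vault_pass` step the vault password now sits in plain text next to inventory.yaml, so the encrypted `ansible_ssh_pass` is only as protected as that file; add a `chmod 600 .vault_pass` and say it must stay out of version control (git is installed in the setup step), otherwise the FAQ answer undoes its own protection. Smaller points in the same hunk: `register: updatesys` on the first apt task is never referenced; the task name "Ansible apt to install multiple packages - LAMP" does not match the packages it installs (python3-apt, snmp, libsasl2-modules); `get_md5=no` on the stat task is a deprecated option and can be dropped; the check run passes `-e ansible_python_interpreter=/usr/bin/python` while the two vault runs do not, so either both need it or neither; and the vault run output shows `ok: [nuc]` although `--list-hosts` above reports only aac and h470, which suggests that transcript came from a different inventory.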
  • tech/ansible.1693670883.txt.gz
• Last modified: 2023/09/03 00:08
  • jonathan