====== Managing multiple hosts with Ansible ======

  * Control node environment:
    * CT - Ubuntu 20.04 LTS (2 vCore / 2G RAM / 20G SSD)
    * The Ansible definition files will be kept under git

===== Installation =====

  * <cli>
sudo apt install ansible git sshpass
</cli> Check the version: <cli>
jonathan@ct-ansible:~$ ansible --version
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
</cli>
  * Configure Ansible to write a host's SSH host key automatically on the first login: <cli>
sudo vi /etc/ansible/ansible.cfg
</cli><file>
[defaults]
:
:
# uncomment this to disable SSH key host checking
#host_key_checking = False
host_key_checking = False
:
</file>

===== Creating the inventory file inventory.yaml =====

  * Example: <file>
servers:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_port: 22
      ansible_user: root
      ansible_ssh_pass: "mypassword"
    h470:
      ansible_host: 192.168.11.252
      ansible_port: 22
      ansible_connection: ssh
      ansible_user: root
      ansible_ssh_pass: "mypassword"
</file>
  * Quick check: <cli>
$ ansible all -i inventory.yaml --list-hosts
  hosts (2):
    aac
    h470
</cli>

===== Writing the playbook =====

==== 1. upgrade.yaml ====

  * Installs the specified packages on the hosts of the servers group, upgrades the already-installed packages, and reboots the host automatically if the upgrade brought in a new kernel: <file>
- hosts: servers
  become: true
  become_user: root
  tasks:
    - name: Ansible apt to install multiple packages - LAMP
      register: updatesys
      apt:
        update_cache: yes
        name:
          - python3-apt
          - snmp
          - libsasl2-modules
        state: present
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes
    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no
    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists
</file>
  * Dry-run the playbook first (**with --check**): <cli>
ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
</cli> Output: <cli>
$ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [aac]
ok: [h470]

TASK [Ansible apt to install multiple packages - LAMP] **************************************************************************************************************************************
changed: [h470]
changed: [aac]

TASK [Update apt repo and cache on all Debian/Ubuntu boxes] *********************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Upgrade all packages on servers] ******************************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Check if a reboot is needed on all servers] *******************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Reboot the box if kernel updated] *****************************************************************************************************************************************************
skipping: [aac]
skipping: [h470]

PLAY RECAP **********************************************************************************************************************************************************************************
aac                        : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
h470                       : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
</cli>

===== FAQ =====

==== 1. How to encrypt login passwords such as ansible_ssh_pass ====

  * Use ''ansible-vault encrypt_string <login password> --ask-vault-pass'' to encrypt the password you want to protect (e.g. MyPassword), with KeyPass as the vault password used for decryption: <cli>
$ ansible-vault encrypt_string MyPassword --ask-vault-pass
New Vault password: KeyPass
Confirm New Vault password: KeyPass
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613230353861653733633761663630643564323330613263343061656163383731386364666366
          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
          61336333643663343535396339633165653334336236363032613130636537336664646535666666
          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
          3736
Encryption successful
</cli>
  * Replace the plaintext part of ansible_ssh_pass with this encrypted output. For example, <file>
:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_ssh_pass: "MyPassword"
:
</file> becomes <file>
:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_ssh_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613230353861653733633761663630643564323330613263343061656163383731386364666366
          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
          61336333643663343535396339633165653334336236363032613130636537336664646535666666
          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
          3736
:
</file>
  * ansible-playbook must then be run with **--ask-vault-pass** so that it prompts for the vault password (e.g. KeyPass): <cli>
$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
Vault password: KeyPass

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [nuc]
:
</cli>
  * Alternatively, run ansible-playbook with **--vault-password-file** pointing at a file that holds the vault password, e.g. .vault_pass: <cli>
$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass
</cli>

{{tag>ansible 自動化 大量部署}}

tech/ansible.txt · Last modified: 2023/12/29 17:40 by jonathan
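Added example (not part of this wiki page, and not Ansible's own code): a small Python check, meant to run before the inventory is committed to git, that flags ansible_ssh_pass / ansible_password values still stored as plaintext instead of as ''!vault'' ciphertext, and an active ''host_key_checking = False'' in ansible.cfg, since that setting accepts an unknown SSH host key on first connect without any verification. The function names are my own, and the sample inventory and cfg text are constructed to mirror the files shown above.

```python
# Added example, not from the original page: a pre-commit style check over the
# inventory.yaml and ansible.cfg formats shown above. It flags login secrets kept
# as literals instead of "!vault" ciphertext, and an active host_key_checking = False.
import re

# Credential keys; ansible_ssh_pass is the older alias used on this page.
SECRET_KEYS = {"ansible_ssh_pass", "ansible_password", "ansible_become_pass",
               "ansible_become_password", "ansible_sudo_pass"}
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$")

def find_plaintext_secrets(inventory_text):
    """Return [(line_no, host, key)] for secret keys whose value is a literal."""
    findings, stack = [], []  # stack: (indent, key) of the open nested mappings
    for line_no, raw in enumerate(inventory_text.splitlines(), 1):
        m = KEY_RE.match(raw)
        if not m:  # vault ciphertext lines and comments never look like "key:"
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:  # pop mappings we have left
            stack.pop()
        if key in SECRET_KEYS:
            # "!vault |" (ansible-vault output) or a "{{ lookup }}" is acceptable
            if not value.startswith(("!vault", "{{")):
                findings.append((line_no, stack[-1][1] if stack else "?", key))
        elif value == "":  # e.g. "hosts:" / "aac:" open a nested mapping
            stack.append((indent, key))
    return findings

def host_key_checking_disabled(cfg_text):
    """True if an uncommented ansible.cfg line switches host key checking off."""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = (s.strip().lower() for s in line.split("=", 1))
        if k == "host_key_checking" and v in ("false", "no", "0"):
            return True
    return False

# Constructed sample inputs mirroring the page: aac plaintext, h470 vaulted.
SAMPLE_INVENTORY = """servers:
  hosts:
    aac:
      ansible_ssh_pass: "mypassword"
    h470:
      ansible_ssh_pass: !vault |
        $ANSIBLE_VAULT;1.1;AES256
"""
SAMPLE_CFG = "[defaults]\n#host_key_checking = False\nhost_key_checking = False\n"
```

Running ''find_plaintext_secrets'' on the sample reports line 4 of host aac, while the vaulted h470 entry is accepted; ''host_key_checking_disabled'' returns True only for the uncommented line, not for the commented default.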