1.ansible介绍
ssh秘钥认证+脚本批量管理,特点:简单、实用,
但是看起来比较LOW,需要人工写脚本,类似实时复制的inotify工具。
2013以前这种方式很普遍。
MySQL高可用 MHA集群,要求所有机器互相秘钥认证。
大数据集群也需要。
2.ansible能做什么?
ansible可以帮助我们完成一些批量任务,或者完成一些需要经常重复的工作。
比如:同时在100台服务器上安装nfs服务,并在安装后启动服务。
比如:将某个文件一次性拷贝到100台服务器上。
比如:每当有新服务器加入工作环境时,你都要为新服务器部署某个服务,也就是说你需要经常重复的完成相同的工作。
这些场景中我们都可以使用到ansible。
3.ansible软件特点:
ansible可以帮助我们完成一些批量任务,或者完成一些需要经常重复的工作。
比如:同时在100台服务器上安装nfs服务,并在安装后启动服务。
比如:将某个文件一次性拷贝到100台服务器上。
比如:每当有新服务器加入工作环境时,你都要为新服务器部署某个服务,也就是说你需要经常重复的完成相同的工作。
这些场景中我们都可以使用到ansible。
4.安装ansible
[root@m01 ~]# yum install ansible -y
.
配置ansible
[root@m01 ~]# vim /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
验证ansible
ansible是通过ssh端口探测通信
[root@m01 ~]# ansible oldboy -m ping
172.16.1.7 | SUCCESS => {
"changed": false,
"ping": "pong"
}
172.16.1.31 | SUCCESS => {
"changed": false,
"ping": "pong"
}
172.16.1.41 | SUCCESS => {
"changed": false,
"ping": "pong"
}
ansible命令参数介绍
Ansible中的临时命令的执行是通过Ad-Hoc来完成,能够快速执行,而且不需要保存执行的命令,例如:
ansible -i ~/hosts all -m command -a ‘who’ -u root
主要参数如下:
-u username 指定ssh连接的用户名,即执行后面命令的用户
-i inventory_file 指定所使用的inventory文件的位置,默认为/etc/ansible/hosts
-m module 指定使用的模块,默认为command
-f 10 指定并发数,并发量大的时候,提高该值
--sudo [-k] 当需要root权限执行的化,-k参数用来输入root密码
ansible模块查看和帮助
ansible模块查看和帮助*****
查找模块
ansible-doc -l #模块就Linux命令了。
查看某个模块的具体参数帮助
ansible-doc -s command #Linux命令参数
12.1 command模块 *****
1)功能说明:
command Executes a command on a remote node
功能说明:执行一个命令在远程节点上
操作实践:
ansible oldboy -m command -a "free -m"
ansible oldboy -m command -a "df -h"
ansible oldboy -m command -a "ls /root"
ansible oldboy -m command -a "cat redhat-release"
ansible oldboy -m command -a "cat /etc/redhat-release"
最通用的功能。
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/redhat-release"
172.16.1.7 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.31 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.41 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
目标:ansible是不是需要免秘钥认证(ssh免秘钥认证)? yes
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.7
还原ansible.cfg配置,重启服务器
[root@m01 ~]# ansible oldboy -m command -a "free -m"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)?
解决yes/no不需要输入问题:
修改ansible.cfg 374行:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
在执行报错:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
解决公钥问题:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
执行ansible命令:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
for ip in 31
do
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.31 "ifconfig eth0"
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 807 7 95 771
Swap: 767 0 767
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 71 804 7 96 768
Swap: 767 0 767
验证:删除公钥,是不是不可以了?
重启后,不行,重启前可以
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
"unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Could not create directory '/root/.ssh'.\r\nWarning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
修改Host增加用户和密码:
[root@m01 ~]# cat /etc/ansible/hosts
#[oldboy]
#172.16.1.31
#172.16.1.7
[oldboy_pass]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
结果:
[root@m01 ~]# ansible oldboy_pass -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 79 791 7 101 758
Swap: 767 0 767
172.16.1.7 | CHANGED | rc=0 >>
total used free shared buff/cache available
Mem: 972 69 806 7 95 771
Swap: 767 0 767
结论:使用SSH连接:
密码认证 host里主机后面加密码
秘钥认证:提前发公钥,才能用ansible. SSHPASS工具