Preface
Through my work I came into contact with Ansible and actively drove its adoption in an enterprise production environment, independently taking on and delivering the project "Ansible-based automated host configuration management". Before that I had also worked with Puppet and SaltStack. This article will not debate the merits of open-source versus in-house solutions; the focus is on sharing the hands-on project experience I have accumulated with Ansible. If you run into any problems, feel free to get in touch via comments or other channels, and I will do my best to give a useful reply.
Ansible is Simple IT Automation
Change history
May 15, 2018 - initial draft
Read the original - https://wsgzao.github.io/post/ansible/
Further reading
ansible - https://docs.ansible.com/
A standard learning path for Ansible
Books on Ansible are gradually increasing in number, but because Ansible releases new versions frequently while its learning cost is low, my personal advice is to treat books as supplementary and the official documentation as primary.
Ansible is an IT automation tool. It can configure systems, deploy software, and orchestrate more advanced IT tasks such as continuous deployments or zero downtime rolling updates.
Ansible’s main goals are simplicity and ease-of-use. It also has a strong focus on security and reliability, featuring a minimum of moving parts, usage of OpenSSH for transport (with other transports and pull modes as alternatives), and a language that is designed around auditability by humans–even those not familiar with the program.
We believe simplicity is relevant to all sizes of environments, so we design for busy users of all types: developers, sysadmins, release engineers, IT managers, and everyone in between. Ansible is appropriate for managing all environments, from small setups with a handful of instances to enterprise environments with many thousands of instances.
Ansible manages machines in an agent-less manner. There is never a question of how to upgrade remote daemons or the problem of not being able to manage systems because daemons are uninstalled. Because OpenSSH is one of the most peer-reviewed open source components, security exposure is greatly reduced. Ansible is decentralized–it relies on your existing OS credentials to control access to remote machines. If needed, Ansible can easily connect with Kerberos, LDAP, and other centralized authentication management systems.
This documentation covers the current released version of Ansible and also some development version features. For recent features, we note in each section the version of Ansible where the feature was added.
Ansible releases a new major release of Ansible approximately every two months. The core application evolves somewhat conservatively, valuing simplicity in language design and setup. However, the community around new modules and plugins being developed and contributed moves very quickly, adding many new modules in each release.
Ansible Lightbulb is the getting-started material officially recommended by Ansible; a typical user needs only about 10-20 minutes to get started with it.
The Ansible Lightbulb project is an effort to provide a content toolkit and educational reference for effectively communicating and teaching Ansible topics.
Ansible Lightbulb - https://github.com/ansible/lightbulb
Ansible Documentation is the official Ansible documentation. My advice is not to be afraid of the English: look things up often and type the commands yourself in order to understand them.
Ansible Documentation - http://docs.ansible.com/ansible/latest/index.html
Open-source projects based on Ansible
The first is the official Ansible open-source project; the others are open-source operations platforms built around Ansible, recommended for study and reference.
Ansible - https://github.com/ansible/ansible
Jumpserver - http://www.jumpserver.org/
OpsManage - https://github.com/welliamcao/OpsManage
adminset - https://github.com/guohongze/adminset
Ansible in practice
The following content comes from the project "Ansible-based automated host configuration management". Ansible currently satisfies all baseline requirements of our production environment, so I believe it has some reference value.
Deploying ansible
Because the production environment is physically isolated from external networks, all installation and deployment is done offline.
# Install Packages
yum install gcc zlib zlib-devel openssl-devel -y
# Install Python
tar xf Python-2.7.14.tgz
cd Python-2.7.14
./configure
make
make install
cd ..
# renew python env (log out and back in so the newly installed python is picked up)
exit
# ImportError: No module named six.moves
tar xf six-1.11.0.tar.gz
cd six-1.11.0
python setup.py install
cd ..
# ImportError: No module named packaging.version
tar xf packaging-17.1.tar.gz
cd packaging-17.1
python setup.py install
cd ..
# ImportError: No module named pyparsing
tar xf pyparsing-2.2.0.tar.gz
cd pyparsing-2.2.0
python setup.py install
cd ..
# ImportError: No module named appdirs
tar xf appdirs-1.4.3.tar.gz
cd appdirs-1.4.3
python setup.py install
cd ..
# Install Setuptools
unzip setuptools-38.5.2.zip
cd setuptools-38.5.2
python setup.py install
cd ..
# Install pip
tar xf pip-9.0.1.tar.gz
cd pip-9.0.1
python setup.py install
cd ..
# pip offline download
# pip download -d DIR -r requirements.txt
pip download -d ~/ansible/ ansible
# pip offline install
# pip install --no-index --find-links=DIR -r requirements.txt
pip install --no-index --find-links=pip-ansible-2.3.3/ -r requirements.txt
pip install --no-index --find-links=pip-ansible-2.5.0/ -r requirements.txt -U
# pip offline install of pipenv
pip install --no-index --find-links=pip-pipenv/ pipenv
# create a virtual environment with pipenv
mkdir win_ansible
cd win_ansible
pipenv shell
pip install --no-index --find-links=pip-ansible-2.5.2/ -r requirements.txt
ansible.cfg configuration explained
ansible.cfg does not change the result of a run, but a sensible configuration noticeably improves efficiency.
# Config file paths (in order of precedence)
./ansible.cfg
/etc/ansible/ansible.cfg
# Config file contents (comments are on their own lines, since the INI parser does not strip "#" comments placed after a value)
[defaults]
#inventory = /etc/ansible/hosts
#log_path = /var/log/ansible.log
# number of parallel forks
forks = 100
# do not check the SSH host key when logging in
host_key_checking = False
# do not display skipped hosts
display_skipped_hosts = False
# do not create .retry files after a failed run
retry_files_enabled = False
# cache setup (facts) for 1 day (86400 s) to speed up runs
gathering = smart
fact_caching_timeout = 86400
fact_caching = jsonfile
fact_caching_connection = cachedir
Linux
- Control node OS: RHEL 6/7 (Windows cannot be used as the control node)
- Control node Python version: 2.7.14 (tested: no extra adjustment needed after installation)
- Ansible version: 2.3.3.0 (tested: 2.4 and later no longer support RHEL 5.5; clients need simplejson)
- Managed targets: currently mainly RHEL 5/6/7 (Windows uses a newer Ansible version)
- Baseline standard: see "Host Role Configuration Baseline v1.1.xlsx"
Control node
- OS version: RHEL 6/7
- Python version: 2.7.14
- Installation method: offline pip install of the dependency packages
Managed nodes
- OS version: RHEL 5/6/7
- No adjustment needed unless installed in minimal mode
- RHEL 5.5 needs simplejson installed
Core usage
# Check that ansible can reach the hosts
ansible-playbook -i hosts playbooks/ping.yml -v
# With the inventory configured, run the following to create the user and establish the trust relationship
ansible-playbook -i hosts playbooks/user/default.yml -v
# Configure time sync / processes and services / baseline files
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v --tags="repo"
ansible-playbook -i hosts playbooks/baseline/cfgset.yml -v --skip-tags="ntp,repo"
# Update system packages and patches
ansible-playbook -i hosts playbooks/baseline/pakset.yml -v
# Change user passwords
ansible-playbook -i hosts_changepw playbooks/user/changepw.yml -v -e "@userpass.json"
# Back up configuration; a custom date name is supported, default is "%Y%m%d"
ansible-playbook -i hosts backup/backup.yml -v
# Restore configuration; supports restoring all hosts or a subset from a dated directory
ansible-playbook -i hosts backup/restore.yml -v -e "var_backup_date=20180305"
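An added example of what a password-change playbook in the style of playbooks/user/changepw.yml can look like (this is not the author's playbook, which was not published); the JSON layout of userpass.json is an assumption, since the page does not show it. The point it demonstrates is hashing each password on the control node and using no_log so the plaintext never appears in -v output or in log_path:

```yaml
# Added example, not the author's playbooks/user/changepw.yml.
# Assumed (constructed) layout of the file passed with -e "@userpass.json":
#   {"userpass": [{"name": "appuser", "password": "ChangeMe-2018"}]}
# Written for the Ansible 2.3 syntax used on the Linux control node (with_items).
- name: Change local user passwords from userpass.json
  hosts: all
  become: true
  gather_facts: false
  vars:
    userpass: []            # replaced by the extra vars from -e "@userpass.json"

  tasks:
    - name: Refuse to run without a password list
      assert:
        that:
          - userpass | length > 0
        msg: "userpass is empty; run with -e @userpass.json"

    - name: Set the password hash for each user
      user:
        name: "{{ item.name }}"
        # The hash is computed on the control node, so the plaintext never
        # reaches the target. A salt derived from the hostname keeps the hash
        # stable between runs, so the task reports "changed" only when the
        # password actually differs from the one already set.
        password: "{{ item.password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        update_password: always
      with_items: "{{ userpass }}"
      # no_log keeps item.password out of -v output and out of log_path
      no_log: true
```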
Windows
- Control node OS: RHEL 6/7 (Windows cannot be used as the control node)
- Control node Python version: 2.7.14 (tested: no extra adjustment needed after installation)
- Ansible version: 2.5.0 (native Windows module support requires keeping up with new Ansible releases)
- Managed targets: currently mainly Windows 7/2008/2012 (XP/2003 not supported)
- Baseline standard: see "Windows Security Baseline"
Control node
- OS version: RHEL 6/7
- Python version: 2.7.14
- Installation method: offline pip install of the dependency packages (pipenv is currently used to switch between the Linux and Windows environments)
Managed nodes
- OS version: Windows 7/2008/2012
- WinRM (Windows 7/2008 need to be upgraded to PowerShell v3.0)
Core usage
# Check that ansible can reach the hosts
ansible-playbook -i hosts win_playbooks/ping.yml -v
# With the inventory configured, run the following to create the user and establish the trust relationship
ansible-playbook -i hosts win_playbooks/user/default.yml -v
# Configure time sync / processes and services / baseline files
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v --tags="wsus"
ansible-playbook -i hosts win_playbooks/baseline/cfgset.yml -v --skip-tags="ntp,wsus"
# Update system packages and patches
ansible-playbook -i hosts win_playbooks/baseline/pakset.yml -v
# Change user passwords
ansible-playbook -i win_hosts_changepw win_playbooks/user/changepw.yml -v -e "@userpass.json"
# Back up configuration; a custom date name is supported, default is "%Y%m%d"
ansible-playbook -i win_hosts win_backup/backup.yml -v
# Restore configuration; supports restoring all hosts or a subset from a dated directory
ansible-playbook -i win_hosts win_backup/restore.yml -v -e "var_backup_date=20180305"
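For the Windows targets, an added example of a win_hosts inventory in YAML form (not the author's file; the hostnames, service account and CA path are assumptions, and vault_win_password is assumed to be defined in a vault-encrypted group_vars file). It shows the WinRM connection variables pointed at the HTTPS listener with certificate validation turned on:

```yaml
# Added example inventory, not the author's win_hosts. Hostnames, account
# name and CA path are assumptions; vault_win_password is assumed to live in
# an ansible-vault encrypted group_vars/windows/vault.yml.
all:
  children:
    windows:
      hosts:
        win-app-01.example.internal:
        win-app-02.example.internal:
      vars:
        ansible_connection: winrm
        ansible_user: svc_ansible
        # never put the real password here; reference the vaulted variable
        ansible_password: "{{ vault_win_password }}"
        # 5986 is the HTTPS listener; 5985 would carry the session over plain HTTP
        ansible_port: 5986
        # ntlm needs the requests_ntlm package installed next to pywinrm
        ansible_winrm_transport: ntlm
        # validate the listener certificate instead of setting this to ignore
        ansible_winrm_server_cert_validation: validate
        ansible_winrm_ca_trust_path: /etc/ansible/pki/winrm-ca.pem
```

The page's win_playbooks/ping.yml run against this inventory confirms the WinRM listener, credentials and certificate chain in one step before any baseline playbook is applied.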
Closing remarks
I am sorry that I cannot share all of the material for now, but that does not prevent technical exchange; I will gradually share valuable code that can be made public.
- Follow a what/why/how approach: understand what problems ansible solves, why ansible was chosen, and how to use ansible to solve them
- A low learning cost for Ansible does not mean there is no difficulty; the recommended learning path is the official documentation plus active practice, and when the official site has no answer, make good use of Google
- Ansible in pure command-line mode solves only part of the problem; many more requirements have to be met through an automated operations platform built on Ansible, and embracing open-source technology means not standing still