1, Installation of Ansible
epel source
dnf install ansible -y
ansible --viersion
Basic information of ansible:
/etc/ansible/ansible.conf ## Global configuration file, rarely modified by default
/etc/ansible/hosts ## Global host manifest file
dnf install sshpass-1.06-9.el8.x86_64.rpm -y dnf install ansible-2.9.11-1.el8.noarch.rpm -y
2, Secret free connection between main control computer and controlled computer
[root@ansible mnt]# ssh-keygen ##Generate key
[root@ansible mnt]# dnf install expect -y
[root@ansible mnt]# vim sshkey.sh ##Pass the key to hosts 210 and 211 through script
[root@ansible mnt]# cat sshkey.sh
#!/bin/bash
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.$i
expect {
"yes/no" { send "yes\r";exp_continue }
"password" { send "westos\r" }
}
expect eof
EOF
}
for i in 210 211
do
AUTOSSH
done
[root@ansible mnt]# sh sshkey.sh
[root@ansible mnt]# ssh -l root 172.25.254.211 ##Test, you can log in directly without secret
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Nov 26 11:09:48 2021 from 172.25.254.70
[root@westoslinux ~]# 
3, Build Anisble list
Listing is a list of ansible control hosts
/etc/ansible/hosts ## global manifest file
1. Write the managed host name or ip directly, one per line
node1.westos.com
node2.westos.com
172.25.254.240
2. Set the Group [group name] of the managed host
List view:
Group name in ansible manifest [- i manifest file]
ansible ungrouped --list-hosts
ansible all --list-hosts
Single layer list
[list1]
node1.westos.com
node2.westos.com
[list2]
node2.westos.com
[list3]
172.25.254.240
Nested list
[westos:children]
list1
list3
3, Scope operation of host specification
The Ansible host list can be simplified by specifying the host name or IP range
Syntax:
[start:end]
[westostest]
172.25.254.[100:108]
4, Specify another manifest file
vim inventory
172.25.254.240
[westostest]
172.25.254.100
172.25.254.200
The ansible command specifies the regular expression of the manifest
* ## All
##172.25.254.*
##westos*
: ## Logical or
##westos1:linux
##172.25.254.100:172.25.254.200
:& ## Logic and
##westos1:&linux
## The host is in both the westos1 list and the linux list
:! ## Logical non
##westos1:!linux
## In westos1, not in linux
~ ## Start with keyword
~(str1|str2) ## Start with condition 1 or condition 2
[root@ansible ansible]# vim hosts [westos] 172.25.254.[200:210] [westos1] 172.25.254.211 nodea.westos.org [westosall:children] westos westos1
4, Detailed explanation of Ansible configuration file parameters
Group name in ansible list - m module - u remote_user
1. Classification and priority of configuration files
/etc/ansible/ansible.cfg ## Basic configuration file, no other configuration file found. This file takes effect
~/.ansible.cfg ## The user does not have ansible.cfg in the current directory. This file takes effect
./ansible.cfg ## Highest priority
2. Common configuration parameters
#[default] ## Basic information setting
inventory= ## Specify manifest path
remote_user= ## The user name logged in on the managed host. The current user is not specified
ask_pass= ## Whether to prompt for SSH password. If public key login is set to false
library= ## Storage directory of library files
local_tmp= ## Local temporary command execution directory
remote_tmp= ## Remote host temporary py command file storage directory
forks= ## Default concurrency
host_key_checking= ## Do you want to enter yes to establish the host when connecting to the managed host for the first time_ key
sudo_user= ## Default sudo user
ask_sudo_pass= ## Whether to ask sudo password every time the controlled host executes the ansible command
module_name= ## The default module uses command by default and can be modified to shell
log_path= ## log file path
[privilege_escalation] ## Identity information setting
become= ## Whether to automatically switch users after connection
become_method= ## Set the user switching mode, usually sudo
become_user= ## The user to switch to in the managed host, usually root
become_ask_pass ## Do you need to be a become_method prompts for the password, which is false by default
5, Build user level Ansible operating environment
[root@ansible mnt]# sh sshkey.sh ##Delete the key previously transmitted to the client
#!/bin/bash
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.$i
expect {
"yes/no" { send "yes\r";exp_continue }
"password" { send "westos\r" }
}
expect eof
EOF
}
for i in 210 211
do
ssh -l root 172.25.254.$i rm -fr /root/.ssh
doneAdd user, add list
[root@ansible ansible]# useradd devops [root@ansible ansible]# su - devops [devops@ansible ~]$ mkdir .ansible [devops@ansible ~]$ cd .ansible/ [devops@ansible .ansible]$ vim inventory ##detailed list [westos] 172.25.254.210 [devops@ansible .ansible]$ ls inventory
Modify the previous master profile and delete the previous settings. Write user profile
[root@ansible ansible]#vim /etc/ansible/hosts ##Modify the previous master profile and delete the previous settings [root@ansible ansible]# su - devops Last login: Fri Nov 26 15:01:40 CST 2021 on pts/1 [devops@ansible ~]$ cd .ansible/ [devops@ansible .ansible]$ ls inventory [devops@ansible .ansible]$ vim ansible.cfg ##Write configuration file [defaults] inventory = ~/.ansible/inventory host_key_checking = False remote_user = root module_name = shell [privilege_escalation] #become=True #become_method=sudo #become_user=root #become_ask_pass=False
Create a user for the controlled machine in the main control machine
[devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'useradd devops' -k -u root SSH password: 172.25.254.210 | CHANGED | rc=0 >> [devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'echo westos | passwd --stdin devops' -k -u root SSH password: 172.25.254.210 | CHANGED | rc=0 >> Changing password for user devops. passwd: all authentication tokens updated successfully. [devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'echo "devops ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' -k -u root SSH password: 172.25.254.210 | CHANGED | rc=0 >> [devops@ansible .ansible]$
[devops@ansible .ansible]$ vim ansible.cfg [defaults] inventory = ~/.ansible/inventory host_key_checking = False remote_user = devops module_name = shell [privilege_escalation] ##After the comment, the login uses devops #become=True #become_method=sudo #become_user=root #become_ask_pass=False [devops@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k SSH password: 172.25.254.211 | CHANGED | rc=0 >> devops 172.25.254.210 | CHANGED | rc=0 >> devops [devops@ansible .ansible]$ vim ansible.cfg [defaults] inventory = ~/.ansible/inventory host_key_checking = False remote_user = devops module_name = shell [privilege_escalation] become=True become_method=sudo become_user=root become_ask_pass=False [devops@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k ##Remove the comments and log in to Devops sudo to root SSH password: 172.25.254.210 | CHANGED | rc=0 >> root 172.25.254.211 | CHANGED | rc=0 >> root
[devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'mkdir -p /home/devops/.ssh' -k ##Create a directory for the client SSH password: [WARNING]: Consider using the file module with state=directory rather than running 'mkdir'. If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message. 172.25.254.210 | CHANGED | rc=0 >> [devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'chown devops.devops /home/devops/.ssh' -k ##Modify owner and all groups SSH password: [WARNING]: Consider using the file module with owner rather than running 'chown'. If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message. 172.25.254.210 | CHANGED | rc=0 >> [devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'chmod 700 /home/devops/.ssh' -k SSH password: [WARNING]: Consider using the file module with mode rather than running 'chmod'. If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message. 172.25.254.210 | CHANGED | rc=0 >> [devops@ansible .ansible]$
[devops@ansible .ansible]$ ssh-keygen ##Generate key
[devops@ansible .ansible]$ ansible 172.25.254.210 -m copy -a 'src=/home/devops/.ssh/id_rsa.pub dest=/home/devops/.ssh/authorized_keys mode=0600 owner=devops group=devops' -k
SSH password:
172.25.254.210 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"checksum": "880b6c072bc8663a1c81ebdfe683ff9cceddf539",
"dest": "/home/devops/.ssh/authorized_keys",
"gid": 1001,
"group": "devops",
"md5sum": "49741185aa9e2f68c3d9fec822196c38",
"mode": "0600",
"owner": "devops",
"secontext": "unconfined_u:object_r:ssh_home_t:s0",
"size": 579,
"src": "/home/devops/.ansible/tmp/ansible-tmp-1637913963.6558049-34674-55602837977237/source",
"state": "file",
"uid": 1001
}
[devops@ansible .ansible]$ ansible 172.25.254.210 -m ping ##Test, the module can be executed without a password
172.25.254.210 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}