Ansible chapter I: installation and deployment of Ansible

1, Installation of Ansible

Enable the EPEL repository, then install:
dnf install ansible -y
ansible --version

Basic Ansible files:
/etc/ansible/ansible.cfg        ## Global configuration file, rarely modified from the default
/etc/ansible/hosts              ## Global inventory file

dnf install sshpass-1.06-9.el8.x86_64.rpm -y
dnf install ansible-2.9.11-1.el8.noarch.rpm -y

2, Passwordless SSH connection between the control node and the managed hosts

[root@ansible mnt]# ssh-keygen      ## Generate the key pair
[root@ansible mnt]# dnf install expect -y
[root@ansible mnt]# vim sshkey.sh        ## Script that copies the public key to hosts 210 and 211
[root@ansible mnt]# cat sshkey.sh 
#!/bin/bash

# Push the local public key to one host; expect answers the host-key prompt and the password prompt
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id  -i /root/.ssh/id_rsa.pub root@172.25.254.$i
expect {
"yes/no" {  send "yes\r";exp_continue }
"password" { send "westos\r"  }
}
expect eof
EOF
}
# Run it for the two managed hosts (last octet 210 and 211)
for i in 210 211
do
  AUTOSSH
done
[root@ansible mnt]# sh sshkey.sh 
[root@ansible mnt]# ssh -l root 172.25.254.211    ## Test: login now works without a password
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Fri Nov 26 11:09:48 2021 from 172.25.254.70
[root@westoslinux ~]# 

3, Build the Ansible inventory

The inventory is the list of hosts that Ansible manages
/etc/ansible/hosts ## global inventory file

1. Write managed host names or IPs directly, one per line

node1.westos.com
node2.westos.com
172.25.254.240

2. Put managed hosts in a group with [group name]

Listing hosts:

ansible <group name> [-i inventory file] --list-hosts
ansible ungrouped --list-hosts
ansible all --list-hosts


Single-level groups

[list1]
node1.westos.com
node2.westos.com
[list2]
node2.westos.com
[list3]
172.25.254.240

Nested group (children)

[westos:children]
list1
list3


3. Host ranges

An inventory can be shortened by giving a host name or IP range
Syntax:
[start:end]
[westostest]
172.25.254.[100:108]


4. Use a different inventory file

vim inventory
172.25.254.240
[westostest]
172.25.254.100
172.25.254.200


Host patterns accepted by the ansible command

*                  ## All hosts
                   ## 172.25.254.*
                   ## westos*

:                  ## Logical OR
                   ## westos1:linux
                   ## 172.25.254.100:172.25.254.200

:&                 ## Logical AND
                   ## westos1:&linux
                   ## hosts that are in both the westos1 group and the linux group

:!                 ## Logical NOT
                   ## westos1:!linux
                   ## hosts in westos1 but not in linux

~                  ## Regular expression; matches hosts whose name starts with the keyword
~(str1|str2)       ## starts with str1 or str2

[root@ansible ansible]# vim hosts 
[westos]
172.25.254.[200:210]

[westos1]
172.25.254.211
nodea.westos.org

[westosall:children]
westos
westos1
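To make the inventory and pattern rules above concrete, here is a small Python model. It is an added example for this write-up, not code from the original post and not Ansible's own resolver: it parses the INI inventory shown (plain groups, [westosall:children], the [200:210] range) and applies the pattern forms from the table (*, :, :&, :!, ~). The function names and the sample inventory text are constructed for illustration, and the real resolver handles more cases than this.

```python
import re
from fnmatch import fnmatch

# Constructed sample inventory, mirroring the hosts file shown in the text above
SAMPLE_INVENTORY = """
[westos]
172.25.254.[200:210]

[westos1]
172.25.254.211
nodea.westos.org

[westosall:children]
westos
westos1
"""

RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")


def expand_range(entry):
    """Expand one inventory line such as 172.25.254.[200:210] into concrete hosts."""
    m = RANGE_RE.search(entry)
    if not m:
        return [entry]
    start, end = m.group(1), m.group(2)
    width = len(start) if start.startswith("0") else 0   # keep zero padding for ranges like [01:05]
    return [entry[:m.start()] + str(n).zfill(width) + entry[m.end():]
            for n in range(int(start), int(end) + 1)]


def _dedupe(hosts):
    seen, out = set(), []
    for h in hosts:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def parse_inventory(text):
    """Parse an INI inventory into {group: [hosts]}; :children groups are flattened
    and the implicit 'all' and 'ungrouped' groups are added."""
    direct, children = {}, {}
    target = ("hosts", "ungrouped")   # hosts before any [section] header are ungrouped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.endswith(":children"):
                target = ("children", name[: -len(":children")])
                children.setdefault(target[1], [])
            else:
                target = ("hosts", name)
                direct.setdefault(name, [])
            continue
        if target[0] == "hosts":
            direct.setdefault(target[1], []).extend(expand_range(line))
        else:
            children.setdefault(target[1], []).append(line)

    def members(group, trail=()):
        hosts = list(direct.get(group, []))
        for child in children.get(group, []):
            if child not in trail:            # guard against a cyclic :children definition
                hosts.extend(members(child, trail + (group,)))
        return _dedupe(hosts)

    order = list(direct) + [g for g in children if g not in direct]
    inventory = {g: members(g) for g in order}
    inventory["all"] = _dedupe(h for g in order for h in inventory[g])
    inventory.setdefault("ungrouped", [])
    return inventory


def _match_one(sub, inventory):
    """Hosts selected by one sub-pattern: a group or host name (with * wildcards) or ~regex."""
    if sub.startswith("~"):
        rx = re.compile(sub[1:])
        return [h for h in inventory["all"] if rx.match(h)]   # re.match anchors at the start
    hosts = []
    for group, group_hosts in inventory.items():
        if fnmatch(group, sub):
            hosts.extend(group_hosts)
    hosts.extend(h for h in inventory["all"] if fnmatch(h, sub))
    return hosts


def resolve(pattern, inventory):
    """Apply the pattern rules from the text: ':' is OR, ':&' is AND, ':!' is NOT.
    As in Ansible, OR parts are collected first, then AND parts intersect, then NOT parts are removed."""
    union, intersect, exclude = [], None, set()
    for sub in pattern.split(":"):
        if not sub:
            continue
        if sub.startswith("&"):
            s = set(_match_one(sub[1:], inventory))
            intersect = s if intersect is None else intersect & s
        elif sub.startswith("!"):
            exclude |= set(_match_one(sub[1:], inventory))
        else:
            union.extend(_match_one(sub, inventory))
    return [h for h in _dedupe(union)
            if (intersect is None or h in intersect) and h not in exclude]


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for p in ("westos", "westosall:!westos", "westosall:&westos1", "~node", "172.25.254.*"):
        print(p, "->", resolve(p, inv))
```

Running it prints the host list each pattern selects, which is the same thing `ansible <pattern> --list-hosts` reports against this inventory; it is a handy way to check a pattern with `:!` or `:&` before running a module against it.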

4, Ansible configuration file parameters in detail

ansible <group name> -m <module> -u <remote_user>

1. Classification and priority of configuration files

/etc/ansible/ansible.cfg   ## Base configuration file; used only when no other configuration file is found
~/.ansible.cfg             ## Used when there is no ansible.cfg in the current directory
./ansible.cfg              ## Highest priority

2. Common configuration parameters

[defaults]                 ## Basic settings
inventory=                 ## Path to the inventory file
remote_user=               ## User name used to log in to managed hosts; the current user if not set
ask_pass=                  ## Whether to prompt for the SSH password; set to false when public-key login is used
library=                   ## Directory holding library (module) files
local_tmp=                 ## Local temporary directory for command execution
remote_tmp=                ## Temporary directory on the remote host for the generated Python module files
forks=                     ## Default number of parallel connections
host_key_checking=         ## Whether to verify SSH host keys (the yes/no prompt on first connection to a managed host)
sudo_user=                 ## Default sudo user
ask_sudo_pass=             ## Whether to ask for the sudo password each time an ansible command runs on managed hosts
module_name=               ## Default module; command by default, can be changed to shell
log_path=                  ## Log file path

[privilege_escalation]     ## Privilege escalation settings
become=                    ## Whether to switch users automatically after connecting
become_method=             ## How to switch users, usually sudo
become_user=               ## User to switch to on the managed host, usually root
become_ask_pass=           ## Whether become_method should prompt for a password; false by default
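The search order and the parameters above can be checked offline. The following Python helper is an added example, not part of the original post and not an Ansible API: pick_config applies the precedence ./ansible.cfg, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg (the exists argument is injectable so the lookup can be tested without touching the filesystem), and audit_config parses an ansible.cfg with the standard configparser module and reports the settings a reviewer looks at first: host_key_checking = False, remote_user = root, and become=True combined with become_ask_pass=False. The function names and the sample file are constructed for illustration.

```python
import configparser
import os

# Constructed sample ansible.cfg, matching the user-level file written later in the text
SAMPLE_CFG = """
[defaults]
inventory      = ~/.ansible/inventory
host_key_checking = False
remote_user = devops
module_name = shell

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
"""


def pick_config(cwd, home, exists=os.path.exists):
    """Return the configuration file ansible would use, following the precedence
    ./ansible.cfg > ~/.ansible.cfg > /etc/ansible/ansible.cfg, or None if none exists."""
    for candidate in (os.path.join(cwd, "ansible.cfg"),
                      os.path.join(home, ".ansible.cfg"),
                      "/etc/ansible/ansible.cfg"):
        if exists(candidate):
            return candidate
    return None


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_config(text):
    """Parse ansible.cfg text and return (section, key, finding) tuples for settings worth a second look."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = cp["defaults"] if cp.has_section("defaults") else {}
    escalation = cp["privilege_escalation"] if cp.has_section("privilege_escalation") else {}
    findings = []
    # host_key_checking defaults to True; False means a changed or unknown host key is accepted silently
    if not _is_true(defaults.get("host_key_checking", "True")):
        findings.append(("defaults", "host_key_checking",
                         "disabled: SSH host keys are not verified on connection"))
    if defaults.get("remote_user", "").strip() == "root":
        findings.append(("defaults", "remote_user",
                         "logs in directly as root instead of an unprivileged user with become"))
    if _is_true(escalation.get("become", "False")) and not _is_true(escalation.get("become_ask_pass", "False")):
        findings.append(("privilege_escalation", "become_ask_pass",
                         "disabled with become=True: relies on passwordless sudo on every managed host"))
    return findings


if __name__ == "__main__":
    print("config in use:", pick_config(os.getcwd(), os.path.expanduser("~")))
    for section, key, finding in audit_config(SAMPLE_CFG):
        print(f"[{section}] {key}: {finding}")
```

Against the sample file the audit reports the disabled host key check and the passwordless become; remote_user = devops is not flagged. Run from the devops user's .ansible directory, pick_config returns ./ansible.cfg, which is why the user-level file in the next section takes precedence over /etc/ansible/ansible.cfg.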

5, Build a user-level Ansible working environment

[root@ansible mnt]# sh sshkey.sh        ## Remove the keys previously pushed to the clients
#!/bin/bash

# AUTOSSH is kept from the earlier version of the script but is no longer called below
AUTOSSH()
{
/usr/bin/expect <<EOF
spawn ssh-copy-id  -i /root/.ssh/id_rsa.pub root@172.25.254.$i
expect {
"yes/no" {  send "yes\r";exp_continue }
"password" { send "westos\r"  }
}
expect eof
EOF
}
# Delete root's whole .ssh directory on each managed host, which discards the pushed authorized_keys
for i in 210 211
do
  ssh -l root 172.25.254.$i rm -fr /root/.ssh
done

Add a user and write its inventory

[root@ansible ansible]# useradd devops
[root@ansible ansible]# su - devops 
[devops@ansible ~]$ mkdir .ansible
[devops@ansible ~]$ cd .ansible/
[devops@ansible .ansible]$ vim inventory   ## user-level inventory
[westos]
172.25.254.210
[devops@ansible .ansible]$ ls
inventory

Clear the earlier settings from the global inventory, then write the user's configuration file

[root@ansible ansible]# vim /etc/ansible/hosts  ## Remove the entries added earlier to the global inventory
[root@ansible ansible]# su - devops 
Last login: Fri Nov 26 15:01:40 CST 2021 on pts/1
[devops@ansible ~]$ cd .ansible/
[devops@ansible .ansible]$ ls
inventory
[devops@ansible .ansible]$ vim ansible.cfg          ## Write the user-level configuration file

[defaults]
inventory      = ~/.ansible/inventory
host_key_checking = False
remote_user = root
module_name = shell

[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

Create the devops user on the managed host from the control node

[devops@ansible .ansible]$ ansible 172.25.254.210 -m  shell -a 'useradd devops' -k -u root
SSH password: 
172.25.254.210 | CHANGED | rc=0 >>

[devops@ansible .ansible]$ ansible 172.25.254.210 -m  shell -a 'echo westos | passwd --stdin devops' -k -u root
SSH password: 
172.25.254.210 | CHANGED | rc=0 >>
Changing password for user devops.
passwd: all authentication tokens updated successfully.
[devops@ansible .ansible]$ ansible 172.25.254.210 -m  shell -a 'echo "devops ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' -k -u root
SSH password: 
172.25.254.210 | CHANGED | rc=0 >>

[devops@ansible .ansible]$ 
[devops@ansible .ansible]$ vim ansible.cfg 
[defaults]
inventory      = ~/.ansible/inventory
host_key_checking = False
remote_user = devops
module_name = shell

[privilege_escalation]                ## With these lines commented out, commands run as devops
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False
[devops@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k 
SSH password: 
172.25.254.211 | CHANGED | rc=0 >>
devops
172.25.254.210 | CHANGED | rc=0 >>
devops

[devops@ansible .ansible]$ vim ansible.cfg 
[defaults]
inventory      = ~/.ansible/inventory
host_key_checking = False
remote_user = devops
module_name = shell

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[devops@ansible .ansible]$ ansible westos -m shell -a 'whoami' -k  ## With the comments removed, log in as devops and sudo to root
SSH password: 
172.25.254.210 | CHANGED | rc=0 >>
root
172.25.254.211 | CHANGED | rc=0 >>
root
[devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'mkdir -p /home/devops/.ssh' -k    ## Create the .ssh directory on the client
SSH password: 
[WARNING]: Consider using the file module with state=directory rather than running
'mkdir'.  If you need to use command because file is insufficient you can add 'warn:
false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of
this message.
172.25.254.210 | CHANGED | rc=0 >>

[devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'chown devops.devops /home/devops/.ssh' -k       ## Set owner and group
SSH password: 
[WARNING]: Consider using the file module with owner rather than running 'chown'.  If you
need to use command because file is insufficient you can add 'warn: false' to this
command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.254.210 | CHANGED | rc=0 >>

[devops@ansible .ansible]$ ansible 172.25.254.210 -m shell -a 'chmod 700 /home/devops/.ssh' -k
SSH password: 
[WARNING]: Consider using the file module with mode rather than running 'chmod'.  If you
need to use command because file is insufficient you can add 'warn: false' to this
command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
172.25.254.210 | CHANGED | rc=0 >>

[devops@ansible .ansible]$ 
[devops@ansible .ansible]$ ssh-keygen    ## Generate the devops user's key pair

[devops@ansible .ansible]$ ansible 172.25.254.210 -m copy -a 'src=/home/devops/.ssh/id_rsa.pub dest=/home/devops/.ssh/authorized_keys mode=0600 owner=devops group=devops' -k
SSH password:
172.25.254.210 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": true,
    "checksum": "880b6c072bc8663a1c81ebdfe683ff9cceddf539",
    "dest": "/home/devops/.ssh/authorized_keys",
    "gid": 1001,
    "group": "devops",
    "md5sum": "49741185aa9e2f68c3d9fec822196c38",
    "mode": "0600",
    "owner": "devops",
    "secontext": "unconfined_u:object_r:ssh_home_t:s0",
    "size": 579,
    "src": "/home/devops/.ansible/tmp/ansible-tmp-1637913963.6558049-34674-55602837977237/source",
    "state": "file",
    "uid": 1001
}
[devops@ansible .ansible]$ ansible 172.25.254.210 -m ping   ## Test: the module now runs without a password prompt
172.25.254.210 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

Tags: Linux Operation & Maintenance network

Posted on Mon, 29 Nov 2021 15:39:54 -0500 by firedrop84