#### Ansible Environment Deployment ####

it2022-05-05  190

Ansible is a relatively new automation tool for operations work, developed in Python. It combines the strengths of many established tools (Puppet, CFEngine, Chef, Func, Fabric) and provides batch system configuration, batch program deployment and batch command execution. Ansible works through modules and has no batch-deployment capability of its own: the modules that Ansible runs are what actually perform the batch deployment, while Ansible only provides the framework. Its main parts are:

(1) connection plugins: responsible for communicating with the managed nodes;
(2) host inventory: a configuration file that defines which hosts are managed and operated on;
(3) modules: core modules, the command module, and custom modules;
(4) plugins that provide functions such as logging and e-mail;
(5) playbook: a script for running multiple tasks; not required, but it lets the nodes run many tasks in one go.

| Role   | Host    | IP          |
|--------|---------|-------------|
| master | server1 | 172.25.46.1 |
| node1  | server2 | 172.25.46.2 |
| node2  | server3 | 172.25.46.3 |

I. Requirements for installing Ansible

1. Requirements for the control host: currently any machine with Python 2.6 or Python 2.7 installed can run Ansible (a Windows system cannot be used as the control host). The machine used here ships with Python 2.7.

2. Requirements for the managed nodes: Ansible normally talks to managed nodes over ssh and uses sftp by default. If sftp is unavailable, scp can be selected instead in the ansible.cfg configuration file. The managed nodes also need Python 2.4 or later; for versions below Python 2.5 an extra module, python-simplejson, must be installed.

3. Installing Ansible on the control host with yum. RHEL or CentOS users need to configure EPEL first:

```
[root@server1 ~]# yum install -y epel-release-latest-7.noarch.rpm
```

Then install the packages that satisfy Ansible's dependencies:

```
[root@server1 ansible]# ls
ansible-2.7.8-1.el7.noarch.rpm                 python2-crypto-2.6.1-13.el7.x86_64.rpm    python-paramiko-2.1.1-0.9.el7.noarch.rpm
ansible-tower-setup-bundle-3.4.2-1.el7.tar.gz  python2-jmespath-0.9.0-1.el7.noarch.rpm   roles
libtomcrypt-1.17-25.el7.x86_64.rpm             python-httplib2-0.9.2-0.1.el7.noarch.rpm  sshpass-1.06-1.el7.x86_64.rpm
libtommath-0.42.0-5.el7.x86_64.rpm             python-keyczar-0.71c-2.el7.noarch.rpm
[root@server1 ansible]# yum install -y *
[root@server1 ~]# yum install -y epel-release-6-8.noarch.rpm
```

II. Edit (or create) /etc/ansible/hosts and add one or more remote systems to it. The control host's public SSH key must be present in the authorized_keys of these systems:

```
[root@server1 ~]# cd /etc/ansible/
[root@server1 ansible]# ls
ansible.cfg  hosts  roles
[root@server1 ansible]# ll
total 24
-rw-r--r-- 1 root root 20277 Feb 22 07:04 ansible.cfg   ## main configuration file
-rw-r--r-- 1 root root  1016 Feb 22 07:04 hosts         ## defines hosts and host variables
drwxr-xr-x 2 root root     6 Feb 22 07:04 roles         ## directory holding roles
[root@server1 ansible]# vim /etc/ansible/hosts
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

# Here's another example of host ranges, this time there are no
# leading 0s:

## db-[99:101]-node.example.com
172.25.46.2
172.25.46.3
[root@server1 ansible]# vim /etc/ansible/ansible.cfg
[accelerate]
#accelerate_port = 5099
accelerate_port =1000
#accelerate_timeout = 30
#accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
accelerate_multi_key = yes
```

Connecting with a password:

```
[root@server1 ~]# cd /etc/ansible/
[root@server1 ansible]# ansible 172.25.46.2 -m ping    # -m selects the module; ping node 172.25.46.2
The authenticity of host '172.25.46.2 (172.25.46.2)' can't be established.
ECDSA key fingerprint is 4d:ac:36:4b:0e:c1:99:1a:e1:4e:39:4b:5e:44:1f:99.
Are you sure you want to continue connecting (yes/no)? yes
172.25.46.2 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.25.46.2' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",    # Permission denied: authentication is required, so a password is needed
    "unreachable": true
}
[root@server1 ansible]# ansible 172.25.46.2 -m ping -k    # -k: ask for the SSH password
SSH password:    ## the node's password
172.25.46.2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[root@server1 ansible]# ansible 172.25.46.3 -m ping
The authenticity of host '172.25.46.3 (172.25.46.3)' can't be established.
ECDSA key fingerprint is 4c:37:c4:99:c2:a6:1b:9d:68:46:1e:d0:59:ef:f1:b8.
Are you sure you want to continue connecting (yes/no)? yes
172.25.46.3 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.25.46.3' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
[root@server1 ansible]# ansible 172.25.46.3 -m ping -k
SSH password:
172.25.46.3 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```

For convenience, passwordless (key-based) login can be set up:

```
[root@server1 ansible]# ssh-keygen
```

Enable key-based login by copying the key to the nodes server2 and server3:

```
[root@server1 ansible]# ssh-copy-id 172.25.46.2
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.46.2's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.25.46.2'"
and check to make sure that only the key(s) you wanted were added.

[root@server1 ansible]# ssh-copy-id 172.25.46.3
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.46.3's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.25.46.3'"
and check to make sure that only the key(s) you wanted were added.
```

Test the passwordless connection.

III. Deploying remote services with Ansible

nginx environment deployment: first, install the httpd service on the two node hosts

```
[root@server1 ansible]# ansible 172.25.46.2 -m yum -a "name=httpd state=present"
[root@server1 ansible]# ansible 172.25.46.2 -m service -a "name=httpd state=started enabled=yes"
[root@server1 ansible]# ansible 172.25.46.3 -m yum -a "name=httpd state=present"
[root@server1 ansible]# ansible 172.25.46.3 -m service -a "name=httpd state=started enabled=yes"
```

Test: server2 did not have httpd installed before; now check the httpd status there.

Stop the firewall and SELinux on all virtual machines (all of my VMs already had them turned off when the images were built, so this step is skipped here):

```
[root@server1 ansible]# ansible all -m service -a "name=iptables state=stopped enabled=no"
[root@server1 ansible]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
[root@server1 ansible]# ansible all -m shell -a "setenforce 0"
[root@server1 ansible]# ansible all -m copy -a "src=/etc/sysconfig/selinux dest=/etc/sysconfig/selinux"
```

II. Distribute the nginx source and compile and install it

```
[root@server1 ~]# vim /etc/hosts    # name resolution
172.25.46.1 server1
172.25.46.2 server2 db-01
172.25.46.3 server3 db-02
[root@server1 ~]# vim /etc/ansible/hosts
[dbserver]    # host group name
172.25.46.2 db-01    # host IP
172.25.46.3 db-02
```

1. Distribute the nginx package to /tmp on each host

```
[root@server1 ~]# ansible 172.25.46.2 -m copy -a "src=/root/nginx-1.15.8.tar.gz dest=/tmp/"
172.25.46.2 | CHANGED => {
    "changed": true,
    "checksum": "1816c7e3e96c7c76e1224d88436faf1b29ceb14b",
    "dest": "/tmp/nginx-1.15.8.tar.gz",
    "gid": 0,
    "group": "root",
    "md5sum": "49eecc51a45bdcc8cc147f6747ef8a4c",
    "mode": "0644",
    "owner": "root",
    "size": 1027862,
    "src": "/root/.ansible/tmp/ansible-tmp-1563475865.98-224737336441863/source",
    "state": "file",
    "uid": 0
}
[root@server1 ~]# ansible 172.25.46.3 -m copy -a "src=/root/nginx-1.15.8.tar.gz dest=/tmp/"
172.25.46.3 | CHANGED => {
    "changed": true,
    "checksum": "1816c7e3e96c7c76e1224d88436faf1b29ceb14b",
    "dest": "/tmp/nginx-1.15.8.tar.gz",
    "gid": 0,
    "group": "root",
    "md5sum": "49eecc51a45bdcc8cc147f6747ef8a4c",
    "mode": "0644",
    "owner": "root",
    "size": 1027862,
    "src": "/root/.ansible/tmp/ansible-tmp-1563475879.38-158803960976722/source",
    "state": "file",
    "uid": 0
}
```

Check whether the package is now present under /tmp on the nodes.

2. Distribute the nginx install script. Write the script that compiles nginx:

```
[root@server1 tmp]# vim nginx.sh
#!/bin/bash
set -e    # stop at the first failing step instead of running configure/make on a missing tree
# build dependencies
yum -y install zlib zlib-devel openssl openssl-devel pcre-devel gcc pcre
cd /tmp
tar zxvf nginx-1.15.8.tar.gz && cd nginx-1.15.8
./configure --with-http_stub_status_module --prefix=/usr/local/nginx
make && make install
```

Trial-run the script on the control host:

```
[root@server1 tmp]# sh nginx.sh
```

The figure above shows that nginx compiled successfully; now distribute the script to the node hosts:

```
[root@server1 tmp]# ansible 172.25.46.2 -m copy -a "src=/tmp/nginx.sh dest=/tmp"
172.25.46.2 | CHANGED => {
    "changed": true,
    "checksum": "162ea96542174760c848de6b45c2b7ab6fb477f4",
    "dest": "/tmp/nginx.sh",
    "gid": 0,
    "group": "root",
    "md5sum": "8d580a3f0ea2f7cc2162be679612b513",
    "mode": "0644",
    "owner": "root",
    "size": 228,
    "src": "/root/.ansible/tmp/ansible-tmp-1563476940.03-31729377135838/source",
    "state": "file",
    "uid": 0
}
[root@server1 tmp]# ansible 172.25.46.3 -m copy -a "src=/tmp/nginx.sh dest=/tmp"
172.25.46.3 | CHANGED => {
    "changed": true,
    "checksum": "162ea96542174760c848de6b45c2b7ab6fb477f4",
    "dest": "/tmp/nginx.sh",
    "gid": 0,
    "group": "root",
    "md5sum": "8d580a3f0ea2f7cc2162be679612b513",
    "mode": "0644",
    "owner": "root",
    "size": 228,
    "src": "/root/.ansible/tmp/ansible-tmp-1563476949.97-188777294091282/source",
    "state": "file",
    "uid": 0
}
```
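A check worth running before the script is executed on the nodes, added here as an example that is not part of the original post: the "checksum" field that the copy module prints (for the tarball above and for nginx.sh) is the SHA-1 of the file, so comparing it with sha1sum of the local source confirms each node received the file intact. The function names and the sample result text are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the original post: compare the "checksum" that
# Ansible's copy module reports for a node against the SHA-1 of the local
# source file, so a truncated or altered /tmp/nginx.sh is noticed before
# "ansible dbserver -m command -a 'bash /tmp/nginx.sh'" executes it.

# Read copy-module output on stdin and print the 40-hex-digit checksum value.
extract_checksum() {
    sed -n 's/.*"checksum": *"\([0-9a-f]\{40\}\)".*/\1/p' | head -n 1
}

# verify_copy LOCAL_FILE   (copy-module output on stdin)
# Prints "ok" and returns 0 when the reported checksum equals sha1sum of
# LOCAL_FILE; otherwise prints "MISMATCH ..." and returns 1.
verify_copy() {
    local local_file="$1" reported expected
    reported="$(extract_checksum)"
    expected="$(sha1sum "$local_file" | cut -d' ' -f1)"
    if [ -n "$reported" ] && [ "$reported" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "MISMATCH reported=${reported:-none} expected=$expected"
    return 1
}

# Constructed sample data: a small local file and two fake result blocks in
# the format printed by "ansible <host> -m copy -a ...".
SAMPLE_FILE="$(mktemp)"
printf 'hello\n' > "$SAMPLE_FILE"
SAMPLE_OK="$(printf '172.25.46.2 | CHANGED => {\n    "changed": true,\n    "checksum": "%s",\n    "dest": "/tmp/nginx.sh"\n}' "$(sha1sum "$SAMPLE_FILE" | cut -d" " -f1)")"
SAMPLE_BAD='172.25.46.3 | CHANGED => { "changed": true, "checksum": "0000000000000000000000000000000000000000" }'

# Stand-alone demonstration; "|| true" keeps the failing case from aborting.
printf '%s\n' "$SAMPLE_OK"  | verify_copy "$SAMPLE_FILE" || true
printf '%s\n' "$SAMPLE_BAD" | verify_copy "$SAMPLE_FILE" || true
```

In practice the stdin would be the saved output of the ansible copy command and LOCAL_FILE the file passed as src=.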

Run the install script from host 172.25.46.1:

```
[root@server1 ~]# ansible dbserver -m command -a "bash /tmp/nginx.sh"
```

Check the compile result on the node hosts. Then start the nginx service on all nodes from host 172.25.46.1:

```
[root@server1 ~]# ansible dbserver -m command -a "/usr/local/nginx/sbin/nginx"
```

Check on the nodes whether nginx is running and its port is listening.

Access nginx.

III. Load balancing with upstream

1. Configure the nginx.conf file on host 172.25.46.1

```
[root@server1 conf]# vim /usr/local/nginx/conf/nginx.conf
```

```
upstream westos {
    server 172.25.46.2:80 weight=1 max_fails=3 fail_timeout=10s;
    server 172.25.46.3:80 weight=2 max_fails=3 fail_timeout=10s;
}
server {
    listen 80;
    server_name westos.org;
    location / {
        proxy_pass http://westos;    # must reference the name of the upstream block above
        proxy_next_upstream http_500 http_502 http_503 error timeout invalid_header;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        root html;
        index index.html index.htm;
    }
}
[root@server1 conf]# /usr/local/nginx/sbin/nginx -s reload    ## reload the nginx configuration
```

Load balancing is now configured. Test it:

```
[root@foundation46 images]# curl westos.org
server2
[root@foundation46 images]# curl westos.org
server3
[root@foundation46 images]# curl westos.org
server2
[root@foundation46 images]# curl westos.org
server3
[root@foundation46 images]# curl westos.org
server2
[root@foundation46 images]# curl westos.org
server3
```
