Ansible Configuration
I. Hostname configuration
Control node: sz-aliyun-ecs-1
$ hostname sz-aliyun-ecs-1
$ hostnamectl set-hostname sz-aliyun-ecs-1
Managed node: bj-huawei-hecs-1
$ hostname bj-huawei-hecs-1
$ hostnamectl set-hostname bj-huawei-hecs-1
II. hosts file configuration
Control and managed nodes
$ vim /etc/hosts
47.115.x.x sz-aliyun-ecs-1
114.115.x.x bj-huawei-hecs-1
III. SSH public key trust configuration
First, Ansible is a centralized remote management tool, and all of its remote operations go over the SSH protocol. To keep later operations simple, every node needs to be configured to trust the control node.
Control node: generate the key pair
$ ssh-keygen
Generating public/private rsa key pair.
# ...
Copy the contents of the ~/.ssh/id_rsa.pub public key file into ~/.ssh/authorized_keys on the control node and on the managed nodes (the control node is also brought under remote management)
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAxxxxx root@sz-aliyun-ecs-1
Managed node: add the control node's SSH public key
$ cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAxxxxx root@sz-aliyun-ecs-1
Alternatively, log in with a private key
$ vim /etc/ansible/hosts
[all]
server1 ansible_host=47.115.x.x ansible_ssh_private_key_file=/root/.ssh/server1.pem
server2 ansible_host=47.114.x.x ansible_ssh_private_key_file=/root/.ssh/server2.pem
IV. Static inventory configuration
Ansible can operate on several hosts belonging to one group at the same time. The relationship between groups and hosts is defined in the inventory file, whose default path is /etc/ansible/hosts
Control node
$ egrep -v "#|^$" /etc/ansible/hosts
# [<group_name>]
[ecs]
# server list
sz-aliyun-ecs-1
bj-huawei-hecs-1
# Several groups are defined here for the later Patterns matching experiments
[bj_server]
bj-huawei-hecs-1
[sz_server]
sz-aliyun-ecs-1
[prod]
bj-huawei-hecs-1
[dev]
sz-aliyun-ecs-1
[web_server]
bj-huawei-hecs-1
[db_server]
sz-aliyun-ecs-1
Run the command: ansible all -m ping
$ ansible all -m ping
sz-aliyun-ecs-1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
bj-huawei-hecs-1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
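As an added example, not part of the original post: a small Python script that parses the static inventory above and resolves Ansible host patterns against it (union with ":", intersection with ":&", exclusion with ":!", and "*" globs), so the Patterns experiments mentioned in the inventory comment can be checked offline before anything is run against real hosts. The inventory text is a constructed copy of the file above, and per-host variables are ignored.

```python
import fnmatch
import re

# Constructed copy of the static /etc/ansible/hosts shown above (no host vars).
INVENTORY_INI = """[ecs]
sz-aliyun-ecs-1
bj-huawei-hecs-1
[bj_server]
bj-huawei-hecs-1
[sz_server]
sz-aliyun-ecs-1
[prod]
bj-huawei-hecs-1
[dev]
sz-aliyun-ecs-1
[web_server]
bj-huawei-hecs-1
[db_server]
sz-aliyun-ecs-1"""


def parse_inventory(text):
    """Minimal INI inventory parser: [group] headers, one host per following line."""
    groups, current = {}, "ungrouped"
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
        elif line:                         # first token is the host name; vars ignored
            groups.setdefault(current, []).append(line.split()[0])
    return groups


def _term_hosts(term, groups):
    """Hosts selected by one term: 'all', a group or host name, or a '*' glob."""
    all_hosts = {h for hs in groups.values() for h in hs}
    if term == "all":
        return all_hosts
    return ({h for g, hs in groups.items() if fnmatch.fnmatchcase(g, term) for h in hs}
            | {h for h in all_hosts if fnmatch.fnmatchcase(h, term)})


def match_pattern(pattern, groups):
    """Ansible host pattern: union the plain terms, then apply &-intersections and !-exclusions."""
    terms = [t for t in re.split(r"[:,]", pattern) if t]
    selected = set().union(*(_term_hosts(t, groups) for t in terms if t[0] not in "&!"))
    for t in terms:
        if t[0] == "&":
            selected &= _term_hosts(t[1:], groups)
        elif t[0] == "!":
            selected -= _term_hosts(t[1:], groups)
    return sorted(selected)
```

For the real inventory, ansible-inventory --graph and ansible <pattern> --list-hosts give the authoritative answer; this script only lets you reason about the group layout without an SSH connection.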
OK, the basic configuration is done and the test has passed~
V. Dynamic inventory configuration
When the hosts in a cloud environment change frequently, for example when deploying test or development environments, or when scaling in and out, maintaining a static inventory is tedious work. In that case you can use the dynamic inventory feature provided by the cloud vendor.
1. Alibaba Cloud
Taking Alibaba Cloud as the example, first install the ansible_alicloud_module_utils component
$ pip install ansible_alicloud_module_utils configparser
# upgrade the dependency
$ pip install footmark --upgrade
Download the alicloud.py script
$ wget https://raw.githubusercontent.com/alibaba/ansible-provider/master/contrib/inventory/alicloud.py
# if the address above is blocked, use the one below
# wget http://download.yo-yo.fun/ansible/alicloud.py
$ chmod +x alicloud.py
Set the AK/SK credentials
cat >> /etc/profile << EOF
export ALICLOUD_REGION="cn-huhehaote"
export ALICLOUD_ACCESS_KEY=""
export ALICLOUD_SECRET_KEY=""
EOF
If the system's Python version is 2.7, a Chinese character encoding problem has to be dealt with before first use
Error 1: Chinese characters are not Unicode-encoded
DefaultRegionName = '杭州'.encode("UTF-8")
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe6 in position 0: ordinal not in range(128)
Batch fix
$ for i in `grep -R "杭州" /usr/lib/python2.7/site-packages/footmark/*|grep -v "pyc"|awk -F ':' '{print $1}'`;
do
sed -r -i "s/'杭州'/u'杭州'/g" $i
done
Error 2: the source file does not declare its default encoding (utf-8) at the top
File "/usr/lib/python2.7/site-packages/footmark/ros/connection.py", line 11
SyntaxError: Non-ASCII character '\xe6' in file /usr/lib/python2.7/site-packages/footmark/ros/connection.py on line 11, but no encoding declared; see http://www.python.org/peps/pep-0263.html for details
Insert it as the first line
$ sed -r -i "1s/^/# coding: utf-8\n/" /usr/lib/python2.7/site-packages/footmark/ros/connection.py
List the hosts
$ ./alicloud.py --list
/usr/lib/python2.7/site-packages/aliyunsdkcore/auth/algorithm/sha_hmac256.py:20: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends import default_backend
{
"_meta": {
"hostvars": {
"i_hp3bv0ue4o6krvzjqron": {
"ansible_ssh_host": "39.104.14.149",
"auto_release_time": "",
"availability_zone": "cn-huhehaote-a",
"cpu": 2,
"cpu_options": {
"core_count": 1,
"numa": "",
"threads_per_core": 2
},
"creation_time": "2023-04-01T07:23Z",
"credit_specification": "Standard",
"dedicated_instance_attribute": {
"affinity": "",
"tenancy": ""
},
"deletion_protection": false,
"deployment_set_id": "",
"description": "",
"ecs_capacity_reservation_attr": {
"capacity_reservation_id": "",
"capacity_reservation_preference": ""
},
"eip": {
"allocation_id": "",
"internet_charge_type": "",
"ip_address": ""
},
"expired_time": "2099-12-31T15:59Z",
"gpu": {
"amount": 0,
"spec": "",
"specification": ""
},
"hibernation_options": {
"configured": false
},
"host_name": "node00001",
"id": "i-hp3bv0ue4o6krvzjqron",
"image_id": "m-hp3hpd5p321zdsbidyix",
"image_options": {},
"inner_ip_address": "",
"instance_charge_type": "PostPaid",
"instance_id": "i-hp3bv0ue4o6krvzjqron",
"instance_name": "node00001",
"instance_type": "ecs.t5-lc1m4.large",
"instance_type_family": "ecs.t5",
"internet_charge_type": "PayByTraffic",
"internet_max_bandwidth_in": 400,
"internet_max_bandwidth_out": 5,
"io_optimized": true,
"key_pair_name": "k8s",
"memory": 8192,
"metadata_options": {
"http_endpoint": "",
"http_tokens": ""
},
"network_interfaces": [
{
"mac_address": "00:16:3e:00:b3:38",
"network_interface_id": "eni-hp3asumvfp5efguuln2p",
"primary_ip_address": "172.16.0.4",
"private_ip_sets": {
"private_ip_set": [
{
"primary": true,
"private_ip_address": "172.16.0.4"
}
]
},
"type": "Primary"
}
],
"osname": "CentOS 7.6 64\u4f4d",
"osname_en": "CentOS 7.6 64 bit",
"ostype": "linux",
"private_ip_address": "172.16.0.4",
"public_ip_address": "39.104.14.149",
"resource_group_id": "",
"spot_duration": 1,
"status": "running",
"tags": {
"acs:ecs:payType": "spot"
},
"vpc_id": "vpc-hp3i5ldilxz4t493mdz0k",
"vswitch_id": "vsw-hp3s551yqg4qe0s14i58v"
}
}
},
"alicloud": [
"i_hp3bv0ue4o6krvzjqron"
],
"cn-huhehaote": [
"i_hp3bv0ue4o6krvzjqron"
],
"cn-huhehaote-a": [
"i_hp3bv0ue4o6krvzjqron"
],
"i-hp3bv0ue4o6krvzjqron": [
"i_hp3bv0ue4o6krvzjqron"
],
"m-hp3hpd5p321zdsbidyix": [
"i_hp3bv0ue4o6krvzjqron"
],
"security_group_sg_hp36ykxfeo42jjcmiksa": [
"i_hp3bv0ue4o6krvzjqron"
],
"subnet_vsw_hp3s551yqg4qe0s14i58v": [
"i_hp3bv0ue4o6krvzjqron"
],
"tag_acs_ecs_payType_spot": [
"i_hp3bv0ue4o6krvzjqron"
],
"type_ecs_t5_lc1m4_large": [
"i_hp3bv0ue4o6krvzjqron"
],
"vpc_id_vpc_hp3i5ldilxz4t493mdz0k": [
"i_hp3bv0ue4o6krvzjqron"
]
}
The dynamic inventory result is cached; the location can be configured by changing cache_path in the alicloud.ini file
$ grep "cache_path" alicloud.ini
cache_path = ~/.ansible/tmp
Add --refresh-cache when running the script to refresh the cache explicitly
$ ./alicloud.py --refresh-cache
2. Huawei Cloud
As a supplement, here is how to use an Ansible dynamic inventory on Huawei Cloud; basically every cloud platform offers this feature to its users
Download the script and configuration file
# download the dynamic inventory script
$ wget https://raw.githubusercontent.com/huaweicloud/huaweicloud-ansible-modules/master/contrib/inventory/hwc_ecs.py
# download the dynamic inventory configuration file
$ wget https://raw.githubusercontent.com/huaweicloud/huaweicloud-ansible-modules/master/contrib/inventory/hwc_ecs.ini
Install dependencies and do the basic configuration
$ pip install huaweicloudsdkcore==3.0.50 huaweicloudsdkecs==3.0.50 PyYAML==5.4.1 urllib3==1.26.6
$ chmod +x hwc_ecs.py
$ cat > hwc_ecs.ini << EOF
access_key=xxx
secret_key=xxx
# Not the literal project ID; it is closer to a region ID. Look it up at: Huawei Cloud console → My Credentials → API Credentials → Projects → Project ID
project_id=0d58621e5300f3052ff0c00e6ff0a42b
region=cn-north-1
EOF
Get the server list
$ ./hwc_ecs.py --list
Prepare the private key. Earlier we imported the public key into authorized_keys on the ECS nodes, so the matching private key is used to log in here
$ chmod 600 huaweicluod_ecs.rsa
$ mv huaweicluod_ecs.rsa ~/.ssh/
Run a command remotely with ansible
$ ansible -i hwc_ecs.py "node*" -m ping --private-key=/root/.ssh/huaweicluod_ecs.rsa
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
node_0 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node_1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
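As an added example, not from the original post and not taken from alicloud.py or hwc_ecs.py: a minimal dynamic inventory script in Python that shows the contract those vendor scripts implement. It emits the JSON shape Ansible reads from --list (groups plus _meta.hostvars), caches the result in a file the way the cache_path setting does and honours --refresh-cache, and sanitises cloud-derived group names (zones, tags) down to [A-Za-z0-9_], which is exactly what the "Invalid characters were found in group names" warning above complains about. The instance list, cache path and IPs are constructed placeholders, not real instances.

```python
import argparse
import json
import os
import re
import time

CACHE_PATH = os.path.expanduser("~/.ansible/tmp/demo_inventory.cache")  # plays the role of cache_path
CACHE_MAX_AGE = 300  # seconds before a cached result is considered stale

# Constructed sample standing in for a cloud API response (not real instances).
SAMPLE_INSTANCES = [
    {"id": "i-demo0001", "name": "node_0", "ip": "192.0.2.10",
     "zone": "cn-north-1a", "tags": {"acs:ecs:payType": "spot"}},
    {"id": "i-demo0002", "name": "node_1", "ip": "192.0.2.11",
     "zone": "cn-north-1b", "tags": {"env": "prod"}},
]

def safe_group(name):
    """Ansible group names may only contain [A-Za-z0-9_]; replacing anything else
    with '_' avoids the 'Invalid characters were found in group names' warning."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)

def build_inventory(instances):
    """Build the JSON shape Ansible expects from `--list`: groups plus _meta.hostvars
    (with _meta present, Ansible never needs to call the script with --host)."""
    inv = {"_meta": {"hostvars": {}}}
    for ins in instances:
        host = ins["name"]
        inv["_meta"]["hostvars"][host] = {"ansible_host": ins["ip"], "instance_id": ins["id"]}
        for g in [ins["zone"]] + [f"tag_{k}_{v}" for k, v in ins["tags"].items()]:
            inv.setdefault(safe_group(g), []).append(host)
    return inv

def load_inventory(refresh=False, fetch=lambda: SAMPLE_INSTANCES, cache_path=CACHE_PATH):
    """Serve the cached inventory unless it is stale or --refresh-cache was given."""
    fresh = os.path.exists(cache_path) and time.time() - os.path.getmtime(cache_path) < CACHE_MAX_AGE
    if fresh and not refresh:
        with open(cache_path) as f:
            return json.load(f)
    inv = build_inventory(fetch())            # a real script would call the cloud API here
    os.makedirs(os.path.dirname(cache_path), exist_ok=True)
    with open(cache_path, "w") as f:
        json.dump(inv, f)
    return inv

if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--list", action="store_true")
    ap.add_argument("--refresh-cache", action="store_true")
    args = ap.parse_args()
    print(json.dumps(load_inventory(refresh=args.refresh_cache), indent=2))
```

Saved as an executable file, it can be passed to ansible with -i exactly like hwc_ecs.py above, and ansible-inventory -i ./demo_inventory.py --graph shows the sanitised groups.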
Run a playbook remotely with ansible
---
- hosts: "node*"
  remote_user: root
  gather_facts: no
  vars:
    text: Hello, World!
  tasks:
    - name: debug demo
      debug:
        msg: "He say {{ text }}"
Run the playbook
$ ap -i hwc_ecs.py playbook-debug-demo1.yml --private-key=/root/.ssh/huaweicluod_ecs.rsa
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
PLAY [node*] ***************
TASK [debug demo] ***************
ok: [node_0] => {
"msg": "He say Hello, World!"
}
ok: [node_1] => {
"msg": "He say Hello, World!"
}
PLAY RECAP ***************
node_0 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node_1 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Running a role remotely with ansible follows the same approach, so it is not repeated here
$ ap -i hwc_ecs.py --tags=initial,cri,kubernetes setup.yml