-
Ansible运行临时命令及常用模块介绍
目录
14.Archive(打包压缩)/unarchive(解包解压)模块
一.运行临时命令
1.基本语法格式
ansible 主机/组 -m 模块名称 -a 模块参数 其他选项
- #使用ping模块来测试节点连通性
- [student@workstation ~]$ ansible servera -m ping
- servera | SUCCESS => {
- "ansible_facts": {
- "discovered_interpreter_python": "/usr/libexec/platform-python"
- },
- "changed": false,
- "ping": "pong"
- }
- [student@workstation ~]$ ansible servera -m ping -o #-o使输出在一行
- servera | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
2.查看当前版本已安装的所有模块
- [student@workstation ~]$ ansible-doc -l | wc -l
- 2834[student@workstation ~]$ ansible-doc ping
- #直接使用"ansible-doc 模块名"来获取模块使用帮助,可以在查看后搜索"/EXAMPLES"来查看示例
- [student@workstation ~]$ ansible-doc -s ping #查看模块用法和后接参数
二.ansible常见模块
1.command模块
(1)通过-a后面跟上需要运行的命令,直接执行,但命令行不能包含“<,>,|,&”不指定模块时默认执行command模块
- [student@workstation ~]$ ansible servera -m command -a 'free -m'
- servera | CHANGED | rc=0 >>
- total used free shared buff/cache available
- Mem: 821 222 366 11 232 464
- Swap: 0 0 0
(2)参数简介
chdir:切换目录
- [student@workstation ~]$ ansible servera -m command -a 'chdir=/etc pwd'
- servera | CHANGED | rc=0 >>
- /etc
creates:文件存在时,后方接的命令不会执行
- [student@workstation ~]$ ansible servera -m command -a 'creates=aaa.txt ls'
- #不存在aaa.txt,ls命令执行
- servera | CHANGED | rc=0 >>
- anaconda-ks.cfg
- original-ks.cfg
removes:文件不存在时,后方接的命令不会执行
- [student@workstation ~]$ ansible servera -m command -a 'removes=aaa.txt ls'
- #不存在aaa.txt,ls命令跳过执行
- servera | SUCCESS | rc=0 >>
- skipped, since aaa.txt does not exist
2.shell模块
同command,基于/bin/bash执行命令,可以支持“<,>,|,&”
- [student@workstation ~]$ ansible servera -m shell -a 'free -m | grep Swap'
- servera | CHANGED | rc=0 >>
- Swap: 0 0 0
free_form:要执行的linux命令
executable:切换执行shell绝对路径来执行命令
3.raw模块
同command和shell,可以执行含特殊符号的命令,但raw模块没有chdir,creates,removes等参数
- [student@workstation ~]$ ansible-doc -s raw
- - name: Executes a low-down and dirty command
- raw:
- executable: # Change the shell used to execute the command. Should be an absolute path to the executable. When using privilege escalation (`become') a default shell
- will be assigned if one is not provided as privilege escalation requires a shell.
- free_form: # (required) The raw module takes a free form command to run. There is no parameter actually named 'free form'; see the examples!
4.script模块
在受管节点上执行管理节点的shell(把shell从管理节点复制到受管节点再在受管节点上运行)
- [student@workstation ~]$ cat date.sh
- #!/bin/bash
- date > /date.txt
- [student@workstation ~]$ ansible servera -m script -a '/home/student/date.sh'
- #将管理节点的shell脚本文件复制到servera上执行,并查看是否执行成功
- servera | CHANGED => {
- "changed": true,
- "rc": 0,
- "stderr": "Shared connection to servera closed.\r\n",
- "stderr_lines": [
- "Shared connection to servera closed."
- ],
- "stdout": "",
- "stdout_lines": []
- }
-
- [student@workstation ~]$ ansible servera -m shell -a 'cat /date.txt'
- servera | CHANGED | rc=0 >>
- Sat Oct 14 04:09:17 GMT 2023 #执行成功
5.file模块
主要用于创建、删除文件或目录,修改权限等
参数列表:
path:必要参数,指定文件或目录,也可以使用dest或name(旧版本)替换
state:可以有touch(文件)、directory(目录)、link(软链接)、hard(硬链接)、absent(删除)几个可选项,主要用来进一步确认你操作的对象的文件属性
src:操作对象为link或hard并且state指定了link或hard时使用src来指定链接的来源
force:state=link时,使用force强制创建链接文件,使用于三种情况(src指向的源文件在创建链接前不存在,可以先强制创建链接文件;存放链接文件的目录内存在同名文件,可以使用force=yes实现删除同名文件再创建链接文件;前两种情况都有的情况下,使用force=yes会强制替换同名文件为创建的链接文件)
owner:指定文件拷贝到受管节点后的属主,前提是要先有这个用户
group:指定文件拷贝到受管节点后的属组,前提是要先有这个组
mode:指定文件拷贝到受管节点后的权限,一般多采用“mode=权限数值”方式
recurse:操作对象为目录时,会递归操作该目录
示例:
- [student@workstation ~]$ ansible servera -m file -a 'path=/tmp/abc.txt state=touch'
- servera | CHANGED => {
- "ansible_facts": {
- "discovered_interpreter_python": "/usr/libexec/platform-python"
- },
- "changed": true,
- "dest": "/tmp/abc.txt",
- "gid": 0,
- "group": "root",
- "mode": "0644",
- "owner": "root",
- "secontext": "unconfined_u:object_r:user_tmp_t:s0",
- "size": 0,
- "state": "file",
- "uid": 0
- }
- [student@workstation ~]$ ansible servera -m shell -a 'ls /tmp | grep abc.txt'
- servera | CHANGED | rc=0 >>
- abc.txt
6.copy模块
主要用于将管理节点文件拷贝到受管节点
参数列表:
src:指定被copy的目录或文件
dest:指定被copy文件的目的目录(必要参数)
content:被copy内容非src指定文件时,使用content直接指定文件内容,src和content两者必要一个
force:受管节点路径下已经有同名文件但两者内容不同,选择是否强制覆盖,默认为yes
backup:受管节点路径下已经有同名文件但两者内容不同,选择是否对受管节点的该文件进行备份
owner:指定文件拷贝到受管节点后的属主,前提是要先有这个用户
group:指定文件拷贝到受管节点后的属组,前提是要先有这个组
mode:指定文件拷贝到受管节点后的权限,一般多采用“mode=权限数值”方式
示例:
- [student@workstation ~]$ cat list
- servera
- [student@workstation ~]$ ansible servera -m copy -a 'src=/home/student/list dest=/tmp/'
- servera | CHANGED => {
- "ansible_facts": {
- "discovered_interpreter_python": "/usr/libexec/platform-python"
- },
- "changed": true,
- "checksum": "8e723f6a40d561529bae71445d9a60fbd8185fc6",
- "dest": "/tmp/list",
- "gid": 0,
- "group": "root",
- "md5sum": "b891602b9b8b0a41ffd86c15b171ea56",
- "mode": "0644",
- "owner": "root",
- "secontext": "unconfined_u:object_r:admin_home_t:s0",
- "size": 8,
- "src": "/root/.ansible/tmp/ansible-tmp-1697267810.5263553-92157951653798/source",
- "state": "file",
- "uid": 0
- }
- [student@workstation ~]$ ansible servera -m shell -a 'cat /tmp/list'
- servera | CHANGED | rc=0 >>
- servera
-
- #注意:若是对目录进行拷贝操作,src接的路径最后没有/表示连同目录一起拷贝,路径最后有/表示只拷贝该目录下的文件并不拷贝目录
7.fetch模块
主要用于将受管节点的文件拷贝到管理节点
参数列表:
dest:拷贝到管理节点的路径
src:从受管节点的哪个路径拷贝
flat:选择是否拷贝受管节点上该文件的目录结构,yes为不拷贝结构
示例:
- #拷贝默认目录结构
- [student@workstation ~]$ ansible servera -m fetch -a 'src=/tmp/abc.txt dest=/home/student'
- servera | CHANGED => {
- "changed": true,
- "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "dest": "/home/student/servera/tmp/abc.txt",
- "md5sum": "d41d8cd98f00b204e9800998ecf8427e",
- "remote_checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "remote_md5sum": null
- }
- [student@workstation ~]$ ll
- total 16
- -rw-rw-r--. 1 student student 238 Oct 12 13:27 ansible.cfg
- -rw-rw-r--. 1 student student 29 Oct 14 04:06 date.sh
- -rw-rw-r--. 1 student student 8 Oct 12 09:34 list
- -rw-rw-r--. 1 student student 105 Oct 12 13:33 myhosts1
- drwxrwxr-x. 3 student student 17 Oct 14 07:36 servera
- [student@workstation ~]$ tree servera
- servera
- └── tmp
- └── abc.txt
-
- 1 directory, 1 file
-
- #不拷贝目录结构,拷过来直接就是文件
- [student@workstation ~]$ ansible servera -m fetch -a 'src=/tmp/abc.txt dest=/home/student/ flat=yes'
- servera | CHANGED => {
- "changed": true,
- "checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "dest": "/home/student/abc.txt",
- "md5sum": "d41d8cd98f00b204e9800998ecf8427e",
- "remote_checksum": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
- "remote_md5sum": null
- }
- [student@workstation ~]$ ll
- total 16
- -rw-rw-r--. 1 student student 0 Oct 14 07:48 abc.txt
- -rw-rw-r--. 1 student student 238 Oct 12 13:27 ansible.cfg
- -rw-rw-r--. 1 student student 29 Oct 14 04:06 date.sh
- -rw-rw-r--. 1 student student 8 Oct 12 09:34 list
- -rw-rw-r--. 1 student student 105 Oct 12 13:33 myhosts1
-
- #注意一个报错:
- "msg": "dest is an existing directory, use a trailing slash if you want to fetch src into that directory"
- flat=yes时目录已存在,需要在目录后加个斜杠
8.yum/apt/dnf
主要用于软件包管理
参数列表:
name:进行操作的软件包名,可以是本地rpm包路径也可以是网络文件url地址
state:可选项present(安装),absent(删除),latest(更新)
示例:
- [student@workstation ~]$ ansible servera -m yum -a 'name="bind" state=present'
- servera | SUCCESS => {
- "ansible_facts": {
- "discovered_interpreter_python": "/usr/libexec/platform-python"
- },
- "changed": false,
- "msg": "Nothing to do",
- "rc": 0,
- "results": [
- "Installed: bind"
- ]
- }
-
- [student@workstation ~]$ ansible servera -m yum -a 'name="httpd" state=latest'
- #更新某个包
9.service模块
主要用于各种服务的设置
参数列表:
enabled:yes/no,是否开机自启动
name:服务名称
state:可选项started,stopped,restarted,reloaded
daemon_reload:yes/no,是否配置文件重载
示例:
[student@workstation ~]$ ansible servera -m service -a 'name=httpd state=started'10.systemd模块
主要用于服务配置文件变化后的服务管理
参数和用法同service模块
11.get_url
主要用于从http/https,ftp等服务器上下载资源,可以理解为linux上的wget命令
参数列表:
sha256sum:下载完成后进行完整性验证
timeout:超时时间,默认10秒
url:指定url地址,url=地址
urlpassword/urlusername:验证用户密码和名称
use_proxy:使用代理
owner:指定属主
group:指定属组
12.cron模块
主要用于计划任务管理
参数列表:
name:自定义名称,尽量贴近任务内容
minute:多少分钟,*/2表示每两分钟
hour:时
day:日
month:月
weekday:周几
state:可选项present(创建),absent(删除)
job:需要执行的具体任务,在state=present的前提下
backup:是否在做计划任务前对原本内容进行备份
user:以哪个用户的身份来执行
13.user模块
主要用于用户管理,user与group模块用法类似
参数列表:
name:指定用户名
uid:指定该用户uid
group:指定该用户所属组(私有组)
groups:指定该用户附加组
state:可选项present(创建),absent(删除)
remove:当state=absent时,remove表示将该用户的家目录一起删除
password:指定密码
home:家目录位置
createhome:yes/no,是否创建家目录
shell:shell类型
示例:
- [student@workstation ~]$ ansible servera -m user -a 'name=sulibao state=present password="slb123"'
-
- [student@workstation ~]$ ansible servera -m shell -a 'cat /etc/passwd | grep sulibao'
- servera | CHANGED | rc=0 >>
- sulibao:x:1002:1002::/home/sulibao:/bin/bash
-
- [student@workstation ~]$ ansible servera -m shell -a 'cat /etc/shadow | grep sulibao'
- servera | CHANGED | rc=0 >>
- sulibao:slb123:19645:0:99999:7:::
14.Archive(打包压缩)/unarchive(解包解压)模块
参数列表:
copy:yes/no,yes将管理节点上的压缩包传送到受管节点后解压至特定目录,no将受管节点的压缩包解压到指定路径下
src:原路径,若是受管节点的路径需要设置copy=no
dest:受管节点的目标路径
mode:压缩文件解压后权限设置
四.Ansible-vault作用
1.ansible的vault主要是为了方便进行密码或API密钥登敏感数据的访问,可以加密和解密任何通过ansible构建的结构化数据文件(清单变量、playbook的变量文件、playbook传递的参数变量文件、ansible角色定义的变量)
2.通过ansible-vault的命令行工具进行创建、编辑、加密、解密或查看,但不实施自有的加密函数,使用的外部python工具集
- [root@main ~]# ansible-vault --help
- usage: ansible-vault [-h] [--version] [-v]
- {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
- ...
-
- encryption/decryption utility for Ansible data files
-
- positional arguments:
- {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
- create Create new vault encrypted file
- decrypt Decrypt vault encrypted file
- edit Edit vault encrypted file
- view View vault encrypted file
- encrypt Encrypt YAML file
- encrypt_string Encrypt a string
- rekey Re-key a vault encrypted file
-
- optional arguments:
- --version show program's version number, config file location,
- configured module search path, module location,
- executable location and exit
- -h, --help show this help message and exit
- -v, --verbose verbose mode (-vvv for more, -vvvv to enable
- connection debugging)
-
- See 'ansible-vault <command> --help' for more information on a specific
- command.
五.常用的操作
1.create创建加密文件
需要指定加密文件的密码,后续对这个加密文件进行操作时需要用到这个密码
- [root@main ~]# ansible-vault create secretfile #创建加密文件
- New Vault password: #输入确认两次密码
- Confirm New Vault password:
- #写入内容
- name: su
- password: redhat
- #直接查看时已经被加密
- [root@main ~]# cat secretfile
- $ANSIBLE_VAULT;1.1;AES256
- 35336161343764376662613932656566636139373031663861623839386363396161616664313962
- 3539303532323266386435393039383638303263383363330a613064326632333666323739306563
- 65356661363239383535636136633934356437633735313938636166393734333637663165636630
- 3861653063636137300a306634323064386432393831353931306537363966373562313630356139
- 65353565336662333134326563346261396236396464656238303062336335386666
2.view查看加密文件
- [root@main ~]# ansible-vault view secretfile
- Vault password: #输入创建加密文件时的密码
- name: su
- password: redhat
3.交互输入密码和避免交互输入密码
(1)交互输出密码使用命令行表示出来应该是“--ask-vault-pass”
(2)将加密文件的密码放到文件内,进行操作加密文件时在命令行指定密码文件
- [root@main ~]# cat mysecret #这个密码文件同样需要谨慎保管,可以设置600权限避免滥用
- redhat
-
- [root@main ~]# ansible-vault view secretfile --vault-password-file=mysecret
- name: su
- password: redhat
(3)将密码文件指定到配置文件
- [root@main ~]# cat ansible.cfg | grep vault_password
- vault_password_file = /root/mysecret
4.edit修改加密文件
[root@main ~]# ansible-vault --vault-password-file=mysecret edit secretfile5.rekey修改加密文件的密码
新密码修改完成后需要使用新密码才能对加密文件进行操作
- [root@main ~]# ansible-vault rekey secretfile
- Vault password:
- New Vault password:
- Confirm New Vault password:
- Rekey successful #修改成功
6.encrypt对已有文件加密
- [root@main ~]# cat waitsecret
- hello
- [root@main ~]# ansible-vault encrypt waitsecret
- New Vault password:
- Confirm New Vault password:
- Encryption successful
- [root@main ~]# cat waitsecret #加密完成
- $ANSIBLE_VAULT;1.1;AES256
- 63343934373833633035343763303163336538303363326137396362396365323538613062613436
- 6331633533383465333034653962613062616330363964630a616532313364343061353362376631
- 34346430373739636235323666333033386637633431313966626136306336306534396136326161
- 3933333463613235310a393432396663396533376161613166303534656638306564373532353234
- 3162
7.decrypt解密加密文件
- [root@main ~]# cat waitsecret
- $ANSIBLE_VAULT;1.1;AES256
- 63343934373833633035343763303163336538303363326137396362396365323538613062613436
- 6331633533383465333034653962613062616330363964630a616532313364343061353362376631
- 34346430373739636235323666333033386637633431313966626136306336306534396136326161
- 3933333463613235310a393432396663396533376161613166303534656638306564373532353234
- 3162
- [root@main ~]# ansible-vault decrypt waitsecret
- Vault password:
- Decryption successful
- [root@main ~]# cat waitsecret
- hello
六.ansible-vault创建用户案例
1.准备用户的名称和hash后的密码文件并加密
- [root@main ~]# vim user.yaml
- username: "sulibao"
- pwdhash: "$6$xJ7udt0hon8ACTGd$nRo7zGW89KII60I4eFrGGtCPbWgY4ErvOALdndlFJSQnmkBURxswxoJK4KruuB3T6SykTyKivHpwusKeyvz.G0"
- [root@main ~]# ansible-vault encrypt user.yaml
- New Vault password:
- Confirm New Vault password:
- Encryption successful
- [root@main ~]# cat user.yaml
- $ANSIBLE_VAULT;1.1;AES256
- 64316439306661616264663962653739626665326161663161613234613932323630346561306534
- 6266623364666131376464316463383265326562383764380a613930363161626339316634316436
- 63303939376331313665613334383666323165323562326135383765643663633334363361653939
- 3438306135663964390a386638396566643634643635393039623732623861646664313361336330
- 63363733633363393563396131363333333065323131643965383139626236623635333537356162
- 65626163303136306466316662323939343837663665333961343838616234353961643565316466
- 31393332656162313966663835643464383838626331356235333437653565353738366165313264
- 36643637386163333030393162376162393439396166323932646238623637323666313533626438
- 33616535663333386635366432323335376434646137366130626137396538303464376531376231
- 66353933303332626635613236353363306431363438623935353235303833373062343665636332
- 633532613263646463613864613132623561
2.剧本文件
(1)编写剧本文件
- [root@main ~]# cat createuser.yaml
- ---
- - hosts: servera
- vars_files:
- - user.yaml
- tasks:
- - name: create user sulibao
- user:
- name: "{{ username }}"
- password: "{{ pwdhash }}"
(2)运行剧本文件
- [root@main ~]# ansible-playbook createuser.yaml --syntax-check
- ERROR! Attempting to decrypt but no vault secrets found
这样可以选择创建一个文件存放user.yaml文件的密码从而执行脚剧本,也可以声明直接交互输入密码
- [root@main ~]# ansible-playbook createuser.yaml --vault-password-file=useryamlmima
- #或者
- #[root@main ~]# ansible-playbook createuser.yaml --ask-vault-pass
- #Vault password:
-
- PLAY [servera] **********************************************************************************************************************************
-
- TASK [create user sulibao] **********************************************************************************************************************
- changed: [servera]
-
- PLAY RECAP **************************************************************************************************************************************
- servera : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
-
- [root@main ~]# ansible servera -m shell -a 'grep sulibao /etc/passwd'
- servera | CHANGED | rc=0 >>
- sulibao:x:1001:1001::/home/sulibao:/bin/bash
3.登录验证
- [root@main ~]# ssh sulibao@servera
- sulibao@servera's password:
- [sulibao@localhost ~]$
-
相关阅读:
C#Regex正则表达式(Regular Expression)
Linux安装 swoole
短信删了怎样找回信息
DNS的原理介绍
【重识云原生】第四章云网络4.9.5.1节下一代智能网卡——DPU综述
【JAVA程序设计】(C00087)基于Servlet+jsp的学生成绩管理系统
Principled Instructions Are All You Need for Questioning LLaMA-1/2, GPT-3.5/4
pycharm如何远程连接服务器上的docker容器
linux下安装mysql客户端client
Unity 场景烘培 ——unity Post-Processing后处理1(四)
- 原文地址:https://blog.csdn.net/weixin_64334766/article/details/133842774