Day38
Author: 孫鵬鵬
Archive: after-class notes
Date: 2019/4/23
Chapter 1:
SSH batch-management project: how to finish it with one key in one second.
#1. ssh-keygen: create the key pair non-interactively
Command: ssh-keygen -f ~/.ssh/id_rsa -P '' -q
Parameter explanation:
ssh-keygen: key-pair creation tool
      [-P old_passphrase]  passphrase
      [-f output_keyfile]  output key file
      [-q]                 print no messages
      [-t dsa]             specify the key type.
#2. ssh-copy-id: distribute the public key without the yes/no prompt
Command: ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no 172.16.1.8
##Parameter explanation:
ssh-copy-id -f -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@172.16.1.8
ssh-copy-id [-f] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
##Notes:
-f: force mode
[-i [identity_file]]: specify the key file
[[-o <ssh -o options>] ...]: pass ssh option(s) through to ssh.
#3. sshpass: distribute the key non-interactively by supplying the password
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
[root@web02 ~]# sshpass -help
Usage: sshpass [-f|-d|-p|-e] [-hV] command parameters
##Parameter explanation:
-ppassword   Provide password as argument (security unwise)    #operate with the given user password
#4. One-key configuration in practice
Use web02 as the distribution server:
web02(8)-->m01(61)
web02(8)-->web01(7)
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.7
#!/bin/bash
#yum install sshpass -y
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 61
do
  sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
ssh 172.16.1.61 "ifconfig eth0"
##Oldboy Linux class 58: ansible automated management in practice
##History of operations
#1. Introduction to ansible
SSH key authentication + scripts for batch management. Characteristics: simple and practical,
but it looks rather low-tech and requires writing scripts by hand; it is comparable to the inotify tool for real-time replication.
Before 2013 this approach was very common.
MySQL high-availability MHA clusters require key authentication between all machines.
Big-data clusters need it too.
#2. History of batch-management tools
SSH+scripts   before 2008
CFEngine      2007-2008
Puppet        2010-2013
saltstack     2014-2017 (developed in Python)
ansible       2016- (developed in Python)
Sina.com
#3. Why use ansible?
Simple, convenient, easy to learn, and just as powerful.
ansible has a configuration file and can run multi-threaded directly; no scripts need to be written. It is comparable to sersync for real-time replication.
#4. What is ansible?
Ansible is a tool for managing servers remotely.
Ansible is a tool for deploying services on remote hosts in batches. Here "remote host" means any host that can be logged into via SSH, so it can be a remote virtual or physical machine, or the local host.
Ansible communicates between the management node and the remote nodes over the SSH protocol. In theory, any operation that can be done by logging into a remote host over SSH can be automated in batch with Ansible.
Management operations covered: copying files, installing services, starting and stopping services, configuration management, and so on.
#5. Why use batch-management tools for operations?
To improve efficiency: Baidu has tens of thousands of servers, Alibaba hundreds of thousands.
How to save money?
SSD+SATA hot-spot storage 15 15 7
#6. Ansible characteristics
Ansible is implemented in Python and built on two key modules, Paramiko and PyYAML.
Shell and Python are the two languages every Linux operations student must know.
##1) Installation and deployment are very simple; the learning curve is flat.
##2) No separate client needs to be installed; it only uses the existing SSHD service (protocol).
##3) No server side is needed (no servers).
##4) ansible playbooks use YAML configuration to orchestrate automation tasks in advance.
##5) ansible has many functional modules and rich support for automation scenarios.
Official site: http://docs.ansible.com
#7. Ansible architecture (see the diagram)
##1. Connection plugins (connector plugins): used to connect to hosts, i.e. to the managed nodes
##2. Core modules: connect to hosts and perform operations; ansible relies on specific modules to do specific things
##3. Custom modules: modules written for your own needs
##4. Plugins: supplement module functionality
##5. Playbooks: ansible configuration files; multiple tasks are defined in a playbook and executed automatically by ansible
##6. Host inventory: defines the range of hosts ansible operates on
The most important point: ansible is modular; all of its operations depend on modules.
(If you know Python you can extend it.)
#7. Preparing the ansible practice environment
61(m01)====>31(nfs01)
61(m01)====>41(backup)
#8. Install ansible
m01 (management host):
yum install epel-release -y
yum install ansible -y
#If libselinux-python is already present, skip the commands below.
#rpm -qa | grep libselinux-python
#yum install libselinux-python -y
All other machines:
#rpm -qa | grep libselinux-python
#yum install libselinux-python -y
#10. Host list configuration
How the ssh-list approach does it:
for n in 7 8
do
 echo 172.16.1.$n
done
/etc/ansible/hosts is the host asset inventory file, used to define the authentication information of the managed hosts,
for example the ssh login user name, password and key details. How to configure the Inventory file:
##1. Hosts support host-name wildcards and regular expressions; for example web[1:3].oldboy.com represents three hosts
##2. Hosts support non-standard ssh ports, for example web1.oldboyedu.com:6666
##3. Hosts support per-host variables for the special configuration of individual hosts, such as the login user/password
##4. Host groups support variables via [group_name:vars] and nested groups via [game:children]
Practice:
cp /etc/ansible/hosts{,.ori}
cat >/etc/ansible/hosts<<EOF
[oldboy]
172.16.1.31
172.16.1.41
[oldgirl]
172.16.1.31
172.16.1.41
172.16.1.51
EOF
cat /etc/ansible/hosts
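As an added example (not part of the original notes and not Ansible's own code), the following Python parses an inventory in the /etc/ansible/hosts INI format described above: it expands web[1:3]-style ranges, picks up host:port, per-host and [group:vars] variables and [group:children] nesting, and lists the hosts whose entry carries a plaintext ansible_ssh_pass so they can be moved to key authentication. The sample inventory is constructed; its hosts and password are hypothetical.

```python
import re
# Constructed sample in the /etc/ansible/hosts INI format (hypothetical hosts and password).
SAMPLE_INVENTORY = """
[web]
web[1:3].oldboy.com:6666
172.16.1.7 ansible_port=52113 ansible_user=root ansible_ssh_pass=123456
[storage]
172.16.1.31
[web:vars]
ansible_user=deploy
[game:children]
web
storage
"""
RANGE_RE = re.compile(r"\[(\d+):(\d+)\]")

def expand_pattern(spec):
    # web[1:3].oldboy.com -> web1.oldboy.com, web2.oldboy.com, web3.oldboy.com
    m = RANGE_RE.search(spec)
    if not m:
        return [spec]
    return [spec[:m.start()] + str(i) + spec[m.end():] for i in range(int(m.group(1)), int(m.group(2)) + 1)]

def parse_inventory(text):
    # Returns ({group: {host: vars}}, {group: vars}, {group: [child groups]})
    hosts, group_vars, children = {}, {}, {}
    group, kind = None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":          # [name], [name:vars] or [name:children]
            group, _, kind = line[1:-1].partition(":")
        elif kind == "vars":
            k, _, v = line.partition("=")
            group_vars.setdefault(group, {})[k.strip()] = v.strip()
        elif kind == "children":
            children.setdefault(group, []).append(line)
        else:
            spec, *pairs = line.split()
            # a trailing :NNNN is a non-standard ssh port; the [1:3] range colon must not be taken for one
            name, port = re.match(r"(.*?)(?::(\d+))?$", spec).groups()
            hvars = dict(p.split("=", 1) for p in pairs)
            if port:
                hvars["ansible_port"] = port
            for h in expand_pattern(name):
                hosts.setdefault(group, {})[h] = dict(hvars)
    return hosts, group_vars, children

def plaintext_password_hosts(hosts):
    # Hosts whose entry carries ansible_ssh_pass: candidates to move to key authentication
    return sorted(h for g in hosts.values() for h, v in g.items() if "ansible_ssh_pass" in v)
```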
/etc/ansible/ansible.cfg
#ansible's configuration file
#11. First try
Running the following command directly may report an error:
ansible oldboy -m command -a "free -m"
This assumes SSH key authentication is already in place.
If SSH key authentication has not been set up, the user name and password can be written into
/etc/ansible/hosts:
[oldboy_pass]
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.8 ansible_ssh_user=root ansible_ssh_pass=123456
For ansible oldboy -m command -a "free -m" to succeed, the yes/no prompt problem must be solved first.
##1. ssh to each host once.
##2. Use the ssh -o parameter
The command above is a wrapper around sshpass.
==========================================
Turning off ansible's yes/no prompt on the first ssh connection
When connecting with ssh, the -o parameter can set StrictHostKeyChecking to no,
which avoids the yes/no prompt on the first connection.
Method 1: edit line 374 of /etc/ansible/ansible.cfg
369 [ssh_connection]
370
371 # ssh arguments to use
372 # Leaving off ControlPersist will result in poor performance, so use
373 # paramiko on older platforms rather than removing it, -C controls compression use
374 #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
Change line 374 to:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
Method 2: edit line 71 of /etc/ansible/ansible.cfg
 70 # uncomment this to disable SSH key hostchecking
 71 #host_key_checking = False
Uncomment line 71: host_key_checking = False
==========================================
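Both methods above remove the prompt by switching off SSH host-key verification, so a later host-key change (or a host answering on a reused IP) is no longer noticed. As an added example (not part of the original notes and not Ansible's own code), this Python check reads an ansible.cfg and reports whether [defaults] host_key_checking is False or [ssh_connection] ssh_args carries StrictHostKeyChecking=no; the two sample configs are constructed.

```python
import configparser
import re

# Constructed ansible.cfg excerpt with both of the methods above applied (hypothetical file).
WEAK_CFG = """
[defaults]
inventory = /etc/ansible/hosts
host_key_checking = False

[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
"""
# The same file with host-key verification left on (line 71 still commented, no -o override).
SAFE_CFG = """
[defaults]
inventory = /etc/ansible/hosts
# host_key_checking = False

[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
"""
SSH_OPT_RE = re.compile(r"-o\s*([A-Za-z]+)=(\S+)")   # matches "-o Key=val" and "-oKey=val"

def ssh_args_options(ssh_args):
    # ssh option names are case-insensitive, so normalise the keys to lower case
    return {k.lower(): v for k, v in SSH_OPT_RE.findall(ssh_args)}

def audit_host_key_checking(cfg_text):
    # Returns the settings that make Ansible skip SSH host-key verification (empty list = none found)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    findings = []
    hkc = cfg.get("defaults", "host_key_checking", fallback="True").strip()
    if hkc.lower() in ("false", "no", "0"):
        findings.append("[defaults] host_key_checking = " + hkc)
    args = cfg.get("ssh_connection", "ssh_args", fallback="")
    if ssh_args_options(args).get("stricthostkeychecking", "").lower() == "no":
        findings.append("[ssh_connection] ssh_args contains StrictHostKeyChecking=no")
    return findings
```

If the audit reports a finding, the prompt can instead be avoided by pre-populating ~/.ssh/known_hosts on the management host (for example from ssh-keyscan output whose fingerprints are verified out of band), which keeps the check on.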
[root@m01 /server/scripts]# > ~/.ssh/known_hosts
[root@m01 /server/scripts]# ssh 172.16.1.31
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? ^C
[root@m01 /server/scripts]# ansible oldboy -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          88         592          13         291         708
Swap:           767           0         767
172.16.1.41 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          89         572          13         310         706
Swap:           767           0         767
Goal: does ansible need passwordless (SSH key) authentication? yes
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.7
Restore the ansible.cfg configuration and reboot the server
[root@m01 ~]# ansible oldboy -m command -a "free -m"
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:qZSBkrmOv7xO/63qOU1uLXkPyNVHdkqvrNAcAmXqNEk.
ECDSA key fingerprint is MD5:23:d0:cb:a9:f4:7c:0b:eb:2d:07:00:e1:a3:12:d8:33.
Are you sure you want to continue connecting (yes/no)?
Solving the yes/no prompt problem:
Edit line 374 of ansible.cfg:
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no
Run it again; now it reports an error:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
    "unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
Solving the public-key problem:
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7
do
  sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.7 "ifconfig eth0"
Run the ansible command:
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.31 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
172.16.1.7 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          69         807           7          95         771
Swap:           767           0         767
for ip in 31
do
  sshpass -p123456 ssh-copy-id -f -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
#test
ssh 172.16.1.31 "ifconfig eth0"
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          69         807           7          95         771
Swap:           767           0         767
172.16.1.31 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          71         804           7          96         768
Swap:           767           0         767
Verification: if the public key is deleted, does it stop working?
After a reboot it no longer works; before the reboot it still did.
[root@m01 ~]# ansible oldboy -m command -a "free -m"
172.16.1.7 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,password).",
    "unreachable": true
}
172.16.1.31 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Could not create directory '/root/.ssh'.\r\nWarning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
Edit hosts to add the user name and password:
[root@m01 ~]# cat /etc/ansible/hosts
#[oldboy]
#172.16.1.31
#172.16.1.7
[oldboy_pass]
172.16.1.31 ansible_ssh_user=root ansible_ssh_pass=123456
172.16.1.7 ansible_ssh_user=root ansible_ssh_pass=123456
Result:
[root@m01 ~]# ansible oldboy_pass -m command -a "free -m"
172.16.1.31 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          79         791           7         101         758
Swap:           767           0         767
172.16.1.7 | CHANGED | rc=0 >>
              total        used        free      shared  buff/cache   available
Mem:            972          69         806           7          95         771
Swap:           767           0         767
Conclusion: connecting over SSH:
Password authentication: add the password after the host in hosts          (Paramiko module)   Key point:
Key authentication: distribute the public key in advance; only then can ansible be used.   (SSHPASS tool)
http://docs.ansible.com/ansible/latest/intro_inventory.html#list-of-behavioral-inventory-parameters
Non-standard port:
[oldboy]
172.16.1.7  ansible_port=52113  ansible_user=root ansible_ssh_pass=123456
172.16.1.8  ansible_port=52113  ansible_user=root ansible_ssh_pass=123456
#12. Practice based on SSH key authentication
Create and distribute the keys in one step:
#!/bin/bash
ssh-keygen -f ~/.ssh/id_rsa -P '' -q
for ip in 7 8 41 31
do
  sshpass -p123456 ssh-copy-id -i ~/.ssh/id_rsa.pub "-o StrictHostKeyChecking=no" 172.16.1.$ip
done
[root@m01 ~]# cat /etc/ansible/hosts
[oldboy]
172.16.1.31
172.16.1.41
172.16.1.7
[root@m01 ~]# ansible oldboy -m command -a "free -m" #same as the earlier sh cmd.sh "free -m"
#11. ansible command parameters
-m MODULE_NAME    module name; default command
-a MODULE_ARGS    module arguments
-f FORKS          number of parallel processes; default 5.
-i INVENTORY      (default=/etc/ansible/hosts) specify the host list file
===================
ansible
ansible-doc
ansible-playbook
ansible-galaxy
===================
#12. Viewing ansible modules and help *****
Find modules:
ansible-doc -l          #modules correspond to Linux commands.
View the detailed parameter help for a module:
ansible-doc -s command  #like the parameters of a Linux command

#12.1 command module *****
##1) Function description:
command  Executes a command on a remote node
Function: execute a command on a remote node
Practice:
ansible oldboy -m command -a "free -m"
ansible oldboy -m command -a "df -h"
ansible oldboy -m command -a "ls /root"
ansible oldboy -m command -a "cat redhat-release"
ansible oldboy -m command -a "cat /etc/redhat-release"
The most general-purpose function.
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/redhat-release"
172.16.1.7 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.31 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
172.16.1.41 | CHANGED | rc=0 >>
CentOS Linux release 7.6.1810 (Core)
[root@m01 ~]# cat /server/scripts/cmd.sh
for n in 31 41
do
   echo "=====172.16.1.$n======"
   ssh 172.16.1.$n "$1"
done
[root@m01 ~]# sh /server/scripts/cmd.sh "cat /etc/redhat-release"
=====172.16.1.31======
CentOS Linux release 7.6.1810 (Core)
=====172.16.1.41======
CentOS Linux release 7.6.1810 (Core)
Special case: things the command module does not support, such as > < | & and $HOME; the alternative is the shell module
ansible oldboy -m shell -a "ps -ef|grep ssh"
ansible oldboy -m shell -a "echo oldboy >/tmp/a.log"
##2) Common parameters and practice
[root@m01 ~]# ansible-doc -s command
- name: Executes a command on a remote node
  command:
      argv:                  # Allows the user to provide the command as a list vs. a string.  Only the
                               string or the list form can be provided, not
                               both.  One or the other must be provided.
      chdir:                 # Change into this directory before running the command.
      creates:               # A filename or (since 2.0) glob pattern. If it already exists, this step
                               *won't* be run.
      free_form:             # (required) The command module takes a free form command to run.  There is no
                               parameter actually named 'free form'. See the
                               examples!
      removes:               # A filename or (since 2.0) glob pattern. If it already exists, this step *will* be run.
      stdin:                 # Set the stdin of the command directly to the specified value.
      warn:                  # If command_warnings are on in ansible.cfg, do not warn about this particular
                               line if set to `no'.
Parameter chdir=/tmp is equivalent to cd /tmp
[root@m01 ~]# ansible oldboy -m command -a "pwd chdir=/etc"
ansible oldboy -m shell -a "cd /etc/;pwd"
Parameter creates=/etc is equivalent to the conditional test [ -e /etc ] || pwd, the opposite of removes below
[root@m01 ~]# ansible oldboy -m command -a "pwd creates=/etc"
Parameter removes=/root is equivalent to the conditional test [ -e /root ] && ls /root
ansible oldboy -m command -a "ls /root removes=/root"
ansible oldboy -m shell -a "[ -d /etc ]||pwd"
[root@m01 ~]# ansible oldboy -m command -a "cat /etc/hosts removes=/etc/hosts"
Parameter warn=False ignores warnings
[root@m01 ~]# ansible oldboy -m command -a "chmod 000 /etc/hosts warn=False"
More: the official documentation at http://docs.ansible.com/ansible/latest/command_module.html or ansible-doc -s command