①ansible-playbook的循环:
重复执行某任务;对迭代项的引用,固定变量名为“item”,而后要在task中使用with_items给定要迭代的元素列表,列表方法:字符串/字典(类似json)
- hosts: all remote_user: root tasks: - name: add some groups group: name={{ item }} state=present with_items: - demo1 - demo2 - demo3 - name: add some users user: name={{ item.name }} group={{ item.group }} state=present //模块中调用的相关参数赋值时前后均无空格 with_items: - { name: 'user1',group: 'demo1'} - { name: 'user2',group: 'demo2'} - { name: 'user3',group: 'demo3'} ////此处key后面的:与value之间要有一个空格,否则为语法错误
②ansible-playbook的条件判断:
相当于编程语言中的if语句,不过在ansible中要使用when语句,且要定义在tasks中
- hosts: all remote_user: root tasks: - name: Install httpd conf file to httpd2.2 template: src=file/httpd.conf.c6.j2 dest=/etc/httpd/conf/httpd.conf when: ansible_distribution_major_version == "6" - name: Install httpd conf file to httpd2.4 template: src=file/httpd.conf.c7.j2 dest=/etc/httpd/conf/httpd.conf when: ansible_distribution_major_version == "7" - name: Start httpd service: name=httpd state=started enabled=true
③ansible-playbook限定执行范围:
当playbook指定的一批主机中有个别主机需进行变更时,不用修改playbook本身,可通过一些命令选项直接进行限定ansible-playbook的命令执行范围。
--limit选项:
ansible-playbook test1.yaml --limit node2 //此时,ansbile-playbook中的hosts即便定义了all,也不会在node2这个组上执行playbook
或者直接在playbook的yaml文件中显式定义hosts要执行的主机,如:
指定单台主机:www.a.com
指定多台主机:www.a.com,www,b.com
指定一组主机:dbserver
也可以在执行playbook前先查看受影响的主机有哪些:
[root@node1 work]# ansible-playbook test2.yaml --list-hosts playbook: test2.yaml play #1 (all): all TAGS: [] pattern: [u'all'] hosts (2): node3 node2
④ansible加密模块Vault
在执行某些任务时,难免会触及到一些密码或敏感数据,此时需要对相关任务进行加密,ansible自带的Vault可满足大部分需求。
使用ansible-vault命令给文件加密:
[root@node1 work]# ansible-vault encrypt test5.yaml //加密命令 New Vault password: Confirm New Vault password: Encryption successful
此时查看test5.yaml的内容则显示:
[root@node1 work]# cat test5.yaml $ANSIBLE_VAULT;1.1;AES256 32366237663533633838613431653433653061396630346633396232393265376138626630646633 6635646462346665613963303061323164623265303331610a633537393239633832383334386338 39393932633163303136353934343061363330313663633535626138613537633465326232383663 3036336337333163390a623733323635653536316335323663363736303733303362353839356164 38643665363131316631646166396634616131343835366261356130343061356438363530636364 61353764383636386438636662373665613031623366396364306262396536656362336161313630 33323437623435646133643831656433653061316439323931326134386263653665633037393037 62303865383165336362
且直接使用ansible-playbook执行此文件会报错,需要先解密。这里列出ansible-vault命令的几个常用的选项:
ansible-vault命令的其他几个常用选项: edit:用于编辑ansible-vault加密过的文件 rekey:重新修改已被加密文件的密码 create:创建一个新文件,并直接对其进行加密 view:查看经过加密的文件 decrypt:解密文件
也可以在当前登录用户的家目录下的.ansible目录中创建一个文件用于存储密码,修改这些文件的权限为600,在运行时,使用如下命令进行:
ansible-playbook test5.yaml --vault-password-file /root/.ansible/vault_pass.txt // --vault-password-file PATH/TO/PASSWD_FILE
⑤简单基于roles来一键部署LAMP环境
首先看一下php的角色目录结构:
[root@node1 roles]# tree php/ php/ ├── default ├── files │ └── php-fpm.conf ├── handlers │ └── main.yaml ├── meta ├── tasks │ └── main.yaml ├── templates │ └── www.conf.j2 └── vars 7 directories, 4 files
如果使用yum安装的php-fpm的话,其配置文件被切分成了两部分默认的话,如果基于默认配置的话,则无需修改php-fpm.conf,直接修改www.conf即可。
tasks/main.yaml的内容如下:
- name: install php yum: name=php,php-fpm state=present - name: create php-fpm group group: name=www state=present - name: create php-fpm user user: name=www group=www state=present - name: install conf file1 copy: src=php-fpm.conf dest=/etc/php-fpm.conf - name: install conf file template: src=www.conf.j2 dest=/etc/php-fpm.d/www.conf notify: restart php-fpm tags: init conf file - name: start php-fpm service: name=php-fpm state=started
handlers/main.yaml的内容如下:
- name: restart php-fpm
service: name=php-fpm state=restarted
templates/www.conf.j2的内容如下:
listen = {{ ansible_eno16777736.ipv4.address }}:9000
//仅做测试演示的话,只修改此项即可。
再来看下httpd的角色目录结构:
[root@node1 httpd]# tree . ├── default ├── files │ └── index.php //php测试页 ├── handlers │ └── main.yaml ├── meta ├── tasks │ └── main.yaml ├── templates │ ├── httpd.conf.j2 //httpd的主配置文件 │ └── php.conf.j2 //此处是基于虚拟主机的php配置 └── vars └── main.yaml 7 directories, 6 files
tasks/main.yaml的内容如下:
- name: install htppd yum: name=httpd state=present - name: install conf file template: src=httpd.conf.j2 dest=/etc/httpd/conf/httpd.conf src=php.conf.j2 dest=/etc/httpd/conf.d/php.conf.j2 notify: restart httpd tags: change conf file - name: init index.php copy: src=index.php dest=/var/www/html/index.php - name: start httpd service: name=httpd state=started enabled=true
templates/php.conf.j2的内容如下(基于httpd2.4的配置):
DirectoryIndex index.php <VirtualHost *:80> ServerName www.phptest.com DocumentRoot "/var/www/html" ProxyRequests Off ProxyPassMatch ^/(.*.php)$ fcgi://localhost:9000/var/www/html/$1 <Directory "/var/www/html"> Options None AllowOverride None Require all granted </Directory> </VirtualHost>
mysql的角色目录结构大同小异,可自行基于rpm包安装或者其他安装方式定义角色文件即可。
写好角色后,再定义一个任务,跑一下即可,此处任务文件为/etc/ansible/work/role_lamp.yaml,内容如下:
- hosts: two remote_user: root roles: - httpd - php - mysql
跑完后,如无报错,且测试页能访问即可。本例只是简单的陈述了下大体的角色架构,里面还有很多需要细细雕琢之处,还需各位多多阅读官方文档或其他相关ansible的书籍,深入学习。