本文介绍Ansible基础概念、安装配置、常用模块,以及实战批量部署案例。
前言
管理1台服务器,手工操作没问题。
管理10台服务器,写脚本能应付。
管理100台服务器,必须用自动化工具。
Ansible是最流行的自动化运维工具之一,无需在目标机器安装Agent,基于SSH即可工作。
今天来入门Ansible。
一、Ansible简介
1.1 为什么选择Ansible
| 特点 | 说明 |
|---|---|
| 无Agent | 基于SSH,目标机器无需安装客户端 |
| YAML语法 | Playbook易读易写 |
| 幂等性 | 多次执行结果一致 |
| 模块丰富 | 几千个现成模块 |
| 推送模式 | 从控制机推送到目标机 |
1.2 Ansible架构
┌─────────────────┐ │ 控制机 │ │ (Ansible) │ └────────┬────────┘ │ SSH ┌────────┴────────┐ │ │ ↓ ↓ ┌─────────┐ ┌─────────┐ │ 目标机1 │ │ 目标机2 │ │ (被管理) │ │ (被管理) │ └─────────┘ └─────────┘核心组件:
- Inventory:主机清单
- Module:执行模块
- Playbook:剧本(任务编排)
- Role:角色(可复用的Playbook集合)
二、安装配置
2.1 安装Ansible
# Ubuntu/Debianaptupdateaptinstallansible# CentOS/RHELyuminstallepel-release yuminstallansible# pip安装(推荐,版本更新)pipinstallansible# 验证ansible --version2.2 配置SSH免密登录
# 生成密钥(如果没有)ssh-keygen -t rsa -b4096# 复制公钥到目标机器ssh-copy-id user@192.168.1.10 ssh-copy-id user@192.168.1.11 ssh-copy-id user@192.168.1.12# 测试sshuser@192.168.1.102.3 配置Inventory
# /etc/ansible/hosts 或 ./inventory # 单个主机 192.168.1.10 # 主机组 [webservers] 192.168.1.10 192.168.1.11 192.168.1.12 [dbservers] 192.168.1.20 ansible_user=mysql # 带变量 [webservers:vars] ansible_user=deploy ansible_port=22 # 组嵌套 [production:children] webservers dbservers2.4 ansible.cfg配置
# ./ansible.cfg 或 /etc/ansible/ansible.cfg [defaults] inventory = ./inventory remote_user = deploy private_key_file = ~/.ssh/id_rsa host_key_checking = False timeout = 30 [privilege_escalation] become = True become_method = sudo become_user = root become_ask_pass = False三、Ad-Hoc命令
3.1 基本语法
ansible<主机/组>-m<模块>-a"<参数>"3.2 常用示例
# 测试连通性ansible all -mping# 执行命令ansible webservers -m shell -a"uptime"# 查看内存ansible webservers -m shell -a"free -h"# 复制文件ansible webservers -m copy -a"src=/tmp/file.txt dest=/tmp/file.txt"# 安装软件ansible webservers -mapt-a"name=nginx state=present"--become# 管理服务ansible webservers -mservice-a"name=nginx state=started"--become# 创建用户ansible webservers -m user -a"name=deploy state=present"--become四、常用模块
4.1 文件操作
# copy - 复制文件-copy:src:/local/filedest:/remote/fileowner:rootmode:'0644'# file - 文件/目录管理-file:path:/data/appstate:directoryowner:deploymode:'0755'# template - 模板渲染-template:src:nginx.conf.j2dest:/etc/nginx/nginx.conf# lineinfile - 修改文件行-lineinfile:path:/etc/hostsline:"192.168.1.100 myserver"state:present4.2 软件管理
# apt - Debian系-apt:name:nginxstate:presentupdate_cache:yes# yum - RedHat系-yum:name:nginxstate:present# pip - Python包-pip:name:flaskstate:presentvirtualenv:/opt/app/venv4.3 服务管理
# service/systemd-systemd:name:nginxstate:startedenabled:yesdaemon_reload:yes4.4 用户管理
# user-user:name:deploygroups:sudoshell:/bin/bashstate:present# authorized_key-authorized_key:user:deploykey:"{{ lookup('file', '~/.ssh/id_rsa.pub') }}"五、Playbook编写
5.1 基本结构
# deploy.yml----name:Deploy Web Applicationhosts:webserversbecome:yesvars:app_name:myappapp_port:8080tasks:-name:Install required packagesapt:name:-nginx-python3-python3-pipstate:presentupdate_cache:yes-name:Create app directoryfile:path:/opt/{{app_name}}state:directoryowner:deploymode:'0755'-name:Copy application filescopy:src:./app/dest:/opt/{{app_name}}/owner:deploy-name:Start nginxsystemd:name:nginxstate:startedenabled:yes5.2 执行Playbook
# 执行ansible-playbook deploy.yml# 检查语法ansible-playbook deploy.yml --syntax-check# 预演(不真正执行)ansible-playbook deploy.yml --check# 指定主机ansible-playbook deploy.yml --limit webservers# 显示详细信息ansible-playbook deploy.yml -v# -vv, -vvv更详细5.3 变量
# 在Playbook中定义vars:http_port:80app_name:myapp# 在变量文件中vars_files:-vars/main.yml# 命令行传入ansible-playbook deploy.yml-e "http_port=8080"# 使用变量tasks:-name:Configure porttemplate:src:config.j2dest:/etc/app/configvars:port:"{{ http_port }}"5.4 条件判断
tasks:-name:Install nginx on Debianapt:name:nginxwhen:ansible_os_family == "Debian"-name:Install nginx on RedHatyum:name:nginxwhen:ansible_os_family == "RedHat"5.5 循环
tasks:-name:Install packagesapt:name:"{{ item }}"state:presentloop:-nginx-vim-git-name:Create usersuser:name:"{{ item.name }}"groups:"{{ item.groups }}"loop:-{name:'user1',groups:'sudo'}-{name:'user2',groups:'docker'}5.6 Handler
tasks:-name:Update nginx configtemplate:src:nginx.conf.j2dest:/etc/nginx/nginx.confnotify:Restart nginxhandlers:-name:Restart nginxsystemd:name:nginxstate:restarted六、实战案例
6.1 批量初始化服务器
# init_server.yml----name:Initialize Servershosts:allbecome:yestasks:-name:Update apt cacheapt:update_cache:yescache_valid_time:3600-name:Install basic packagesapt:name:-vim-curl-wget-htop-git-net-toolsstate:present-name:Set timezonetimezone:name:Asia/Shanghai-name:Configure sysctlsysctl:name:"{{ item.key }}"value:"{{ item.value }}"sysctl_set:yesloop:-{key:'net.core.somaxconn',value:'65535'}-{key:'vm.swappiness',value:'10'}-name:Create deploy useruser:name:deploygroups:sudoshell:/bin/bash-name:Set up SSH key for deploy userauthorized_key:user:deploykey:"{{ lookup('file', '~/.ssh/id_rsa.pub') }}"6.2 部署Nginx + 应用
# deploy_app.yml----name:Deploy Applicationhosts:webserversbecome:yesvars:app_name:myappapp_port:8080tasks:-name:Install Nginxapt:name:nginxstate:present-name:Configure Nginxtemplate:src:templates/nginx.conf.j2dest:/etc/nginx/sites-available/{{app_name}}notify:Restart nginx-name:Enable sitefile:src:/etc/nginx/sites-available/{{app_name}}dest:/etc/nginx/sites-enabled/{{app_name}}state:link-name:Deploy applicationcopy:src:app/dest:/opt/{{app_name}}/-name:Install dependenciespip:requirements:/opt/{{app_name}}/requirements.txtvirtualenv:/opt/{{app_name}}/venvhandlers:-name:Restart nginxsystemd:name:nginxstate:restarted6.3 组网批量部署
如果你的服务器分布在不同地点,可以先用组网软件(如星空组网)连接起来,然后通过组网的虚拟IP进行Ansible管理:
# inventory [remote_servers] 10.10.0.1 ansible_host=10.10.0.1 # 组网虚拟IP 10.10.0.2 ansible_host=10.10.0.2 10.10.0.3 ansible_host=10.10.0.3 [remote_servers:vars] ansible_user=deploy这样即使服务器没有公网IP,也能通过组网进行批量管理,非常方便。
七、Role组织
7.1 Role结构
roles/ └── nginx/ ├── tasks/ │ └── main.yml ├── handlers/ │ └── main.yml ├── templates/ │ └── nginx.conf.j2 ├── files/ ├── vars/ │ └── main.yml └── defaults/ └── main.yml7.2 使用Role
# site.yml----hosts:webserversbecome:yesroles:-nginx-php-mysql7.3 Ansible Galaxy
# 搜索Roleansible-galaxy search nginx# 安装Roleansible-galaxyinstallgeerlingguy.nginx# 列出已安装ansible-galaxy list八、最佳实践
8.1 目录结构
project/ ├── ansible.cfg ├── inventory/ │ ├── production │ └── staging ├── group_vars/ │ ├── all.yml │ └── webservers.yml ├── host_vars/ │ └── 192.168.1.10.yml ├── roles/ │ ├── common/ │ └── nginx/ ├── playbooks/ │ ├── deploy.yml │ └── init.yml └── templates/8.2 安全建议
# 使用Ansible Vault加密敏感信息ansible-vault create secrets.yml ansible-vault edit secrets.yml# 使用加密变量ansible-playbook deploy.yml --ask-vault-pass# 或使用密码文件ansible-playbook deploy.yml --vault-password-file ~/.vault_pass8.3 调试技巧
# 打印变量-debug:var:ansible_facts# 打印消息-debug:msg:"The value is {{ my_var }}"# 注册结果-shell:whoamiregister:result-debug:var:result.stdout九、总结
Ansible入门要点:
- 基础概念:Inventory、Module、Playbook、Role
- SSH免密:Ansible基于SSH,先配置好免密登录
- Ad-Hoc:简单任务用命令行
- Playbook:复杂任务用YAML编排
- 幂等性:多次执行结果一致
- 模块化:用Role组织可复用的配置
常用命令速查:
# 测试连通性ansible all -mping# 执行命令ansible all -m shell -a"uptime"# 执行Playbookansible-playbook deploy.yml# 检查语法ansible-playbook deploy.yml --syntax-check# 预演ansible-playbook deploy.yml --check参考资料
- Ansible官方文档:https://docs.ansible.com/
- Ansible Galaxy:https://galaxy.ansible.com/
- 《Ansible权威指南》
💡建议:从简单的Ad-Hoc命令开始,熟练后再写Playbook。不要一开始就追求完美的Role结构。
