Ansible Definitive Guide

Ansible is a modern configuration management tool that facilitates the task of setting up and maintaining remote servers.

This cheat sheet-style guide provides a quick reference to commands and practices commonly used when working with Ansible. For an overview of Ansible and how to install and configure it, please check our guide on .

How to Use This Guide:

When you see highlighted text in this guide’s commands, keep in mind that this text should refer to hosts, usernames and IP addresses from your own inventory.

Ansible Glossary

The following Ansible-specific terms are used throughout this guide:

Control Machine / Node: a system where Ansible is installed and configured to connect to nodes and execute commands on them.
Node: a server controlled by Ansible.
Inventory File: a file that contains information about the servers Ansible controls, typically located at /etc/ansible/hosts.
Playbook: a file containing a series of tasks to be executed on a remote server.
Role: a collection of playbooks and other files that are relevant to a goal such as installing a web server.
Play: a full Ansible run. A play can have several playbooks and roles, included from a single playbook that acts as entry point.

If you’d like to practice the commands used in this guide with a working Ansible playbook, you can use from our guide on . You’ll need at least one remote server to use as a node.
To test that Ansible is able to connect and run commands and playbooks on your nodes, you can use the following command:

ansible all -m ping

The ping module will test if you have valid credentials for connecting to the nodes defined in your inventory file, in addition to testing if Ansible is able to run Python scripts on the remote server. A pong reply back means Ansible is ready to run commands and playbooks on that node.

By default, Ansible tries to connect to the nodes as your current system user, using its corresponding SSH keypair. To connect as a different user, append the command with the -u flag and the name of the intended user:

ansible all -m ping -u sammy

The same is valid for ansible-playbook:

ansible-playbook myplaybook.yml -u sammy

If you’re using a custom SSH key to connect to the remote servers, you can provide it at execution time with the --private-key option:

ansible all -m ping --private-key=~/.ssh/custom_id

This option is also valid for ansible-playbook:

ansible-playbook myplaybook.yml --private-key=~/.ssh/custom_id

If you need to use password-based authentication in order to connect to the nodes, you need to append the option --ask-pass to your Ansible command. This will make Ansible prompt you for the password of the user on the remote server that you’re attempting to connect as.

This option is also valid for ansible-playbook:

ansible-playbook myplaybook.yml --ask-pass

Providing the sudo Password

If the remote user needs to provide a password in order to run sudo commands, you can include the option --ask-become-pass in your Ansible command. This will prompt you to provide the remote user’s sudo password.

This option is also valid for ansible-playbook:

ansible-playbook myplaybook.yml --ask-become-pass
The default inventory file is typically located at /etc/ansible/hosts, but you can also use the -i option to point to custom inventory files when running Ansible commands and playbooks. This is useful for setting up per-project inventories that can be included in version control systems such as Git:

ansible all -m ping -i my_custom_inventory

The same option is valid for ansible-playbook:

ansible-playbook myplaybook.yml -i my_custom_inventory

Ansible supports inventory scripts for building dynamic inventory files. This is useful if your inventory fluctuates, with servers being created and destroyed often.

You can find a number of on the official Ansible GitHub repository. After downloading the desired script to your Ansible control machine and setting up any required information, such as API credentials, you can use the executable as custom inventory with any Ansible command that supports this option.

The following command uses Ansible’s with a ping command to check connectivity to all current active servers:

ansible all -m ping -i digital_ocean.py

For more details on how to use dynamic inventory files, please refer to the .
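As an added example (not the DigitalOcean inventory script referred to above), the following is a minimal inventory script in the form Ansible expects from a dynamic inventory: --list prints the whole inventory as JSON with a _meta.hostvars block, and --host NAME prints one host's variables. The server list, names, IPs and tags are constructed stand-ins for what a cloud provider's API would return; only servers in the active state are exposed to Ansible.

```python
#!/usr/bin/env python3
"""Minimal Ansible dynamic inventory script (added example, not the
DigitalOcean script the guide refers to). Ansible runs it with --list or
--host NAME and parses the JSON it prints."""
import json
import sys

# Constructed sample data standing in for a cloud API "list servers" call.
SAMPLE_SERVERS = [
    {"name": "web1", "ip": "203.0.113.10", "status": "active", "tags": ["web", "prod"]},
    {"name": "web2", "ip": "203.0.113.11", "status": "active", "tags": ["web", "prod"]},
    {"name": "db1", "ip": "203.0.113.20", "status": "active", "tags": ["db", "prod"]},
    {"name": "old1", "ip": "203.0.113.99", "status": "off", "tags": ["web"]},  # excluded
]


def build_inventory(servers):
    """Return the dict Ansible expects from `script --list`: one group per
    tag, plus _meta.hostvars so Ansible need not call --host for every node."""
    inventory = {"_meta": {"hostvars": {}}}
    for server in servers:
        if server["status"] != "active":
            continue  # only hosts that are currently running are managed
        name = server["name"]
        inventory["_meta"]["hostvars"][name] = {"ansible_host": server["ip"]}
        for tag in server["tags"]:
            group = inventory.setdefault(tag, {"hosts": []})
            group["hosts"].append(name)
    return inventory


def host_vars(servers, name):
    """Return the variables for one host (`script --host NAME`), {} if unknown."""
    return build_inventory(servers)["_meta"]["hostvars"].get(name, {})


def main(argv):
    if len(argv) == 2 and argv[1] == "--list":
        print(json.dumps(build_inventory(SAMPLE_SERVERS), indent=2))
    elif len(argv) == 3 and argv[1] == "--host":
        print(json.dumps(host_vars(SAMPLE_SERVERS, argv[2])))
    else:
        sys.stderr.write("usage: %s --list | --host <name>\n" % argv[0])
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it as an executable file and pass it with -i, exactly as digital_ocean.py is passed above; a real script would replace SAMPLE_SERVERS with the provider's API response.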
To execute a command on a node, use the -a option followed by the command you want to run, in quotes. This will execute uname -a on all the nodes in your inventory:

ansible all -a "uname -a"

It is also possible to run Ansible modules with the option -m. The following command would install the package vim on server1 from your inventory:

ansible server1 -m apt -a "name=vim"

Before making changes to your nodes, you can conduct a dry run to predict how the servers would be affected by your command. This can be done by including the --check option:

ansible server1 -m apt -a "name=vim" --check

To run a playbook and execute all the tasks defined within it, use the ansible-playbook command:

ansible-playbook myplaybook.yml

To overwrite the default hosts option in the playbook and limit execution to a certain group or host, include the option -l in your command:

ansible-playbook -l server1 myplaybook.yml

The option --list-tasks is used to list all tasks that would be executed by a play without making any changes to the remote servers:

ansible-playbook myplaybook.yml --list-tasks

Similarly, it is possible to list all hosts that would be affected by a play, without running any tasks on the remote servers:

ansible-playbook myplaybook.yml --list-hosts

You can use tags to limit the execution of a play. To list all tags available in a play, use the option --list-tags:

ansible-playbook myplaybook.yml --list-tags

You can use the option --start-at-task to define a new entry point for your playbook. Ansible will then skip anything that comes before the specified task, executing the remainder of the play from that point on. This option requires a valid task name as argument:

ansible-playbook myplaybook.yml --start-at-task="Set Up Nginx"

To only execute tasks associated with specific tags, you can use the option --tags. For instance, if you’d like to only execute tasks tagged as nginx or mysql, you can use:

ansible-playbook myplaybook.yml --tags=mysql,nginx

If you want to skip all tasks that are under specific tags, use --skip-tags. The following command would execute myplaybook.yml, skipping all tasks tagged as mysql:

ansible-playbook myplaybook.yml --skip-tags=mysql
If your Ansible playbooks deal with sensitive data like passwords, API keys, and credentials, it is important to keep that data safe by using an encryption mechanism. Ansible provides ansible-vault to encrypt files and variables.

Even though it is possible to encrypt any Ansible data file as well as binary files, it is more common to use ansible-vault to encrypt variable files containing sensitive data. After encrypting a file with this tool, you’ll only be able to execute, edit or view its contents by providing the relevant password defined when you first encrypted the file.

You can create a new encrypted Ansible file with:

ansible-vault create credentials.yml

This command will perform the following actions:

Finally, when you’re done editing, ansible-vault will save the file as encrypted data.

To encrypt an existing Ansible file, you can use the following syntax:

ansible-vault encrypt credentials.yml

This will prompt you for a password that you’ll need to enter whenever you access the file credentials.yml.

If you want to view the contents of a file that was previously encrypted with ansible-vault and you don’t need to change its contents, you can use:

ansible-vault view credentials.yml

This will prompt you to provide the password you selected when you first encrypted the file with ansible-vault.

To edit the contents of a file that was previously encrypted with Ansible Vault, run:

ansible-vault edit credentials.yml

This will prompt you to provide the password you chose when first encrypting the file credentials.yml with ansible-vault. After password validation, your default command-line editor will open with the unencrypted contents of the file, allowing you to make your changes. When finished, you can save and close the file as you would normally, and the updated contents will be saved as encrypted data.

If you wish to permanently revert a file that was previously encrypted with ansible-vault to its unencrypted version, you can do so with this syntax:

ansible-vault decrypt credentials.yml

This will prompt you to provide the same password used when first encrypting the file credentials.yml with ansible-vault. After password validation, the file contents will be saved to the disk as unencrypted data.

Ansible supports multiple vault passwords grouped by different vault IDs. This is useful if you want to have dedicated vault passwords for different environments, such as development, testing, and production environments.

To create a new encrypted file using a custom vault ID, include the --vault-id option along with a label and the location where ansible-vault can find the password for that vault. The label can be any identifier, and the location can either be prompt, meaning that the command should prompt you to enter a password, or a valid path to a password file.

ansible-vault create --vault-id dev@prompt credentials_dev.yml

This will create a new vault ID named dev that uses prompt as password source. By combining this method with group variable files, you’ll be able to have separate Ansible vaults for each application environment:

ansible-vault create --vault-id prod@prompt credentials_prod.yml

We used dev and prod as vault IDs to demonstrate how you can create separate vaults per environment, but you can create as many vaults as you want, and you can use any identifier of your choice as vault ID.

Now to view, edit, or decrypt these files, you’ll need to provide the same vault ID and password source along with the ansible-vault command:

ansible-vault edit credentials_dev.yml --vault-id dev@prompt

If you need to automate the process of provisioning servers with Ansible using a third-party tool, you’ll need a way to provide the vault password without being prompted for it. You can do that by using a password file with ansible-vault.

A password file can be a plain text file or an executable script. If the file is an executable script, the output produced by this script will be used as the vault password. Otherwise, the raw contents of the file will be used as vault password.

To use a password file with ansible-vault, you need to provide the path to a password file when running any of the vault commands:

ansible-vault create --vault-id dev@path/to/passfile credentials_dev.yml

Ansible doesn’t make a distinction between content that was encrypted using prompt or a password file as password source, as long as the input password is the same. In practical terms, this means it is OK to encrypt a file using prompt and then later use a password file to store the same password used with the prompt method. The opposite is also true: you can encrypt content using a password file and later use the prompt method, providing the same password when prompted by Ansible.

For extended flexibility and security, instead of having your vault password stored in a plain text file, you can use a Python script to obtain the password from other sources. The official Ansible repository contains that you can use for reference when creating a custom script that suits the particular needs of your project.
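As an added example for the password-file and custom-script passages above (not one of the reference scripts in the Ansible repository), the following vault password script resolves the password for a vault label from an environment variable or from a file whose permissions it checks first, and exits non-zero instead of printing anything when no password is available. The ANSIBLE_VAULT_PASS_<LABEL> variable name and the ~/.config/ansible-vault directory are this example's own conventions, not Ansible standards.

```python
#!/usr/bin/env python3
"""Ansible vault password script (added example; not one of the reference
scripts in the Ansible repository). ansible-vault runs it and reads the
password from its stdout. When the file name ends in -client.py, Ansible
also passes the vault label as --vault-id, so one script can serve
several vaults (dev, prod, ...)."""
import argparse
import os
import stat
import sys

# Assumed convention for this example: the password for label X comes from
# the environment variable ANSIBLE_VAULT_PASS_X, or else from a file named X
# under this directory. Neither name is an Ansible standard.
DEFAULT_DIR = os.path.expanduser("~/.config/ansible-vault")


def read_secret_file(path):
    """Return the trimmed contents of a password file, refusing files that
    group or other users can read: a shared vault password is not a secret."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is accessible by others; chmod 600 it" % path)
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def resolve_password(label, environ=os.environ, secret_dir=DEFAULT_DIR):
    """Look up the password for one vault label: environment first, file second."""
    # Reject anything that could escape secret_dir, e.g. "../etc".
    if not label.replace("_", "").replace("-", "").isalnum():
        raise ValueError("refusing suspicious vault label %r" % label)
    env_name = "ANSIBLE_VAULT_PASS_" + label.upper().replace("-", "_")
    if environ.get(env_name):
        return environ[env_name]
    path = os.path.join(secret_dir, label)
    if os.path.exists(path):
        return read_secret_file(path)
    raise LookupError("no password for vault id %r: set %s or create %s"
                      % (label, env_name, path))


def main(argv):
    parser = argparse.ArgumentParser(description="vault password script")
    parser.add_argument("--vault-id", default="default",
                        help="label Ansible passes to *-client.py scripts")
    args = parser.parse_args(argv[1:])
    try:
        print(resolve_password(args.vault_id))  # stdout becomes the vault password
    except (LookupError, PermissionError, ValueError, OSError) as exc:
        sys.stderr.write("vault password script: %s\n" % exc)
        return 1  # non-zero exit: ansible-vault reports an error, not an empty password
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it as, for example, vault-client.py, make it executable, and reference it as --vault-id dev@./vault-client.py; Ansible then invokes it with --vault-id dev.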
Whenever you run a playbook that uses data previously encrypted via ansible-vault, you’ll need to provide the vault password to your playbook command.

If you used default options and the prompt password source when encrypting the data used in this playbook, you can use the option --ask-vault-pass to make Ansible prompt you for the password:

ansible-playbook myplaybook.yml --ask-vault-pass

If you used a password file instead of prompting for the password, you should use the option --vault-password-file instead:

ansible-playbook myplaybook.yml --vault-password-file my_vault_password.py

If you’re using data encrypted under a vault ID, you’ll need to provide the same vault ID and password source you used when first encrypting the data:

ansible-playbook myplaybook.yml --vault-id dev@prompt

If using a password file with your vault ID, you should provide the label followed by the full path to the password file as password source:

ansible-playbook myplaybook.yml --vault-id dev@vault_password.py

If your play uses multiple vaults, you should provide a --vault-id parameter for each of them, in no particular order:

ansible-playbook myplaybook.yml --vault-id dev@vault_password.py --vault-id test@prompt --vault-id ci@prompt

If you run into errors while executing Ansible commands and playbooks, it’s a good idea to increase output verbosity in order to get more information about the problem. You can do that by including the -v option in the command:

ansible-playbook myplaybook.yml -v

If you need more detail, you can use -vvv and this will increase the verbosity of the output. If you’re unable to connect to the remote nodes via Ansible, use -vvvv to get connection debugging information:

ansible-playbook myplaybook.yml -vvvv

This guide covers some of the most common Ansible commands you may use when provisioning servers, such as how to execute remote commands on your nodes and how to run playbooks using a variety of custom settings.

There are other command variations and flags that you may find useful for your Ansible workflow. To get an overview of all available options, you can use the help command.

If you want a more comprehensive view of Ansible and all its available commands and features, please refer to the .
Translated from: Ansible Definitive Guide
Reprinted from: http://vxhgb.baihongyu.com/