Ansible介绍
- ansible是一款为类unix系统开发的自由开源的配置和自动化工具。它用python写成,类似于saltstack和puppet,但是不同点是ansible不需要再节点中安装任何客户端。它使用ssh来通信。它基于python的paramiko开发,分布式,无需任何客户端,轻量级,配置语法使用ymal及jinja2模板语言,更强的远程命令执行操作。
Ansibe特性
- 部署简单,只需在主控端部署Ansible环境,被控端无需做任何操作。
- 默认使用SSH协议对设备进行管理。
- 有大量常规运维操作模块,可实现日常绝大部分操作。
- 配置简单、功能强大、扩展性强;
- 支持API及自定义模块,可通过Python轻松扩展。
- 通过Playbooks来定制强大的配置、状态管理。
- 轻量级,无需在客户端安装agent,更新时,只需在操作机上进行一次更新即可。
- 提供一个功能强大、操作性强的Web管理界面和REST API接口——AWX平台。
- 支持非root用户管理操作,支持sudo。
Ansible架构
核心组件构成:
- ansible(主体):ansible的核心程序,提供一个命令行接口给用户对ansible进行管理操作;
- Host Inventory(主机清单):为Ansible定义了管理主机的策略。一般小型环境下我们只需要在host文件中写入主机的IP地址即可,但是到了中大型环境我们有可能需要使用静态inventory或者动态主机清单来生成我们所需要执行的目标主机。
- Core Modules(核心模块):Ansible执行命令的功能模块,多数为内置的核心模块。
- Custom Modules(拓展模块):如何ansible自带的模块无法满足我么你的需求,用户可自定义相应的模块来满足自己的需求。
- Connection Plugins(连接插件):模块功能的补充,如连接类型插件、循环插件、变量插件、过滤插件等,该功能不常用
- Playbook(任务剧本):编排定义ansible任务集的配置文件,由ansible顺序依次执行,通常是JSON格式的* YML文件
- API:供第三方程序调用的应用程序编程接口
Ansible能做什么?
ansible可以帮助运维人员完成一些批量任务,或者完成一些需要经常重复的工作。
- 比如:同时在100台服务器上安装nginx服务,并在安装后启动服务。
- 比如:将某个文件一次性拷贝到100台服务器上。
- 比如:每当有新服务器加入工作环境时,运维人员都要为新服务器部署某个服务。
ansible的配置文件可以存放在任何位置,但配置文件有读取顺序。
- 最先查找$ANSIBLE_CONFIG变量对应的位置和文件
- 其次查找当前目录下ansible.cfg
- 然后查找用户家目录下的.ansible.cfg
- 最后查找/etc/ansible/ansible.cfg(默认)
ansible 命令执行过程。
- 加载自己的配置文件,默认路径为 /etc/ansible/ansible.cfg;
- 查找对应的主机配置文件,找到要执行的主机或者组;
- 加载自己对应的模块文件,如 command;
- 通过ansible将模块或命令生成对应的临时py文件(python脚本), 并将该文件传输至远程服务器;
- 对应执行用户的家目录的.ansible/tmp/XXX/XXX.py文件;
- 给文件 +x 执行权限;
- 执行并返回结果;
- 删除临时py文件,sleep 0退出;
其他详情见官方文档:【传送门】
环境准备:
属性 | 管理机 | 服务器-01 | 服务器-02 |
节点 | wenCheng | Server-01 | Server-02 |
系统 | CentOS Linux release 7.5.1804 (Minimal) | CentOS Linux release 7.5.1804 (Minimal) | CentOS Linux release 7.5.1804 (Minimal) |
内核 | 3.10.0-862.el7.x86_64 | 3.10.0-862.el7.x86_64 | 3.10.0-862.el7.x86_64 |
SELinux | setenforce 0 | disabled | setenforce 0 | disabled | setenforce 0 | disabled |
Firewlld | systemctl stop/disable firewalld | systemctl stop/disable firewalld | systemctl stop/disable firewalld |
IP地址 | 172.16.70.37 | 172.16.70.181 | 172.16.70.182 |
Ansible常用参数及语法。
ansible官方模块文档:【传送门】
ansible官方命令参数:【传送门】
Ansible常用模块
ping 模块: 检查指定节点机器是否还能连通,用法很简单,不涉及参数,主机如果在线,则回复pong 。
raw 模块: 执行原始的命令,而不是通过模块子系统。
yum 模块: RedHat和CentOS的软件包安装和管理工具。
apt 模块: Ubuntu /Debian 的软件包安装和管理工具。
pip 模块 : 用于管理Python库依赖项,为了使用pip模块,必须提供参数name或者requirements。
synchronize 模块: 使用 rsync 同步文件,将主控方目录推送到指定节点的目录下。
template 模块: 基于模板方式生成一个文件复制到远程主机(template使用Jinjia2格式作为文件模版,进行文档内变量的替换的模块。
copy 模块: 在远程主机执行复制操作文件。
user 模块 与 group 模块: user模块是请求的是 useradd , userdel, usermod 三个指令,goup模块请求的是groupadd, groupdel, groupmod 三个指令。
service 或 systemd 模块: 用于管理远程主机的服务。
get_url 模块: 该模块主要用于从http、 ftp 、https服务器上下载文件(类似于wget)。
fetch 模块: 它用于从远程机器获取文件,并将其本地存储在由主机名组织的文件树中。
file 模块: 主要用于远程主机上的文件操作。
lineinfile 模块: 远程主机上的文件编辑模块
unarchive模块: 用于解压文件。
command 模块 和 shell模块: 用于在各被管理节点运行指定的命令. shell和 command 的区别:shell模块可以特殊字符,而 command 是不支持
hostname 模块: 修改远程主机名的模块。
script模块: 在远程主机上执行主控端的脚本,相当于 scp +shell组合。
stat模块: 获取远程文件的状态信息,包括atime,ctime,mtime,md5,uid,gid等信息。
cron 模块: 远程主机 crontab 配置。
mount 模块: 挂载文件系统。
find 模块: 帮助在被管理主机中查找符合条件的文件,就像 find 命令一样。
selinux模块:远程管理受控节点的selinux的模块
Ansible语法及配置参数
语法格式:
ansible <pattern_goes_here> -m <module_name> -a <arguments>
也就是:
ansible 匹配模式 -m 模块 -a '需要执行的内容'
解释说明:
匹配模式:即哪些机器生效 (可以是某一台, 或某一组, 或all) , 默认模块为 command , 执行常规的shell命令.
-a MODULE_ARGS #模块的参数,如果执行默认COMMAND的模块,即是命令参数,如: “date”,“pwd”等等
-k,--ask-pass #ask for SSH password。登录密码,提示输入SSH密码而不是假设基于密钥的验证
--ask- su -pass #ask for su password。su切换密码
-K,--ask- sudo -pass #ask for sudo password。提示密码使用sudo,sudo表示提权操作
--ask-vault-pass #ask for vault password。假设我们设定了加密的密码,则用该选项进行访问
-B SECONDS #后台运行超时时间
-C #模拟运行环境并进行预运行,可以进行查错测试
-c CONNECTION #连接类型使用
-f FORKS #并行任务数,默认为5
-i INVENTORY #指定主机清单的路径,默认为/etc/ansible/hosts
--list-hosts #查看有哪些主机组
-m MODULE_NAME #执行模块的名字,默认使用 command 模块,所以如果是只执行单一命令可以不用 -m参数
-o #压缩输出,尝试将所有结果在一行输出,一般针对收集工具使用
-S #用 su 命令
-R SU_USER #指定 su 的用户,默认为 root 用户
-s #用 sudo 命令
-U SUDO_USER #指定 sudo 到哪个用户,默认为 root 用户
-T TIMEOUT #指定 ssh 默认超时时间,默认为10s,也可在配置文件中修改
-u REMOTE_USER #远程用户,默认为 root 用户
- v #查看详细信息,同时支持-vvv,-vvvv可查看更详细信息
ansible-doc 命令常用于获取模块信息及其使用帮助,一般用法如下:
ansible-doc -l #获取全部模块的信息
ansible-doc -s MOD_NAME #获取指定模块的使用帮助
示例
[root@wenCheng ~] # ansible-doc -l | grep authorized_key
authorized_key Adds or removes an SSH authorized key
[root@wenCheng ~] # ansible-doc -s authorized_key
[root@wenCheng ~] # ansible-doc authorized_key
情景一:Ansible安装部署及首次批量分发公钥(管理机)。
- command模块 和 shell模块: 用于在各被管理节点运行指定的命令.;shell和command的区别:shell模块可以特殊字符,而command是不支持。
[root@wenCheng ~] # yum install epel-release -y
[root@wenCheng ~] # yum install ansible -y
[root@wenCheng ~] # ansible --version
ansible 2.9.21
config file = /etc/ansible/ansible .cfg
configured module search path = [u '/root/.ansible/plugins/modules' , u '/usr/share/ansible/plugins/modules' ]
ansible python module location = /usr/lib/python2 .7 /site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
[root@wenCheng ~] # rpm -qa | grep ansible
ansible-2.9.21-1.el7.noarch
[root@wenCheng ~] # rpm -ql ansible-2.9.21-1.el7.noarch | less
/etc/ansible/ansible .cfg #主配置文件,配置ansible工作特性
/etc/ansible/hosts #主机清单
/etc/ansible/roles/ #存放角色的目录
/usr/bin/ansible #主程序,临时命令执行工具
/usr/bin/ansible-doc #查看配置文档,模块功能查看工具
/usr/bin/ansible-galaxy #下载/上传优秀代码或Roles模块的官网平台
/usr/bin/ansible-playbook #定制自动化任务,编排剧本工具
/usr/bin/ansible-pull #远程执行命令的工具
/usr/bin/ansible-vault #文件加密工具
/usr/bin/ansible-console #基于Console界面与用户交互的执行工具
......
# 备份配置
[root@wenCheng ~] # cp /etc/ansible/hosts{,.bak}
[root@wenCheng ~] # cp /etc/ansible/ansible.cfg{,.bak}
[root@wenCheng ~] # vim /etc/ansible/hosts
......
# 末行添加内容
# 远程主机(根据实际情况):单IP/IP段 用户名 密码 端口;下面举例2类形式
[type1]
172.16.70.181
172.16.70.182
[type1:vars]
ansible_user= 'root'
ansible_pass= 'centos'
ansible_port= '22'
[type2]
172.16.70.[181:182] ansible_user= 'root' ansible_pass= 'centos' ansible_port= '22'
[root@wenCheng ~] # vim /etc/ansible/ansible.cfg
......
host_key_checking = False # 首次连接是否需要检查key认证,取消注释以禁用主机的ssh的密钥检查
......
/var/log/ansible .log # 取消注释以记录日志信息
# 新建yaml文件
[root@wenCheng ~] # cat /root/ssh_key.yml
---
- hosts: all # 远程主机组
tasks:
- name: send id_rsa.pub
authorized_key: user=root key= "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}" # 被控制的远程服务上的用户名 本机的公钥地址
# 执行批量公钥分发
[root@wenCheng ~] # ansible-playbook ssh_key.yml
PLAY [all] ********************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************
ok: [172.16.70.182]
ok: [172.16.70.181]
TASK [send id_rsa.pub] ********************************************************************************************************************
ok: [172.16.70.181]
ok: [172.16.70.182]
PLAY RECAP ********************************************************************************************************************************
172.16.70.181 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
172.16.70.182 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
# 验证结果
[root@wenCheng ~] # ansible all -m command -a "hostname"
172.16.70.182 | CHANGED | rc=0 >>
Server-02
172.16.70.181 | CHANGED | rc=0 >>
Server-01
[root@wenCheng ~] # ansible all -m shell -a "hostname"
172.16.70.182 | CHANGED | rc=0 >>
Server-02
172.16.70.181 | CHANGED | rc=0 >>
Server-01
# command模块不支持管道
[root@wenCheng ~] # ansible all -m command -a "cat /etc/passwd| grep centos"
172.16.70.181 | FAILED | rc=1 >>
cat : /etc/passwd |: No such file or directory
cat : grep : No such file or directory
cat : centos: No such file or directorynon-zero return code
172.16.70.182 | FAILED | rc=1 >>
cat : /etc/passwd |: No such file or directory
cat : grep : No such file or directory
cat : centos: No such file or directorynon-zero return code
[root@wenCheng ~] # ansible all -m shell -a "cat /etc/passwd| grep centos"
172.16.70.182 | CHANGED | rc=0 >>
centos:x:1000:1000:: /home/centos : /bin/bash
172.16.70.181 | CHANGED | rc=0 >>
centos:x:1000:1000:: /home/centos : /bin/bash
# 修改sshd_config文件,禁止使用密码登录
[root@wenCheng ~] # ansible all -m shell -a "sed -i.bak 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config"
[root@wenCheng ~] # ansible all -m shell -a "systemctl restart sshd"
情景二:管理机批量安装软件。
- yum 模块: RedHat和CentOS的软件包安装和管理工具。
参数:
config_file:yum的配置文件 (optional)
disable_gpg_check:关闭gpg_check (optional)
disablerepo:不启用某个源 (optional)
enablerepo:启用某个源(optional)
name:要进行操作的软件包的名字,默认最新的程序包,指明要安装的程序包,可以带上版本号,也可以传递一个url或者一个本地的rpm包的路径
state:表示是安装还是卸载的状态, 其中present、installed、latest 表示安装, absent 、removed表示卸载删除; present默认状态, laster表示安装最新版本.
安装 rsync :
[root@wenCheng ~] # ansible all -m yum -a "name=rsync state=present"
或
[root@wenCheng ~] # ansible all -m yum -a "name=http://mirror.centos.org/centos/7/os/x86_64/Packages/rsync-3.1.2-10.el7.x86_64.rpm state=present"
卸载 rsync :
[root@wenCheng ~] # ansible all -m yum -a "name=rsync state=removed"
情景三:管理机批量分发文件/目录。
- synchronize 模块: 使用rsync同步文件,将主控方目录推送到指定节点的目录下。
参数:
delete: 删除不存在的文件,delete= yes 使两边的内容一样(即以推送方为主),默认no
src: 要同步到目的地的源主机上的路径; 路径可以是绝对的或相对的。如果路径使用”/”来结尾,则只复制目录里的内容,如果没有使用”/”来结尾,则包含目录在内的整个内容全部复制
dest:目的地主机上将与源同步的路径; 路径可以是绝对的或相对的。
dest_port:默认目录主机上的端口 ,默认是22,走的 ssh 协议。
mode: push或pull,默认push,一般用于从本机向远程主机上传文件,pull 模式用于从远程主机上取文件。
rsync_opts:通过传递数组来指定其他 rsync 选项。
# 接情景二环境,并创建所需文件/目录
[root@wenCheng ~] # tree /tmp/
/tmp/
├── dir_ansible1
│ └── 1
├── dir_ansible2
│ └── 2
├── dir_ansible3
│ └── 3
├── dir_ansible4
│ └── 4
├── file_ansible1
├── file_ansible2
├── file_ansible3
└── file_ansible4
4 directories, 8 files
# 推送文件/tmp/file_ansible1到远程主机目录/tmp下
[root@wenCheng ~] # ansible all -m synchronize -a 'src=/tmp/file_ansible1 dest=/tmp'
# 推送文件/tmp/file_ansible2到远程主机目录并覆盖原文件/tmp/file_ansible1
[root@wenCheng ~] # ansible all -m synchronize -a 'src=/tmp/file_ansible2 dest=/tmp/file_ansible1'
# 推送目录/tmp/dir_ansible1到远程主机目录/tmp下(保留远程主机原/tmp内容不变再新增dir_ansible1目录)
[root@wenCheng ~] # ansible all -m synchronize -a 'src=/tmp/dir_ansible1 dest=/tmp'
# 推送目录/tmp/的所有文件或目录到远程主机目录/tmp下,使内容一致,默认delete=no(删除远程主机原/tmp内容再同步推送的目录)
[root@wenCheng ~] # ansible all -m synchronize -a "src=/tmp/ dest=/tmp delete=yes"
# 拉取远程主机文件/etc/hostname到本地目录/tmp
[root@wenCheng ~] # ansible all -m synchronize -a "src=/etc/hostname dest=/tmp rsync_opts='-a' mode=pull"
- copy 模块: 在远程主机执行复制操作文件。
把主控节点本地的文件上传同步到远程受控节点上, 该模块不支持从远程受控节点拉取文件到主控节点上
参数:
src:指定源文件路径,可以是相对路径,也可以是绝对路径,可以是目录(并非是必须的,可以使用content,直接生成文件内容). src即是要复制到远程主机的文件在本地的地址,可以是绝对路径,也可以是相对路径。
如果路径是一个目录,它将递归复制。在这种情况下,如果路径使用”/”来结尾,则只复制目录里的内容,如果没有使用”/”来结尾,则包含目录在内的整个内容全部复制,类似于 rsync 。
dest:指定目标文件路径,只能是绝对路径,如果src是目录,此项必须是目录. 这个是必选项!
owner:指定属主;
group:指定属组;
mode:指定权限,可以以数字指定比如0644;
content:代替src,直接往dest文件中写内容,可以引用变量,也可以直接使用inventory中的主机变量. 写后会覆盖原文件内容!
backup:在覆盖之前将原文件备份,备份文件包含时间信息。有两个选项: yes |no
force: 如果目标主机包含该文件,但内容不同,如果设置为 yes ,则强制覆盖,如果为no,则只有当目标主机的目标位置不存在该文件时,才复制。默认为 yes ;
directory_mode:递归的设定目录的权限,默认为系统默认权限;
others:所有的 file 模块里的选项都可以在这里使用;
特别注意: src和content不能同时使用。
# 拷贝本地目录/tmp/dir_ansible1至远程主机目录/tmp
[root@wenCheng ~] # ansible all -m copy -a 'src=/tmp/dir_ansible1 dest=/tmp backup=yes'
# 拷贝本地文件/tmp/file_ansible1至远程主机目录/tmp,并修改属组为centos,权限为400
[root@wenCheng ~] # ansible all -m copy -a 'src=/tmp/file_ansible1 dest=/tmp group=centos mode=400'
synchronize模块与copy模块区别:
- copy 模块不支持从远端到本地的拉去操作,fetch 模块支持,但是 src 参数不支持目录递归,只能回传具体文件;
- copy 模块的 remote_src 参数是指定从远端服务器上往远端服务器上复制,相当于在 shell 模块中执行 copy 命令;
- synchronize 则支持文件下发和回传,分别对应的 push 和 pull 模式。synchronize 模块的功能依赖于 rsync,但是功能不依赖于 rsync 配置文件中定义的模块;
- copy 模块适用于小规模文件操作,synchronize 支持大规模文件操作
附: Ansible默认配置解析:
[root@wenCheng ~] # cat /etc/ansible/ansible.cfg
......
[defaults]
# some basic default values...
#inventory = /etc/ansible/hosts # 资源清单inventory文件的位置,脚本或连接管理主机列表
#library = /usr/share/my_modules/ # 库文件存放目录
#module_utils = /usr/share/my_module_utils/ # 模块存放目录
#remote_tmp = ~/.ansible/tmp # 临时文件远程主机存放目录
#local_tmp = ~/.ansible/tmp # 临时文件本地存放目录
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml # 拒绝模块的配置文件
#forks = 5 # 默认开启的并发数
#poll_interval = 15 # 默认轮询的时间间隔
#sudo_user = root # 默认sudo用户
#ask_sudo_pass = True # 是否需要sudo密码
#ask_pass = True # 是否需要密码
#transport = smart # 默认执行智能模式
#remote_port = 22 # 默认ssh远程端口
#module_lang = C # 默认模块和系统之间通信的计算机语言,默认为'C'语言
#module_set_locale = False # 默认设置本地环境变量
# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
#gathering = implicit
# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,virtual)
# You can negate them using ! (ex: !hardware,!facter,!ohai)
# A minimal set of facts is always gathered.
#gather_subset = all
# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
# gather_timeout = 10 # 收集一些与硬件相关的信息,允许根据系统情况来设置超时时间
# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of 'ansible_'.
# This variable is set to True by default for backwards compatibility. It
# will be changed to a default of 'False' in a future release.
# ansible_facts.
# inject_facts_as_vars = True # 设置为True是为了向后兼容,为了维护2.5之前的默认行为
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles # 搜索角色的其它路径,冒号分隔
# uncomment this to disable SSH key host checking
#host_key_checking = False # 首次连接是否需要检查key认证,取消注释以禁用主机的ssh的密钥检查
# change the default callback, you can only have one 'stdout' type enabled at a time.
#stdout_callback = skippy # 更改默认回调的类型
## Ansible ships with some plugins that require whitelisting,
## this is done to avoid running all of a type by default.
## These setting lists those that you want enabled for your system.
## Custom plugins should not need this unless plugin author specifies it.
# enable callback plugins, they can output to stdout but cannot be 'stdout' type.
#callback_whitelist = timer, mail # 回调插件白名单,限制默认插件自动调用。如果是自定义插件则不需要
# Determine whether includes in tasks and handlers are "static" by
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions. # 默认情况下,tasks和handlers是静态。从2.0开始默认是动态
#task_includes_static = False
#handler_includes_static = False
# Controls if a missing handler for a notification event is an error or a warning
#error_on_missing_handler = True # 如果处理程序丢失是错误还是警告
# change this for alternative sudo implementations
#sudo_exe = sudo
# What flags to pass to sudo
# WARNING: leaving out the defaults might create unexpected behaviours
#sudo_flags = -H -S -n # 传递给sudo的标志,这里如果省略默认值可能会报错
# SSH timeout
#timeout = 10 # 默认SSH超时时间
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root # /usr/bin/Ansible属于哪个用户,如果没有给定,那么属于playbook
# logging is off by default unless this path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log # 执行日志存放目录
# default module name for /usr/bin/ansible
#module_name = command # 默认执行的模块
# use this shell for commands executed under sudo
# you may need to change this to bin/bash in rare instances
# if sudo is constrained
#executable = /bin/sh
# if inventory variables overlap, does the higher precedence one win
# or are hash values merged together? The default is 'replace' but
# this can also be set to 'merge'.
#hash_behaviour = replace # 如果inventory变量重叠,优先级越高的会被使用
# by default, variables from roles will be visible in the global variable
# scope. To prevent this, the following option can be enabled, and only
# tasks and handlers within the role will see the variables there
#private_role_vars = yes # 默认情况下,角色中的变量将在全局变量中可见
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n # Jinjia2所有可用的扩展名
# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file # 使用私钥文件进行身份验证,私钥的存储位置
# If set, configures the path to the Vault password file as an alternative to
# specifying --vault-password-file on the command line.
#vault_password_file = /path/to/vault_password_file # 如果设置,则配置Vault密码文件的路径,以替代在命令行上指定--vault-password-file
# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
# in some situations so the default is a static string:
#ansible_managed = Ansible managed
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
# 默认情况下,如果确定不应该在主机上运行任务,则ansible-playbook将显示Skipping [host],如果你不想看到这条消息,将其设置为False
# by default, if a task in a playbook does not include a name: field then
# ansible-playbook will construct a header that includes the task's action but
# not the task's args. This is a security feature because ansible cannot know
# if the *module* considers an argument to be no_log at the time that the
# header is printed. If your environment doesn't have a problem securing
# stdout from ansible-playbook (or you have manually specified no_log in your
# playbook on all of the tasks where you have secret information) then you can
# safely set this to True to get more informative messages.
#display_args_to_stdout = False
# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False
# by default (as of 1.6), Ansible may display warnings based on the configuration of the
# system running ansible itself. This may include warnings about 3rd party packages or
# other conditions that should be resolved if possible.
# to disable these warnings, set the following value to False:
#system_warnings = True
# by default (as of 1.4), Ansible may display deprecation warnings for language
# features that should no longer be used and will be removed in future versions.
# to disable these warnings, set the following value to False:
#deprecation_warnings = True
# (as of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a default Ansible module
# instead. These warnings can be silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. This will for example suggest using the git module
# instead of shelling out to the git command.
# command_warnings = False
# set plugin path directories here, separate with colons # 插件的存储位置,ansible将会自动执行下面的插件
#action_plugins = /usr/share/ansible/plugins/action
#become_plugins = /usr/share/ansible/plugins/become
#cache_plugins = /usr/share/ansible/plugins/cache
#callback_plugins = /usr/share/ansible/plugins/callback
#connection_plugins = /usr/share/ansible/plugins/connection
#lookup_plugins = /usr/share/ansible/plugins/lookup
#inventory_plugins = /usr/share/ansible/plugins/inventory
#vars_plugins = /usr/share/ansible/plugins/vars
#filter_plugins = /usr/share/ansible/plugins/filter
#test_plugins = /usr/share/ansible/plugins/test
#terminal_plugins = /usr/share/ansible/plugins/terminal
#strategy_plugins = /usr/share/ansible/plugins/strategy
# by default, ansible will use the 'linear' strategy but you may want to try
# another one
#strategy = free # 默认情况下,ansible将使用“linear”策略
# by default callbacks are not loaded for /bin/ansible, enable this if you
# want, for example, a notification or logging callback to also apply to
# /bin/ansible runs
#bin_ansible_callbacks = False
# 默认情况下没有为/bin/ansible加载回调,如果你想要启用它将其设置为True
# don't like cows? that's unfortunate.
# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1 # 如果您不想要cowsay支持或导出ANSIBLE_NOCOWS = 1,则设置为1
# set which cowsay stencil you'd like to use by default. When set to 'random',
# a random stencil will be selected for each task. The selection will be filtered
# against the `cow_whitelist` option below.
#cow_selection = default
#cow_selection = random
# when using the 'random' option for cowsay, stencils will be restricted to this list.
# it should be formatted as a comma-separated list with no spaces between names.
# NOTE: line continuations here are for formatting purposes only, as the INI parser
# in python does not support them.
#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1
# if set to a persistent type (not 'memory', for example 'redis') fact values
# from previous runs in Ansible will be stored. This may be useful when
# wanting to use, for example, IP information from one group of servers
# without having to talk to them in the same playbook run to get their
# current IP information.
#fact_caching = memory # fact缓存的存储类型。如果存储在memory那么只是暂时的,你可以将其存储在文件或者数据库中
#This option tells Ansible where to cache facts. The value is plugin dependent.
#For the jsonfile plugin, it should be a path to a local directory.
#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
#fact_caching_connection=/tmp # fact缓存的存储路径
# retry files
# When a playbook fails a .retry file can be created that will be placed in ~/
# You can enable this feature by setting retry_files_enabled to True
# and you can change the location of the files by setting retry_files_save_path
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry # 默认情况下,当playbook执行失败时,将在~/创建.retry文件
# squash actions
# Ansible can optimise actions that call modules with list parameters
# when looping. Instead of calling the module once per with_ item, the
# module is called once with all items at once. Currently this only works
# under limited circumstances, and only with parameters named 'name'.
#squash_actions = apk,apt,dnf,homebrew,pacman,pkgng,yum,zypper
# prevents logging of task data, off by default
#no_log = False # Ansible可以优化在循环时使用列表参数调用模块的操作
# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
#no_target_syslog = False # 防止记录任务,但仅在目标上,数据仍记录在主/控制器上
# controls whether Ansible will raise an error or warning if a task has no
# choice but to create world readable temporary files to execute a module on
# the remote machine. This option is False by default for security. Users may
# turn this on to have behaviour more like Ansible prior to 2.1.x. See
# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
# for more secure ways to fix this than enabling this option.
#allow_world_readable_tmpfiles = False
# 控制Ansible是否会引发错误或警告,如果任务别无选择,只能创建可读的临时文件来执行远程计算机上的模块。对于安全性,默认情况下此选项为False
# controls the compression level of variables sent to
# worker processes. At the default of 0, no compression
# is used. This value must be an integer from 0 to 9.
#var_compression_level = 9 # 控制发送到工作进程的变量的压缩级别。 默认值为0时,不使用压缩。 该值必须是0到9之间的整数
# controls what compression method is used for new-style ansible modules when
# they are sent to the remote system. The compression types depend on having
# support compiled into both the controller's python and the client's python.
# The names should match with the python Zipfile compression types:
# * ZIP_STORED (no compression. available everywhere)
# * ZIP_DEFLATED (uses zlib, the default)
# These values may be set per host via the ansible_module_compression inventory
# variable
#module_compression = 'ZIP_DEFLATED' # 控制将ansible模块发送到远程系统时使用的压缩方法
# This controls the cutoff point (in bytes) on --diff for files
# set to 0 for unlimited (RAM may suffer!).
#max_diff_size = 1048576
# 这将控制文件的--diff的截止点(以字节为单位),设置为0表示无限制(RAM可能会受损!)
# This controls how ansible handles multiple --tags and --skip-tags arguments
# on the CLI. If this is True then multiple arguments are merged together. If
# it is False, then the last specified argument is used and the others are ignored.
# This option will be removed in 2.8.
#merge_multiple_cli_flags = True
# 这将控制ansible如何在CLI上处理多个--tags和--skip-tags参数。如果这是True,则将多个参数合并在一起。如果为False,则使用最后指定的参数,并忽略其他参数
# Controls showing custom stats at the end, off by default
#show_custom_stats = True # 最后显示自定义统计信息的控件,默认情况下已关闭
# Controls which files to ignore when using a directory as inventory with
# possibly multiple sources (both static and dynamic)
#inventory_ignore_extensions = ~, .orig, .bak, .ini, .cfg, .retry, .pyc, .pyo
# 控制将目录用作具有可能多个源(静态和动态)的库存时要忽略的文件
# This family of modules use an alternative execution path optimized for network appliances
# only update this setting if you know how this works, otherwise it can break module execution
#network_group_modules=eos, nxos, ios, iosxr, junos, vyos
# 此系列模块使用针对网络设备优化的替代执行路径,只有在您了解其工作原理的情况下才更新此设置,否则会破坏模块执行
# When enabled, this option allows lookups (via variables like {{lookup('foo')}} or when used as
# a loop with `with_foo`) to return data that is not marked "unsafe". This means the data may contain
# jinja2 templating language which will be run through the templating engine.
# ENABLING THIS COULD BE A SECURITY RISK
#allow_unsafe_lookups = False
#启用时,此选项允许查找(通过{{lookup('foo')}}之类的变量或当用作带有“with_foo”的循环时)返回未标记为“不安全”的数据
# set default errors for all plays
#any_errors_fatal = False # 为所有的操作设置默认错误
[inventory]
# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
#enable_plugins = host_list, virtualbox, yaml, constructed # 默认启动的插件
# ignore these extensions when parsing a directory as inventory source
#ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry # 在将目录解析为库存源时忽略这些扩展
# ignore files matching these patterns when parsing a directory as inventory source
#ignore_patterns= # 在将目录解析为库存源时忽略与这些模式匹配的文件
# If 'true' unparsed inventory sources become fatal errors, they are warnings otherwise.
#unparsed_is_failed=False # 如果'true'未解析的库存来源成为致命错误,则会发出警告
[privilege_escalation] # 权限提升设置
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False
[paramiko_connection] # 该部分功能不常用,了解即可。
# uncomment this line to cause the paramiko connection plugin to not record new host
# keys encountered. Increases performance on new host additions. Setting works independently of the
# host key checking setting above.
#record_host_keys=False # 不记录新主机的Key,以提示效率
# by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False # 禁用sudo功能, 取消注释此行以禁用此行为
# paramiko will default to looking for SSH keys initially when trying to
# authenticate to remote devices. This is a problem for some network devices
# that close the connection after a key failure. Uncomment this line to
# disable the Paramiko look for keys function
#look_for_keys = False # 默认初始查找SSH密钥,取消注释此行以禁用Paramiko查找键功能
# When using persistent connections with Paramiko, the connection runs in a
# background process. If the host doesn't already have a valid SSH key, by
# default Ansible will prompt to add the host key. This will cause connections
# running in background processes to fail. Uncomment this line to have
# Paramiko automatically add host keys.
#host_key_auto_add = True # 默认提示首次添加主机密钥,取消注释此行以使Paramiko自动添加主机密钥
[ssh_connection] # Ansible默认使用SSH协议连接对端主机,该部署是主要是SSH连接的一些配置,但配置项较少,多数默认即可。
# ssh arguments to use
# Leaving off ControlPersist will result in poor performance, so use
# paramiko on older platforms rather than removing it, -C controls compression use
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
# 要使用的ssh参数离开ControlPersist会导致性能不佳,所以在较旧的平台上使用paramiko而不是删除它,-C控制压缩使用
# The base directory for the ControlPath sockets.
# This is the "%(directory)s" in the control_path option
#
# Example:
# control_path_dir = /tmp/.ansible/cp
#control_path_dir = ~/.ansible/cp
# The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
# port and username (empty string in the config). The hash mitigates a common problem users
# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
# In those cases, a "too long for Unix domain socket" ssh error would occur.
#
# Example:
# control_path = %(directory)s/%%h-%%r # 用于ControlPath套接字的路径。 默认为主机名,端口和用户名的散列字符串(配置中为空字符串)
#control_path =
# Enabling pipelining reduces the number of SSH operations required to
# execute a module on the remote server. This can result in a significant
# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
#
#pipelining = False # 默认情况下,禁用此选项以保持兼容性,sudoers配置requiretty(许多发行版的默认设置)。
# Control the mechanism for transferring files (old)
# * smart = try sftp and then try scp [default]
# * True = use scp only
# * False = use sftp only
#scp_if_ssh = smart # 控制传输文件的机制(旧)smart|True|False
# Control the mechanism for transferring files (new)
# If set, this will override the scp_if_ssh option
# * sftp = use sftp to transfer files
# * scp = use scp to transfer files
# * piped = use 'dd' over SSH to transfer files
# * smart = try sftp, scp, and piped, in that order [default]
#transfer_method = smart # 控制传输文件的机制(新) sftp|scp|piped|smart
# if False, sftp will not use batch mode to transfer files. This may cause some
# types of file transfer failures impossible to catch however, and should
# only be disabled if your sftp version has problems with batch mode
#sftp_batch_mode = False # False为sftp将不使用批处理模式传输文件,并且只有在sftp版本的批处理模式出现问题时才应禁用
# The -tt argument is passed to ssh when pipelining is not enabled because sudo
# requires a tty by default.
#usetty = True # 未启用管道传输时,-tt参数将传递给ssh,因为默认情况下sudo需要tty
# Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
# For each retry attempt, there is an exponential backoff,
# so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max).
#retries = 3 # 重试与主机的SSH连接的次数
[persistent_connection]
# Configures the persistent connection timeout value in seconds. This value is
# how long the persistent connection will remain idle before it is destroyed.
# If the connection doesn't receive a request before the timeout value
# expires, the connection is shutdown. The default value is 30 seconds.
#connect_timeout = 30 # 持久连接超时时间,单位秒
# The command timeout value defines the amount of time to wait for a command
# or RPC call before timing out. The value for the command timeout must
# be less than the value of the persistent connection idle timeout (connect_timeout)
# The default value is 30 second.
#command_timeout = 30 # 命令超时时间,必须小持于久连接空闲超时的时间,单位秒
[accelerate] # 该配置项在提升Ansibile连接速度时会涉及,多数保持默认即可。
#accelerate_port = 5099 # 加速连接端口
#accelerate_timeout = 30 # 命令执行超时时间,单位秒
#accelerate_connect_timeout = 5.0 # 连接超时时间,单位秒
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
#accelerate_daemon_timeout = 30 # 上一个活动连接的时间,单位分钟
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new key. The default
# is "no".
#accelerate_multi_key = yes # 允许通过SSH使用多个私钥
[selinux] # 关于selinux的相关配置几乎不会涉及,保持默认配置即可。
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes
[colors] # Ansible对于输出结果的颜色也进行了详尽的定义且可配置,该选项对日常功能应用影响不大,几乎不用修改
#highlight = white
#verbose = blue
#warn = bright purple
#error = red
#debug = dark gray
#deprecate = purple
#skip = cyan
#unreachable = red
#ok = green
#changed = yellow
#diff_add = green
#diff_remove = red
#diff_lines = cyan
[ diff ]
# Always print diff when running ( same as always running with -D/--diff )
# always = no # 在运行时始终打印diff(与使用-D / - diff 运行相同)
# Set how many context lines to show in diff
# context = 3 # 设置要在diff中显示的上下文行数