Ansible notes: Difference between revisions
Latest revision as of 16:06, 12 November 2024 (Tue)
For Linux and Kubernetes
Hosts config
[cluster1_controller]
10.219.235.210
10.219.235.213
10.219.235.214
[cluster1_compute]
10.219.235.[215:219]
[cluster1_nodes:children]
cluster1_controller
cluster1_compute
[cluster1_nodes:vars]
ansible_ssh_user=guest2admin
ansible_ssh_pass=@users
ansible_python_interpreter=/usr/bin/python
ansible_ssh_common_args=-c aes256-cbc -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
ansible_connection=ssh
ansible_become_password=root@root@su
ansible_become_method=su
ansible_become_exe=sudo su -
#############################################
[k8s]
k8s-node-1 ansible_ssh_host=172.16.139.102
k8s-node-2 ansible_ssh_host=172.16.139.103
k8s-node-3 ansible_ssh_host=172.16.139.104
[test]
192.168.1.250 ansible_ssh_port=1234
192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy
[other-test]
192.168.1.250:1234
Ansible command parameters
-f 'FORKS', --forks 'FORKS'
    specify number of parallel processes to use (default=5)
Module
Using the authorized_key module for batch passwordless SSH across nodes
Brief module parameter description:
user=root : which user on the remote host the key is pushed to
key='{{ lookup('file', '/root/.ssh/authorized_keys') }}' : the path of the public key file to push (normally this would be id_rsa.pub)
path='/root/.ssh/authorized_keys' : the directory on the remote host to push the key into, and the file name to give it [Default: (user home dir)+/.ssh/authorized_keys]
manage_dir=no : whether the module should manage the directory containing the authorized key file. If set to yes, the module creates the directory and sets the owner and permissions of an existing directory. If the path option has been used to place the authorized key file in a different directory, this option should be set to no
exclusive : whether to remove all keys other than the specified one from the authorized_keys file [default: no]
state (Choices: present, absent) : present adds the specified key to the authorized_keys file; absent removes the specified key from the authorized_keys file [Default: present]
-k : authenticate to the nodes with a password for this operation
PS: if this is the first SSH connection to the remote nodes, consider ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts to add the nodes' SSH host key fingerprints in bulk, or simply set host_key_checking to False in Ansible (the -H option of ssh-keyscan hashes the host names in its output, the same form ssh writes with HashKnownHosts)
command line example:
ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/authorized_keys')}}' path='/root/.ssh/authorized_keys' manage_dir=no" -k
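An added example, not part of the original notes: a POSIX shell helper that expands an INI inventory in the style of "Hosts config" above (ranges such as 10.219.235.[215:219], ansible_ssh_host/ansible_ssh_port overrides, host:port entries) into concrete address/port pairs and feeds them to ssh-keyscan -H, so known_hosts is pre-populated and host key checking can stay enabled instead of using the StrictHostKeyChecking=no / host_key_checking=False shortcut. The sample inventory is constructed (it omits the plaintext credentials the page's inventory carries, which belong in ansible-vault) and the function names are my own.

```shell
# Constructed sample inventory in the INI style used in "Hosts config" above.
SAMPLE_INVENTORY='[cluster1_controller]
10.219.235.210
10.219.235.213
[cluster1_compute]
10.219.235.[215:217]
[cluster1_nodes:children]
cluster1_controller
cluster1_compute
[cluster1_nodes:vars]
ansible_ssh_user=guest2admin
[k8s]
k8s-node-1 ansible_ssh_host=172.16.139.102
[test]
192.168.1.250 ansible_ssh_port=1234
192.168.1.251:2222'

# Read an INI inventory on stdin, print one "address port" line per concrete host:
# skips [group:vars]/[group:children], expands [N:M] ranges, honours host:port and
# ansible_ssh_host/ansible_ssh_port (or ansible_host/ansible_port) overrides.
expand_inventory() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\[/ { skip = ($0 ~ /:(vars|children)]/); next }
    skip { next }
    {
      host = $1; port = 22
      if (host ~ /:[0-9]+$/) { port = host; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", host) }
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "ansible_ssh_host" || kv[1] == "ansible_host") host = kv[2]
        if (kv[1] == "ansible_ssh_port" || kv[1] == "ansible_port") port = kv[2]
      }
      if (match(host, /\[[0-9]+:[0-9]+]/)) {
        prefix = substr(host, 1, RSTART - 1); suffix = substr(host, RSTART + RLENGTH)
        split(substr(host, RSTART + 1, RLENGTH - 2), r, ":")
        for (n = r[1] + 0; n <= r[2] + 0; n++) print prefix n suffix, port
      } else print host, port
    }'
}

# Append hashed (-H) host keys for every inventory host to known_hosts so that
# StrictHostKeyChecking can stay on; still verify the fingerprints out of band.
scan_known_hosts() {
  expand_inventory | while read -r host port; do
    ssh-keyscan -H -p "$port" "$host" 2>/dev/null < /dev/null
  done >> "${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"
}
```

Run it as `printf '%s\n' "$SAMPLE_INVENTORY" | scan_known_hosts` (or pipe in your real inventory file); the resulting entries can be checked with `ssh-keygen -lf ~/.ssh/known_hosts` against fingerprints obtained from each node's console.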
selinux
ansible k8s -m selinux -a state=disabled
https://my.oschina.net/ozakilsc/blog/693023
shell
ansible k8s -m shell -a getenforce
ansible k8s -m shell -a hostname
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"
ansible all -m shell -a "rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm"
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"
ansible all -m shell -a "grub2-set-default 0"
Automatically switch to the root user (-b)
ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"
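The last command above rewrites /etc/docker/daemon.json from a command substitution: if jq fails (for example on malformed JSON), the substitution is empty and daemon.json is overwritten with a blank line. An added helper, not from the original notes, that runs a filter into a temp file and replaces the target only when the filter succeeds; the function name and the sample file are my own, and the test uses sed so it runs without jq.

```shell
# safe_rewrite FILE CMD [ARGS...]
# Runs CMD with FILE on stdin and captures its output in a temp file beside
# FILE; FILE is replaced only if CMD exits 0. A failing filter (e.g. jq on
# malformed JSON) therefore leaves FILE untouched instead of truncating it.
safe_rewrite() {
  file=$1; shift
  [ -f "$file" ] || { echo "safe_rewrite: $file does not exist" >&2; return 1; }
  tmp=$(mktemp "$file.XXXXXX") || return 1
  cp -p "$file" "$tmp"                  # keep the original mode on the temp file
  if "$@" < "$file" > "$tmp"; then
    mv -f "$tmp" "$file"                # atomic replace on the same filesystem
  else
    rm -f "$tmp"
    echo "safe_rewrite: filter failed, $file left unchanged" >&2
    return 1
  fi
}

# The page's docker bip change, run through the helper (requires jq, run as root):
#   safe_rewrite /etc/docker/daemon.json jq '. + {"bip": "192.168.0.1/28"}'
```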
ping
(used to check whether the remote clients are online)
ansible k8s -m ping
command
(ansible default module)
yum
(default state: installed)
ansible k8s -m yum -a 'name=vim state=installed'
ansible k8s -m yum -a 'name=vim'
ansible k8s -m yum -a 'name=vim, httpd'
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"
ansible k8s -m yum -a 'name=vsftpd state=removed'
ansible k8s -m yum -a "name=bridge-utils"
ansible all -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"
service
ansible k8s -m service -a " name='nginx' enabled=yes"
ansible k8s -m service -a "name=httpd state=started"
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"
ansible k8s -km service -a "name=postfix state=stopped enabled=no"
ansible k8s -m service -a "name=chronyd enabled=yes state=started"
copy
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k
file
ansible k8s -m file -a "path=/opt/k8s/bin state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=absent"
others
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"
Playbook
copy
---
- hosts: all
  tasks:
    - name: copy kubernetes server executable files to master node
      copy:
        src: '{{ item.src }}'
        dest: '{{ item.dest }}'
        mode: '0744'
      with_items:
        - {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}
        - {src: './kubeadm', dest: '/opt/k8s/bin/'}
        - {src: './kube-apiserver', dest: '/opt/k8s/bin/'}
        - {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}
        - {src: './kubectl', dest: '/opt/k8s/bin/'}
        - {src: './kubelet', dest: '/opt/k8s/bin/'}
        - {src: './kube-proxy', dest: '/opt/k8s/bin/'}
        - {src: './kube-scheduler', dest: '/opt/k8s/bin/'}
        - {src: './mounter', dest: '/opt/k8s/bin/'}
Other operations
Use a passphrase-protected SSH private key without entering the passphrase each time
Use a passphrase-protected private key while avoiding having to type the passphrase on every connection (effective for the current session)
$ eval `ssh-agent` # you might have agent already running so this might not be needed
$ ssh-add ~/.ssh/id_rsa