Ansible随记:修订间差异

来自三线的随记
无编辑摘要
无编辑摘要
 
(未显示同一用户的22个中间版本)
第3行: 第3行:
<br />
<br />


===hosts===
===Hosts config===
[cluster1_controller]
10.219.235.210
10.219.235.213
10.219.235.214
[cluster1_compute]
10.219.235.[215:219]
[cluster1_nodes:children]
cluster1_controller
cluster1_compute
[cluster1_nodes:vars]
ansible_ssh_user=guest2admin
ansible_ssh_pass=@users
ansible_python_interpreter=/usr/bin/python
ansible_ssh_common_args=-c aes256-cbc -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
ansible_connection=ssh
ansible_become_password=root@root@su
ansible_become_method=su
ansible_become_exe=sudo su -
#############################################
  [k8s]
  [k8s]
  k8s-node-1 ansible_ssh_host=172.16.139.102
  k8s-node-1 ansible_ssh_host=172.16.139.102
第12行: 第36行:
  192.168.1.250 ansible_ssh_port=1234
  192.168.1.250 ansible_ssh_port=1234
  192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy
  192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy
[other-test]
192.168.1.250:1234
<br />
<br />


===module===
===Ansible command parameters===
-f 'FORKS', --forks 'FORKS'
          specify number of parallel processes to use (default=5)
<br />
===Module===


====authorized_key 模块实现节点批量免密====
===== module 简要参数说明: =====
user=root : 将密钥推送到远程主机的哪个用户下
key=’<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub )
path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys]
manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no
exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no]
state (Choices: present, absent) :  present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present]
-k : 本次操作通过密码认证节点
ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False (ssh-keyscan 中 -H参数代表将相关指纹和主机名结果都进行哈希化加密)
===== command line example: =====
ansible all -m authorized_key -a "user=root key='<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>' path='/root/.ssh/authorized_keys' manage_dir=no" -k
<br />
====selinux====
====selinux====
ansible k8s -m selinux -m selinux -a state=disabled
ansible k8s -m selinux -m selinux -a state=disabled
 
https://my.oschina.net/ozakilsc/blog/693023
https://my.oschina.net/ozakilsc/blog/693023
<br />
<br />
====shell====
====shell====
ansible k8s -m shell -a getenforce
ansible k8s -m shell -a getenforce
 
ansible k8s -m shell -a hostname
 
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"
 
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"
 
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"


ansible k8s -m shell -a hostname
ansible all -m shell -a "rpm -Uvh <nowiki>http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm</nowiki>"


ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"
 
ansible all -m shell -a "grub2-set-default 0"
自动切到root用户(-b)
ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"


ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"
====ping====
====ping====
(用于判断远程客户端是否在线)
(用于判断远程客户端是否在线)
 
ansible k8s -m ping
ansible k8s -m ping




第42行: 第107行:
====yum====
====yum====
(default state:installed)
(default state:installed)
ansible k8s -m yum -a 'name=vim state=installed'


ansible k8s -m yum -a 'name=vim state=installed'
ansible k8s -m yum -a 'name=vim'


ansible k8s -m yum -a 'name=vim'
ansible k8s -m yum -a 'name=vim, httpd'


ansible k8s -m yum -a 'name=vim, httpd'
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"


ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"
ansible k8s -m yum -a 'name=vsftpd  state=removed'


ansible k8s -m yum -a 'name=vsftpd  state=removed'
ansible k8s -m yum -a "name=bridge-utils"
 
ansible k8s -m yum -a "name=bridge-utils"<br />


ansible  all  -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"
<br />
<br />


====service====
====service====
ansible k8s -m service -a " name='nginx' enabled=yes"
ansible k8s -m service -a " name='nginx' enabled=yes"


ansible k8s -m service -a "name=httpd state=started"
ansible k8s -m service -a "name=httpd state=started"


ansible k8s -m service -a "name=firewalld state=stopped enabled=no"
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"


ansible k8s -km service -a "name=postfix state=stopped enabled=no"
ansible k8s -km service -a "name=postfix state=stopped enabled=no"
 
ansible k8s -m service -a "name=chronyd enabled=yes state=started"




====copy====
====copy====
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"
 
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k
 
 
====file====
ansible k8s -m file -a "path=/opt/k8s/bin state=directory"
 
ansible k8s -m file -a "path=/opt/k8s/work state=directory"
 
ansible k8s -m file -a "path=/opt/k8s/work state=absent"




====others====
====others====
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"<br />
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"
[[分类:Linux]]
 
 
===Playbook===
 
====copy====
---
- hosts: all
<nowiki> </nowiki> tasks:
<nowiki> </nowiki>  - name: copy kubernetes server executeable file to master node
<nowiki> </nowiki>    copy:
<nowiki> </nowiki>      src: '<nowiki>{{ item.src }}</nowiki>'
<nowiki> </nowiki>      dest: '<nowiki>{{item.dest}}</nowiki>'
<nowiki> </nowiki>      mode: '0744'
<nowiki> </nowiki>    with_items:
<nowiki> </nowiki>      - {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kubeadm', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kube-apiserver', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kubectl', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kubelet', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './kube-proxy', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>     - {src: './kube-scheduler', dest: '/opt/k8s/bin/'}
<nowiki> </nowiki>      - {src: './mounter', dest: '/opt/k8s/bin/'}
             
            [[分类:Linux]]
<br />
 
===Other operations===
 
====use the passphrase protected ssh private key without input the password====
使用带密码保护的私钥并且避免每次都要输入私钥密码(本次会话生效)
$ eval `ssh-agent`  # you might have agent already running so this might not be needed
$ ssh-add ~/.ssh/id_rsa
<br />
__无编辑段落__
__无新段落链接__

2024年11月12日 (二) 16:06的最新版本

For linux and kubernetes


Hosts config

[cluster1_controller]
10.219.235.210
10.219.235.213
10.219.235.214

[cluster1_compute]
10.219.235.[215:219]

[cluster1_nodes:children]
cluster1_controller
cluster1_compute

[cluster1_nodes:vars]
ansible_ssh_user=guest2admin
ansible_ssh_pass=@users
ansible_python_interpreter=/usr/bin/python
ansible_ssh_common_args=-c aes256-cbc -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
ansible_connection=ssh
ansible_become_password=root@root@su
ansible_become_method=su
ansible_become_exe=sudo su -

#############################################

[k8s]
k8s-node-1 ansible_ssh_host=172.16.139.102
k8s-node-2 ansible_ssh_host=172.16.139.103
k8s-node-3 ansible_ssh_host=172.16.139.104

[test]
192.168.1.250 ansible_ssh_port=1234
192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy


[other-test]
192.168.1.250:1234


Ansible command parameters

-f 'FORKS', --forks 'FORKS'
          specify number of parallel processes to use (default=5)


Module

authorized_key 模块实现节点批量免密

module 简要参数说明:

user=root : 将密钥推送到远程主机的哪个用户下

key=’{{ lookup('file', '/root/.ssh/authorized_keys')}}’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub )

path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys]

manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no

exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no]

state (Choices: present, absent) : present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present]

-k : 本次操作通过密码认证节点


ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False (ssh-keyscan 中 -H参数代表将相关指纹和主机名结果都进行哈希化加密)

command line example:
ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/authorized_keys')}}' path='/root/.ssh/authorized_keys' manage_dir=no" -k


selinux

ansible k8s -m selinux -m selinux -a state=disabled

https://my.oschina.net/ozakilsc/blog/693023

shell

ansible k8s -m shell -a getenforce
ansible k8s -m shell -a hostname
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"
ansible all -m shell -a "rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm"
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"
ansible all -m shell -a "grub2-set-default 0"

自动切到root用户(-b)

ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"

ping

(用于判断远程客户端是否在线)

ansible k8s -m ping


command

(ansible default module)


yum

(default state:installed)

ansible k8s -m yum -a 'name=vim state=installed'
ansible k8s -m yum -a 'name=vim'
ansible k8s -m yum -a 'name=vim, httpd'
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"
ansible k8s -m yum -a 'name=vsftpd  state=removed'
ansible k8s -m yum -a "name=bridge-utils"
ansible  all  -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"


service

ansible k8s -m service -a " name='nginx' enabled=yes"
ansible k8s -m service -a "name=httpd state=started"
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"
ansible k8s -km service -a "name=postfix state=stopped enabled=no"
ansible k8s -m service -a "name=chronyd enabled=yes state=started"


copy

ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k


file

ansible k8s -m file -a "path=/opt/k8s/bin state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=absent"


others

ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"


Playbook

copy

---
- hosts: all
  tasks:
    - name: copy kubernetes server executeable file to master node
      copy:
        src: '{{ item.src }}'
        dest: '{{item.dest}}'
        mode: '0744'
      with_items:
       - {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}
       - {src: './kubeadm', dest: '/opt/k8s/bin/'}
       - {src: './kube-apiserver', dest: '/opt/k8s/bin/'}
       - {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}
       - {src: './kubectl', dest: '/opt/k8s/bin/'}
       - {src: './kubelet', dest: '/opt/k8s/bin/'}
       - {src: './kube-proxy', dest: '/opt/k8s/bin/'}
       - {src: './kube-scheduler', dest: '/opt/k8s/bin/'}
       - {src: './mounter', dest: '/opt/k8s/bin/'}


Other operations

use the passphrase protected ssh private key without input the password

使用带密码保护的私钥并且避免每次都要输入私钥密码(本次会话生效)

$ eval `ssh-agent`  # you might have agent already running so this might not be needed
$ ssh-add ~/.ssh/id_rsa