Ansible随记:修订间差异
来自三线的随记
小无编辑摘要 |
小无编辑摘要 |
||
| 第25行: | 第25行: | ||
===Module=== | ===Module=== | ||
====authorized_key==== | ====authorized_key 模块实现节点批量免密==== | ||
===== module 简要参数说明: ===== | |||
user=root : 将密钥推送到远程主机的哪个用户下 | user=root : 将密钥推送到远程主机的哪个用户下 | ||
key=’<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>’ : | key=’<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub ) | ||
path=’/root/.ssh/authorized_keys’ [Default: ( | path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys] | ||
manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no | manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no | ||
exclusive [default: no] : | exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no] | ||
state (Choices: present, absent) : present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present] | |||
-k : 本次操作通过密码认证节点 | |||
ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False | |||
===== command line example: ===== | |||
ansible all -m authorized_key -a "user=root key='<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>' path='/root/.ssh/authorized_keys' manage_dir=no" -k | ansible all -m authorized_key -a "user=root key='<nowiki>{{ lookup('file', '/root/.ssh/authorized_keys')}}</nowiki>' path='/root/.ssh/authorized_keys' manage_dir=no" -k | ||
<br /> | <br /> | ||
2022年1月14日 (五) 16:26的版本
For linux and kubernetes
Hosts config
[k8s] k8s-node-1 ansible_ssh_host=172.16.139.102 k8s-node-2 ansible_ssh_host=172.16.139.103 k8s-node-3 ansible_ssh_host=172.16.139.104 [test] 192.168.1.250 ansible_ssh_port=1234 192.168.1.251 ansible_ssh_user=xxx ansible_ssh_pass=yyy [other-test] 192.168.1.250:1234
Ansible command parameters
-f 'FORKS', --forks 'FORKS'
specify number of parallel processes to use (default=5)
Module
authorized_key 模块实现节点批量免密
module 简要参数说明:
user=root : 将密钥推送到远程主机的哪个用户下
key=’{{ lookup('file', '/root/.ssh/authorized_keys')}}’ : 指定要推送的公钥文件所在的路径(常用应该是 id_rsa.pub )
path=’/root/.ssh/authorized_keys’ : 将密钥推送到远程主机的哪个目录下并重命名 [Default: (user home dir)+/.ssh/authorized_keys]
manage_dir=no : 指定模块是否应该管理 authorized key 文件所在的目录。如果设置为 yes,模块会创建目录,以及设置一个已存在目录的拥有者和权限。如果通过 path 选项,重新指定了一个 authorized key 文件所在目录,那么应该将该选项设置为 no
exclusive : 是否移除 authorized_keys 文件中其它非指定 key [default: no]
state (Choices: present, absent) : present 添加指定 key 到 authorized_keys 文件中;absent 从 authorized_keys 文件中移除指定 key [Default: present]
-k : 本次操作通过密码认证节点
ps: 如果是第一次ssh连接对端节点,可以考虑 ssh-keyscan -H ${node_ip} >> ~/.ssh/known_hosts 批量添加节点ssh指或者直接将ansible host_key_checking 设置为False
command line example:
ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/authorized_keys')}}' path='/root/.ssh/authorized_keys' manage_dir=no" -k
selinux
ansible k8s -m selinux -m selinux -a state=disabled
https://my.oschina.net/ozakilsc/blog/693023
shell
ansible k8s -m shell -a getenforce
ansible k8s -m shell -a hostname
ansible k8s -m shell -a "iptables -F && iptables -X && iptables -F -t nat && iptables -t nat -X && iptables -t raw -F && iptables -t raw -X && iptables -t mangle -F && iptables -t mangle -X"
ansible k8s -m shell -a "modprobe bridge && modprobe br_netfilter && sysctl -p /etc/sysctl.d/kubernetes.conf"
ansible k8s -m shell -a "timedatectl set-timezone Asia/Shanghai && timedatectl status"
ansible all -m shell -a "rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm"
ansible all -m shell -a "yum --enablerepo=elrepo-kernel install -y kernel-lt"
ansible all -m shell -a "grub2-set-default 0"
自动切到root用户(-b)
ansible all -b -m shell -a "cat <<< \$(jq '. + {\"bip\": \"192.168.0.1/28\"}' /etc/docker/daemon.json) > /etc/docker/daemon.json"
ping
(用于判断远程客户端是否在线)
ansible k8s -m ping
command
(ansible default module)
yum
(default state:installed)
ansible k8s -m yum -a 'name=vim state=installed'
ansible k8s -m yum -a 'name=vim'
ansible k8s -m yum -a 'name=vim, httpd'
ansible k8s -km yum -a "name=yum-utils,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git"
ansible k8s -m yum -a 'name=vsftpd state=removed'
ansible k8s -m yum -a "name=bridge-utils"
ansible all -m yum -a "name=epel-release,chrony,conntrack,ipvsadm,ipset,jq,iptables,curl,sysstat,libseccomp,wget,socat,git,bind-utils state=installed"
service
ansible k8s -m service -a " name='nginx' enabled=yes"
ansible k8s -m service -a "name=httpd state=started"
ansible k8s -m service -a "name=firewalld state=stopped enabled=no"
ansible k8s -km service -a "name=postfix state=stopped enabled=no"
ansible k8s -m service -a "name=chronyd enabled=yes state=started"
copy
ansible k8s -m copy -a "src=./kubernetes.conf dest=/etc/sysctl.d/"
ansible all -m copy -a "src=./authorized_keys dest=~/.ssh/authorized_keys mode=600" -k
file
ansible k8s -m file -a "path=/opt/k8s/bin state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=directory"
ansible k8s -m file -a "path=/opt/k8s/work state=absent"
others
ansible k8s -m shell -a "rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7"
Playbook
copy
---
- hosts: all
tasks:
- name: copy kubernetes server executeable file to master node
copy:
src: '{{ item.src }}'
dest: '{{item.dest}}'
mode: '0744'
with_items:
- {src: './apiextensions-apiserver', dest: '/opt/k8s/bin/'}
- {src: './kubeadm', dest: '/opt/k8s/bin/'}
- {src: './kube-apiserver', dest: '/opt/k8s/bin/'}
- {src: './kube-controller-manager', dest: '/opt/k8s/bin/'}
- {src: './kubectl', dest: '/opt/k8s/bin/'}
- {src: './kubelet', dest: '/opt/k8s/bin/'}
- {src: './kube-proxy', dest: '/opt/k8s/bin/'}
- {src: './kube-scheduler', dest: '/opt/k8s/bin/'}
- {src: './mounter', dest: '/opt/k8s/bin/'}
Other operations
use the passphrase protected ssh private key without input the password
使用带密码保护的私钥并且避免每次都要输入私钥密码
$ eval `ssh-agent` # you might have agent already running so this might not be needed $ ssh-add ~/.ssh/id_rsa
