Ansible

Checking whether today's cron-driven playbook run succeeded

grep -E "^$(date +%Y-%m-%d).*failed" ansible.log | grep -Ev "failed=0" | wc -l

Assuming the command above is saved in check_failed.sh and the path to the log file in it is correct, the result can be posted to IRC. Two caveats: the count covers today's PLAY RECAP lines whose failed= field is non-zero, so a host that was unreachable (unreachable=1, failed=0) is not counted; and the irc module connects from the target host, in plaintext on port 6667 unless use_ssl is set (libera.chat also listens on 6697 with TLS).

---
- name: Send status on IRC
  hosts: my-host.ping.local

  tasks:

  - name: Check failed tasks
    command: '/usr/bin/bash /home/lukasz/ansible/helpers/check_failed.sh'
    register: fails

  - name: Send a report to a fedora-pl channel
    irc:
      server: irc.libera.chat
      port: 6667
      nick: raport
      channel: '#fedora-pl'
      msg: "[ANSIBLE] Today's failed tasks: {{ fails['stdout_lines'][0] }}."
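The one-liner above only looks at the failed= field. The following is an added example, not part of the wiki page, that parses the same log_path file but also counts hosts that were unreachable, and restricts itself to PLAY RECAP lines (the ones containing " : ok=") so that the word "failed" inside task output cannot inflate the count. The sample log is constructed here to match Ansible's default log_path line format ("<date> <time> p=<pid> u=<user> n=ansible | <message>"); the hostnames are made up.

```shell
#!/bin/sh
# Added example (not the wiki's own script): summarise one day's PLAY RECAP
# lines from an Ansible log_path file, counting hosts that either failed or
# were unreachable. Usage: count_bad_hosts LOGFILE [YYYY-MM-DD]

# Print the number of recap lines for DAY (default: today) whose host has
# failed>0 or unreachable>0.
count_bad_hosts() {
    logfile=$1
    day=${2:-$(date +%Y-%m-%d)}
    awk -v d="$day" '
        # Only lines that start with the wanted date and are recap lines.
        index($0, d) == 1 && / : ok=/ {
            bad = 0
            for (i = 1; i <= NF; i++) {
                # Inspect the failed= and unreachable= fields explicitly
                # instead of grepping for the word "failed" anywhere.
                if ($i ~ /^(failed|unreachable)=/) {
                    split($i, kv, "=")
                    if (kv[2] + 0 > 0) bad = 1
                }
            }
            n += bad
        }
        END { print n + 0 }
    ' "$logfile"
}

# Constructed sample log (fake hosts, not a real run) for a stand-alone demo.
# Note the db1 line: unreachable=1 but failed=0, which the plain grep misses.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-12-28 03:00:01,001 p=4242 u=ansemble n=ansible | PLAY RECAP *********************************************************************
2024-12-28 03:00:01,002 p=4242 u=ansemble n=ansible | web1.example.test : ok=12 changed=1 unreachable=0 failed=0 skipped=2 rescued=0 ignored=0
2024-12-28 03:00:01,003 p=4242 u=ansemble n=ansible | web2.example.test : ok=4 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
2024-12-28 03:00:01,004 p=4242 u=ansemble n=ansible | db1.example.test : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
2024-12-27 03:00:01,005 p=4141 u=ansemble n=ansible | web2.example.test : ok=4 changed=0 unreachable=0 failed=3 skipped=0 rescued=0 ignored=0
EOF
    printf '%s\n' "$f"
}

# Demo run on the constructed log.
log=$(make_sample_log)
count_bad_hosts "$log" 2024-12-28   # 2: web2 (failed=1) and db1 (unreachable=1)
rm -f "$log"
```

To use it in place of check_failed.sh, point count_bad_hosts at ~/ansible/var/ansible.log with no date argument; the playbook's `fails['stdout_lines'][0]` then carries the number of hosts that need attention rather than only those with failed tasks.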

Configuration file

[defaults]
inventory=~/ansible/hosts
log_path=~/ansible/var/ansible.log
remote_user=ansemble
interpreter_python=auto_silent

[privilege_escalation]
become=True
become_ask_pass=False
become_method=sudo

[ssh_connection]
ssh_args = -C -o ServerAliveInterval=33 -o ControlMaster=auto -o ControlPersist=66s
timeout=21

interpreter_python=auto_silent behaves like auto but suppresses the interpreter-discovery warning that would otherwise be printed on every playbook run. Pick a remote_user name that SSH brute-force bots do not commonly guess. Note that with become=True and become_ask_pass=False this account needs passwordless sudo on every managed host, so its SSH private key is effectively a root credential for the whole fleet and should be protected as one.

Loops in playbooks, and helpers

An example playbook that uses a loop:

---
- name: Enable users
  hosts: all

  tasks:

  - name: Ensure that users exist and are in the correct groups
    include_tasks: helpers/users_enable.yaml
    loop:
    - {username: lukasz, comment: Lukasz, sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"}

#  - name: Ensure that users can not login
#    include_tasks: helpers/users_disable.yaml
#    loop:
#    - {username: qwerty, comment: QWERTY, sshkey: "{{ lookup('file', 'ssh_keys/QWERTY') }}"}

The file helpers/users_enable.yaml:

- debug:
    msg: user - {{ item.username }}


- name: Ensure user exists and is in correct groups on FreeBSD
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /usr/local/bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'FreeBSD'

- name: Ensure user exists and is in correct groups on Gentoo and RedHat-like hosts
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat'

- name: Ensure user exists and is in correct groups on Debian-like hosts
  user:
    name: "{{ item.username }}" 
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: sudo
    append: yes
  when: ansible_os_family == 'Debian'

- name: Set authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: present
    exclusive: True

- name: Ensure user is able to log in
  user:
    name: "{{ item.username }}"
    password_lock: no

- name: Set permissions to home directory
  file:
    path: /home/{{ item.username }}
    owner: "{{ item.username }}"
    group: "{{ item.username }}"
    mode: '700'

The file helpers/users_disable.yaml:

- debug:
    msg: user - {{ item.username }}

- name: Ensure user is not able to log in
  user:
    name: "{{ item.username }}"
    password_lock: yes

- name: Unset authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: absent

- name: Set permissions to home directory on Linux
  file:
    owner: root
    group: root
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat' or ansible_os_family == 'Debian'

- name: Set permissions to home directory on FreeBSD
  file:
    owner: root
    group: wheel
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'FreeBSD'

Each file in the ssh_keys directory is a copy of the respective user's ~/.ssh/id_rsa.pub. lookup('file', ...) reads it on the control node, and because authorized_key is applied with exclusive: True, the file's contents become the user's complete authorized_keys on every host: any key not listed in it is removed. The disable helper, by contrast, removes only the listed key (state: absent) and locks the password, so any other key the user had added to authorized_keys would still allow login; chowning the home directory to root stops the user from editing the file but does not remove such keys, and it does not terminate sessions that are already open.
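Since whatever is in ssh_keys/ is pushed verbatim to every host as the user's entire authorized_keys, it is worth linting those files before the play runs. The following is an added example, not part of the wiki page: a POSIX shell check that rejects PEM/private-key material, empty files (which with exclusive: True would delete all of the user's keys) and lines that do not look like a public key. The accepted key types and the restriction to plain key lines (no authorized_keys option prefixes such as from=) are assumptions of this example; the sample directory and key material are constructed and not real keys.

```shell
#!/bin/sh
# Added example (not the wiki's own code): lint the files under ssh_keys/
# before users_enable.yaml writes them out with authorized_key exclusive: True.
# Usage: check_keys_dir ~/ansible/ssh_keys

# Key types accepted by this lint (an assumption of the example; ssh-dss is
# deliberately left out, OpenSSH disables DSA by default since 7.0).
KEY_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com'

# check_pubkey_file FILE -> 0 if every non-comment line is a public key line
# and there is at least one, 1 otherwise (reasons are written to stderr).
check_pubkey_file() {
    f=$1
    n=0
    rc=0
    # A private key pasted by mistake would be copied to every host.
    if grep -q -- '-----BEGIN' "$f"; then
        echo "$f: contains PEM/private key material" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        n=$((n + 1))
        # <type> <base64 blob> [comment]; the comment may contain spaces.
        if ! printf '%s\n' "$line" | grep -Eq "^($KEY_TYPES) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$"; then
            echo "$f: malformed key line: $line" >&2
            rc=1
        fi
    done < "$f"
    # An empty file is the dangerous case: exclusive: True would remove all keys.
    if [ "$n" -eq 0 ]; then
        echo "$f: no keys; exclusive: True would remove all of the user's keys" >&2
        return 1
    fi
    return $rc
}

# check_keys_dir DIR -> 0 if every regular file in DIR passes, 1 otherwise.
check_keys_dir() {
    status=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_pubkey_file "$f" || status=1
    done
    return $status
}

# Constructed sample directory with fake key material (not real keys):
# one good file, one private key pasted by mistake, one empty file.
make_sample_keys_dir() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakeFakeFakeFakeFakeFakeFake lukasz@laptop\n' > "$d/lukasz"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nnot a public key\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/oops"
    : > "$d/empty"
    printf '%s\n' "$d"
}

# Demo run on the constructed directory: lukasz passes, oops and empty fail.
d=$(make_sample_keys_dir)
check_keys_dir "$d" || echo "ssh_keys lint failed, do not run the play" >&2
rm -rf "$d"
```

Run check_keys_dir against the real ssh_keys directory (for instance as a pre_tasks step with local_action, or from the cron job before ansible-playbook) and abort the run on a non-zero exit.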

Ansible 2.9 on CentOS Stream 8

The CentOS Stream 8 repositories now ship newer ansible-core packages that are incompatible with playbooks written for version 2.9. The old version is still available from EPEL:

dnf install epel-release
dnf install ansible --exclude=ansible-core

To avoid having to remember the exclude on every dnf command, add it to the [main] section of /etc/yum.conf (on EL8 a symlink to /etc/dnf/dnf.conf):

exclude=ansible-core
wiki/ansible.txt · last modified: 2024/12/28 12:45 by 127.0.0.1

All content in this wiki, unless otherwise licensed, is in the Public Domain.