This is an old revision of the page!
Ansible
Ansible 2.9 on CentOS Stream 8
The CentOS Stream 8 repositories now ship newer ansible-core packages that are not compatible with playbooks written for version 2.9. The old version is still available from EPEL:
dnf install epel-release
dnf install ansible --exclude=ansible-core
It is worth adding the exclusion to the [main] section of /etc/yum.conf (on CentOS 8 a symlink to /etc/dnf/dnf.conf), so that it does not have to be remembered on every install:
exclude=ansible-core
Checking whether today's cron-run playbook completed without failures
grep -E "^$(date "+%Y-%m-%d").*failed" ansible.log | grep -Ev "failed=0" | wc -l
Assuming the command above is saved as check_failed.sh and the path to the log file in it is correct, the result can be posted to IRC. The play must target the host that holds ansible.log (normally the control node itself), because the command task runs there. The count is of today's log lines that mention failed but not failed=0, which in practice is the recap line of each host with at least one failed task; a host that was unreachable still shows failed=0 in its recap and is not counted. The irc module below talks plain text on port 6667; it also supports use_ssl: yes for a TLS port such as Libera's 6697.
---
- name: Send status on IRC
  hosts: my-host.ping.local
  tasks:
    - name: Check failed tasks
      command: '/usr/bin/bash /home/lukasz/ansible/helpers/check_failed.sh'
      register: fails

    - name: Send a report to the fedora-pl channel
      irc:
        server: irc.libera.chat
        port: 6667
        nick: raport
        channel: '#fedora-pl'
        msg: "[ANSIBLE] Today's failed tasks: {{ fails['stdout_lines'][0] }}."
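As an added example, not part of the original page, the same check written so that it can be run and tested offline: it picks out the PLAY RECAP lines that Ansible writes to log_path for one day and counts the hosts whose failed= or unreachable= counter is non-zero, so an unreachable host is reported as well. The log lines in SAMPLE_LOG are constructed for the example (hypothetical host names and timestamps); their layout is modelled on the 2.9 log_path format (timestamp, p=, u=, then the message after a pipe).

```shell
#!/bin/sh
# Added example, not from the original page: a self-contained variant of
# check_failed.sh. Instead of matching the word "failed" anywhere in the log,
# it selects the PLAY RECAP lines of one day and counts the hosts whose
# failed= or unreachable= counter is non-zero. SAMPLE_LOG is constructed:
# the host names and timestamps are invented, the line layout is modelled on
# an Ansible 2.9 log_path file ("timestamp p=PID u=USER | message").

SAMPLE_LOG='2022-08-18 05:00:02,500 p=1201 u=root | fatal: [db1.example.local]: FAILED! => {"msg": "constructed failure"}
2022-08-18 05:00:03,101 p=1201 u=root | PLAY RECAP *********************************************************************
2022-08-18 05:00:03,102 p=1201 u=root | web1.example.local                    : ok=12   changed=1    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0
2022-08-18 05:00:03,103 p=1201 u=root | db1.example.local                     : ok=7    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
2022-08-18 05:00:03,104 p=1201 u=root | old.example.local                     : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
2022-08-17 05:00:03,099 p=1100 u=root | db1.example.local                     : ok=7    changed=0    unreachable=0    failed=3    skipped=0    rescued=0    ignored=0'

# Regular expression matching a per-host recap line of the day given as $1.
recap_re() {
    printf '%s' "^$1 .* : ok=[0-9]+ +changed=[0-9]+ +unreachable=[0-9]+ +failed=[0-9]+"
}

# count_failed DAY LOGFILE
# Prints the number of hosts whose recap for DAY has failed!=0 or unreachable!=0.
count_failed() {
    grep -E "$(recap_re "$1")" "$2" \
        | grep -Ev 'unreachable=0 +failed=0( |$)' \
        | wc -l | tr -d ' '
}

# failed_hosts DAY LOGFILE
# Prints the host names behind that count, one per line.
failed_hosts() {
    grep -E "$(recap_re "$1")" "$2" \
        | grep -Ev 'unreachable=0 +failed=0( |$)' \
        | sed -E 's/.*\| *([^ ]+) *: ok=.*/\1/'
}

# Stand-alone run: write the constructed log to a temporary file and report
# on 2022-08-18, the way the cron job would report on "$(date +%Y-%m-%d)".
main() {
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Today's failed tasks: $(count_failed 2022-08-18 "$tmp")"
    failed_hosts 2022-08-18 "$tmp"
    rm -f "$tmp"
}

main
```

Pointing count_failed at the real log and replacing the fixed date with "$(date +%Y-%m-%d)" gives a drop-in replacement for check_failed.sh; the fatal: line and the 2022-08-17 recap in the sample are there to show that only recap lines of the requested day are counted.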
Configuration file
[defaults]
inventory = /root/ansible/hosts
interpreter_python = auto_silent
remote_user = root
log_path = /root/ansible/var/ansible.log

[inventory]

[privilege_escalation]

[paramiko_connection]

[ssh_connection]

[persistent_connection]

[sudo_become_plugin]

[selinux]

[colors]

[diff]

[galaxy]
The auto_silent setting keeps the automatic interpreter discovery of auto but suppresses the warning about the discovered Python interpreter that would otherwise be printed on every playbook run.
Loops in playbooks and helpers
Example of a playbook using a loop:
---
- name: Enable users
  hosts: all
  tasks:
    - name: Ensure that users exist and are in the correct groups
      include_tasks: helpers/users_enable.yaml
      loop:
        - {username: lukasz, comment: Lukasz, sshkey: "{{ lookup('file', 'ssh_keys/lukasz') }}"}

    # - name: Ensure that users can not log in
    #   include_tasks: helpers/users_disable.yaml
    #   loop:
    #     - {username: qwerty, comment: QWERTY, sshkey: "{{ lookup('file', 'ssh_keys/QWERTY') }}"}
File helpers/users_enable.yaml:
- debug:
    msg: "user - {{ item.username }}"

- name: Ensure user exists and is in correct groups on FreeBSD
  user:
    name: "{{ item.username }}"
    comment: "{{ item.comment }}"
    shell: /usr/local/bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'FreeBSD'

- name: Ensure user exists and is in correct groups on Gentoo and RedHat-like hosts
  user:
    name: "{{ item.username }}"
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: wheel
    append: yes
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat'

- name: Ensure user exists and is in correct groups on Debian-like hosts
  user:
    name: "{{ item.username }}"
    comment: "{{ item.comment }}"
    shell: /bin/bash
    groups: sudo
    append: yes
  when: ansible_os_family == 'Debian'

- name: Set authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: present
    exclusive: True

- name: Ensure user is able to log in
  user:
    name: "{{ item.username }}"
    password_lock: no

- name: Set permissions to home directory
  file:
    path: /home/{{ item.username }}
    owner: "{{ item.username }}"
    group: "{{ item.username }}"
    mode: '700'
File helpers/users_disable.yaml:
- debug:
    msg: "user - {{ item.username }}"

- name: Ensure user is not able to log in
  user:
    name: "{{ item.username }}"
    password_lock: yes

- name: Unset authorized SSH keys for user
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.sshkey }}"
    state: absent

- name: Set permissions to home directory on Linux
  file:
    owner: root
    group: root
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'Gentoo' or ansible_os_family == 'RedHat' or ansible_os_family == 'Debian'

- name: Set permissions to home directory on FreeBSD
  file:
    owner: root
    group: wheel
    path: /home/{{ item.username }}
    mode: '700'
  when: ansible_os_family == 'FreeBSD'
The file in the ssh_keys directory is a copy of the user's ~/.ssh/id_rsa.pub. Note that exclusive: True in the enable helper makes that file the complete authorized_keys list: any key the user added by hand is removed on the next run. In the disable helper, state: absent removes only the key listed in ssh_keys, and password_lock: yes locks only the password (it does not end sessions that are already open), so a key the user added themselves would still let them log in.
wiki/ansible.1660815847.txt.gz · last modified: 2022/08/18 11:44 by 127.0.0.1