Ansible Playbooks高级使用

文件操作

文件创建

• file

用于设置文件/链接/目录的属性，或者删除文件/链接/目录

### state如果是directory当目录不存在时会自动创建；如果是file当文件不存在时不会自动创建
- name: Create log dir
  file:
    path: "{{ item.src }}"
    state: directory
  with_items: "{{ log_dirs }}"
  when: is_metal | bool
  tags:
    - common-log
- name: Mask lxc-net systemd service
  file:
    src: /dev/null
    path: /etc/systemd/system/lxc-net.service
    state: link
  when:
    - ansible_service_mgr == 'systemd'
  tags:
    - lxc-files
    - lxc-net

修改文件

• lineinfile

用于检测文件是否存在特殊行或者使用后端正则表达式来替换匹配到的特殊行

- name: Extra lxc config
  lineinfile:
    dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
    line: "{{ item.split('=')[0] }} = {{ item.split('=', 1)[1] }}"
    insertafter: "^{{ item.split('=')[0] }}"
    backup: "true"
  with_items: "{{ extra_container_config | default([]) }}"
  delegate_to: "{{ physical_host }}"
  register: _ec
  when: not is_metal | bool
  tags:
    - common-lxc

• replace

lineinfile的多行匹配版本，此模块会在文件中插入一段内容，并在内容开始和结束位置设置标签，后续可以使用标签可以对此块内容进行操作

### 在ml2_conf.ini文件的[ml2]和[ml2_type_vlan]字段之间插入一段内容
- name: Enable ovn in neutron-server
  replace:
    dest: "{{ node_config_directory }}/neutron-server/ml2_conf.ini"
    regexp: '\[ml2\][\S\s]*(?=\[ml2_type_vlan\])'
    replace: |+
      [ml2]
      type_drivers = local,flat,vlan,geneve
      tenant_network_types = geneve
      mechanism_drivers = ovn
      extension_drivers = port_security
      overlay_ip_version = 4
      [ml2_type_geneve]
      vni_ranges = 1:65536
      max_header_size = 38
      [ovn]
      ovn_nb_connection = tcp:{{ api_interface_address }}:{{ ovn_northdb_port }}
      ovn_sb_connection = tcp:{{ api_interface_address }}:{{ ovn_sourthdb_port }}
      ovn_l3_mode = False
      ovn_l3_scheduler = chance
      ovn_native_dhcp = True
      neutron_sync_mode = repair
    backup: yes
  when:
    - action == "deploy"
    - inventory_hostname in groups['network']
  notify:
    - Restart neutron-server container

• ini_file

ini后缀格式文件修改

### 设置l3_agent.ini文件[DEFAULT]字段的external_network_bridge选项值为br-ex
- name: Set the external network bridge
  vars:
      agent: "{{ 'neutron-vpnaas-agent' if enable_neutron_vpnaas | bool else 'neutron-l3-agent' }}"
  ini_file:
      dest: "{{ node_config_directory }}/{{ agent }}/l3_agent.ini"
      section: "DEFAULT"
      option: "external_network_bridge"
      value: "{{ neutron_bridge_name | default('br-ex') }}"
      backup: yes
  when:
      - action == "deploy"
      - inventory_hostname in ovn_central_address
  delegate_to: "{{ item }}"
  with_items: "{{ groups['neutron-server'] }}"
  notify:
      - Restart {{ agent }} container

• assemble

将多个文件聚合成一个文件

### 将/etc/haproxy/conf.d目录下的文件内容聚合成/etc/haproxy/haproxy.cfg文件
- name: Regenerate haproxy configuration
  assemble:
    src: "/etc/haproxy/conf.d"
    dest: "/etc/haproxy/haproxy.cfg"
  notify: Restart haproxy
  tags:
    - haproxy-general-config

循环控制

• with_items

标准循环，用于执行重复任务，{{ item }}类似宏展开

- name: add several users
  user:
    name: "{{ item.name }}"
    state: present
    groups: "{{ item.groups }}"
  with_items:
    - { name: 'testuser1', groups: 'wheel' }
    - { name: 'testuser2', groups: 'root' }

• with_nested

嵌套循环

### 修改neutron-server组所有主机的ml2_conf.ini文件的对应字段值
- name: Enable ovn in neutron-server
  vars:
    params:
      - { section: 'ml2', option: 'type_drivers', value: 'local,flat,vlan,geneve' }
      - { section: 'ml2', option: 'tenant_network_types', value: 'geneve' }
      - { section: 'ml2', option: 'mechanism_drivers', value: 'ovn' }
      - { section: 'ml2', option: 'extension_drivers', value: 'port_security' }
      - { section: 'ml2', option: 'overlay_ip_version', value: '4' }
      - { section: 'securitygroup', option: 'enable_security_group', value: 'True' }
  ini_file:
    dest: "{{ node_config_directory }}/neutron-server/ml2_conf.ini"
    section: "{{ item[0].section }}"
    option: "{{ item[0].option }}"
    value: "{{ item[0].value }}"
    backup: yes
  when:
    - action == "deploy"
    - inventory_hostname in ovn_central_address
  delegate_to: "{{ item[1] }}"
  with_nested:
    - "{{ params }}"
    - "{{ groups['neutron-server'] }}"
  notify:
    - Restart neutron-server container

流程控制

• tags

设置任务标签

tasks:
    - yum: name={{ item }} state=installed
      with_items:
         - httpd
         - memcached
      tags:
         - packages
    - template: src=templates/src.j2 dest=/etc/foo.conf
      tags:
         - configuration
### 执行playbook可以指定只执行标签对应任务或跳过标签对应任务
# ansible-playbook example.yml --tags "configuration,packages"
# ansible-playbook example.yml --skip-tags "notification"

• fail_when

用来控制playbook退出

- name: Check if firewalld is installed
  command: rpm -q firewalld
  register: firewalld_check
  failed_when: firewalld_check.rc > 1
  when: ansible_os_family == 'RedHat'

• pre_tasks/post_tasks

用来设置在执行roles模块之前和之后需要执行的任务

- name: Install the aodh components
  hosts: aodh_all
  gather_facts: "{{ gather_facts | default(True) }}"
  max_fail_percentage: 20
  user: root
  pre_tasks:
    - include: common-tasks/os-lxc-container-setup.yml
    - include: common-tasks/rabbitmq-vhost-user.yml
      static: no
      vars:
        user: "{{ aodh_rabbitmq_userid }}"
        password: "{{ aodh_rabbitmq_password }}"
        vhost: "{{ aodh_rabbitmq_vhost }}"
        _rabbitmq_host_group: "{{ aodh_rabbitmq_host_group }}"
      when:
        - inventory_hostname == groups['aodh_api'][0]
        - groups[aodh_rabbitmq_host_group] | length > 0
    - include: common-tasks/os-log-dir-setup.yml
      vars:
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-aodh"
            dest: "/var/log/aodh"
    - include: common-tasks/mysql-db-user.yml
      static: no
      vars:
        user_name: "{{ aodh_galera_user }}"
        password: "{{ aodh_container_db_password }}"
        login_host: "{{ aodh_galera_address }}"
        db_name: "{{ aodh_galera_database }}"
      when: inventory_hostname == groups['aodh_all'][0]
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_aodh"
      aodh_venv_tag: "{{ openstack_release }}"
      aodh_venv_download_url: "{{ openstack_repo_url }}/venvs/{{ openstack_release }}/{{ ansible_distribution | lower }}/aodh-{{ openstack_release }}-{{ ansible_architecture | lower }}.tgz"
    - role: "openstack_openrc"
      tags:
        - openrc
    - role: "rsyslog_client"
      rsyslog_client_log_rotate_file: aodh_log_rotate
      rsyslog_client_log_dir: "/var/log/aodh"
      rsyslog_client_config_name: "99-aodh-rsyslog-client.conf"
      tags:
        - rsyslog
  vars:
    is_metal: "{{ properties.is_metal|default(false) }}"
    aodh_rabbitmq_userid: aodh
    aodh_rabbitmq_vhost: /aodh
    aodh_rabbitmq_servers: "{{ rabbitmq_servers }}"
    aodh_rabbitmq_port: "{{ rabbitmq_port }}"
    aodh_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"
  tags:
    - aodh

主机路由

• delegate_to

可以将当前任务放到其他hosts上执行

### 这是一段在容器中执行的playbook的一部分，这时候需要检测容器所在的宿主机上的对应目录是否存在，这时候就需要用到委托来跳出当前容器到宿主机上执行当前任务
- name: Ensure mount directories exists
  file:
    path: "{{ item['mount_path'] }}"
    state: "directory"
  with_items:
    - "{{ lxc_default_bind_mounts | default([]) }}"
    - "{{ list_of_bind_mounts | default([]) }}"
  delegate_to: "{{ physical_host }}"
  when:
    - not is_metal | bool
  tags:
    - common-lxc

• local_action

将任务放在ansible控制主机（运行ansible-playbook的主机）上执行

- name: Check if the git cache exists on deployment host
  local_action:
    module: stat
    path: "{{ repo_build_git_cache }}"
  register: _local_git_cache
  when: repo_build_git_cache is defined

用户和用户组控制

• group

创建用户组

### 创建系统管理员组haproxy，present表示不存在创建，absent表示存在删除
- name: Create the haproxy system group
  group:
    name: "haproxy"
    state: "present"
    system: "yes"
  tags:
    - haproxy-group

• user

创建用户

### 创建haproxy：haproxy用户，并创建home目录
- name: Create the haproxy system user
  user:
    name: "haproxy"
    group: "haproxy"
    comment: "haproxy user"
    shell: "/bin/false"
    system: "yes"
    createhome: "yes"
    home: "/var/lib/haproxy"
  tags:
    - haproxy-user

其他

• authorized_key

添加用户的SSH认证key

- name: Create authorized keys file from host vars
  authorized_key:
    user: "{{ repo_service_user_name }}"
    key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
  with_items: "{{ groups['repo_all'] }}"
  when: hostvars[item]['repo_pubkey'] is defined
  tags:
    - repo-key
    - repo-key-store

• slurp

用来读取远程主机上文件内容是base64加密的文件

### 读取id_rsa.pub文件的内容，并设置到变量repo_pub中
- name: Get public key contents and store as var
  slurp:
    src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
  register: repo_pub
  changed_when: false
  tags:
    - repo-key
    - repo-key-create

• uri

web访问，类似执行curl命令

- name: test proxy URL for connectivity
  uri:
    url: "{{ repo_pkg_cache_url }}/acng-report.html"
    method: "HEAD"
  register: proxy_check
  failed_when: false
  tags:
    - common-proxy

• wait_for

等待一个端口变得可用或者等待一个文件变得可用

- name: Wait for container ssh
  wait_for:
    port: "22"
    delay: "{{ ssh_delay }}"
    search_regex: "OpenSSH"
    host: "{{ ansible_host }}"
  delegate_to: "{{ physical_host }}"
  register: ssh_wait_check
  until: ssh_wait_check | success
  retries: 3
  when:
    - (_mc is defined and _mc | changed) or (_ec is defined and _ec | changed)
    - not is_metal | bool
  tags:
    - common-lxc

• command

执行shell命令

### ignore_errors为true表示命令执行出错也不会退出playbook
- name: Check if clean is needed
  command: docker exec openvswitch_vswitchd ovs-vsctl br-exists br-tun
  register: result
  ignore_errors: True

切换用户

### 使用become会先切换成apache用户，再执行command命令，默认become_user用户为root（如果你ansible配置的就是root用户的免密码登入那就不需要become了）
- name: Run a command as the apache user
  command: somecommand
  become: true
  become_user: apache

检测链表是否为空

### pip_wheel_install为链表变量
- name: Install wheel packages
  shell: cd /tmp/wheels && pip install {{ item }}*
  with_items:
    - "{{ pip_wheel_install | default([]) }}"
  when: pip_wheel_install > 0