2、Ansible配置文件详解

0.配置文件

两个核心文件：ansible.cfg和hosts文件,默认都存放在/etc/ansible目录下。

ansible.cfg：主要设置一些ansible初始化的信息，比如日志存放路径、模块、插件等配置信息

hosts：机器清单，进行分组管理

1.ansible.cfg

# config file for ansible -- http://ansible.com/
# ==============================================

# nearly all parameters can be
overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first

[defaults]   --->通用默认配置

# some basic default
values...

inventory      = /etc/ansible/hosts     这个是默认库文件位置,脚本,或者存放可通信主机的目录
#library        =
/usr/share/my_modules/   Ansible默认搜寻模块的位置
remote_tmp     = $HOME/.ansible/tmp   Ansible 通过远程传输模块到远程主机,然后远程执行,执行后在清理现场.在有些场景下,你也许想使用默认路径希望像更换补丁一样使用
pattern        = *    如果没有提供“hosts”节点,这是playbook要通信的默认主机组.默认值是对所有主机通信
forks          = 5    在与主机通信时的默认并行进程数 ，默认是5d
poll_interval  = 15    当具体的poll interval 没有定义时,多少时间回查一下这些任务的状态, 默认值是5秒
sudo_user      = root   sudo使用的默认用户 ，默认是root
#ask_sudo_pass = True   用来控制Ansible playbook 在执行sudo之前是否询问sudo密码.默认为no
#ask_pass      = True    控制Ansible playbook 是否会自动默认弹出密码
transport      = smart   通信机制.默认 值为’smart’。如果本地系统支持 ControlPersist技术的话,将会使用(基于OpenSSH)‘ssh’,如果不支持讲使用‘paramiko’.其他传输选项包括‘local’, ‘chroot’,’jail’等等
#remote_port    = 22    远程SSH端口。 默认是22
module_lang    = C   模块和系统之间通信的计算机语言，默认是C语言

# plays will gather facts by default,
which contain information about
# the remote system.
#
# smart - gather by default, but don't regather
if already gathered
# implicit - gather by default, turn off
with gather_facts: False
# explicit - do not gather
by default, must say gather_facts: True
gathering = implicit  
控制默认facts收集（远程系统变量）. 默认值为’implicit’, 每一次play,facts都会被收集

# additional paths to search for
roles in, colon separated
#roles_path    = /etc/ansible/roles   roles 路径指的是’roles/’下的额外目录,用于playbook搜索Ansible
roles

# uncomment this
to disable SSH key host checking
#host_key_checking = False    检查主机密钥

# change this for
alternative sudo implementations
sudo_exe = sudo     如果在其他远程主机上使用另一种方式执sudu操作.可以使用该参数进行更换

# what flags to pass to
sudo   传递sudo之外的参数
#sudo_flags = -H

# SSH timeout    SSH超时时间
timeout = 10

# default
user to use for playbooks if
user is not specified
# (/usr/bin/ansible will use current user as default)
#remote_user = root   使用/usr/bin/ansible-playbook链接的默认用户名，如果不指定，会使用当前登录的用户名

# logging is
off by default unless this
path is defined
# if so defined, consider logrotate
#log_path = /var/log/ansible.log     日志文件存放路径

# default
module name for /usr/bin/ansible
#module_name = command     ansible命令执行默认的模块

# use this
shell for commands executed under sudo
# you may need to change this to bin/bash in
rare instances
# if sudo is constrained
#executable = /bin/sh     在sudo环境下产生一个shell交互接口.
用户只在/bin/bash的或者sudo限制的一些场景中需要修改

# if
inventory variables overlap, does the higher precedence one win
# or are hash values merged together? 
The default is 'replace'
but
# this can also be set to 'merge'.
#hash_behaviour = replace    特定的优先级覆盖变量

# list any Jinja2 extensions
to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n      允许开启Jinja2拓展模块

# if set,
always use this private
key file for authentication, same as
# if passing --private-key to
ansible or ansible-playbook
#private_key_file = /path/to/file        
私钥文件存储位置

# format of string
{{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by
{uid} on {host}   这个设置可以告知用户,Ansible修改了一个文件,并且手动写入的内容可能已经被覆盖.

# by default,
ansible-playbook will display "Skipping [host]" if
it determines a task
# should not be run on a host.  Set this
to "False" if
you don't want to see these "Skipping"
# messages. NOTE: the task header will still be shown regardless of whether or
not the
# task is skipped.
#display_skipped_hosts = True     显示任何跳过任务的状态 ，默认是显示

# by default (as
of 1.3), Ansible will raise errors when attempting to
dereference
# Jinja2 variables that are not set in
templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False      如果所引用的变量名称错误的话, 将会导致ansible在执行步骤上失败

# by default (as
of 1.6), Ansible may display warnings based on the configuration
of the
# system running ansible itself. This may include warnings about 3rd party
packages or
# other conditions that should be resolved if
possible.
# to disable these warnings, set the
following value to False:
#system_warnings = True    允许禁用系统运行ansible相关的潜在问题警告

# by default (as
of 1.4), Ansible may display deprecation warnings for
language
# features that should no longer be used and will be removed in
future versions.
# to disable these warnings, set the
following value to False:
#deprecation_warnings = True     允许在ansible-playbook输出结果中禁用“不建议使用”警告

# (as
of 1.8), Ansible can optionally warn when usage of the shell and
# command module appear to be simplified by using a
default Ansible module
# instead.  These warnings can be
silenced by adjusting the following
# setting or adding warn=yes or warn=no to the end of the command line
# parameter string. 
This will for example suggest using
the git module
# instead of shelling out to the git
command.
# command_warnings = False    当shell和命令行模块被默认模块简化的时,Ansible 将默认发出警告

# set
plugin path directories here, separate with colons
action_plugins     = /usr/share/ansible_plugins/action_plugins 
callback_plugins   =
/usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins     =
/usr/share/ansible_plugins/lookup_plugins
vars_plugins       =
/usr/share/ansible_plugins/vars_plugins
filter_plugins     =
/usr/share/ansible_plugins/filter_plugins

# by default
callbacks are not loaded for
/bin/ansible, enable this if
you
# want, for example, a notification or logging
callback to also apply to
# /bin/ansible runs
#bin_ansible_callbacks = False    用来控制callback插件是否在运行 /usr/bin/ansible 的时候被加载. 这个模块将用于命令行的日志系统,发出通知等特性

# don't like
cows?  that's
unfortunate.
# set to 1 if
you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1   
默认ansible可以调用一些cowsay的特性   开启/禁用：0/1

# don't like
colors either?
# set to 1 if
you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1 
输出带上颜色区别， 开启/关闭：0/1

# the CA certificate path used
for validating SSL certs. This path
# should exist on the controlling node, not the target nodes
# common locations:
# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
# Fedora     :
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Ubuntu     :
/usr/share/ca-certificates/cacert.org/cacert.org.crt
#ca_file_path =

# the http user-agent string
to use when fetching urls. Some web server
# operators block the default urllib user
agent as it is
frequently used
# by malicious attacks/scripts, so we set it to
something unique to
# avoid issues.
#http_user_agent = ansible-agent

# if set
to a persistent type (not 'memory', for
example 'redis') fact values
# from previous runs in Ansible will
be stored.  This may be useful when
# wanting to use, for example, IP information from
one group of servers
# without having to talk to them in the same
playbook run to get their
# current IP information.
fact_caching = memory

# retry files
#retry_files_enabled = False
#retry_files_save_path = ~/.ansible-retry

[privilege_escalation]
#become=True
#become_method=sudo
#become_user=root
#become_ask_pass=False

[paramiko_connection]

# uncomment this
line to cause the paramiko connection plugin to not record new
host
# keys encountered.  Increases
performance on new host additions.  Setting works independently of the
# host key checking setting above.
#record_host_keys=False

# by default,
Ansible requests a pseudo-terminal for commands
executed under sudo. Uncomment this
# line to disable this behaviour.
#pty=False

[ssh_connection]

# ssh arguments to use
# Leaving off ControlPersist will result in
poor performance, so use
# paramiko on older platforms rather than removing it
#ssh_args = -o ControlMaster=auto -o ControlPersist=60s

# The path to use for
the ControlPath sockets. This defaults to
# "%(directory)s/ansible-ssh-%%h-%%p-%%r",
however on some systems with
# very long hostnames or very long
path names (caused by long user names
or
# deeply nested home directories) this can exceed
the character limit on
# file socket names (108 characters for
most platforms). In that case, you
# may wish to shorten the string below.
#
# Example:
# control_path = %(directory)s/%%h-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r

# Enabling pipelining reduces
the number of SSH operations required to
# execute a module on the remote server. This can result in a
significant
# performance improvement when enabled, however when using "sudo:"
you must
# first disable 'requiretty' in
/etc/sudoers
#
# By default, this option is
disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default
on many distros).
#
#pipelining = False

# if
True, make ansible use scp if the
connection type is ssh
# (default is sftp)
#scp_if_ssh = True

[accelerate]
accelerate_port = 5099
accelerate_timeout = 30
accelerate_connect_timeout = 5.0

# The daemon timeout is
measured in minutes. This time is
measured
# from the last activity to the accelerate daemon.
accelerate_daemon_timeout = 30

# If set
to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
# have access to the system via SSH to add a new
key. The default
# is "no".
#accelerate_multi_key = yes

[selinux]
# file systems that require special treatment when dealing with security
context
# the default behaviour that copies the existing context
or uses the user default
# needs to be changed to use the file system dependant context.
#special_context_filesystems=nfs,vboxsf,fuse

简易配置：

[defaults]
inventory      = /etc/ansible/hosts
sudo_user=root
remote_port=22
host_key_checking=False
remote_user=root
log_path=/var/log/ansible.log
module_name=command
private_key_file=/root/.ssh/id_rsa
no_log:True

2.hosts

# This is
the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#'
character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by
[header] elements
#   - You can enter hostnames or ip
addresses
#   - A hostname/ip can be a member of
multiple groups

# Ex 1:
Ungrouped hosts, specify before any group headers.

green.example.com
blue.example.com
192.168.100.1
192.168.100.10

# Ex 2:
A collection of hosts belonging to the 'webservers'
group

[webservers]
alpha.example.org
beta.example.org
192.168.1.100
192.168.1.110

# If you have multiple hosts
following a pattern you can specify
# them like this:

www[001:006].example.com

# Ex 3:
A collection of database servers in the 'dbservers'
group

[dbservers]

db01.intranet.mydomain.net
db02.intranet.mydomain.net
10.25.1.56
10.25.1.57

# Here's another
example of host ranges, this time there are no
# leading 0s:

db-[99:101]-node.example.com

ansible通过Inventory来定义主机和组，使用时通过-i指定读取，默认/etc/ansible/hosts。可以存在多个Inventory，支持动态生成。

1、定义主机和组

# vim /etc/ansible/hosts

192.168.12.22    #可以直接为IP地址

nfs.magedu.com    #可以是域名

ntp.magedu.com:2200    #可以:接ssh端口

[webserver]    #[]内为分组名，下面都是该组组员

web[1:10].magedu.com    #[1:10]表示1~10所有数字

db-[a:f].magedu.com    #[a:f]表示a~f所有字母

2、定义主机变量

定义的变量可以在playbook中使用，在playbook中设定的同名变量会优先于此处变量。

other1.example.com    ansible_connection=ssh    ansible_ssh_user=mpdehaan    #选择连接类型和连接用户

other2.example.com    http_port=8800    #定义http_port端口号8800

3、定义组变量

[test]

web1.example.com

web2.example.com

[test:vars]    #组变量，下面定义的变量test组内的所有主机通用

ntp_server=ntp.example.com

proxy=proxy.example.com

4、把一个组作为另一个组的子成员

[apache]

web1.example.com

[nginx]

web2.example.com

[webserver]

other1.example.com

[webserver:children]

apache

nginx

#上例中webserver包括web1.example.com、web2.example.com、other1.example.com

5、其他Inventory参数

ansible_ssh_host

将要连接的远程主机名.与你想要设定的主机的别名不同的话,可通过此变量设置.

ansible_ssh_port

ssh端口号.如果不是默认的端口号,通过此变量设置.

ansible_ssh_user

默认的 ssh 用户名

ansible_ssh_pass

ssh 密码(这种方式并不安全,我们强烈建议使用 --ask-pass 或 SSH 密钥)

ansible_sudo_pass

sudo 密码(这种方式并不安全,我们强烈建议使用 --ask-sudo-pass)

ansible_sudo_exe (new in version 1.8)

sudo 命令路径(适用于1.8及以上版本)

ansible_connection

与主机的连接类型.比如:local, ssh 或者 paramiko. Ansible 1.2 以前默认使用 paramiko.1.2 以后默认使用 'smart','smart' 方式会根据是否支持 ControlPersist, 来判断'ssh' 方式是否可行.

ansible_ssh_private_key_file

ssh 使用的私钥文件.适用于有多个密钥,而你不想使用 SSH 代理的情况.

ansible_shell_type

目标系统的shell类型.默认情况下,命令的执行使用 'sh' 语法,可设置为 'csh' 或 'fish'.

ansible_python_interpreter

目标主机的 python 路径.适用于的情况: 系统中有多个 Python, 或者命令路径不是"/usr/bin/python",比如  \*BSD, 或者 /usr/bin/python

不是 2.X 版本的 Python.我们不使用 "/usr/bin/env" 机制,因为这要求远程用户的路径设置正确,且要求 "python" 可执行程序名不可为 python以外的名字(实际有可能名为python26).

与 ansible_python_interpreter 的工作方式相同,可设定如 ruby 或 perl 的路径....

6、变量读取的四个位置

Inventory配置

Playbook中vars定义的区域

Roles中vars目录下的文件

Roles同级目录group_vars和hosts_vars目录下的文件

#设置变量时尽量沿用同一种方式。

7、ansible正则

(1)全量匹配 all与*功能相同，但*需引起来。

ansible all -m ping

ansible "*" -m ping

(2)逻辑或(or)匹配

多台主机或多个组同时执行

ansible "web1:web2" -m ping

(3)逻辑非(!)匹配

所有在web1组，但不在web2组的主机

web1:!web2

(4)逻辑与(&)匹配

web1和web2中同时存在的主机

web1:&web2

(5)模糊匹配

检查192.168.1.0/24网段所有主机存活状态。

ansible 192.168.1.* -m ping

test开头的所有组

ansible "test*" -m ping

(6)域切割，同python字符串域切割

例：

[webservers]

web1.example.com

web2.example.com

web3.example.com

webservers[0]    #==web1.example.com

webservers[-1]    #==web3.example.com

webservers[0:2]    #第一位到第三位==web1.example.com、web2.example.com、web3.example.com

webservers[1:]    #第二位到最后==web2.example.com、web3.example.com

(7)正则匹配，"~"开始表示正则匹配

ansible "~(web|data|test)\.example\.(com|org)" -m ping