First Time Using Ansible

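I found that I needed to deploy the setup from "Send an email alert when VPS disk space runs low" to three VPSes. To avoid repeating the work, Ansible can automate the manual steps and deploy to all the VPSes at once.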

1 Installation

On a Mac, install with MacPorts

sudo port -v install ansible

Ansible is a Python program and can also be installed from Pip. But I don't know Python, so MacPorts is more convenient.

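2 Setting up remote hosts

Ansible manages remote hosts over SSH. Before using it, you need to upload your local SSH public key to the VPS; this is usually the first thing to do after getting a VPS.

Then add the remote hosts to be managed to the Inventory file. In /opt/local/etc/ansible/hosts (the system configuration Ansible uses when installed from MacPorts), write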

[vps]
xuchunyang.me          ansible_user=root
elpa.emacs-china.org   ansible_user=root

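With a non-root account, anything that needs root privileges has to go through sudo, but I have not set up passwordless sudo, and typing the password every time is a bit annoying. So I decided to use the root account directly for now. I don't know what the recommended practice is.

The Ansible documentation (Introduction To Ad-Hoc Commands — Ansible Documentation) contains the following Note, which I don't understand.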

Rarely, some users have security rules where they constrain their sudo/pbrun/doas environment to running specific command paths only. This does not work with ansible’s no-bootstrapping philosophy and hundreds of different modules. If doing this, use Ansible from a special account that does not have this constraint. One way of doing this without sharing access to unauthorized users would be gating Ansible with Ansible Tower, which can hold on to an SSH credential and let members of certain organizations use it on their behalf without having direct access.

After that, you can test it

ansible vps -a uptime
elpa.emacs-china.org | SUCCESS | rc=0 >>
 13:33:08 up 55 days, 13:08,  2 users,  load average: 0.00, 0.02, 0.02
xuchunyang.me | SUCCESS | rc=0 >>
 01:33:09 up 23:27,  2 users,  load average: 0.07, 0.02, 0.00

3 Ad-Hoc Commands & Modules

With Ansible you can run a command on all the VPSes at once

ansible vps -a hostname
elpa.emacs-china.org | SUCCESS | rc=0 >>
AY1309092152572985dfZ
xuchunyang.me | SUCCESS | rc=0 >>
FY-20170214153402

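Ansible wraps many common operations, such as managing packages, users, and services; these are called Modules. The default Module is command, which does not support more complex shell syntax such as pipes and redirection; for those, use the shell Module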

ansible vps -m shell -a 'ps x | grep nginx'
xuchunyang.me | SUCCESS | rc=0 >>
 1139 ?        Ss     0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
18553 pts/0    S+     0:00 /bin/sh -c ps x | grep nginx
18555 pts/0    S+     0:00 grep nginx
elpa.emacs-china.org | SUCCESS | rc=0 >>
26883 ?        Ss     0:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
30353 pts/0    S+     0:00 /bin/sh -c ps x | grep nginx
30355 pts/0    S+     0:00 grep nginx

Use ansible-doc(1) to view a Module's documentation locally, for example

ansible-doc command

The ansible-doc.el package for Emacs provides syntax highlighting and supports hyperlinks, which is much nicer and more convenient than the command line

M-x ansible-doc command

Install GNU Hello on all the VPSes

ansible vps -m apt -a name=hello

4 Playbooks

Here is a simple Playbook: if GNU Hello is not installed yet, install it with Apt

---
- hosts: vps
  remote_user: root
  tasks:
  - name: Ensure GNU Hello is installed
    apt: name=hello state=present

Run this Playbook

ansible-playbook hello.yaml
 ____________ 
< PLAY [vps] >
 ------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

 ______________ 
< TASK [setup] >
 -------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ______________________________________ 
< TASK [Ensure GNU Hello is installed] >
 -------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ____________ 
< PLAY RECAP >
 ------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

elpa.emacs-china.org       : ok=2    changed=0    unreachable=0    failed=0   
xuchunyang.me              : ok=2    changed=0    unreachable=0    failed=0

5 My task

"Send an email alert when VPS disk space runs low" can be split into two steps

  1. Install and configure heirloom-mailx
  2. Add a Cron job

The complete Playbook (saved in main.yaml)

---
- hosts: vps
  remote_user: root
  tasks:
  - name: install heirloom-mailx
    apt: name=heirloom-mailx state=present
  - name: write the heirloom-mailx config file (Ubuntu 14.04)
    copy: src=nail.rc dest=/etc/nail.rc
  - name: write the s-nail config (Ubuntu 16.04
    copy: src=nail.rc dest=/etc/s-nail.rc
  - name: setup cron
    cron:
      name: "check disk space usage"
      minute: "0"
      hour: "1"
      # crontab treats an unescaped '%' as the end of the command, so it must
      # reach the crontab as '\%' (written '\\%' in a YAML double-quoted string)
      job: "[ $( df -hP --total | tail -1 | awk '{ print $5 }' | cut -d'\\%' -f1) -ge 85 ] && df -h | heirloom-mailx -v -s 'Warnning: Disk is nearly full' mail@xuchunyang.me"

The heirloom-mailx/s-nail configuration is saved in nail.rc

set smtp=smtp.exmail.qq.com:587       \
    smtp-use-starttls                 \
    smtp-auth=login                   \
    smtp-auth-user=mail@xuchunyang.me \
    smtp-auth-password="PASSWORD"     \
    ssl-verify=ignore

set from=mail@xuchunyang.me

Run this Playbook

ansible-playbook main.yaml
 ____________ 
< PLAY [vps] >
 ------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

 ______________ 
< TASK [setup] >
 -------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 _______________________________ 
< TASK [install heirloom-mailx] >
 ------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ____________________________________________________________ 
< TASK [write the heirloom-mailx config file (Ubuntu 14.04)] >
 ------------------------------------------------------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ______________________________________________ 
< TASK [write the s-nail config (Ubuntu 16.04] >
 ---------------------------------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ___________________ 
< TASK [setup cron] >
 ------------------- 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

ok: [elpa.emacs-china.org]
ok: [xuchunyang.me]
 ____________ 
< PLAY RECAP >
 ------------ 
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

elpa.emacs-china.org       : ok=5    changed=0    unreachable=0    failed=0   
xuchunyang.me              : ok=5    changed=0    unreachable=0    failed=0
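
The playbook above logs in as root, keeps the SMTP password in clear text in nail.rc, and sets ssl-verify=ignore, which turns off certificate checking for the STARTTLS session. The following is an added example, not the author's playbook, of the same config task with an unprivileged login plus become, a vaulted password, a root-only file mode, and certificate verification switched on. The deploy account, secrets.yml, smtp_password and hardened.yaml are hypothetical names, and ssl-ca-dir=/etc/ssl/certs assumes the Debian/Ubuntu trust store location.

```yaml
# Added example (not the author's playbook). Hypothetical names: the "deploy"
# account, secrets.yml, the smtp_password variable, hardened.yaml.
# Create the secret once:   ansible-vault create secrets.yml
#   (contents of the encrypted file)   smtp_password: "..."
# Run: ansible-playbook hardened.yaml --ask-become-pass --ask-vault-pass
---
- hosts: vps
  remote_user: deploy        # unprivileged SSH login instead of root
  become: true               # escalate through sudo only for the tasks
  vars_files:
    - secrets.yml            # stays encrypted at rest and in version control
  tasks:
    - name: install heirloom-mailx
      apt:
        name: heirloom-mailx
        state: present

    - name: write the mailx config without exposing the SMTP password
      copy:
        dest: "{{ item }}"
        owner: root
        group: root
        mode: "0600"         # the cron job runs as root; no other user can read it
        content: |
          set smtp=smtp.exmail.qq.com:587 \
              smtp-use-starttls \
              smtp-auth=login \
              smtp-auth-user=mail@xuchunyang.me \
              smtp-auth-password="{{ smtp_password }}" \
              ssl-verify=strict \
              ssl-ca-dir=/etc/ssl/certs
          set from=mail@xuchunyang.me
      with_items:
        - /etc/nail.rc       # Ubuntu 14.04
        - /etc/s-nail.rc     # Ubuntu 16.04
      no_log: true           # keep the rendered secret out of task output and logs
```

With ssl-verify=strict the mail is not sent when the server certificate fails validation, so test one delivery by hand after the first run.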

6 Reference links

Created: 2017-03-13 | Modified: 2017-03-17

Author: Chunyang Xu <mail@xuchunyang.me>
