Ansible Automated Operations
Overview
Ansible is an automation tool developed by Red Hat for configuration management, application deployment and task automation. It uses an agentless architecture and executes tasks over SSH.
Core features
- Agentless: no additional software needs to be installed on the managed hosts
- Idempotent: running the same task repeatedly yields the same result
- YAML syntax: easy to read and write
- Modular: a rich library of built-in modules
- Ad-hoc commands: tasks can be run without writing a Playbook
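To make idempotency and the `changed` flag concrete, here is an added Python example (not code from the page and not Ansible's own module code): a minimal lineinfile-style module that reports `changed` the way Ansible modules do, is a no-op when the desired state already holds, and supports a check mode that reports without writing. The target file path and the line are constructed sample data.

```python
"""Added example (not from the page or from Ansible): a minimal lineinfile-style
module showing idempotency, `changed` reporting and check mode.
The file path and the line are constructed sample data."""
import os
import tempfile


def ensure_line(path, line, check_mode=False):
    """Ensure `line` is present in the file at `path`.

    Returns a dict in the shape Ansible modules return: `changed` states whether
    the host was modified (or, in check mode, would have been).
    """
    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read().splitlines()
    if line in existing:
        # Desired state already holds: idempotent no-op.
        return {"changed": False, "msg": "line already present"}
    if check_mode:
        # Report what a real run would do without touching the file.
        return {"changed": True, "msg": "line would be added (check mode)"}
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    return {"changed": True, "msg": "line added"}


def demo():
    """Dry run, first real run, second real run; return the changed flags and
    how many copies of the line ended up in the file."""
    path = os.path.join(tempfile.mkdtemp(), "sshd_config")  # constructed target
    line = "PermitRootLogin no"
    flags = [
        ensure_line(path, line, check_mode=True)["changed"],  # True, file untouched
        ensure_line(path, line)["changed"],                   # True, line written
        ensure_line(path, line)["changed"],                   # False, already present
    ]
    with open(path, encoding="utf-8") as fh:
        count = fh.read().splitlines().count(line)
    return flags, count


if __name__ == "__main__":
    print(demo())  # ([True, True, False], 1)
```

The third call returning `changed: False` is what "idempotent" means in practice, and the check-mode call is the behaviour `ansible-playbook --check` relies on: the module must be able to predict the change without making it.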
Installation and configuration
# Install (Ubuntu)
sudo apt update
sudo apt install ansible
# Verify
ansible --version
# Configuration file hierarchy
/etc/ansible/ansible.cfg # global configuration
~/.ansible.cfg # user configuration
./ansible.cfg # project configuration
Basic configuration
# ansible.cfg
[defaults]
inventory = inventory.ini
host_key_checking = False
remote_user = ubuntu
private_key_file = ~/.ssh/id_rsa
gathering = smart
fact_caching = redis
fact_caching_timeout = 3600
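The `host_key_checking = False` line above turns off SSH host-key verification, which removes the defence against a host impersonating a managed node. Because Ansible loads only the first configuration file it finds (`ANSIBLE_CONFIG`, then `./ansible.cfg`, then `~/.ansible.cfg`, then `/etc/ansible/ansible.cfg`, and it skips a `./ansible.cfg` in a world-writable directory), a hardened user config is silently shadowed by a weak project config. The following added Python example (not from the page or from Ansible) resolves the effective file with that rule and audits it; the temporary directories and both config texts are constructed for the demo.

```python
"""Added example (not from the page or from Ansible): resolve the ansible.cfg
Ansible would load and audit it for weakened SSH transport security.
Search order follows Ansible's documented rule: ANSIBLE_CONFIG, then
./ansible.cfg, then ~/.ansible.cfg, then /etc/ansible/ansible.cfg; the first
file found wins and the files are not merged. Paths and contents are constructed."""
import configparser
import os
import stat
import tempfile

# Constructed: the page's settings (weak) and the same file with host-key checking restored.
WEAK_CFG = """[defaults]
inventory = inventory.ini
host_key_checking = False
remote_user = ubuntu
"""
HARDENED_CFG = """[defaults]
inventory = inventory.ini
host_key_checking = True
remote_user = ubuntu
"""


def candidate_paths(env, cwd, home):
    """Config files in the order Ansible consults them."""
    paths = []
    if env.get("ANSIBLE_CONFIG"):
        paths.append(env["ANSIBLE_CONFIG"])
    # Ansible skips ./ansible.cfg when the working directory is world-writable,
    # so another local user cannot plant a config that the operator would load.
    if not os.stat(cwd).st_mode & stat.S_IWOTH:
        paths.append(os.path.join(cwd, "ansible.cfg"))
    paths.append(os.path.join(home, ".ansible.cfg"))
    paths.append("/etc/ansible/ansible.cfg")
    return paths


def parse_text(text):
    """Parse ansible.cfg text (INI syntax) with the standard library parser."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def effective_config(env, cwd, home):
    """(path, parser) for the first existing candidate, or (None, None)."""
    for path in candidate_paths(env, cwd, home):
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return path, parse_text(fh.read())
    return None, None


def audit(parser):
    """Return findings for settings that weaken SSH transport security."""
    if parser is None:
        return []
    findings = []
    if not parser.getboolean("defaults", "host_key_checking", fallback=True):
        findings.append(
            "host_key_checking = False: SSH host keys are not verified, so a "
            "host impersonating a managed node would receive the connection"
        )
    return findings


def demo():
    """A weak project config shadows a hardened user config."""
    root = tempfile.mkdtemp()
    cwd, home = os.path.join(root, "project"), os.path.join(root, "home")
    os.makedirs(cwd, mode=0o755)
    os.makedirs(home, mode=0o755)
    with open(os.path.join(cwd, "ansible.cfg"), "w", encoding="utf-8") as fh:
        fh.write(WEAK_CFG)
    with open(os.path.join(home, ".ansible.cfg"), "w", encoding="utf-8") as fh:
        fh.write(HARDENED_CFG)
    path, parser = effective_config({}, cwd, home)
    return os.path.basename(path), audit(parser)


if __name__ == "__main__":
    print(demo())
```

Running `ansible --version` prints the config file Ansible actually selected, which is the quickest way to confirm the same resolution on a real control node. If host-key checking must stay on, the `known_hosts` file on the control node has to be pre-populated for new hosts instead of disabling the check.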
Inventory
Static inventory
# inventory.ini
[webservers]
web1 ansible_host=10.0.0.1 ansible_user=admin
web2 ansible_host=10.0.0.2
[databases]
db1 ansible_host=10.0.0.10
db2 ansible_host=10.0.0.11
[production:children]
webservers
databases
# Variables
[all:vars]
ansible_python_interpreter=/usr/bin/python3
ntp_server=pool.ntp.org
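As an added example that is not part of the page, this Python parser reads the INI inventory above (embedded as constructed input), resolves `[production:children]` to its member hosts, and builds the effective variables for one host, with the host's inline variables overriding `[all:vars]`. It covers the three section kinds the page uses (plain groups, `:children`, `:vars`) and is not Ansible's own inventory plugin.

```python
"""Added example (not from the page or from Ansible): a small parser for the INI
inventory format, resolving [group:children] membership and [group:vars] /
inline host variables. The inventory text is the page's sample, embedded as
constructed input."""
import re
import shlex

INVENTORY = """\
# inventory.ini
[webservers]
web1 ansible_host=10.0.0.1 ansible_user=admin
web2 ansible_host=10.0.0.2
[databases]
db1 ansible_host=10.0.0.10
db2 ansible_host=10.0.0.11
[production:children]
webservers
databases
# Variables
[all:vars]
ansible_python_interpreter=/usr/bin/python3
ntp_server=pool.ntp.org
"""

SECTION = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def _new_group():
    return {"hosts": set(), "children": set(), "vars": {}}


def parse_inventory(text):
    """Return (hosts, groups): hosts maps name -> inline vars, groups maps
    name -> {"hosts", "children", "vars"}."""
    hosts, groups = {}, {}
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            section, kind = m.group(1), m.group(2) or "hosts"
            groups.setdefault(section, _new_group())
            continue
        group = groups.setdefault(section, _new_group())
        if kind == "children":
            group["children"].add(line)
        elif kind == "vars":
            key, value = line.split("=", 1)
            group["vars"][key.strip()] = value.strip()
        else:
            name, *pairs = shlex.split(line)  # host name, then key=value pairs
            hosts.setdefault(name, {})
            group["hosts"].add(name)
            for pair in pairs:
                key, value = pair.split("=", 1)
                hosts[name][key] = value
    return hosts, groups


def members(groups, name, seen=None):
    """All hosts in a group, following :children recursively (cycle-safe)."""
    seen = seen if seen is not None else set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    result = set(groups[name]["hosts"])
    for child in groups[name]["children"]:
        result |= members(groups, child, seen)
    return result


def host_vars(hosts, groups, name):
    """Effective variables for a host: all:vars, then the vars of every group
    containing it, then its own inline vars (host level wins over group level)."""
    merged = dict(groups.get("all", _new_group())["vars"])
    for gname, group in groups.items():
        if gname != "all" and name in members(groups, gname):
            merged.update(group["vars"])
    merged.update(hosts[name])
    return merged


if __name__ == "__main__":
    h, g = parse_inventory(INVENTORY)
    print(sorted(members(g, "production")))
    print(host_vars(h, g, "web1"))
```

`ansible-inventory --list` and `ansible-inventory --host web1` show the same resolution from Ansible itself, and are the reference to compare a parser like this against.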
Dynamic inventory
# inventory.yml
all:
  children:
    webservers:
      hosts:
        web1:
          ansible_host: 10.0.0.1
        web2:
          ansible_host: 10.0.0.2
    databases:
      hosts:
        db1:
          ansible_host: 10.0.0.10
    production:
      children:
        webservers:
        databases:
Ad-hoc commands
# Ping test
ansible all -m ping
# Run a command
ansible webservers -m command -a "uptime"
# Copy a file
ansible all -m copy -a "src=/etc/hosts dest=/tmp/hosts"
# Install a package
ansible webservers -m apt -a "name=nginx state=present" -b
# Manage a service
ansible webservers -m systemd -a "name=nginx state=restarted" -b
# Gather facts
ansible all -m setup -a "filter=ansible_os_family"
Playbook
Basic structure
---
- name: 配置 Web 服务器
  hosts: webservers
  become: yes
  vars:
    http_port: 80
    max_clients: 200
  tasks:
    - name: 安装 Nginx
      apt:
        name: nginx
        state: present
      notify: Restart Nginx
    - name: 配置 Nginx
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
      notify: Restart Nginx
    - name: 启动 Nginx
      systemd:
        name: nginx
        state: started
        enabled: yes
  handlers:
    - name: Restart Nginx
      systemd:
        name: nginx
        state: restarted
Using variables
---
- name: 部署应用
  hosts: all
  vars_files:
    - vars/common.yml
    - "vars/{{ env }}.yml"
  tasks:
    - name: 创建应用目录
      file:
        path: "{{ app_dir }}"
        state: directory
        owner: "{{ app_user }}"
        mode: '0755'
    - name: 渲染配置模板
      template:
        src: app.conf.j2
        dest: "{{ app_dir }}/app.conf"
    - name: 部署应用容器
      docker_container:
        name: myapp
        image: "myapp:{{ version }}"
        ports:
          - "{{ app_port }}:8080"
        env:
          DB_HOST: "{{ db_host }}"
Conditionals and loops
---
tasks:
  # Conditional execution
  - name: 仅在 Debian 上执行
    apt:
      name: htop
    when: ansible_os_family == "Debian"
  - name: 仅在生产环境重启
    systemd:
      name: nginx
      state: restarted
    when: env == "production"
  # Loops
  - name: 安装多个包
    apt:
      name: "{{ item }}"
      state: present
    loop:
      - git
      - curl
      - vim
      - htop
  - name: 创建多个用户
    user:
      name: "{{ item.username }}"
      groups: "{{ item.groups }}"
    loop:
      - { username: alice, groups: "developers" }
      - { username: bob, groups: "ops" }
Roles
Directory structure
roles/
└── nginx/
    ├── defaults/      # default variables
    │   └── main.yml
    ├── vars/          # higher-priority variables
    │   └── main.yml
    ├── tasks/         # main tasks
    │   └── main.yml
    ├── handlers/      # handlers
    │   └── main.yml
    ├── templates/     # Jinja2 templates
    │   └── nginx.conf.j2
    ├── files/         # static files
    │   └── index.html
    └── meta/          # dependency information
        └── main.yml
Using a role
---
- name: 配置 Web 服务器
  hosts: webservers
  roles:
    - common
    - role: nginx
      vars:
        nginx_port: 8080
    - role: docker
      when: use_docker
Best practices
1. Directory structure
project/
├── ansible.cfg
├── inventory/
│   ├── production
│   └── staging
├── group_vars/
│   ├── all.yml
│   ├── webservers.yml
│   └── databases.yml
├── host_vars/
│   ├── web1.yml
│   └── db1.yml
├── roles/
├── playbooks/
│   ├── site.yml
│   ├── deploy.yml
│   └── security.yml
└── collections/
    └── requirements.yml
2. Variable precedence
Role defaults < group vars < host vars < Playbook vars < extra vars (-e)
3. Security practices
- Encrypt sensitive data with Ansible Vault
- Avoid hard-coding passwords in Playbooks
- Use no_log: true to protect sensitive output
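An added Python check (not ansible-lint and not from the page) that applies the second and third practices above to a constructed playbook: it flags task arguments whose key looks secret-bearing but whose value is neither a Jinja reference nor a `!vault` value, and tasks that pass such a key without `no_log: true`. The key-name list and the sample playbook are constructed; it is a line-oriented heuristic rather than a YAML-aware linter, so it complements rather than replaces a real pre-commit check.

```python
"""Added example (not from the page, not ansible-lint): a line-oriented check
for plaintext secrets in task arguments and for secret-handling tasks that
lack no_log: true. The playbook below is constructed sample input."""
import re

PLAYBOOK = """\
- name: Deploy app
  hosts: webservers
  tasks:
    - name: Create database user (bad)
      mysql_user:
        name: app
        password: Sup3rS3cret!
    - name: Create database user (good)
      mysql_user:
        name: app
        password: "{{ vault_db_password }}"
      no_log: true
    - name: Fetch API token (missing no_log)
      uri:
        url: https://api.example.invalid/token
        headers:
          Authorization: "Bearer {{ api_token }}"
"""

# Keys whose values are usually credentials (constructed list, extend as needed).
SENSITIVE_KEY = re.compile(
    r"^\s*(\w*(password|passwd|secret|token|api_key)\w*|Authorization)\s*:\s*(.*)$",
    re.IGNORECASE,
)
TASK_START = re.compile(r"^(\s*)- name:\s*(.*)$")
NO_LOG = re.compile(r"^\s*no_log:\s*(true|yes)\s*$", re.IGNORECASE)


def split_tasks(text):
    """Group lines into entries keyed by their '- name:' line (plays and tasks)."""
    entries, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TASK_START.match(line)
        if m:
            current = {"name": m.group(2), "lineno": lineno, "lines": []}
            entries.append(current)
        elif current is not None:
            current["lines"].append((lineno, line))
    return entries


def is_plaintext(value):
    """A value referencing a Jinja variable or stored as !vault is not plaintext."""
    v = value.strip().strip("\"'")
    return bool(v) and "{{" not in v and not v.startswith("!vault")


def lint(text):
    """Return (line, entry name, message) findings for the playbook text."""
    findings = []
    for entry in split_tasks(text):
        body = [line for _, line in entry["lines"]]
        is_play = any(re.match(r"^\s*hosts:", line) for line in body)
        has_no_log = any(NO_LOG.match(line) for line in body)
        sensitive = False
        for lineno, line in entry["lines"]:
            m = SENSITIVE_KEY.match(line)
            if not m:
                continue
            sensitive = True
            if is_plaintext(m.group(3)):
                findings.append((lineno, entry["name"],
                                 "plaintext secret in '%s'" % m.group(1).strip()))
        # no_log applies to tasks; a play with secret-like keys is still reported above.
        if sensitive and not is_play and not has_no_log:
            findings.append((entry["lineno"], entry["name"],
                             "handles a secret without no_log: true"))
    return findings


if __name__ == "__main__":
    for finding in lint(PLAYBOOK):
        print("line %d, %s: %s" % finding)
```

The `Authorization` header case shows why `no_log` matters even when the value itself comes from Vault: without it, the rendered header (with the real token) appears in `-vvv` output and in any log aggregation the run feeds into.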
4. Testing and validation
# Syntax check
ansible-playbook site.yml --syntax-check
# Dry run
ansible-playbook site.yml --check
# Verbose output
ansible-playbook site.yml -vvv
# Run only selected tags
ansible-playbook site.yml --tags "nginx,config"
Summary
Ansible's simplicity and agentless architecture make it an ideal choice for automated operations. Start quickly with ad-hoc commands, move on to Playbooks for complex orchestration, then use Roles for code reuse, and build up a complete automation system step by step.