An introduction to Ansible playbooks

Environment

  • CentOS 7
  • ansible 2.9.27

Playbook syntax example

Ansible playbooks are written in YAML.

---
- hosts: webservers
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root
  tasks:
  - name: ensure apache is at the latest version
    yum: pkg=httpd state=latest
  - name: write the apache config file
    template: src=/srv/httpd.j2 dest=/etc/httpd.conf
    notify:
    - restart apache
  - name: ensure apache is running
    service: name=httpd state=started
  handlers:
    - name: restart apache
      service: name=httpd state=restarted

A playbook consists of one or more plays: the file is a YAML list whose elements are plays. The example above contains a single play, and YAML indentation is significant, so the vars, tasks and handlers keys must be indented under the play and each task's arguments under its name.

Playbook basics

Modules

Each task in a playbook runs one module. A module is configured in a task as module: options, where the options are the module's arguments, written either as a key=value string (as below) or as a YAML dictionary.

- hosts: webservers
  tasks:
  - name: test connection
    ping:
  - name: make sure apache is running
    service: name=httpd state=started
  - name: disable selinux
    shell: setenforce 0

Two notes on this play. The service module accepts only the states started, stopped, restarted and reloaded; running is not a valid value and a task using it fails before doing anything. The last task, shell: setenforce 0, switches SELinux to permissive mode only until the next reboot, reports changed on every run because the shell module cannot tell whether anything changed, and weakens the host's mandatory access control. Prefer the selinux module, which is idempotent and persistent, and keep enforcing mode where the httpd policy allows it.
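The same play written with dictionary-style module arguments, as an added example that is not from the original page. It replaces the shell: setenforce 0 task with the selinux module, which changes the live mode and also records it in /etc/selinux/config so it survives a reboot, and then verifies the live mode with a read-only command. The group name webservers is a placeholder, and the selinux module needs the libselinux-python package on the target (CentOS 7).

```yaml
# Added example, not part of the original page. Assumes CentOS 7 with
# libselinux-python installed; "webservers" is a placeholder group name.
---
- hosts: webservers
  become: yes
  tasks:
    - name: test connection
      ping:

    # Dictionary form of service: name=httpd state=started, plus enabled so
    # the unit also starts at boot.
    - name: make sure apache is running
      service:
        name: httpd
        state: started
        enabled: yes

    # Equivalent of "setenforce 0", but idempotent and persistent: the module
    # only reports changed when the mode or policy actually differs, and it
    # writes /etc/selinux/config as well as setting the live mode.
    # Permissive still logs denials; move to enforcing once the httpd
    # policy booleans are tuned.
    - name: put SELinux in permissive mode, persistently
      selinux:
        policy: targeted
        state: permissive

    # Read-only check of the live mode. changed_when: false keeps a plain
    # command from showing up as a change on every run.
    - name: read the live SELinux mode
      command: getenforce
      register: selinux_mode
      changed_when: false

    - name: fail if the live mode does not match what was configured
      assert:
        that:
          - selinux_mode.stdout == 'Permissive'
        fail_msg: "getenforce returned {{ selinux_mode.stdout }}"
```

Run it twice: the second run should report no changes, which is the quick test that every task in a play is idempotent.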

Commonly used Ansible playbook modules

iptables

Official documentation for the Ansible iptables module

  • The iptables module configures the Linux iptables firewall [1].
  • The module changes only the rules currently active in the kernel (the running ruleset); it does not write them to the iptables service's configuration file, so they are lost at reboot. In this respect it behaves exactly like the iptables command. To persist the rules, save them afterwards; on CentOS 7 with the iptables-services package that means writing the output of iptables-save to /etc/sysconfig/iptables, which the iptables service loads at boot.
  • CentOS 7 ships firewalld by default. firewalld and iptables-services manage the same kernel tables and are not meant to be used together, so stop and disable firewalld before managing rules with this module.

iptables module parameter reference [1]

Parameter (type; default) and description:

  • action: whether the rule is appended to the end of the chain (append, the default) or inserted at the front (insert). If an identical rule already exists, nothing is changed.
  • chain: the chain to operate on. Either a user-defined chain or one of the built-in chains INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING, SECMARK or CONNSECMARK.
  • table: the packet matching table the command should operate on.
  • chain_management (boolean; default false): if true and state is present, the chain is created if needed. If true and state is absent, the chain is deleted when the only other parameters passed are chain and optionally table.
  • comment: a comment attached to the rule.
  • ctstate (list of strings; default []): the connection states to match in the conntrack module. Possible values are INVALID, NEW, ESTABLISHED, RELATED, UNTRACKED, SNAT, DNAT.
  • source: source specification.
  • destination (string): destination specification. The address can be a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames are resolved once only, before the rule is submitted to the kernel; specifying any name that must be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number giving the number of 1 bits at the left of the mask, so a mask of 24 is equivalent to 255.255.255.0. A ! before the address specification inverts the sense of the address.
  • destination_port (string): destination port or port range specification.
  • destination_ports (list of strings): multiple destination port numbers or port ranges, matched with the multiport module.
  • dst_range (string): the destination IP range to match in the iprange module.
  • source_port: source port or port range specification.
  • flush (boolean; default false): flushes the specified table and chain of all rules. If no chain is specified, the entire table is purged.
  • jump: the target of the rule.
  • protocol: the protocol of the rule or of the packet to check. One of tcp, udp, udplite, icmp, ipv6-icmp or icmpv6, esp, ah, sctp, or the special keyword all.
  • rule_num: insert the rule as the given rule number. Only works with action=insert.
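A play that puts the parameters above together, as an added example that is not from the original page or the Ansible documentation. It builds a default-deny INPUT chain in an order that never locks out the controller (established traffic and management SSH are accepted before the policy is switched to DROP), removes a stale rule with state: absent, and persists the running ruleset with a handler so the save happens only when a rule actually changed. It assumes CentOS 7 with the iptables-services package and firewalld disabled; the group name webservers, the management subnet 10.0.0.0/24 and the stale port 8080 are placeholders. destination_ports is not available in the 2.9 module, so the web ports are handled with a loop.

```yaml
# Added example, not part of the original page. Assumes CentOS 7 with
# iptables-services installed and firewalld disabled. "webservers",
# 10.0.0.0/24 and port 8080 are placeholders.
---
- hosts: webservers
  become: yes
  vars:
    mgmt_net: 10.0.0.0/24
    web_ports:
      - 80
      - 443
  tasks:
    # Rule 1: keep replies to existing connections flowing. action: insert
    # with rule_num: 1 guarantees it is evaluated before the DROP policy.
    # The module checks whether the rule exists first, so re-runs do not
    # insert duplicates.
    - name: Accept established and related traffic
      iptables:
        chain: INPUT
        ctstate:
          - ESTABLISHED
          - RELATED
        jump: ACCEPT
        action: insert
        rule_num: 1
        comment: ansible-managed established
      notify: save iptables

    - name: Accept loopback
      iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        comment: ansible-managed loopback
      notify: save iptables

    # SSH only from the management network. This task runs before the policy
    # change below, so the play cannot cut off its own connection.
    - name: Accept SSH from the management network only
      iptables:
        chain: INPUT
        protocol: tcp
        source: "{{ mgmt_net }}"
        destination_port: 22
        ctstate: [NEW]
        jump: ACCEPT
        comment: ansible-managed ssh
      notify: save iptables

    # One rule per port, since multiport (destination_ports) is not in the
    # 2.9 module.
    - name: Accept web traffic
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        ctstate: [NEW]
        jump: ACCEPT
        comment: ansible-managed web
      loop: "{{ web_ports }}"
      notify: save iptables

    # state: absent deletes the rule if present and is a no-op otherwise.
    - name: Remove a stale rule if it is still present
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: 8080
        jump: ACCEPT
        state: absent
      notify: save iptables

    # Default deny last, after every ACCEPT rule is in place.
    - name: Set INPUT policy to DROP
      iptables:
        chain: INPUT
        policy: DROP
      notify: save iptables

  handlers:
    # The iptables module only changes the running ruleset; write it to the
    # file that iptables-services loads at boot. Runs once per play, and only
    # if at least one rule task reported a change.
    - name: save iptables
      shell: iptables-save > /etc/sysconfig/iptables
```

If the management subnet is wrong, the SSH task still succeeds and the DROP policy then locks you out, so test a change like this first with --check against one host and keep a console or out-of-band session open the first time it runs for real.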

lineinfile

lineinfile is used for the following:

  • Ensuring that a particular line is present in a file, replacing an existing line if one matches
  • Changing a particular line in a file

It manages a single line; to change every matching line in a file use the replace module, and for a multi-line block use blockinfile.

Commonly used parameters:

Parameter (type; aliases; default) and description:

  • state: whether the line should be present (the default) or absent.
  • path (aliases: dest, destfile, name; required): the file to modify.
  • regexp: a regular expression searched for in every line of the file. With state=present, the last matching line is replaced by line; with state=absent, all matching lines are removed.
  • line (alias: value): the line to insert, or to replace the matched line with. Required when state=present. With backrefs=true it may reference groups captured by regexp as \g<1>, \g<2> and so on.
  • backrefs (boolean; default false): enables the back-references above and changes the no-match behaviour: when regexp matches nothing, the file is left unchanged instead of line being appended.
  • backup (boolean; default false): whether to create a timestamped backup copy of the file before modifying it.

Example: changing an IP address in a firewall rule

- name: Modify iptables rule in /etc/sysconfig/iptables
  hosts: nginx_1
  become: yes
  tasks:
    - name: Replace the IP address in iptables rule
      lineinfile:
        path: /etc/sysconfig/iptables
        regexp: '(.*)\b18\.32\.100\.90\b(.*)'
        line: '\g<1>180.232.100.99\g<2>'
        state: present
        backup: yes
        backrefs: true

Things to keep in mind with this task. The \b anchors stop the pattern from matching inside a longer address such as 118.32.100.90, and the dots are escaped so they match only a literal dot. Because backrefs is true, a regexp that matches no line leaves the file untouched and the task reports ok rather than failing, so a mistyped address goes unnoticed unless you check the file afterwards. lineinfile replaces only the last line that matches; if the address appears in several rules, use the replace module. Finally, this edits only the saved ruleset: the running firewall is unaffected until the iptables service reloads the file, and a syntax error in the file would leave the host with no rules at the next boot.
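The same address swap, hardened, as an added example that is not from the original page. It escapes the address with the regex_escape filter, validates the candidate file with iptables-restore --test before it replaces the real one, checks afterwards that the new address is present and the old one gone (which also catches the last-match-only behaviour of lineinfile), and applies the file atomically with a handler. It assumes CentOS 7 with iptables-services; the host group nginx_1 and both addresses are placeholders.

```yaml
# Added example, not part of the original page. Assumes CentOS 7 with
# iptables-services; "nginx_1", old_ip and new_ip are placeholders.
---
- name: Swap an address in /etc/sysconfig/iptables and apply it
  hosts: nginx_1
  become: yes
  vars:
    old_ip: 18.32.100.90
    new_ip: 180.232.100.99
  tasks:
    # regex_escape turns the dots into literal dots; \b on both sides keeps
    # "118.32.100.90" or "18.32.100.901" from matching. With backrefs: yes a
    # non-matching regexp silently leaves the file alone, which the checks
    # below turn into a loud failure.
    - name: Replace the address in the saved ruleset
      lineinfile:
        path: /etc/sysconfig/iptables
        regexp: '^(.*)\b{{ old_ip | regex_escape }}\b(.*)$'
        line: '\g<1>{{ new_ip }}\g<2>'
        backrefs: yes
        backup: yes
        # lineinfile writes to a temp file and runs this on it first; a file
        # iptables-restore cannot parse never replaces the real one.
        validate: 'iptables-restore --test %s'
      notify: reload iptables

    # grep -w treats the dots as word separators, so the whole address must
    # match. A non-zero exit fails the play; changed_when: false keeps the
    # check from being reported as a change.
    - name: Confirm the new address is present
      command: grep -Fw -- '{{ new_ip }}' /etc/sysconfig/iptables
      changed_when: false

    # Inverted check: grep exits 0 if the old address is still in the file,
    # which happens when it appeared in more than one rule (lineinfile only
    # replaces the last match) or when the edit did not happen at all.
    - name: Confirm the old address is gone
      command: grep -Fw -- '{{ old_ip }}' /etc/sysconfig/iptables
      register: old_ip_hits
      changed_when: false
      failed_when: old_ip_hits.rc == 0

  handlers:
    # iptables-restore swaps each table in atomically, so unlike a service
    # restart there is no window with an empty ruleset.
    - name: reload iptables
      shell: iptables-restore < /etc/sysconfig/iptables
```

The backup: yes copy is what you restore from if the reload turns out to be wrong; note where lineinfile reports it (the backup_file return value) before the next run creates another.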

References

Ansible official documentation
Ansible中文权威指南 (Ansible Chinese authoritative guide)

Footnotes