Differences

This shows you the differences between two versions of the page.

--- сервис_ansible [2022/09/22 10:52]
val [Использование модулей]
+++ сервис_ansible [2025/09/21 05:59] (current)
val [ansible-vault]
@@ Line 1: / Line 1: @@
 ====== Сервис Ansible ======
+  * [[https://www.goncharov.xyz/it/make-cm-not-bash-ru.html|Вот рассмотрим банальный пример. выбрать все файлы в текущей директории и скопировать в другое место]]
+  * Управление инфраструктурой на примере [[https://ru.wikipedia.org/wiki/Ansible|Аnsible - wikipedia]]
   * [[https://habrahabr.ru/company/express42/blog/254959/|Ansible — давайте попробуем]]
-  * [[https://habrahabr.ru/post/195048/|Ansible]]
   * [[https://habrahabr.ru/post/305400/|Пособие по Ansible]]
+  * [[https://habr.com/ru/post/508762/|Основы Ansible, без которых ваши плейбуки — комок слипшихся макарон]]
   * [[https://www.cisco.com/c/dam/m/ru_ru/training-events/2019/cisco-connect/pdf/introduction_automation_with_ansible_idrey.pdf|Введение в автоматизацию с помощью Ansible (Cisco)]]
   * [[https://nwmichl.net/2020/02/24/first-simple-ansible-playbooks/|First simple Ansible playbooks Cisco IOS]]
+  * [[https://r4ven.me/it-razdel/instrukcii/ansible-cmdb-strukturizacziya-i-vizualizacziya-ansible-facts/|ansible-cmdb — программа на Python, которая структуризирует собранные Ansible facts и визуализирует их с помощью HTML с красивым форматированием]]
@@ Line 28: / Line 34: @@
 debian11/ubuntu20# apt install python python3-apt
+debian12# apt install python3 python3-apt
 </code>
@@ Line 36: / Line 44: @@
 <code>
-debian11# mkdir /etc/ansible/
+deb11_12_ub24# mkdir /etc/ansible/
 node1# cat /etc/ansible/hosts
@@ Line 56: / Line 64: @@
 [sws]
-switch[1:3] ansible_ssh_user=root ansible_ssh_pass=cisco
+switch[1:3] ansible_ssh_user=root ansible_ssh_pass=cisco ansible_network_os=ios
 [nodes]
@@ Line 66: / Line 74: @@
 ansible_ssh_user=vagrant
 ansible_ssh_pass=strongpassword
+#ansible_sudo_pass=strongpassword
 ansible_become=yes
 </code>
@@ Line 77: / Line 86: @@
 </code><code>
 [defaults]
-...
+#...
 host_key_checking = False
-...
+#...
 </code>
@@ Line 101: / Line 110: @@
 node1# ansible all -m ping
 node1# ansible all -m ping -i inv_file.ini
-node1# ansible all -m ping -i node2:2222, -e "ansible_python_interpreter=/usr/bin/python3"
+node1# ansible all -m ping -i node2:2222,
 node1# ansible corpX -m command -a 'uname -a'
-node1# ansible corpX -a 'uname -a'
+(venv1) server# ansible all -a 'sed -i"" -e "/swap/s/^/#/" /etc/fstab' -i /root/kubespray/inventory/mycluster/hosts.yaml #--limit=kube4,kube5
+(venv1) server# ansible all -a 'swapoff -a' -i /root/kubespray/inventory/mycluster/hosts.yaml #--limit=kube4
 node1# ansible corpX -f 2 -m apt -a 'pkg=apache2 state=present update_cache=true'
-node1# ansible addnodes -vv -f 5 -m apt -a 'pkg=ceph,tgt-rbd state=present update_cache=true'
+node1# ansible addnodes -vv -f 5 -m apt -a 'pkg=ceph,tgt-rbd state=present update_cache=true' #-e 'https_proxy=http://radio.specialist.ru:3128/' -e 'http_proxy=http://radio.specialist.ru:3128/'
 server# ansible nodes -f 3 -m apt -a 'pkg=openvpn state=present update_cache=true'
-server# ansible nodes -f 3 -m apt -a 'pkg=docker.io state=absent update_cache=true'
+server# ansible nodes -f 3 -m apt -a 'pkg=docker.io state=present update_cache=true'
-ubuntu20# apt install python3-paramiko
+ubu20_24_deb12# apt install python3-paramiko
 server# ansible sws -m ios_command -a "commands='show cdp nei'" -c local
-server# ansible sws -m ios_command -a "commands='show cdp nei'" -c network_cli -e "ansible_network_os=ios"
+ubuntu24# ansible sws -m ios_command -a "commands='show cdp nei'" -c network_cli #-e "ansible_network_os=ios"
 </code>
@@ Line 133: / Line 143: @@
 <code>
-# cat provision_docker.yml
+server# cat provision_docker.yml
+  или
+λ touch provision_docker.yml
   или
-λ npp provision_docker.yml &
+student@node1:~$ cat /vagrant/provision_docker.yml
 </code><code>
 - hosts: "{{ variable_host | default('all') }}"
@@ Line 160: / Line 174: @@
     - name: Add Docker's repository into sources list
       apt_repository:
-#        repo: deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable
+#        repo: deb [arch=amd64] https://download.docker.com/linux/debian bookworm stable
-#        repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
+#        repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu noble stable
         state: present
     - name: Install Docker
@@ Line 170: / Line 184: @@
           - containerd.io
           - docker-compose-plugin
+          - docker-buildx-plugin
         state: present
         update_cache: true
@@ Line 177: / Line 192: @@
 <code>
-gate# ansible-playbook provision_docker.yml
+server# ansible-playbook provision_docker.yml --syntax-check
-gate# ansible-playbook provision_docker.yml -i inv_file.ini
+server# ansible-playbook provision_docker.yml
-gate# ansible-playbook provision_docker.yml -e "ansible_python_interpreter=/usr/bin/python3" -i 192.168.X.1:2222,
+server# ansible-playbook provision_docker.yml --extra-vars "variable_host=nodes"
-gate# ansible-playbook provision_docker.yml --extra-vars "variable_host=corp"
+server# ansible-playbook provision_docker.yml -e "variable_host=localhost"
-gate# ansible-playbook provision_docker.yml --extra-vars "variable_host=localhost"
+server# ansible-playbook provision_docker.yml -i inv_file.ini
+server# ansible-playbook provision_docker.yml -e "ansible_python_interpreter=/usr/bin/python3" -i 192.168.X.1:2222,
 </code>
 ==== Пример 2 ====
@@ Line 193: / Line 210: @@
 </code><code>
 - hosts: corpX
+  # - hosts: all
+  name: Add Users
   tasks:
     - name: Add user1
@@ Line 201: / Line 220: @@
         comment: "Ivan Ivanovitch Ivanov,RA1,401,499-239-45-23"
         password: $6$3Gz1ZuH3yHckA$wQNZbfU/9G6bYx08owpn7CoFP//2WbB4cmDDOgwDYBbwEyHxB0QQyCuMrOiPOLv3JF5RFtIv/r/kxoPPYFCsx1
     - name: Add user2
-      user:
+      ansible.builtin.user:
         name: user2
         uid: 10002
@@ Line 212: / Line 230: @@
 </code><code>
+node1# ansible-playbook addusers.yml --syntax-check
+node1# apt install ansible-lint
+node1# ansible-lint addusers.yml
 node1# ansible-playbook addusers.yml
 </code>
@@ Line 223: / Line 246: @@
 </code><code>
 - hosts: sws
-  connection: local
+#  connection: local
+  connection: network_cli
+  gather_facts: no
   tasks:
     - name: configure top level configuration
       ios_config:
         lines:
-          - ip host server 192.168.X.10
-          - snmp-server host server writetrap
           - snmp-server community write RW
+#          - ip host server 192.168.X.10
+#          - snmp-server host server writetrap
 #          - snmp-server enable traps config
@@ Line 251: / Line 276: @@
 #          - enable secret cisco
 #          - aaa authorization console
 #          - aaa authentication login default local
 #          - aaa authorization exec default local
@@ Line 289: / Line 315: @@
 <code>
 node1# ansible -m setup corpX
+server# ansible all -m setup -i gate,
 node1# ansible -m setup corpX | grep ansible_fqdn
@@ Line 302: / Line 330: @@
 </html>
 </code><code>
-node1# cat inst_apache.yml
+node1# cat inst_http.yml
 </code><code>
 - hosts: corpX
+#- hosts: all
   tasks:
-    - name: Installs apache web server
+    - name: Install or remove web server
       apt: pkg=apache2 state=present update_cache=true
+#      apt: pkg=nginx state=absent update_cache=true
     - name: Create index.html file
       template: src=index.html.j2 dest=/var/www/html/index.html
 </code><code>
-node1# ansible-playbook inst_apache.yml
+node1# ansible-playbook inst_http.yml
-</code><code>
+server# ansible-playbook inst_http.yml -i gate,
+</code>
+==== Asterisk IAX конфигурация ====
+<code>
 # cat iax.conf.j2
 </code><code>
@@ Line 319: / Line 356: @@
 disallow=all
 allow=alaw
+{#
+Comment
+#}
 {% for Y in YS %}
@@ Line 347: / Line 388: @@
 </code><code>
 # ansible-playbook ast_iax_corps.yml --extra-vars '{"X":"{{ ansible_eth0.ipv4.address.split(\".\")[3] }}","YS":[1,2,3,4,5,6,7,8,9,10,11,12,13]}'
+</code>
+==== Провижининг IP телефонов ====
+<code>
+~/phone-prov# cat inventory.yml
+</code><code>
+all:
+  vars:
+    phones:
+      - [ '403', 'tpassword403', 'server.corp13.un', '000E08C190C2', 'spa' ]
+      - [ '404', 'tpassword404', 'server.corp13.un', 'BCC34221709A', 'kx-hdv' ]
+</code><code>
+~/phone-prov# cat kx-hdv.j2
+</code><code>
+# Panasonic SIP Phone Standard Format File #
+## SIP Settings
+PHONE_NUMBER_1="{{ pn }}"
+SIP_AUTHID_1="{{ pn }}"
+SIP_PASS_1="{{ secret }}"
+SIP_PRXY_ADDR_1="{{ sipproxy }}"
+SIP_RGSTR_ADDR_1="{{ sipproxy }}"
+DIAL_PLAN_1="*xx|[1-4]xx|0xxxxx|8xxxxxxxxxx"
+</code><code>
+~/phone-prov# cat spa.j2
+</code><code>
+<flat-profile>
+  <Proxy_1_>{{ sipproxy }}</Proxy_1_>
+  <User_ID_1_>{{ pn }}</User_ID_1_>
+  <Password_1_>{{ secret }}</Password_1_>
+  <Dial_Plan_1_>( xxx | 8xxxxxxxxxx | 0xxxxx | *xx )</Dial_Plan_1_>
+</flat-profile>
+</code><code>
+~/phone-prov# cat phone-prov.yml
+</code><code>
+- hosts: localhost
+  tasks:
+    - name: debug
+      debug:
+        msg: "{{ item.0 }} ... {{ item.4 }}"
+      loop: "{{ phones }}"
+    - name: Create phone conf
+      template:
+        src: "{{ model }}.j2"
+        dest: "/var/www/html/{{ model }}-{{ mac }}.cfg"
+      vars:
+        pn: "{{ item.0 }}"
+        secret: "{{ item.1 }}"
+        sipproxy: "{{ item.2 }}"
+        mac: "{{ item.3 }}"
+        model: "{{ item.4 }}"
+      loop: "{{ phones }}"
+</code><code>
+~/phone-prov# ansible-playbook phone-prov.yml -i inventory.yml
 </code>
 ===== Использование handlers =====
+==== Пример 4 ====
   * [[Сервис HTTP#Использование домашних каталогов]]
@@ Line 372: / Line 469: @@
 </code>
+==== Пример 5 ====
+  * [[Управление ПО в Linux#Список desktop приложений]]
+<code>
+server# cat za.conf
+</code><code>
+ListenIP=0.0.0.0
+StartAgents=0
+ServerActive=server
+UserParameter=listinstalledsoft,ls /usr/share/applications | awk -F '.desktop' ' { print $1}' -
+</code><code>
+server# cat za.yml
+</code><code>
+- hosts: lin_ws
+  tasks:
+    - name: Install zabbix agent
+      apt: pkg=zabbix-agent state=present update_cache=true
+    - name: Create conf file
+      copy: src=za.conf dest=/etc/zabbix/zabbix_agentd.conf.d/za.conf
+      notify:
+        - restart za
+  handlers:
+    - name: restart za
+      service: name=zabbix-agent state=restarted
+</code><code>
+server# ansible-playbook za.yml
+</code>
 ===== Использование ролей =====
   * [[https://rtfm.co.ua/ansible-roli-roles-primer/|Ansible: роли (roles) – пример]]
+  * [[https://andreyex.ru/linux/ansible-roli-v-ansible/|Ansible. Роли в Ansible]]
   * [[Настройка стендов слушателей#Ansible конфигурация]]
@@ Line 380: / Line 508: @@
 <code>
+# ###cd /root/conf/
+# ###git pull origin master
+# ###cd /root/conf/ansible/roles/
 # cat nodes.yml
 </code><code>
 - name: Network config for nodes
   hosts: addnodes
+#  hosts: kubes
+#  hosts: "{{ variable_host | default('addnodes') }}"
   roles:
     - node
@@ Line 392: / Line 526: @@
 </code><code>
 name_prefix: node
+#name_prefix: kube
 X: "{{ ansible_eth0.ipv4.address.split('.')[2] }}"
-N: "{{ ansible_eth0.ipv4.address.split('.')[3] }}"
+N: "{{ ansible_eth0.ipv4.address.split('.')[3][-1] }}"
 </code><code>
 # cat node/tasks/main.yml
@@ Line 437: / Line 572: @@
 </code><code>
 search corp{{ X }}.un
+{% if variable_host is defined %}
+nameserver 192.168.{{ X }}.10
+{% else %}
 nameserver 192.168.{{ X }}.1
 nameserver 192.168.{{ X }}.2
+{% endif %}
 </code><code>
 # cat node/templates/interfaces.j2
@@ Line 449: / Line 588: @@
         address {{ ansible_eth0.ipv4.address }}
         netmask 255.255.255.0
+{% if variable_host is defined %}
+        gateway 192.168.{{ X }}.1
+{% else %}
         gateway 192.168.{{ X }}.254
+{% endif %}
 </code><code>
 # ansible-playbook -f 5 nodes.yml
@@ Line 455: / Line 598: @@
   ИЛИ
-# ansible-playbook -f 5 conf/ansible/roles/nodes.yml
+# ansible-playbook -f 5 /root/conf/ansible/roles/nodes.yml
+  ИЛИ
+(venv1) server# ansible-playbook -f 5 /root/conf/ansible/roles/nodes.yml -i /root/kubespray/inventory/mycluster/hosts.yaml -e "variable_host=all name_prefix=kube" #--limit=kube4
 </code>
 ==== Роль OpenVPN сервера ====
+  * [[Пакет OpenVPN]]
 <code>
 server:~# mkdir openvpn1 && cd openvpn1
@@ Line 474: / Line 624: @@
 dh2048.pem  server.crt  server.key
 </code><code>
-server:~/openvpn1/openvpn1/files# cd -
+server:~/openvpn1/openvpn1/files# cd ../../
 server:~/openvpn1# cat openvpn1/templates/openvpn1.conf.j2
@@ Line 483: / Line 633: @@
 server {{node_nets[ansible_hostname]}} 255.255.255.0
-push "route 192.168.X.0 255.255.255.0"
+push "route 192.168.{{X}}.0 255.255.255.0"
-#push "dhcp-option DNS 192.168.X.10"
+#push "dhcp-option DNS 192.168.{{X}}.10"
 #push "block-outside-dns"
+#push "dhcp-option DOMAIN corp{{X}}.un"
 dh /etc/openvpn/dh2048.pem
@@ Line 534: / Line 685: @@
     name: openvpn@openvpn1
     enabled: yes
-    state: started
+#    state: started
 </code><code>
 server:~/openvpn1# cat openvpn1/handlers/main.yml
@@ Line 547: / Line 698: @@
 all:
   vars:
-    ansible_python_interpreter: "/usr/bin/python3"
+    X: "{{ ansible_eth1.ipv4.address.split('.')[2] }}"
     ansible_ssh_user: vagrant
     ansible_ssh_pass: strongpassword
@@ Line 573: / Line 724: @@
       when: node_nets[ansible_hostname] is defined
 </code><code>
+server:~# wget https://val.bmstu.ru/unix/conf.git/conf/ansible/roles/openvpn1.tgz && tar -xvzf openvpn1.tgz && cd openvpn1
+server:~/openvpn1# ansible -m ping -i inventory.yaml all
 server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=test_nodes"
-server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml
+server:~/openvpn1# ###ansible-playbook openvpn1.yaml -i inventory.yaml    # лучше через GitLab CI/CD
-server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=all"
+server:~/openvpn1# ###ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=all"
 </code>
+  * [[Сервисы Gateway и routing#Управление таблицей маршрутизации]]
+==== ansible-vault ====
+<code>
+~/openvpn1# less openvpn1/files/server.key
+~/openvpn1# ansible-vault encrypt openvpn1/files/server.key
+</code><code>
+New Vault password: 12345678
+Confirm New Vault password: 12345678
+Encryption successful
+</code><code>
+~/openvpn1# less openvpn1/files/server.key
+~/openvpn1# ansible-vault view openvpn1/files/server.key
+~/openvpn1# ansible-vault encrypt_string strongpassword
+</code><code>
+New vault password (default): 12345678
+...
+</code><code>
+Encryption successful
+!vault |
+          $ANSIBLE_VAULT;1.1;AES256
+...
+</code><code>
+~/openvpn1# cp inventory.yaml inventory2.yaml
+~/openvpn1# cat inventory2.yaml
+</code>
+!!! Никаких лишних пробелов в конце строк !!!
+<code>
+...
+    ansible_ssh_pass: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+...
+...
+</code><code>
+~/openvpn1#  ANS_V_SEC=12345678
+~/openvpn1# echo $ANS_V_SEC | ansible-playbook openvpn1.yaml -i inventory2.yaml -e "variable_host=test_nodes" --vault-password-file=/bin/cat
+</code>
 ==== Фрагмент роли с условиями и отладкой ====
@@ Line 606: / Line 805: @@
   debug:
     msg: octet4 is {{ octet4 }}, X is {{ X }}, hostname is {{hostname}}
+#- meta: end_play
 ...
 </code>
+==== ansible-pull ====
+  * [[https://medium.com/splunkuserdeveloperadministrator/using-ansible-pull-in-ansible-projects-ac04466643e8|Using Ansible Pull In Ansible Projects]]
+  * [[Инсталяция системы в конфигурации Desktop]]
+  * [[Переменные окружения]]
+=== Вариант 1 ===
+  * [[https://habr.com/ru/articles/732736/|GPO для Linux из подручных материалов]] (help.desktop)
+<code>
+client1:~/ansible-pull-gpo# cat thunderbird/tasks/main.yml
+</code><code>
+- name: Install Thunderbird
+  apt: pkg=thunderbird state=present update_cache=true
+</code><code>
+client1:~/ansible-pull-gpo# cat proxy/files/etc/environment
+</code><code>
+#http_proxy=http://gate.corpX.un:3128
+https_proxy=http://gate.corpX.un:3128
+no_proxy=localhost,127.0.0.1,isp.un,corpX.un
+</code><code>
+client1:~/ansible-pull-gpo# cat proxy/tasks/main.yml
+</code><code>
+- name: Copy file environment
+  copy:
+    src: etc/environment
+    dest: /etc/environment
+</code><code>
+client1:~/ansible-pull-gpo# cat local.yml
+</code><code>
+- hosts: localhost
+  roles:
+    - role: proxy
+    - role: thunderbird
+</code><code>
+client1:~/ansible-pull-gpo# ansible-playbook local.yml
+</code>
+  * [[Инструмент GitLab]] (Создать публичный проект без readme и скопировать подсказки)
+<code>
+client3:~# ###ansible-pull -U http://gate.corpX.un/user1/ansible-pull-gpo.git
+</code><code>
+client1:~/ansible-pull-gpo# cat start.sh
+</code><code>
+#!/bin/bash
+apt update
+apt install -y git ansible
+echo -e "0 */2 * * * \
+/usr/bin/ansible-pull -s 120 -U http://gate.corpX.un/user1/ansible-pull-gpo.git -C $BR 2>&1 | /usr/bin/logger -t ansible-pull\n\
+@reboot sleep 1m; /usr/bin/ansible-pull -U http://gate.corpX.un/user1/ansible-pull-gpo.git -C $BR 2>&1 | /usr/bin/logger -t ansible-pull" | crontab -
+init 6
+</code>
+  * Инструмент GitLab [[Инструмент GitLab#Подключение через API]]
+=== Вариант 2 ===
+  * [[Средства программирования shell#Использование диалоговых окон]]
+<code>
+$ cat ansible-pull-gpo\local.yml
+</code><code>
+- hosts: localhost
+  tasks:
+    - name: Set timezone to Europe/Moscow
+      timezone:
+        name: Europe/Moscow
+    - name: Russian Interface
+      shell: |
+        echo 'ru_RU.UTF-8 UTF-8' > /etc/locale.gen
+        locale-gen
+        echo LANG=ru_RU.UTF-8 > /etc/default/locale
+      when: CONF_RUS_INT is defined
+    - name: Install Firefox in Debian
+      apt: pkg=firefox-esr state=present update_cache=true
+#      debug: msg="Install Firefox in Debian"
+      when: ansible_distribution == 'Debian'
+    - name: Install Firefox in Ubuntu
+      apt: pkg=firefox state=present update_cache=true
+#      debug: msg="Install Firefox in Ubuntu"
+      when: ansible_distribution == 'Ubuntu'
+    - name: Install Thunderbird
+      apt: pkg=thunderbird state=present update_cache=true
+      when: PROG_THBIRD is defined
+  roles:
+    - role: zabbix_agent
+      when: ROLE_ZAB_AG is defined
+    - role: openvpn1_client
+      when: ROLE_OVPN1_CL is defined
+</code><code>
+client1:~# cat /usr/local/etc/gpo_options.yml
+</code><code>
+CONF_RUS_INT:
+PROG_THBIRD:
+ROLE_ZAB_AG:
+</code><code>
+client1:~# /usr/bin/ansible-pull -U http://server.corp13.un/student/ansible-pull-gpo.git -C test -e @/usr/local/etc/gpo_options.yml
+</code>
+  * [[Планирование выполнения заданий в Linux#Сервис cron]]
 ====== Дополнительные материалы ======
+===== Вместо ansible =====
 <code>
-выполнение команд на цисках через ансибл
+for i in 1 2 3; do ssh node$i "apt update && apt install apache2; done
+</code>
+===== выполнение команд на цисках через ансибл =====
+<code>
 . добавить в /etc/ansible/group_vars/all.yml строки
 ansible_connection: network_cli

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools