Differences

This shows you the differences between two versions of the page.

--- сервис_ansible [2022/03/04 11:28]
val [Из репозитория дистрибутива]
+++ сервис_ansible [2024/03/25 06:40]
val [Роль настроенного через ifupdown узла сети]
@@ Line 1: / Line 1: @@
 ====== Сервис Ansible ======
+  * Управление инфраструктурой на примере [[https://ru.wikipedia.org/wiki/Ansible|Аnsible - wikipedia]]
   * [[https://habrahabr.ru/company/express42/blog/254959/|Ansible — давайте попробуем]]
-  * [[https://habrahabr.ru/post/195048/|Ansible]]
   * [[https://habrahabr.ru/post/305400/|Пособие по Ansible]]
+  * [[https://habr.com/ru/post/508762/|Основы Ansible, без которых ваши плейбуки — комок слипшихся макарон]]
   * [[https://www.cisco.com/c/dam/m/ru_ru/training-events/2019/cisco-connect/pdf/introduction_automation_with_ansible_idrey.pdf|Введение в автоматизацию с помощью Ansible (Cisco)]]
   * [[https://nwmichl.net/2020/02/24/first-simple-ansible-playbooks/|First simple Ansible playbooks Cisco IOS]]
-  * [[https://www.opennet.ru/base/dev/yaml.txt.html|Знакомимся с YAML (yaml config lib perl python ruby)]]
-  * [[https://www.jeffgeerling.com/blog/yaml-best-practices-ansible-playbooks-tasks|YAML best practices for Ansible playbooks - tasks]]
-  * [[https://stackoverflow.com/questions/50788277/why-3-dashes-hyphen-in-yaml-file|why — (3 dashes/hyphen) in yaml file?]]
 ===== Установка на управляющей системе =====
@@ Line 47: / Line 47: @@
 #[corp]
 #server.corp13.un
-#server.corp[1:12].un ansible_ssh_user=root ansible_ssh_pass=123
+#server.corp[1:12].un ansible_ssh_user=root ansible_ssh_pass=strongpassword
-#mail.corp[1:12].un ansible_ssh_user=root ansible_ssh_pass=123
+#mail.corp[1:12].un ansible_ssh_user=root ansible_ssh_pass=strongpassword
 #192.168.[1:25].10
@@ Line 55: / Line 55: @@
 [addnodes]
-.168.X.[3:9] ansible_ssh_user=root ansible_ssh_pass=123
+.168.X.[3:9] ansible_ssh_user=root ansible_ssh_pass=strongpassword
 [sws]
@@ Line 61: / Line 61: @@
 [nodes]
+##192.168.X.[210:230:10]
+##192.168.X.[201:203]
 node[1:3]
 [nodes:vars]
 ansible_ssh_user=vagrant
-ansible_ssh_pass=123
+ansible_ssh_pass=strongpassword
+#ansible_sudo_pass=strongpassword
 ansible_become=yes
 </code>
@@ Line 77: / Line 80: @@
 </code><code>
 [defaults]
-...
+#...
 host_key_checking = False
-...
+#...
 </code>
@@ Line 98: / Line 101: @@
 node1# ansible corpX -m ping
+node1# ansible localhost -m ping
 node1# ansible all -m ping
 node1# ansible all -m ping -i inv_file.ini
@@ Line 103: / Line 107: @@
 node1# ansible corpX -m command -a 'uname -a'
-node1# ansible corpX -a 'uname -a'
+kube1# ansible kubes -a 'sed -i"" -e "/swap/s/^/#/" /etc/fstab'
+kube1# ansible kubes -a 'swapoff -a'
+  ИЛИ
+(venv1) server# ansible all -a 'sed -i"" -e "/swap/s/^/#/" /etc/fstab' -i /root/kubespray/inventory/mycluster/hosts.yaml #--limit=kube4
+(venv1) server# ansible all -a 'swapoff -a' -i /root/kubespray/inventory/mycluster/hosts.yaml #--limit=kube4
 node1# ansible corpX -f 2 -m apt -a 'pkg=apache2 state=present update_cache=true'
-node1# ansible addnodes -f 5 -m apt -a 'pkg=ceph state=present update_cache=true'
+node1# ansible addnodes -vv -f 5 -m apt -a 'pkg=ceph,tgt-rbd state=present update_cache=true'
-node1# ansible addnodes -m community.general.shutdown  !!!Зависает Vbox, попробовать в один поток
-node3# ansible addnodes -m copy -a 'src=/etc/ceph/ceph.conf dest=/etc/ceph/ceph.conf'
+server# ansible nodes -f 3 -m apt -a 'pkg=openvpn state=present update_cache=true'
+server# ansible nodes -f 3 -m apt -a 'pkg=docker.io state=present update_cache=true'
+ubuntu20# apt install python3-paramiko
 server# ansible sws -m ios_command -a "commands='show cdp nei'" -c local
-# apt install python3-paramiko
+server# ansible sws -m ios_command -a "commands='show cdp nei'" -c network_cli -e "ansible_network_os=ios"
-# ansible sws -m ios_command -a "commands='show cdp nei'" -c network_cli -e "ansible_network_os=ios" -e "ansible_python_interpreter=/usr/bin/python3"
 </code>
 ===== Использование playbook =====
-  * [[https://coderlessons.com/tutorials/raznoe/vyuchi-yaml/uchebnik-po-yaml|Учебник по YAML]]
+  * [[Формат YAML]]
   * [[https://stackoverflow.com/questions/17188147/how-to-run-ansible-without-specifying-the-inventory-but-the-host-directly|How to run Ansible without specifying the inventory but the host directly?]]
   * [[https://stackoverflow.com/questions/33222641/override-hosts-variable-of-ansible-playbook-from-the-command-line|Override hosts variable of Ansible playbook from the command line]]
 ==== Пример 1 ====
+  * [[Технология Docker]]
 <code>
-λ cat provision_docker.yml
+server# cat provision_docker.yml
+  или
+λ touch provision_docker.yml
+  или
+student@node1:~$ cat /vagrant/provision_docker.yml
 </code><code>
 - hosts: "{{ variable_host | default('all') }}"
@@ Line 144: / Line 166: @@
     - name: Add Docker's official GPG key
       apt_key:
-        url: https://download.docker.com/linux/debian/gpg
+#        url: https://download.docker.com/linux/debian/gpg
+#        url: https://download.docker.com/linux/ubuntu/gpg
         state: present
     - name: Add Docker's repository into sources list
       apt_repository:
-#        repo: deb [arch=amd64] https://download.docker.com/linux/debian buster stable
+#        repo: deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable
-        repo: deb [arch=amd64] https://download.docker.com/linux/debian bullseye stable
+#        repo: deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable
         state: present
     - name: Install Docker
-      apt: pkg=docker-ce state=present update_cache=true
+      apt:
-</code><code>
+        pkg:
-gate# ansible-playbook provision_docker.yml
+          - docker-ce
+          - docker-ce-cli
+          - containerd.io
+          - docker-compose-plugin
+        state: present
+        update_cache: true
+</code>
-gate# ansible-playbook provision_docker.yml -i inv_file.ini
+  * Технология Vagrant: [[Технология Vagrant#Provision с использованием ansible]]
-gate# ansible-playbook provision_docker.yml -e "ansible_python_interpreter=/usr/bin/python3" -i 192.168.X.1:2222,
+<code>
+server# ansible-playbook provision_docker.yml
-gate# ansible-playbook provision_docker.yml --extra-vars "variable_host=corp"
+server# ansible-playbook provision_docker.yml --extra-vars "variable_host=nodes"
-gate# ansible-playbook provision_docker.yml --extra-vars "variable_host=localhost"
+server# ansible-playbook provision_docker.yml --extra-vars "variable_host=localhost"
+server# ansible-playbook provision_docker.yml -i inv_file.ini
+server# ansible-playbook provision_docker.yml -e "ansible_python_interpreter=/usr/bin/python3" -i 192.168.X.1:2222,
 </code>
 ==== Пример 2 ====
@@ Line 189: / Line 223: @@
 </code><code>
+node1# ansible-playbook addusers.yml --syntax-check
+node1# apt install ansible-lint
+node1# ansible-lint addusers.yml
 node1# ansible-playbook addusers.yml
 </code>
 ==== Пример 3 ====
+  * [[https://docs.ansible.com/ansible/2.3/ios_config_module.html|ios_config - Manage Cisco IOS configuration sections]]
 <code>
@@ Line 199: / Line 240: @@
 - hosts: sws
   connection: local
+  gather_facts: no
   tasks:
-    - name: Change config on cisco device
+    - name: configure top level configuration
       ios_config:
         lines:
-          - logging facility local0
+          - snmp-server community write RW
-          - logging host server
-          - ip scp server enable
+#          - ip host server 192.168.X.10
 #          - snmp-server host server writetrap
-#          - snmp-server community write RW
 #          - snmp-server enable traps config
 #          - snmp-server enable traps config-copy
 #          - snmp-server enable traps snmp linkdown linkup
+#          - ip scp server enable
+#          - logging facility local0
+##          - logging host server
+#          - logging host server transport udp port 8514
+#          - ntp server server
+#          - clock timezone MSK 3
+#          - service timestamps log datetime localtime year
+#          - aaa new-model
+#          - aaa authentication login CONSOLE none
+#          - aaa authorization exec CONSOLE none
+#          - enable secret cisco
+#          - aaa authorization console
+#          - aaa authentication login default local
+#          - aaa authorization exec default local
+#          - username root privilege 15 secret cisco
+#          - radius-server host server auth-port 1812 acct-port 1813
+#          - radius-server key testing123
+#          - aaa authentication login default group radius enable
+#          - aaa authorization exec default group radius none
+#          - tacacs-server host server
+#          - tacacs-server key tackey123
+#          - aaa authentication login default group tacacs+ enable
+#          - aaa authorization exec default group tacacs+ none
+#          - aaa accounting commands 15 default start-stop group tacacs+
+#          - aaa authentication dot1x default group radius
+##          - aaa accounting dot1x default start-stop group radius
+#    - name: configure line con 0
+#      ios_config:
+#        lines:
+#          - login authentication CONSOLE
+#          - authorization exec CONSOLE
+#          - privilege level 15
+#        parents: line con 0
 </code><code>
 server# ansible-playbook cisco_change_conf.yml
@@ Line 231: / Line 315: @@
 <body>
 <h1>
-{{ ansible_fqdn }}
+Hello from {{ ansible_fqdn }}
 </h1>
 </body>
@@ Line 283: / Line 367: @@
 </code>
 ===== Использование handlers =====
+==== Пример 1 ====
+  * [[Сервис HTTP#Использование домашних каталогов]]
 <code>
@@ Line 304: / Line 392: @@
 </code>
+==== Пример 2 ====
+<code>
+server# cat za.conf
+</code><code>
+ListenIP=0.0.0.0
+StartAgents=0
+ServerActive=server
+UserParameter=listinstalledsoft,ls /usr/share/applications | awk -F '.desktop' ' { print $1}' -
+</code><code>
+node1# cat za.yml
+</code><code>
+- hosts: lin_ws
+  tasks:
+    - name: Install zabbix agent
+      apt: pkg=zabbix-agent state=present update_cache=true
+    - name: Create conf file
+      copy: src=za.conf dest=/etc/zabbix/zabbix_agentd.conf.d/za.conf
+      notify:
+        - restart za
+  handlers:
+    - name: restart za
+      service: name=zabbix-agent state=restarted
+</code><code>
+server# ansible-playbook za.yml
+</code>
 ===== Использование ролей =====
   * [[https://rtfm.co.ua/ansible-roli-roles-primer/|Ansible: роли (roles) – пример]]
+  * [[https://andreyex.ru/linux/ansible-roli-v-ansible/|Ansible. Роли в Ansible]]
   * [[Настройка стендов слушателей#Ansible конфигурация]]
+==== Роль настроенного через ifupdown узла сети ====
 <code>
+# ###cd /root/conf/
+# ###git pull origin master
+# ###cd /root/conf/ansible/roles/
 # cat nodes.yml
 </code><code>
 - name: Network config for nodes
   hosts: addnodes
+#  hosts: kubes
+#  hosts: all
   roles:
     - node
@@ Line 322: / Line 447: @@
 </code><code>
 name_prefix: node
+#name_prefix: kube
 X: "{{ ansible_eth0.ipv4.address.split('.')[2] }}"
-N: "{{ ansible_eth0.ipv4.address.split('.')[3] }}"
+N: "{{ ansible_eth0.ipv4.address.split('.')[3][-1] }}"
 </code><code>
 # cat node/tasks/main.yml
@@ Line 369: / Line 495: @@
 nameserver 192.168.{{ X }}.1
 nameserver 192.168.{{ X }}.2
+#nameserver 192.168.{{ X }}.10
 </code><code>
 # cat node/templates/interfaces.j2
@@ Line 380: / Line 507: @@
         netmask 255.255.255.0
         gateway 192.168.{{ X }}.254
+#        gateway 192.168.{{ X }}.1
 </code><code>
 # ansible-playbook -f 5 nodes.yml
+  ИЛИ
+# ansible-playbook -f 5 /root/conf/ansible/roles/nodes.yml
+  ИЛИ
+(venv1) server# ansible-playbook -f 5 /root/conf/ansible/roles/nodes.yml -i /root/kubespray/inventory/mycluster/hosts.yaml #--limit=kube4
+</code>
+==== Роль OpenVPN сервера ====
+<code>
+server:~# mkdir openvpn1 && cd openvpn1
+server:~/openvpn1# ansible-galaxy init openvpn1
+server:~/openvpn1# cd openvpn1/files/
+server:~/openvpn1/openvpn1/files#
+</code>
+  * В текущем каталоге выполняем и сохраняем файлы из тем [[Пакет OpenSSL#Создание параметра DH]] и [[Пакет OpenSSL#Создание самоподписанного сертификата]] (не указываем AltName, Common Name: server - достаточно)
+<code>
+server:~/openvpn1/openvpn1/files# ls
+</code><code>
+dh2048.pem  server.crt  server.key
+</code><code>
+server:~/openvpn1/openvpn1/files# cd ../../
+server:~/openvpn1# cat openvpn1/templates/openvpn1.conf.j2
+</code><code>
+dev tun
+keepalive 10 120
+server {{node_nets[ansible_hostname]}} 255.255.255.0
+push "route 192.168.{{X}}.0 255.255.255.0"
+#push "dhcp-option DNS 192.168.{{X}}.10"
+#push "block-outside-dns"
+#push "dhcp-option DOMAIN corp{{X}}.un"
+dh /etc/openvpn/dh2048.pem
+key /etc/ssl/private/server.key
+ca /etc/ssl/certs/server.crt
+cert /etc/ssl/certs/server.crt
+verify-client-cert none
+plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
+username-as-common-name
+#duplicate-cn
+status /var/log/openvpn1-status.log
+management 0.0.0.0 7505
+</code><code>
+server:~/openvpn1# cat openvpn1/tasks/main.yml
+</code><code>
+- name: Install OpenVPN
+  apt: pkg=openvpn state=present update_cache=true
+#  when: node_nets[ansible_hostname] is defined
+- name: Create openvpn1.conf file
+  template: src=openvpn1.conf.j2 dest=/etc/openvpn/openvpn1.conf
+  notify:
+    - restart openvpn1
+- name: Copy file server.key
+  copy:
+    src: server.key
+    dest: /etc/ssl/private/server.key
+    mode: '0600'
+  notify:
+    - restart openvpn1
+- name: Copy many files
+  copy:
+    src: '{{item.0}}'
+    dest: '{{item.1}}'
+  loop:
+    - [ 'dh2048.pem', '/etc/openvpn/dh2048.pem' ]
+    - [ 'server.crt', '/etc/ssl/certs/server.crt' ]
+  notify:
+    - restart openvpn1
+- name: Enable service OpenVPN
+  service:
+    name: openvpn@openvpn1
+    enabled: yes
+#    state: started
+</code><code>
+server:~/openvpn1# cat openvpn1/handlers/main.yml
+</code><code>
+- name: restart openvpn1
+  service:
+    name: openvpn@openvpn1
+    state: restarted
+</code><code>
+server:~/openvpn1# cat inventory.yaml
+</code><code>
+all:
+  vars:
+    X: "{{ ansible_eth1.ipv4.address.split('.')[2] }}"
+    ansible_python_interpreter: "/usr/bin/python3"
+    ansible_ssh_user: vagrant
+    ansible_ssh_pass: strongpassword
+    ansible_become: yes
+    node_nets:
+      node1: 192.168.110.0
+      node2: 192.168.120.0
+      node3: 192.168.130.0
+prod_nodes:
+  hosts:
+    node1:
+    node2:
+test_nodes:
+  hosts:
+    node3:
+</code><code>
+server:~/openvpn1# cat openvpn1.yaml
+</code><code>
+- name: Run openvpn1 on nodes
+  hosts: "{{ variable_host | default('prod_nodes') }}"
+  roles:
+    - role: openvpn1
+      when: node_nets[ansible_hostname] is defined
+</code><code>
+server:~# wget https://val.bmstu.ru/unix/conf.git/conf/ansible/roles/openvpn1.tgz && tar -xvzf openvpn1.tgz && cd openvpn1
+server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=test_nodes"
+server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml    # можно через GitLab CI/CD
+server:~/openvpn1# ansible-playbook openvpn1.yaml -i inventory.yaml -e "variable_host=all"
+</code>
+  * [[Сервисы Gateway и routing#Управление таблицей маршрутизации]]
+==== Фрагмент роли с условиями и отладкой ====
+<code>
+# cat conf/ansible/roles/host/vars/main.yml
+</code><code>
+...
+octet4: "{{ ansible_eth0.ipv4.address.split('.')[3] }}"
+...
+</code><code>
+# cat conf/ansible/roles/host/tasks/main.yml
+</code><code>
+- name: set vars for server
+  set_fact:
+    hostname: "mail"
+    X: "{{ octet4 | int - 100 }}"
+  when: octet4 | int >= 100
+- name: set vars for mail
+  set_fact:
+    hostname: "server"
+    X: "{{ octet4 }}"
+  when: octet4 | int < 100
+- name: echo variables
+  debug:
+    msg: octet4 is {{ octet4 }}, X is {{ X }}, hostname is {{hostname}}
+#- meta: end_play
+...
+</code>
+==== ansible-pull ====
+  * [[https://medium.com/splunkuserdeveloperadministrator/using-ansible-pull-in-ansible-projects-ac04466643e8|Using Ansible Pull In Ansible Projects]]
+  * [[Инсталяция системы в конфигурации Desktop]]
+  * [[Переменные окружения]]
+=== Вариант 1 ===
+<code>
+client1:~/ansible-pull-gpo# cat thunderbird/tasks/main.yml
+</code><code>
+- name: Install Thunderbird
+  apt: pkg=thunderbird state=present update_cache=true
+</code><code>
+client1:~/ansible-pull-gpo# cat proxy/files/etc/environment
+</code><code>
+#http_proxy=http://gate.corpX.un:3128
+https_proxy=http://gate.corpX.un:3128
+no_proxy=localhost,127.0.0.1,isp.un,corpX.un
+</code><code>
+client1:~/ansible-pull-gpo# cat proxy/tasks/main.yml
+</code><code>
+- name: Copy file environment
+  copy:
+    src: etc/environment
+    dest: /etc/environment
+</code><code>
+client1:~/ansible-pull-gpo# cat local.yml
+</code><code>
+- hosts: localhost
+  roles:
+    - role: proxy
+    - role: thunderbird
+</code><code>
+client1:~/ansible-pull-gpo# ansible-playbook local.yml
+</code>
+  * [[Инструмент GitLab]] (Создать публичный проект без readme и скопировать подсказки)
+<code>
+client3:~# ###ansible-pull -U http://gate.corpX.un/user1/ansible-pull-gpo.git
+</code><code>
+client1:~/ansible-pull-gpo# cat start.sh
+</code><code>
+#!/bin/bash
+apt update
+apt install -y git ansible
+echo -e "0 */2 * * * \
+/usr/bin/ansible-pull -s 120 -U http://gate.corpX.un/user1/ansible-pull-gpo.git -C $BR 2>&1 | /usr/bin/logger -t ansible-pull\n\
+@reboot sleep 1m; /usr/bin/ansible-pull -U http://gate.corpX.un/user1/ansible-pull-gpo.git -C $BR 2>&1 | /usr/bin/logger -t ansible-pull" | crontab -
+init 6
+</code>
+  * Инструмент GitLab [[Инструмент GitLab#Подключение через API]]
+=== Вариант 2 ===
+  * [[Средства программирования shell#Использование диалоговых окон]]
+<code>
+$ cat ansible-pull-gpo\local.yml
+</code><code>
+- hosts: localhost
+  tasks:
+    - name: Set timezone to Europe/Moscow
+      timezone:
+        name: Europe/Moscow
+    - name: Russian Interface
+      shell: |
+        echo 'ru_RU.UTF-8 UTF-8' > /etc/locale.gen
+        locale-gen
+        echo LANG=ru_RU.UTF-8 > /etc/default/locale
+      when: CONF_RUS_INT is defined
+    - name: Install Firefox in Debian
+      apt: pkg=firefox-esr state=present update_cache=true
+#      debug: msg="Install Firefox in Debian"
+      when: ansible_distribution == 'Debian'
+    - name: Install Firefox in Ubuntu
+      apt: pkg=firefox state=present update_cache=true
+#      debug: msg="Install Firefox in Ubuntu"
+      when: ansible_distribution == 'Ubuntu'
+    - name: Install Thunderbird
+      apt: pkg=thunderbird state=present update_cache=true
+      when: PROG_THBIRD is defined
+  roles:
+    - role: zabbix_agent
+      when: ROLE_ZAB_AG is defined
+    - role: openvpn1_client
+      when: ROLE_OVPN1_CL is defined
+</code><code>
+client1:~# cat /usr/local/etc/gpo_options.yml
+</code><code>
+CONF_RUS_INT:
+PROG_THBIRD:
+ROLE_ZAB_AG:
+</code><code>
+client1:~# /usr/bin/ansible-pull -U http://server.corp13.un/student/ansible-pull-gpo.git -C test -e @/usr/local/etc/gpo_options.yml
+</code>
+  * [[Планирование выполнения заданий в Linux#Сервис cron]]
+====== Дополнительные материалы ======
+<code>
+выполнение команд на цисках через ансибл
+. добавить в /etc/ansible/group_vars/all.yml строки
+ansible_connection: network_cli
+ansible_network_os: ios
+. создать файл playbook формата
+- name: Run show commands on routers
+  hosts: cisco-routers
+  tasks:
+    - name: run show commands
+      ios_command:
+        commands: # перечисление команд
+          - show ip int br
+          - sh ip route
+      register: show_result
 </code>

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools