티스토리 뷰
복습
# 자동화는 비대화식
[devops@control ~]$ ssh node1.example.com 'hostname'
node1.example.com
[devops@control ~]$ ssh node2.example.com 'hostname'
node2.example.com
[devops@control ~]$ ssh node3.example.com 'hostname'
node3.example.com
[devops@control ~]$
▷ vagrant 로는 기록이 없으므로 공개키 생성
[vagrant@control .ssh]$ ll
total 8
-rw-------. 1 vagrant vagrant 89 Feb 6 05:52 authorized_keys
-rw-r--r--. 1 vagrant vagrant 176 Feb 6 06:48 known_hosts
[vagrant@control .ssh]$ cat authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtsXqs9QmJbtDZGNP3BwtHwR30v794DkKmKadqTjVoM vagrant
[vagrant@control .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vagrant/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vagrant/.ssh/id_rsa.
Your public key has been saved in /home/vagrant/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jTDQgt9EFAYQTlK7PBhJUn+U2G9nRs2SldavcSlB+fE vagrant@control.example.com
The key's randomart image is:
+---[RSA 2048]----+
|o+*+oB*o =o+. |
|o=.oo+= + =o.. |
|o o..++. . o o.+|
| + ....ooo+ ..oE|
|. + .S+. .+ |
| . . |
| |
| |
| |
+----[SHA256]-----+
[vagrant@control .ssh]$ ll
total 16
-rw-------. 1 vagrant vagrant 89 Feb 6 05:52 authorized_keys
-rw-------. 1 vagrant vagrant 1679 Feb 7 04:18 id_rsa
-rw-r--r--. 1 vagrant vagrant 409 Feb 7 04:18 id_rsa.pub
-rw-r--r--. 1 vagrant vagrant 176 Feb 6 06:48 known_hosts
[vagrant@control .ssh]$ ssh-copy-id node1.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/vagrant/.ssh/id_rsa.pub"
The authenticity of host 'node1.example.com (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vagrant@node1.example.com's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'node1.example.com'"
and check to make sure that only the key(s) you wanted were added.
▶ sudo 권한이 필요하다
[root@control sudoers.d]# ls
opuser vagrant
[root@control sudoers.d]# pwd
/etc/sudoers.d
[root@control sudoers.d]# cat opuser
opuser ALL=(ALL) NOPASSWD: ALL
[root@control sudoers.d]# cat vagrant
%vagrant ALL=(ALL) NOPASSWD: ALL
[root@control sudoers.d]#
devops 계정에서
echo a > /etc/a.txt
가 안되는 이유는
파일부터 만들고 echo 로 내용을 넣으므로,
본인 권한으로 만들어서 안만들어 지는 것
▶ 추가 설치
[devops@control etc]$ sudo yum install ansible
[devops@control etc]$ ansible --version
ansible 2.9.27
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/devops/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Apr 2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
▷ 설정파일
[devops@control ansible]$ pwd
/etc/ansible
[devops@control ansible]$ cp ansible.cfg ansible.cfg.org
cp: cannot create regular file ‘ansible.cfg.org’: Permission denied
[devops@control ansible]$ sudo cp ansible.cfg ansible.cfg.org
[devops@control ansible]$ ll
total 44
-rw-r--r--. 1 root root 19985 Oct 14 2021 ansible.cfg
-rw-r--r--. 1 root root 19985 Feb 7 06:16 ansible.cfg.org
-rw-r--r--. 1 root root 1016 Oct 14 2021 hosts
drwxr-xr-x. 2 root root 6 Oct 14 2021 roles
▷설정파일 디렉터리 위치들 확인
>> [privilege_escalation]
>> become = true 만 넣어줘도 된다
>> 나머지 항목은 모두 default 이다
>> become_ask_pass = false 도 default
>> escaltion 은 오타이니 항상 주의
>> 오타로 인한 root 권한 사용 안됨
## rc = 0 는 제대로 작동 했다는 뜻
## echo $? 의 값이라고 생각하자
[opuser@control sample]$ echo $?
0
▷ 마지막에 node1..3 등록
[ /etc/ansible/hosts ]
[devops@control ansible]$ cat hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
# Ex 2: A collection of hosts belonging to the 'webservers' group
## [webservers]
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110
# If you have multiple hosts following a pattern you can specify
# them like this:
## www[001:006].example.com
# Ex 3: A collection of database servers in the 'dbservers' group
## [dbservers]
##
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57
# Here's another example of host ranges, this time there are no
# leading 0s:
## db-[99:101]-node.example.com
node1.example.com
node2.example.com
node3.example.com
▶ ping module을 사용한다
>> SUCCESS가 뜨면 성공
>> 앤서블로 관리 가능하다는 뜻
>> all 은 모든 장비와 모든 그룹을 의미한다
[devops@control ~]$ ansible all -m ping
node3.example.com | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node1.example.com | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node2.example.com | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
>> 본격적인 시작
[devops@control test]$ vim inventory
[devops@control test]$ cat inventory
node3
[webserver]
# [] 는 장비 그룹을 의미
node1
node2
#[dbserver]
#node4
#node5
https://medium.com/@wintonjkt/ansible-101-getting-started-1daaff872b64
한번에 뿌리지만, 먼저 처리한 것부터 보여주므로 차례대로 node 123으로 뜨지 않는다
▷ 설정파일 참조 순서는 현재 디렉토리의 ansible.cfg 를 가장 먼저 참조
>> 두번째는 $HOME/.ansible.cfg
## 히든파일 속성으로 되어있다 >> . 을 붙인다
>>>> 마지막으로 /etc/ansible/ansible.cfg 를 참조한다
[devops@control test]$ vim ansible.cfg
[devops@control test]$ cat ansible.cfg
[defaults]
inventory = ./inventory
[devops@control test]$ ll
total 8
-rw-rw-r--. 1 devops devops 36 Feb 7 06:46 ansible.cfg
-rw-rw-r--. 1 devops devops 92 Feb 7 06:44 inventory
>> fingerprint(지문) 저장이 안되어있기 때문에 안된다
>> ssh node1..3 을 접속하고 저장시키고 진행해야 한다
[devops@control test]$ ansible all -m ping
The authenticity of host 'node2 (192.168.110.30)' can't be established.
ECDSA key fingerprint is SHA256:8cKvJKEsqrG5ZOKFr8N8o/sA+RyEh8BezGjiesyKm2Y.
ECDSA key fingerprint is MD5:cc:a5:23:eb:d2:50:c9:2d:1a:81:45:94:86:e2:63:a4.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'node3 (192.168.110.40)' can't be established.
ECDSA key fingerprint is SHA256:CiiP+eUwXwhc5qegjmiFdnoGXkVgbLLz6zmFwfLy5hk.
ECDSA key fingerprint is MD5:68:9f:f6:03:a8:52:42:90:67:19:f6:3e:5b:93:fb:18.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'node1 (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.
Are you sure you want to continue connecting (yes/no)? yes
node2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node3 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Host key verification failed.",
"unreachable": true
}
node1 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Host key verification failed.",
"unreachable": true
}
▷ ansible.cfg 를 참조했다
[devops@control test]$ ansible all -m ping
node1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node2 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
node3 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
▷ ping 커맨드가 아닌 ping module 이다
>> module 도움말 보는 명령어 ansible-doc
>> ping module의 소스 파일 위치 확인 가능
>> 리턴 관련해서 적혀있다
[devops@control test]$ ansible-doc ping
> PING (/usr/lib/python2.7/site-packages/ansible/modules/system/ping.py)
.........
......
RETURN VALUES:
ping:
description: value provided with the data parameter
returned: success
type: str
sample: pong
▷ 셀스크립트 짤 필요 없이 내가 쓸 리눅스 command 사용 가능하다
>> - a : argument
>> 성공하면 CHANGED 가 발생한다
( command 모듈은 멱등성이 없으므로, 잘 사용 안한다 )
( 그저 출력한 것 뿐인데 CHANGED라고 출력 )
[devops@control test]$ ansible all -m command -a 'hostname'
node3 | CHANGED | rc=0 >>
node3.example.com
node2 | CHANGED | rc=0 >>
node2.example.com
node1 | CHANGED | rc=0 >>
node1.example.com
>> command module은 디폴트이므로 생략 가능
[devops@control test]$ ansible all -a 'whoami'
node3 | CHANGED | rc=0 >>
devops
node2 | CHANGED | rc=0 >>
devops
node1 | CHANGED | rc=0 >>
devops
▷ devops 권한으로 커맨드 모듈이 실행된다
>> 되기는 하지만, 불편하므로 ansible은 sudo로 사용 안한다
[devops@control test]$ ansible all -a 'useradd auser1'
node2 | FAILED | rc=2 >>
[Errno 2] No such file or directory
node1 | FAILED | rc=2 >>
[Errno 2] No such file or directory
node3 | FAILED | rc=2 >>
[Errno 2] No such file or directory
[devops@control test]$ ansible all -a 'sudo useradd auser1'
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather
than running sudo
node1 | CHANGED | rc=0 >>
node2 | CHANGED | rc=0 >>
node3 | CHANGED | rc=0 >>
[devops@control test]$ ansible all -a 'ls /home'
node3 | CHANGED | rc=0 >>
auser1
devops
vagrant
node2 | CHANGED | rc=0 >>
auser1
devops
vagrant
node1 | CHANGED | rc=0 >>
auser1
devops
kdhong
vagrant
▷ 권한 상승 ( - - become )
[devops@control test]$ ansible all -a 'useradd auser2' --become --become-method=sudo
node2 | CHANGED | rc=0 >>
node3 | CHANGED | rc=0 >>
node1 | CHANGED | rc=0 >>
▶ ansible.cfg 내용 추가
>> root 권한으로 나온다 >> privelege_escalation >> become = true
[devops@control test]$ ansible all -a 'whoami'
node2 | CHANGED | rc=0 >>
root
node1 | CHANGED | rc=0 >>
root
node3 | CHANGED | rc=0 >>
root
▦ 커맨드 모듈은 멱등성을 보장 못한다
▶ user 모드가 따로 있다
>> ansible-doc 를 보고 명령어를 입력해야 한다
>> mandatory 같은 필수 조건은 빠지면 안된다
>> webserver 는 그룹명 / 그룹명이 안되면 all 사용
>>>> node3이 안만들어진 이유
>> 멱등성 때문에 create가 아닌 present라고 입력해야 한다
[devops@control test]$ ansible-doc user
[devops@control test]$ ansible webserver -m user -a 'name=auser5 shell=/bin/cssstate=present'
>> 다시 입력하면 그냥 성공으로 뜬다
>> 멱등성으로 인해서 이미 존재하므로 성공
>>> 생략해도 필수 요소인 name을 넣었으므로 만들어진다
'Ansible' 카테고리의 다른 글
Ansible 환경 변수 / DB 연동 (0) | 2024.02.08 |
---|---|
yaml syntax (0) | 2024.02.07 |
공개키 옛날처럼 전달 / PGP,GPG (0) | 2024.02.07 |
Ansible 시작 [ 공개키 / 개인키 ] (0) | 2024.02.06 |
직접 Vagrant file 만들기 (0) | 2024.02.06 |