티스토리 뷰

Ansible

Ansible 의 기본 동작

looeon 2024. 2. 7. 13:59

 

복습

# 자동화는 비대화식

[devops@control ~]$ ssh node1.example.com 'hostname'
node1.example.com
[devops@control ~]$ ssh node2.example.com 'hostname'
node2.example.com
[devops@control ~]$ ssh node3.example.com 'hostname'
node3.example.com
[devops@control ~]$

 

 

▷ vagrant 로는 기록이 없으므로 공개키 생성

[vagrant@control .ssh]$ ll
total 8
-rw-------. 1 vagrant vagrant  89 Feb  6 05:52 authorized_keys
-rw-r--r--. 1 vagrant vagrant 176 Feb  6 06:48 known_hosts
[vagrant@control .ssh]$ cat authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtsXqs9QmJbtDZGNP3BwtHwR30v794DkKmKadqTjVoM vagrant
[vagrant@control .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vagrant/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vagrant/.ssh/id_rsa.
Your public key has been saved in /home/vagrant/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jTDQgt9EFAYQTlK7PBhJUn+U2G9nRs2SldavcSlB+fE vagrant@control.example.com
The key's randomart image is:
+---[RSA 2048]----+
|o+*+oB*o   =o+.  |
|o=.oo+=   + =o.. |
|o o..++. . o  o.+|
| + ....ooo+  ..oE|
|. +    .S+.   .+ |
|   .          .  |
|                 |
|                 |
|                 |
+----[SHA256]-----+
[vagrant@control .ssh]$ ll
total 16
-rw-------. 1 vagrant vagrant   89 Feb  6 05:52 authorized_keys
-rw-------. 1 vagrant vagrant 1679 Feb  7 04:18 id_rsa
-rw-r--r--. 1 vagrant vagrant  409 Feb  7 04:18 id_rsa.pub
-rw-r--r--. 1 vagrant vagrant  176 Feb  6 06:48 known_hosts
[vagrant@control .ssh]$ ssh-copy-id node1.example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/vagrant/.ssh/id_rsa.pub"
The authenticity of host 'node1.example.com (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
vagrant@node1.example.com's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'node1.example.com'"
and check to make sure that only the key(s) you wanted were added.

 

▶ sudo 권한이 필요하다

[root@control sudoers.d]# ls
opuser  vagrant
[root@control sudoers.d]# pwd
/etc/sudoers.d
[root@control sudoers.d]# cat opuser
opuser ALL=(ALL) NOPASSWD: ALL
[root@control sudoers.d]# cat vagrant
%vagrant ALL=(ALL) NOPASSWD: ALL
[root@control sudoers.d]#
devops 계정에서
echo a > /etc/a.txt
가 안되는 이유는

파일부터 만들고 echo 로 내용을 넣으므로,
본인 권한으로 만들어서 안만들어 지는 것

 

 

 

▶ 추가 설치

[devops@control etc]$ sudo yum install ansible
[devops@control etc]$ ansible --version
ansible 2.9.27
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/devops/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr  2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

 

▷ 설정파일

[devops@control ansible]$ pwd
/etc/ansible
[devops@control ansible]$ cp ansible.cfg ansible.cfg.org
cp: cannot create regular file ‘ansible.cfg.org’: Permission denied
[devops@control ansible]$ sudo cp ansible.cfg ansible.cfg.org
[devops@control ansible]$ ll
total 44
-rw-r--r--. 1 root root 19985 Oct 14  2021 ansible.cfg
-rw-r--r--. 1 root root 19985 Feb  7 06:16 ansible.cfg.org
-rw-r--r--. 1 root root  1016 Oct 14  2021 hosts
drwxr-xr-x. 2 root root     6 Oct 14  2021 roles

 

▷설정파일 디렉터리 위치들 확인

 

>> [privilege_escalation] 

>> become = true 만 넣어줘도 된다

>> 나머지 항목은 모두 default 이다

>> become_ask_pass = false 도 default

>> escaltion 은 오타이니 항상 주의

오타 escalation

 

>> 오타로 인한 root 권한 사용 안됨

정상 작동

## rc = 0 는 제대로 작동 했다는 뜻

## echo $? 의 값이라고 생각하자

[opuser@control sample]$ echo $?
0

 

 

▷ 마지막에 node1..3 등록

[ /etc/ansible/hosts ]

[devops@control ansible]$ cat hosts
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
#   - Comments begin with the '#' character
#   - Blank lines are ignored
#   - Groups of hosts are delimited by [header] elements
#   - You can enter hostnames or ip addresses
#   - A hostname/ip can be a member of multiple groups

# Ex 1: Ungrouped hosts, specify before any group headers.

## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10

# Ex 2: A collection of hosts belonging to the 'webservers' group

## [webservers]
## alpha.example.org
## beta.example.org
## 192.168.1.100
## 192.168.1.110

# If you have multiple hosts following a pattern you can specify
# them like this:

## www[001:006].example.com

# Ex 3: A collection of database servers in the 'dbservers' group

## [dbservers]
##
## db01.intranet.mydomain.net
## db02.intranet.mydomain.net
## 10.25.1.56
## 10.25.1.57

# Here's another example of host ranges, this time there are no
# leading 0s:

## db-[99:101]-node.example.com
node1.example.com
node2.example.com
node3.example.com

 

▶ ping module을 사용한다

>> SUCCESS가 뜨면 성공 

>> 앤서블로 관리 가능하다는 뜻

>> all 은 모든 장비와 모든 그룹을 의미한다

[devops@control ~]$ ansible all -m ping
node3.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
node1.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
node2.example.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

 

>> 본격적인 시작

[devops@control test]$ vim inventory
[devops@control test]$ cat inventory
node3

[webserver]
# [] 는 장비 그룹을 의미
node1
node2

#[dbserver]

#node4
#node5

https://medium.com/@wintonjkt/ansible-101-getting-started-1daaff872b64

 

Ansible 101 Getting Started

Ansible is an agentless automation that automates deployment, configuration management (maintain infrastructure consistency) and…

medium.com

한번에 뿌리지만, 먼저 처리한 것부터 보여주므로 차례대로 node 123으로 뜨지 않는다

 

 

▷ 설정파일 참조 순서는 현재 디렉토리의 ansible.cfg 를 가장 먼저 참조

>> 두번째는 $HOME/.ansible.cfg 

## 히든파일 속성으로 되어있다 >> . 을 붙인다

>>>> 마지막으로 /etc/ansible/ansible.cfg 를 참조한다

[devops@control test]$ vim ansible.cfg
[devops@control test]$ cat ansible.cfg
[defaults]
inventory = ./inventory

[devops@control test]$ ll
total 8
-rw-rw-r--. 1 devops devops 36 Feb  7 06:46 ansible.cfg
-rw-rw-r--. 1 devops devops 92 Feb  7 06:44 inventory

 

>> fingerprint(지문) 저장이 안되어있기 때문에 안된다

>> ssh node1..3 을 접속하고 저장시키고 진행해야 한다

[devops@control test]$ ansible all -m ping
The authenticity of host 'node2 (192.168.110.30)' can't be established.
ECDSA key fingerprint is SHA256:8cKvJKEsqrG5ZOKFr8N8o/sA+RyEh8BezGjiesyKm2Y.
ECDSA key fingerprint is MD5:cc:a5:23:eb:d2:50:c9:2d:1a:81:45:94:86:e2:63:a4.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'node3 (192.168.110.40)' can't be established.
ECDSA key fingerprint is SHA256:CiiP+eUwXwhc5qegjmiFdnoGXkVgbLLz6zmFwfLy5hk.
ECDSA key fingerprint is MD5:68:9f:f6:03:a8:52:42:90:67:19:f6:3e:5b:93:fb:18.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'node1 (192.168.110.20)' can't be established.
ECDSA key fingerprint is SHA256:dJUzL1q0e45rkPCjG9Gvii2kqv9JNMsSSlSUzpoh1Ts.
ECDSA key fingerprint is MD5:90:fd:e8:8b:48:a2:74:2e:10:33:43:2f:53:1c:4a:ed.
Are you sure you want to continue connecting (yes/no)? yes
node2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

node3 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Host key verification failed.",
    "unreachable": true
}

node1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Host key verification failed.",
    "unreachable": true
}

 

▷ ansible.cfg 를 참조했다

[devops@control test]$ ansible all -m ping
node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
node2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
node3 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

 

▷ ping 커맨드가 아닌 ping module 이다

>> module 도움말 보는 명령어 ansible-doc

>> ping module의 소스 파일 위치 확인 가능

>> 리턴 관련해서 적혀있다

[devops@control test]$ ansible-doc ping
> PING    (/usr/lib/python2.7/site-packages/ansible/modules/system/ping.py)
.........
......
RETURN VALUES:

ping:
    description: value provided with the data parameter
    returned: success
    type: str
    sample: pong

 

▷ 셀스크립트 짤 필요 없이 내가 쓸 리눅스 command 사용 가능하다

>> - a  :  argument

>> 성공하면 CHANGED 가 발생한다

( command 모듈은 멱등성이 없으므로, 잘 사용 안한다 )

( 그저 출력한 것 뿐인데 CHANGED라고 출력 )

[devops@control test]$ ansible all -m command -a 'hostname'
node3 | CHANGED | rc=0 >>
node3.example.com
node2 | CHANGED | rc=0 >>
node2.example.com
node1 | CHANGED | rc=0 >>
node1.example.com

 

>> command module은 디폴트이므로 생략 가능

[devops@control test]$ ansible all -a 'whoami'
node3 | CHANGED | rc=0 >>
devops
node2 | CHANGED | rc=0 >>
devops
node1 | CHANGED | rc=0 >>
devops

 

▷ devops 권한으로 커맨드 모듈이 실행된다

>> 되기는 하지만, 불편하므로 ansible은 sudo로 사용 안한다

[devops@control test]$ ansible all -a 'useradd auser1'
node2 | FAILED | rc=2 >>
[Errno 2] No such file or directory
node1 | FAILED | rc=2 >>
[Errno 2] No such file or directory
node3 | FAILED | rc=2 >>
[Errno 2] No such file or directory
[devops@control test]$ ansible all -a 'sudo useradd auser1'
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather
than running sudo
node1 | CHANGED | rc=0 >>

node2 | CHANGED | rc=0 >>

node3 | CHANGED | rc=0 >>

[devops@control test]$ ansible all -a 'ls /home'
node3 | CHANGED | rc=0 >>
auser1
devops
vagrant
node2 | CHANGED | rc=0 >>
auser1
devops
vagrant
node1 | CHANGED | rc=0 >>
auser1
devops
kdhong
vagrant

 

▷ 권한 상승 ( - - become )

[devops@control test]$ ansible all -a 'useradd auser2' --become --become-method=sudo
node2 | CHANGED | rc=0 >>

node3 | CHANGED | rc=0 >>

node1 | CHANGED | rc=0 >>

 

▶ ansible.cfg 내용 추가

 

>> root 권한으로 나온다 >> privelege_escalation  >> become = true

[devops@control test]$ ansible all -a 'whoami'
node2 | CHANGED | rc=0 >>
root
node1 | CHANGED | rc=0 >>
root
node3 | CHANGED | rc=0 >>
root

 

 

▦ 커맨드 모듈은 멱등성을 보장 못한다

 

▶ user 모드가 따로 있다

>> ansible-doc 를 보고 명령어를 입력해야 한다

>> mandatory 같은 필수 조건은 빠지면 안된다

>> webserver 는 그룹명 / 그룹명이 안되면 all 사용

>>>> node3이 안만들어진 이유

>> 멱등성 때문에 create가 아닌 present라고 입력해야 한다

[devops@control test]$ ansible-doc user
[devops@control test]$ ansible webserver -m user -a 'name=auser5 shell=/bin/cssstate=present'

 

>> 다시 입력하면 그냥 성공으로 뜬다

>> 멱등성으로 인해서 이미 존재하므로 성공

 

>>> 생략해도 필수 요소인 name을 넣었으므로 만들어진다

 

 

저작자표시 비영리 변경금지

'Ansible' 카테고리의 다른 글

Ansible 환경 변수 / DB 연동  (0) 2024.02.08
yaml syntax  (0) 2024.02.07
공개키 옛날처럼 전달 / PGP,GPG  (0) 2024.02.07
Ansible 시작 [ 공개키 / 개인키 ]  (0) 2024.02.06
직접 Vagrant file 만들기  (0) 2024.02.06
공지사항
최근에 올라온 글
최근에 달린 댓글
Total
Today
Yesterday
링크
TAG
more
«   2024/09   »
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30
글 보관함