Ansible Playbooks高級使用

文件操作

文件創建

• file

用於設置文件/鏈接/目錄的屬性，或者刪除文件/鏈接/目錄

### state如果是directory當目錄不存在時會自動創建；如果是file當文件不存在時不會自動創建
- name: Create log dir
  file:
    path: "{{ item.src }}"
    state: directory
  with_items: "{{ log_dirs }}"
  when: is_metal | bool
  tags:
    - common-log

- name: Mask lxc-net systemd service
  file:
    src: /dev/null
    path: /etc/systemd/system/lxc-net.service
    state: link
  when:
    - ansible_service_mgr == 'systemd'
  tags:
    - lxc-files
    - lxc-net

修改文件

• lineinfile

用於檢測文件是否存在特殊行或者使用后端正則表達式來替換匹配到的特殊行

- name: Extra lxc config
  lineinfile:
    dest: "/var/lib/lxc/{{ inventory_hostname }}/config"
    line: "{{ item.split('=')[0] }} = {{ item.split('=', 1)[1] }}"
    insertafter: "^{{ item.split('=')[0] }}"
    backup: "true"
  with_items: "{{ extra_container_config | default([]) }}"
  delegate_to: "{{ physical_host }}"
  register: _ec
  when: not is_metal | bool
  tags:
    - common-lxc

• replace

lineinfile的多行匹配版本，此模塊會在文件中插入一段內容，並在內容開始和結束位置設置標簽，后續可以使用標簽可以對此塊內容進行操作

### 在ml2_conf.ini文件的[ml2]和[ml2_type_vlan]字段之間插入一段內容
- name: Enable ovn in neutron-server
  replace:
    dest: "{{ node_config_directory }}/neutron-server/ml2_conf.ini"
    regexp: '\[ml2\][\S\s]*(?=\[ml2_type_vlan\])'
    replace: |+
      [ml2]
      type_drivers = local,flat,vlan,geneve
      tenant_network_types = geneve
      mechanism_drivers = ovn
      extension_drivers = port_security
      overlay_ip_version = 4

      [ml2_type_geneve]
      vni_ranges = 1:65536
      max_header_size = 38

      [ovn]
      ovn_nb_connection = tcp:{{ api_interface_address }}:{{ ovn_northdb_port }}
      ovn_sb_connection = tcp:{{ api_interface_address }}:{{ ovn_sourthdb_port }}
      ovn_l3_mode = False
      ovn_l3_scheduler = chance
      ovn_native_dhcp = True
      neutron_sync_mode = repair
    backup: yes
  when:
    - action == "deploy"
    - inventory_hostname in groups['network']
  notify:
    - Restart neutron-server container

• ini_file

ini后綴格式文件修改

### 設置l3_agent.ini文件[DEFAULT]字段的external_network_bridge選項值為br-ex
- name: Set the external network bridge
  vars:
      agent: "{{ 'neutron-vpnaas-agent' if enable_neutron_vpnaas | bool else 'neutron-l3-agent' }}"
  ini_file:
      dest: "{{ node_config_directory }}/{{ agent }}/l3_agent.ini"
      section: "DEFAULT"
      option: "external_network_bridge"
      value: "{{ neutron_bridge_name | default('br-ex') }}"
      backup: yes
  when:
      - action == "deploy"
      - inventory_hostname in ovn_central_address
  delegate_to: "{{ item }}"
  with_items: "{{ groups['neutron-server'] }}"
  notify:
      - Restart {{ agent }} container

• assemble

將多個文件聚合成一個文件

### 將/etc/haproxy/conf.d目錄下的文件內容聚合成/etc/haproxy/haproxy.cfg文件
- name: Regenerate haproxy configuration
  assemble:
    src: "/etc/haproxy/conf.d"
    dest: "/etc/haproxy/haproxy.cfg"
  notify: Restart haproxy
  tags:
    - haproxy-general-config

循環控制

• with_items

標准循環，用於執行重復任務，{{ item }}類似宏展開

- name: add several users
  user:
    name: "{{ item.name }}"
    state: present
    groups: "{{ item.groups }}"
  with_items:
    - { name: 'testuser1', groups: 'wheel' }
    - { name: 'testuser2', groups: 'root' }

• with_nested

嵌套循環

### 修改neutron-server組所有主機的ml2_conf.ini文件的對應字段值
- name: Enable ovn in neutron-server
  vars:
    params:
      - { section: 'ml2', option: 'type_drivers', value: 'local,flat,vlan,geneve' }
      - { section: 'ml2', option: 'tenant_network_types', value: 'geneve' }
      - { section: 'ml2', option: 'mechanism_drivers', value: 'ovn' }
      - { section: 'ml2', option: 'extension_drivers', value: 'port_security' }
      - { section: 'ml2', option: 'overlay_ip_version', value: '4' }
      - { section: 'securitygroup', option: 'enable_security_group', value: 'True' }
  ini_file:
    dest: "{{ node_config_directory }}/neutron-server/ml2_conf.ini"
    section: "{{ item[0].section }}"
    option: "{{ item[0].option }}"
    value: "{{ item[0].value }}"
    backup: yes
  when:
    - action == "deploy"
    - inventory_hostname in ovn_central_address
  delegate_to: "{{ item[1] }}"
  with_nested:
    - "{{ params }}"
    - "{{ groups['neutron-server'] }}"
  notify:
    - Restart neutron-server container

流程控制

• tags

設置任務標簽

tasks:
    - yum: name={{ item }} state=installed
      with_items:
         - httpd
         - memcached
      tags:
         - packages

    - template: src=templates/src.j2 dest=/etc/foo.conf
      tags:
         - configuration

### 執行playbook可以指定只執行標簽對應任務或跳過標簽對應任務
# ansible-playbook example.yml --tags "configuration,packages"
# ansible-playbook example.yml --skip-tags "notification"

• fail_when

用來控制playbook退出

- name: Check if firewalld is installed
  command: rpm -q firewalld
  register: firewalld_check
  failed_when: firewalld_check.rc > 1
  when: ansible_os_family == 'RedHat'

• pre_tasks/post_tasks

用來設置在執行roles模塊之前和之后需要執行的任務

- name: Install the aodh components
  hosts: aodh_all
  gather_facts: "{{ gather_facts | default(True) }}"
  max_fail_percentage: 20
  user: root
  pre_tasks:
    - include: common-tasks/os-lxc-container-setup.yml
    - include: common-tasks/rabbitmq-vhost-user.yml
      static: no
      vars:
        user: "{{ aodh_rabbitmq_userid }}"
        password: "{{ aodh_rabbitmq_password }}"
        vhost: "{{ aodh_rabbitmq_vhost }}"
        _rabbitmq_host_group: "{{ aodh_rabbitmq_host_group }}"
      when:
        - inventory_hostname == groups['aodh_api'][0]
        - groups[aodh_rabbitmq_host_group] | length > 0
    - include: common-tasks/os-log-dir-setup.yml
      vars:
        log_dirs:
          - src: "/openstack/log/{{ inventory_hostname }}-aodh"
            dest: "/var/log/aodh"
    - include: common-tasks/mysql-db-user.yml
      static: no
      vars:
        user_name: "{{ aodh_galera_user }}"
        password: "{{ aodh_container_db_password }}"
        login_host: "{{ aodh_galera_address }}"
        db_name: "{{ aodh_galera_database }}"
      when: inventory_hostname == groups['aodh_all'][0]
    - include: common-tasks/package-cache-proxy.yml
  roles:
    - role: "os_aodh"
      aodh_venv_tag: "{{ openstack_release }}"
      aodh_venv_download_url: "{{ openstack_repo_url }}/venvs/{{ openstack_release }}/{{ ansible_distribution | lower }}/aodh-{{ openstack_release }}-{{ ansible_architecture | lower }}.tgz"
    - role: "openstack_openrc"
      tags:
        - openrc
    - role: "rsyslog_client"
      rsyslog_client_log_rotate_file: aodh_log_rotate
      rsyslog_client_log_dir: "/var/log/aodh"
      rsyslog_client_config_name: "99-aodh-rsyslog-client.conf"
      tags:
        - rsyslog
  vars:
    is_metal: "{{ properties.is_metal|default(false) }}"
    aodh_rabbitmq_userid: aodh
    aodh_rabbitmq_vhost: /aodh
    aodh_rabbitmq_servers: "{{ rabbitmq_servers }}"
    aodh_rabbitmq_port: "{{ rabbitmq_port }}"
    aodh_rabbitmq_use_ssl: "{{ rabbitmq_use_ssl }}"
  tags:
    - aodh

主機路由

• delegate_to

可以將當前任務放到其他hosts上執行

### 這是一段在容器中執行的playbook的一部分，這時候需要檢測容器所在的宿主機上的對應目錄是否存在，這時候就需要用到委托來跳出當前容器到宿主機上執行當前任務
- name: Ensure mount directories exists
  file:
    path: "{{ item['mount_path'] }}"
    state: "directory"
  with_items:
    - "{{ lxc_default_bind_mounts | default([]) }}"
    - "{{ list_of_bind_mounts | default([]) }}"
  delegate_to: "{{ physical_host }}"
  when:
    - not is_metal | bool
  tags:
    - common-lxc

• local_action

將任務放在ansible控制主機（運行ansible-playbook的主機）上執行

- name: Check if the git cache exists on deployment host
  local_action:
    module: stat
    path: "{{ repo_build_git_cache }}"
  register: _local_git_cache
  when: repo_build_git_cache is defined

用戶和用戶組控制

• group

創建用戶組

### 創建系統管理員組haproxy，present表示不存在創建，absent表示存在刪除
- name: Create the haproxy system group
  group:
    name: "haproxy"
    state: "present"
    system: "yes"
  tags:
    - haproxy-group

• user

創建用戶

### 創建haproxy：haproxy用戶，並創建home目錄
- name: Create the haproxy system user
  user:
    name: "haproxy"
    group: "haproxy"
    comment: "haproxy user"
    shell: "/bin/false"
    system: "yes"
    createhome: "yes"
    home: "/var/lib/haproxy"
  tags:
    - haproxy-user

其他

• authorized_key

添加用戶的SSH認證key

- name: Create authorized keys file from host vars
  authorized_key:
    user: "{{ repo_service_user_name }}"
    key: "{{ hostvars[item]['repo_pubkey'] | b64decode }}"
  with_items: "{{ groups['repo_all'] }}"
  when: hostvars[item]['repo_pubkey'] is defined
  tags:
    - repo-key
    - repo-key-store

• slurp

用來讀取遠程主機上文件內容是base64加密的文件

### 讀取id_rsa.pub文件的內容，並設置到變量repo_pub中
- name: Get public key contents and store as var
  slurp:
    src: "{{ repo_service_home_folder }}/.ssh/id_rsa.pub"
  register: repo_pub
  changed_when: false
  tags:
    - repo-key
    - repo-key-create

• uri

web訪問，類似執行curl命令

- name: test proxy URL for connectivity
  uri:
    url: "{{ repo_pkg_cache_url }}/acng-report.html"
    method: "HEAD"
  register: proxy_check
  failed_when: false
  tags:
    - common-proxy

• wait_for

等待一個端口變得可用或者等待一個文件變得可用

- name: Wait for container ssh
  wait_for:
    port: "22"
    delay: "{{ ssh_delay }}"
    search_regex: "OpenSSH"
    host: "{{ ansible_host }}"
  delegate_to: "{{ physical_host }}"
  register: ssh_wait_check
  until: ssh_wait_check | success
  retries: 3
  when:
    - (_mc is defined and _mc | changed) or (_ec is defined and _ec | changed)
    - not is_metal | bool
  tags:
    - common-lxc

• command

執行shell命令

### ignore_errors為true表示命令執行出錯也不會退出playbook
- name: Check if clean is needed
  command: docker exec openvswitch_vswitchd ovs-vsctl br-exists br-tun
  register: result
  ignore_errors: True

切換用戶

### 使用become會先切換成apache用戶，再執行command命令，默認become_user用戶為root（如果你ansible配置的就是root用戶的免密碼登入那就不需要become了）
- name: Run a command as the apache user
  command: somecommand
  become: true
  become_user: apache

檢測鏈表是否為空

### pip_wheel_install為鏈表變量
- name: Install wheel packages
  shell: cd /tmp/wheels && pip install {{ item }}*
  with_items:
    - "{{ pip_wheel_install | default([]) }}"
  when: pip_wheel_install > 0