3. Ansible配置文件管理

配置文件优先级

ansible的配置文件名为ansible.cfg，它一般会存在于四个地方：

ANSIBLE_CONFIG：首先，Ansible命令会检查该环境变量，及这个环境变量将指向的配置文件
./ansible.cfg：当前工作目录，即当前执行ansible指令的目录，如果ANSIBEL_CONFIG环境变量未定义，则优先使用该配置文件
~/.ansible.cfg：当前用户家目录下的一个隐藏文件，如果当前工作目录下不存在ansible.cfg配置文件，则会查找用户家目录下的该隐藏文件
/etc/ansible/ansible.cfg：默认配置文件，如果上面两个路径下的ansible.cfg都不存在，则使用该文件

需要说明的是，配置文件中所有的配置项都可以通过环境变量的方式来定义，而环境变量定义的配置项具有最高优先级，会覆盖掉所有配置文件中的配置项

配置文件详解

配置文件分段说明

ansible.cfg的配置默认分为十段：

[defaults]：通用配置项
[inventory]：与主机清单相关的配置项
[privilege_escalation]：特权升级相关的配置项
[paramiko_connection]：使用paramiko连接的相关配置项，Paramiko在RHEL6以及更早的版本中默认使用的ssh连接方式
[ssh_connection]：使用OpenSSH连接的相关配置项，OpenSSH是Ansible在RHEL6之后默认使用的ssh连接方式
[persistent_connection]：持久连接的配置项
[accelerate]：加速模式配置项
[selinux]：selinux相关的配置项
[colors]：ansible命令输出的颜色相关的配置项
[diff]：定义是否在运行时打印diff（变更前与变更后的差异）

配置参数说明

 [default]
inventory      = /etc/ansible/hosts
remote_user    = root
ask_pass       = false
log_path       = ./ansible.log
 
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
 
[ssh_connection]
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s 
host_key_checking = False

配置项说明：

inventory：定义默认使用的主机清单
remote_user： ansible在操作远程主机时，使用远程主机上的哪个用户身份，默认是root
ask_pass：ansible在操作远程主机时，获取远程主机上的用户身份，是否交互提示密码验证，默认为true。如果使用密钥认证的话，建议将其设置为false
log_path：默认ansible 执行的时候，并不会输出日志到文件，打开该配置项，所有的命令执行后，都会将日志输出到/var/log/ansible.log文件。
become：如果ansible在操作远程主机时，使用的是远程主机上的普通用户，该普通用户是否允许提权
become_method：如果允许提权，使用何种提权方式，默认是sudo
become_user：提权到哪个用户身份，默认是root
become_ask_pass：提权时，是否交互提示密码验证，默认为False
ssh_args：ansible通过ssh连接远程被管理机，这里用于定义一些ssh连接时的参数，如-C启用压缩传输，ControlPersist用于提升性能。
private_key_file：指定本地私钥路径
host_key_checking：通过ssh首次连接远程主机时，由于在本机的~/.ssh/known_hosts文件中并有fingerprint key串，ssh第一次连接的时候一般会提示输入yes/no进行确认将key字符串加入到~/.ssh/known_hosts文件中。将此项设置为False将跳过该确认过程。

提权配置

在ansible.cfg中配置提权是针对所有的playbook和任务，如果需要针对某个playbook和task设置提权操作，则需要以下配置参数：

配置参数	变量	命令行参数
become	ansible_become	—become or -b
become_method	ansible_become_method	—become-method=sudo
become_user	ansible_become_user	—become-user=root
become_password	ansible_become_password	—ask-become-pass or -K

在playbook中定义提权

 ---
- name: Become the user "manager"
 hosts: webservers
 become: true
 tasks:
 - name: Show the user used by this play
 debug:
 var: ansible_user_id
- name: Do not use privilege escalation
 hosts: webservers
 become: false
 tasks:
 - name: Show the user used by this play
 debug:
 var: ansible_user_id

在task中定义提权

 ---
- name: Become the user "manager"
  hosts: webservers
  become: true
  tasks:
   - name: Show the user used by this play
     debug:
     var: ansible_user_id #打印被控端是哪个用户执行操作
- name: Do not use privilege escalation
   hosts: webservers
   become: false
   tasks:
   - name: Show the user used by this play
     debug:
     var: ansible_user_id

在tasks中定义提权

 ---
- name: Play with two tasks, one uses privilege escalation
   hosts: all
   become: false
   tasks:
     - name: This task needs privileges
       yum:
         name: perl
         state: installed
       become: true

在block中定义提权

 ---
- name: Deploy web services
   hosts: webservers
   become: false
   tasks:
     - block:
       become: true
       - name: Ensure httpd is installed
         yum:
           name: httpd
           state: installed
       - name: Start and enable webserver
         service:
           name: httpd
           state: started
           enabled: yes

在role中定义提权

 - name: Example play with one role
   hosts: localhost
   roles:
   - role: role-name
     become: true

定义变量设置提权

 # 主机组定义变量
webservers:
 hosts:
   servera.lab.example.com:
   serverb.lab.example.com:
 vars:
   ansible_become: true
 
# 主机定义变量 
webservers:
 hosts:
   servera.lab.example.com:
     ansible_become: true
   serverb.lab.example.com:
 
# playbook中定义变量
---
- name: Example play using connection variables
  hosts: webservers
     vars:
       ansible_become: true
  tasks:
     - name: Play will use privilege escalation even if inventory says no
       yum:
         name: perl
         state: installed

	[default]
	inventory = /etc/ansible/hosts
	remote_user = root
	ask_pass = false
	log_path = ./ansible.log

	[privilege_escalation]
	become=True
	become_method=sudo
	become_user=root
	become_ask_pass=False

	[ssh_connection]
	ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
	host_key_checking = False

	---
	- name: Become the user "manager"
	hosts: webservers
	become: true
	tasks:
	- name: Show the user used by this play
	debug:
	var: ansible_user_id
	- name: Do not use privilege escalation
	hosts: webservers
	become: false
	tasks:
	- name: Show the user used by this play
	debug:
	var: ansible_user_id

	---
	- name: Play with two tasks, one uses privilege escalation
	hosts: all
	become: false
	tasks:
	- name: This task needs privileges
	yum:
	name: perl
	state: installed
	become: true

	---
	- name: Deploy web services
	hosts: webservers
	become: false
	tasks:
	- block:
	become: true
	- name: Ensure httpd is installed
	yum:
	name: httpd
	state: installed
	- name: Start and enable webserver
	service:
	name: httpd
	state: started
	enabled: yes

	- name: Example play with one role
	hosts: localhost
	roles:
	- role: role-name
	become: true

	# 主机组定义变量
	webservers:
	hosts:
	servera.lab.example.com:
	serverb.lab.example.com:
	vars:
	ansible_become: true

	# 主机定义变量
	webservers:
	hosts:
	servera.lab.example.com:
	ansible_become: true
	serverb.lab.example.com:

	# playbook中定义变量
	---
	- name: Example play using connection variables
	hosts: webservers
	vars:
	ansible_become: true
	tasks:
	- name: Play will use privilege escalation even if inventory says no
	yum:
	name: perl
	state: installed

RHCA447-Ansible-3-配置文件管理

3. Ansible配置文件管理

目录

配置文件优先级

配置文件详解

配置文件分段说明

配置参数说明

提权配置