Scheduled tasks
Supported time fields: minute, hour, day, month, weekday
Parameters
Parameter | Comments |
---|---|
backup boolean | If set, create a backup of the crontab before it is modified. Default choice is false. The location of the backup is returned in the backup_file variable by this module. |
name string / required | Description of a crontab entry or, if env is set, the name of environment variable. This parameter is always required as of ansible-core 2.12. |
job aliases: value string | The command to execute or, if env is set, the value of environment variable. The command should not contain line breaks. Required if state=present. |
disabled boolean | If the job should be disabled (commented out) in the crontab. Only has effect if state=present. Default choice is false. |
state string | Whether to ensure the job or environment variable is present or absent. Choices: "absent", "present" (default) |
env boolean | If set, manages a crontab’s environment variable. New variables are added on top of crontab. [name] and [value] parameters are the name and the value of environment variable. Default choice is false. |
insertafter string | Used with state=present and [env]. If specified, the environment variable will be inserted after the declaration of specified environment variable. |
insertbefore string | Used with state=present and [env]. If specified, the environment variable will be inserted before the declaration of specified environment variable. |
minute string | Minute when the job should run (0-59, *, */2, and so on). Default: "*" |
hour string | Hour when the job should run (0-23, *, */2, and so on). Default: "*" |
day aliases: dom string | Day of the month the job should run (1-31, *, */2, and so on). Default: "*" |
month string | Month of the year the job should run (1-12, *, */2, and so on). Default: "*" |
weekday aliases: dow string | Day of the week that the job should run (0-6 for Sunday-Saturday, *, and so on). Default: "*" |
special_time string | Special time specification nickname. Choices: "annually", "daily", "hourly", "monthly", "reboot", "weekly", "yearly" |
user string | The specific user whose crontab should be modified. When unset, this parameter defaults to the current user. |
ad-hoc
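Format: ansible hostname -m cron -a "cmd"
# Create a scheduled task that runs the /opt/mysql_backup.sh script at 2:30 from Monday to Friday; the task is named backup mysql
Manage software packages. Only RHEL, CentOS and Fedora are supported; Ubuntu and other distributions are not.
Parameters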
Parameter | Comments |
---|---|
conf_file string | The remote yum configuration file to use for the transaction. |
disablerepo list / elements=string | Repoid of repositories to disable for the install/update operation. These repos will not persist beyond the transaction. When specifying multiple repos, separate them with a ",". As of Ansible 2.7, this can alternatively be a list instead of "," separated string. Default: [] |
enablerepo list / elements=string | Repoid of repositories to enable for the install/update operation. These repos will not persist beyond the transaction. When specifying multiple repos, separate them with a ",". As of Ansible 2.7, this can alternatively be a list instead of "," separated string. Default: [] |
exclude list / elements=string | Package name(s) to exclude when state=present, or latest. Default: [] |
name aliases: pkg list / elements=string | A package name or package specifier with version, like name-1.0. Comparison operators for package version are valid here: >, <, >=, <=. Example: name>=1.0. If a previous version is specified, the task also needs to turn [allow_downgrade] on. See the [allow_downgrade] documentation for caveats with downgrading packages. When using state=latest, this can be '*' which means run yum -y update. You can also pass a url or a local path to an rpm file (using state=present). To operate on several packages this can accept a comma separated string of packages or (as of 2.0) a list of packages. Default: [] |
list string | Package name to run the equivalent of yum list --show-duplicates <package> against. In addition to listing packages, you can also list the following: installed, updates, available and repos. This parameter is mutually exclusive with [name]. |
state string | Whether to install (present or installed, latest), or remove (absent or removed) a package. present and installed will simply ensure that a desired package is installed. latest will update the specified package if it’s not of the latest available version. absent and removed will remove the specified package. Default is None. Choices: "absent", "installed", "latest", "present", "removed" |
ad-hoc
Format: ansible hostname -m yum -a "cmd"
# Install packages; separate multiple packages with commas; present can be omitted
Manage yum repositories
Parameters
Parameter | Comments |
---|---|
baseurl list / elements=string | URL to the directory where the yum repository’s ‘repodata’ directory lives. It can also be a list of multiple URLs. This, the [metalink] or [mirrorlist] parameters are required if [state] is set to present. |
description string | A human readable string describing the repository. This option corresponds to the “name” property in the repo file. This parameter is only required if [state] is set to present. |
enabled boolean | This tells yum whether or not to use this repository. Yum default value is true. Choices: false, true |
file string | File name without the .repo extension to save the repo in. Defaults to the value of [name]. |
gpgcakey string | A URL pointing to the ASCII-armored CA key file for the repository. |
gpgcheck boolean | Tells yum whether or not it should perform a GPG signature check on packages. No default setting. If the value is not set, the system setting from /etc/yum.conf or system default of false will be used. Choices: false, true |
gpgkey list / elements=string | A URL pointing to the ASCII-armored GPG key file for the repository. It can also be a list of multiple URLs. |
include string | Include external configuration file. Both local path and URL are supported. Configuration file will be inserted at the position of the include= line. Included files may contain further include lines. Yum will abort with an error if an inclusion loop is detected. |
keepcache string | Either 1 or 0. Determines whether or not yum keeps the cache of headers and packages after successful installation. This parameter is deprecated and will be removed in version 2.20. Choices: "0", "1" |
metalink string | Specifies a URL to a metalink file for the repomd.xml, a list of mirrors for the entire repository are generated by converting the mirrors for the repomd.xml file to a [baseurl]. This, the [baseurl] or [mirrorlist] parameters are required if [state] is set to present. |
mirrorlist string | Specifies a URL to a file containing a list of baseurls. This, the [baseurl] or [metalink] parameters are required if [state] is set to present. |
name string / required | Unique repository ID. This option builds the section name of the repository in the repo file. This parameter is only required if [state] is set to present or absent. |
priority string | Enforce ordered protection of repositories. The value is an integer from 1 to 99. This option only works if the YUM Priorities plugin is installed. |
state string | State of the repo file. Choices: "absent", "present" ← (default) |
ad-hoc
Format: ansible hostname -m yum_repository -a "cmd"
ansible all -m yum_repository -a 'file=nginx name=nginx description="nginx repo" baseurl="http://nginx.org/packages/centos/$releasever/$basearch/" state=present enabled=yes gpgcheck=no'
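The ad-hoc command above fetches packages over plain HTTP with gpgcheck=no, so nothing verifies what gets installed. The playbook below is an added example, not part of the original page, showing the same repository with signature checking turned on; the gpgkey URL is nginx.org's published signing key, and the read-back check and task layout are assumptions of this example.

```yaml
# Added example: hardened form of the nginx repository definition.
# Assumes CentOS/RHEL targets in the "all" group.
- name: Configure the nginx repository with signature checking
  hosts: all
  become: true
  tasks:
    - name: Add the nginx repo over HTTPS with GPG verification enabled
      ansible.builtin.yum_repository:
        name: nginx
        file: nginx
        description: nginx repo
        baseurl: https://nginx.org/packages/centos/$releasever/$basearch/
        enabled: true
        gpgcheck: true    # the ad-hoc form used gpgcheck=no
        gpgkey: https://nginx.org/keys/nginx_signing.key
        state: present

    - name: Read back the rendered repo file
      ansible.builtin.slurp:
        src: /etc/yum.repos.d/nginx.repo
      register: repo_file

    - name: Fail if the repo is unsigned or still served over plain HTTP
      ansible.builtin.assert:
        that:
          - (repo_file.content | b64decode) is search('gpgcheck\s*=\s*1')
          - (repo_file.content | b64decode) is not search('baseurl\s*=\s*http://')
        fail_msg: nginx.repo is not enforcing signed packages over HTTPS

    - name: Install nginx from the verified repository
      ansible.builtin.yum:
        name: nginx
        state: present
```

Compare the signing key's fingerprint against the one published by the vendor before rolling this out, since the key is fetched from the same origin as the packages.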
Manage services
Parameters
Parameter | Comments |
---|---|
name string / required | Name of the service. |
enabled boolean | Whether the service should start on boot. **At least one of state and enabled are required.** Choices: false, true |
state string | started/stopped are idempotent actions that will not run commands unless necessary. restarted will always bounce the service. reloaded will always reload. At least one of state and enabled are required. Note that reloaded will start the service if it is not already started, even if your chosen init system wouldn’t normally. Choices: "reloaded", "restarted", "started", "stopped" |
sleep integer | If the service is being restarted then sleep this many seconds between the stop and start command. This helps to work around badly-behaving init scripts that exit immediately after signaling a process to stop. Not all service managers support sleep, i.e. when using systemd this setting will be ignored. |
ad-hoc
Format: ansible hostname -m service -a "cmd"
# Start the service and enable it at boot
Manage users
Parameters
Parameter | Comments |
---|---|
name aliases: user string / required | Name of the user to create, remove or modify. |
comment string | Optionally sets the description (aka GECOS) of user account. On macOS, this defaults to the [name] option. |
uid integer | Optionally sets the UID of the user. |
group string | Optionally sets the user’s primary group (takes a group name). On macOS, this defaults to 'staff'. |
create_home aliases: createhome boolean | Unless set to false, a home directory will be made for the user when the account is created or if the home directory does not exist. Default choice is true. |
home path | Optionally set the user’s home directory. |
force boolean | This only affects state=absent, it forces removal of the user and associated directories on supported platforms. The behavior is the same as userdel --force. When used with generate_ssh_key=yes this forces an existing key to be overwritten. Default choice is false. |
generate_ssh_key boolean | Whether to generate a SSH key for the user in question. This will not overwrite an existing SSH key unless used with force=yes. Default choice is false. |
non_unique boolean | Optionally when used with the -u option, this option allows to change the user ID to a non-unique value. Default choice is false. |
system boolean | When creating an account state=present, setting this to true makes the user a system account. This setting cannot be changed on existing users. Default choice is false. |
password string | If provided, set the user’s password to the provided encrypted hash (Linux) or plain text password (macOS). Linux/Unix/POSIX: Enter the hashed password as the value. |
remove boolean | This only affects state=absent, it attempts to remove directories associated with the user. The behavior is the same as userdel --remove, check the man page for details and support. Default choice is false. |
shell string | Optionally set the user’s shell. |
state string | Whether the account should exist or not, taking action if the state is different from what is stated. See this FAQ entry for additional requirements when removing users on macOS systems. Choices: "absent", "present" ← (default) |
ad-hoc
Format: ansible hostname -m user -a "cmd"
# Create a user, specifying the user name, description, UID, home directory and group
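The password parameter in the table above expects a crypt hash on Linux, not the clear-text password. The playbook below is an added example, not part of the original page, that creates an account this way; the account name, UID/GID and the vaulted variable vault_deploy_password are hypothetical.

```yaml
# Added example: create a user whose password is supplied as a hash.
# Assumes vault_deploy_password is defined in an Ansible Vault encrypted
# vars file, so the clear text never appears in the playbook or inventory.
- name: Create a user with a hashed password
  hosts: all
  become: true
  tasks:
    - name: Ensure the primary group exists
      ansible.builtin.group:
        name: deploy
        gid: 2000
        state: present

    - name: Create the account
      ansible.builtin.user:
        name: deploy
        comment: Deployment account
        uid: 2000
        group: deploy
        home: /home/deploy
        shell: /bin/bash
        # password_hash turns the clear text into a SHA-512 crypt string,
        # which is the form the module expects on Linux.
        password: "{{ vault_deploy_password | password_hash('sha512') }}"
        # The salt is random on each run, so only set the password when the
        # account is first created; otherwise every run reports "changed".
        update_password: on_create
        state: present
      no_log: true    # keep the hash out of task output and logs
```

Passing a clear-text value directly to password on Linux writes it into the shadow file as if it were a hash, which leaves the account unable to log in with that password.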
Manage groups
Parameters
Parameter | Comments |
---|---|
name string / required | Name of the group to manage. |
gid integer | Optional GID to set for the group. |
force boolean, added in ansible-core 2.15 | Whether to delete a group even if it is the primary group of a user. Only applicable on platforms which implement a --force flag on the group deletion command. Default choice is false. |
non_unique boolean, added in Ansible 2.8 | This option allows to change the group ID to a non-unique value. Requires [gid]. Not supported on macOS or BusyBox distributions. Default choice is false. |
state string | Whether the group should be present or not on the remote host. Choices: "absent", "present" ← (default) |
system boolean | If yes, indicates that the group created is a system group. Default choice is false. |
ad-hoc
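Format: ansible hostname -m group -a "cmd"
# Create a group
The setup module collects system information from hosts. These facts can be used directly as variables, but with many hosts, gathering them slows down execution; set gather_facts: no to stop Ansible from collecting facts.
Parameters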
Parameter | Comments |
---|---|
filter list / elements=string | If supplied, only return facts that match one of the shell-style (fnmatch) patterns. An empty list basically means ‘no filter’. As of Ansible 2.11, the type has changed from string to list and the default has become an empty list. A simple string is still accepted and works as a single pattern. The behaviour prior to Ansible 2.11 remains. Default: [] |
ad-hoc
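Format: ansible hostname -m setup -a "cmd"
ansible all -m setup  # Collect detailed information about the servers
Disk mounting
Parameters
Parameter | Purpose |
---|---|
fstype | Specifies the filesystem type, such as nfs, xfs, ext4 |
src | The mount source, e.g. src=172.16.1.31:/data/zh |
path | The mount path on the target host, e.g. path=/mnt/new-lidao-mount |
state | The state. present: only modifies the configuration (mount at boot); the mount entry is written to /etc/fstab and nothing else. mounted: mounts and modifies the configuration; mounts the device and writes the entry to /etc/fstab. unmounted: unmounts the device without removing the entry written to /etc/fstab. absent: unmounts the device and removes the entry written to /etc/fstab. remounted: remounts. |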
ad-hoc
Format: ansible hostname -m mount -a "cmd"
# Mount NFS; if the mount point directory does not exist, it is created automatically
Configure the firewall
Parameters
Parameter | Comments |
---|---|
table string | This option specifies the packet matching table which the command should operate on. Choices: "filter" ← (default), "nat", "mangle", "raw", "security" |
chain string | Specify the iptables chain to modify. This could be a user-defined chain or one of the standard iptables chains, like INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING, SECMARK or CONNSECMARK. |
action string | Whether the rule should be appended at the bottom or inserted at the top. If the rule already exists the chain will not be modified. Choices: "append" ← (default), "insert" |
comment string | This specifies a comment that will be added to the rule. |
protocol string | The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, ipv6-icmp or icmpv6, esp, ah, sctp or the special keyword all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A ! argument before the protocol inverts the test. The number zero is equivalent to all. all will match with all protocols and is taken as default when this option is omitted. |
source string | Source specification. Address can be a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A ! argument before the address specification inverts the sense of the address. |
src_range string, added in Ansible 2.8 | Specifies the source IP range to match in the iprange module. |
destination string | Destination specification. Address can be a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1’s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A ! argument before the address specification inverts the sense of the address. |
dst_range string, added in Ansible 2.8 | Specifies the destination IP range to match in the iprange module. |
source_port string | Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format first:last. If the first port is omitted, 0 is assumed; if the last is omitted, 65535 is assumed. If the first port is greater than the second one they will be swapped. |
destination_port string | Destination port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format first:last. If the first port is omitted, ‘0’ is assumed; if the last is omitted, ‘65535’ is assumed. If the first port is greater than the second one they will be swapped. This is only valid if the rule also specifies one of the following protocols: tcp, udp, dccp or sctp. |
destination_ports list / elements=string | This specifies multiple destination port numbers or port ranges to match in the multiport module. It can only be used in conjunction with the protocols tcp, udp, udplite, dccp and sctp. Default: [] |
jump string | This specifies the target of the rule; i.e., what to do if the packet matches it. |
state string | Whether the rule should be absent or present. Choices: "absent", "present" ← (default) |
flush boolean | Flushes the specified table and chain of all rules. If no chain is specified then the entire table is purged. Ignores all other parameters. Default choice is false. |
out_interface string | Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the ! argument is used before the interface name, the sense is inverted. If the interface name ends in a +, then any interface which begins with this name will match. If this option is omitted, any interface name will match. |
policy string | Set the policy for the chain to the given target. Only built-in chains can have policies. This parameter requires the [chain] parameter. If you specify this parameter, all other parameters will be ignored. This parameter is used to set default policy for the given [chain]. Don’t confuse with [jump] parameter. Choices: "ACCEPT", "DROP", "QUEUE", "RETURN" |
to_destination string | This specifies a destination address to use with DNAT. Without this, the destination address is never altered. |
to_source string | This specifies a source address to use with SNAT. Without this, the source address is never altered. |
to_ports string | This specifies a destination port or range of ports to use, without this, the destination port is never altered. This is only valid if the rule also specifies one of the protocol tcp, udp, dccp or sctp. |
ad-hoc
Format: ansible hostname -m iptables -a "cmd"
# Add a firewall rule
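Because policy ignores every other parameter and takes effect immediately, the order of tasks decides whether a default-deny rollout cuts off the SSH session Ansible itself is using. The playbook below is an added example, not part of the original page, that builds the ACCEPT rules first; the management network 192.0.2.0/24 is a placeholder, and in_interface and ctstate are module parameters not listed in the table above.

```yaml
# Added example: default-deny INPUT policy without locking out SSH.
# Assumes Ansible connects over SSH (tcp/22) from 192.0.2.0/24 (placeholder).
- name: Apply a default-deny inbound policy
  hosts: all
  become: true
  tasks:
    - name: Allow loopback traffic
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        comment: allow loopback

    - name: Allow replies to connections the host already has open
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: [ESTABLISHED, RELATED]
        jump: ACCEPT
        comment: allow established

    - name: Allow SSH from the management network (address, not hostname)
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: 192.0.2.0/24
        destination_port: "22"
        jump: ACCEPT
        comment: allow ssh from mgmt

    - name: Allow HTTP and HTTPS
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_ports: ["80", "443"]
        jump: ACCEPT
        comment: allow web

    # policy must be its own task: all other parameters are ignored with it,
    # and it goes last so the ACCEPT rules above already exist.
    - name: Set the default INPUT policy to DROP
      ansible.builtin.iptables:
        chain: INPUT
        policy: DROP
```

The module changes only the running ruleset and does not save it, so persist the rules with the distribution's own mechanism if they must survive a reboot.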
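Besides the modules above, there are other commonly used modules that are not covered here. For more on modules, see the official documentation: Module Reference
Some of what these modules do can also be achieved by running commands directly with the shell module, but this is not recommended, because using Ansible modules has
Overall, the dedicated modules provided by Ansible should be the first choice, especially for common system administration tasks, because they are easier to write, understand and maintain.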