ansible
npx machina-cli add skill chaterm/terminal-skills/ansible --openclaw
Ansible Automation and Operations
Overview
Covers writing Playbooks, managing roles, dynamic inventory, and related skills.
Basic Commands
Ad-hoc commands
# Test connectivity
ansible all -m ping
ansible webservers -m ping
# Run commands (prefer `command`: it does not go through a shell, so no pipes and no shell-metacharacter surprises)
ansible all -m command -a "uptime"
# `shell` is needed when you want pipes or redirection
ansible all -m shell -a "df -h | grep /dev"
# Copy files
ansible all -m copy -a "src=/local/file dest=/remote/file"
# Install packages
ansible all -m apt -a "name=nginx state=present" --become
ansible all -m yum -a "name=nginx state=present" --become
# Manage services
ansible all -m service -a "name=nginx state=started" --become
# Gather facts
ansible all -m setup
ansible all -m setup -a "filter=ansible_distribution*"
Common Options
-i inventory        # inventory file or directory
-m module           # module to run
-a arguments        # module arguments
-b, --become        # escalate privileges (sudo by default)
-K                  # prompt for the become (sudo) password
-u user             # remote user
-k                  # prompt for the SSH password
--limit host        # restrict the run to matching hosts
-v, -vv, -vvv       # increasing verbosity
--check             # check mode (report changes without making them)
--diff              # show before/after differences for changed files
Inventory
Static inventory
# inventory/hosts
[webservers]
web1.example.com
web2.example.com ansible_host=192.168.1.10
[dbservers]
db1.example.com ansible_user=admin
db2.example.com
[production:children]
webservers
dbservers
[all:vars]
ansible_python_interpreter=/usr/bin/python3
YAML format
# inventory/hosts.yml
all:
  children:
    webservers:
      hosts:
        web1.example.com:
        web2.example.com:
          ansible_host: 192.168.1.10
    dbservers:
      hosts:
        db1.example.com:
          ansible_user: admin
  vars:
    ansible_python_interpreter: /usr/bin/python3
Dynamic inventory
# Using a script (it must answer --list and --host <name> with JSON)
ansible-inventory -i inventory.py --list
# AWS EC2 inventory plugin (requires the amazon.aws collection; the file name must end in aws_ec2.yml)
ansible-inventory -i aws_ec2.yml --list
# Example aws_ec2.yml
plugin: amazon.aws.aws_ec2
regions:
  - us-east-1
filters:
  tag:Environment: production
keyed_groups:
  - key: tags.Role
    prefix: role
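The `inventory.py` referenced above has to speak a specific JSON contract: answer `--list` with the groups (and, ideally, `_meta.hostvars`) and `--host <name>` with that host's variables. The script below is an added example of such a script, not code from the original page or from the chaterm/terminal-skills project. The host records, the `role_` group prefix (mirroring the aws_ec2 `keyed_groups` idea) and the `env` filter are constructed assumptions standing in for whatever source a real script would query.

```python
#!/usr/bin/env python3
"""Minimal dynamic inventory script in the JSON shape `ansible-inventory -i inventory.py --list` expects.

Added example. SAMPLE_RECORDS is constructed inline; a real script would fetch the
records from a CMDB or cloud API instead.
"""
import json
import sys

# Constructed sample records (assumption: real data would come from an external source).
SAMPLE_RECORDS = [
    {"name": "web1.example.com", "ip": "192.168.1.10", "env": "production", "role": "web"},
    {"name": "web2.example.com", "ip": "192.168.1.11", "env": "production", "role": "web"},
    {"name": "db1.example.com", "ip": "192.168.1.20", "env": "production", "role": "db", "user": "admin"},
    {"name": "web9.example.com", "ip": "10.0.0.9", "env": "staging", "role": "web"},
]


def build_inventory(records, env="production"):
    """Return the inventory dict Ansible expects from `--list`.

    Groups are keyed by the `role` field with a `role_` prefix, only records in `env`
    are included, and per-host connection variables go under `_meta.hostvars` so
    Ansible never has to invoke the script once per host with `--host`.
    """
    inventory = {"_meta": {"hostvars": {}}, "all": {"children": [], "vars": {"env": env}}}
    for rec in records:
        if rec["env"] != env:
            continue
        group = f"role_{rec['role']}"
        inventory.setdefault(group, {"hosts": [], "vars": {}})
        inventory[group]["hosts"].append(rec["name"])
        if group not in inventory["all"]["children"]:
            inventory["all"]["children"].append(group)
        hostvars = {"ansible_host": rec["ip"], "ansible_python_interpreter": "/usr/bin/python3"}
        if "user" in rec:
            hostvars["ansible_user"] = rec["user"]
        inventory["_meta"]["hostvars"][rec["name"]] = hostvars
    return inventory


def host_vars(inventory, hostname):
    """Answer for `--host <name>`: that host's variables, or {} for an unknown host."""
    return inventory["_meta"]["hostvars"].get(hostname, {})


def main(argv):
    inv = build_inventory(SAMPLE_RECORDS)
    if len(argv) == 2 and argv[1] == "--list":
        print(json.dumps(inv, indent=2))
    elif len(argv) == 3 and argv[1] == "--host":
        print(json.dumps(host_vars(inv, argv[2])))
    else:
        sys.stderr.write("usage: inventory.py --list | --host <hostname>\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Save it as `inventory.py`, make it executable (`chmod +x inventory.py`), and run `ansible-inventory -i inventory.py --graph` to see the resulting groups. Filling `_meta.hostvars` matters for large fleets: without it Ansible calls the script once per host with `--host`, which is slow and hammers whatever backend the script queries.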
Playbook
Basic structure
# playbook.yml
---
- name: Configure web servers
  hosts: webservers
  become: yes
  vars:
    http_port: 80
  tasks:
    - name: Install nginx
      apt:
        name: nginx
        state: present
        update_cache: yes
    - name: Start nginx
      service:
        name: nginx
        state: started
        enabled: yes
    - name: Copy config
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
      notify: Restart nginx
  handlers:
    - name: Restart nginx
      service:
        name: nginx
        state: restarted
Running a Playbook
# Run
ansible-playbook playbook.yml
# Specify an inventory
ansible-playbook -i inventory/hosts playbook.yml
# Limit to specific hosts
ansible-playbook playbook.yml --limit web1
# Check mode with diff (dry run)
ansible-playbook playbook.yml --check --diff
# Select or skip tags
ansible-playbook playbook.yml --tags "install,config"
ansible-playbook playbook.yml --skip-tags "test"
# Pass extra variables (highest precedence of all variable sources)
ansible-playbook playbook.yml -e "version=1.0"
ansible-playbook playbook.yml -e "@vars.yml"
Conditionals and Loops
tasks:
  # Conditionals
  - name: Install on Debian
    apt:
      name: nginx
    when: ansible_os_family == "Debian"
  - name: Install on RedHat
    yum:
      name: nginx
    when: ansible_os_family == "RedHat"
  # Loops
  - name: Install packages
    apt:
      name: "{{ item }}"
      state: present
    loop:
      - nginx
      - git
      - curl
  # Looping over dictionaries
  # Note: without `append: yes`, `groups` replaces the user's existing supplementary groups
  - name: Create users
    user:
      name: "{{ item.name }}"
      groups: "{{ item.groups }}"
    loop:
      - { name: 'user1', groups: 'admin' }
      - { name: 'user2', groups: 'developers' }
Variables and Templates
# vars/main.yml
http_port: 80
server_name: example.com
workers: 4
# templates/nginx.conf.j2
{# `upstreams` is a list of {name, servers} dicts; it is not defined in vars/main.yml above, so define it elsewhere or rendering fails on an undefined variable #}
{# upstream blocks belong in the http context, outside any server block #}
{% for upstream in upstreams %}
upstream {{ upstream.name }} {
{% for server in upstream.servers %}
    server {{ server }};
{% endfor %}
}
{% endfor %}
server {
    listen {{ http_port }};
    server_name {{ server_name }};
}
Roles
Role structure
roles/
└── nginx/
    ├── tasks/
    │   └── main.yml
    ├── handlers/
    │   └── main.yml
    ├── templates/
    │   └── nginx.conf.j2
    ├── files/
    ├── vars/
    │   └── main.yml
    ├── defaults/
    │   └── main.yml
    └── meta/
        └── main.yml
Creating a role
# Scaffold a role skeleton
ansible-galaxy init roles/nginx
Using roles
# playbook.yml
---
- hosts: webservers
  become: yes
  roles:
    - nginx
    - { role: app, tags: ['app'] }
    - role: database
      vars:
        db_name: mydb
Ansible Galaxy
# Install roles
ansible-galaxy install geerlingguy.nginx
ansible-galaxy install -r requirements.yml
# requirements.yml
# Pin every role and collection to a version: an unpinned entry pulls whatever is latest on Galaxy at install time
roles:
  - name: geerlingguy.nginx
    version: 3.1.0
  - name: geerlingguy.mysql
collections:
  - name: community.general
Common Scenarios
Scenario 1: Deploy an application
---
- name: Deploy application
  hosts: appservers
  become: yes
  vars:
    app_version: "1.0.0"   # a tag is mutable; pin a commit SHA to deploy exactly the code that was reviewed
  tasks:
    - name: Pull code
      git:
        repo: https://github.com/user/app.git
        dest: /opt/app
        version: "{{ app_version }}"
    - name: Install dependencies
      pip:
        requirements: /opt/app/requirements.txt
        virtualenv: /opt/app/venv
    - name: Copy systemd service
      template:
        src: app.service.j2
        dest: /etc/systemd/system/app.service
      notify: Restart app
  handlers:
    - name: Restart app
      systemd:
        name: app
        state: restarted
        daemon_reload: yes
Scenario 2: Rolling update
---
- name: Rolling update
  hosts: webservers
  serial: 1                 # update one host at a time
  max_fail_percentage: 0    # abort the play as soon as any host fails
  tasks:
    - name: Remove from load balancer
      # ...
    - name: Update application
      # ...
    - name: Add back to load balancer
      # ...
Scenario 3: Secrets management
# Create an encrypted file
ansible-vault create secrets.yml
# Edit an encrypted file in place
ansible-vault edit secrets.yml
# Encrypt an existing file
ansible-vault encrypt vars.yml
# Decrypt (re-encrypt before committing; a decrypted file is easy to commit by mistake)
ansible-vault decrypt vars.yml
# Use encrypted variables
ansible-playbook playbook.yml --ask-vault-pass
# The password file must stay out of the repo (.gitignore) and be readable only by you (chmod 600)
ansible-playbook playbook.yml --vault-password-file=.vault_pass
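The risk with `ansible-vault decrypt` is the step after it: a decrypted secrets file, or a plaintext password pasted into an ordinary vars file, quietly lands in git. A pre-commit check closes that gap and also enforces the best practice further down of vaulting all sensitive values. The script below is an added example, not code from the original page or project. Its conventions are assumptions: any `*.yml`/`*.yaml` whose name contains `vault` must start with the `$ANSIBLE_VAULT;` header, and every other YAML file must not carry a secret-looking key (`password`, `secret`, `token`, `api_key`) with a cleartext value, inline `!vault` blobs being the accepted alternative. The sample repository it builds in a temp directory is constructed for demonstration.

```python
#!/usr/bin/env python3
"""Pre-commit style check: no unencrypted secrets in an Ansible repository.

Added example. Conventions assumed: files whose name contains "vault" must be
ansible-vault encrypted; other YAML files must not hold cleartext secret-looking keys.
"""
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of every ansible-vault encrypted file
SECRET_KEY = re.compile(
    r"^\s*[\w-]*(password|passwd|secret|token|api_key)[\w-]*\s*:\s*(?P<value>\S.*)$", re.I
)


def is_vault_encrypted(path):
    """True if the file starts with the ansible-vault header (format 1.1 or 1.2)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def plaintext_secret_lines(path):
    """Line numbers of secret-looking keys whose value is not an inline `!vault` blob."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            match = SECRET_KEY.match(line)
            if match and not match.group("value").startswith("!vault"):
                hits.append(lineno)
    return hits


def check_repo(root):
    """Walk `root` and return a sorted list of findings; an empty list means clean."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if "vault" in name.lower():
                if not is_vault_encrypted(path):
                    findings.append(f"{rel}: vault file is not encrypted")
            elif not is_vault_encrypted(path):  # a fully encrypted vars file is fine too
                for lineno in plaintext_secret_lines(path):
                    findings.append(f"{rel}:{lineno}: plaintext secret-looking key")
    return sorted(findings)


def make_sample_repo():
    """Constructed sample tree: one encrypted vault file, one forgotten-decrypted one, one leaky vars file."""
    root = tempfile.mkdtemp(prefix="ansible-vault-check-")
    os.makedirs(os.path.join(root, "group_vars", "dbservers"))
    os.makedirs(os.path.join(root, "group_vars", "webservers"))
    # Properly encrypted: the header is what the check keys on (body is a placeholder, not real ciphertext).
    with open(os.path.join(root, "group_vars", "dbservers", "vault.yml"), "w") as fh:
        fh.write("$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n")
    # Someone ran `ansible-vault decrypt` and never re-encrypted.
    with open(os.path.join(root, "group_vars", "webservers", "vault.yml"), "w") as fh:
        fh.write("vault_tls_key_password: hunter2\n")
    # Plain vars file: db_password is an inline !vault blob (ok), api_token is cleartext (bad).
    with open(os.path.join(root, "group_vars", "dbservers", "vars.yml"), "w") as fh:
        fh.write("db_name: mydb\ndb_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3030\napi_token: abc123\n")
    return root


if __name__ == "__main__":
    import sys

    repo = sys.argv[1] if len(sys.argv) > 1 else make_sample_repo()
    problems = check_repo(repo)
    print("\n".join(problems) or "clean")
    sys.exit(1 if problems else 0)
```

Run it with the repository root as the argument from a pre-commit hook or CI job; with no argument it checks the constructed sample tree and reports the two planted problems. The header check is deliberately simple because the vault format guarantees it: `ansible-vault encrypt` always writes `$ANSIBLE_VAULT;<version>;AES256` as the first line, so anything else in a vault-named file is cleartext.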
Troubleshooting
| Problem | How to diagnose |
|---|---|
| SSH connection fails | Check the inventory (ansible_host, ansible_user) and the SSH configuration and keys |
| Permission denied | Run with --become and check the sudo rules on the host |
| Module error | Re-run with -vvv to see the full module output |
| Variable undefined | Check the variable files and variable precedence |
# Debug mode
ansible-playbook playbook.yml -vvv
# Syntax check
ansible-playbook playbook.yml --syntax-check
# List tasks
ansible-playbook playbook.yml --list-tasks
# List hosts
ansible-playbook playbook.yml --list-hosts
Source
https://github.com/chaterm/terminal-skills/blob/main/devops/ansible/SKILL.md
Overview
You will use Ansible to orchestrate infrastructure configuration and deployment. This skill covers everything from quick ad-hoc operations to structured Playbooks and Roles, plus full support for dynamic Inventory, so you can manage multi-host environments in a repeatable, auditable way.
How This Skill Works
Ansible talks to managed hosts over SSH, so no agent has to be installed on them. You describe targets, tasks, handlers and variables in YAML Playbooks; Ansible applies the corresponding modules (apt, yum, service, copy, setup, and so on) idempotently and prints a per-host summary at the end of the run. Targets are defined by a static inventory (INI or YAML) or a dynamic one (for example the amazon.aws.aws_ec2 plugin), and Playbooks can pull in Roles, Templates, and Vault-encrypted secrets.
When to Use It
- Quickly verify host connectivity and run simple tasks (ad-hoc)
- Deploy applications, configure services and orchestrate multi-host tasks
- Roll out changes across hosts with rolling or canary releases and controlled failure handling
- Manage hosts across environments and clouds using static or dynamic inventory
- Reuse configuration as Roles and Galaxy components, and keep secrets in Vault
Quick Start
- 1) Install and check the version: pip install ansible, or use the OS package manager (for example sudo apt-get install ansible), then run ansible --version.
- 2) Prepare a simple inventory (for example inventory/hosts.ini) that defines a webservers group:
  [webservers]
  web1.example.com
  web2.example.com ansible_host=192.168.1.10
- 3) Write a minimal Playbook (playbook.yml) that installs Nginx on the web servers:
  ---
  - hosts: webservers
    become: yes
    tasks:
      - name: Install nginx
        apt:
          name: nginx
          state: present
          update_cache: yes
- 4) Run it: ansible-playbook -i inventory/hosts.ini playbook.yml, adding --check --diff first to preview the changes before applying them.
Best Practices
- Keep inventory in version control, with a separate inventory/ directory per environment
- Split repeated configuration into reusable Roles and give their variables sensible defaults
- In production, run with --check and --diff before applying any change
- Use --become for privilege escalation and configure sudo rules along least-privilege lines
- Store sensitive values with ansible-vault, supplying the password via vault_password_file or an interactive prompt
- Prefer idempotent modules and explicit error handling so runs make no unnecessary changes
Example Use Cases
- Scenario 1: Deploy a web stack. One playbook installs Nginx on the webservers, deploys the site configuration, and makes sure the Nginx service stays running.
- Scenario 2: Rolling application update. Run against webservers with serial: 1 so hosts go live one at a time; on a problem, roll back immediately and pull the failing node out of the load balancer.
- Scenario 3: Orchestrating hosts in a dynamic cloud environment. Use the AWS EC2 dynamic inventory plugin to group instances by tag and apply configuration to new instances automatically.
- Scenario 4: Secrets management and configuration injection. Encrypt database credentials with ansible-vault and inject them into application configuration or templates from the playbook.
- Scenario 5: Template-driven configuration. Render variables into Jinja2 templates (for example nginx.conf.j2) on the target hosts and reload the service automatically when the result changes.