====== Managing Multiple Hosts with Ansible ======
  * Control node environment:
    * CT - Ubuntu 20.04 LTS (2 vCore / 2G RAM / 20G SSD)
    * The Ansible definition files will be kept under git version control
===== Installation =====
  * Install the packages
<code bash>
sudo apt install ansible git sshpass
</code>
Confirm the version:
<code>
jonathan@ct-ansible:~$ ansible --version
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/jonathan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
</code>
  * Configure Ansible to accept and record a host's SSH host key automatically on the first login
<code bash>
sudo vi /etc/ansible/ansible.cfg
</code>
<code ini>
[defaults]
:
:
# uncomment this to disable SSH key host checking
#host_key_checking = False
host_key_checking = False
:
</code>
===== Create the inventory file inventory.yaml =====
  * Example:
<code yaml>
servers:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_port: 22
      ansible_user: root
      ansible_ssh_pass: "mypassword"
    h470:
      ansible_host: 192.168.11.252
      ansible_port: 22
      ansible_connection: ssh
      ansible_user: root
      ansible_ssh_pass: "mypassword"
</code>
  * Quick check:
<code bash>
$ ansible all -i inventory.yaml --list-hosts
  hosts (2):
    aac
    h470
</code>
===== Writing playbooks =====
==== 1. upgrade.yaml ====
  * Install the specified packages on the hosts in the servers group, upgrade all already-installed packages, and reboot automatically after the upgrade if the kernel was updated
<code yaml>
- hosts: servers
  become: true
  become_user: root
  tasks:
    - name: Ansible apt to install multiple packages - LAMP
      register: updatesys
      apt:
        update_cache: yes
        name:
          - python3-apt
          - snmp
          - libsasl2-modules
        state: present
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600
    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes
    # Ubuntu/Debian create this file when an installed update needs a reboot
    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no
    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists
</code>
  * Verify the playbook with a dry run (**add --check**)
<code bash>
ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check
</code>
Execution result:
<code>
$ ansible-playbook -i inventory.yaml upgrade.yaml -e ansible_python_interpreter=/usr/bin/python --check

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [aac]
ok: [h470]

TASK [Ansible apt to install multiple packages - LAMP] **************************************************************************************************************************************
changed: [h470]
changed: [aac]

TASK [Update apt repo and cache on all Debian/Ubuntu boxes] *********************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Upgrade all packages on servers] ******************************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Check if a reboot is needed on all servers] *******************************************************************************************************************************************
ok: [h470]
ok: [aac]

TASK [Reboot the box if kernel updated] *****************************************************************************************************************************************************
skipping: [aac]
skipping: [h470]

PLAY RECAP **********************************************************************************************************************************************************************************
aac                        : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
h470                       : ok=5    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
</code>
===== FAQ =====
==== 1. How to encrypt login passwords such as ansible_ssh_pass ====
  * Run ansible-vault encrypt_string <login password> --ask-vault-pass to encrypt the password you want to protect (e.g. MyPassword), using KeyPass as the vault password that will be needed to decrypt it
<code bash>
$ ansible-vault encrypt_string MyPassword --ask-vault-pass
New Vault password: KeyPass
Confirm New Vault password: KeyPass
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613230353861653733633761663630643564323330613263343061656163383731386364666366
          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
          61336333643663343535396339633165653334336236363032613130636537336664646535666666
          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
          3736
Encryption successful
</code>
  * Replace the original plaintext ansible_ssh_pass value with this encrypted content, e.g.
<code yaml>
:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_ssh_pass: "MyPassword"
:
</code>
becomes
<code yaml>
:
  hosts:
    aac:
      ansible_host: 192.168.11.249
      ansible_ssh_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63613230353861653733633761663630643564323330613263343061656163383731386364666366
          3430303131616563616634386130613461636433383730360a663130653463313465623837373335
          61336333643663343535396339633165653334336236363032613130636537336664646535666666
          3863306137663763610a313034383233626563336365303431313564316338653363636432386438
          3736
:
</code>
  * Then ansible-playbook must be run with **--ask-vault-pass** appended so that it prompts for the vault password, e.g. KeyPass
<code bash>
$ ansible-playbook -i inventory.yaml upgrade.yaml --ask-vault-pass
Vault password: KeyPass

PLAY [servers] ******************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
ok: [nuc]
:
</code>
  * Alternatively, append **--vault-password-file** to ansible-playbook to point at a file containing the vault password, e.g. .vault_pass
<code bash>
$ ansible-playbook -i inventory.yaml upgrade.yaml --vault-password-file ./.vault_pass
</code>
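Because the inventory on this page is meant to live in git, a plaintext ''ansible_ssh_pass'' that slips into a commit is the most likely way the password leaks. The check below is an added example, not code from the page or from Ansible: it scans an inventory for ''ansible_ssh_pass'' entries, flags plaintext ones, and confirms that ''!vault'' values carry a well-formed Vault 1.1 payload. The vault blob it parses is the one printed above; the plaintext and variable-reference entries, and the function names, are constructed for the demo.

```python
# Added example, not part of the original page: a check to run before committing
# inventory.yaml to git. It flags ansible_ssh_pass values kept in plaintext and
# confirms that !vault values carry a well-formed Ansible Vault 1.1 payload.
# The vault blob is the one printed on the page; the plaintext and variable
# entries are constructed, and the function names are assumptions.
import binascii
import re

PASS_RE = re.compile(r"^(\s*)ansible_ssh_pass:\s*(.*)$")

# Vault payload exactly as produced by ansible-vault encrypt_string on the page
PAGE_VAULT_BLOB = """\
$ANSIBLE_VAULT;1.1;AES256
63613230353861653733633761663630643564323330613263343061656163383731386364666366
3430303131616563616634386130613461636433383730360a663130653463313465623837373335
61336333643663343535396339633165653334336236363032613130636537336664646535666666
3863306137663763610a313034383233626563336365303431313564316338653363636432386438
3736
"""

# Constructed inventory: one vaulted, one plaintext and one variable-reference entry
SAMPLE_INVENTORY = "\n".join([
    "servers:",
    "  hosts:",
    "    aac:",
    "      ansible_host: 192.168.11.249",
    "      ansible_ssh_pass: !vault |",
    *("        " + line for line in PAGE_VAULT_BLOB.splitlines()),
    "    h470:",
    "      ansible_host: 192.168.11.252",
    '      ansible_ssh_pass: "mypassword"',
    "    nuc:",
    '      ansible_ssh_pass: "{{ vault_ssh_pass }}"',
]) + "\n"


def parse_vault_blob(blob):
    """Split a Vault 1.1 payload into header fields and raw salt / HMAC / ciphertext.

    The hex body decodes to 'salt_hex\\nhmac_hex\\nciphertext_hex'. Nothing here
    recovers the plaintext: that needs the vault password, from which Ansible
    derives the AES-256 key and the HMAC key with PBKDF2.
    """
    lines = [line.strip() for line in blob.strip().splitlines() if line.strip()]
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("missing $ANSIBLE_VAULT header")
    _, version, cipher = lines[0].split(";")[:3]
    body = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = body.split(b"\n")
    return {
        "version": version,
        "cipher": cipher,
        "salt": binascii.unhexlify(salt_hex),
        "hmac": binascii.unhexlify(hmac_hex),
        "ciphertext": binascii.unhexlify(ct_hex),
    }


def lint_inventory(text):
    """Return (line_number, status) for every ansible_ssh_pass in the inventory text.

    status is 'vault', 'vault-malformed', 'variable' (a {{ }} reference resolved
    elsewhere, e.g. from an encrypted vars file) or 'plaintext'.
    """
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        match = PASS_RE.match(lines[i])
        if not match:
            i += 1
            continue
        indent = len(match.group(1))
        value = match.group(2).strip().strip("\"'")
        lineno = i + 1
        if value.startswith("!vault"):
            # YAML block scalar: every following line indented deeper than the key belongs to it
            block = []
            j = i + 1
            while j < len(lines) and (not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > indent):
                block.append(lines[j])
                j += 1
            try:
                parsed = parse_vault_blob("\n".join(block))
                well_formed = (parsed["version"] == "1.1" and parsed["cipher"] == "AES256"
                               and len(parsed["salt"]) == 32 and len(parsed["hmac"]) == 32)
                findings.append((lineno, "vault" if well_formed else "vault-malformed"))
            except ValueError:  # binascii.Error is a ValueError subclass
                findings.append((lineno, "vault-malformed"))
            i = j
        elif value.startswith("{{"):
            findings.append((lineno, "variable"))
            i += 1
        else:
            findings.append((lineno, "plaintext"))
            i += 1
    return findings


if __name__ == "__main__":
    results = lint_inventory(SAMPLE_INVENTORY)
    for lineno, status in results:
        print(f"line {lineno}: ansible_ssh_pass is {status}")
    p = parse_vault_blob(PAGE_VAULT_BLOB)
    print(f"vault {p['version']}/{p['cipher']}: salt={len(p['salt'])}B hmac={len(p['hmac'])}B "
          f"ciphertext={len(p['ciphertext'])}B")
    # non-zero exit blocks the commit when used as a pre-commit hook
    raise SystemExit(1 if any(s == "plaintext" for _, s in results) else 0)
```

The 16-byte ciphertext is what a 10-character password becomes after block padding; the 32-byte salt and 32-byte HMAC are the only other things in the blob, which is why the payload can sit in git while the vault password stays in ''.vault_pass'' (keep that file out of the repository, e.g. via .gitignore).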
===== References =====
* https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html
* https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/
* https://blog.yowko.com/ansible-bypass-fingerprint-check/
* https://stackoverflow.com/questions/51622712/ansible-requires-python-apt-but-its-already-installed
* https://stackoverflow.com/questions/21870083/specify-sudo-password-for-ansible
* https://stackoverflow.com/questions/51771994/how-do-i-use-an-encrypted-variable-ansible-ssh-pass-in-an-ini-file
* https://stackoverflow.com/questions/30209062/ansible-how-to-encrypt-some-variables-in-an-inventory-file-in-a-separate-vault
* https://www.digitalocean.com/community/tutorials/how-to-use-vault-to-protect-sensitive-ansible-data
{{tag>ansible 自動化 大量部署}}