Ansible Automation: A Guide to Managing Multi-Platform Cloud Environments
1. Container management modules
1.1 Kubernetes management modules
Ansible ships several modules for managing Kubernetes clusters in the kubernetes.core collection:
- kubernetes.core.k8s: manages any kind of Kubernetes object.
- kubernetes.core.k8s_auth: authenticates against Kubernetes clusters that require an explicit login step, returning a token the other modules can use.
- kubernetes.core.k8s_info: inspects Kubernetes objects (this module used to be called k8s_facts; that name no longer exists in kubernetes.core).
- kubernetes.core.k8s_scale: sets a new scale for a Deployment, ReplicaSet, Replication Controller or Job.
- kubernetes.core.k8s_service: manages Services on Kubernetes.
1.2 LXC and LXD management modules
LXC and LXD are systems for running containers on Linux; Ansible supports them through the following modules:
- community.general.lxc_container: manages LXC containers.
- community.general.lxd_container: manages LXD containers.
- community.general.lxd_profile: manages LXD profiles.
2. Automating AWS operations with Ansible
2.1 Installation
To automate AWS with Ansible, install the boto3 library:
```shell
$ pip install boto3
```
Then install the two collections that talk to AWS services:
```shell
$ ansible-galaxy collection install community.aws amazon.aws
```
2.2 Authentication
boto looks for its credentials in ~/.aws/credentials. The file can be produced in either of two ways:
- with the AWS CLI (aws configure);
- by hand, with a text editor, in this form:
```ini
[default]
aws_access_key_id = [YOUR_KEY_HERE]
aws_secret_access_key = [YOUR_SECRET_ACCESS_KEY_HERE]
```
Whatever goes into that file is a long-lived secret stored in plaintext: keep it at mode 0600, never commit it, and prefer temporary credentials (AWS SSO or an assumed role, which boto3 also reads from the same file or from environment variables) over a permanent IAM user key.
2.3 Creating the first machine
Proceed as follows:
1. Create the aws.yaml playbook with the following content:
```yaml
---
- hosts: localhost
  tasks:
    - name: Ensure key pair is present
      amazon.aws.ec2_key:
        name: fale
        region: eu-west-1
        key_material: "{{ lookup('file', '~/.ssh/fale.pub') }}"
    - name: Gather information of the EC2 VPC net in eu-west-1
      amazon.aws.ec2_vpc_net_info:
        region: eu-west-1
      register: aws_simple_net
    - name: Gather information of the EC2 VPC subnet in eu-west-1
      amazon.aws.ec2_vpc_subnet_info:
        region: eu-west-1
        filters:
          vpc-id: '{{ aws_simple_net.vpcs.0.id }}'
      register: aws_simple_subnet
    - name: Ensure wssg Security Group is present
      amazon.aws.ec2_security_group:
        name: wssg
        description: Web Security Group
        region: eu-west-1
        vpc_id: '{{ aws_simple_net.vpcs.0.id }}'
        rules:
          # SSH from the whole Internet is acceptable for a throwaway test only;
          # narrow cidr_ip to your own source range for anything real.
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: 0.0.0.0/0
        rules_egress:
          - proto: all
            cidr_ip: 0.0.0.0/0
      register: aws_simple_wssg
    - name: Setup instance
      # ec2_instance (not the retired ec2 module) takes image_id, security_group,
      # network and name; with exact_count it finds the instance it manages by
      # its Name tag, image and subnet, so re-running the play does not launch a second one.
      amazon.aws.ec2_instance:
        name: ws01.ansible2cookbook.com
        image_id: ami-3548444c
        region: eu-west-1
        exact_count: 1
        key_name: fale
        instance_type: t2.micro
        security_group: '{{ aws_simple_wssg.group_id }}'
        vpc_subnet_id: '{{ aws_simple_subnet.subnets.0.id }}'
        network:
          assign_public_ip: true
        volumes:
          - device_name: /dev/sda1
            ebs:
              volume_type: gp2
              volume_size: 10
              delete_on_termination: true
```
2. Run the playbook:
```shell
$ ansible-playbook aws.yaml
```
The output looks roughly like this:
```text
PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Ensure key pair is present] **********************************************
ok: [localhost]

TASK [Gather information of the EC2 VPC net in eu-west-1] **********************
ok: [localhost]

TASK [Gather information of the EC2 VPC subnet in eu-west-1] *******************
ok: [localhost]

TASK [Ensure wssg Security Group is present] ***********************************
ok: [localhost]

TASK [Setup instance] **********************************************************
changed: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=6    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
In the AWS console you will now see one machine up and running. Launching an AWS virtual machine needs four things to exist first:
- an SSH key pair
- a network (VPC)
- a subnet
- a security group
A default VPC and subnet already exist in a fresh account; the playbook only has to look up their IDs, which is what the two *_info tasks and their register keywords do. Note that the security group above admits SSH from 0.0.0.0/0: convenient for a first test, but restrict it to your own source range before the playbook reaches anything that matters.
2.4 Workflow summary
```mermaid
graph LR
A[Install boto3 and the collections] --> B[Configure authentication]
B --> C[Create the aws.yaml playbook]
C --> D[Run the playbook]
D --> E[Check the AWS console]
```
3. Automating GCP operations with Ansible
3.1 Installation
Before Ansible can talk to GCP, install the Python requests and google-auth modules:
```shell
$ pip install requests google-auth
```
Then install the Google Cloud collection:
```shell
$ ansible-galaxy collection install google.cloud
```
3.2 Authentication
There are three ways to give the modules valid GCP credentials:
- a service account configured through environment variables;
- a service account configured through a JSON key file;
- a machine account.
The first two are the recommended choices in most situations, because the third only works when Ansible itself runs inside GCP.
- Service account via environment variables: after creating the service account, export the following variables (the modules read them in place of the auth_kind, service_account_email, service_account_file and scopes parameters):
  - GCP_AUTH_KIND
  - GCP_SERVICE_ACCOUNT_EMAIL
  - GCP_SERVICE_ACCOUNT_FILE
  - GCP_SCOPES
- Service account via JSON file: download the service account key from the GCP console and save it as ~/sa.json. That file is a private key with no expiry, so treat it as one: mode 0600, outside any repository, and rotated or deleted when the automation is retired.
- Machine account: when Ansible runs on a GCP instance it can pick up the instance's attached service account automatically (auth_kind: machineaccount).
3.3 Creating the first machine
Proceed as follows:
1. Create the gce.yaml playbook with the following content:
```yaml
---
- hosts: localhost
  tasks:
    - name: create a instance
      google.cloud.gcp_compute_instance:
        name: testmachine                  # GCE names are lowercase RFC 1035 labels
        machine_type: n1-standard-1
        disks:
          - auto_delete: true
            boot: true
            initialize_params:
              source_image: projects/centos-cloud/global/images/family/centos-stream-9
              disk_size_gb: 10
        zone: europe-west1-c               # GCP zones are europe-west1-*; there is no eu-west1
        project: "[YOUR_PROJECT_ID_HERE]"  # required: the project the instance is created in
        auth_kind: serviceaccount
        service_account_file: "~/sa.json"
        state: present
```
2. Run the playbook:
```shell
$ ansible-playbook gce.yaml
```
The output looks roughly like this:
```text
PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [create a instance] *******************************************************
changed: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
On GCE there is no network to set up beforehand: the project's default network together with the defaults applied by gcp_compute_instance is enough for a usable machine.
3.4 Workflow summary
```mermaid
graph LR
A[Install the dependencies and the collection] --> B[Configure authentication]
B --> C[Create the gce.yaml playbook]
C --> D[Run the playbook]
```
4. Automating Azure operations with Ansible
4.1 Installation
Install the Azure collection first, because the Python requirements file that lists the Azure SDK packages ships inside it:
```shell
$ ansible-galaxy collection install azure.azcollection
```
Then install the Azure SDK for Python from that file:
```shell
$ pip install -r ~/.ansible/collections/ansible_collections/azure/azcollection/requirements-azure.txt
```
(Recent releases of the collection ship the file as requirements.txt; use whichever name is present in that directory.)
4.2 Authentication
Depending on how the Azure account is set up, there are several ways to let Ansible manage Azure. All of them can be configured in ~/.azure/credentials:
- Service principal credentials (client ID, secret and tenant) for the subscription:
```ini
[default]
subscription_id = [YOUR_SUBSCRIPTION_ID_HERE]
client_id = [YOUR_CLIENT_ID_HERE]
secret = [YOUR_SECRET_HERE]
tenant = [YOUR_TENANT_HERE]
```
- An Active Directory user with username and password:
```ini
[default]
ad_user = [YOUR_AD_USER_HERE]
password = [YOUR_AD_PASSWORD_HERE]
```
- An Active Directory login through ADFS:
```ini
[default]
ad_user = [YOUR_AD_USER_HERE]
password = [YOUR_AD_PASSWORD_HERE]
client_id = [YOUR_CLIENT_ID_HERE]
tenant = [YOUR_TENANT_HERE]
adfs_authority_url = [YOUR_ADFS_AUTHORITY_URL_HERE]
```
The same settings can also be passed as module parameters or as environment variables (AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET, AZURE_TENANT). For automation, a service principal with a role scoped to one resource group is the safer choice; a user's password sitting in a file is the weakest of the three.
4.3 Creating the first machine
Proceed as follows:
1. Create the azure.yaml playbook with the following content:
```yaml
---
- hosts: localhost
  tasks:
    # Every resource below lands in the resource group "Testing", which must already exist.
    - name: Ensure the Storage Account is present
      azure.azcollection.azure_rm_storageaccount:
        resource_group: Testing
        name: mysa    # storage account names are global: 3-24 lowercase letters/digits, unique across Azure
        account_type: Standard_LRS
    - name: Ensure the Virtual Network is present
      azure.azcollection.azure_rm_virtualnetwork:
        resource_group: Testing
        name: myvn
        address_prefixes: "10.10.0.0/16"
    - name: Ensure the Subnet is present
      azure.azcollection.azure_rm_subnet:
        resource_group: Testing
        name: mysn
        address_prefix: "10.10.0.0/24"
        virtual_network: myvn
    - name: Ensure that the Public IP is set
      azure.azcollection.azure_rm_publicipaddress:
        resource_group: Testing
        allocation_method: Static
        name: myip
    - name: Ensure a Security Group allowing SSH is present
      azure.azcollection.azure_rm_securitygroup:
        resource_group: Testing
        name: mysg
        rules:
          # Without source_address_prefix this rule admits SSH from everywhere ("*").
          - name: SSH
            protocol: Tcp
            destination_port_range: 22
            access: Allow
            priority: 101
            direction: Inbound
    - name: Ensure the NIC is present
      azure.azcollection.azure_rm_networkinterface:
        resource_group: Testing
        name: mynic
        virtual_network: myvn
        subnet: mysn
        public_ip_name: myip
        security_group: mysg
    - name: Ensure the Virtual Machine is present
      azure.azcollection.azure_rm_virtualmachine:
        resource_group: Testing
        name: myvm01
        vm_size: Standard_D1
        storage_account: mysa
        storage_container: myvm01
        storage_blob: myvm01.vhd
        # Azure refuses "admin" as a username and a 9-character password such as
        # "Password!" (the policy wants 12+ characters from three character classes),
        # so log in with an SSH key and keep password authentication off.
        admin_username: azureuser
        ssh_password_enabled: false
        ssh_public_keys:
          - path: /home/azureuser/.ssh/authorized_keys
            key_data: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        network_interfaces: mynic
        image:
          offer: CentOS
          publisher: OpenLogic
          sku: '8.4'
          version: latest
```
2. Run the playbook:
```shell
$ ansible-playbook azure.yaml
```
The output looks roughly like this:
```text
PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Ensure the Storage Account is present] ***********************************
changed: [localhost]

TASK [Ensure the Virtual Network is present] ***********************************
changed: [localhost]

TASK [Ensure the Subnet is present] ********************************************
changed: [localhost]

TASK [Ensure that the Public IP is set] ****************************************
changed: [localhost]

TASK [Ensure a Security Group allowing SSH is present] *************************
changed: [localhost]

TASK [Ensure the NIC is present] ***********************************************
changed: [localhost]

TASK [Ensure the Virtual Machine is present] ***********************************
changed: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=8    changed=7    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
On Azure all the supporting resources must be in place before the virtual machine can be created, which is why the playbook builds the storage account, virtual network, subnet, public IP, network security group and NIC first and only then the VM.
4.4 Workflow summary
```mermaid
graph LR
A[Install the dependencies and the collection] --> B[Configure authentication]
B --> C[Create the azure.yaml playbook]
C --> D[Run the playbook]
```
5. Orchestrating OpenStack with Ansible
5.1 Installation
To control an OpenStack cluster with Ansible, first install openstacksdk:
```shell
$ pip install openstacksdk
```
Then install the OpenStack collection:
```shell
$ ansible-galaxy collection install openstack.cloud
```
5.2 Authentication
Because Ansible uses openstacksdk as its backend, openstacksdk must be able to reach the OpenStack cluster. Edit ~/.config/openstack/clouds.yaml so that it contains an entry for the cloud you want to use. A correct set of OpenStack credentials looks like this (Keystone v3, which every supported release uses; the v2.0 endpoint was removed years ago, and v3 needs the domain names):
```yaml
clouds:
  test_cloud:
    region_name: MyRegion
    auth:
      auth_url: https://[YOUR_AUTH_URL_HERE]:5000/v3
      username: [YOUR_USERNAME_HERE]
      password: [YOUR_PASSWORD_HERE]
      project_name: myProject
      user_domain_name: Default
      project_domain_name: Default
```
A different file location can be selected by exporting the OS_CLIENT_CONFIG_FILE environment variable. Like the other credential files in this guide, this one holds a plaintext password: keep it at mode 0600, or use an application credential (auth_type: v3applicationcredential), which can be revoked without touching the user account.
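Every cloud section so far ends with a credential file written by hand, and the practitioner's first question about each is the same: is it protected, is it complete, and is it the kind of credential you want lying on disk? The following Python check is an added example for this guide (not part of Ansible or of any cloud SDK) that audits those files: permission bits, template placeholders that were never replaced, long-lived AWS keys (AKIA prefix) versus temporary STS keys (ASIA prefix, which are only valid together with a session token), whether ~/sa.json really is a service-account key, and whether the Azure profile stores a user password instead of a service principal. The sample file contents are constructed; the AWS values are the placeholder key pair from AWS's own documentation.

```python
"""Hygiene checks for the credential files this guide writes by hand
(~/.aws/credentials, ~/.azure/credentials, ~/sa.json, clouds.yaml).
Added example, not part of Ansible or of any cloud SDK."""
import configparser
import json
import os
import stat

PLACEHOLDER = "[YOUR_"          # marker used by the templates in this guide


def perm_problems(mode):
    """A credential file should be 0600: no group or other bits at all."""
    return ["readable by group/others (chmod 600)"] if mode & (stat.S_IRWXG | stat.S_IRWXO) else []


def placeholder_problems(text):
    return ["template placeholder never replaced"] if PLACEHOLDER in text else []


def _profile(text, profile):
    cp = configparser.ConfigParser(interpolation=None)   # secrets may contain '%'
    cp.read_string(text)
    return cp[profile] if cp.has_section(profile) else None


def aws_problems(text, profile="default"):
    """AKIA... is a permanent IAM user key; ASIA... is a temporary STS key and
    only works together with aws_session_token."""
    sec = _profile(text, profile)
    if sec is None:
        return [f"profile [{profile}] missing"]
    key, out = sec.get("aws_access_key_id", ""), []
    if key.startswith("AKIA"):
        out.append("long-lived access key; prefer SSO/STS temporary credentials")
    if key.startswith("ASIA") and not sec.get("aws_session_token"):
        out.append("temporary key without aws_session_token")
    if not sec.get("aws_secret_access_key"):
        out.append("aws_secret_access_key missing")
    return out


def azure_problems(text, profile="default"):
    """Prefer a service principal; a user password on disk is the weakest option."""
    sec = _profile(text, profile)
    if sec is None:
        return [f"profile [{profile}] missing"]
    sp = all(sec.get(k) for k in ("subscription_id", "client_id", "secret", "tenant"))
    user = bool(sec.get("ad_user") and sec.get("password"))
    if not (sp or user):
        return ["neither service-principal nor ad_user/password settings are complete"]
    return ["user password stored on disk; prefer a service principal"] if user else []


def gcp_problems(text):
    """~/sa.json must be a service-account key carrying its PEM private key."""
    try:
        data = json.loads(text)
    except ValueError:
        return ["not valid JSON"]
    out = [] if data.get("type") == "service_account" else ["type is not 'service_account'"]
    out += [f"{k} missing" for k in ("project_id", "client_email", "private_key") if not data.get(k)]
    if data.get("private_key") and not str(data["private_key"]).startswith("-----BEGIN"):
        out.append("private_key is not PEM")
    return out


CHECKS = {
    "~/.aws/credentials": aws_problems,
    "~/.azure/credentials": azure_problems,
    "~/sa.json": gcp_problems,
    "~/.config/openstack/clouds.yaml": lambda text: [],   # content is validated by openstacksdk
}


def audit(path):
    """Audit one real file, named by its key in CHECKS; returns a list of problems."""
    full = os.path.expanduser(path)
    try:
        mode = stat.S_IMODE(os.stat(full).st_mode)
        with open(full) as fh:
            text = fh.read()
    except FileNotFoundError:
        return ["file not present"]
    return perm_problems(mode) + placeholder_problems(text) + CHECKS[path](text)


# Constructed samples. The AWS values are the placeholder key pair from AWS's own docs.
SAMPLE_AWS = ("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
              "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
SAMPLE_AZURE = "[default]\nad_user = alice@example.com\npassword = not-a-real-password\n"
SAMPLE_GCP = json.dumps({"type": "service_account", "project_id": "demo-project",
                         "client_email": "ansible@demo-project.iam.gserviceaccount.com",
                         "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB...\n-----END PRIVATE KEY-----\n"})

if __name__ == "__main__":
    for path in CHECKS:
        print(path, audit(path) or ["ok"])
```

Run it on the control node before the first playbook run; an empty list per file means the basic hygiene is in place. The clouds.yaml entry only gets the permission and placeholder checks because openstacksdk already rejects a malformed file, and there is no point re-implementing its parser.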
5.3 Creating the first machine
Because OpenStack is very flexible and many of its components can have different implementations, the Ansible modules that manage it sit at a relatively low level of abstraction. Create a machine as follows:
1. Create the openstack.yaml file with the following content:
```yaml
---
- hosts: localhost
  tasks:
    - name: Ensure the SSH key is present on OpenStack
      openstack.cloud.keypair:
        state: present
        name: ansible_key
        public_key_file: "{{ '~' | expanduser }}/.ssh/id_rsa.pub"
    - name: Ensure we have a CentOS image
      ansible.builtin.get_url:
        url: https://cloud.centos.org/centos/9-stream/x86_64/images/CentOS-Stream-GenericCloud-9-20230424.0.x86_64.qcow2
        dest: /tmp/CentOS-Stream-GenericCloud-9-20230424.0.x86_64.qcow2
        # Pin the download: add "checksum: sha256:<digest>" with the value taken
        # from the CHECKSUM file published next to the image.
    - name: Ensure the CentOS image is in OpenStack
      openstack.cloud.image:
        name: centos
        container_format: bare
        disk_format: qcow2
        state: present
        filename: /tmp/CentOS-Stream-GenericCloud-9-20230424.0.x86_64.qcow2
    - name: Ensure the Network is present
      openstack.cloud.network:
        state: present
        name: mynet
        external: false
        shared: false
      register: net_out
    - name: Ensure the Subnetwork is present
      openstack.cloud.subnet:
        state: present
        network_name: "{{ net_out.network.id }}"
        name: mysubnet
        ip_version: 4
        cidr: 192.168.0.0/24
        gateway_ip: 192.168.0.1
        enable_dhcp: true
        dns_nameservers:
          - 8.8.8.8
    - name: Ensure the Router is present
      openstack.cloud.router:
        state: present
        name: myrouter
        network: nova          # the external (provider) network of this cloud
        external_fixed_ips:
          - subnet: nova
        interfaces:
          - mysubnet
    - name: Ensure the Security Group is present
      openstack.cloud.security_group:
        state: present
        name: mysg
    - name: Ensure the Security Group allows ICMP traffic
      openstack.cloud.security_group_rule:
        security_group: mysg
        protocol: icmp
        remote_ip_prefix: 0.0.0.0/0
    - name: Ensure the Security Group allows SSH traffic
      openstack.cloud.security_group_rule:
        security_group: mysg
        protocol: tcp
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: 0.0.0.0/0   # narrow to your own source range outside a test cloud
    - name: Ensure the Instance exists
      openstack.cloud.server:
        state: present
        name: myInstance
        image: centos
        flavor: m1.small
        security_groups:
          - mysg
        key_name: ansible_key
        nics:
          - net-id: "{{ net_out.network.id }}"
```
2. Run the playbook:
```shell
$ ansible-playbook openstack.yaml
```
The output looks like this:
```text
PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Ensure the SSH key is present on OpenStack] ******************************
changed: [localhost]

TASK [Ensure we have a CentOS image] *******************************************
changed: [localhost]

TASK [Ensure the CentOS image is in OpenStack] *********************************
changed: [localhost]

TASK [Ensure the Network is present] *******************************************
changed: [localhost]

TASK [Ensure the Subnetwork is present] ****************************************
changed: [localhost]

TASK [Ensure the Router is present] ********************************************
changed: [localhost]

TASK [Ensure the Security Group is present] ************************************
changed: [localhost]

TASK [Ensure the Security Group allows ICMP traffic] ***************************
changed: [localhost]

TASK [Ensure the Security Group allows SSH traffic] ****************************
changed: [localhost]

TASK [Ensure the Instance exists] **********************************************
changed: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=11   changed=10   unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```
The process is longer than on the public clouds, but it lets you upload exactly the image you want to run. That freedom is also a supply-chain decision: the playbook fetches the qcow2 from cloud.centos.org over the network and imports it as-is, so give ansible.builtin.get_url a checksum taken from the project's published CHECKSUM file (its checksum parameter accepts sha256:<digest>); otherwise a tampered download silently becomes your base image.
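The AWS, Azure and OpenStack playbooks above share two habits that are fine for a first test and dangerous everywhere else: security-group rules that admit SSH from 0.0.0.0/0 (on Azure by omitting source_address_prefix, which defaults to "*"), and a secret such as an admin password typed straight into a task. The following Python pre-flight lint is an added example for this guide (not part of Ansible or of any collection) that walks a parsed playbook and reports both. It takes the structure that yaml.safe_load() returns for a playbook file; the embedded sample is a constructed, abbreviated copy of the tasks from this guide, and the management-port list (SSH, RDP, WinRM) and the secret parameter names are the author's assumptions.

```python
"""Pre-flight lint for the playbooks in this guide (added example, not part of
Ansible): finds security-group rules that expose management ports to the whole
Internet, and secrets written literally into a task. Feed it the structure that
yaml.safe_load() returns for a playbook file."""
import ipaddress

MGMT_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM (assumed list)
SECRET_KEYS = {"admin_password", "password", "secret", "aws_secret_access_key"}
AWS_SG, AZ_SG, OS_SG = ("amazon.aws.ec2_security_group",
                        "azure.azcollection.azure_rm_securitygroup",
                        "openstack.cloud.security_group_rule")


def is_world(prefix):
    """True for 0.0.0.0/0, ::/0 and the Azure/OpenStack 'any source' spellings."""
    if prefix is None:                        # Azure and OpenStack both default to any source
        return True
    if isinstance(prefix, list):
        return any(is_world(p) for p in prefix)
    text = str(prefix).strip()
    if text in ("*", "Internet", "any"):
        return True
    try:
        return ipaddress.ip_network(text, strict=False).prefixlen == 0
    except ValueError:
        return False                          # service tag, group reference, etc.


def port_range(lo, hi):
    """Inclusive (lo, hi); None, '*' or -1 means every port."""
    if lo in (None, "*", -1) or hi in (None, "*", -1):
        return 0, 65535
    return int(lo), int(hi)


def azure_ports(spec):
    """Azure accepts 22, '22', '22-23', '*' or a list of those."""
    if isinstance(spec, list):
        return [r for item in spec for r in azure_ports(item)]
    if str(spec) == "*":
        return [(0, 65535)]
    lo, _, hi = str(spec).partition("-")
    return [(int(lo), int(hi or lo))]


def exposes_mgmt(ranges):
    return any(lo <= p <= hi for lo, hi in ranges for p in MGMT_PORTS)


def rule_findings(module, p):
    """Yield a message for each ingress rule that opens a management port to everyone."""
    if module == AWS_SG:
        for r in p.get("rules", []):
            proto, src = str(r.get("proto", "tcp")).lower(), r.get("cidr_ip") or r.get("cidr_ipv6")
            if proto.startswith("icmp") or src is None:       # no ports / group-based source
                continue
            rng = [(0, 65535)] if proto in ("all", "-1") else [port_range(r.get("from_port"), r.get("to_port"))]
            if is_world(src) and exposes_mgmt(rng):
                yield f"ingress {r.get('from_port')}-{r.get('to_port')} open to {src}"
    elif module == AZ_SG:
        for r in p.get("rules", []):
            if (r.get("direction", "Inbound"), r.get("access", "Allow")) != ("Inbound", "Allow"):
                continue
            if str(r.get("protocol", "*")).lower() == "icmp":
                continue
            src = r.get("source_address_prefix", r.get("source_address_prefixes"))
            ports = r.get("destination_port_range", r.get("destination_port_ranges", "*"))
            if is_world(src) and exposes_mgmt(azure_ports(ports)):
                yield f"rule {r.get('name')} allows {ports} from {src or '*'}"
    elif module == OS_SG:
        proto = str(p.get("protocol") or "any").lower()
        if p.get("direction", "ingress") == "ingress" and not proto.startswith("icmp"):
            rng = [port_range(p.get("port_range_min"), p.get("port_range_max"))]
            if is_world(p.get("remote_ip_prefix")) and exposes_mgmt(rng):
                yield f"ingress {p.get('port_range_min')}-{p.get('port_range_max')} open to {p.get('remote_ip_prefix') or 'any'}"


def lint_playbook(plays):
    """Return (task name, module, message) for every problem in a parsed playbook."""
    findings = []
    for play in plays:
        for task in play.get("tasks", []):
            name = task.get("name", "<unnamed>")
            for key, params in task.items():
                if not isinstance(params, dict):          # name, register, when, ...
                    continue
                findings.extend((name, key, m) for m in rule_findings(key, params))
                findings.extend((name, key, f"literal secret in '{k}'") for k, v in params.items()
                                if k in SECRET_KEYS and isinstance(v, str) and "{{" not in v)
    return findings


# Constructed sample: abbreviated copies of the security-group and VM tasks above.
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "Ensure wssg Security Group is present", AWS_SG: {"name": "wssg", "rules": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "0.0.0.0/0"},
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "203.0.113.0/24"}]}},
    {"name": "Ensure a Security Group allowing SSH is present", AZ_SG: {"name": "mysg", "rules": [
        {"name": "SSH", "protocol": "Tcp", "destination_port_range": 22, "access": "Allow",
         "priority": 101, "direction": "Inbound"}]}},
    {"name": "Ensure the Security Group allows ICMP traffic",
     OS_SG: {"security_group": "mysg", "protocol": "icmp", "remote_ip_prefix": "0.0.0.0/0"}},
    {"name": "Ensure the Security Group allows SSH traffic",
     OS_SG: {"security_group": "mysg", "protocol": "tcp", "port_range_min": 22,
             "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0"}},
    {"name": "Ensure the Virtual Machine is present",
     "azure.azcollection.azure_rm_virtualmachine": {"name": "myvm01", "admin_username": "azureuser",
                                                    "admin_password": "Password!"}},
]}]

if __name__ == "__main__":
    for task, module, msg in lint_playbook(SAMPLE_PLAYBOOK):
        print(f"{task}: {module}: {msg}")
```

On the sample this reports four problems: the world-open SSH rule in the AWS group (the rule restricted to 203.0.113.0/24 passes), the Azure SSH rule with no source prefix, the OpenStack SSH rule, and the literal admin_password. The ICMP rule is deliberately ignored because it carries no ports. Values that are Jinja expressions ("{{ ... }}") are treated as coming from vault or variables and are not flagged.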
5.4 Workflow summary
```mermaid
graph LR
A[Install openstacksdk and the collection] --> B[Configure authentication]
B --> C[Create the openstack.yaml playbook]
C --> D[Run the playbook]
```
6. Summary
The sections above showed how to automate container and cloud management tasks with Ansible. In short:
| Cloud platform | Installation | Authentication | Creating a machine |
| ---- | ---- | ---- | ---- |
| AWS | boto3 plus the community.aws and amazon.aws collections | ~/.aws/credentials (preferably temporary credentials from SSO/STS) | write and run aws.yaml |
| GCP | requests and google-auth plus the google.cloud collection | service account (environment variables or JSON key file) or machine account | write and run gce.yaml |
| Azure | the azure.azcollection collection plus the Azure SDK for Python from its requirements file | ~/.azure/credentials (service principal, AD user or ADFS) | write and run azure.yaml |
| OpenStack | openstacksdk plus the openstack.cloud collection | ~/.config/openstack/clouds.yaml | write and run openstack.yaml |
In every case the credentials live in a plaintext file on the control node and the playbook decides which ports are reachable from the Internet, so the same two checks apply before a first run on any of these clouds: lock down the credential file and review the security-group rules. With that done, Ansible provides a single, flexible automation layer for public and private clouds alike.