
Ansible Basic Components


1. /etc/ansible/ansible.cfg

- Configuration file

 

2. /etc/ansible/hosts

- Information about the hosts that Ansible connects to

 

3. Options

 

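Option                    Description
-i (--inventory-file)     File listing the hosts the command applies to
-m (--module-name)        Selects the module to run
-k (--ask-pass)           Prompts for the SSH password
-K (--ask-become-pass)    Prompts for the password used to escalate to administrator privileges
--list-hosts              Shows the hosts the command applies to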

 

-i: lets you use an arbitrary inventory file when you want to run a command against specific nodes only

 1) Arbitrary file: test

# Create the test file for testing
[root@Ansible-Server ~]# vi test
172.30.1.11
172.30.1.12

# Communicate only with the two nodes listed in the test file
[root@Ansible-Server ~]# ansible all -i test -m ping -k
SSH password:
172.30.1.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

 

 2) The /etc/ansible/hosts file

# /etc/ansible/hosts file settings
## db-[99:101]-node.example.com
[nginx] # acts as the group name
172.30.1.11
172.30.1.12
172.30.1.13

# Apply the command to the nodes in the nginx group
[root@Ansible-Server ~]# ansible nginx -m ping -k
SSH password:
172.30.1.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.13 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

 

-k: without this option Ansible does not prompt for a password, and because no public key has been exchanged with the nodes, login fails

[root@Ansible-Server ~]# ansible nginx -m ping
172.30.1.11 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
172.30.1.12 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
172.30.1.13 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

 

-K: prompts for the become password used to obtain root user privileges

[root@Ansible-Server ~]# ansible nginx -m ping -k -K
SSH password:
BECOME password[defaults to SSH password]:
172.30.1.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.13 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

 

--list-hosts

# Hosts configured in the /etc/ansible/hosts file
[root@Ansible-Server ~]# ansible nginx -m ping --list-hosts
  hosts (3):
    172.30.1.11
    172.30.1.12
    172.30.1.13

# Hosts configured in the test file
[root@Ansible-Server ~]# ansible all -i test -m ping --list-hosts
  hosts (2):
    172.30.1.11
    172.30.1.12

 


Installing Ansible Core on Ansible-Server


Installing ansible

Error: occurs because no DNS server is configured

 

[root@Ansible-Server ~]# yum install -y ansible
Loaded plugins: fastestmirror
Determining fastest mirrors
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

Cannot find a valid baseurl for repo: base/7/x86_64

 

Fix: configure a DNS server

 

[root@Ansible-Server ~]# vi /etc/resolv.conf

nameserver 168.126.63.1

 

Verify that the DNS server is configured correctly

[root@Ansible-Server ~]# ping google.com
PING google.com (172.217.175.46) 56(84) bytes of data.
64 bytes from nrt20s19-in-f14.1e100.net (172.217.175.46): icmp_seq=1 ttl=114 time=32.0 ms
64 bytes from nrt20s19-in-f14.1e100.net (172.217.175.46): icmp_seq=2 ttl=114 time=31.9 ms

 

Check the repository list

- Installing Ansible fails because none of the configured repositories provides the Ansible package

 

[root@Ansible-Server ~]# yum repolist

repo id                             repo name                             status
base/7/x86_64                       CentOS-7 - Base                       10,072
extras/7/x86_64                     CentOS-7 - Extras                        512
updates/7/x86_64                    CentOS-7 - Updates                     3,842
repolist: 14,426

 

Set up a repository from which the Ansible package can be downloaded

# Install the epel package
[root@Ansible-Server ~]# yum install -y epel-release

 

Download the Ansible package and verify the installation

# Install the ansible package
[root@Ansible-Server ~]# yum install -y ansible

# Check the ansible command
[root@Ansible-Server ~]# ansible
usage: ansible [-h] [--version] [-v] [-b] [--become-method BECOME_METHOD]
               [--become-user BECOME_USER] [-K] [-i INVENTORY] [--list-hosts]
               [-l SUBSET] [-P POLL_INTERVAL] [-B SECONDS] [-o] [-t TREE] [-k]
               [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER]
               [-c CONNECTION] [-T TIMEOUT]
               [--ssh-common-args SSH_COMMON_ARGS]
               [--sftp-extra-args SFTP_EXTRA_ARGS]
               [--scp-extra-args SCP_EXTRA_ARGS]
               [--ssh-extra-args SSH_EXTRA_ARGS] [-C] [--syntax-check] [-D]
               [-e EXTRA_VARS] [--vault-id VAULT_IDS]
               [--ask-vault-pass | --vault-password-file VAULT_PASSWORD_FILES]
               [-f FORKS] [-M MODULE_PATH] [--playbook-dir BASEDIR]
               [-a MODULE_ARGS] [-m MODULE_NAME]
               pattern
ansible: error: too few arguments

 

Checking connectivity

Running an ansible command shows a warning that the host list is empty

[root@Ansible-Server ~]# ansible all -m ping -k
SSH password:
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'

 

Enter the IP addresses of the ansible nodes in the /etc/ansible/hosts file

[root@Ansible-Server ~]# vi /etc/ansible/hosts


## db-[99:101]-node.example.com
[nginx] # acts as the group name
172.30.1.11
172.30.1.12
172.30.1.13

 

 

After running ansible all -m ping, enter yes at each prompt so that the nodes' host keys are accepted and added to known_hosts

[root@Ansible-Server ~]# ansible all -m ping

The authenticity of host '172.30.1.12 (172.30.1.12)' can't be established.
ECDSA key fingerprint is SHA256:eh7uTCrpcvLAs0DeHsU/ue9UXGxxjaqudmhQVhg0juI.
ECDSA key fingerprint is MD5:e1:59:5e:93:ba:f3:ef:2a:c6:6b:8a:56:b9:90:62:cd.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.30.1.13 (172.30.1.13)' can't be established.
ECDSA key fingerprint is SHA256:eh7uTCrpcvLAs0DeHsU/ue9UXGxxjaqudmhQVhg0juI.
ECDSA key fingerprint is MD5:e1:59:5e:93:ba:f3:ef:2a:c6:6b:8a:56:b9:90:62:cd.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '172.30.1.11 (172.30.1.11)' can't be established.
ECDSA key fingerprint is SHA256:eh7uTCrpcvLAs0DeHsU/ue9UXGxxjaqudmhQVhg0juI.
ECDSA key fingerprint is MD5:e1:59:5e:93:ba:f3:ef:2a:c6:6b:8a:56:b9:90:62:cd.
Are you sure you want to continue connecting (yes/no)? yes
172.30.1.12 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.30.1.12' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
yes
172.30.1.13 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.30.1.13' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
yes
172.30.1.11 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Warning: Permanently added '172.30.1.11' (ECDSA) to the list of known hosts.\r\nPermission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
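
The three prompts above are answered with yes without checking the fingerprints, and all three nodes present the same ECDSA fingerprint. The following added example (not part of the original post) compares scanned host keys against pinned fingerprints and flags nodes that share one key. It assumes plain, unhashed "host keytype base64key" lines; the key blobs, the pinned values and the function names are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(key_b64):
    """OpenSSH-style fingerprint: base64(sha256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text):
    """Map host -> fingerprint from 'host keytype base64key' lines."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split()
        if len(parts) < 3:
            continue  # not a complete key line
        host, _keytype, blob = parts[:3]
        keys[host] = fingerprint(blob)
    return keys

def audit(scanned, pinned):
    """Return (mismatched hosts, hosts with no pin, groups of hosts sharing a key)."""
    mismatched = sorted(h for h, fp in scanned.items()
                        if h in pinned and pinned[h] != fp)
    unpinned = sorted(h for h in scanned if h not in pinned)
    by_fp = defaultdict(list)
    for host, fp in scanned.items():
        by_fp[fp].append(host)
    shared = sorted(sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1)
    return mismatched, unpinned, shared

# Constructed sample data: placeholder blobs, not real ECDSA host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_SCAN = f"""# constructed scan output
172.30.1.11 ecdsa-sha2-nistp256 {KEY_A}
172.30.1.12 ecdsa-sha2-nistp256 {KEY_A}
172.30.1.13 ecdsa-sha2-nistp256 {KEY_B}
"""

if __name__ == "__main__":
    pinned = {"172.30.1.11": fingerprint(KEY_A), "172.30.1.13": fingerprint(KEY_A)}
    mismatched, unpinned, shared = audit(parse_scan(SAMPLE_SCAN), pinned)
    print("fingerprint mismatch:", mismatched)
    print("no pinned fingerprint:", unpinned)
    print("hosts sharing one key:", shared)
```

A host in the mismatch list should not be accepted until its key has been checked on the node's console; hosts sharing one key cannot be told apart by SSH.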

 

With the host keys exchanged, confirm that communication with the nodes now works normally

[root@Ansible-Server ~]# ansible all -m ping -k
SSH password: #1234
172.30.1.11 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.13 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
172.30.1.12 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
