19.3.7 Configuration Management Tool Selection and Integration (Ansible/SaltStack, etc.)
Configuration management tool selection should be organised around four core goals: standardisation, scalability, auditability and ease of integration. The evaluation dimensions are: coverage of supported operating systems and middleware; execution model (push/pull); idempotence and state-management capability; module/plugin ecosystem; ease of integration with the CMDB, ticketing and release systems; permission and audit capabilities; learning and maintenance cost. For general scenarios Ansible (agentless over SSH) is the first candidate; SaltStack suits large-scale concurrency and event-driven operation; Puppet/Chef suit declarative configuration with complex dependencies.
Principle sketch (single source of configuration, unified execution entry point, closed audit loop):
I. Tool installation and minimal working example (Ansible)
1) Installation and version check:
# CentOS/RHEL
sudo yum install -y epel-release
sudo yum install -y ansible
# Ubuntu/Debian
sudo apt update
sudo apt install -y ansible
ansible --version
2) Directory structure and sample inventory:
mkdir -p /opt/cm/ansible/{inventories,roles,playbooks,group_vars,logs}
cat >/opt/cm/ansible/inventories/prod.ini <<'EOF'
[web]
10.0.1.10
10.0.1.11
[db]
10.0.2.10
[all:vars]
ansible_user=ops
ansible_ssh_private_key_file=/home/ops/.ssh/id_rsa
EOF
3) Minimal playbook (install and configure Nginx):
# /opt/cm/ansible/playbooks/nginx.yml
- name: Install and configure Nginx
  hosts: web
  become: yes
  vars:
    nginx_port: 80
  tasks:
    - name: Install nginx
      yum:
        name: nginx
        state: present
    - name: Configure nginx
      copy:
        dest: /etc/nginx/conf.d/default.conf
        content: |
          server {
            listen {{ nginx_port }};
            server_name _;
            location / {
              return 200 "nginx ok\n";
            }
          }
      # a changed config file is only picked up after a reload
      notify: Reload nginx
    - name: Ensure nginx started
      service:
        name: nginx
        state: started
        enabled: yes
  handlers:
    - name: Reload nginx
      service:
        name: nginx
        state: reloaded
4) Run and dry run (--check reports what would change without changing it):
cd /opt/cm/ansible
ansible -i inventories/prod.ini web -m ping
ansible-playbook -i inventories/prod.ini playbooks/nginx.yml --check
ansible-playbook -i inventories/prod.ini playbooks/nginx.yml
Expected result: a request to http://10.0.1.10/ returns nginx ok.
II. Tool installation and minimal working example (SaltStack)
1) Install Master/Minion:
# Master
sudo yum install -y salt-master
sudo systemctl enable --now salt-master
# Minion
sudo yum install -y salt-minion
sudo sed -i 's/#master: salt/master: 10.0.0.10/' /etc/salt/minion
sudo systemctl enable --now salt-minion
2) Accept the Minion key and push configuration:
# Master
sudo salt-key -L
sudo salt-key -A
# Test connectivity
sudo salt '*' test.ping
3) Minimal state (nginx.sls):
# /srv/salt/nginx.sls
nginx_pkg:
  pkg.installed:
    - name: nginx

nginx_conf:
  file.managed:
    - name: /etc/nginx/conf.d/default.conf
    - contents: |
        server {
          listen 80;
          server_name _;
          location / {
            return 200 "nginx ok\n";
          }
        }
    - require:
      - pkg: nginx_pkg

nginx_service:
  service.running:
    - name: nginx
    - enable: True
    - require:
      - file: nginx_conf
    # restart the service whenever the managed config file changes
    - watch:
      - file: nginx_conf
4) Apply:
sudo salt '*' state.apply nginx
III. Integration example (CMDB dynamic inventory + Git)
1) Dynamic inventory script (illustrative):
#!/usr/bin/env python3
# /opt/cm/ansible/inventories/cmdb.py
# Illustrative only: host data is hard-coded here in place of a CMDB query.
import json
import sys

data = {
    "web": {"hosts": ["10.0.1.10", "10.0.1.11"]},
    "db": {"hosts": ["10.0.2.10"]},
    "_meta": {"hostvars": {"10.0.1.10": {"ansible_user": "ops"}}}
}

# Ansible invokes the script with --list; because _meta.hostvars is present it
# will not call --host per host, but answer that form too for completeness.
if len(sys.argv) > 2 and sys.argv[1] == "--host":
    print(json.dumps(data["_meta"]["hostvars"].get(sys.argv[2], {})))
else:
    print(json.dumps(data))
2) Use the dynamic inventory:
chmod +x /opt/cm/ansible/inventories/cmdb.py
ansible -i /opt/cm/ansible/inventories/cmdb.py web -m ping
3) Git versioning and rollback:
cd /opt/cm/ansible
git init
git add .
git commit -m "init ansible config"
# roll back to the previous version
git log --oneline
git reset --hard HEAD~1
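The illustrative script above hard-codes its hosts. The following added example (not from the page) shows the shape a real CMDB-backed inventory takes: it reads a CMDB export (a JSON list of records with the assumed fields "ip", "role", "env" and "ssh_user"; a local file stands in for the CMDB API, and an embedded constructed sample is used when none is given), groups hosts by role and by environment so that group_vars/prod.yml and group_vars/staging.yml apply, and answers both the --list and --host calls Ansible makes. File name, environment variable CMDB_EXPORT and the record fields are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Dynamic inventory built from CMDB records (added example, not the page's
script). Run as `cmdb_inventory.py --list` or `cmdb_inventory.py --host <ip>`."""
import json
import os
import sys

# Constructed sample CMDB export, used when CMDB_EXPORT is not set.
SAMPLE_RECORDS = [
    {"ip": "10.0.1.10", "role": "web", "env": "prod", "ssh_user": "ops"},
    {"ip": "10.0.1.11", "role": "web", "env": "prod", "ssh_user": "ops"},
    {"ip": "10.0.2.10", "role": "db", "env": "prod", "ssh_user": "ops"},
    {"ip": "10.0.3.10", "role": "web", "env": "staging", "ssh_user": "ops"},
]


def build_inventory(records):
    """Turn CMDB records into the JSON structure Ansible expects from --list.

    Every host lands in two groups (its role and its environment); per-host
    SSH settings go into _meta.hostvars so Ansible never needs --host.
    """
    inventory = {"_meta": {"hostvars": {}}}
    for rec in records:
        ip = rec["ip"]
        for group in (rec["role"], rec["env"]):
            inventory.setdefault(group, {"hosts": []})
            if ip not in inventory[group]["hosts"]:
                inventory[group]["hosts"].append(ip)
        inventory["_meta"]["hostvars"][ip] = {"ansible_user": rec["ssh_user"]}
    # Sorted host lists give stable, diff-friendly output for auditing.
    for group, data in inventory.items():
        if group != "_meta":
            data["hosts"].sort()
    return inventory


def load_records(path=None):
    """Read the CMDB export from a local JSON file; fall back to the sample."""
    if path and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return SAMPLE_RECORDS


def main(argv):
    inventory = build_inventory(load_records(os.environ.get("CMDB_EXPORT")))
    if len(argv) > 2 and argv[1] == "--host":
        print(json.dumps(inventory["_meta"]["hostvars"].get(argv[2], {})))
    else:
        print(json.dumps(inventory, indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Point Ansible at it the same way as the page's script (`ansible -i cmdb_inventory.py web -m ping`); keeping the export file itself under Git alongside the playbooks gives the audit trail the selection criteria ask for.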
IV. Execution strategy example (baseline + application configuration)
Baseline role example (SSH, timezone, kernel parameters):
# /opt/cm/ansible/roles/baseline/tasks/main.yml
- name: Set timezone
  command: timedatectl set-timezone Asia/Shanghai
- name: Ensure sshd config
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    # reject the edit if sshd cannot parse the resulting file
    validate: '/usr/sbin/sshd -t -f %s'
- name: Reload sshd
  service:
    name: sshd
    state: reloaded
Application configuration example (MySQL port overridden per environment; a file under group_vars applies only to the inventory group of the same name, so each environment's inventory needs a prod or staging group):
# /opt/cm/ansible/group_vars/prod.yml
mysql_port: 3306
# /opt/cm/ansible/group_vars/staging.yml
mysql_port: 3307
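Because a group_vars file is silently ignored when no inventory group carries its name, it is worth checking the mapping before a run. The following added example (not from the page) parses the INI-style inventory shown in this section, reports group_vars files that match no group, and shows which mysql_port a host would receive. The precedence modelled is simplified (group_vars/all.yml first, then each group containing the host in inventory order); Ansible's full rules, such as child groups overriding parents and host_vars overriding group_vars, are not reproduced. The inventory texts and the GROUP_VARS dict are constructed inputs.

```python
"""Lint group_vars against an INI inventory and resolve a variable for a host.
Added example, not part of the page. Precedence is simplified (see lead-in)."""
import re

# [name], [name:vars] or [name:children]
SECTION_RE = re.compile(r"^\[([^\]:]+)(?::(vars|children))?\]$")

# Constructed inputs: the page's prod.ini, a corrected copy with a "prod"
# parent group, and a stand-in for the files under group_vars/.
PROD_INI = """[web]
10.0.1.10
10.0.1.11
[db]
10.0.2.10
[all:vars]
ansible_user=ops
"""
PROD_INI_FIXED = PROD_INI + "[prod:children]\nweb\ndb\n"
GROUP_VARS = {"prod": {"mysql_port": 3306}, "staging": {"mysql_port": 3307}}


def parse_inventory(text):
    """Return {group: [hosts]}; :vars blocks are skipped and :children blocks
    are expanded so a parent group contains every host of its children."""
    groups, children = {}, {}
    current, kind = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current, kind = m.group(1), m.group(2)
            if kind != "vars":
                groups.setdefault(current, [])
            continue
        if current is None or kind == "vars":
            continue
        if kind == "children":
            children.setdefault(current, []).append(line)
        else:
            groups[current].append(line.split()[0])  # drop inline host vars
    changed = True  # expand children to a fixed point (handles nesting)
    while changed:
        changed = False
        for parent, kids in children.items():
            for kid in kids:
                for host in groups.get(kid, []):
                    if host not in groups[parent]:
                        groups[parent].append(host)
                        changed = True
    return groups


def orphan_group_vars(groups, group_vars):
    """group_vars names that match no inventory group: they apply to nothing."""
    known = set(groups) | {"all"}
    return sorted(name for name in group_vars if name not in known)


def effective_vars(groups, group_vars, host):
    """Merge group_vars for every group containing host (simplified precedence)."""
    merged = dict(group_vars.get("all", {}))
    for group, hosts in groups.items():
        if host in hosts:
            merged.update(group_vars.get(group, {}))
    return merged


if __name__ == "__main__":
    for label, ini in (("prod.ini", PROD_INI), ("prod.ini fixed", PROD_INI_FIXED)):
        g = parse_inventory(ini)
        print(label, "orphaned group_vars:", orphan_group_vars(g, GROUP_VARS))
        print(label, "10.0.2.10 ->", effective_vars(g, GROUP_VARS, "10.0.2.10"))
```

With the page's prod.ini both prod.yml and staging.yml are orphaned and the db host gets no mysql_port at all; adding a `[prod:children]` group makes 3306 land where the section intends.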
V. Common troubleshooting (with commands)
1) SSH unreachable:
ansible -i inventories/prod.ini web -m ping -vvv
# check host connectivity directly
ssh -i /home/ops/.ssh/id_rsa ops@10.0.1.10 "hostname"
2) Insufficient privileges:
# use become to escalate privileges
ansible-playbook -i inventories/prod.ini playbooks/nginx.yml -b
3) Module unavailable or dependency missing:
ansible-doc -l | grep nginx
python3 -m pip install --upgrade ansible
4) SaltStack key not accepted:
sudo salt-key -L
sudo salt-key -A
sudo salt '*' test.ping
VI. Architecture and security boundary example (keys/audit)
VII. Exercises (hands-on)
1) Complete the minimal Ansible and SaltStack deployments on two virtual machines and compare execution times.
2) Add the variable nginx_port for Nginx and verify that the port differs between the prod and staging environments.
3) Change the dynamic inventory to read from an API (a local JSON file may simulate it) and trigger one playbook run from CI.
4) Simulate drift detection: manually modify the Nginx configuration on a target host, use --check to verify the difference, then roll back.
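The --check dry run in section I step 4 and exercise 4 both rely on reading the playbook output to tell drift from a clean run. The following added example (not from the page) turns that into something CI can act on: it parses ansible-playbook output, records which tasks reported `changed` for which host, reads the PLAY RECAP counters, and maps them to an exit code (0 clean, 2 drift, 1 unreachable or failed hosts). The embedded output is a constructed sample of the page's Nginx playbook run with --check after one host's config was edited by hand; pipe a real run in on stdin to use it for real.

```python
"""Drift detection from `ansible-playbook --check` output (added example,
not from the page). Usage: ansible-playbook ... --check | python3 drift_check.py"""
import re
import sys

TASK_RE = re.compile(r"^TASK \[(.+?)\] \*+$")
RESULT_RE = re.compile(r"^(ok|changed|failed|fatal|skipping|unreachable): \[([^\]\s]+)\]")
RECAP_RE = re.compile(r"^(\S+)\s+:\s+(.*)$")

# Constructed sample: the page's nginx.yml run with --check after
# /etc/nginx/conf.d/default.conf was hand-edited on 10.0.1.10.
SAMPLE_OUTPUT = """
PLAY [Install and configure Nginx] *********************************************

TASK [Gathering Facts] *********************************************************
ok: [10.0.1.10]
ok: [10.0.1.11]

TASK [Install nginx] ***********************************************************
ok: [10.0.1.10]
ok: [10.0.1.11]

TASK [Configure nginx] *********************************************************
changed: [10.0.1.10]
ok: [10.0.1.11]

TASK [Ensure nginx started] ****************************************************
ok: [10.0.1.10]
ok: [10.0.1.11]

PLAY RECAP *********************************************************************
10.0.1.10                  : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
10.0.1.11                  : ok=4    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
"""


def parse_check_output(text):
    """Return (drift, recap). drift: host -> tasks that reported 'changed';
    recap: host -> counters parsed from the PLAY RECAP block."""
    drift, recap, task, in_recap = {}, {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if in_recap:
            m = RECAP_RE.match(line)
            if m:
                counters = re.findall(r"(\w+)=(\d+)", m.group(2))
                recap[m.group(1)] = {k: int(v) for k, v in counters}
            continue
        m = TASK_RE.match(line)
        if m:
            task = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m and m.group(1) == "changed" and task:
            drift.setdefault(m.group(2), []).append(task)
    return drift, recap


def ci_exit_code(recap):
    """1: a host was unreachable or failed (investigate before trusting the
    result); 2: at least one host would change (drift); 0: everything matches."""
    if any(c.get("unreachable", 0) or c.get("failed", 0) for c in recap.values()):
        return 1
    if any(c.get("changed", 0) for c in recap.values()):
        return 2
    return 0


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    drift, recap = parse_check_output(text)
    for host, tasks in sorted(drift.items()):
        print(f"drift on {host}: {', '.join(tasks)}")
    sys.exit(ci_exit_code(recap))
```

Run the check with `--diff` as well when you want the exact configuration difference in the same output; the recap counters are unaffected. Note that `command:` tasks such as the baseline role's timedatectl call are skipped in check mode, so drift in anything they manage is not reported this way.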