开发/生产中的 Ansible 服务器/组 [英] Ansible servers/groups in development/production

问题描述

我无法看到正确的使用方法.我有多个服务器分配了不同的角色，分布在多个组中.与生产/登台环境相比，我在本地 Vagrant 环境中使用 group_vars 时遇到了一些困难.在生产中，有更多的服务器，分配的组更少.在我的 Vagrant 环境中，我有更少的机器，每个机器分配了更多的角色/组.我有一台机器，它是一组组的成员，每个组都有自己的变量tcp_ports"，它列出了应该在我的 iptables 角色中为该组成员的服务器打开的端口.当然，问题是 Ansible 不会自动将这个变量合并到所有 group_vars 中.

I'm in a situation where I can't see the proper approach to use. I have multiple servers assigned various roles, distributed across several groups. I'm experiencing some difficulty with group_vars in my local Vagrant environment when contrasted with the production/staging environments. In production, there are a bunch more servers, that are assigned fewer groups. In my Vagrant environment, I have fewer machines that are assigned more roles/groups each. I have one machine in particular that is member of a bunch of groups, and each group has its own variable, "tcp_ports", which lists the ports that should be opened in my iptables role for servers that are members of that group. The problem is, of course, that Ansible will not automatically merge this variable across all group_vars.

到目前为止，我的解决方案是重命名变量 tcp_ports_ 然后，在我的 iptables 角色中，我有以下任务:

My solution so far has been to rename the variable tcp_ports_<group name> and then, in my iptables role, I have the following task:

- name: Combine tcp_ports_<group> into tcp_ports
  set_fact:
    tcp_ports: "{{ tcp_ports|default([])|union(hostvars[inventory_hostname]['tcp_ports_' + item]|default([])) }}"
  with_items: "{{ group_names }}"

...将 tcp_vars_ 组变量聚合到 tcp_ports 中，用于当前机器所属的所有组.这有效......但感觉很脏.我知道在 ansible.cfg 中启用合并模式，但这个项目是巨大的，我不想对 Ansible 的操作进行如此根本的改变，因为确保事情不会中断的耗时测试阶段.我也读过一句口头禅摆弄 group_vars 意味着你做错了"，我相信我是......我只是不知道如何做到这一点案件.

...which aggregates the tcp_vars_<group> group vars into tcp_ports for all the groups the current machine is member of. This works... but it feels dirty. I know about enabling merge mode in ansible.cfg, but this project is enormous, and I don't want to make such a fundamental change to Ansible's operation, because of the time consuming test phase of making sure things don't break. I've also read the mantra "fiddling with group_vars means you're doing it wrong," which I'm convinced I am... I just don't know how to do it right in this case.

有没有人用更合适的方式解决这个问题?

Anyone out there fixed this in a more appropriate way?

推荐答案

您可以创建 iptables_config 角色并定义支持的服务组，如下所示:

You can make iptables_config role and define supported service groups there like this:

service_ports:
  web:
    - 80
    - 443
  node:
    - 3000
  mysql:
    - 3128

并制定如下规则:

- debug: msg="allow port {{ item }}"
  with_items: "{{ group_names | intersect(service_ports.keys()) | map('extract',service_ports) | sum(start=[]) }}"

因此，当您应用角色 iptables_config 时，会生成当前主机组名称和已知服务名称的交集，并循环为这些服务定义的端口.

So when you apply role iptables_config, intersection of current host groups names and known services names is made and ports defined for these services are looped.

这篇关于开发/生产中的 Ansible 服务器/组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！