Ansible servers/groups in development/production


Question

I'm in a situation where I can't see the proper approach to use. I have multiple servers assigned various roles, distributed across several groups. I'm experiencing some difficulty with group_vars in my local Vagrant environment when contrasted with the production/staging environments. In production, there are a bunch more servers that are assigned fewer groups. In my Vagrant environment, I have fewer machines that are assigned more roles/groups each. I have one machine in particular that is a member of a bunch of groups, and each group has its own variable, "tcp_ports", which lists the ports that should be opened in my iptables role for servers that are members of that group. The problem is, of course, that Ansible will not automatically merge this variable across all group_vars.

My solution so far has been to rename the variable tcp_ports_<group name> and then, in my iptables role, I have the following task:

- name: Combine tcp_ports_<group> into tcp_ports
  set_fact:
    tcp_ports: "{{ tcp_ports|default([])|union(hostvars[inventory_hostname]['tcp_ports_' + item]|default([])) }}"
  with_items: "{{ group_names }}"

...which aggregates the tcp_vars_<group> group vars into tcp_ports for all the groups the current machine is a member of. This works... but it feels dirty. I know about enabling merge mode in ansible.cfg, but this project is enormous, and I don't want to make such a fundamental change to Ansible's operation, because of the time-consuming test phase of making sure things don't break. I've also read the mantra "fiddling with group_vars means you're doing it wrong," which I'm convinced I am... I just don't know how to do it right in this case.

Anyone out there fixed this in a more appropriate way?

Recommended answer

You can make an iptables_config role and define supported service groups there like this:

service_ports:
  web:
    - 80
    - 443
  node:
    - 3000
  mysql:
    - 3128

And make a rule like this:

- debug: msg="allow port {{ item }}"
  with_items: "{{ group_names | intersect(service_ports.keys()) | map('extract',service_ports) | sum(start=[]) }}"

So when you apply the role iptables_config, the intersection of the current host's group names and the known service names is made, and the ports defined for these services are looped over.
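
An added example, not part of the answer above: the same filter chain written as a tasks file for the iptables_config role, with the debug task replaced by real rules. The fact name iptables_tcp_ports, the file layout (tasks/main.yml, with service_ports in defaults/main.yml) and the rule comment text are assumptions.

```yaml
# roles/iptables_config/tasks/main.yml (added example; path and fact name are assumptions)
# service_ports is expected in the role's defaults/main.yml, as in the answer.

- name: Collect TCP ports for every known service group this host belongs to
  ansible.builtin.set_fact:
    # Same chain as the answer, plus `unique`: a host that sits in several
    # overlapping groups (the Vagrant case) gets one rule per port.
    # A host whose groups match no key in service_ports gets [], so nothing is opened.
    iptables_tcp_ports: >-
      {{ group_names
         | intersect(service_ports.keys() | list)
         | map('extract', service_ports)
         | sum(start=[])
         | unique }}

- name: Stop before touching the firewall if a port value is not a valid TCP port
  ansible.builtin.assert:
    that:
      - item is number
      - item >= 1
      - item <= 65535
    fail_msg: "service_ports contains an invalid port: {{ item }}"
    quiet: true
  loop: "{{ iptables_tcp_ports }}"

- name: Show which ports will be opened on this host
  ansible.builtin.debug:
    msg: "{{ inventory_hostname }} ({{ group_names | join(', ') }}) -> {{ iptables_tcp_ports }}"

- name: Allow new inbound TCP connections on the collected ports
  ansible.builtin.iptables:
    chain: INPUT
    protocol: tcp
    destination_port: "{{ item }}"
    ctstate: NEW
    jump: ACCEPT
    comment: "iptables_config service port {{ item }}"
  loop: "{{ iptables_tcp_ports }}"
  become: true
```

Running the play with --check first prints the per-host port list from the debug task without changing any rules, which makes it easy to compare the Vagrant and production inventories.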
