文章总结: 本文深度解析AnsibleInventory配置,涵盖静态与动态格式及云平台插件。重点阐述多环境架构、变量继承与AnsibleVault加密等最佳实践,提供自动化生成与验证脚本。建议通过规范化Inventory管理提升运维效率与基础设施安全性,确保自动化部署的可靠性与扩展性。 综合评分: 92 文章分类: 安全建设,安全工具,云安全,安全运营
Ansible Inventory 文件深度解析
原创
刘军军 刘军军
运维星火燎原
2026年2月5日 00:01 天津
Inventory 架构全景
- 静态Inventory文件
1.1 INI格式Inventory
# inventory.ini - 基础示例
[webservers]
web1.example.com ansible_host=192.168.1.10
web2.example.com ansible_host=192.168.1.11
[dbservers]
db1.example.com ansible_host=192.168.1.20
db2.example.com ansible_host=192.168.1.21
# 端口和用户配置
[production:children]
webservers
dbservers
[production:vars]
ansible_user=deploy
ansible_port=22
ansible_private_key_file=~/.ssh/deploy_key
# 特定主机变量
[webservers:vars]
nginx_version=1.18
app_env=production
[dbservers:vars]
mysql_version=8.0
database_name=myapp_prod
1.2 YAML格式Inventory
# inventory.yml-YAML格式
all:
children:
webservers:
hosts:
web1.example.com:
ansible_host: 192.168.1.10
nginx_version: 1.18
web2.example.com:
ansible_host: 192.168.1.11
nginx_version: 1.18
vars:
app_env: production
service_port: 80
dbservers:
hosts:
db1.example.com:
ansible_host: 192.168.1.20
mysql_version: 8.0
db2.example.com:
ansible_host: 192.168.1.21
mysql_version: 8.0
vars:
database_name: myapp_prod
replication: enabled
production:
children:
webservers
dbservers
vars:
ansible_user: deploy
environment: production
development:
hosts:
dev1.example.com:
ansible_host: 192.168.2.10
dev2.example.com:
ansible_host: 192.168.2.11
vars:
environment: development
ansible_user: developer
- 动态Inventory
2.1 动态Inventory脚本示例
#!/usr/bin/env python3
# dynamic_inventory.py
"""
企业级动态Inventory脚本
支持多数据源、缓存、故障转移
"""
import json
import argparse
import os
import requests
from cachetools import TTLCache
from typing import Dict, List, Any
class DynamicInventory:
def __init__(self):
self.cache = TTLCache(maxsize=1000, ttl=300)
def get_inventory(self) -> Dict[str, Any]:
"""获取完整的Inventory数据"""
parser = argparse.ArgumentParser()
parser.add_argument('--list', action='store_true')
parser.add_argument('--host')
args = parser.parse_args()
if args.list:
return self._get_all_hosts()
elif args.host:
return self._get_host_vars(args.host)
else:
return {}
def _get_all_hosts(self) -> Dict[str, Any]:
"""获取所有主机和组"""
try:
# 从CMDB或云平台获取数据
inventory = {
'_meta': {'hostvars': {}},
'all': {'children': ['ungrouped']},
'webservers': {'hosts': []},
'dbservers': {'hosts': []},
'production': {'children': ['webservers', 'dbservers']}
}
# 模拟从API获取数据
hosts_data = self._fetch_hosts_from_api()
for host in hosts_data:
hostname = host['name']
groups = self._determine_groups(host)
# 添加主机变量
inventory['_meta']['hostvars'][hostname] = {
'ansible_host': host['ip'],
'ansible_user': host.get('user', 'ubuntu'),
'ansible_port': host.get('port', 22),
'environment': host['environment'],
'role': host['role']
}
# 添加到组
for group in groups:
if group notin inventory:
inventory[group] = {'hosts': []}
inventory[group]['hosts'].append(hostname)
return inventory
except Exception as e:
# 故障转移:返回空Inventory
return {'_meta': {'hostvars': {}}}
def _get_host_vars(self, hostname: str) -> Dict[str, Any]:
"""获取特定主机的变量"""
# 这里可以实现从数据库或API获取主机特定变量
return {}
def _fetch_hosts_from_api(self) -> List[Dict]:
"""从API获取主机数据(示例)"""
return [
{'name': 'web1', 'ip': '192.168.1.10', 'environment': 'production', 'role': 'web'},
{'name': 'web2', 'ip': '192.168.1.11', 'environment': 'production', 'role': 'web'},
{'name': 'db1', 'ip': '192.168.1.20', 'environment': 'production', 'role': 'db'},
{'name': 'db2', 'ip': '192.168.1.21', 'environment': 'production', 'role': 'db'}
]
if __name__ == '__main__':
inventory = DynamicInventory()
print(json.dumps(inventory.get_inventory(), indent=2))
2.2 使用云平台Inventory插件
AWS EC2 Inventory
# ansible.cfg 配置
[inventory]
enable_plugins = aws_ec2
# inventory/ec2.ini
[default]
regions = us-east-1, us-west-2
regions_exclude =
destination_variable = private_ip_address
vpc_destination_variable = private_ip_address
hostname_variable = private_ip_address
[credentials]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
[ec2]
filters = tag:Environment=production
group_by_tag_keys = Environment, Role
Azure RM Inventory
# azure_rm.yml
plugin: azure.azcollection.azure_rm
include_vm_resource_groups:
- my-production-rg
- my-staging-rg
auth_source: auto
keyed_groups:
- key: tags.Environment
prefix: env
- key: tags.Role
prefix: role
hostvar_expressions:
ansible_host: private_ip
- 企业级Inventory架构
3.1 多环境Inventory结构
inventory/
├── production/
│ ├── hosts # 生产环境主机
│ ├── group_vars/
│ │ ├── all.yml # 全局变量
│ │ ├── webservers.yml # Web服务器变量
│ │ └── dbservers.yml # 数据库变量
│ └── host_vars/
│ ├── web1.yml # 特定主机变量
│ └── db1.yml
├── staging/
│ ├── hosts
│ └── group_vars/
└── development/
├── hosts
└── group_vars/
3.2 分组变量配置
# inventory/production/group_vars/all.yml
---
# 全局变量
ansible_user: deploy
ansible_ssh_private_key_file: ~/.ssh/deploy_key
environment: production
timezone: UTC
domain: example.com
# 网络配置
dns_servers:
- 8.8.8.8
- 1.1.1.1
# 软件版本
nginx_version: 1.18.0
mysql_version: 8.0.26
python_version: 3.8
# inventory/production/group_vars/webservers.yml
---
# Web服务器组变量
web_port:80
ssl_port:443
app_name: myapp_production
log_level: info
nginx_config:
worker_processes: auto
worker_connections:1024
keepalive_timeout:65
# inventory/production/host_vars/web1.yml
---
# 特定主机变量
hostname: web1-prod
ip_address:192.168.1.10
rack: A
position: 1
nginx:
sites:
- name: main_site
domain: example.com
root: /var/www/html
- 高级Inventory特性
4.1 模式匹配和范围
# 使用模式匹配
[webservers]
web[01:10].example.com # web01 到 web10
[databases]
db-[a:c].example.com # db-a, db-b, db-c
# 使用别名
web1 ansible_host=192.168.1.10 ansible_user=deploy
web2 ansible_host=192.168.1.11 ansible_user=deploy
# 端口和连接设置
[all:vars]
ansible_port=22
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_ssh_extra_args='-o ConnectTimeout=30'
4.2 变量优先级和继承
# 变量继承顺序(从高到低):
# 1. 主机变量 (host_vars/)
# 2. 组变量 (group_vars/)
# 3. Inventory变量
# 4. 全局变量
# 使用变量继承
all:
vars:
common_packages: [curl, wget, vim]
children:
base_servers:
vars:
base_packages: [htop, iotop]
children:
webservers:
hosts:
web1:
vars:
specific_packages: [nginx]
4.3 条件分组
# 基于标签的条件分组
[tag_environment_production:children]
webservers
dbservers
[tag_role_web:children]
webservers
[tag_role_db:children]
dbservers
# 基于自定义条件的组
[multi_zone:children]
us_east_1a
us_east_1b
[us_east_1a]
host1 zone=us-east-1a
[us_east_1b]
host2 zone=us-east-1b
- Inventory管理最佳实践
5.1 版本控制和审计
# Git仓库结构
inventory/
├── .gitignore
├── README.md
├── production/
├── staging/
└── development/
# 使用Ansible Vault加密敏感数据
ansible-vault create inventory/production/group_vars/vault.yml
# vault.yml内容
---
db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
366664653...
api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
633833323...
5.2 自动化Inventory生成
#!/usr/bin/env python3
# generate_inventory.py
"""
自动化生成Inventory文件
从CMDB、云平台、数据库等多数据源聚合
"""
import yaml
import json
from datetime import datetime
class InventoryGenerator:
def __init__(self, sources):
self.sources = sources
def generate_inventory(self):
"""生成完整的Inventory"""
inventory = {
'all': {
'children': {},
'vars': self._get_global_vars()
}
}
# 从各数据源收集主机信息
all_hosts = {}
for source in self.sources:
hosts = self._fetch_from_source(source)
all_hosts.update(hosts)
# 构建分组结构
groups = self._build_groups(all_hosts)
inventory['all']['children'] = groups
return inventory
def save_to_file(self, filename):
"""保存到文件"""
inventory = self.generate_inventory()
with open(filename, 'w') as f:
yaml.dump(inventory, f, default_flow_style=False)
print(f"Inventory generated: {filename}")
5.3 验证和测试
# tests/test_inventory.yml
---
- name: Test Inventory Configuration
hosts: localhost
tasks:
- name: Validate inventory syntax
command: ansible-inventory -i inventory/production/ --list
register: inventory_output
changed_when: false
- name: Check for duplicate hosts
shell: |
ansible-inventory -i inventory/production/ --list |
jq '._meta.hostvars | keys | .[]' | sort | uniq -d
register: duplicates
failed_when: duplicates.stdout != ""
- name: Verify host connectivity
wait_for:
host:"{{ item }}"
port:22
timeout:30
loop: "{{ groups['all'] }}"
async: 45
poll: 0
- 常用Inventory命令
6.1 查看和验证命令
# 查看完整Inventory
ansible-inventory -i inventory/production/ --list
# 以图形方式显示
ansible-inventory -i inventory/production/ --graph
# 查看特定主机的变量
ansible-inventory -i inventory/production/ --host web1.example.com
# 检查语法
ansible-inventory -i inventory/production/ --list --yaml
# 导出为JSON
ansible-inventory -i inventory/production/ --list --output inventory.json
6.2 基于Inventory的执行
# 针对特定组执行
ansible webservers -i inventory/production/ -m ping
# 使用模式匹配
ansible 'web*' -i inventory/production/ -m shell -a 'hostname'
# 限制执行范围
ansible all -i inventory/production/ --limit 'webservers:!web1'
# 使用标签过滤
ansible all -i inventory/production/ --list-hosts --tag environment=production
Ansible Inventory指南涵盖了从基础到高级的所有方面,包括静态和动态Inventory、企业级架构、最佳实践和实用命令。
免责声明:
本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。
任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。
本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我。
本文转载自:运维星火燎原 刘军军 刘军军《Ansible Inventory 文件深度解析》
版权声明
本站仅做备份收录,仅供研究与教学参考之用。
读者将信息用于其他用途的,全部法律及连带责任由读者自行承担,本站不承担任何责任。
评论