
Ansible - Using a Role to test whether ports are open

When network administrators verify that a firewall change has taken effect, they usually have to log in to the host and check with telnet or nc. Some operating systems do not ship those packages and cannot install them quickly, and a faster way of checking is wanted, so we run the check with Ansible from a jump host (bastion or capsule). This role generates a check script according to the user's settings and, to avoid missing modules on lightweight operating systems such as CoreOS, distributes it with synchronize and then executes it.

1. Requirements

  • ansible package
  • rsync package

2. Installation

git clone https://github.com/JeffWen0105/ansible_role_check_ports.git
cd ansible_role_check_ports
Source code
The source code is on HowHow's GitHub page.

3. Directory tree

[howhow@howhow-pc ansible_role_check_ports]$ tree -F .
./
├── ansible.cfg
├── check_file.yml
├── check_port.sh
├── inventory
├── LICENSE
├── playbook.yml
├── README.md
└── roles/
    └── JeffWen0105.check_ports/
        ├── defaults/
        │   └── main.yml
        ├── meta/
        │   └── main.yml
        ├── README.md
        ├── tasks/
        │   └── main.yml
        ├── templates/
        │   └── check_port.sh.j2
        └── vars/
            └── main.yml

7 directories, 13 files

4. Usage examples

The examples cover a standard Linux host and CoreOS.

4.1. Linux

  1. Define the four managed hosts in inventory.
[server]
172.25.250.11
172.25.250.12
172.25.250.13
172.25.250.14
  2. Set the hosts, ports and TCP/UDP protocol to check in check_file.yml.

See the Role Variables section at the bottom for details of each parameter.

Tip
Multiple hosts can be listed, and each host can have several ports, but pay close attention to indentation!
servers:
  - host: 8.8.8.8
    protocol: udp
    ports:
      - 123
      - 53
  - host: 127.0.0.1
    protocol: tcp
    ports:
      - 22
      - 80
  - host: google.com
    protocol: tcp
    ports:
      - 22
      - 443
  3. Run the example playbook.yml

Following Ansible best practice, simply add the JeffWen0105.check_ports role to your own playbook.

[student@bastion 03-Ansible_Role_check_Ports]$ ansible-playbook playbook.yml
...output omitted...
TASK [JeffWen0105.check_ports : summary result] *******************************************************
ok: [172.25.250.11] => {
    "msg": [
        "📝 Test port on servera:",
        " 👍 Success at 8.8.8.8:123",
        " 👍 Success at 8.8.8.8:53",
        " 👍 Success at 127.0.0.1:22",
        " 📛 Failure at 127.0.0.1:80",
        " 📛 Failure at google.com:22",
        " 👍 Success at google.com:443"
    ]
}
ok: [172.25.250.12] => {
    "msg": [
        "📝 Test port on serverb:",
        " 👍 Success at 8.8.8.8:123",
        " 👍 Success at 8.8.8.8:53",
        " 👍 Success at 127.0.0.1:22",
        " 📛 Failure at 127.0.0.1:80",
        " 📛 Failure at google.com:22",
        " 👍 Success at google.com:443"
    ]
}
...output omitted...

4.2. CoreOS

  1. Set the execution parameters

Because CoreOS differs slightly from a standard Linux host, add the following parameters to ansible.cfg

### for coreos example
remote_user        = core
ansible_python_interpreter="PATH=/home/core/bin:$PATH python3"
private_key_file=./<ssh to coreos private key>
  2. CoreOS run result
[howhow@ocp4 ansible_role_check_ports]$ oc get no
NAME                         STATUS   ROLES                  AGE     VERSION
master-1.ocp4.how64bit.com   Ready    control-plane,master   5h40m   v1.25.4+a34b9e9
worker-1.ocp4.how64bit.com   Ready    worker                 5h25m   v1.25.4+a34b9e9
worker-2.ocp4.how64bit.com   Ready    worker                 5h25m   v1.25.4+a34b9e9
[howhow@ocp4 ansible_role_check_ports]$ ansible-playbook playbook.yml 
...output omitted...
TASK [JeffWen0105.check_ports : summary result] *******************************************
ok: [192.168.122.188] => {
    "msg": [
        "📝 Test port on master-1.ocp4.how64bit.com:",
        " 👍 Success at 8.8.8.8:123",
        " 👍 Success at 8.8.8.8:53",
        " 👍 Success at 127.0.0.1:22",
        " 👍 Success at 127.0.0.1:80",
        " 📛 Failure at google.com:22",
        " 👍 Success at google.com:443"
    ]
}
ok: [192.168.122.171] => {
    "msg": [
        "📝 Test port on worker-1.ocp4.how64bit.com:",
        " 👍 Success at 8.8.8.8:123",
        " 👍 Success at 8.8.8.8:53",
        " 👍 Success at 127.0.0.1:22",
        " 📛 Failure at 127.0.0.1:80",
        " 📛 Failure at google.com:22",
        " 👍 Success at google.com:443"
    ]
}
ok: [192.168.122.29] => {
    "msg": [
        "📝 Test port on worker-2.ocp4.how64bit.com:",
        " 👍 Success at 8.8.8.8:123",
        " 👍 Success at 8.8.8.8:53",
        " 👍 Success at 127.0.0.1:22",
        " 📛 Failure at 127.0.0.1:80",
        " 📛 Failure at google.com:22",
        " 👍 Success at google.com:443"
    ]
}
...output omitted...

5. Role Variables

Variable   Purpose
servers    Top-level key; required
host       Host to check, hostname or IP
protocol   tcp/udp
ports      Ports to check, given as a YAML list

6. Example of the generated script

#!/bin/bash

# powered by HowHowWen
# Blog : https://how64bit.com
# Mail : [email protected]

export TIMEOUT_SECONDS=1
export LOCAL_HOST_NAME="$(hostname)"
# one bash network device path per host/port pair rendered from check_file.yml
export DEVICE_PATH_LIST=(
      "/dev/tcp/127.0.0.1/22"
      "/dev/tcp/127.0.0.1/80"
  )

printf "\U1F4DD Test port on %s:\n" "${LOCAL_HOST_NAME}"
for device_path in "${DEVICE_PATH_LIST[@]}"; do
    # fields of /dev/<proto>/<host>/<port>: 4 = host, 5 = port
    export HOST=$(echo "$device_path" | cut -d '/' -f 4)
    export PORT=$(echo "$device_path" | cut -d '/' -f 5)
    # opening the device path connects to the port; a refused or timed-out connect means closed or filtered
    if timeout "$TIMEOUT_SECONDS" bash -c "echo 'What is up by howhow ...' >${device_path}" 2>/dev/null; then
        printf " \U1F44D Success at %s:%s\n" "$HOST" "$PORT"
    else
        printf " \U1F4DB Failure at %s:%s\n" "$HOST" "$PORT"
    fi
done
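The generated script above relies on bash's /dev/tcp paths. The same trick with /dev/udp (which the role uses for protocol: udp entries such as 8.8.8.8:123 in section 4) cannot confirm that a UDP service is listening: bash only connects the socket and sends the datagram, which succeeds whenever the packet can be sent. The following is an added example, not the role's own code, that generalises the script to both protocols, reports UDP results as unverified and returns a non-zero exit status when any TCP check fails; the "proto host port" input format and the sample targets are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the role): a TCP/UDP variant of the generated
# script that reports UDP honestly and exits non-zero when any check fails.
TIMEOUT_SECONDS=1

# device_path <tcp|udp> <host> <port>: the bash network path the role's template builds
device_path() { printf '/dev/%s/%s/%s' "$1" "$2" "$3"; }

# probe_port <tcp|udp> <host> <port>
# returns 0 = TCP connect succeeded, 1 = connect failed (closed, filtered or unreachable),
# 2 = UDP: bash only connect()s the socket, which succeeds whether or not anything
#     listens on the port, so a UDP "success" is unverified
probe_port() {
  local path
  path=$(device_path "$1" "$2" "$3")
  if timeout "$TIMEOUT_SECONDS" bash -c "exec 3<>'$path'" 2>/dev/null; then
    [ "$1" = tcp ] && return 0
    return 2
  fi
  return 1
}

# status_line <tcp|udp> <host> <port>: one result line in the layout of the role's summary
status_line() {
  local rc=0
  probe_port "$1" "$2" "$3" || rc=$?
  case $rc in
    0) printf 'OK   %s:%s' "$2" "$3" ;;
    2) printf 'SENT %s:%s (udp, unverified)' "$2" "$3" ;;
    *) printf 'FAIL %s:%s' "$2" "$3" ;;
  esac
}

# run_checks: reads "proto host port" lines from stdin, prints one status line each
# and returns non-zero if any check failed, so the playbook task can fail on it
run_checks() {
  local proto host port line failed=0
  while read -r proto host port; do
    [ -z "$proto" ] && continue
    line=$(status_line "$proto" "$host" "$port")
    echo " $line"
    case $line in FAIL*) failed=$((failed + 1)) ;; esac
  done
  [ "$failed" -eq 0 ]
}

# Constructed sample input with the same targets as check_file.yml above
printf 'udp 8.8.8.8 53\ntcp 127.0.0.1 22\ntcp 127.0.0.1 80\n' | run_checks \
  || echo "at least one expected port failed"
```

Feeding the lines rendered from check_file.yml into run_checks and registering its exit status lets a playbook fail the firewall verification instead of only printing a summary.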

7. Summary

Thanks to the flexibility of the Ansible template module, the script to run can be generated as needed and distributed to the managed nodes, giving the desired result easily and quickly.


