Install and configure Ansible to manage virtual machines in Azure

This article details how to install Ansible and the required Azure Python SDK modules for some of the most common Linux distros. You can install Ansible on other distros by adjusting the installed packages to fit your particular platform. To create Azure resources in a secure manner, you also learn how to create and define credentials for Ansible to use.

For more installation options and steps for additional platforms, see the Ansible install guide.

Install Ansible

First, create a resource group with az group create. The following example creates a resource group named myResourceGroupAnsible in the eastus location:

az group create --name myResourceGroupAnsible --location eastus

Now, create a VM and install Ansible for one of the following distros of your choice:

Ubuntu 16.04 LTS

Create a VM with az vm create. The following example creates a VM named myVMAnsible:

az vm create \
    --name myVMAnsible \
    --resource-group myResourceGroupAnsible \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys

SSH to your VM using the publicIpAddress noted in the output from the VM create operation:

ssh azureuser@<publicIpAddress>

On your VM, install the required packages for the Azure Python SDK modules and Ansible as follows:

## Install pre-requisite packages
sudo apt-get update && sudo apt-get install -y libssl-dev libffi-dev python-dev python-pip

## Install Ansible and Azure SDKs via pip
pip install 'ansible[azure]'

Now move on to Create Azure credentials.

CentOS 7.3

Create a VM with az vm create. The following example creates a VM named myVMAnsible:

az vm create \
    --name myVMAnsible \
    --resource-group myResourceGroupAnsible \
    --image CentOS \
    --admin-username azureuser \
    --generate-ssh-keys

SSH to your VM using the publicIpAddress noted in the output from the VM create operation:

ssh azureuser@<publicIpAddress>

On your VM, install the required packages for the Azure Python SDK modules and Ansible as follows:

## Install pre-requisite packages
sudo yum check-update; sudo yum install -y gcc libffi-devel python-devel openssl-devel epel-release
sudo yum install -y python-pip python-wheel

## Install Ansible and Azure SDKs via pip
sudo pip install 'ansible[azure]'

Now move on to Create Azure credentials.

SLES 12 SP2

Create a VM with az vm create. The following example creates a VM named myVMAnsible:

az vm create \
    --name myVMAnsible \
    --resource-group myResourceGroupAnsible \
    --image SLES \
    --admin-username azureuser \
    --generate-ssh-keys

SSH to your VM using the publicIpAddress noted in the output from the VM create operation:

ssh azureuser@<publicIpAddress>

On your VM, install the required packages for the Azure Python SDK modules and Ansible as follows:

## Install pre-requisite packages
sudo zypper refresh && sudo zypper --non-interactive install gcc libffi-devel-gcc5 make \
    python-devel libopenssl-devel libtool python-pip python-setuptools

## Install Ansible and Azure SDKs via pip
sudo pip install 'ansible[azure]'

# Remove conflicting Python cryptography package
sudo pip uninstall -y cryptography

Now move on to Create Azure credentials.

Create Azure credentials

Ansible communicates with Azure using a username and password or a service principal. An Azure service principal is a security identity that you can use with apps, services, and automation tools like Ansible. You control and define the permissions that determine which operations the service principal can perform in Azure. To improve security over just providing a username and password, this example creates a basic service principal.

Create a service principal on your host computer with az ad sp create-for-rbac and output the credentials that Ansible needs:

az ad sp create-for-rbac --query '{"client_id": appId, "secret": password, "tenant": tenant}'

An example of the output from the preceding command is as follows:

{
  "client_id": "eec5624a-90f8-4386-8a87-02730b5410d5",
  "secret": "531dcffa-3aff-4488-99bb-4816c395ea3f",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47"
}

To authenticate to Azure, you also need to obtain your Azure subscription ID with az account show:

az account show --query "{ subscription_id: id }"

You use the output from these two commands in the next step.

Create Ansible credentials file

To provide credentials to Ansible, you define environment variables or create a local credentials file. For more information about how to define Ansible credentials, see Providing Credentials to Azure Modules.

For a development environment, create a credentials file for Ansible on your host VM as follows:

mkdir -p ~/.azure
vi ~/.azure/credentials

The credentials file itself combines the subscription ID with the output of creating a service principal. The output of the previous az ad sp create-for-rbac command supplies the values needed for client_id, secret, and tenant. The following example credentials file shows these values matching the previous output. Enter your own values as follows:

[default]
subscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client_id=eec5624a-90f8-4386-8a87-02730b5410d5
secret=531dcffa-3aff-4488-99bb-4816c395ea3f
tenant=72f988bf-86f1-41af-91ab-2d7cd011db47
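
The credentials file stores the service principal secret in plain text, so it should be readable only by the account that runs Ansible. The following shell functions are an added example, not part of the original article: write_azure_credentials and audit_azure_credentials are hypothetical names, and the values are read from the AZURE_* variables this article defines for Ansible.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Ansible or az.

# Write the [default] profile from the AZURE_* environment variables.
# umask 077 means a newly created directory is 700 and the file is 600
# from the moment they exist, never briefly group- or world-readable.
write_azure_credentials() {
    cred_file=$1
    for name in AZURE_SUBSCRIPTION_ID AZURE_CLIENT_ID AZURE_SECRET AZURE_TENANT; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { echo "missing variable: $name" >&2; return 1; }
    done
    (
        umask 077
        mkdir -p "$(dirname "$cred_file")" &&
        printf '[default]\nsubscription_id=%s\nclient_id=%s\nsecret=%s\ntenant=%s\n' \
            "$AZURE_SUBSCRIPTION_ID" "$AZURE_CLIENT_ID" \
            "$AZURE_SECRET" "$AZURE_TENANT" > "$cred_file" &&
        chmod 600 "$cred_file"
    )
}

# Fail if the file is missing, accessible to group/others, or lacks a key.
audit_azure_credentials() {
    cred_file=$1
    [ -f "$cred_file" ] || { echo "missing file: $cred_file" >&2; return 1; }
    mode=$(ls -l "$cred_file" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) ;;
        *) echo "too permissive ($mode): $cred_file" >&2; return 1 ;;
    esac
    grep -q '^\[default]$' "$cred_file" ||
        { echo "no [default] profile" >&2; return 1; }
    for key in subscription_id client_id secret tenant; do
        grep -q "^${key}=." "$cred_file" ||
            { echo "missing key: $key" >&2; return 1; }
    done
}

# Usage on the Ansible host, with the AZURE_* variables already exported:
#   write_azure_credentials "$HOME/.azure/credentials"
#   audit_azure_credentials "$HOME/.azure/credentials"
```
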

Use Ansible environment variables

If you are going to use tools such as Ansible Tower or Jenkins, you can define environment variables as follows. These variables combine the subscription ID with the output from creating a service principal. The output of the previous az ad sp create-for-rbac command is in the same order as needed for AZURE_CLIENT_ID, AZURE_SECRET, and AZURE_TENANT.

export AZURE_SUBSCRIPTION_ID=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
export AZURE_CLIENT_ID=eec5624a-90f8-4386-8a87-02730b5410d5
export AZURE_SECRET=531dcffa-3aff-4488-99bb-4816c395ea3f
export AZURE_TENANT=72f988bf-86f1-41af-91ab-2d7cd011db47

Next steps

You now have Ansible and the required Azure Python SDK modules installed, and credentials defined for Ansible to use. Learn how to create a VM with Ansible. You can also learn how to create a complete Azure VM and supporting resources with Ansible.