Python
Ansible

Ansibleの仕組み | なぜ Ansible はリモートサーバーにも python を必要とするのか

答え

リモートサーバーに実行プログラムを送り込む仕組みだから。
そのプログラム=モジュールが主にpythonで書かれているから。(*)

EFFICIENT ARCHITECTURE
Ansible works by connecting to your nodes and pushing out small programs, called "Ansible modules" to them.

How Ansible Works | Ansible.com

試してみよう

ansible コマンドを実行

$ ansible -i inventory.txt example -m 'shell' -a 'sleep 1 && ls -la' -vvvv
  • ここでは shell モジュールを使って、リモートサーバーで bash コマンドを実行してみる ( sleep 1 && ls -la )
  • 冗長な出力 -vvvv 指定をして中で何が起きているのかを見る
  • sleep 1 が終わる前に Command+C などで無理やり処理を中断させてみよう

ansible コマンドの実行結果

冗長 ( verbose ) な出力を見ると、リモートサーバーにpythonスクリプトが設置されているのが分かる。

echo /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py ( 抜粋 )

ansible 2.6.1
  config file = /Users/yuma/.ansible.cfg
  configured module search path = [u'/Users/yuma/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.6.1/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15 (default, Jun 19 2018, 20:16:43) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]
Using /Users/yuma/.ansible.cfg as config file
setting up inventory plugins
Set default localhost to localhost
Parsed /Users/yuma/projects/study/ansible/inventories/inventory.txt inventory source with ini plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/local/Cellar/ansible/2.6.1/libexec/lib/python2.7/site-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
<localhost> ESTABLISH SSH CONNECTION FOR USER: root
<localhost> SSH: EXEC sshpass -d46 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/yuma/.ansible/cp/e8bf07bfa6 localhost '/bin/sh -c '"'"'echo ~root && sleep 0'"'"''
<localhost> (0, '/root\n', 'OpenSSH_7.6p1, LibreSSL 2.6.2\r\ndebug1: Reading configuration data /Users/yuma/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 48: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 44111\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<localhost> ESTABLISH SSH CONNECTION FOR USER: root
<localhost> SSH: EXEC sshpass -d46 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/yuma/.ansible/cp/e8bf07bfa6 localhost '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1531625640.
6 `" && echo ansible-tmp-1531625640.49-42645862347596="` echo /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596 `" ) && sleep 0'"'"''
<localhost> (0, 'ansible-tmp-1531625640.49-42645862347596=/root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596\n', 'OpenSSH_7.6p1, LibreSSL 2.6.2\r\ndebug1: Reading configuration data /Users/yuma/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 48: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 44111\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
Using module file /usr/local/Cellar/ansible/2.6.1/libexec/lib/python2.7/site-packages/ansible/modules/commands/command.py
<localhost> PUT /Users/yuma/.ansible/tmp/ansible-local-44674REhnew/tmp9m61Sh TO /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py
<localhost> SSH: EXEC sshpass -d46 sftp -o BatchMode=no -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/yuma/.ansible/cp/e8bf07bfa6 '[localhost]'
<localhost> (0, 'sftp> put /Users/yuma/.ansible/tmp/ansible-local-44674REhnew/tmp9m61Sh /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py\n', 'OpenSSH_7.6p1, LibreSSL 2.6.2\r\ndebug1: Reading configuration data /Users/yuma/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 48: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 44111\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug2: Remote version: 3\r\ndebug2: Server supports extension "posix-rename@openssh.com" revision 1\r\ndebug2: Server supports extension "statvfs@openssh.com" revision 2\r\ndebug2: Server supports extension "fstatvfs@openssh.com" revision 2\r\ndebug2: Server supports extension "hardlink@openssh.com" revision 1\r\ndebug2: Server supports extension "fsync@openssh.com" revision 1\r\ndebug3: Sent message fd 34 T:16 I:1\r\ndebug3: SSH_FXP_REALPATH . -> /root size 0\r\ndebug3: Looking up /Users/yuma/.ansible/tmp/ansible-local-44674REhnew/tmp9m61Sh\r\ndebug3: Sent message fd 34 T:17 I:2\r\ndebug3: Received stat reply T:101 I:2\r\ndebug1: Couldn\'t stat remote file: No such file or directory\r\ndebug3: Sent message SSH2_FXP_OPEN I:3 P:/root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py\r\ndebug3: Sent message SSH2_FXP_WRITE I:4 O:0 S:32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 4 32768 bytes at 0\r\ndebug3: Sent message SSH2_FXP_WRITE I:5 O:32768 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:6 O:65536 S:3360\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 5 32768 bytes at 32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 6 3360 bytes at 65536\r\ndebug3: Sent message SSH2_FXP_CLOSE I:4\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<localhost> ESTABLISH SSH CONNECTION FOR USER: root
<localhost> SSH: EXEC sshpass -d46 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/yuma/.ansible/cp/e8bf07bfa6 localhost '/bin/sh -c '"'"'chmod u+x /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/ /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py && sleep 0'"'"''
<localhost> (0, '', 'OpenSSH_7.6p1, LibreSSL 2.6.2\r\ndebug1: Reading configuration data /Users/yuma/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 48: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 44111\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<localhost> ESTABLISH SSH CONNECTION FOR USER: root
<localhost> SSH: EXEC sshpass -d46 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/yuma/.ansible/cp/e8bf07bfa6 -tt localhost '/bin/sh -c '"'"'/usr/bin/python /root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py && sleep 0'"'"''
^C [ERROR]: User interrupted execution

リモートサーバーでpythonスクリプトの中身を見てみる

root@539a7ca22f48:~# cat .ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
ANSIBALLZ_WRAPPER = True # For test-module script to tell this is a ANSIBALLZ_WRAPPER
import os
import os.path
import sys
import __main__
scriptdir = None
try:
    scriptdir = os.path.dirname(os.path.realpath(__main__.__file__))
except (AttributeError, OSError):
    pass
if scriptdir is not None:
    sys.path = [p for p in sys.path if p != scriptdir]
import base64
import shutil
import zipfile
import tempfile
import subprocess
if sys.version_info < (3,):
    bytes = str
    PY3 = False
else:
    unicode = str
    PY3 = True
try:
    from io import BytesIO as IOStream
except ImportError:
    from StringIO import StringIO as IOStream
ZIPDATA = """"""
def invoke_module(module, modlib_path, json_params):
    pythonpath = os.environ.get('PYTHONPATH')
    if pythonpath:
        os.environ['PYTHONPATH'] = ':'.join((modlib_path, pythonpath))
    else:
        os.environ['PYTHONPATH'] = modlib_path
    p = subprocess.Popen(['/usr/bin/python', module], env=os.environ, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
    (stdout, stderr) = p.communicate(json_params)
    if not isinstance(stderr, (bytes, unicode)):
        stderr = stderr.read()
    if not isinstance(stdout, (bytes, unicode)):
        stdout = stdout.read()
    if PY3:
        sys.stderr.buffer.write(stderr)
        sys.stdout.buffer.write(stdout)
    else:
        sys.stderr.write(stderr)
        sys.stdout.write(stdout)
    return p.returncode
def debug(command, zipped_mod, json_params):
    basedir = os.path.join(os.path.abspath(os.path.dirname(__file__)), 'debug_dir')
    args_path = os.path.join(basedir, 'args')
    script_path = os.path.join(basedir, 'ansible_module_command.py')
    if command == 'explode':
        z = zipfile.ZipFile(zipped_mod)
        for filename in z.namelist():
            if filename.startswith('/'):
                raise Exception('Something wrong with this module zip file: should not contain absolute paths')
            dest_filename = os.path.join(basedir, filename)
            if dest_filename.endswith(os.path.sep) and not os.path.exists(dest_filename):
                os.makedirs(dest_filename)
            else:
                directory = os.path.dirname(dest_filename)
                if not os.path.exists(directory):
                    os.makedirs(directory)
                f = open(dest_filename, 'wb')
                f.write(z.read(filename))
                f.close()
        f = open(args_path, 'wb')
        f.write(json_params)
        f.close()
        print('Module expanded into:')
        print('%s' % basedir)
        exitcode = 0
    elif command == 'execute':
        pythonpath = os.environ.get('PYTHONPATH')
        if pythonpath:
            os.environ['PYTHONPATH'] = ':'.join((basedir, pythonpath))
        else:
            os.environ['PYTHONPATH'] = basedir
        p = subprocess.Popen(['/usr/bin/python', script_path, args_path],
                env=os.environ, shell=False, stdout=subprocess.PIPE,
                stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        (stdout, stderr) = p.communicate()
        if not isinstance(stderr, (bytes, unicode)):
            stderr = stderr.read()
        if not isinstance(stdout, (bytes, unicode)):
            stdout = stdout.read()
        if PY3:
            sys.stderr.buffer.write(stderr)
            sys.stdout.buffer.write(stdout)
        else:
            sys.stderr.write(stderr)
            sys.stdout.write(stdout)
        return p.returncode
    elif command == 'excommunicate':
        sys.argv = ['command', args_path]
        sys.path.insert(0, basedir)
        from ansible_module_command import main
        main()
        print('WARNING: Module returned to wrapper instead of exiting')
        sys.exit(1)
    else:
        print('WARNING: Unknown debug command.  Doing nothing.')
        exitcode = 0
    return exitcode
if __name__ == '__main__':
    ANSIBALLZ_PARAMS = '{"ANSIBLE_MODULE_ARGS": {"_ansible_version": "2.6.1", "_ansible_socket": null, "_ansible_remote_tmp": "~/.ansible/tmp", "_uses_shell": true, "_ansible_no_log": false, "_ansible_module_name": "command", "_raw_params": "sleep 2 && ls -la", "_ansible_verbosity": 4, "_ansible_keep_remote_files": false, "_ansible_syslog_facility": "LOG_USER", "warn": true, "_ansible_selinux_special_fs": ["fuse", "nfs", "vboxsf", "ramfs", "9p"], "_ansible_diff": false, "_ansible_debug": false, "_ansible_shell_executable": "/bin/sh", "_ansible_check_mode": false, "_ansible_tmpdir": "/root/.ansible/tmp/ansible-tmp-1531625640.49-42645862347596/"}}'
    if PY3:
        ANSIBALLZ_PARAMS = ANSIBALLZ_PARAMS.encode('utf-8')
    try:
        temp_path = tempfile.mkdtemp(prefix='ansible_')
        zipped_mod = os.path.join(temp_path, 'ansible_modlib.zip')
        modlib = open(zipped_mod, 'wb')
        modlib.write(base64.b64decode(ZIPDATA))
        modlib.close()
        if len(sys.argv) == 2:
            exitcode = debug(sys.argv[1], zipped_mod, ANSIBALLZ_PARAMS)
        else:
            z = zipfile.ZipFile(zipped_mod, mode='r')
            module = os.path.join(temp_path, 'ansible_module_command.py')
            f = open(module, 'wb')
            f.write(z.read('ansible_module_command.py'))
            f.close()
            z = zipfile.ZipFile(zipped_mod, mode='a')
            sitecustomize = u'import sys\nsys.path.insert(0,"%s")\n' %  zipped_mod
            sitecustomize = sitecustomize.encode('utf-8')
            zinfo = zipfile.ZipInfo()
            zinfo.filename = 'sitecustomize.py'
            zinfo.date_time = ( 2018, 7, 15, 3, 34, 0)
            z.writestr(zinfo, sitecustomize)
            z.close()
            exitcode = invoke_module(module, zipped_mod, ANSIBALLZ_PARAMS)
    finally:
        try:
            shutil.rmtree(temp_path)
        except (NameError, OSError):
            pass
    sys.exit(exitcode)

リモートサーバーでpythonスクリプトを直接叩いてみる

普通に動作してJSONが返ってくる。

( ansible モジュールに期待されるのは JSON の結果なので、ただしい動作 )

root@539a7ca22f48:~# python .ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py

{"changed": true, "end": "2018-07-15 03:41:12.761425", "stdout": "total 32\ndrwx------ 1 root root 4096 Jul 15 03:30 .\ndrwxr-xr-x 1 root root 4096 Jul 15 02:55 ..\ndrwx------ 3 root root 4096 Jul 15 03:10 .ansible\nrw------- 1 root root  125 Jul 15 02:58 .bash_history\n-rw-r--r-- 1 root root 3106 Oct 22  2015 .bashrc\ndrwx------ 2 root root 4096 Jul 15 02:56 .cache\n-rw-r--r-- 1 root root  148 Aug 17  2015 .profile", "cmd": "sleep 2 && ls -la", "rc": 0, "start": "2018-07-15 03:41:10.751784", "stderr": "", "delta": "0:00:02.009641", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "sleep 2 && ls -la", "removes": null, "argv": null, "creates": null, "chdir": null, "stdin": null}}}
root@539a7ca22f48:~# python .ansible/tmp/ansible-tmp-1531625640.49-42645862347596/command.py

{"changed": true, "end": "2018-07-15 03:41:15.970431", "stdout": "total 32\ndrwx------ 1 root root 4096 Jul 15 03:30 .\ndrwxr-xr-x 1 root root 4096 Jul 15 02:55 ..\ndrwx------ 3 root root 4096 Jul 15 03:10 .ansible\n-rw------- 1 root root  125 Jul 15 02:58 .bash_history\n-rw-r--r-- 1 root root 3106 Oct 22  2015 .bashrc\ndrwx------ 2 root root 4096 Jul 15 02:56 .cache\n-rw-r--r-- 1 root root  148 Aug 17  2015 .profile", "cmd": "sleep 2 && ls -la", "rc": 0, "start": "2018-07-15 03:41:13.958058", "stderr": "", "delta": "0:00:02.012373", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "sleep 2 && ls -la", "removes": null, "argv": null, "creates": null, "chdir": null, "stdin": null}}}

JSON の結果に ls -la コマンドの結果が含まれているのが分かる

total 32
drwx------ 1 root root 4096 Jul 15 03:30 .
drwxr-xr-x 1 root root 4096 Jul 15 02:55 ..
drwx------ 3 root root 4096 Jul 15 03:10 .ansible
-rw------- 1 root root  125 Jul 15 02:58 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22  2015 .bashrc
drwx------ 2 root root 4096 Jul 15 02:56 .cache
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile

bash コマンドはどこに消えた?

リモートサーバーに実行させようとした bash コマンド ( sleep 1 && ls -la ) は python スクリプトには見つからない。

どうやらZIPデータ ZIPDATA として固められている模様。(詳しくは未調査)

注釈

*ただし実行プログラムを送り込まない形式のモジュールも存在する。

Executes a low-down and dirty SSH command, not going through the module subsystem.

raw - Executes a low-down and dirty SSH command — Ansible Documentation

参照: Ansible 「で」 python 「を」 リモートーサーバーにインストールする方法 - Qiita

*確かにpythonで書かれているモジュールが多いが、特に言語は問わない模様。

EXTEND ANSIBLE: MODULES, PLUGINS AND API
Should you want to write your own, Ansible modules can be written in any language that can return JSON (Ruby, Python, bash, etc).

環境

  • ansible 2.6.1

リンク