Linux RHCE exam solutions

Contents

Install and configure Ansible

Create and run Ansible ad hoc commands

Install packages

Use RHEL system roles

Install roles with Ansible Galaxy

Create and use roles

Use roles from Ansible Galaxy

Create and use logical volumes

Generate a hosts file

Modify file content

Create a web content directory

Generate a hardware report

Create a password vault

Create user accounts

Update the Ansible vault key


Install and configure Ansible

Log in to the control node as user greg
ssh greg@control

Install ansible and check its version
sudo yum -y install ansible
ansible --version

Create the ansible directory and change into it
mkdir /home/greg/ansible
cd ansible/

Create the inventory
vim inventory
[dev]
node1
[test]
node2
[prod]
node3
node4
[balancers]
node5
[webservers:children]
prod

Create the roles directory
mkdir roles
Create an ansible configuration file for user greg
cp /etc/ansible/ansible.cfg /home/greg/ansible/

Edit the configuration file
vim ansible.cfg
[defaults]
inventory = /home/greg/ansible/inventory           path to the inventory
ask_pass = False                                   do not prompt for a password when logging in to managed nodes
roles_path = /home/greg/ansible/roles              path where roles are stored
remote_user = greg                                 user ansible logs in as for remote management
[privilege_escalation]
become=True                    switch user automatically on the managed node after connecting
become_method=sudo             switch user on the managed node via sudo
become_user=root               switch to the root user on the managed node
become_ask_pass=False          do not prompt for the sudo password
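As an added illustration (not part of the original notes), the following Python reproduces how Ansible turns this INI inventory into the groups variable that the later `when: inventory_hostname in groups[...]` conditions and `hosts:` patterns rely on; it shows that node3 and node4 end up in both prod and webservers through the children section. The inventory text is a constructed copy, and parse_inventory and hosts_for are hypothetical helpers, not Ansible APIs.

```python
import re
# Constructed copy of the inventory written above (not a file from the lab).
INVENTORY = """\
[dev]
node1
[test]
node2
[prod]
node3
node4
[balancers]
node5
[webservers:children]
prod
"""

def parse_inventory(text):
    """Return {group: [hosts]} as Ansible's `groups` variable exposes it.
    Handles [name] and [name:children]; [name:vars] is skipped and host
    ranges such as node[1:4] are not expanded."""
    members, children, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[([^\]:]+)(?::(children|vars))?\]", line)
        if header:                         # new section: remember its name and kind
            current = (header.group(1), header.group(2))
            members.setdefault(current[0], [])
        elif line and current and current[1] == "children":
            children.setdefault(current[0], []).append(line)
        elif line and current and current[1] is None:
            members[current[0]].append(line.split()[0])  # drop host vars
    def resolve(group, seen=()):
        if group in seen:
            raise ValueError(f"cyclic children definition at {group}")
        hosts = list(members.get(group, []))
        for child in children.get(group, []):
            hosts += [h for h in resolve(child, seen + (group,)) if h not in hosts]
        return hosts
    groups = {g: resolve(g) for g in members}
    groups["all"] = list(dict.fromkeys(h for g in members for h in groups[g]))
    return groups

def hosts_for(groups, pattern):
    """Expand a play's hosts: pattern such as 'dev,test,prod' or 'node5'."""
    out = []
    for part in (p.strip() for p in pattern.split(",")):
        targets = groups.get(part, [part] if part in groups["all"] else [])
        out += [h for h in targets if h not in out]
    return out
```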

Create and run Ansible ad hoc commands

Create a shell script (implemented with the yum_repository module)
vim ~/ansible/adhoc.sh
#!/bin/bash
ansible all -m yum_repository -a "name=EX294_BASE description='EX294 base software' baseurl=http://content/rhel8.0/x86_64/dvd/BaseOS gpgcheck=yes gpgkey=http://content/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes"
ansible all -m yum_repository -a "name=EX294_STREAM description='EX294 stream software' baseurl=http://content/rhel8.0/x86_64/dvd/AppStream gpgcheck=yes gpgkey=http://content/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes"

Run the script
chmod a+x adhoc.sh
./adhoc.sh

Import the GPG key on the managed nodes
ansible all -m shell -a "rpm --import http://content/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release"

Verify the result
ansible all -m shell -a "yum -y repolist all"

Install packages

Create the playbook
vim /home/greg/ansible/packages.yml
---
  - name: yum install
    hosts: dev,test,prod
    tasks:
      - name: php,mariadb
        yum:
          name: php,mariadb
          state: present

      - name: RPM Development Tools
        yum:
          name: '@RPM Development Tools'
          state: present
        when: inventory_hostname in groups['dev']

      - name: update
        yum:
          name: '*'
          state: latest
        when: inventory_hostname in groups['dev']

Check the playbook syntax and run it
ansible-playbook --syntax-check packages.yml
ansible-playbook packages.yml

Verify the result
ansible dev,test,prod -m shell -a "yum -y info php"
ansible dev,test,prod -m shell -a "yum -y info mariadb"
ansible dev -m shell -a "yum -y grouplist | grep -i installed"
ansible dev -m shell -a "yum update"

Use RHEL system roles

Install the system roles package
sudo yum -y install rhel-system-roles.noarch

Copy the timesync system role into the roles path and rename it
cp -av /usr/share/ansible/roles/rhel-system-roles.timesync /home/greg/ansible/roles/
mv /home/greg/ansible/roles/rhel-system-roles.timesync /home/greg/ansible/roles/timesync

Write timesync.yml to call the timesync role (the role's README.md documents its variables)
vim /home/greg/ansible/timesync.yml
- hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - timesync

Check the playbook syntax and run it
ansible-playbook --syntax-check timesync.yml
ansible-playbook timesync.yml

Verify the result
ansible all -a 'chronyc sources -v'
ansible all -m shell -a "timedatectl"

Install roles with Ansible Galaxy

Define the requirements file
vim /home/greg/ansible/roles/requirements.yml
---
  - src: http://materials/haproxy.tar
    name: balancer
  - src: http://materials/phpinfo.tar
    name: phpinfo

Download the roles
cd ~/ansible/roles/
ansible-galaxy install -r requirements.yml -p /home/greg/ansible/roles/

Verify the result
ansible-galaxy list        list all installed roles

Create and use roles

Create the role
cd ~/ansible/roles/
ansible-galaxy init apache

Define the index.html.j2 template
vim apache/templates/index.html.j2
Welcome to {{ ansible_facts['fqdn'] }} on {{ ansible_facts['default_ipv4']['address'] }}

Define the role tasks
vim apache/tasks/main.yml
---
# tasks file for apache
  - name: yum httpd
    yum:
      name: httpd
      state: present

  - name: index.html
    template:
      src: index.html.j2
      dest: /var/www/html/index.html
      setype: httpd_sys_content_t

  - name: service httpd
    service:
      name: httpd
      state: started
      enabled: yes

  - name: service firewall
    service:
      name: firewalld
      state: started
      enabled: yes

  - name: firewalld
    firewalld:
      service: http
      permanent: yes
      immediate: yes
      state: enabled

Use the apache role on the webservers host group
vim ~/ansible/apache.yml
---
  - hosts: webservers
    roles:
      - apache

Check the playbook syntax and run it
ansible-playbook --syntax-check apache.yml
ansible-playbook apache.yml

Verify the result
curl http://node3
curl http://node4

Use roles from Ansible Galaxy

Create the playbook
vim ~/ansible/roles.yml
---
- name: balancer
  hosts: all
  roles:
    - role: balancer
      when: inventory_hostname in groups.balancers

- name: phpinfo
  hosts: webservers
  roles:
    - phpinfo

Check the playbook syntax and run it
ansible-playbook --syntax-check roles.yml
ansible-playbook roles.yml

Verify the result
curl http://node5        (run several times to check that load balancing works)
Open http://node4/hello.php and http://node3/hello.php in a browser

Create and use logical volumes

Create the playbook
vim /home/greg/ansible/lv.yml
---
  - name: extent lv
    hosts: all
    tasks:
        - name: research not defined
          debug:
            msg: "Volume group does not exist"
          when: ansible_facts.lvm.vgs.research is not defined
          failed_when: ansible_facts.lvm.vgs.research is not defined

        - name: create lv
          block:
            - name: 1500m
              lvol:
                vg: research
                lv: data
                size: 1500m
          rescue:
            - name: show
              debug:
                msg: "Could not create logical volume of that size"
            - name: 800m
              lvol:
                vg: research
                lv: data
                size: 800m
          always:
            - name: file
              filesystem:
                fstype: ext4
                dev: /dev/research/data

Check the playbook syntax and run it
ansible-playbook --syntax-check lv.yml
ansible-playbook lv.yml

Verify the result
ansible all -m shell -a "lsblk -f"

Generate a hosts file

Download the template file
cd ~/ansible/
wget http://materials/hosts.j2

Edit the template
vim hosts.j2
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

{% for host in groups['all'] %}
{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}  {{ hostvars[host]['ansible_facts']['fqdn'] }} {{ hostvars[host]['ansible_facts']['hostname'] }}
{% endfor %}

Create the playbook (the play targets all hosts so that facts are gathered for every host the template refers to, but the file is only written on the dev group)
vim /home/greg/ansible/hosts.yml
---
  - name: hosts
    hosts: all
    tasks:
      - name: template
        template:
            src: hosts.j2
            dest: /etc/myhosts
        when: inventory_hostname in groups['dev']

Check the playbook syntax and run it
ansible-playbook --syntax-check hosts.yml
ansible-playbook hosts.yml

Verify the result
ansible dev -m shell -a "cat /etc/myhosts"

Modify file content

Create the playbook
vim /home/greg/ansible/issue.yml
---
  - name: revise issue
    hosts: all
    tasks:
        - name: dev
          copy:
            content: 'Development'
            dest: /etc/issue
          when: inventory_hostname in groups['dev']

        - name: test
          copy:
            content: 'Test'
            dest: /etc/issue
          when: inventory_hostname in groups['test']

        - name: prod
          copy:
            content: 'Production'
            dest: /etc/issue
          when: inventory_hostname in groups['prod']

Check the playbook syntax and run it
ansible-playbook --syntax-check issue.yml
ansible-playbook issue.yml

Verify the result
ansible dev -m shell -a 'cat /etc/issue'
ansible test -m shell -a 'cat /etc/issue'
ansible prod -m shell -a 'cat /etc/issue'

Create a web content directory

Create the playbook
vim /home/greg/ansible/webcontent.yml
---
  - name: web
    hosts: dev
    roles:
      - apache

  - name: create web content
    hosts: dev
    tasks:
        - name: group
          group:
            name: webdev
            state: present

        - name: mkdir /webdev
          file:
            path: /webdev
            state: directory
            group: webdev
            mode: '2775'
            setype: httpd_sys_content_t

        - name: create index.html
          copy:
            content: 'Development'
            dest: /webdev/index.html
            setype: httpd_sys_content_t

        - name: link
          file:
            src: /webdev
            dest: /var/www/html/webdev
            state: link

Check the playbook syntax and run it
ansible-playbook --syntax-check webcontent.yml
ansible-playbook webcontent.yml

Verify the result
ansible dev -m shell -a "cat /etc/group | grep -i webdev"     check that the webdev group was created
ansible dev -m shell -a "ls -ldZ /webdev"                check the permissions and SELinux context of /webdev
ansible dev -m shell -a "ls -alt /var/www/html"          check that the symlink was created
curl http://node1/webdev/

Generate a hardware report

Create the playbook
vim /home/greg/ansible/hwreport.yml
---
  - name: hwreport.yml
    hosts: all
    tasks:
        - name: wget
          get_url:
            url: http://materials/hwreport.empty
            dest: /root/hwreport.txt

        - name: hostname
          lineinfile:
            path: /root/hwreport.txt
            regexp: "^HOST=inventoryhostname"
            line: "HOST={{ ansible_facts['hostname'] }}"

        - name: MB
          lineinfile:
            path: /root/hwreport.txt
            regexp: "^MEMORY=memory_in_MB"
            line: "MEMORY={{ ansible_facts['memtotal_mb'] }}"

        - name: bios
          lineinfile:
            path: /root/hwreport.txt
            regexp: "^BIOS=BIOS_version"
            line: "BIOS={{ ansible_facts['bios_version'] }}"

        - name: vda defined
          lineinfile:
            path: /root/hwreport.txt
            regexp: "DISK_SIZE_VDA=disk_vda_size"
            line: "DISK_SIZE_VDA={{ ansible_facts['devices']['vda']['size'] }}"
          when: ansible_facts['devices']['vda']['size'] is defined

        - name: vda not defined
          lineinfile:
            path: /root/hwreport.txt
            regexp: "DISK_SIZE_VDA=disk_vda_size"
            line: "DISK_SIZE_VDA=NONE"
          when: ansible_facts['devices']['vda']['size'] is not defined

        - name: vdb defined
          lineinfile:
            path: /root/hwreport.txt
            regexp: "DISK_SIZE_VDB=disk_vdb_size"
            line: "DISK_SIZE_VDB={{ ansible_facts['devices']['vdb']['size'] }}"
          when: ansible_facts['devices']['vdb']['size'] is defined

        - name: vdb not defined
          lineinfile:
            path: /root/hwreport.txt
            regexp: "DISK_SIZE_VDB=disk_vdb_size"
            line: "DISK_SIZE_VDB=NONE"
          when: ansible_facts['devices']['vdb']['size'] is not defined
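As an added example (not from the original notes), this Python shows what the lineinfile tasks above produce on a node that has vda but no vdb: each placeholder line is replaced with the fact value, or with NONE when the device fact is absent, and a rerun leaves the already-filled lines alone, which is the lineinfile behaviour the playbook depends on to stay idempotent. hwreport.empty and the facts are constructed stand-ins; lineinfile and fill_report are hypothetical helpers, not the Ansible module.

```python
import re

# Constructed stand-in for http://materials/hwreport.empty; the placeholders are
# the ones the playbook's regexps look for.
HWREPORT_EMPTY = """\
HOST=inventoryhostname
MEMORY=memory_in_MB
BIOS=BIOS_version
DISK_SIZE_VDA=disk_vda_size
DISK_SIZE_VDB=disk_vdb_size
"""

# Constructed subset of ansible_facts for a node that has vda but no vdb.
SAMPLE_FACTS = {
    "hostname": "node1",
    "memtotal_mb": 821,
    "bios_version": "1.14.0-1.fc34",
    "devices": {"vda": {"size": "10.00 GB"}},
}

def lineinfile(text, regexp, line):
    """Mimic lineinfile with regexp + line: replace the last matching line,
    otherwise append the line unless it is already present verbatim."""
    lines = text.splitlines()
    hits = [i for i, existing in enumerate(lines) if re.search(regexp, existing)]
    if hits:
        lines[hits[-1]] = line
    elif line not in lines:
        lines.append(line)
    return "\n".join(lines) + "\n"

def fill_report(template, facts):
    """Apply the same substitutions as the hwreport.yml tasks; a disk missing
    from the facts is reported as NONE instead of failing on an undefined value."""
    report = lineinfile(template, r"^HOST=inventoryhostname", f"HOST={facts['hostname']}")
    report = lineinfile(report, r"^MEMORY=memory_in_MB", f"MEMORY={facts['memtotal_mb']}")
    report = lineinfile(report, r"^BIOS=BIOS_version", f"BIOS={facts['bios_version']}")
    for dev in ("vda", "vdb"):
        size = facts.get("devices", {}).get(dev, {}).get("size", "NONE")
        report = lineinfile(report, rf"DISK_SIZE_{dev.upper()}=disk_{dev}_size",
                            f"DISK_SIZE_{dev.upper()}={size}")
    return report

if __name__ == "__main__":
    print(fill_report(HWREPORT_EMPTY, SAMPLE_FACTS), end="")
```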

Check the playbook syntax and run it
ansible-playbook --syntax-check hwreport.yml
ansible-playbook hwreport.yml

Verify the result
ansible all -m shell -a "cat /root/hwreport.txt"

Create a password vault

Create the yml file that stores the user passwords
vim /home/greg/ansible/locker.yml
---
pw_developer: Imadev
pw_manager: Imamgr

Create the password file used for encryption and decryption
echo "whenyouwishuponastar" > ~/ansible/secret.txt

Define the password file path in the ansible configuration file (under [defaults])
vault_password_file = /home/greg/ansible/secret.txt

Encrypt locker.yml
ansible-vault encrypt locker.yml

Verify the result
ansible-vault view locker.yml  view the encrypted file

Create user accounts

Contents of the user list

Download the list of users to create
cd ~/ansible
wget http://materials/user_list.yml

Create the playbook
vim ~/ansible/users.yml
---
  - name: user
    hosts: dev,test,prod
    vars_files:
        - /home/greg/ansible/user_list.yml
        - /home/greg/ansible/locker.yml
    tasks:
        - name: group
          group:
            name: devops
            state: present
          when: inventory_hostname in groups['dev'] or inventory_hostname in groups['test']

        - name: group2
          group:
            name: opsmgr
            state: present
          when: inventory_hostname in groups['prod']

        - name: user dev test
          user:
            name: "{{ item.name }}"
            comment: "{{ item.job }}"
            groups: devops
            password: "{{ pw_developer | password_hash('sha512') }}"
            append: yes
          loop: "{{ users }}"
          when: (inventory_hostname in groups['dev'] or inventory_hostname in groups['test']) and item.job == "developer"

        - name: user prod
          user:
            name: "{{ item.name }}"
            comment: "{{ item.job }}"
            groups: opsmgr
            password: "{{ pw_manager | password_hash('sha512') }}"
            append: yes
          loop: "{{ users }}"
          when: inventory_hostname in groups['prod'] and item.job == "manager"

Check the playbook syntax and run it
ansible-playbook --syntax-check users.yml
ansible-playbook users.yml

Verify the result
ansible all -m shell -a "tail -3 /etc/group"
ansible all -m shell -a "tail -3 /etc/passwd"
ansible all -m shell -a "tail -3 /etc/shadow"

Update the Ansible vault key

Download the file
cd ~/ansible/
wget http://materials/salaries.yml

Comment out the password file path (otherwise ansible-vault would read the old password from secret.txt instead of prompting for it)
vim ansible.cfg
#vault_password_file = /home/greg/ansible/secret.txt

Change the file's password
ansible-vault rekey salaries.yml

Uncomment the password file path again
vim ansible.cfg
vault_password_file = /home/greg/ansible/secret.txt

Reposted from blog.csdn.net/m0_49864110/article/details/130445192