1. Ansible configuration
Environment:
FQDN | IP address | Hostname
server.example.com | 192.168.193.137 | server
node1.example.com | 192.168.193.138 | node1
node2.example.com | 192.168.193.139 | node2
Run the following on each host separately:
hostnamectl set-hostname server.example.com
bash
hostnamectl set-hostname node1.example.com
bash
hostnamectl set-hostname node2.example.com
bash
timedatectl set-timezone Asia/Shanghai //give all hosts the same time zone so their clocks agree
Network settings:
In NAT mode, configure at least one static IP that can reach the Internet.
A static IP is configured for easier management: a dynamic lease is returned to the DHCP server after a while and you are handed a new address, so a dynamic IP changes while a static one does not. Also, if another host claims the same IP, neither of the two can communicate, so run ip a first to see the address your own machine currently has before choosing the IPADDR value, to avoid a conflict!
Write the static address:
nmcli connection modify ens160 ipv4.addresses 192.168.193.137/24
nmcli connection modify ens160 ipv4.gateway 192.168.193.2 ipv4.dns 114.114.114.114 ipv4.method manual connection.autoconnect yes
vim /etc/sysconfig/network-scripts/ifcfg-ens160 //view the network config file
ONBOOT=yes //whether to bring this device up at boot
BOOTPROTO=none //manual (none/static) or automatic (dhcp)
IPADDR=192.168.193.137 //based on the address obtained automatically: run ip a first to find this host's IP, which identifies the host
NETMASK=255.255.255.0 //subnet mask, defines the network; this host is on the 192.168.193.0 network. Mask and IP address are a pair, neither works without the other
GATEWAY=192.168.193.2 //gateway, also called the default route: the router that gets you online; check it with ip r
DNS1=114.114.114.114 //name resolution: when you enter a domain name it tells you the IP address. Don't forget the 1; check the current value with cat /etc/resolv.conf
nmcli connection up ens160
Set up the yum repos and the local repo:
mkdir -p /mnt
mount /dev/sr0 /mnt
vim /etc/yum.repos.d/base.repo
[AppStream]
name=AppStream
baseurl=https://mirrors.aliyun.com/centos/8-stream/AppStream/x86_64/os/
gpgcheck=0
[BaseOS]
name=BaseOS
baseurl=https://mirrors.aliyun.com/centos/8-stream/BaseOS/x86_64/os/
gpgcheck=0
yum install vim-enhanced net-tools bash-completion -y //install the required tools
yum install -y https://mirrors.aliyun.com/epel/epel-release-latest-8.noarch.rpm
sed -i 's|^#baseurl=https://download.example/pub|baseurl=https://mirrors.aliyun.com|' /etc/yum.repos.d/epel*
sed -i 's|^metalink|#metalink|' /etc/yum.repos.d/epel*
yum install ansible -y
Case 1:
The control host manages the managed hosts remotely as root, using passwordless (key-based) authentication, to carry out the assigned tasks
(1) The control host (server) matches the managed hosts to connect to by hostname
[root@server ~]# vim /etc/hosts
192.168.193.138 node1 node1.example.com
192.168.193.139 node2 node2.example.com
(2) Generate the key pair
[root@server ~]# ssh-keygen -t rsa -P '' -q -f ~/.ssh/id_rsa
(3) Send the public key
[root@server ~]# ssh-copy-id -i node1
[root@server ~]# ssh-copy-id -i node2
(4) Verify passwordless login
[root@server ~]# ssh node1
Press Ctrl+D to log out
[root@server ~]# ssh node1 hostname
node1.example.com
[root@server ~]# ssh node2 hostname
node2.example.com
Case 2:
The control host connects to the managed hosts as an ordinary user with passwordless authentication and remotely performs specified privileged operations
(1) Both the control host and the managed hosts need the corresponding ordinary user account
(2)[zyj@server ~]$ ssh-keygen -t rsa -P '' -q -f ~/.ssh/id_rsa
[redhat@server ~]$ ll .ssh/
total 12
-rw-------. 1 redhat redhat 2610 Dec 30 16:57 id_rsa
-rw-r--r--. 1 redhat redhat 579 Dec 30 16:57 id_rsa.pub
-rw-r--r--. 1 redhat redhat 182 Dec 30 16:55 known_hosts
(3)[zyj@server ~]$ ssh-copy-id -i zyj@node1
[zyj@server ~]$ ssh-copy-id -i node2
(4) Test the passwordless setup
[zyj@server ~]$ ssh node1 hostname
node1.example.com
(5)[zyj@server ~]$ ssh node1 sudo useradd user1 ---sudo privilege escalation from the control host (----fails with an error)
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
So grant the authorization on the managed host via /etc/sudoers
Option 1: [root@node1 ~]# cat /etc/sudoers | grep -C 1 zyj //check whether the user is already authorized
root ALL=(ALL) ALL
redhat ALL=(ALL) NOPASSWD: ALL
[root@node1 ~]# visudo //edit the authorization: add "zyj ALL=(ALL) NOPASSWD: ALL". Always use visudo; /etc/sudoers must stay mode 0440, and sudo refuses to run if the file is world-writable
Option 2: [root@node1 ~]# cat /etc/sudoers | grep wheel
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) NOPASSWD: ALL
[root@node2 ~]# gpasswd -a zyj wheel
Adding user redhat to group wheel
[zyj@server ~]$ ssh node1 sudo useradd user1 --sudo authorization succeeded
[zyj@server ~]$ ssh node1 id user1
uid=1001(user1) gid=1001(user1) groups=1001(user1)
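The sudoers step above is where the setup most often goes wrong: sudo refuses a world-writable /etc/sudoers, so loosening its mode locks every user out. The following is an added example, not part of the original post, that writes the NOPASSWD rule as a drop-in file with the mode sudo requires and audits an existing file's permissions; the directory is a parameter (on a real managed host it is /etc/sudoers.d) so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# grant_nopasswd USER DIR -> create DIR/USER containing "USER ALL=(ALL) NOPASSWD: ALL"
# with mode 0440, the mode sudo insists on for sudoers files.
grant_nopasswd() {
    user="$1"; dir="$2"; file="$dir/$user"
    # Refuse names that could smuggle extra syntax into the rule.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name: '$user'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || return 1
    # Create the file closed to others from the start, then tighten to 0440.
    ( umask 077 && printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$user" > "$file" ) || return 1
    chmod 0440 "$file" || return 1
    # Syntax-check with visudo when it is present (it is on every sudo host);
    # a rule that does not parse is removed rather than left in place.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null 2>&1 || { rm -f "$file"; return 1; }
    fi
    return 0
}

# audit_sudoers FILE -> 0 if FILE exists with mode 0440, 1 otherwise.
# Any other mode (for example 777) makes sudo reject the file entirely.
audit_sudoers() {
    file="$1"
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        440) return 0 ;;
        *) echo "$file: mode $mode, expected 0440 (sudo refuses world-writable sudoers)" >&2
           return 1 ;;
    esac
}
```

On node1 the real call would be `grant_nopasswd zyj /etc/sudoers.d` as root, followed by `audit_sudoers /etc/sudoers` to confirm the main file was never loosened.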