1、 安装系统角色
yum -y install rhel-system-roles
- 系统角色默认存放位置
[root@marter ~]# ls /usr/share/ansible/roles/
linux-system-roles.certificate linux-system-roles.nbde_client linux-system-roles.storage rhel-system-roles.kernel_settings rhel-system-roles.selinux
linux-system-roles.crypto_policies linux-system-roles.nbde_server linux-system-roles.timesync rhel-system-roles.logging rhel-system-roles.ssh
linux-system-roles.ha_cluster linux-system-roles.network linux-system-roles.tlog rhel-system-roles.metrics rhel-system-roles.sshd
linux-system-roles.kdump linux-system-roles.postfix rhel-system-roles.certificate rhel-system-roles.nbde_client rhel-system-roles.storage
linux-system-roles.kernel_settings linux-system-roles.selinux rhel-system-roles.crypto_policies rhel-system-roles.nbde_server rhel-system-roles.timesync
linux-system-roles.logging linux-system-roles.ssh rhel-system-roles.ha_cluster rhel-system-roles.network rhel-system-roles.tlog
linux-system-roles.metrics linux-system-roles.sshd rhel-system-roles.kdump rhel-system-roles.postfix
- 现在将系统角色SELinux放在单独的目录下
cp -a /usr/share/ansible/roles/rhel-system-roles.selinux/ /etc/ansible/roles/
[root@marter ~]# ls /etc/ansible/roles/
rhel-system-roles.selinux
2、 使用系统角色SELinux
2.1 从受控节点copy配置文件
先要在受控节点安装httpd服务,并复制httpd的配置文件到控制节点。因为模板要用到配置文件,如果控制节点有httpd的模板就不用做这一步操作。
[root@apache ~]# yum -y install httpd
......
//httpd配置文件路径
[root@apache conf]# pwd
/etc/httpd/conf
[root@marter files]# scp 192.168.47.128:/etc/httpd/conf/httpd.conf /etc/ansible/files/httpd.conf.j2
httpd.conf 100% 12KB 11.9MB/s 00:00
[root@marter files]# ls
httpd.conf.j2
2.2 配置httpd模板
修改服务的端口号,改成82端口。在配置文件中先找到Listen 80,然后把端口设置成为一个变量,在写play的时候定义变量值。这就是模板的使用,其他服务的配置基本差不多是一样的。
[root@ansible files]# vim httpd.conf.j2
......
#Listen 12.34.56.78:80
Listen {{ port }}
......
2.3 编写play配置文件
- 目录
[root@marter ansible]# tree
.
├── \
├── 1
├── ansible.cfg
├── ansible.cfg.rpmsave
├── files
│ └── httpd.conf.j2
├── hosts
├── inventory
├── roles
│ └── rhel-system-roles.selinux
.......
└── test.yml
- test.yml文件如下
[root@marter ansible]# cat test.yml
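---
# Install httpd on the `apache` group, template its config onto a non-default
# port, let the rhel-system-roles.selinux role label that port, then start the
# service. SELinux stays enforcing throughout; only the port label is added.
- hosts: apache
  vars:
    # Rendered into files/httpd.conf.j2 as `Listen {{ port }}`.
    port: 82
    selinux_state: enforcing
    # Consumed by the selinux role. The key names must be exactly those the role
    # reads (ports / setype / proto / state); a mistyped variable or key is simply
    # never used, so the port would stay unlabeled without any error.
    # `ports` must stay in step with `port` above.
    selinux_ports:
      - ports: '82'
        setype: 'http_port_t'
        proto: 'tcp'
        state: 'present'
  tasks:
    - name: install httpd
      yum:
        name: httpd
        state: present
    - name: config httpd
      template:
        src: files/httpd.conf.j2
        dest: /etc/httpd/conf/httpd.conf
      notify: restart httpd
    - name: selinux for httpd
      block:
        - name: role use
          include_role:
            # Must match the directory name under roles/ exactly.
            name: rhel-system-roles.selinux
      rescue:
        # The role fails on purpose when its changes need a reboot and sets
        # selinux_reboot_required; any other failure is re-raised here.
        - name: Check for failure for other reasons than required reboot
          fail:
          when: not selinux_reboot_required
        - name: Restart managed host
          reboot:
        - name: Reapply Selinux role to cpmplete changes
          include_role:
            name: rhel-system-roles.selinux
    - name: service for httpd
      service:
        name: httpd
        state: started
        enabled: yes
  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted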
2.4 执行
[root@ansible ansible]# ansible-playbook test.yml
......
ok: [192.168.47.128] => (item={'ports': '82', 'setype': 'http_port_t', 'proto': 'tcp', 'state': 'present'})
TASK [selinux : Set linux user to SELinux user mapping] ************************
PLAY RECAP *********************************************************************
192.168.47.128 : ok=10 changed=2 unreachable=0 failed=0 skipped=14 rescued=0 ignored=0
到受控端查看selinux规则是否修改成功:
[root@apache conf]# semanage port -l | grep http_
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
[root@apache conf]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:82 *:*
LISTEN 0 128 [::]:22 [::]:*
//此时发现定义的端口号82已经修改成功
3、角色结构创建
运行ansible-galaxy init来创建新角色的目录结构。指定角色的名称作为命令的参数,该命令在当前工作目录中为新角色创建子目录。该命令需要在roles/的目录下使用
[root@master playbook]# cd roles/
[root@master roles]# ansible-galaxy init httpd
- Role httpd was created successfully
[root@master roles]# ls
httpd selinux timesync
[root@master roles]# tree httpd/
httpd/
|-- README.md
|-- defaults
| `-- main.yml
|-- files
|-- handlers
| `-- main.yml
|-- meta
| `-- main.yml
|-- tasks
| `-- main.yml
|-- templates
|-- tests
| |-- inventory
| `-- test.yml
`-- vars
`-- main.yml
8 directories, 8 files
4、使用创建的角色
4.1 创建httpd角色、配置源码apache
- 目录
[root@marter roles]# tree
.
└── httpd
├── README.md
├── tasks
│ ├── get_url.yml
│ ├── main.yml
│ ├── make.yml
│ └── server.yml
└── vars
└── main.yml
- 任务
[root@marter roles]# cat httpd/tasks/get_url.yml
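---
# Fetch the upstream source tarballs onto the managed host and unpack them.
# `ziyuan` (download URLs) and `wenjian` (archive file names) come from vars/main.yml.
- name: 下载及解压资源
  get_url:
    url: "{{ item }}"
    dest: /usr/local/src/
    # TODO(review): pin each download with `checksum: sha256:<EXPECTED_SHA256>` so a
    # tampered or swapped tarball fails here instead of being compiled and started as root.
  loop: "{{ ziyuan }}"
- name: jieya
  unarchive:
    # The archive already lives on the managed host; `remote_src` is the current
    # spelling of the deprecated `copy: no`.
    remote_src: yes
    src: "/usr/local/src/{{ item }}"
    dest: /usr/local/src/
  tags: unarchive
  loop: "{{ wenjian }}"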
[root@marter roles]# cat httpd/tasks/make.yml
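---
# Patch the apr-1.7.0 configure script, then run the build steps from `make`.
- name: 删除
  lineinfile:
    path: /usr/local/src/apr-1.7.0/configure
    # `regexp` is a Python regular expression: an unescaped `$` is an end-of-line
    # anchor, so the pattern `$RM "$cfgfile"` can never match a real line (the play
    # output shows this task as "ok", not "changed"). Escaping both dollars matches
    # the literal text.
    regexp: '\$RM "\$cfgfile"'
    state: absent
- name: 编译
  # Each item of `make` (vars/main.yml) is handed to the shell as root, unquoted.
  # Only role-controlled strings belong in that variable; never feed it host facts
  # or inventory-supplied values.
  shell: "{{ item }}"
  loop: "{{ make }}"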
[root@marter roles]# cat httpd/tasks/server.yml
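---
# Install the build-time dependencies listed in `bao` (vars/main.yml).
- name: 安装依赖包
  yum:
    # Passing the whole list resolves every package in one yum transaction
    # instead of one transaction per loop item.
    name: "{{ bao }}"
    state: present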
- 主文件
[root@marter roles]# cat httpd/tasks/main.yml
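---
# tasks file for httpd
# Role entry point. Order matters: packages first, then sources, then build.
# Naming the includes makes the play output say which file is being pulled in
# instead of three identical "include_tasks" headers.
- name: install build dependencies
  include_tasks: server.yml
- name: download and unpack sources
  include_tasks: get_url.yml
- name: patch and build
  include_tasks: make.yml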
- 变量
[root@marter roles]# cat httpd/vars/main.yml
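---
# vars file for httpd
# Build-time packages installed by tasks/server.yml.
bao:
  - gcc-c++
  - expat-devel
  - pcre-devel
  - make
# Source tarballs fetched by tasks/get_url.yml. The mirror is reached over HTTPS,
# but nothing here verifies the archive contents; see the checksum note in get_url.yml.
ziyuan:
  - https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.48.tar.gz
  - https://mirrors.tuna.tsinghua.edu.cn/apache/apr/apr-1.7.0.tar.gz
  - https://mirrors.tuna.tsinghua.edu.cn/apache/apr/apr-util-1.6.1.tar.gz
# Archive names unpacked by tasks/get_url.yml; each must match a file in `ziyuan`.
wenjian:
  - apr-1.7.0.tar.gz
  - apr-util-1.6.1.tar.gz
  - httpd-2.4.48.tar.gz
# Shell commands run in order by tasks/make.yml. Each item is self-contained (its
# own `cd`) so a failure is reported at the step that broke instead of somewhere
# inside one long `&&` chain. apr must be built before apr-util before httpd.
# The last step starts httpd directly from the build tree, not via a service unit,
# so it is not idempotent and the daemon will not be restarted on reboot.
make:
  - cd /usr/local/src/apr-1.7.0/ && ./configure --prefix=/usr/local/apr && make && make install
  - cd /usr/local/src/apr-util-1.6.1/ && ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr && make && make install
  - cd /usr/local/src/httpd-2.4.48/ && ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util && make && make install
  - /usr/local/httpd/bin/apachectl start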
- 在playbook中使用该角色配置apache
[root@marter ~]# cat test1.yml
---
# Apply the locally created `httpd` role (roles/httpd) to the `apache` host group.
- hosts: apache
  roles:
    - role: httpd
[root@marter ~]# ansible-playbook test1.yml
PLAY [apache] ********************************************************************************************************************************************************************
TASK [Gathering Facts] ***********************************************************************************************************************************************************
ok: [192.168.47.128]
TASK [httpd : include_tasks] *****************************************************************************************************************************************************
included: /root/roles/httpd/tasks/server.yml for 192.168.47.128
TASK [httpd : 安装依赖包] *************************************************************************************************************************************************************
changed: [192.168.47.128] => (item=gcc-c++)
changed: [192.168.47.128] => (item=expat-devel)
changed: [192.168.47.128] => (item=pcre-devel)
changed: [192.168.47.128] => (item=make)
TASK [httpd : include_tasks] *****************************************************************************************************************************************************
included: /root/roles/httpd/tasks/get_url.yml for 192.168.47.128
TASK [httpd : 下载及解压资源] ***********************************************************************************************************************************************************
changed: [192.168.47.128] => (item=https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.48.tar.gz)
changed: [192.168.47.128] => (item=https://mirrors.tuna.tsinghua.edu.cn/apache/apr/apr-1.7.0.tar.gz)
changed: [192.168.47.128] => (item=https://mirrors.tuna.tsinghua.edu.cn/apache/apr/apr-util-1.6.1.tar.gz)
TASK [httpd : jieya] *************************************************************************************************************************************************************
changed: [192.168.47.128] => (item=apr-1.7.0.tar.gz)
changed: [192.168.47.128] => (item=apr-util-1.6.1.tar.gz)
changed: [192.168.47.128] => (item=httpd-2.4.48.tar.gz)
TASK [httpd : include_tasks] *****************************************************************************************************************************************************
included: /root/roles/httpd/tasks/make.yml for 192.168.47.128
TASK [httpd : 删除] ****************************************************************************************************************************************************************
ok: [192.168.47.128]
TASK [httpd : 编译] ****************************************************************************************************************************************************************
changed: [192.168.47.128] => (item=cd /usr/local/src/apr-1.7.0/ && ./configure --prefix=/usr/local/apr && make && make install && cd /usr/local/src/apr-util-1.6.1/ && ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr && make && make install && cd /usr/local/src/httpd-2.4.48/ && ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util && make && make install && /usr/local/httpd/bin/apachectl start)
PLAY RECAP ***********************************************************************************************************************************************************************
192.168.47.128 : ok=9 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
- 查看
5、使用ansible galaxy部署角色
5.1 介绍ansible galaxy
Ansible Galaxy 是一个Ansible内容公共资源库,这些内容由许许多多Ansible管理员和用户编写。它包含数千个Ansible角色,具有可搜索的数据库,可帮助Ansible用户确定或许有助于他们完成管理任务的角色。Ansible Galaxy含有面向新的Ansible用户和角色开发人员的文档和视频链接。
5.2 获取Ansible Galaxy帮助
通过Ansible Galaxy网站主页上的Documentation标签,可以进入描述如何使用Ansible Galaxy的页面。其中包含了介绍如何从Ansible Galaxy下载和使用角色的内容。该页面也提供关于如何开发角色并上传到Ansible Galaxy的说明。
5.3 浏览Ansible Galaxy中的角色
通过Ansible Galaxy网站主页上左侧的Search标签,用户可以访问关于Ansible Galaxy上发布的角色的信息。用户可以使用标记通过角色的名称或通过其他角色属性来搜索Ansible角色。结果按照Best Match分数降序排列,此分数依据角色质量、角色受欢迎程度和搜索条件计算而得。
5.4. 创建角色的方法
//第一种
[root@master roles]# ansible-galaxy init httpd
//第二种
[root@master roles]# ansible-galaxy role init nginx
5.5 Ansible Galaxy命令 从命令行搜索角色
- ansible-galaxy search子命令在Ansible Galaxy中搜索角色。如果以参数形式指定了字符串,则可用于按照关键字在Ansible Galaxy中搜索角色。用户可以使用--author(作者)、--platforms(平台)和--galaxy-tags(标记)选项来缩小搜索结果的范围。也可以将这些选项用作主要的搜索键。
- 搜索结果按照字母顺序显示,而不是Best Match分数降序排列。
[root@master ~]# ansible-galaxy search 'redis' --platforms EL //表示搜索包含redis并且适用于企业Linux(EL)平台的角色的名称。换种写法:ansible-galaxy search redis --platform Fedora
Found 235 roles matching your search:
Name Description
---- -----------
0x0i.consul Consul - a service discovery, mesh and configuration>
0x0i.grafana Grafana - an analytics and monitoring observability >
0x5a17ed.ansible_role_netbox Installs and configures NetBox, a DCIM suite, in a p>
1it.sudo Ansible role for managing sudoers
adfinis-sygroup.redis Ansible role for Redis
AerisCloud.librato Install and configure the Librato Agent
……略
//搜索
[root@master roles]# ansible-galaxy role search geerlingguy.redis/
Found 26 roles matching your search:
Name Description
---- -----------
alban.andrieu.logstash-settings A role for installing logstash configuration
alikins.php_redis PhpRedis support for Linux
alikins.redis Redis for Linux
binarycode.redis Redis for Linux
bpresles.redis Redis for Linux
bsmeding.ansible_role_nautobot Installs Nautobot (fork from Netbox) CMDB
……
- ansible-galaxy info子命令显示与角色相关的更多详细信息。Ansible Galaxy从多个位置获取这一信息,包括角色的meta/main.yml文件及其GitHub存储库。以下命令显示了Ansible Galaxy提供的robertdebock.httpd角色的相关信息。
[root@master ~]# ansible-galaxy role info robertdebock.httpd
Role: robertdebock.httpd
description: Install and configure httpd on your system.
active: True
commit: 9fc0e5c1f38873f26c1d896d7db1424b2e07181b
commit_message: 404 is also good.
commit_url: https://api.github.com/repos/robertdebock/ansible-role-httpd/git/commits/9fc0e5c1>
company: none
created: 2017-11-10T16:04:25.981866Z
download_count: 141057
forks_count: 11
github_branch: master
github_repo: ansible-role-httpd
github_user: robertdebock
id: 21855
……略
5.6 从Ansible Galaxy安装角色
使用ansible-galaxy install子命令从Ansible Galaxy下载角色,并将它安装到控制节点本地。
- 默认情况下,角色安装到用户的roles_path下的第一个可写目录中。根据为Ansible设置的默认roles_path,角色通常将安装到用户的~/.ansible/roles目录。默认的roles_path可能会被用户当前Ansible配置文件或环境变量ANSIBLE_ROLES_PATH覆盖,这将影响ansible-galaxy的行为。
- 也可以通过使用-p DIRECTORY选项,指定具体的目录来安装角色。
[root@master ~]# ansible-galaxy install geerlingguy.redis -p roles/
- downloading role 'redis', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-redis/archive/1.7.0.tar.gz
- extracting geerlingguy.redis to /root/roles/geerlingguy.redis
- geerlingguy.redis (1.7.0) was installed successfully
[root@master ~]# ls roles/
geerlingguy.redis
//使用-r requirements-file选项指定角色文件来安装角色
[root@master ~]# ansible-galaxy install -r roles/requirements.yml -p roles/
- 使用playbook安装多个角色
[root@master roles]# vim requirements.yml
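# Roles to fetch with `ansible-galaxy install -r requirements.yml`.
# Annotations must be YAML `#` comments: a trailing `// ...` would become part of
# the `src` value and the install would look up a role that does not exist.
- src: geerlingguy.redis   # src names the role to install (Galaxy namespace.name)
  version: "1.5.0"         # version is optional and pins the release to install
# NOTE(review): the two roles below are unpinned and resolve to whatever release is
# current at install time; add a `version:` to keep deployments reproducible.
- src: robertdebock.httpd
- src: robertdebock.epel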
5.7 管理下载的角色
- ansible-galaxy list子命令列出本地找到的角色。
[root@master ~]# ansible-galaxy list
# /root/.ansible/roles
- robertdebock.httpd, 7.0.0
# /usr/share/ansible/roles
- linux-system-roles.certificate, (unknown version)
- linux-system-roles.crypto_policies, (unknown version)
- linux-system-roles.ha_cluster, (unknown version)
- linux-system-roles.kdump, (unknown version)
[root@master roles]# ansible-galaxy list -p . #-p指定位置
# /root/roles
- robertdebock.httpd, 7.0.0
# /root/.ansible/roles
# /usr/share/ansible/roles
- linux-system-roles.certificate, (unknown version)
- linux-system-roles.crypto_policies, (unknown version)
- linux-system-roles.ha_cluster, (unknown version)
- linux-system-roles.kdump, (unknown version)
- 可以使用ansible-galaxy remove子命令本地删除角色。
[root@master ~]# ansible-galaxy role remove robertdebock.httpd
- successfully removed robertdebock.httpd
[root@marter roles]# ansible-galaxy init httpd
- Role httpd was created successfully
[root@marter roles]# ls
httpd
#使用-p指定自己创建的角色目录,可以删除
[root@marter roles]# ansible-galaxy role remove httpd -p .
- successfully removed httpd