Since I passed the CSA on 10.17, here is the CE walkthrough I put together from two weeks of learning Ansible, combined with the question bank.
I am also taking the exam at the end of November, but this walkthrough also covers this year's Red Hat 8 question bank.
The text may explain some command parameters; if anything is unclear, see my Ansible notes.
PS: every template-style question bank still has to be understood with your own head before you can pass.
Main text:
1、Install and configure Ansible
Create the host inventory
Edit the configuration file
//Configuration file that must be edited
[greg@control ansible]$ vi ansible.cfg
[defaults]
inventory = /home/student/ansible/inventory
# the user you log in to the managed nodes as
remote_user = greg
roles_path = /home/student/ansible/roles
# do not verify the managed nodes' SSH host keys, so first connections do not prompt;
# acceptable in the exam lab, but outside it this removes the protection against a spoofed host
host_key_checking = false
# lets the ordinary user escalate to root with sudo
[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = false
[greg@control ansible]$ mkdir roles
Test that the managed nodes respond to ping
2、Create and run Ansible ad hoc commands
During the exam you can open two terminals and use the second one to read the module help; while practising, just learn how each module is used
[greg@control ansible]$ ansible-doc yum_repository
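The ad hoc script for this task (the adhoc.sh that appears in a later directory listing) is not reproduced in the post. The playbook below is an added example, not the post's own code, showing the yum_repository parameters you would look up with ansible-doc; REPO_SERVER, the repository ids and the GPG key location are placeholders that the task text supplies.

```yaml
---
# Added example, not from the original post. REPO_SERVER, the repository ids and
# the key path are placeholders: take the real values from the task description.
- name: register package repositories on every managed node
  hosts: all
  tasks:
    # import the signing key first, otherwise gpgcheck cannot verify packages
    - name: import the repository GPG key
      rpm_key:
        key: http://REPO_SERVER/RPM-GPG-KEY-PLACEHOLDER
        state: present

    - name: add the base repository
      yum_repository:
        name: BASE_REPO_ID            # placeholder repository id
        description: base repository
        baseurl: http://REPO_SERVER/BASE_REPO_PATH
        gpgcheck: yes                 # keep signature checking on; gpgcheck=no would accept unsigned packages
        gpgkey: http://REPO_SERVER/RPM-GPG-KEY-PLACEHOLDER
        enabled: yes
        file: external                # written to /etc/yum.repos.d/external.repo

    - name: add the application stream repository
      yum_repository:
        name: APPSTREAM_REPO_ID       # placeholder repository id
        description: application stream repository
        baseurl: http://REPO_SERVER/APPSTREAM_REPO_PATH
        gpgcheck: yes
        gpgkey: http://REPO_SERVER/RPM-GPG-KEY-PLACEHOLDER
        enabled: yes
        file: external

    - name: confirm the repositories are visible
      command: yum repolist
      changed_when: false
      register: repolist

    - name: show the repository list
      debug:
        var: repolist.stdout_lines
```

The same key=value pairs are what the task wants on the command line: ansible all -m yum_repository -a 'name=BASE_REPO_ID description="base repository" baseurl=http://REPO_SERVER/BASE_REPO_PATH gpgcheck=yes gpgkey=http://REPO_SERVER/RPM-GPG-KEY-PLACEHOLDER enabled=yes file=external', with a matching call for the second repository, and yum list all | wc -l on a node (as the post does below) confirms the packages are visible.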
Verify on node1
[greg@node1 yum.repos.d]$ yum list all | wc -l
6336
3、Install packages
Test:
4、Use RHEL system roles
First download the system roles
Configure the role call
Write the main configuration file
roles: calls the role modules of timesync
Run
Test
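The post's own timesync.yml is not shown, so here is an added example of the playbook that calls the timesync system role. It assumes the rhel-system-roles package has been installed and its timesync role is reachable through roles_path, and NTP_SERVER_PLACEHOLDER stands for the server named in the task.

```yaml
---
# Added example, not the post's timesync.yml. Assumed: the rhel-system-roles
# package is installed and its timesync role is reachable through roles_path;
# NTP_SERVER_PLACEHOLDER stands for the time server named in the task.
- name: configure time synchronisation with the timesync system role
  hosts: all
  vars:
    # variable names are the ones the timesync role reads
    timesync_ntp_servers:
      - hostname: NTP_SERVER_PLACEHOLDER
        iburst: yes          # speeds up the initial synchronisation
  roles:
    - rhel-system-roles.timesync
```

On the control node, yum install rhel-system-roles places the roles under /usr/share/ansible/roles; either copy rhel-system-roles.timesync into the roles_path from ansible.cfg or add that directory to roles_path. The role rewrites chrony.conf and restarts chronyd, so chronyc sources on a node is the quickest check.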
5、Install roles with Ansible Galaxy
balancer: provides the load balancer
phpinfo: a PHP test page
Download both roles locally
-r specifies the file that lists the roles to download; -p specifies the directory to download them into
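The requirements file passed with -r (the roles.yml in the later directory listing) is not reproduced in the post; the following is an added example of its format, not the post's own file. The archive URLs are placeholders: use the ones given in the task.

```yaml
---
# Added example of a requirements file for ansible-galaxy -r; not the post's
# own roles.yml. The archive URLs are placeholders to be taken from the task.
- src: http://materials/BALANCER_ARCHIVE.tar
  name: balancer
- src: http://materials/PHPINFO_ARCHIVE.tar
  name: phpinfo
```

Install with ansible-galaxy install -r roles.yml -p /home/greg/ansible/roles and confirm with ansible-galaxy list; the roles are then referenced by name under roles: in a play, exactly as apache is in task 6.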
6、Create and use roles
Create the role by hand
[greg@control ansible]$ cat htttp.yml
---
- name: install
  hosts: webservers
  roles:
    - apache
[greg@control ansible]$ curl 172.25.250.11
Welcome to node3.lab.example.com on 172.25.250.11
[greg@control ansible]$ curl 172.25.250.12
Welcome to node4.lab.example.com on 172.25.250.12
7、Use roles from Ansible Galaxy
This task may sound convoluted, but think it through: the balancer role deploys haproxy as the load balancer,
and the webservers group contains node3 and node4, which already got httpd and the default page in task 6.
The first step's goal is to have node5 load-balance across the webservers group.
Inventory
What the PHP role test shows
Access the webservers group's IPs directly
8、Create and use logical volumes
Task execution flow:
- When the tasks in block succeed, the always tasks run
- When a task in block fails, the rescue tasks run and then the always tasks (the block fails, but the playbook does not stop)
The when clause checks whether the research volume group exists on the host; only then is the data logical volume created in it
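The lv.yml playbook itself is not reproduced in the post. The following is an added example written to match the task flow just described and the lsblk results below (a 1.5G volume on node2, 800M on node3); it is not the post's own file, and the volume group name research, the logical volume name data, the 1500 MiB first attempt, the 800 MiB fallback and the debug messages are assumptions.

```yaml
---
# Added example written from the task flow above and the lsblk results below;
# it is not the post's own lv.yml. Assumed: the volume group is "research", the
# logical volume is "data", the first attempt is 1500 MiB and the fallback 800 MiB.
- name: create logical volume data in volume group research
  hosts: all
  tasks:
    - name: create the logical volume where the volume group exists
      block:
        - name: try the requested size first
          lvol:
            vg: research
            lv: data
            size: 1500m
      rescue:
        # reached only when the lvol task above fails, e.g. not enough free space
        - name: report the failure instead of aborting the play
          debug:
            msg: "Could not create logical volume of that size"
        - name: fall back to the smaller size
          lvol:
            vg: research
            lv: data
            size: 800m
      always:
        # runs after the block or the rescue, so the volume is formatted either way
        - name: format the logical volume with ext4
          filesystem:
            fstype: ext4
            dev: /dev/research/data
      # a when on the block applies to every task inside it
      when: ansible_lvm.vgs.research is defined

    - name: report hosts without the volume group
      debug:
        msg: "Volume group does not exist"
      when: ansible_lvm.vgs.research is not defined
```

ansible_lvm is only gathered when lvm2 is installed on the node, which is why fact gathering must stay enabled. Note that always runs even if the rescue task fails: on a host where not even 800 MiB fits, the filesystem task runs anyway and fails on the missing device, which is the behaviour you want to see in the recap rather than a silently skipped host.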
Test:
[greg@control ansible]$ ansible all -a 'lvs'
[root@node2 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 10G 0 disk
└─vda1 252:1 0 10G 0 part /
vdb 252:16 0 5G 0 disk
└─research-data 253:0 0 1.5G 0 lvm
[greg@node3 ~]$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 10G 0 disk
└─vda1 252:1 0 10G 0 part /
vdb 252:16 0 5G 0 disk
└─vdb1 252:17 0 1G 0 part
└─research-data 253:0 0 800M 0 lvm
9、Generate the hosts file
[greg@control ansible]$ wget http://materials/hosts.j2
--2022-11-09 11:07:41-- http://materials/hosts.j2
Resolving materials (materials)... 172.25.254.254
Connecting to materials (materials)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 147
Saving to: ‘hosts.j2’
hosts.j2 100%[===================>] 147 --.-KB/s in 0s
2022-11-09 11:07:41 (37.9 MB/s) - ‘hosts.j2’ saved [147/147]
[greg@control ansible]$ ls
adhoc.sh hosts.j2 lv.yml roles timesync.yml
ansible.cfg inventory packages.yml roles.yml
[greg@control ansible]$ vim hosts.j2
[greg@control ansible]$ cat hosts.j2
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
{# loop over every host in the inventory #}
{% for host in groups.all %}
{# the host's IP address, taken from its gathered facts #}
{{ hostvars[host].ansible_enp1s0.ipv4.address }}
{# the fully qualified domain name #}
{{ hostvars[host].ansible_fqdn }}
{# the short host name #}
{{ hostvars[host].ansible_hostname }}
{# end of the for loop #}
{% endfor %}
[greg@control ansible]$ cat hosts.yml
---
# the first play only gathers facts, so hostvars of every node are filled in for the template
- name: get all facts
  hosts: all
- name: cp to myhosts
  hosts: dev
  tasks:
    - name: cp file
      template:
        src: hosts.j2
        dest: /etc/myhosts
//Test
[greg@control ansible]$ ansible-playbook hosts.yml
PLAY [get all facts] ***********************************************************
TASK [Gathering Facts] *********************************************************
ok: [node4]
ok: [node2]
ok: [node5]
ok: [node3]
ok: [node1]
PLAY [cp to myhosts] ***********************************************************
TASK [Gathering Facts] *********************************************************
ok: [node1]
TASK [cp file] *****************************************************************
changed: [node1]
PLAY RECAP *********************************************************************
node1 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node4 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node5 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//node1
[greg@node1 ~]$ cat /etc/myhosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.25.250.9
node1.lab.example.com
node1
172.25.250.10
node2.lab.example.com
node2
172.25.250.13
node5.lab.example.com
node5
172.25.250.11
node3.lab.example.com
node3
172.25.250.12
node4.lab.example.com
node4
10、Modify file content
//Original content
[greg@node1 ~]$ cat /etc/issue
\S
Kernel \r on an \m
content: saves the literal string or variable value given to content as the file content on the remote host; it takes the place of the src option
[greg@control ansible]$ cat issue.yml
---
- name: modify issue
  hosts: all
  tasks:
    # the content block selects the text by the group the host belongs to
    - name: input to issue
      copy:
        content: |
          {% if 'dev' in group_names %}
          Development
          {% elif 'test' in group_names %}
          Test
          {% elif 'prod' in group_names %}
          Production
          {% endif %}
        dest: /etc/issue
[greg@control ansible]$ ansible-playbook issue.yml
PLAY [modify issue] ************************************************************
TASK [Gathering Facts] *********************************************************
ok: [node5]
ok: [node4]
ok: [node3]
ok: [node2]
ok: [node1]
TASK [input to issue] **********************************************************
changed: [node4]
changed: [node5]
changed: [node3]
changed: [node2]
changed: [node1]
PLAY RECAP *********************************************************************
node1 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node4 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node5 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
//After the change
[greg@node1 ~]$ cat /etc/issue
Development
11、Create a web content directory
[greg@control ansible]$ cat webcontent.yml
---
- name: web station
  hosts: dev
  tasks:
    - name: install rpm
      yum:
        name:
          - httpd
          - firewalld
        state: present
    - name: create group
      group:
        name: webdev
        state: present
    - name: create /webdev
      file:
        path: /webdev
        state: directory
        group: webdev
        mode: '2775'   # quote the mode: an unquoted 2775 is read as a decimal number and sets the wrong permissions
    - name: cp
      copy:
        content: Development
        dest: /webdev/index.html
    - name: set selinux   # label the directory as web content so httpd may read it
      sefcontext:
        target: /webdev(/.*)?
        setype: httpd_sys_content_t
    - name: shell   # apply the new context to the files that already exist
      shell:
        cmd: restorecon -Rv /webdev
    - name: create link   # symbolic link so the directory is served under the web root
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: restart httpd
      service:
        name: httpd
        state: restarted
        enabled: yes
    - name: restart firewalld
      service:
        name: firewalld
        state: restarted
        enabled: yes
    - name: firewall for http   # open the firewall for http
      firewalld:
        service: http
        state: enabled
        permanent: yes
        immediate: yes
[greg@control ansible]$ ansible-playbook webcontent.yml
PLAY [web station] *************************************************************
TASK [Gathering Facts] *********************************************************
ok: [node1]
TASK [install rpm] *************************************************************
ok: [node1]
TASK [create group] ************************************************************
ok: [node1]
TASK [create /webdev] **********************************************************
ok: [node1]
TASK [cp] **********************************************************************
ok: [node1]
TASK [set selinux] *************************************************************
ok: [node1]
TASK [shell] *******************************************************************
changed: [node1]
TASK [create link] *************************************************************
changed: [node1]
TASK [restart httpd] ***********************************************************
changed: [node1]
TASK [restart firewalld] *******************************************************
changed: [node1]
TASK [firewall for http] *******************************************************
changed: [node1]
PLAY RECAP *********************************************************************
node1 : ok=11 changed=5 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[greg@control ansible]$ curl http://node1.lab.example.com/webdev/
Development
12、Generate a hardware report
The replace module
Replaces strings in a file according to the regular expression you give; every matching string in the file is replaced. Parameters:
- path: before version 2.3 the file could only be named with dest, destfile or name; version 2.4 still accepts those and also path
- regexp: required; a Python regular expression, and every string in the file that matches it is replaced
- replace: the string to replace the matches with
- backup: whether to back the file up before modifying it; best set to yes
//Find the built-in facts the task asks for by searching for the keyword
[greg@control ansible]$ ansible node2 -m setup > a
[greg@control ansible]$ vim a
"ansible_hostname": "node1", //host name
"ansible_memtotal_mb": 1829, //total memory in MB
"ansible_bios_version": "1.11.1-3.module+el8+2529+a9686a4d", //BIOS version
Size of the disk device vda
vdb works the same way as above
Replacement content
Now write the main playbook
[greg@control ansible]$ cat hwreport.yml
---
- name: get hwreport
  hosts: all
  tasks:
    - name: create report file
      get_url:
        url: http://materials/hwreport.empty
        dest: /root/hwreport.txt
    - name: get hostname
      replace:
        path: /root/hwreport.txt
        regexp: 'inventoryhostname'
        replace: "{{ inventory_hostname }}"   # the host name as written in the inventory
    - name: get mem
      replace:
        path: /root/hwreport.txt
        regexp: 'memory_in_MB'
        replace: "{{ ansible_memtotal_mb }}"
    - name: get bios
      replace:
        path: /root/hwreport.txt
        regexp: 'BIOS_version'
        replace: "{{ ansible_bios_version }}"
    - name: get vda
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vda_size'
        replace: "{{ ansible_devices.vda.size if ansible_devices.vda is defined else 'NONE' }}"
    - name: get vdb
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vdb_size'
        replace: "{{ ansible_devices.vdb.size if ansible_devices.vdb is defined else 'NONE' }}"
Test
[greg@control ansible]$ ansible-playbook hwreport.yml
PLAY [get hwreport] ************************************************************
TASK [Gathering Facts] *********************************************************
ok: [node5]
ok: [node4]
ok: [node2]
ok: [node3]
ok: [node1]
TASK [create report file] ******************************************************
changed: [node5]
changed: [node3]
changed: [node2]
changed: [node4]
changed: [node1]
TASK [get hostname] ************************************************************
changed: [node2]
changed: [node3]
changed: [node4]
changed: [node5]
changed: [node1]
TASK [get mem] *****************************************************************
[WARNING]: The value 821 (type int) in a string field was converted to '821'
(type string). If this does not look like what you expect, quote the entire
value to ensure it does not change.
changed: [node5]
changed: [node2]
changed: [node4]
changed: [node3]
[WARNING]: The value 1829 (type int) in a string field was converted to '1829'
(type string). If this does not look like what you expect, quote the entire
value to ensure it does not change.
changed: [node1]
TASK [get bios] ****************************************************************
changed: [node5]
changed: [node4]
changed: [node2]
changed: [node3]
changed: [node1]
TASK [get vda] *****************************************************************
changed: [node5]
changed: [node2]
changed: [node4]
changed: [node3]
changed: [node1]
TASK [get vdb] *****************************************************************
changed: [node3]
changed: [node5]
changed: [node2]
changed: [node4]
changed: [node1]
PLAY RECAP *********************************************************************
node1 : ok=7 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=7 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=7 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node4 : ok=7 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node5 : ok=7 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Test:
[root@node2 ~]# ls
anaconda-ks.cfg hwreport.txt original-ks.cfg
[root@node2 ~]# cat hwreport.txt
# Hardware report
HOST=node2
MEMORY=821
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=10.00 GB
DISK_SIZE_VDB=5.00 GB
13、Create a password vault
[greg@control ansible]$ vim locker.yml
---
# the two passwords that the next task assigns to its users
pw_developer: lmadev
pw_manager: lmamgr
[greg@control ansible]$ echo whenyouwishuponastar > /home/greg/ansible/secret.txt
//only the owner may read the vault password file
[greg@control ansible]$ chmod 600 secret.txt
[greg@control ansible]$ ansible-vault encrypt locker.yml --vault-id=/home/greg/ansible/secret.txt
Encryption successful
//the encrypted file is where the next task's user passwords come from
[greg@control ansible]$ cat locker.yml
$ANSIBLE_VAULT;1.1;AES256
34363264396130316634356132633430363263626663303366343831633236383666663532653864
3237366536646632623438666538393334343930363833330a376636616536333639336135623633
36646465323831393137636639323838303238396631616632303338313564353134623731613339
3738633834323336610a376439646362356335306463623935643734346663366165383563373361
30646438353932376537383639323265613062613761343366343534363532646430613961623439
6163666330336231633264336531346438646664303432636463
14、Create user accounts
Download the user list
[greg@control ansible]$ wget http://materials/user_list.yml
[greg@control ansible]$ cat user_list.yml
users:
  - name: bob
    job: developer   # each entry's job decides which play creates the user
  - name: sally
    job: manager
  - name: fred
    job: developer
The loop (with_items) iteration walks the multiple entries in the file
sha512 is one member of the hash family, and hashes are one-way; think of it as encryption that cannot be decrypted.
Write the tasks
[greg@control ansible]$ cat users.yml
---
- name: create developer user
  hosts: dev,test
  vars_files:   # variables come from these two files
    - /home/greg/ansible/locker.yml
    - /home/greg/ansible/user_list.yml
  tasks:
    - name: create group devops
      group:
        name: devops
        state: present
    - name: create user in developer
      user:
        name: "{{ item.name }}"   # one user per matching entry in user_list.yml
        groups: devops   # supplementary group
        # pw_developer comes from the encrypted locker.yml and is stored as a SHA-512 hash;
        # password_hash picks a new random salt on every run, so this task reports changed
        # each time, and update_password: on_create would stop that
        password: "{{ pw_developer | password_hash('sha512') }}"
        state: present
      loop: "{{ users }}"   # iterate over the users list
      when: item.job == "developer"   # only entries whose job is developer
- name: create developer user
  hosts: prod
  vars_files:
    - /home/greg/ansible/locker.yml
    - /home/greg/ansible/user_list.yml
  tasks:
    - name: create group opsmgr
      group:
        name: opsmgr
        state: present
    - name: create user in manager   # only entries whose job is manager
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
        state: present
      loop: "{{ users }}"
      when: item.job == "manager"
[greg@control ansible]$ ansible-playbook users.yml --vault-id secret.txt
PLAY [create developer user] ***************************************************
TASK [Gathering Facts] *********************************************************
ok: [node2]
ok: [node1]
TASK [create group devops] *****************************************************
ok: [node2]
ok: [node1]
TASK [create user in developer] ************************************************
changed: [node2] => (item={'name': 'bob', 'job': 'developer'})
skipping: [node2] => (item={'name': 'sally', 'job': 'manager'})
changed: [node1] => (item={'name': 'bob', 'job': 'developer'})
skipping: [node1] => (item={'name': 'sally', 'job': 'manager'})
changed: [node2] => (item={'name': 'fred', 'job': 'developer'})
changed: [node1] => (item={'name': 'fred', 'job': 'developer'})
PLAY [create developer user] ***************************************************
TASK [Gathering Facts] *********************************************************
ok: [node4]
ok: [node3]
TASK [create group opsmgr] *****************************************************
ok: [node4]
ok: [node3]
TASK [create user in manager] **************************************************
skipping: [node3] => (item={'name': 'bob', 'job': 'developer'})
skipping: [node4] => (item={'name': 'bob', 'job': 'developer'})
changed: [node3] => (item={'name': 'sally', 'job': 'manager'})
skipping: [node3] => (item={'name': 'fred', 'job': 'developer'})
changed: [node4] => (item={'name': 'sally', 'job': 'manager'})
skipping: [node4] => (item={'name': 'fred', 'job': 'developer'})
PLAY RECAP *********************************************************************
node1 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node4 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Test:
//The users in the test group have been created
[root@node2 ~]# id bob
uid=1002(bob) gid=1003(bob) groups=1003(bob),1002(devops)
[root@node2 ~]# id fred
uid=1003(fred) gid=1004(fred) groups=1004(fred),1002(devops)
15、Update the Ansible vault key
[greg@control ansible]$ wget http://materials/salaries.yml
--2022-11-09 16:14:42-- http://materials/salaries.yml
Resolving materials (materials)... 172.25.254.254
Connecting to materials (materials)|172.25.254.254|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 355
Saving to: ‘salaries.yml’
salaries.yml 100%[===================>] 355 --.-KB/s in 0s
2022-11-09 16:14:42 (66.0 MB/s) - ‘salaries.yml’ saved [355/355]
[greg@control ansible]$ ansible-vault rekey salaries.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[greg@control ansible]$ cat salaries.yml
$ANSIBLE_VAULT;1.1;AES256
38313361623930373839363638656130313862636235626335343131383230373637623233396233
3632303738386561346563313162353737343137653730340a663334366434373033653262376333
30393632383030666237623039643633363833643331373861346561643962303964353435663162
3638366139633830390a356331316633623932396636373932613365376539656139633133376637
6538
16、Configure cron jobs
Create a playbook named /home/greg/ansible/cron.yml that configures a cron job running every 2 minutes and executing the command
logger "EX294 in progress" as the user natasha
[greg@control ansible]$ cat cron.yml
---
- name: create cron
  hosts: all
  tasks:
    - name: create user
      user:
        name: natasha
        state: present
    - name: create cron for all
      cron:
        name: crontab
        minute: '*/2'
        job: logger "EX294 in progress"
        user: natasha
[greg@control ansible]$ ansible-playbook cron.yml
PLAY [create cron] *************************************************************
TASK [Gathering Facts] *********************************************************
ok: [node4]
ok: [node3]
ok: [node5]
ok: [node2]
ok: [node1]
TASK [create user] *************************************************************
changed: [node2]
changed: [node3]
changed: [node4]
changed: [node1]
changed: [node5]
TASK [create cron for all] *****************************************************
changed: [node5]
changed: [node4]
changed: [node2]
changed: [node3]
changed: [node1]
PLAY RECAP *********************************************************************
node1 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node4 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node5 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@node2 ~]# crontab -u natasha -l
#Ansible: crontab
*/2 * * * * logger "EX294 in progress"