透过 Ansible 自动部署节点(上)
假设我们有这么一个网络:
- 一个 HTTP 服务器,只供内网访问,内网节点必须能透过 http://app.example.com/ 链接造访该网站
- 一个 DNS 服务器,把 app.example.com 解析为内网 HTTP 服务器的 IP
- 一个 Ansible 控制节点
如何能让这三个节点都用上内网的 DNS 服务器,继而能透过 http://app.example.com/ 链接造访内网网站呢?当然,我们能登入每个节点分别进行手动配置,但当节点的数量增多,分别手动配置的可行性将不断降低。因此,一个更为实际的长远方案是透过自动化的方式批量部署节点,而 Ansible 的社区版正提供了这么一个方案。
实验环境概括
该实验采取 阿里云 ECS 虚拟化方案,内网网段是 192.168.1.0/24
。
角色 | IP 地址 | 操作系统 |
---|---|---|
HTTP 服务器 | 192.168.1.200 |
Alibaba Cloud Linux 3.2104 LTS |
DNS 服务器 | 192.168.1.201 |
Alibaba Cloud Linux 3.2104 LTS |
Ansible 控制节点 | 192.168.1.202 |
Alibaba Cloud Linux 3.2104 LTS |
配置实验环境
HTTP 服务器
安装 Apache HTTP 服务器:
sudo dnf install httpd
把以下内容写进 /var/www/html/index.html
:
<html>
<head>
<title>欢迎来到 app.example.com</title>
</head>
<body>
<h1>欢迎来到 app.example.com</h1>
</body>
</html>
启用 Apache:
sudo systemctl enable --now httpd
确认 HTTP 服务器成功安装并正常运行:
systemctl status httpd
如成功,运行状态应该为 active (running)
。
再测试一下吧:
wget -qO - http://localhost/
输出:
<html>
<head>
<title>欢迎来到 app.example.com</title>
</head>
<body>
<h1>欢迎来到 app.example.com</h1>
</body>
</html>
DNS 服务器
先测试一下能造访我们的内网网站:
wget -qO - http://192.168.1.200/
输出:
<html>
<head>
<title>欢迎来到 app.example.com</title>
</head>
<body>
<h1>欢迎来到 app.example.com</h1>
</body>
</html>
安装 BIND:
sudo dnf install bind bind-utils
然后把 /etc/named.conf
覆盖:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl intranet { 192.168.1.0/24; };
options {
listen-on port 53 { 127.0.0.1; intranet; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; intranet; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
allow-recursion { localhost; i