rhce-8.2

1. Install and configure Ansible

Requirements:

Install and configure Ansible on the control node control as described below:
Install the required packages
Create a static inventory file named /home/greg/ansible/inventory that meets the following requirements:
    node1 is a member of the dev host group
    node2 is a member of the test host group
    node3 and node4 are members of the prod host group
    node5 is a member of the balancers host group
    the prod group is a member of the webservers host group
Create a configuration file named /home/greg/ansible/ansible.cfg that meets the following requirements:
    the host inventory file is /home/greg/ansible/inventory
    the location of roles used in playbooks includes /home/greg/ansible/roles

Implementation:

sudo yum -y install ansible                    # install ansible
vim /home/greg/ansible/inventory                # add the inventory
    [dev]
    node1
    [test]
    node2
    [prod]
    node3
    node4
    [balancers]
    node5
    [webservers:children]
    prod
cp /etc/ansible/ansible.cfg /home/greg/ansible/ansible.cfg         # start from the default configuration file
vim /home/greg/ansible/ansible.cfg
    Edit:
    [defaults]
    inventory      = /home/greg/ansible/inventory
    roles_path = /home/greg/ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
    # disables SSH host key verification for every managed node
    host_key_checking = False
    remote_user = greg
    [privilege_escalation]
    become = true
    become_method = sudo
    become_user = root
    become_ask_pass = false
chmod +x ansible.cfg                             # add permissions (Ansible does not need this; the file is plain text)

Verification:

[greg@control ansible]$ ansible all -m ping -o 
node2 | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
node3 | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
node4 | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
node5 | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
node1 | SUCCESS => {"ansible_facts": {"discovered_interpreter_python": "/usr/libexec/platform-python"},"changed": false,"ping": "pong"}
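
As an added example (not part of the original write-up), the following Python parses the inventory just written, follows [group:children] membership and reproduces the per-host group_names list that the when: "'prod' in group_names" conditions in later exercises rely on; issue_line is the /etc/issue rule from exercise 12. The inventory text is a constructed copy of the file above, and parse_inventory, resolve_group and group_names are names chosen here, not Ansible APIs.

```python
import re
from collections import defaultdict

# Constructed copy of the inventory written in this exercise.
INVENTORY = """\
[dev]
node1
[test]
node2
[prod]
node3
node4
[balancers]
node5
[webservers:children]
prod
"""

# [group], [group:children] or [group:vars] header
SECTION_RE = re.compile(r"^\[([^\]:]+)(?::(children|vars))?\]$")


def parse_inventory(text):
    """Split an INI inventory into direct members and child groups per group."""
    hosts = defaultdict(list)     # group -> hosts listed directly under it
    children = defaultdict(list)  # group -> groups listed under [group:children]
    section, kind = "ungrouped", None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, kind = m.group(1), m.group(2)
            hosts.setdefault(section, [])  # a group with only children is still a group
            continue
        if kind == "children":
            children[section].append(line)
        elif kind is None:
            # "host var=value" lines are allowed; only the host name matters here
            hosts[section].append(line.split()[0])
    return dict(hosts), dict(children)


def resolve_group(group, hosts, children, seen=frozenset()):
    """Every host in a group, following :children recursively; refuses cycles."""
    if group in seen:
        raise ValueError(f"group cycle through {group!r}")
    members = list(hosts.get(group, []))
    for child in children.get(group, []):
        for host in resolve_group(child, hosts, children, seen | {group}):
            if host not in members:
                members.append(host)
    return members


def group_names(text):
    """host -> sorted groups it belongs to, like Ansible's group_names variable."""
    hosts, children = parse_inventory(text)
    result = defaultdict(list)
    for group in set(hosts) | set(children):
        for host in resolve_group(group, hosts, children):
            result[host].append(group)
    return {host: sorted(groups) for host, groups in result.items()}


def issue_line(host, names):
    """The /etc/issue text that exercise 12 assigns from group membership."""
    for group, text in (("dev", "Development"), ("test", "Test"), ("prod", "Production")):
        if group in names.get(host, []):
            return text
    return None  # balancers get no /etc/issue change in that exercise


if __name__ == "__main__":
    names = group_names(INVENTORY)
    for host in sorted(names):
        print(host, names[host], issue_line(host, names))
```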

2. Create and run Ansible ad-hoc commands

Requirements:

Create a shell script named /home/greg/ansible/adhoc.sh, as described below, that uses Ansible ad-hoc commands to install yum repositories on each managed node:
Repository 1:
    the repository name is EX294_BASE
    the description is EX294 base software
    the base URL is http://content/rhel8.4/x86_64/dvd/BaseOS
    GPG signature checking is enabled
    the GPG key URL is http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
    the repository is enabled
Repository 2:
    the repository name is EX294_STREAM
    the description is EX294 stream software
    the base URL is http://content/rhel8.4/x86_64/dvd/AppStream
    GPG signature checking is enabled
    the GPG key URL is http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
    the repository is enabled

Implementation:

Help (look up the module name):

[greg@control ansible]$ ansible-doc -l | grep yum
yum                                                           Manages packa...
yum_repository                                                Add or remove...
cd /home/greg/ansible/
vim adhoc.sh
    Add:
---------------------------------------------------------------------------------
#!/bin/bash
ansible all -m yum_repository -a "name='EX294_BASE'
description='EX294 base software'
baseurl=http://content/rhel8.4/x86_64/dvd/BaseOS
gpgcheck=1
gpgkey=http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled=1"
ansible all -m yum_repository -a "name='EX294_STREAM'
description='EX294 stream software'
baseurl=http://content/rhel8.4/x86_64/dvd/AppStream
gpgcheck=1
gpgkey=http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled=1"
----------------------------------------------------------------------------------
chmod +x adhoc.sh                  # make the script executable
./adhoc.sh                        # run the script (run it twice)
./adhoc.sh

Verification:

[greg@control ansible]$ ansible all -a "yum repolist"
[WARNING]: Consider using the yum module rather than running 'yum'.  If you
need to use command because yum is insufficient you can add 'warn: false' to
this command task or set 'command_warnings=False' in ansible.cfg to get rid of
this message.
node2 | CHANGED | rc=0 >>
repo id                             repo name
EX294_BASE                          EX294 base software
EX294_STREAM                        EX294 stream software
node3 | CHANGED | rc=0 >>
repo id                             repo name
EX294_BASE                          EX294 base software
EX294_STREAM                        EX294 stream software
node4 | CHANGED | rc=0 >>
repo id                             repo name
EX294_BASE                          EX294 base software
EX294_STREAM                        EX294 stream software
node5 | CHANGED | rc=0 >>
repo id                             repo name
EX294_BASE                          EX294 base software
EX294_STREAM                        EX294 stream software
node1 | CHANGED | rc=0 >>
repo id                             repo name
EX294_BASE                          EX294 base software
EX294_STREAM                        EX294 stream software
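
As an added example (not part of the original script), the following Python approximates how Ansible splits an ad-hoc -a string into key=value pairs: shell-like words, so the newlines inside the double quotes are plain separators and the single-quoted descriptions keep their spaces. It then checks that every repository in a constructed copy of adhoc.sh has gpgcheck and enabled set to 1. ARG_RE, parse_module_args, repos_from_script and check_repo are names chosen here; Ansible's real parser is its own parse_kv, which shlex only approximates.

```python
import re
import shlex

# Constructed copy of the adhoc.sh written in this exercise.
ADHOC_SH = '''#!/bin/bash
ansible all -m yum_repository -a "name='EX294_BASE'
description='EX294 base software'
baseurl=http://content/rhel8.4/x86_64/dvd/BaseOS
gpgcheck=1
gpgkey=http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled=1"
ansible all -m yum_repository -a "name='EX294_STREAM'
description='EX294 stream software'
baseurl=http://content/rhel8.4/x86_64/dvd/AppStream
gpgcheck=1
gpgkey=http://content/rhel8.4/x86_64/dvd/RPM-GPG-KEY-redhat-release
enabled=1"
'''

# the double-quoted string after -a, possibly spanning several lines
ARG_RE = re.compile(r'-a\s+"((?:[^"\\]|\\.)*)"', re.DOTALL)
REQUIRED = ("name", "description", "baseurl", "gpgcheck", "gpgkey", "enabled")


def parse_module_args(arg_string):
    """Split an ad-hoc -a string into a dict the way a key=value parser sees it."""
    args = {}
    for word in shlex.split(arg_string):  # newlines are whitespace; quotes group values
        key, sep, value = word.partition("=")
        if not sep:
            raise ValueError(f"not a key=value argument: {word!r}")
        args[key] = value
    return args


def repos_from_script(script):
    """One argument dict per ansible invocation found in the script text."""
    return [parse_module_args(m.group(1)) for m in ARG_RE.finditer(script)]


def check_repo(args):
    """Problems worth flagging: missing keys, signature checking off, repo disabled."""
    problems = [f"missing {key}" for key in REQUIRED if key not in args]
    if args.get("gpgcheck") != "1":
        problems.append("gpgcheck is not 1")
    if args.get("enabled") != "1":
        problems.append("repo is not enabled")
    return problems


if __name__ == "__main__":
    for repo in repos_from_script(ADHOC_SH):
        print(repo["name"], check_repo(repo) or "ok")
```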

3. Install packages

Requirements:

Create a playbook named /home/greg/ansible/packages.yml:
    install the php and mariadb packages on hosts in the dev, test and prod host groups
    install the RPM Development Tools package group on hosts in the dev host group
    update all packages on hosts in the dev host group to the latest version

Implementation:

vim packages.yml
    Add
——————————————————————————————————————————————————————————————
---
- name: p1                                                                # install the packages
  hosts: dev,test,prod
  tasks:
    - name: install
      yum:
        name: php,mariadb
        state: present
- name: p2                                                                # install the package group
  hosts: dev
  tasks:
    - name: install
      yum:
        name: "@RPM Development Tools"
        state: present
- name: p3                                                                # update everything
  hosts: dev
  tasks:
    - name: install
      yum:
        name: "*"
        state: latest
———————————————————————————————————————————————————————————————
ansible-playbook packages.yml                     # run

Verification:

ansible dev,test,prod -a "yum info php"
ansible dev,test,prod -a "yum info mariadb"
ansible dev -a "yum grouplist"  # verify the package group
ansible dev -a "yum update"

4. Use RHEL system roles (1)

Requirements:

Install the RHEL system roles package and create a playbook /home/greg/ansible/selinux.yml that meets the following conditions:
    runs on all managed nodes
    uses the selinux role
    configures the role so that SELinux on the managed nodes is enforcing
    configures SELinux to allow httpd to listen on port 82
    configures SELinux to allow httpd access to /var/www/html

Implementation:

Help (find the package name):

[greg@control ansible]$ sudo yum search roles
Last metadata expiration check: 0:44:14 ago on Wed 25 Oct 2023 07:35:54 AM GMT.
============================= Name Matched: roles ==============================
rhel-system-roles.noarch : Set of interfaces for unified system management
============================ Summary Matched: roles ============================
ansible-freeipa.noarch : Roles and playbooks to deploy FreeIPA servers, replicas
                       : and clients
sudo yum -y install rhel-system-roles.noarch                 # install the system roles package
cp /usr/share/doc/rhel-system-roles/selinux/example-selinux-playbook.yml selinux.yml         # start from the example playbook shipped with the role
vim selinux.yml
    Edit
——————————————————————————————————————
---
- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
      - { name: 'ssh_sysadm_login', state: 'on', persistent: 'yes' }
    selinux_fcontexts:
      - { target: '/var/www/html(/.*)?', setype: 'httpd_sys_content_t', ftype: 'd', state: 'present' }
    selinux_restore_dirs:
      - /var/www/html
    selinux_ports:
      - { ports: '82', proto: 'tcp', setype: 'http_port_t', state: 'present' }
    selinux_logins:
      - { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }

  # prepare prerequisites which are used in this playbook
  tasks:
    - name: Creates directory
      file:
        path: /var/www/html
        state: directory
    - name: Add a Linux System Roles SELinux User
      user:
        comment: Linux System Roles SELinux User
        name: sar-user
    - name: execute the role and catch errors
      block:
        - include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: handle errors
          fail:
            msg: "role failed"
          when: not selinux_reboot_required

        - name: restart managed host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true

        - name: wait for managed host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        - name: reapply the role
          include_role:
            name: rhel-system-roles.selinux
——————————————————————————————————————
ansible-playbook selinux.yml 

Verification:

[greg@control ansible]$ ansible all -m shell -a 'grep "^SELINUX=" /etc/selinux/config'
node5 | CHANGED | rc=0 >>
SELINUX=enforcing
node2 | CHANGED | rc=0 >>
SELINUX=enforcing
node4 | CHANGED | rc=0 >>
SELINUX=enforcing
node3 | CHANGED | rc=0 >>
SELINUX=enforcing
node1 | CHANGED | rc=0 >>
SELINUX=enforcing

5. Use RHEL system roles (2)

Requirements:

Install the RHEL system roles package and create a playbook /home/greg/ansible/timesync.yml that meets the following conditions:
    runs on all managed nodes
    uses the timesync role
    configures the role to use the currently active NTP provider
    configures the role to use the time server 172.25.254.254
    configures the role to enable the iburst parameter

Implementation:

cp -r /usr/share/ansible/roles/rhel-system-roles.timesync/ /home/greg/ansible/roles/timesync                    # copy the role into the project's roles directory under the name timesync
vim timesync.yml
    Add
——————————————————————————————————————————————
---
- name: p1
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.254.254
        iburst: yes
  roles:
    - timesync
——————————————————————————————————————————————
ansible-playbook timesync.yml 

Verification:

[greg@control ansible]$ ansible all -m shell -a 'cat /etc/chrony.conf |grep server'
node3 | CHANGED | rc=0 >>
server 172.25.254.254 iburst
node5 | CHANGED | rc=0 >>
server 172.25.254.254 iburst
node4 | CHANGED | rc=0 >>
server 172.25.254.254 iburst
node2 | CHANGED | rc=0 >>
server 172.25.254.254 iburst
node1 | CHANGED | rc=0 >>
server 172.25.254.254 iburst

6. Install roles with Ansible Galaxy

Requirements:

Use Ansible Galaxy with the requirements file /home/greg/ansible/roles/requirements.yml to download roles from the following URLs and install them into /home/greg/ansible/roles:
    http://materials/haproxy.tar, and this role should be named balancer
    http://materials/phpinfo.tar, and this role should be named phpinfo

Implementation:

vim roles/requirements.yml                # the requirements file must live under roles/, as the task states
    Add
————————————————————————————————————————————
---
- src: http://materials/haproxy.tar
  name: balancer
- src: http://materials/phpinfo.tar
  name: phpinfo
————————————————————————————————————————————
ansible-galaxy install -r roles/requirements.yml -p roles/

Verification:

[greg@control ansible]$ ls /home/greg/ansible/roles/
balancer  phpinfo  selinux  timesync

7. Create and use a role

Requirements:

Create a role named apache in /home/greg/ansible/roles according to the following requirements:
    the httpd package is installed, enabled at boot and started
    the firewall is enabled and running, with a rule that allows access to the web server
    the template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:
                Welcome to HOSTNAME on IPADDRESS
    where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the IP address of the managed node.
Create a playbook named /home/greg/ansible/apache.yml:
    the play runs on hosts in the webservers host group and uses the apache role

Implementation:

cd roles/
ansible-galaxy init apache
vim apache/tasks/main.yml
    Add
————————————————————————————————————————————————————————
---
- name: p1                                                # make sure the package is installed
  yum:
    name:
      - httpd
    state: latest
- name: p2                                                # make sure the firewall is running
  service:
    name: firewalld
    state: started
    enabled: yes
- name: p3                                                # make sure the web server is running
  service:
    name: httpd
    state: started
    enabled: yes
- name: p4                                                # firewall rule allowing access to the web server
  firewalld:
    service: http
    permanent: yes
    immediate: yes
    state: enabled
- name: p5                                                # render the page from the template
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
————————————————————————————————————————————————————
vim apache/templates/index.html.j2
Add (the line is rendered verbatim into index.html, so it must carry no trailing comment)
————————————————————————————————————————————————————————————————————
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}
————————————————————————————————————————————————————————————————————
cd
cd ansible/
vim apache.yml
    Add
————————————————————————————————————————————
---
- name: p1
  hosts: webservers                                    # target host group
  roles:
    - apache
————————————————————————————————————————————
ansible-playbook apache.yml

Verification:

[greg@control ansible]$ curl node3 node4
Welcome to node3.lab.example.com on 172.25.250.11
Welcome to node4.lab.example.com on 172.25.250.12

8. Use roles from Ansible Galaxy

Requirements:

Create a playbook named /home/greg/ansible/roles.yml according to the following requirements:
    the playbook contains a play that runs on hosts in the balancers host group and uses the balancer role
        this role configures a service that load-balances web server requests among the hosts in the webservers host group.
        browsing to a host in the balancers host group (for example http://172.25.250.13) produces the following output:
            Welcome to node3.lab.example.com on 172.25.250.11
        reloading the browser produces output from the other web server:
            Welcome to node4.lab.example.com on 172.25.250.12
    the playbook contains a play that runs on hosts in the webservers host group and uses the phpinfo role
        browsing to a host in the webservers host group through the URL /hello.php produces the following output:
            Hello PHP World from FQDN
        where FQDN is the fully qualified domain name of the host; on node3, for example:
            Hello PHP World from node3.lab.example.com
        together with various details of the PHP configuration, such as the installed PHP version.
        likewise, browsing to http://172.25.250.12/hello.php produces the following output:
            Hello PHP World from node4.lab.example.com
        together with various details of the PHP configuration, such as the installed PHP version

Implementation:

vim roles.yml
    Add
————————————————————————————
- name: a1
  hosts: balancers
  roles:
    - balancer
- name: a2                            # the apache role from exercise 7 provides the httpd the phpinfo role needs
  hosts: webservers
  roles:
    - apache
- name: a3
  hosts: webservers
  roles:
    - phpinfo
————————————————————————————
ansible-playbook roles.yml

Verification:

[greg@control ansible]$ curl node5 node4
Welcome to node4.lab.example.com on 172.25.250.12
Welcome to node4.lab.example.com on 172.25.250.12

9. Create and use partitions (NEW)

Requirements:

Create a playbook named /home/greg/ansible/partition.yml that creates partitions on all managed nodes:
    create a 1500M primary partition on vdb, partition number 1, and format it as ext4
        hosts in the prod group mount the partition permanently on /data
    if there is not enough disk space,
        display the message Could not create partition of that size
        create an 800MiB partition instead
    if vdb does not exist, display the message this disk is not exist

Implementation:

vim partition.yml
    Add
——————————————————————————————————————————————————————
---
- name: p1
  hosts: all
  tasks:
    - block:
        - name: a1                                  # 1500 MiB primary partition, number 1
          parted:
            device: /dev/vdb
            number: 1
            part_end: 1500MiB
            state: present
        - name: a2                                  # format it as ext4
          filesystem:
            fstype: ext4
            dev: /dev/vdb1
        - name: c1                                  # prod hosts mount it permanently on /data
          mount:
            path: /data
            src: /dev/vdb1
            fstype: ext4
            state: mounted
          when: "'prod' in group_names"
      rescue:
        # the rescue also runs when vdb is missing, so guard every task on the disk existing
        - debug:
            msg: Could not create partition of that size
          when: ansible_devices.vdb is defined
        - name: d1                                  # fall back to an 800 MiB partition
          parted:
            device: /dev/vdb
            number: 1
            part_end: 800MiB
            state: present
          when: ansible_devices.vdb is defined
        - name: d2                                  # the fallback partition still needs ext4 and, on prod, the mount
          filesystem:
            fstype: ext4
            dev: /dev/vdb1
          when: ansible_devices.vdb is defined
        - name: d3
          mount:
            path: /data
            src: /dev/vdb1
            fstype: ext4
            state: mounted
          when: ansible_devices.vdb is defined and 'prod' in group_names
    - debug:
        msg: this disk is not exist
      when: ansible_devices.vdb is not defined
——————————————————————————————————————————————————————————————————————————————
ansible-playbook partition.yml

Verification:

[greg@control ansible]$  ansible all -a 'lsblk'
node2 | CHANGED | rc=0 >>
NAME              MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda               252:0    0   12G  0 disk 
├─vda1            252:1    0    1M  0 part 
├─vda2            252:2    0  100M  0 part /boot/efi
├─vda3            252:3    0  9.9G  0 part /
└─vda4            252:4    0    2G  0 part 
  └─research-data 253:0    0  1.5G  0 lvm  
vdb               252:16   0    2G  0 disk 
└─vdb1            252:17   0  1.5G  0 part 
node5 | CHANGED | rc=0 >>
NAME              MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda               252:0    0   12G  0 disk 
├─vda1            252:1    0    1M  0 part 
├─vda2            252:2    0  100M  0 part /boot/efi
├─vda3            252:3    0  9.9G  0 part /
└─vda4            252:4    0    2G  0 part 
  └─research-data 253:0    0  1.5G  0 lvm  
vdb               252:16   0    2G  0 disk 
└─vdb1            252:17   0  1.5G  0 part 
node4 | CHANGED | rc=0 >>
NAME              MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda               252:0    0   12G  0 disk 
├─vda1            252:1    0    1M  0 part 
├─vda2            252:2    0  100M  0 part /boot/efi
├─vda3            252:3    0  9.9G  0 part /
└─vda4            252:4    0    2G  0 part 
  └─research-data 253:0    0  1.5G  0 lvm  
vdb               252:16   0    2G  0 disk 
└─vdb1            252:17   0  1.5G  0 part /data
node3 | CHANGED | rc=0 >>
NAME              MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda               252:0    0   11G  0 disk 
├─vda1            252:1    0    1M  0 part 
├─vda2            252:2    0  100M  0 part /boot/efi
├─vda3            252:3    0  9.9G  0 part /
└─vda4            252:4    0 1024M  0 part 
  └─research-data 253:0    0  800M  0 lvm  
vdb               252:16   0    1G  0 disk 
└─vdb1            252:17   0  799M  0 part 
node1 | CHANGED | rc=0 >>
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
vda    252:0    0   20G  0 disk 
├─vda1 252:1    0    1M  0 part 
├─vda2 252:2    0  100M  0 part /boot/efi
└─vda3 252:3    0  9.9G  0 part /

10. Create and use logical volumes

Requirements:

Create a playbook named /home/greg/ansible/lv.yml that runs on all managed nodes and performs the following tasks:
    create a logical volume that meets these requirements:
        the logical volume is created in the research volume group
        the logical volume name is data
        the logical volume size is 1500 MiB
    format the logical volume with the ext4 file system
    if the requested logical volume size cannot be created, display the error message
    Could not create logical volume of that size, and use the size 800 MiB instead.
    if the research volume group does not exist, display the error message
        Volume group done not exist
    do not mount the logical volume in any way

Implementation:

vim lv.yml
————————————————————————————————————————————————————————————————————————————————
---
- name: create lvm
  hosts: all
  tasks:
    - block:
        - name: Create volume1                      # 1500 MiB (lvol sizes default to MiB)
          lvol:
            vg: research
            lv: data
            size: 1500
        - name: Create filesystem1
          filesystem:
            fstype: ext4
            dev: /dev/research/data
      rescue:
        # the rescue also runs when the VG is missing, so each task checks that it exists
        - debug:
            msg: Could not create logical volume of that size
          when: ansible_lvm.vgs.research is defined
        - name: Create volume2                      # 800 MiB fallback
          lvol:
            vg: research
            lv: data
            size: 800
          when: ansible_lvm.vgs.research is defined
        - name: Create filesystem2
          filesystem:
            fstype: ext4
            dev: /dev/research/data
          when: ansible_lvm.vgs.research is defined
          ignore_errors: yes
    - debug:
        msg: Volume group done not exist
      when: ansible_lvm.vgs.research is not defined
————————————————————————————————————————————————————————————————————————————————
ansible-playbook lv.yml

Alternative lv.yml using block/rescue/always with one condition on the whole block (equivalent result):
————————————————————————————————————————————————————————————————————————————————
---
- name: p1
  hosts: all
  tasks:
    - name: c1
      debug:
        msg: Volume group done not exist
      when: ansible_lvm.vgs.research is undefined
    - block:
        - name: a1
          lvol:
            vg: research
            lv: data
            size: 1500M
      rescue:
        - name: c2
          debug:
            msg: Could not create logical volume of that size
        - name: a2
          lvol:
            vg: research
            lv: data
            size: 800M
      always:
        - name: a3                                  # whichever size succeeded gets the file system
          filesystem:
            fstype: ext4
            dev: /dev/research/data
      when: ansible_lvm.vgs.research is defined     # applies to block, rescue and always alike
————————————————————————————————————————————————————————————————————————————————

Verification:

[greg@control ansible]$ ansible all -a "vgs"
node2 | CHANGED | rc=0 >>
  VG       #PV #LV #SN Attr   VSize  VFree  
  research   1   1   0 wz--n- <2.00g 544.00m
node3 | CHANGED | rc=0 >>
  VG       #PV #LV #SN Attr   VSize    VFree  
  research   1   1   0 wz--n- 1020.00m 220.00m
node4 | CHANGED | rc=0 >>
  VG       #PV #LV #SN Attr   VSize  VFree  
  research   1   1   0 wz--n- <2.00g 544.00m
node5 | CHANGED | rc=0 >>
  VG       #PV #LV #SN Attr   VSize  VFree  
  research   1   1   0 wz--n- <2.00g 544.00m
node1 | CHANGED | rc=0 >>

11. Generate a hosts file

Requirements:

Download an initial template file from http://materials/hosts.j2 to /home/greg/ansible
Complete the template so that it generates a file containing one line per inventory host, in the same format as /etc/hosts
Create a playbook named /home/greg/ansible/hosts.yml that uses this template to generate the file /etc/myhosts on hosts in the dev host group

Implementation:

wget http://materials/hosts.j2
vim hosts.j2
    Add
——————————————————————————————————————————————————————————————————————————
{% for i in groups['all']  %}
{{hostvars[i].ansible_default_ipv4.address}} {{hostvars[i].ansible_fqdn}} {{hostvars[i].ansible_hostname}}
{% endfor %}
——————————————————————————————————————————————————————————————————————————

vim hosts.yml
    Add
————————————————————————————————————————————————————————————————————
---
- name: generate /etc/myhosts
  hosts: all                          # every host must be in the play so its facts exist in hostvars for the template
  tasks:
    - name: Template a file
      template:
        src: /home/greg/ansible/hosts.j2
        dest: /etc/myhosts
      when: "'dev' in group_names"     # only write the file when the host belongs to the dev group
————————————————————————————————————————————————————————————————————
ansible-playbook hosts.yml

Verification:

[greg@control ansible]$ ansible dev -a "cat /etc/hosts"
node1 | CHANGED | rc=0 >>
127.0.0.1 localhost.localdomain localhost
172.25.254.254 classroom.example.com classroom
172.25.254.254 content.example.com content
172.25.254.254 materials.example.com materials
### rht-vm-hosts file listing the entries to be appended to /etc/hosts

172.25.250.254 bastion.lab.example.com bastion
172.25.250.9   workstation.lab.example.com workstation
172.25.250.10  servera.lab.example.com servera
172.25.250.11  serverb.lab.example.com serverb
172.25.250.12  serverc.lab.example.com serverc

12. Modify file content

Requirements:

Create a playbook named /home/greg/ansible/issue.yml as described below:
    the playbook runs on all inventory hosts
    the playbook replaces the content of /etc/issue with the single line of text shown below:
        on hosts in the dev host group, the line reads: Development
        on hosts in the test host group, the line reads: Test
        on hosts in the prod host group, the line reads: Production

Implementation:

vim issue.yml
    Add
————————————————————————————————————————————————————————————
---
- name: p1
  hosts: all
  tasks:
    - name: Copy1
      copy:
        content: 'Development'
        dest: /etc/issue
      when: "'dev' in group_names"
    - name: Copy2
      copy:
        content: 'Test'
        dest: /etc/issue
      when: "'test' in group_names"
    - name: Copy3
      copy:
        content: 'Production'
        dest: /etc/issue
      when: "'prod' in group_names"
————————————————————————————————————————————————————————————
ansible-playbook issue.yml

Verification:

[greg@control ansible]$ ansible all -a "cat /etc/issue"
node5 | CHANGED | rc=0 >>
\S
Kernel \r on an \m
node2 | CHANGED | rc=0 >>
Test
node4 | CHANGED | rc=0 >>
Production
node3 | CHANGED | rc=0 >>
Production
node1 | CHANGED | rc=0 >>
Development

13. Create a web content directory

Requirements:

Create a playbook named /home/greg/ansible/webcontent.yml as described below:
    the playbook runs on managed nodes in the dev host group
    create the directory /webdev meeting the following requirements:
        owned by the webdev group
        regular permissions: owner=read+write+execute, group=read+write+execute, other=read+execute
        special permissions: set group ID
    symbolically link /var/www/html/webdev to /webdev
    create the file /webdev/index.html containing the single line shown here: Development
    browsing to this directory on a host in the dev host group (for example http://172.25.250.9/webdev/) produces the following output:
        Development

Implementation:

vim webcontent.yml
    Add
————————————————————————————————————————————————————————————————————
---
- name: webcontent
  hosts: dev
  tasks:
    - name: p1                                                    # install httpd
      yum:
        name: httpd
        state: latest
    - name: p2                                                    # start httpd
      service:
        name: httpd
        state: started
        enabled: yes
    - name: p3                                                    # start the firewall
      service:
        name: firewalld
        state: started
        enabled: yes
    - name: p4                                                    # firewall rule for the web server
      firewalld:
        service: http
        permanent: yes
        state: enabled
        immediate: yes
    - name: group                                                 # the owning group must exist before the directory can be chgrp'd to it
      group:
        name: webdev
        state: present
    - name: p5                                                    # directory, group and mode 2775 (setgid + rwxrwxr-x)
      file:
        path: /webdev
        state: directory
        mode: '2775'
        group: webdev
    - name: p6                                                     # symbolic link
      file:
        src: /webdev
        dest: /var/www/html/webdev
        state: link
    - name: p7                                                    # the page, labelled so httpd is allowed to read it
      copy:
        content: 'Development'
        dest: /webdev/index.html
        setype: httpd_sys_content_t
————————————————————————————————————————————————————————————————
ansible-playbook webcontent.yml

Verification:

[greg@control ansible]$ curl node1/webdev/index.html
Development

14. Generate a hardware report

Requirements:

Create a playbook named /home/greg/ansible/hwreport.yml that generates an output file /root/hwreport.txt on all managed nodes containing the following information:
    the inventory host name
    the total memory size in MB
    the BIOS version
    the size of disk device vda
    the size of disk device vdb
    each line of the output file contains a single key=value pair.
Your playbook should:
    download the file from http://materials/hwreport.empty and save it as /root/hwreport.txt
    modify /root/hwreport.txt with the correct values
    if a hardware item does not exist, set the corresponding value to NONE

Implementation:

vim hwreport.yml
    Add
————————————————————————————————————————————————————————————————————————
---
- name: get hwreport
  hosts: all
  tasks:
    - name: Create report file
      get_url:
        url: http://materials/hwreport.empty
        dest: /root/hwreport.txt
    - name: get inventory_hostname
      replace:
        path: /root/hwreport.txt
        regexp: 'inventoryhostname'
        replace: "{{ inventory_hostname }}"
    - name: get mem 
      replace:
        path: /root/hwreport.txt
        regexp: 'memory_in_MB'
        replace: "{{ ansible_memtotal_mb }}"
    - name: get bios
      replace:
        path: /root/hwreport.txt
        regexp: 'BIOS_version'
        replace: "{{ ansible_bios_version }}"
    - name: get vda
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vda_size'
        replace: "{{ ansible_devices.vda.size if ansible_devices.vda.size is defined else 'NONE'}}"
    - name: get vdb
      replace:
        path: /root/hwreport.txt
        regexp: 'disk_vdb_size'
        replace: "{{ ansible_devices.vdb.size if ansible_devices.vdb.size is defined else 'NONE'}}"
——————————————————————————————————————————————————————————————————————————————————————
ansible-playbook hwreport.yml 

Verification:

[greg@control ansible]$ ansible all -a 'cat /root/hwreport.txt'
node2 | CHANGED | rc=0 >>
# Hardware report
HOST=node2
MEMORY=809
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=12.00 GB
DISK_SIZE_VDB=2.00 GB
node4 | CHANGED | rc=0 >>
# Hardware report
HOST=node4
MEMORY=809
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=12.00 GB
DISK_SIZE_VDB=2.00 GB
node3 | CHANGED | rc=0 >>
# Hardware report
HOST=node3
MEMORY=809
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=11.00 GB
DISK_SIZE_VDB=1.00 GB
node5 | CHANGED | rc=0 >>
# Hardware report
HOST=node5
MEMORY=809
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=12.00 GB
DISK_SIZE_VDB=2.00 GB
node1 | CHANGED | rc=0 >>
# Hardware report
HOST=node1
MEMORY=1817
BIOS=1.11.1-3.module+el8+2529+a9686a4d
DISK_SIZE_VDA=20.00 GB
DISK_SIZE_VDB=NONE

15. Create a password vault

Requirements:

Create an Ansible vault to store user passwords as described below:
    the vault name is /home/greg/ansible/locker.yml
    the vault contains two variables with the following names:
        pw_developer, with the value Imadev
        pw_manager, with the value Imamgr
    the password used to encrypt and decrypt the vault is whenyouwishuponastar
    the password is stored in the file /home/greg/ansible/secret.txt

Implementation:

vim locker.yml
    Add
——————————————————————————————————————————
---
pw_developer: Imadev
pw_manager: Imamgr
——————————————————————————————————————————
echo "whenyouwishuponastar" > secret.txt
ansible-vault encrypt locker.yml --vault-password-file=/home/greg/ansible/secret.txt

Verification:

[greg@control ansible]$ ansible-vault view locker.yml
Vault password: 
---
pw_developer: Imadev
pw_manager: Imamgr

16. Create user accounts

Requirements:

Download the list of users to create from http://materials/user_list.yml and save it to /home/greg/ansible
Use the password vault /home/greg/ansible/locker.yml created elsewhere in this exercise. Create a playbook named /home/greg/ansible/users.yml that creates user accounts as described below:
    users with a job description of developer should:
        be created on managed nodes in the dev and test host groups
        be assigned the password from the pw_developer variable
        be members of the supplementary group devops
    users with a job description of manager should:
        be created on managed nodes in the prod host group
        be assigned the password from the pw_manager variable
        be members of the supplementary group opsmgr
Passwords use the SHA512 hash format
Your playbook should run correctly using the vault password file /home/greg/ansible/secret.txt created elsewhere in this exercise

Implementation:

wget http://materials/user_list.yml
vim users.yml
    Add
——————————————————————————————————————————————————————————————
---
- name: p1
  hosts: dev,test
  vars_files:                                                        # pull in both variable files
    - locker.yml
    - user_list.yml
  tasks:
    - name: a1                                                       # make sure the supplementary group exists
      group:
        name: devops
        state: present
    - name: a2                                                        # create the users
      user:
        name: "{{ item.name }}"
        groups: devops
        # password_hash without a fixed salt yields a new hash each run, so this task always reports changed
        password: "{{ pw_developer | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == "developer"
- name: p2
  hosts: prod
  vars_files:
    - locker.yml
    - user_list.yml
  tasks:
    - name: b1                                                       # managers join opsmgr, so that is the group to create here
      group:
        name: opsmgr
        state: present
    - name: b2
      user:
        name: "{{ item.name }}"
        groups: opsmgr
        password: "{{ pw_manager | password_hash('sha512') }}"
      loop: "{{ users }}"
      when: item.job == "manager"
————————————————————————————————————————————————————————————————————————————
ansible-playbook users.yml --vault-password-file secret.txt

Verification:

[greg@control ansible]$ cat user_list.yml 
users:
  - name: bob
    job: developer
  - name: sally
    job: manager
  - name: fred
    job: developer

17. Change the key of an Ansible vault

Requirements:

Update the key of an existing Ansible vault as described below:
    download the Ansible vault from http://materials/salaries.yml to /home/greg/ansible
    the current vault password is insecure8sure
    the new vault password is bbs2you9527
    the vault remains encrypted with the new password

Implementation:

    First comment out the vault password file path specified in the previous exercise
wget http://materials/salaries.yml
ansible-vault rekey salaries.yml
        > enter the current password to confirm identity (old password)
        > enter the password to change to (new password)
        > confirm it (new password)

Verification:

[greg@control ansible]$ ansible-vault view salaries.yml
Vault password: 
haha
[greg@control ansible]$ cat salaries.yml
$ANSIBLE_VAULT;1.1;AES256
61666135396432653636363962623530383432633061306630613531356465623130643863356364
6430663837333761353631646539653939373637386635340a666664653938386262656633626334
61306630666238316236303939646631376635636132316533386533316432333563333531383665
6535333635653430630a646238626431663330346235336339393361393963366462383235323333
6335

18. Configure a cron job

Requirements:

Create a playbook named /home/greg/ansible/cron.yml:
    the playbook runs on managed nodes in the test host group
    configure a cron job that runs every 2 minutes and executes the following command:
    logger "EX200 in progress", running as the user bob

Implementation:

vim cron.yml
    Add
————————————————————————————————————————————————
---
- name: p1
  hosts: test
  tasks:
    - name: Ensure a job that runs every 2 minutes
      cron:
        name: "bob"
        user: bob                             # install the entry in bob's crontab, not root's
        minute: "*/2"
        job: 'logger "EX200 in progress"'
——————————————————————————————————————————————————
ansible-playbook cron.yml

Verification:

[greg@control ansible]$ ansible test -m shell -a 'crontab -l -u bob'
node2 | CHANGED | rc=0 >>
#Ansible: bob
*/2 * * * * logger "EX200 in progress"
