RHCE RH294
#重置考试环境
rhce8.sh
./grade-exam.sh
查看配置信息
#连接server端的普通账户
ssh control
1.安装配置ansible
# 配置软件仓库
yum repolist
yum list|grep -i ansible
sudo yum-config-manager --add-repo=http://content.example.com/rhel8.0/x86_64/ucfupdates
sudo vim content.example.com/rhel8.0/x86_64/ucfupdates
sudo yum -y install ansible
ansible --version
# 创建inventory文件
mkdir ansible
cd ansible
cat > inventory << EOF
node[1:5]
[dev]
node1
[test]
node2
[prod]
node[3:4]
[balancers]
node5
[webservers:children]
prod
[all:vars]
ansible_ssh_pass = redhat
EOF
#验证
ansible -i inventory dev/test/prod/balancers/webservers --list-hosts
# 创建配置文件
cat > /home/greg/ansible/ansible.cfg << EOF
[defaults]
inventory = /home/gre/ansible/inventory
roles_path = /home/greg/ansible/roles
remote_user = greg
ask_pass = false
[privilege_escalation]
become = yes
become_method = sudo
become_user = root
become_ask_pass = false
EOF
# 验证
ansible all -a "id"
2.创建和运行ansible临时命令
# 查询
ansible-doc yum_repository
#注意双引号
cat > /home/greg/ansible/adhoc.sh << EOF
#!/bin/bash
ansible all -m yum_repository -a 'name="EX294_BASE" description="EX294 base software" baseurl="http://xxxxxx gpgcheck=yes gpgkey=http://xxxxxxx"'
ansible all -m yum_repository -a 'name="EX294_STREAM" description="EX294 stream software" baseurl="http://xxxxxx gpgcheck=yes gpgkey=http://xxxxxxx"'
EOF
chmod +x /home/greg/ansible/adhoc.sh
# 检查
ansible all -a 'yum repolist'
./adhoc.sh
ansible all -a 'yum repolist'
3.安装软件包
cat > /home/greg/ansible/packages.yml << EOF
---
- name: install pkg
hosts: dev,test,prod
tasks:
# 安装软件
- name: use yum module to install pkg
yum:
name:
- php
- mariadb
state: latest
# 方法2
# - yum:
# name: "{{ item }}"
# state: latest
# loop:
# - php
# - mariadb
- name: install pkg
hosts: dev
tasks:
# 安装软件包组
- name: use yum module
yum:
name: "@RPM Development Tools"
state: latest
# 更新软件
- name: use yum module
yum:
name: “*”
state: latest
# 方法2(针对dev的hosts写在同一个play里面)
# - name: use yum module
# yum:
# name: "@RPM Development Tools"
# state: latest
# when: "'dev' in group_names"
# - name: use yum module
# yum:
# name: “*”
# state: latest
# when: "'dev' in group_names"
4.使用系统role
- 安装rhel软件包
- 查找安装的role路径
- 修改配置文件
- 查看修改情况
- 定义timesync.ym
- 查看ntp服务器
# 下载rhel的软件包
yum list |grep role
sudo yum -y install rhel-system-roles
# 查看role的路径
rpm -qa |grep role
rpm -ql rhel-system-roles
# 修改配置文件,让ansible配置文件加载rhel-system-roles
roles_paths=/home/greg/ansible/roles:/user/share/ansible/roles
# 查看role的参数
ansible-galaxy list
# 定义role的变量
cat > timesync.yml << EOF
---
- name: use system role
hosts: all
vars:
timesysnc_ntp_servers:
- hostname: 172.25.254.254
iburst: yes
roles:
- rhel-system-roles.timesync
EOF
# 查看节点的ntp服务器
ansible all -a 'chronyc sources'
#运行
anisble-playbook timesync.yml
#检查
ansible all -m shell -a 'chronyc -n sources'
ansible all -m shell -a 'grep -i iburst /etc/chrony.conf'
5.使用ansible galaxy安装角色
# 创建一个playbook,下载并安装role
cat > requirements.yml << EOF
- src: http://xxxx
name: balancer
- src: http://xxxx
name: phpinfo
EOF
# 还原
# ansible-galaxy remove phpinfo balancer
#执行前判断现dd象
ansible-galaxy list
ls /home/xxx/ansible/roles
# 运行playbook安装role
ansible-galaxy install -r ./requirements.yml
# 验证
ansible-galaxy list
ls /home/xxx/ansible/roles
6.创建一个web role
# 初始化一个apache的role
ansible-galaxy init apache
ansible-galaxy list
# 编辑task
cat > roles/apache/tasks/main.yml << EOF
---
- name: install pkg
yum:
name: httpd
state: latest
- name: set httpd service
service:
name: httpd
state: started
enabled: yes
- name: set firewalld service
service:
name: firewalld
state: started
enabled: yes
- name: set firewall to allow http traffic
firewalld:
service: http
immediate: yes
permanent: yes
state: enabled
- name: set web content
template:
src: index.html.j2
dest: /var/www/html/index.html
EOF
# 编辑j2文件
cat > roles/apache/templates/index.html/j2 << EOF
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4['address'] }}
# 创建playbook
cat > apache.yml << EOF
---
- name: use apache role
hosts: webservers
roles:
- apache
EOF
# 执行play
ansible-playbook apache.yml
#检查
curl node3.domainx.example.com
curl node4.domainx.example.com
7.ansible galaxy使用角色
cat > role.yml << EOF
---
- name: use haproxy role
hosts: balancers
roles:
- balancer
EOF
# 执行负载均衡role的play
ansible-playbook role.yml
#检查node5放行的端口
firewall-cmd --list-all
firewall-cmd --add-port=80/tcp
firewall-cmd --add-port=80/tcp --per
#检查 (页面会在node3和node4之间切换)
curl node5.domainx.example.com
# 添加play使用phpinfo这个role生成子页面
cat >> role.yml << EOF
- name: use phpinfo role
hosts: webservers
roles:
- phpinfo
EOF
#检查
本地浏览器访问node3.domainx.example.com/hello.php;node4.domainx.example.com/hello.php
8.创建和使用逻辑卷
# 事先查看node逻辑卷情况
ansible all -a 'vgs'
#
cat > lv.yml << EOF
---
- name: create lv
hosts: all
tasks:
- block:
- name: create a lv use research vg
lvol:
vg: research
lv: data
size: 1500
- name: fomat ext4 fs
filesystem:
fstype: ext4
dev: /dev/research/data
rescue:
- name: output some info
debug:
msg: Could not create logical volume of that size
when: ansible_lvm.vgs.research is defined
- name: create a lv use research vg
lvol:
vg: research
lv: data
size: 800
when: ansible_lvm.vgs.research is defined
- name: formate ext4 fs
filesystem:
fstype: ext4
dev: /dev/research/data
when: ansible_lvm.vgs.research is defined
- name: Volume group does not exist
debug:
mgs: Volume group does not exist
when: ansible_lvm.vgs.research is undefined
9.生成主机文件 *
cat > /home/greg/ansible/hosts.j2 << EOF
{% for host in groups['all'] %}
{{ hostvars[host]['ansible_default_ipv4']['address'] }} {{ hostvars[host]['ansible_fqdn'] }} {{ hostvars[host]['ansible_hostname'] }}
{% endfor %}
EOF
cat > hosts.yml << EOF
---
- name: create a host file
hosts: all
tasks:
- name: template a host file
template:
src: hosts.j2
dest: /etc/myhosts
when: '"dev" in group_names'
EOF
# 执行
ansible-playbook hosts.yml
#判断
ansible all -a "cat /etc/myhosts"
10.修改文件内容
创建web内容目录
cat > issue.yml << EOF
---
- name: modify file content
hosts: all
tasks:
- copy:
content: Development
dest: /etc/issue
when: '"dev" in group_names'
- copy:
content: Test
dest: /etc/issue
when: '"test" in group_names'
- copy:
conent: Production
dest: /etc/issue
when: '"prod" in group_names'
# 检查
ansible all -a 'cat /etc/issue'
11.创建web内容目录 *
# 注意生成或创建文件时selinux的权限问题
cat > /home/greg/ansible/webcontent.yml << EOF
---
- name: set web content
hosts: dev
tasks:
- name: create a directory
file:
path: /webdev
state: directory
group: webdev
mode: "2775"
setype: "httpd_sys_content_t"
- name: create a soft link
file:
src: /webdev
dest: /var/www/html/webdev
state: link
- name: set web content
copy:
content: Development
dest: /webdev/index.html
setype: "httpd_sys_content_t"
- name: start httpd service
service:
name: httpd
state: started
enabled: yes
- name: set firewall rule to allow http traffic
firewalld:
service: http
permanent: yes
immediate: yes
state: enabled
# 测试
curl xxxxxx
12.生成硬件报告*
cat > /home/greg/ansible/hwreport.yml << EOF
---
- name: create hardware report
hosts: all
vars:
hardware:
- hw_name: HOST
hw_info: "{{ ansible_hostname }}"
- hw_name: MEMORY
hw_info: "{{ ansible_memtotal_mb }}"
- hw_name: BIOS
hw_info: "{{ ansible_bios_version }}"
- hw_name: DISK_SIZE_VDA
hw_info: "{{ ansible_devices['vda']['size'] | default('NONE') }}"
- hw_name: DISK_SIZE_VDB
hw_info: "{{ ansible_devices['vdb']['size'] | default('NONE') }}"
tasks:
- name: get hw report from url
get_url:
url: http://xxx
dest: /root/hwreport.txt
- name: set hw report content
lineinfile:
path: /root/hwreport.txt
# 只有当item.hw_name相等的时候,才执行下一个,不相等覆盖原有的值。循环赋值
regexp: '^{{ item.hw_name }}='
line: "{{ item['hw_name'] }}={{ item['hw_info'] }} "
loop: "{{ hardware }}"
13.使用ansible vault
# 加密解密密码为xxxx
cat > /home/greg/ansible/secret.txt << EOF xxxx EOF
cat > locker.yml << EOF
---
pw_developer: xxx
pw_manager: xxx
EOF
# 使用secret.txt加密locker.yml
ansible-vault encrypt --vault-id=./secret.txt locker.yml
# 检查
cat locker.yml
ansible-vault view --vault-id=./secret.txt locker.yml
14.创建批量添加用户role
wget https://xxx
cat user_list.yml
cat > user.yml << EOF
---
- name: create user on dev and test
hosts: dev,test
vars_files:
- locker.yml
- user_list.yml
tasks:
- name: create group
group:
name: devops
state: present
- name: create user
user:
name: "{{ item['name'] }}"
password: "{{ pw_developer | password_hash('sha512', 'mysecretsalt') }}"
expires: "{{ item.password_expire_MAX }}"
groups: devops
loop: "{{ users }}"
when: item.job == 'developer'
- name: create user on prod
hosts: prod
vars_files:
- locker.yml
- user_list.yml
tasks:
- name: create group
group:
name: opsmgr
state: present
- name: create user
user:
name: "{{ item['name'] }}"
pssword: "{{ pw_developer | password_hash('sha512', 'mysecretsalt') }}"
expires: "{{ item.password_expire_MAX }}"
# 这里如果是group,就是添加的primary group
groups: opsmgr
loop: "{{ users }}"
when: item.job == 'manager'
ansible-playbook --vault-id=./secret.txt users.yml
# 测试
anisble dev -a "id gzy001"
15.重新设置ansible vault 密码
wget http://xx
cat salaries.yml
# 查看密码
ansible-vault view salaries.yml
ansible-vault rekey salaries.yml
#测试
cat salaries.yml
ansible-vault view salaries.yml
---
- name: cron
hosts: all
tasks:
- user:
name: natasha
state: present
- cron:
user: natasha
job: "Logger 'EX294' in progress"
minute: "*/2"