1. Using RHEL system roles
Install the RHEL system roles package and create a playbook /home/student/ansible/timesync.yml that meets the following requirements:
Runs on all managed nodes
Uses the timesync role
Configures the role to use the currently active NTP provider
Configures the role to use the time server classroom.example.com
Configures the role to enable the iburst parameter
[student@ansible ansible]$ sudo yum install -y rhel-system-roles
[student@ansible ansible]$ mkdir roles
[student@ansible ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.timesync/ /home/student/ansible/roles/timesync
[student@ansible ansible]$ vim timesync.yml
---
- name: set time sync
  hosts: all
  vars:
    timesync_ntp_servers:
      - hostname: classroom.example.com
        iburst: yes
  roles:
    - timesync
timesync_ntp_provider is deliberately left unset: the role then detects and keeps whichever provider is already active on each node (the "Determine current NTP provider" task below picks chrony). The role rewrites /etc/chrony.conf and manages the chronyd service, so it needs root; either ansible.cfg must set become, or add become: true to the play.
[student@ansible ansible]$ ansible-playbook timesync.yml
PLAY [set time sync] ********************************************************************************************
TASK [Gathering Facts] ******************************************************************************************
ok: [192.168.253.134]
ok: [node1]
ok: [node2]
ok: [node3]
TASK [timesync : Set version specific variables] ****************************************************************
ok: [node1]
ok: [node2]
ok: [192.168.253.134]
ok: [node3]
TASK [timesync : Populate service facts] ************************************************************************
ok: [node2]
ok: [node1]
ok: [192.168.253.134]
ok: [node3]
TASK [Set variable `timesync_services` with filtered uniq service names] ****************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [Check that variable 'timesync_services' is defined] *******************************************************
ok: [node1] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [node2] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [192.168.253.134] => {
"changed": false,
"msg": "All assertions passed"
}
ok: [node3] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [timesync : Check if only NTP is needed] *******************************************************************
ok: [node1]
ok: [node3]
ok: [node2]
ok: [192.168.253.134]
TASK [timesync : Check if single PTP is needed] *****************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Check if both NTP and PTP are needed] **********************************************************
skipping: [node2]
skipping: [node1]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Determine current NTP provider] ****************************************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [timesync : Select NTP provider] ***************************************************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [timesync : Install chrony] ********************************************************************************
ok: [node3]
ok: [192.168.253.134]
ok: [node1]
changed: [node2]
TASK [timesync : Install ntp] ***********************************************************************************
skipping: [node1]
skipping: [192.168.253.134]
skipping: [node2]
skipping: [node3]
TASK [timesync : Install linuxptp] ******************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Gather package facts] **************************************************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [timesync : Run phc_ctl on PTP interface] ******************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Check if PTP interface supports HW timestamping] ***********************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate chrony.conf file] *********************************************************************
ok: [192.168.253.134]
ok: [node1]
changed: [node2]
ok: [node3]
TASK [timesync : Generate chronyd sysconfig file] ***************************************************************
ok: [node1]
ok: [192.168.253.134]
changed: [node2]
ok: [node3]
TASK [timesync : Generate ntp.conf file] ************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate ntpd sysconfig file] ******************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate ptp4l.conf file] **********************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate ptp4l sysconfig file] *****************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate phc2sys sysconfig file] ***************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Generate timemaster.conf file] *****************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Update network sysconfig file] *****************************************************************
ok: [node1]
ok: [192.168.253.134]
changed: [node2]
ok: [node3]
TASK [timesync : Disable chronyd] *******************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable ntpd] **********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable ntpdate] *******************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable sntp] **********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable ptp4l] *********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable phc2sys] *******************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Disable timemaster] ****************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Enable chronyd] ********************************************************************************
ok: [192.168.253.134]
ok: [node1]
ok: [node3]
changed: [node2]
TASK [timesync : Enable ntpd] ***********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Enable ptp4l] **********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Enable phc2sys] ********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [timesync : Enable timemaster] *****************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
RUNNING HANDLER [timesync : restart chronyd] ********************************************************************
changed: [node2]
PLAY RECAP ******************************************************************************************************
192.168.253.134 : ok=14 changed=0 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
node1 : ok=14 changed=0 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
node2 : ok=15 changed=6 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
node3 : ok=14 changed=0 unreachable=0 failed=0 skipped=23 rescued=0 ignored=0
2. Using the selinux role
Configure the role and write a playbook selinux.yml that enables SELinux (enforcing mode) on all managed nodes.
[student@ansible ansible]$ cp -r /usr/share/ansible/roles/rhel-system-roles.selinux /home/student/ansible/roles/selinux
[student@ansible ansible]$ vim selinux.yml
[student@ansible ansible]$ cat selinux.yml
---
- name: set selinux
  hosts: all
  become: true
  vars:
    selinux_state: enforcing
  roles:
    - role: selinux
[student@ansible ansible]$ ansible-playbook selinux.yml
PLAY [set selinux] **********************************************************************************************
TASK [Gathering Facts] ******************************************************************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [selinux : Install SELinux python2 tools] ******************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Install SELinux python3 tools] ******************************************************************
ok: [node3]
changed: [node2]
changed: [192.168.253.134]
ok: [node1]
TASK [selinux : refresh facts] **********************************************************************************
ok: [192.168.253.134]
ok: [node2]
ok: [node1]
ok: [node3]
TASK [selinux : Install SELinux tool semanage] ******************************************************************
ok: [node3]
changed: [node1]
ok: [192.168.253.134]
changed: [node2]
TASK [selinux : Set permanent SELinux state if enabled] *********************************************************
changed: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [selinux : Set permanent SELinux state if disabled] ********************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Set ansible facts if needed] ********************************************************************
ok: [node1]
ok: [node2]
ok: [192.168.253.134]
ok: [node3]
TASK [selinux : Fail if reboot is required] *********************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : debug] ******************************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Drop all local modifications] *******************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Purge all SELinux boolean local modifications] **************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Purge all SELinux file context local modifications] *********************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Purge all SELinux port local modifications] *****************************************************
skipping: [node1]
skipping: [node2]
skipping: [node3]
skipping: [192.168.253.134]
TASK [selinux : Purge all SELinux login local modifications] ****************************************************
skipping: [node2]
skipping: [node1]
skipping: [192.168.253.134]
skipping: [node3]
TASK [selinux : Set SELinux booleans] ***************************************************************************
TASK [selinux : Set SELinux file contexts] **********************************************************************
TASK [selinux : Restore SELinux labels on filesystem tree] ******************************************************
TASK [selinux : Restore SELinux labels on filesystem tree in check mode] ****************************************
TASK [selinux : Set an SELinux label on a port] *****************************************************************
TASK [selinux : Set linux user to SELinux user mapping] *********************************************************
TASK [selinux : Get SELinux modules facts] **********************************************************************
ok: [node1]
ok: [192.168.253.134]
ok: [node2]
ok: [node3]
TASK [selinux : include_tasks] **********************************************************************************
skipping: [node1]
skipping: [node2]
skipping: [192.168.253.134]
skipping: [node3]
PLAY RECAP ******************************************************************************************************
192.168.253.134 : ok=7 changed=1 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
node1 : ok=7 changed=2 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
node2 : ok=7 changed=2 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
node3 : ok=7 changed=0 unreachable=0 failed=0 skipped=16 rescued=0 ignored=0
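The run above succeeded because every node already had SELinux enabled and only the mode had to change. On a node where SELinux is disabled, the role can only edit /etc/selinux/config; enforcement cannot start without a reboot, so the role sets the fact selinux_reboot_required and the "Fail if reboot is required" task (skipped above) fails that host. The playbook below is an added example, not part of the original notes; it follows the block/rescue pattern documented in the rhel-system-roles.selinux README, using the reboot module in place of the README's shell reboot plus wait_for_connection, and re-applies the role after the reboot so the remaining configuration is completed. The role name selinux assumes the role was copied into roles/selinux as shown above.

```yaml
---
- name: set selinux, rebooting hosts that need it
  hosts: all
  become: true
  vars:
    selinux_state: enforcing
  tasks:
    - name: apply the selinux role and handle a required reboot
      block:
        - name: apply selinux role
          include_role:
            name: selinux

      rescue:
        # Only a pending reboot is tolerated; any other role failure must still fail the host.
        - name: re-raise failures that are not a required reboot
          fail:
            msg: "selinux role failed for a reason other than a required reboot"
          when: not (selinux_reboot_required | default(false))

        # Going from disabled to enforcing also triggers a full filesystem relabel on
        # the next boot, so allow more time than a normal reboot (600 s is an assumption).
        - name: reboot so the kernel boots with SELinux enabled
          reboot:
            reboot_timeout: 600

        - name: re-apply the role after the reboot to finish the configuration
          include_role:
            name: selinux
```

Hosts that do not need a reboot never enter the rescue section, so the play stays idempotent for them; only the hosts the role flagged are rebooted.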
3. Installing roles with Ansible Galaxy
Using Ansible Galaxy and the requirements file /home/student/ansible/roles/requirements.yml, download roles from the following URLs and install them into /home/student/ansible/roles:
http://content.example.com/haproxy.tar.gz  this role should be named balancer
http://content.example.com/phpinfo.tar.gz  this role should be named phpinfo
Use the exact URL given in the task as src; the ansible2.8/ path below is what this particular lab's content server used. These are plain tarballs fetched over HTTP with no signature or checksum, so look through the extracted tasks/ and handlers/ directories before running a downloaded role with become.
[student@ansible ansible]$ vim roles/requirements.yml
[student@ansible ansible]$ cat roles/requirements.yml
---
- name: balancer
  src: http://content.example.com/ansible2.8/haproxy.tar.gz
- name: phpinfo
  src: http://content.example.com/ansible2.8/phpinfo.tar.gz
[student@ansible ansible]$ ansible-galaxy install -r /home/student/ansible/roles/requirements.yml -p /home/student/ansible/roles/
- balancer is already installed, skipping.
- downloading role from file:///home/student/phpinfo.tar.gz
- extracting phpinfo to /home/student/ansible/roles/phpinfo
- phpinfo was installed successfully
4. Creating and using a role
Create a role named apache in /home/student/ansible/roles that meets the following requirements:
The httpd package is installed, and the service is enabled at boot and started.
The firewall is enabled and running, with a rule that allows access to the web server.
A template file index.html.j2 exists and is used to create the file /var/www/html/index.html with the following output:
Welcome to HOSTNAME on IPADDRESS
where HOSTNAME is the fully qualified domain name of the managed node and IPADDRESS is the managed node's IP address.
Create a playbook /home/student/ansible/newrole.yml that uses this role, as follows:
The playbook runs on hosts in the webservers host group.
[student@ansible ansible]$ cd roles/
[student@ansible roles]$ ansible-galaxy init apache
- Role apache was created successfully
[student@ansible roles]$ cd apache
[student@ansible apache]$ cat templates/index.html.j2
Welcome to {{ ansible_fqdn }} on {{ ansible_default_ipv4.address }}
ansible_default_ipv4.address is the address on the interface that carries the default route, so the template works regardless of what the NIC is called; the original notes used ansible_ens160.ipv4.address, which fails on any node whose interface is not named ens160.
[student@ansible apache]$ vim tasks/main.yml
---
# tasks file for apache
- name: install httpd and firewalld
  yum:
    name:
      - httpd
      - firewalld
    state: present

- name: deploy index.html from template
  template:
    src: index.html.j2
    dest: /var/www/html/index.html
  notify: restart httpd

- name: start and enable httpd
  service:
    name: httpd
    state: started
    enabled: yes

- name: start and enable firewalld
  service:
    name: firewalld
    state: started
    enabled: yes

- name: allow the http service through the firewall
  firewalld:
    service: http
    state: enabled
    permanent: yes
    immediate: yes
firewalld is started (not restarted) so the role reports changed only when something actually changed, and it must be running before the firewalld task because immediate: yes applies the rule to the live ruleset. The template task notifies the handler below, so httpd is restarted only when the page content changes.
[student@ansible apache]$ cat handlers/main.yml
---
# handlers file for apache
- name: restart httpd
  service:
    name: httpd
    state: restarted
    enabled: yes
[student@ansible ansible]$ cat newrole.yml
---
- name: use http role
  hosts: webservers
  roles:
    - apache
[student@workstation ansible]$ ansible-playbook newrole.yml
PLAY RECAP *********************************************************************
node1 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node2 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
node3 : ok=7 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[student@ansible ansible]$ curl http://node1.example.com
Welcome to node1.example.com on 192.168.253.134
[student@ansible ansible]$ curl http://node2.example.com
Welcome to node2.example.com on 192.168.253.150
[student@ansible ansible]$ curl http://node3.example.com
Welcome to node3.example.com on 192.168.253.152
5. Using roles from Ansible Galaxy
Create a playbook named /home/student/ansible/roles.yml that meets the following requirements:
The playbook contains a play that runs on hosts in the balancers host group and uses the balancer role.
This role configures a service that load-balances web requests across the hosts in the webservers host group.
Browsing to a host in the balancers host group (for example http://bastion.lab.example.com/) produces the following output:
Welcome to serverc.example.com on 172.25.1.12
Reloading the browser produces output from the other web server:
Welcome to serverd.example.com on 172.25.1.13
The playbook contains a play that runs on hosts in the webservers host group and uses the phpinfo role.
Browsing to a host in the webservers host group via the URL /hello.php produces the following output:
Hello PHP World from FQDN
where FQDN is the fully qualified domain name of the host.
For example, browsing to http://serverc.lab.example.com/hello.php produces:
Hello PHP World from serverc.lab.example.com
together with various details of the PHP configuration, such as the installed PHP version.
Likewise, browsing to http://serverd.lab.example.com/hello.php produces:
Hello PHP World from serverd.lab.example.com
together with various details of the PHP configuration, such as the installed PHP version.
[student@workstation ansible]$ vim roles.yml
---
- name: gather facts for webservers
  hosts: webservers

- name: balancer role
  hosts: balancers
  roles:
    - balancer

- name: php role
  hosts: webservers
  roles:
    - phpinfo
The first play has no tasks on purpose: it only gathers facts for the webservers hosts. The balancer role builds the haproxy backend list from hostvars of the webservers group, and those facts are only populated once a play has run against them; without this play the balancer play would render an empty or failing backend configuration.
Run the playbook:
[student@workstation ansible]$ ansible-playbook roles.yml
Verify:
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverc.lab.example.com on 172.25.250.12
[student@workstation ansible]$ curl http://bastion.lab.example.com
Welcome to serverd.lab.example.com on 172.25.250.13
[student@workstation ansible]$ curl http://serverc.lab.example.com/hello.php
Hello PHP World from serverc.lab.example.com
[student@workstation ansible]$ curl http://serverd.lab.example.com/hello.php
Hello PHP World from serverd.lab.example.com