1. Introduction to Ansible roles
- Ansible roles exist to organize playbooks in a layered, structured way.
- A role places variables, files, tasks, modules and handlers in separate directories so that they can be included conveniently.
- Roles are typically used when building a service on a set of hosts, and they are used very frequently in complex enterprise scenarios.
- A role groups tasks, variables, handlers, templates, files and so on in a fixed directory hierarchy; much like a function call, it splits each piece of functionality into a fragment that can be executed on its own.
2. Role directory structure

| Directory | Meaning |
|---|---|
| files | Static files used by modules such as copy or script |
| tasks | Task definitions; must contain main.yml, other files are pulled in with include |
| handlers | Handler definitions; must contain main.yml, other files are pulled in with include |
| vars | Variable definitions; must contain main.yml, other files are pulled in with include |
| templates | Template files rendered by the template module |
| meta | Special settings for the role and its dependencies; must contain main.yml |
| defaults | Default variables; must contain main.yml |
| tests | Used to test the role |
3. Role variables

```
[devops@server1 ansible]$ pwd
/home/devops/ansible
[devops@server1 ansible]$ mkdir roles
[devops@server1 ansible]$ vim ansible.cfg   # add the roles path
```
1) Apache role

```
[devops@server1 ansible]$ ansible-galaxy list
# /home/devops/ansible/roles
[devops@server1 ansible]$ cd roles/
[devops@server1 roles]$ ansible-galaxy role init apache   # initialize the role
- Role apache was created successfully
[devops@server1 roles]$ ls
apache
[devops@server1 roles]$ tree apache/
apache/
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml
```
% Write the tasks

```
[devops@server1 apache]$ vim tasks/main.yml
[devops@server1 apache]$ cat tasks/main.yml
---
# tasks file for apache
- name: install httpd
  dnf:
    name: httpd
    state: present
- name: start httpd
  service:
    name: httpd
    state: started
    enabled: yes
- name: create index.html
  copy:
    content: "{{ ansible_hostname }}\n"
    dest: /var/www/html/index.html
- name: config httpd
  template:
    src: httpd.conf.j2
    dest: /etc/httpd/conf/httpd.conf
  notify: restart httpd
- name: accept httpd
  firewalld:
    service: http
    permanent: yes
    immediate: yes
    state: enabled
- name: accept 8080
  firewalld:
    port: 8080/tcp
    permanent: yes
    immediate: yes
    state: enabled
```
% Write the template

```
[devops@server1 apache]$ cp /home/devops/ansible/httpd.conf.j2 templates/
[devops@server1 apache]$ ls templates/
httpd.conf.j2
```

% Write the handler

```
[devops@server1 apache]$ vim handlers/main.yml
[devops@server1 apache]$ cat handlers/main.yml
---
# handlers file for apache
- name: restart httpd
  service:
    name: httpd
    state: restarted
```
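The table in section 2 and the tree output above define the layout a role must follow. The script below is an added example (not code from this post or from Ansible) that lints a role directory against that layout: each tasks/, handlers/, vars/, defaults/ and meta/ directory must hold a main.yml, and every main.yml must be a single YAML document. The role tree it checks is constructed in a temporary directory; it assumes only the Python standard library.

```python
"""Lint an Ansible role's layout (added example, not code from the post).

A stray second `---` line, easy to add when editing the header that
ansible-galaxy generates, makes Ansible reject the file with
"expected a single document in the stream"; this check catches it.
"""
import os
import tempfile

# Role directories that Ansible loads through a main.yml entry point.
MAIN_YML_DIRS = ("tasks", "handlers", "vars", "defaults", "meta")


def count_yaml_documents(text):
    """Count `---` document-start lines; a file without one is still one document."""
    starts = sum(1 for line in text.splitlines() if line.rstrip() == "---")
    return max(starts, 1)


def lint_role(role_dir):
    """Return a list of problems found under role_dir (an empty list means clean)."""
    problems = []
    for sub in MAIN_YML_DIRS:
        sub_dir = os.path.join(role_dir, sub)
        if not os.path.isdir(sub_dir):
            continue  # optional directory; nothing to check when it is absent
        main = os.path.join(sub_dir, "main.yml")
        if not os.path.isfile(main):
            problems.append(f"{sub}/ exists but has no main.yml")
            continue
        with open(main, encoding="utf-8") as fh:
            docs = count_yaml_documents(fh.read())
        if docs > 1:
            problems.append(f"{sub}/main.yml has {docs} YAML documents; Ansible loads only one")
    return problems


def make_role(tasks_main):
    """Create a throwaway role tree (constructed test data) with the given tasks/main.yml."""
    root = tempfile.mkdtemp(prefix="role-")
    for sub in MAIN_YML_DIRS:
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "main.yml"), "w", encoding="utf-8") as fh:
            fh.write(tasks_main if sub == "tasks" else "---\n# empty\n")
    return root


# The generated header plus one task: once with an extra `---`, once correct.
BAD_TASKS = "---\n# tasks file for apache\n---\n- name: install httpd\n  dnf:\n    name: httpd\n"
GOOD_TASKS = "---\n# tasks file for apache\n- name: install httpd\n  dnf:\n    name: httpd\n"

if __name__ == "__main__":
    print(lint_role(make_role(BAD_TASKS)), lint_role(make_role(GOOD_TASKS)))
```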
2) HAProxy role

```
[devops@server1 roles]$ ansible-galaxy role init haproxy
[devops@server1 haproxy]$ vim tasks/main.yml
[devops@server1 haproxy]$ cat tasks/main.yml
---
# tasks file for haproxy
- name: install haproxy
  dnf:
    name: haproxy
    state: present
- name: configure haproxy
  template:
    src: haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
  notify: restart haproxy
- name: start haproxy
  service:
    name: haproxy
    state: started
- name: accept haproxy
  firewalld:
    service: http
    permanent: yes
    immediate: yes
    state: enabled
[devops@server1 haproxy]$ cd templates/
[devops@server1 templates]$ ls
[devops@server1 templates]$ cp /home/devops/ansible/haproxy.cfg.j2 .
[devops@server1 templates]$ ls
haproxy.cfg.j2
[devops@server1 haproxy]$ vim handlers/main.yml
[devops@server1 haproxy]$ cat handlers/main.yml
---
# handlers file for haproxy
- name: restart haproxy
  service:
    name: haproxy
    state: restarted
```
3) Calling the roles

% Variables defined in a role take precedence over host variables, which in turn take precedence over group variables.

```
[devops@server1 ansible]$ cat playbook5.yml
---
- hosts: all
  roles:
    - role: apache
      when: ansible_default_ipv4.address in groups['webserver']
    - role: haproxy
      when: ansible_hostname == "server1"
[devops@node1 ansible]$ ansible-playbook playbook5.yml
```
4) The nginx role template from Ansible Galaxy

https://galaxy.ansible.com/geerlingguy/nginx

```
[devops@server1 ansible]$ ansible-galaxy search geerlingguy.nginx
[devops@server1 ansible]$ ansible-galaxy install geerlingguy.nginx
[devops@server1 ansible]$ ansible-galaxy list
# /home/devops/ansible/roles
- apache, (unknown version)
- haproxy, (unknown version)
- geerlingguy.nginx, 2.8.0
[devops@server1 ansible]$ cd roles/
[devops@server1 roles]$ ls
apache  geerlingguy.nginx  haproxy
[devops@server1 roles]$ tree geerlingguy.nginx/
geerlingguy.nginx/
├── defaults
│   └── main.yml
├── handlers
│   └── main.yml
├── LICENSE
├── meta
│   └── main.yml
├── molecule
│   └── default
│       ├── converge.yml
│       └── molecule.yml
├── README.md
├── tasks
│   ├── main.yml
│   ├── setup-Archlinux.yml
│   ├── setup-Debian.yml
│   ├── setup-FreeBSD.yml
│   ├── setup-OpenBSD.yml
│   ├── setup-RedHat.yml
│   ├── setup-Ubuntu.yml
│   └── vhosts.yml
├── templates
│   ├── nginx.conf.j2
│   ├── nginx.repo.j2
│   └── vhost.j2
└── vars
    ├── Archlinux.yml
    ├── Debian.yml
    ├── FreeBSD.yml
    ├── OpenBSD.yml
    └── RedHat.yml
[devops@server1 roles]$ ls
apache  geerlingguy.nginx  haproxy
[devops@server1 roles]$ vim /home/devops/ansible/playbook5.yml
[devops@server1 roles]$ cat /home/devops/ansible/playbook5.yml
---
- hosts: 172.25.3.2
  roles:
    - geerlingguy.nginx
[devops@server1 ansible]$ ansible-playbook playbook5.yml
[devops@server1 defaults]$ pwd
/home/devops/ansible/roles/geerlingguy.nginx/defaults
[devops@server1 defaults]$ vim main.yml
```
4. Maintenance state

`serial` updates one host at a time, a rolling update that keeps a working backend available throughout.

```
[devops@server1 ansible]$ cat group_vars/webserver/vars
http_port: 80
[devops@server1 ansible]$ vim /etc/haproxy/haproxy.cfg   # add "level admin" to the stats socket line
    stats socket /var/lib/haproxy/stats level admin
[devops@server1 ansible]$ cat playbook5.yml
---
- hosts: webserver
  serial: 1
  pre_tasks:
    - name: disable the server in haproxy
      haproxy: 'state=disabled backend=app host={{ inventory_hostname }} socket=/var/lib/haproxy/stats'
      delegate_to: "{{ item }}"
      loop: "{{ groups.lb }}"
  roles:
    - role: apache
      # when: inventory_hostname in groups['webserver']
  post_tasks:
    - name: wait for webserver to come up
      wait_for: 'host={{ inventory_hostname }} port=80 state=started timeout=80'
    - name: enable the server in haproxy
      haproxy: 'state=enabled backend=app host={{ inventory_hostname }} socket=/var/lib/haproxy/stats'
      delegate_to: "{{ item }}"
      loop: "{{ groups.lb }}"
[devops@server1 ansible]$ ansible-playbook playbook5.yml
```

Refresh the HAProxy status page at 172.25.3.1/status while the playbook runs and you will see each server go into maintenance and come back in turn.
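`serial: 1` only keeps the service reachable if HAProxy still has another healthy server in the `app` backend while one host is disabled. The helper below is an added example (not code from this post or from the Ansible haproxy module) that parses the CSV returned by `show stat` on the stats socket, the same socket the playbook's haproxy tasks use, and refuses the disable when no other server in the backend is UP. The `show stat` output is constructed for this example; the backend name `app` and the hostnames follow the post.

```python
"""Pre-flight check for the rolling update above (added example, not the post's code).

Parses HAProxy `show stat` CSV and answers whether a server can be taken
out of the `app` backend without leaving it with no UP server.
"""
import csv
import io


def parse_show_stat(csv_text):
    """Return the rows of `show stat` as dicts keyed by the header column names."""
    lines = csv_text.strip().splitlines()
    lines[0] = lines[0].lstrip("# ")  # the header row is prefixed with "# "
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def healthy_peers(rows, backend, host):
    """Names of servers in `backend`, other than `host`, whose status is UP."""
    return [
        row["svname"] for row in rows
        if row["pxname"] == backend
        and row["svname"] not in ("FRONTEND", "BACKEND", host)
        and (row["status"] or "").startswith("UP")
    ]


def can_disable(csv_text, backend, host):
    """True only if disabling `host` still leaves at least one UP server in `backend`."""
    return len(healthy_peers(parse_show_stat(csv_text), backend, host)) >= 1


# Constructed `show stat` output holding the columns this check reads; a real
# socket answer has many more trailing columns, which DictReader carries along.
SAMPLE_STAT = """# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,
app,FRONTEND,0,0,0,1,2000,10,1000,5000,0,0,0,,,,,OPEN,,
app,server2,0,0,0,1,,5,500,2500,,0,,0,0,0,0,UP,1,
app,server3,0,0,0,1,,5,500,2500,,0,,0,0,0,0,DOWN,1,
app,BACKEND,0,0,0,1,200,10,1000,5000,0,0,0,0,0,0,0,UP,1,
"""

if __name__ == "__main__":
    # Taking server3 out is safe (server2 is UP); taking server2 out is not.
    print(can_disable(SAMPLE_STAT, "app", "server3"), can_disable(SAMPLE_STAT, "app", "server2"))
```

A socket opened with `level admin` accepts these disable and enable commands from any local user who can open the socket file; the `stats socket` directive also takes `mode`, `user` and `group` to restrict who that is.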
5. Time synchronization

The physical host syncs to 172.25.254.250; the virtual machines sync to the physical host at 172.25.3.250.

% On the physical host

```
[root@zhenji images]# vim /etc/chrony.conf
# Allow NTP client access from local network.
#allow 192.168/16
allow 172.25/16
[root@zhenji images]# systemctl restart chronyd
```

% On server1

```
[root@node1~]$ dnf install rhel-system-roles.noarch
[devops@node1 ansible]$ vim ansible.cfg
[devops@server1 timesync]$ pwd
/usr/share/doc/rhel-system-roles/timesync
[devops@server1 timesync]$ cp example-timesync-playbook.yml /home/devops/ansible/
[devops@server1 ansible]$ vim example-timesync-playbook.yml
---
- hosts: webserver
  vars:
    timesync_ntp_servers:
      - hostname: 172.25.3.250
        iburst: yes
  roles:
    - rhel-system-roles.timesync
[devops@server1 ansible]$ ansible-playbook example-timesync-playbook.yml
```

Check the result on server2 and server3:

```
[root@node2 ~]# chronyc sources -v
```
6. SELinux

```
[devops@server1 selinux]$ pwd
/usr/share/doc/rhel-system-roles/selinux
[devops@server1 selinux]$ cp example-selinux-playbook.yml /home/devops/ansible/
[devops@server1 ansible]$ vim example-selinux-playbook.yml
[devops@server1 ansible]$ cat example-selinux-playbook.yml
---
- hosts: server4
  vars:
    selinux_policy: targeted
    selinux_state: enforcing
    selinux_booleans:
      - { name: 'samba_enable_home_dirs', state: 'on' }
    selinux_fcontexts:
      - { target: '/samba(/.*)?', setype: 'samba_share_t', ftype: 'd' }
    selinux_restore_dirs:
      - /samba
    selinux_ports:
      - { ports: '82', proto: 'tcp', setype: 'http_port_t', state: 'present' }
  tasks:
    - name: Creates directory
      file:
        path: /samba
        state: directory
    - name: execute the role and catch errors
      block:
        - include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Fail if failed for a different reason than selinux_reboot_required.
        - name: handle errors
          fail:
            msg: "role failed"
```

% Turn SELinux off on server3

```
[root@server3 ~]# vim /etc/selinux/config
SELINUX=disabled
[root@server3 selinux]# reboot
[devops@server1 ansible]$ ansible-playbook example-selinux-playbook.yml
```

% Check the result on server4

```
[devops@server4 .ssh]$ cd /samba/
[devops@server4 samba]$ ls
[devops@server4 samba]$ ll -Zd .
drwxr-xr-x. 2 root root unconfined_u:object_r:samba_share_t:s0 6 Jan  3 15:27 .
[devops@server4 samba]$ vim /etc/httpd/conf/httpd.conf   # change the Listen directive to: Listen 82
[root@server4 ~]# systemctl restart httpd
[root@server4 ~]# netstat -antlp
```
7. Logical volumes

```
[root@server1 ~]# ansible-doc filesystem
[devops@server1 ansible]$ cat lvs.yml
---
- hosts: server4
  tasks:
    - name: create vg
      lvg:
        vg: demovg
        pvs: /dev/vdb
    - name: create lv
      lvol:
        vg: demovg
        lv: "{{ item }}"
        size: 100%FREE
      loop:
        - demolv
      when: item not in ansible_lvm['lvs']
    - name: create xfs filesystem
      filesystem:
        fstype: xfs
        dev: /dev/demovg/demolv
    - name: mount lv
      mount:
        path: /mnt/app
        src: /dev/demovg/demolv
        fstype: xfs
        opts: noatime
        state: mounted
[devops@server1 ansible]$ ansible-playbook lvs.yml
```
8. Partitions

```
[root@server1 ~]# ansible-doc parted
[devops@server1 ansible]$ cp lvs.yml parted.yml
[devops@server1 ansible]$ vim p
parted.yml  playbook2.yml  playbook3.yml  playbook4.yml  playbook5.yml  playbook.yml
[devops@server1 ansible]$ vim parted.yml
---
- hosts: server3
  tasks:
    - name: Create a new primary partition
      parted:
        device: /dev/vdb
        number: 1
        state: present
        part_end: 1GiB
    - name: create xfs filesystem
      filesystem:
        fstype: xfs
        dev: /dev/vdb1
        force: yes
    - name: mount partition
      mount:
        path: /mnt/app
        src: /dev/vdb1
        fstype: xfs
        opts: noatime
        state: mounted
[devops@server1 ansible]$ ansible-playbook parted.yml
```