我这里先将想要的功能拆分开,通过单个剧本(playbook)来实现一个功能,然后将这些单个剧本(playbook)组成一个角色(roles)。
此文档中只包含了单个剧本(playbook)的初始版本,后面还分享了一个最终版,有需要的小伙伴可以参考一下。
其实我一共迭代了 5 个版本,中间的几个版本都是在完善最终的角色(roles)而已,考虑到都分享出来的话会比较繁琐,所以最后就只分享一个初始版和最终版。
·
authorized-key.yml
---
# Push the control node's root public key into root's authorized_keys on every
# target, so the remaining playbooks can log in as root without a password.
- name: set authorized key taken from file
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: authorized key
      authorized_key:
        user: root
        state: present
        # lookup('file', ...) is evaluated on the control node, not the target.
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
·
upgrade-kernel.yml
PS: 拷贝的目录,在这里就不体现了。
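---
# Stage the kernel-5.4.127 RPM directory on the target, remove the 3.10.0
# kernel-tools packages that conflict with it, install the new kernel through
# the yum module (idempotent, unlike `yum -y localinstall`) and make it the
# default GRUB entry.
- name: update kernel in 5.4.127
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: copy kernel-5.4.127
      copy:
        src: kernel-5.4.127
        dest: /usr/local/src

    - name: remove kernel-tools-3.10.0 and kernel-tools-libs-3.10.0
      yum:
        name:
          - kernel-tools-3.10.0
          - kernel-tools-libs-3.10.0
        state: absent

    - name: find kernel-5.4.127 rpms
      find:
        paths: /usr/local/src/kernel-5.4.127
        patterns: '*.rpm'
      register: kernel_rpms

    - name: install kernel-5.4.127
      # The yum module accepts local rpm paths, so a second run reports "ok"
      # instead of re-running the install; skipped when no rpm was copied.
      yum:
        name: "{{ kernel_rpms.files | map(attribute='path') | list }}"
        state: present
      when: kernel_rpms.files | length > 0

    - name: set default load grub version
      # NOTE(review): entry 0 is the new kernel only while it sorts first in
      # grub.cfg; selecting it by menu title would be more robust — confirm.
      command: grub2-set-default 0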
·
config-grub.yml
PS: 这里关闭了ipv6的模块和显卡模式的设置
PS: 配置显卡模式的原因:内核升级到 5.x 时,vga连接物理机无法显示。
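---
# Append ipv6.disable=1 and mgag200.modeset=0 to GRUB_CMDLINE_LINUX in
# /etc/default/grub, each only when it is missing, then regenerate grub.cfg
# if the file actually changed.
- name: modify kernel configuration(ipv6.disable=1 and mgag200.modeset=0)
  hosts: wpf_test
  remote_user: root
  vars:
    grub_cmdline_options:
      - ipv6.disable=1
      - mgag200.modeset=0
  tasks:
    - name: add missing options to GRUB_CMDLINE_LINUX
      # The negative lookahead makes the regexp match only when the option is
      # absent, so the task is idempotent without a separate grep step, and the
      # anchored pattern never touches GRUB_CMDLINE_LINUX_DEFAULT (the old
      # `sed 's#GRUB_CMDLINE_LINUX=.*#...#'` rewrote that line as well).
      lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX="(?!.*{{ item }})(.*)"$'
        line: 'GRUB_CMDLINE_LINUX="\1 {{ item }}"'
        backrefs: true
      loop: "{{ grub_cmdline_options }}"
      register: grub_cmdline

    - name: create a new grub configuration
      command: grub2-mkconfig -o /boot/grub2/grub.cfg
      when: grub_cmdline is changed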
·
selinux-firewalld.yml
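---
# Stop and disable firewalld, then turn SELinux off: persistently via
# /etc/selinux/config (effective after the next reboot) and, while it is
# still active, at runtime with `setenforce 0`.
- name: disabled firewalld and selinux
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: disabled firewalld
      systemd:
        name: firewalld
        state: stopped
        enabled: false

    - name: task selinux status
      command: getenforce
      register: selinux_status
      # Read-only query: never report it as a change.
      changed_when: false

    - name: modify selinux config
      lineinfile:
        path: /etc/selinux/config
        regexp: '^SELINUX=.*'
        line: "SELINUX=disabled"

    - name: cmd set selinux status is 0
      # `setenforce 0` errors out when SELinux is already disabled, hence the
      # guard; it is a no-op (not a change) when the mode is already Permissive.
      command: setenforce 0
      when: selinux_status.stdout != "Disabled"
      changed_when: selinux_status.stdout == "Enforcing"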
·
system-limits.yml
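---
# Raise the process and open-file limits for all users in
# /etc/security/limits.conf.
- name: system limits config
  hosts: wpf_test
  remote_user: root
  vars:
    limits_value: 65536
    limits_items:
      - soft nproc
      - hard nproc
      - soft nofile
      - hard nofile
  tasks:
    - name: set limits in /etc/security/limits.conf
      # One task looping over the four entries instead of four copies of the
      # same lineinfile block; the regexp anchors on "* <type> <item>".
      # NOTE(review): files under /etc/security/limits.d/ are read after
      # limits.conf and can override these values — check that directory.
      lineinfile:
        path: /etc/security/limits.conf
        regexp: '^\* {{ item }}'
        line: "* {{ item }} {{ limits_value }}"
      loop: "{{ limits_items }}"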
·
optimization-kernel.yml
PS: 拷贝的文件,在这里就不体现了。
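---
# Install a custom sysctl drop-in and load it only when the file changed.
- name: kernel optimization
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: copy my-default.conf
      copy:
        src: my-default.conf
        dest: /etc/sysctl.d/
      register: sysctl_conf

    - name: sysctl enable
      # `sysctl -p <file>` applies only that file; re-applying an unchanged
      # file does nothing, so skip it instead of reporting a change every run.
      command: sysctl -p /etc/sysctl.d/my-default.conf
      when: sysctl_conf is changed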
·
config-route.yml
PS: 这里的路由配置,只适用于本公司。
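---
# Retire the per-interface route-* files, add a single static route to
# /etc/sysconfig/static-routes and restart networking when anything changed.
- name: config route
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: backup old config
      # Single-quoted on purpose: the original double-quoted YAML string held
      # `\;`, which is not a valid YAML escape and fails on strict loaders.
      # "route*" is quoted so the shell cannot glob-expand it before find runs,
      # *.bak files are excluded so re-runs do not produce .bak.bak, and -print
      # gives a non-empty stdout exactly when something was renamed.
      shell: 'find /etc/sysconfig/network-scripts/ -maxdepth 1 -name "route*" -not -name "*.bak" -print -exec mv {} {}.bak \;'
      register: route_backup
      changed_when: route_backup.stdout != ""

    - name: add new config
      # NOTE(review): this route is specific to the author's network.
      lineinfile:
        path: /etc/sysconfig/static-routes
        # Dots escaped so only the literal gateway address matches.
        regexp: '.*172\.168\.30\.254$'
        line: "any net 172.168.20.0 netmask 255.255.255.0 gw 172.168.30.254"
        # The file does not exist on a fresh CentOS install.
        create: true
      register: static_route

    - name: restart network
      systemd:
        name: network
        state: restarted
        enabled: true
      when: route_backup is changed or static_route is changed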
·
ssh.yml
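---
# Move sshd to port 50000 and disable reverse-DNS lookups, validating the
# config before it is written, then restart sshd only if something changed.
# NOTE(review): after this play the inventory must use ansible_port 50000, and
# a host with SELinux enforcing or firewalld active needs the new port
# allowed there too — the other playbooks on this page disable both, confirm
# the order they run in.
- name: ssh listen port and DNS config
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: modify ssh port
      lineinfile:
        path: /etc/ssh/sshd_config
        # Matches both the shipped "#Port 22" comment and an already-set Port
        # line, so re-runs never append a second Port directive.
        regexp: '^#?Port\s'
        line: "Port 50000"
        # Refuse to write a config sshd cannot parse — a broken sshd_config
        # followed by the restart below would lock every remote session out.
        validate: '/usr/sbin/sshd -t -f %s'
      register: ssh_port

    - name: modify ssh dns
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?UseDNS\s'
        line: "UseDNS no"
        validate: '/usr/sbin/sshd -t -f %s'
      register: ssh_dns

    - name: restart sshd
      systemd:
        name: sshd
        state: restarted
        enabled: true
      when: ssh_port is changed or ssh_dns is changed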
·
virt.yml
PS: 此剧本主要是为了实现虚拟环境的配置和通过 webvirtmgr 管理的功能
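---
# Prepare a CentOS 7 host as a KVM hypervisor: switch yum to the Aliyun
# mirrors, install the virtualization stack, create the webvirtmgr user and
# define / start / autostart the br0 and br1 libvirt networks.
- name: bridge network
  hosts: wpf_test
  remote_user: root
  vars:
    # NOTE(review): plain-text credential kept here only so the play behaves
    # as before — move it into an Ansible Vault file and reference it here.
    webvirtmgr_password: "123456"
    # A fixed salt keeps the hash stable between runs (idempotent user task);
    # the trade-off is that the salt is visible in the playbook.
    webvirtmgr_password_salt: "mysecretsalt"
    virt_packages:
      - qemu-kvm
      - qemu-img
      - virt-manager
      - libvirt-client
      - libvirt-python
      - virt-viewer
      - libguestfs-tools
      - virt-install
    completion_packages:
      - bash-completion
      - libvirt-bash-completion
  tasks:
    - name: mkdir repobak
      file:
        path: /etc/yum.repos.d/repobak
        state: directory

    - name: check whether a repo backup already exists
      find:
        paths: /etc/yum.repos.d/repobak
        patterns: '*.repo'
      register: repobak_contents

    - name: backup old yum repo
      # First run only: a later run would otherwise move the Aliyun files
      # downloaded below into repobak and overwrite the backed-up vendor repos.
      shell: mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/repobak
      when: repobak_contents.matched == 0

    - name: add aliyum of Centos-7.repo
      # https so the repo definition cannot be altered in transit.
      get_url:
        url: https://mirrors.aliyun.com/repo/Centos-7.repo
        dest: /etc/yum.repos.d/CentOS-Base.repo

    - name: remove centos yum repo in aliyuncs.com of line
      lineinfile:
        path: /etc/yum.repos.d/CentOS-Base.repo
        regexp: ".*aliyuncs.com.*"
        state: absent

    - name: add aliyum of epel.repo
      get_url:
        url: https://mirrors.aliyun.com/repo/epel-7.repo
        dest: /etc/yum.repos.d/epel.repo

    - name: install virtualization rpm
      yum:
        name: "{{ virt_packages }}"
        state: present

    - name: start libvirtd
      systemd:
        name: libvirtd
        state: started
        enabled: true

    - name: install cmd completion rpm
      yum:
        name: "{{ completion_packages }}"
        state: present

    - name: take effect cmd completion
      # `source` only affects this task's own shell and is gone when the task
      # ends; kept for fidelity but no longer reported as a change.
      shell: source /usr/share/bash-completion/completions/virsh;source /etc/profile
      changed_when: false

    - name: ensure group "libvirt" exists
      group:
        name: libvirt
        state: present

    # https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module
    - name: add user 'webvirtmgr' with a bash shell, appending the group 'libvirt' to the user's groups
      user:
        name: webvirtmgr
        shell: /bin/bash
        groups: libvirt
        append: true
        password: "{{ webvirtmgr_password | password_hash('sha512', webvirtmgr_password_salt) }}"

    # Query tasks: stdout is "0" when the network already exists.
    - name: task virt net br0
      shell: virsh net-list --all | grep -q br0;echo $?
      register: net_virt_br0
      changed_when: false

    - name: task virt net br1
      shell: virsh net-list --all | grep -q br1;echo $?
      register: net_virt_br1
      changed_when: false

    - name: copy br0.xml
      copy:
        src: br0.xml
        dest: /etc/libvirt/qemu/networks/br0.xml
      when: net_virt_br0.stdout != "0"

    - name: copy br1.xml
      copy:
        src: br1.xml
        dest: /etc/libvirt/qemu/networks/br1.xml
      when: net_virt_br1.stdout != "0"

    - name: defin br0
      command: virsh net-define /etc/libvirt/qemu/networks/br0.xml
      when: net_virt_br0.stdout != "0"

    - name: defin br1
      command: virsh net-define /etc/libvirt/qemu/networks/br1.xml
      when: net_virt_br1.stdout != "0"

    - name: task virt net br0 start status
      shell: virsh net-info br0 | awk '/Active/{print $2}'
      register: br0_start_status
      changed_when: false

    - name: start br0
      command: virsh net-start br0
      when: br0_start_status.stdout != "yes"

    - name: task virt net br1 start status
      shell: virsh net-info br1 | awk '/Active/{print $2}'
      register: br1_start_status
      changed_when: false

    - name: start br1
      command: virsh net-start br1
      when: br1_start_status.stdout != "yes"

    - name: task virt net br0 austart status
      shell: virsh net-info br0 | awk '/Autostart/{print $2}'
      register: br0_austart_status
      changed_when: false

    - name: austart br0
      command: virsh net-autostart br0
      when: br0_austart_status.stdout != "yes"

    - name: task virt net br1 austart status
      shell: virsh net-info br1 | awk '/Autostart/{print $2}'
      register: br1_austart_status
      changed_when: false

    - name: austart br1
      command: virsh net-autostart br1
      when: br1_austart_status.stdout != "yes"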
·
bridge-network.yml
PS: 注意这里的网卡名
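---
# Turn em1 and em4 into bridge slaves (br0 / br1): comment out their static IP
# settings, point them at the bridge, render the bridge ifcfg files from
# templates, name the host after em1's last IPv4 octet and restart networking.
# NOTE(review): the interface names em1/em4 are hard-coded — confirm them on
# every target before running.
- name: bridge network
  hosts: wpf_test
  remote_user: root
  vars:
    notes_option:
      - "IPADDR"
      - "NETMASK"
      - "GATEWAY"
      - "DNS"
  tasks:
    - name: notes em1 hard ip config
      # `replace` comments every line that starts with the option name and is
      # not yet commented; the old `sed 's/^.*$/#&/'` added another '#' on
      # every run. "DNS" deliberately also matches DNS1, DNS2, ...
      replace:
        path: /etc/sysconfig/network-scripts/ifcfg-em1
        regexp: '^({{ item }}.*)$'
        replace: '#\1'
      loop: "{{ notes_option }}"

    - name: config em1 hard bridge br0
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-em1
        regexp: '^BRIDGE'
        line: "BRIDGE=br0"

    - name: notes em4 hard ip config
      replace:
        path: /etc/sysconfig/network-scripts/ifcfg-em4
        regexp: '^({{ item }}.*)$'
        replace: '#\1'
      loop: "{{ notes_option }}"

    - name: config em4 hard bridge br1
      lineinfile:
        path: /etc/sysconfig/network-scripts/ifcfg-em4
        regexp: '^BRIDGE'
        line: "BRIDGE=br1"

    - name: see em1 does it exist
      # grep -x on the "em1:" label, so em10/em11 are not mistaken for em1.
      shell: ifconfig | awk '/flags/{print $1}' | grep -qx "em1:";echo $?
      register: em1_exist
      changed_when: false

    - name: take last ipaddr
      # Only the IPv4 "inet " line is considered (the old `grep inet | sed -n 1p`
      # could pick an inet6 line when the interface had no IPv4 address).
      shell: ifconfig em1 | awk '/inet /{print $2; exit}' | awk -F "." '{print $NF}'
      register: last_ipaddr
      changed_when: false
      when: em1_exist.stdout == "0"

    - name: copy jinjia2 template by ifcfg-br0
      template:
        src: ifcfg-br0.j2
        dest: /etc/sysconfig/network-scripts/ifcfg-br0
      when: em1_exist.stdout == "0"

    - name: copy jinjia2 template by ifcfg-br1
      template:
        src: ifcfg-br1.j2
        dest: /etc/sysconfig/network-scripts/ifcfg-br1
      when: em1_exist.stdout == "0"

    - name: config hostname
      # The hostname module is idempotent, unlike an unconditional hostnamectl.
      hostname:
        name: "vlan30.node{{ last_ipaddr.stdout }}.virt"
      when: em1_exist.stdout == "0"

    - name: restart network
      systemd:
        name: network
        state: restarted
        enabled: true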
·
PS1-env.yml
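---
# Export a system-wide bash prompt via /etc/bashrc.
# (The play name used to be a copy of the selinux/firewalld one.)
- name: export PS1 env
  hosts: wpf_test
  remote_user: root
  tasks:
    - name: export PS1 env
      lineinfile:
        path: /etc/bashrc
        # Replace an existing export rather than appending a second one.
        regexp: '^export PS1='
        line: export PS1='[\u\@\H \W]\$'

    - name: take effect PS1 env
      # `source` only affects this task's own shell; new login shells read
      # /etc/bashrc themselves, so this is reported as no change.
      shell: source /etc/bashrc
      changed_when: false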