# Show the current shell's limits: a bare "ulimit" reports only -f (file size),
# "ulimit -a" prints the full table.
ulimit
ulimit -a
# Raise the open-file and process limits for every login shell.  Each run
# appends another copy of the line, and for non-root logins the raise only
# succeeds while it stays within the hard limit (see /etc/security/limits.conf).
echo "ulimit -n 65535" >> /etc/profile
echo "ulimit -u 10000" >> /etc/profile
# "set dns" is a section heading in these notes, not a command (as a shell
# statement it would merely set $1).  The DNS client setup follows.
set dns
# The DNS= line goes under [Resolve] in resolved.conf; 192.168.23.152 is the
# lab BIND server configured further down (the address the openlab.com zone
# publishes for www).
vim /etc/systemd/resolved.conf
DNS=192.168.23.152
systemctl restart systemd-resolved
systemctl enable systemd-resolved
# Replace the distribution's resolv.conf with the one resolved generates.
# /run/systemd/resolve/resolv.conf lists the upstream servers directly
# (bypassing the 127.0.0.53 stub); stub-resolv.conf is the alternative.
mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/resolv.conf /etc/
systemctl restart systemd-resolved
# Verify: the new resolv.conf should list 192.168.23.152 and the lab name must resolve.
cat /etc/resolv.conf
nslookup www.openlab.com
---
- name: configure nginx
hosts: webservers
tasks:
- name: change worker processes
lineinfile:
path: /etc/nginx/nginx.conf
regexp: '^worker_processes'
line: 'worker_processes 4;'
- name: reload nginx
systemd:
name: nginx
state: reloaded
---
- name: Backup Nginx Log
  hosts: webservers
  tasks:
    - name: Setup Cron For Backup
      cron:
        name: Backup Nginx Log
        minute: "05"
        hour: "05"
        # Runs daily at 05:05 under the cron module's default user, i.e. the
        # account Ansible ends up as on the node (root with the become settings
        # in ansible.cfg).  NOTE(review): tar -C takes a directory; after the
        # shell expands /var/log/nginx/*.log the first log file is used as the
        # -C directory and the archive step fails.  Dropping -C and passing
        # /var/log/nginx/*.log directly is the working form.  /backup must
        # already exist on the node.
        job: "tar -zcvf /backup/www-{{ansible_date_time.date}}.tar.gz -C /var/log/nginx/*.log"
---
- name: index
hosts: webservers
tasks:
- name: index
template:
src: /etc/ansible/demo/index.html.j2
dest: /var/www/html/index.html
cat index.html.j2
welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}
ansible webservers -m setup >> 11.txt
ansible webservers -m setup | grep defau -A 2
ssh-keygen
cat ~/.ssh/id_rsa.pub
ssh-copy-id 192.168.23.152
ssh-copy-id -p 2222 username@hostname
vim ansible.cfg
[defaults]
inventory = /etc/ansible/demo/inventory
remote_user = root
# Turns off SSH host-key verification for every managed node, so a host
# substituted on the path goes unnoticed.  Pre-populating known_hosts
# (ssh-copy-id / ssh-keyscan) and leaving this at its default is the safer setup.
host_key_checking = False
[privilege_escalation]
# Redundant while remote_user is already root, but harmless.
become=True
become_method=sudo
become_user=root
become_ask_pass=False
cat inventory
[webservers]
192.168.23.152
[nginx]
192.168.23.155
ansible all --list-hosts
ansible all -m ping
cat backup.yaml
---
- name: Backup Nginx Log
  hosts: webservers
  tasks:
    - name: Setup Cron For Backup
      cron:
        name: Backup Nginx Log
        minute: "05"
        hour: "05"
        # Daily at 05:05.  NOTE(review): tar -C expects a directory; once the
        # shell expands /var/log/nginx/*.log the first log file is taken as the
        # -C directory and tar fails.  Passing /var/log/nginx/*.log without -C
        # is the working form; /backup must already exist on the node.
        job: "tar -zcvf /backup/www-{{ansible_date_time.date}}.tar.gz -C /var/log/nginx/*.log"
vim nginx.yaml
---
- name: configure nginx
hosts: webservers
tasks:
- name: change worker processes
lineinfile:
path: /etc/nginx/nginx.conf
regexp: '^worker_processes'
line: 'worker_processes 4;'
- name: reload nginx
systemd:
name: nginx
state: reloaded
cat apt.yaml
---
- name: install nginx
hosts: nginx
tasks:
- name: task1
apt:
name: nginx
state: present
---
- name: install the latest version of Apache and MariaDB
hosts: webservers
tasks:
- name: install
apt:
name:
- php
- mariadb-server
state: latest
cat index.yaml
---
- name: index
hosts: webservers
tasks:
- name: index
template:
src: /etc/ansible/demo/index.html.j2
dest: /var/www/html/index.html
cat index.html.j2
welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}
ansible webservers -m setup >> 11.txt
ansible webservers -m setup | grep defau -A 2
{% for i in groups.all %}
{{ hostvars[i].ansible_default_ipv4.address }} {{ hostvars[i].ansible_fqdn}} {{ hostvars[i].ansible_hostname }}
{% endfor %}
ansible demo
copy/template/apt/ufw/iptables/group/file/lineinfile/cron/uri/
DNS
https://blog.csdn.net/qq_48975137/article/details/132340986
apt-get -y install bind
vim /etc/bind/named.conf.default-zones
zone "openlab.com" {
type master;
file "/etc/bind/db.openlab.com";
};
zone "23.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};
vim /etc/bind/db.openlab.com
; Forward zone for openlab.com (named as /etc/bind/db.openlab.com in named.conf.default-zones).
$TTL 604800
@ IN SOA openlab.com. root.localhost. (
1 ; Serial -- bump it on every edit so caches (and any future secondary) see the change
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; Delegating to localhost. only works on a single lab server.
@ IN NS localhost.
; NOTE(review): two problems on the next line.  The owner name has no trailing
; dot, so it is read relative to the origin as openlab.com.openlab.com., and NS
; rdata must be a host name, so 192.168.23.152 is read as the name
; 192.168.23.152.openlab.com. (named-checkzone warns that it has no address
; record).  The intended record is "@ IN NS www.openlab.com.", with the A record
; below supplying the address.
openlab.com IN NS 192.168.23.152
www IN A 192.168.23.152
vim /etc/bind/db.192
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA openlab.com. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS www.openlab.com.
152 IN PTR www.openlab.com.
vim /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// "any" already includes 127.0.0.1.
listen-on port 53 {127.0.0.1;any; };
// No secondaries exist, so zone transfers are refused outright.
allow-transfer { none; };
// Recursion is on with no allow-recursion, so BIND's default
// (localnets; localhost) decides who may recurse.  Set
// allow-recursion { <lab-subnet>; }; explicitly so the intended clients are
// served and the listener on "any" does not become an open resolver.
recursion yes;
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
systemctl restart bind9
set dns
vim /etc/systemd/resolved.conf
DNS=192.168.23.152
systemctl restart systemd-resolved
systemctl enable systemd-resolved
mv /etc/resolv.conf /etc/resolv.conf.bak
ln -s /run/systemd/resolve/resolv.conf /etc/
systemctl restart systemd-resolved
cat /etc/resolv.conf
nslookup www.openlab.com
# Current filter-table rules.
iptables -L
# Flushes every rule in the filter table but keeps the chain policies (ACCEPT
# by default), so the ACCEPT rules below restrict nothing until a DROP policy
# (iptables -P INPUT DROP) or a final DROP rule exists.  The nat table is not
# touched by this (that needs -t nat -F).
iptables -F
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# The OUTPUT/--sport counterparts only matter once the OUTPUT policy is DROP.
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# DNS: only TCP/53 is opened; most lookups use UDP/53, which needs its own rule.
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 8088 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 8088 -j ACCEPT
# Redirect 8888 -> 80 for traffic arriving from the network (PREROUTING does
# not see locally generated packets).
iptables -t nat -A PREROUTING -p tcp --dport 8888 -j REDIRECT --to-ports 80
# --line-numbers gives the index that -D takes; [chain] and [rule-number]
# below are placeholders, not literal arguments.
iptables -L --line-numbers
iptables -D [chain] [rule-number]
# ufw equivalents; "enable/disable" is shorthand for the two commands.
ufw status
ufw enable/disable
# "allow 8088" opens the port for tcp and udp from any source;
# "allow from 192.168.1.1" opens every port to that single host.
ufw allow 8088
ufw allow from 192.168.1.1
# firewalld rich rules.  Everything below is --permanent only and takes effect
# after "firewall-cmd --reload"; x.x.x.x/x is a placeholder for the client range.
firewall-cmd --add-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=x.x.x.x/x accept' --permanent
firewall-cmd --remove-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=x.x.x.x/x accept' --permanent
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.55.39.75" accept' --permanent
#####
# A new zone starts empty with the default target, so binding a source to
# "trustip" allows nothing by itself until services or --set-target are added.
firewall-cmd --permanent --new-zone=trustip
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 port port=21 protocol=tcp drop' --permanent
# Apparently a reminder: --remove-rich-rule with the same rule text undoes the line above.
--remove
firewall-cmd --zone=trustip --add-source=193.173.63.57 --permanent
firewall-cmd --list-all-zones
firewall-cmd --add-rich-rule 'rule family=ipv4 port port=22 protocol=tcp source address=49.74.129.201/32 accept' --permanent
# Build nginx from source: compiler plus PCRE (regex locations/rewrite) and zlib (gzip).
apt install gcc
apt-get install libpcre3 libpcre3-dev
apt-get install zlib1g zlib1g-dev
# Plain-http download with no integrity check.  nginx.org publishes a detached
# .asc signature next to each tarball; fetch it alongside and verify with the
# nginx signing key before building.  1.13.7 is an old mainline release, so a
# current stable version is the better choice.
wget http://nginx.org/download/nginx-1.13.7.tar.gz
tar -xvf nginx-1.13.7.tar.gz
# configure/make run inside the unpacked tree: "cd nginx-1.13.7" is implied here.
./configure --prefix=/usr/local/nginx
make
# Installs under /usr/local/nginx, the path the nginx.service unit below uses.
make install
# Presumably a reminder, not a command: edit objs/Makefile and drop -Werror
# when a newer gcc's warnings abort the build (path is this user's home directory).
vim /home/yxf/nginx-1.13.7/objs/Makefile -Werror
vi /etc/systemd/system/nginx.service
[Unit]
Description=nginx
After=network.target
[Service]
Type=forking
ExecStart=/usr/local/nginx/sbin/nginx
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s quit
PrivateTmp=true
[Install]
WantedBy=multi-user.target
apt-get install mysql-server
apt install php php-fpm php-mysql
systemctl enable php7.2-fpm
vim /usr/local/nginx/conf/nginx.conf
user www-data;
root /usr/local/nginx/wordpress;
location / {
    #root html;
    index index.php index.html index.htm;
}
location ~ \.php$ {
    # root html;
    # fastcgi_pass 127.0.0.1:9000;
    # NOTE(review): add "try_files $uri =404;" at the top of this block.
    # Without it a request for a .php path that does not exist is still handed
    # to php-fpm, and with cgi.fix_pathinfo=1 (PHP's default) PHP can end up
    # executing an existing non-PHP file (e.g. an upload) as a script.
    fastcgi_index index.php;
    # $document_root comes from the "root /usr/local/nginx/wordpress;" directive above.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Must match "listen =" in /etc/php/7.2/fpm/pool.d/www.conf (set below).
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    include fastcgi_params;
}
vim /etc/php/7.2/fpm/pool.d/www.conf
listen = /var/run/php/php7.2-fpm.sock
mysql -u root -p
-- Database and a dedicated account for WordPress.
create database wordpress;
-- The account is bound to localhost, matching php-fpm on the same host.  The
-- clear-text password sits in this file and in ~/.mysql_history; presumably it
-- is also what goes into wp-config.php below.
create user 'yangxiaofeng'@'localhost' identified by '0o8b5w';
-- Privileges are scoped to the wordpress schema only (no global grants).
grant all privileges on wordpress.* to yangxiaofeng@localhost;
show databases;
-- Not required after CREATE USER/GRANT (they update the grant tables directly); harmless.
FLUSH PRIVILEGES;
mv wordpress /usr/local/nginx/
vim /usr/local/nginx/wp-config.php
/etc/nginx/sites-available/default
root /var/www/wordpress;
index index.php index.html index.htm index.nginx-debian.html;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
}
vim /etc/php/7.2/fpm/pool.d/www.conf
apt install php php-fpm php-mysql -y
systemctl enable php7.2-fpm
LB
https://blog.csdn.net/weixin_44188105/article/details/129139629
vim /etc/nginx/sites-enabled/default
vim /etc/nginx/conf.d/nginx.conf
upstream load_banance {
server 192.168.23.152:81 weight=1;
server 192.168.23.155:81 weight=2;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
proxy_pass http://load_banance;
}
}
upstream myapp1 {
server srv1.com weight=1;
server srv2.com:8088 weight=2;
server 192.168.0.100:8088 weight=3;
}
upstream myapp1 {
least_conn;
server srv1.com;
server srv2.com:8088;
server 192.168.0.100:8088;
}
upstream myapp1 {
ip_hash;
server srv1.com;
server srv2.com:8088;
server 192.168.0.100:8088;
}
# cd /root
# . admin-openrc
# openstack project list
# openstack project create --description "Test Project" test
# openstack project set 93f6b89e92dc4ed3b758f530bc2da84e --name test-new
# openstack project show 93f6b89e92dc4ed3b758f530bc2da84e
# openstack project delete 93f6b89e92dc4ed3b758f530bc2da84e
# openstack user list
# openstack user create --domain default --password-prompt tom
# openstack user set tom --name tom-new
# openstack user delete tom-new
# openstack role list
# openstack role create role1
# openstack role add --user testuser --project demo role1
# openstack role remove --user testuser --project demo role1
# openstack role list --user testuser --project demo
# openstack role delete role1
# openstack compute service list
# nova hypervisor-show a69d9575-3029-4641-8157-4be0badb605b
# openstack compute service list
# nova hypervisor-list
# nova hypervisor-show a69d9575-3029-4641-8157-4be0badb605b
# nova hypervisor-stats
# nova hypervisor-servers openstack-563-h2
# nova hypervisor-uptime a69d9575-3029-4641-8157-4be0badb605b
# openstack security group list
# openstack security group rule list
# openstack security group create hello --description "allow ping and ssh"
# openstack security group rule list hello
# openstack security group rule create --protocol icmp hello
# openstack security group rule create --protocol tcp --dst-port 22 hello
# openstack security group rule list hello
# openstack security group rule delete 18ab7052-d416-45af-9de3-cea39109e6ec
# openstack security group rule list hello
# openstack security group delete hello
# openstack image list
# openstack image create 'test' --file cirros-0.3.5-x86_64-disk.img --disk-format qcow2 --container-format bare --public
# openstack image set test --private
# openstack flavor create --id 1234 --vcpus 1 --ram 64 --disk 1 m1.nano
# openstack flavor list
# openstack flavor delete 1234
# service neutron-openvswitch-agent restart
# ps -ef|grep neutron-openvswitch-agent
# openstack network create --provider-network-type vxlan privatenetwork
# openstack subnet create --subnet-range 20.0.0.0/24 --network privatenetwork privatesubnet
# openstack network create --external --provider-physical-network external --provider-network-type flat publicnetwork
# openstack subnet create --subnet-range 172.171.0.0/24 --network publicnetwork publicsubnet
# openstack router create myroute
# openstack network delete privatenetwork
# openstack network delete publicnetwork
# openstack network list
# openstack security group list
# openstack server create --flavor small --image cirros --nic net-id=e744c24c-2e85-40cd-b3e5-42b092a38702 --security-group default myvm
# openstack server list
# openstack server pause myvm
# openstack server unpause myvm
# openstack server suspend myvm
# openstack server delete myvm
# swift stat
# openstack container create container1
# echo openlab > object.txt
# openstack object create container1 object.txt
# openstack object list container1
# openstack object save --file new-object.txt container1 object.txt
# nova service-list
# nova quota-show --tenant <tenant_id>
# nova list --all-te
# nova show vmid
# nova interface-list vmid
# nova host-describe hostid
# nova aggregate-list
# nova aggregate-details
# nova flavor-list
# nova flavor-show name
# nova hypervisor-list
# nova hypervisor-show
# nova availability-zone-list
# nova list --all-t --host <host_id>
# nova system-tags-show <host_id>
# nova list --all-t --deleted
# nova quota-update <tenant_id> [--ram] -1
# glance image-list
# glance image-show
# neutron agent-list
# neutron port-list | grep
# neutron port-show id
# neutron port-list --network-id <net_id>
# neutron port-list --network-id <net_id> --device_owner network:dhcp
# neutron security-group-list | grep security_groups_id -A 5
# neutron security-group-show <sg_id>
# neutron security-group-rule-list | grep sg-yxf-test0209
# neutron security-group-rule-create --tenant-id <tenant-id> --direction ingress --ethertype IPv4 \
--protocol tcp --port-range-min 80 --port-range-max 80 \
--remote-ip-prefix 193.173.63.57/32 bf4c618d-63c0-4c67-bb80-b0840f4f25d6(security_groups_id)
# neutron net-external-list
# neutron qos-policy-list
# neutron qos-policy-show <qos_id>
# neutron net-list
# nova interface-list vmid
# neutron net-show netID   (look up one network)
# neutron subnet-show <subnet_id>
# cinder quota-show
# cinder list --all | grep
# cinder show volumeid
# cinder service-list
# cinder extra-specs-list
# neutron quota-show --tenant-id <tenant-id>
# neutron port-list --tenant_id <tenant-id> | wc -l
# neutron quota-update --tenant-id 80646363702443fe8397f075b1345198 --port -1
# nova instance-action-list vmid ###req-id
# nova instance-action vmid req-id
root-ssh
vim /etc/ssh/sshd_config
# The commented-out default, prohibit-password, already lets root in with a
# key; "yes" additionally accepts root password logins, which exposes the root
# account directly to password guessing.  Keeping the default and using an
# unprivileged account with sudo gives the same access with an audit trail.
#PermitRootLogin prohibit-password
PermitRootLogin yes
systemctl restart sshd
systemctl status sshd
# Group and accounts for the admin team.
groupadd sysmgrs
# Create natasha with sysmgrs as a supplementary group (-G keeps her private primary group).
useradd -G sysmgrs natasha
# Alternative form for a no-login (service) account; run after the line above
# it fails because the user already exists -- the two are separate examples.
useradd -s /sbin/nologin natasha
# --stdin is the RHEL/CentOS passwd option; the clear-text password ends up in
# shell history as well as in this file.
echo redhat | passwd --stdin natasha
useradd -d /home/yangxf -m yangxf
# With no user name chsh changes the invoking user's own shell.
chsh -s /bin/bash
# Shared directory: 2770 = setgid so new files inherit group sysmgrs,
# rwx for owner and group, no access for others.
mkdir /home/managers/
chgrp sysmgrs /home/managers
chmod 2770 /home/managers
crontab
crontab -e -u natasha
*/2 * * * * logger "hello rhcsa"
crontab -l -u natasha
SELinux(centos)
getenforce
vim /etc/selinux/config
vim /etc/selinux/config
semanage port -l | grep http
semanage port -a -t http_port_t -p tcp 82
restorecon -Rv /var/www/html/
# A bare "ulimit" reports only the file-size limit (-f); -a prints them all.
ulimit
ulimit -a
# Appending to /etc/profile affects every login shell; each run adds another
# copy of the line.  Non-root shells can only raise the soft limit up to the
# hard limit from /etc/security/limits.conf, so set that file too if the
# login prints an error.
echo "ulimit -n 65535" >> /etc/profile
echo "ulimit -u 10000" >> /etc/profile
# Apply to the current shell without logging out.
source /etc/profile
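# POSIX ACL exercise on two scratch files.
touch file1 file2
# With no ACL set, getfacl prints only the owner/group/other base entries.
getfacl file1 file2
sudo useradd op1
sudo passwd op1
# Named-user entry: op1 gets rw- on file1 in addition to the mode bits.
setfacl -m u:op1:rw- file1
getfacl file1
# Named-group entry, then remove it again (-x names the entry without permissions).
setfacl -m g:op1:rw- file1
setfacl -x g:op1 file1
# -M reads ACL entries from a file; temp.txt holds the single line "u:op1:rwx".
vim temp.txt
u:op1:rwx
setfacl -M temp.txt file1
# --omit-header drops the "# file:/# owner:/# group:" lines (the command is getfacl).
getfacl --omit-header file1
# -b strips all extended entries (named users/groups, mask), leaving the base ACL.
setfacl -b file1
# Base entries only; the same as chmod 760 on each file.
chacl u::rwx,g::rw-,o::--- file1 file2
setfacl -m u::rwx,g::rw-,o::--- file1 file2
chacl -l file1 file2
# --set replaces the whole ACL instead of merging into it.
setfacl --set=u::rw-,g::rw-,o::r--,u:op1:rw- file1
mkdir mydir
getfacl -R mydir
# -R applies to the directory and everything under it.
setfacl -R -m u:op1:rwx mydir
setfacl -m o::r-- mydir
getfacl --omit-header mydir
mkdir dir1
getfacl --omit-header dir1
# d: entries are default ACLs, inherited by files created inside the directory.
# mydir2 is not created anywhere in these notes; presumably dir1 or mydir was meant.
setfacl -m d:g::rw-,d:o::r-- mydir2
getfacl mydir2
# chacl -d sets the default ACL only.
chacl -d u::rwx,g::r--,o::r-- mydir
getfacl --omit-header mydir
# -B removes every access and default ACL; with "*" that covers every
# non-hidden name in the current directory, not just the files created above.
chacl -B *
chacl -B *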
# Long listing; the NI column shows each process's nice value.
ps -l
# A backgrounded interactive editor stops as soon as it reads the terminal
# (SIGTTIN); these launches only serve to compare NI values in ps.
vi ~/.bashrc &
# A negative nice value (higher priority) needs root / CAP_SYS_NICE; +5 lowers priority.
nice -n -5 vi &
nice -n +5 vi &
vi &
ps -l
# renice changes a running process; an unprivileged user may only increase the
# nice value (lower the priority).  PIDs here are from the author's session.
renice +10 4274
# The processes were started as "vi"; this match only works where vi is a
# link to vim, as on many distributions.
ps -l | grep vim
# With no arguments nice prints the current niceness.
nice
renice 8 27091
RHCE8
1. /etc/ansible/ansible.cfg
2. ansible-doc yum_repository
---
- name: create lv
hosts: all
tasks:
- name: create pv and vg
lvg:
pvs: /dev/vdb
vg: vg0
state: present
ignore_errors: yes
- name: test vg0
command: vgdisplay vg0
ignore_errors: yes
register: vg_result
- name: message
debug:
msg: "vg group does not exist"
when: vg_result.rc != 0
- name: create lv
block:
- name: create 1.5G lv
lvol:
vg: vg0
lv: lv0
size: 1500m
rescue:
- name: debug msg
debug:
msg: "could not create lv of that size"
- name: create 800m lv
lvol:
vg: vg0
lv: lv0
size: 800m
ignore_errors: yes
- name: mkfs.ext4
filesystem:
dev: /dev/vg0/lv0
fstype: ext4
ignore_errors: yes
1111
inventory
[dev]
servera.lab.example.com
[test]
serverb.lab.example.com
[prod]
serverc.lab.example.com
serverd.lab.example.com
[balancers]
bastion.lab.example.com
[webservers:children]
prod
ansible.cfg
[defaults]
inventory = ./inventory
roles_path = ./roles
remote_user = student
[privilege_escalation]
# become_ask_pass=False assumes student has passwordless sudo on every node;
# otherwise pass -K (--ask-become-pass) on the command line.
become=True
become_method=sudo
become_user=root
become_ask_pass=False
ansible all --list-hosts
ansible-galaxy list
ansible all -m ping
2222
#!/bin/bash
ansible all -m yum_repository -a 'name=EX294_BASE description="EX294 base software" baseurl=http://content.example.com/rhel8.0/x86_64/dvd/BaseOS gpgcheck=yes gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes'
ansible all -m yum_repository -a 'name=EX294_STREAM description="EX294 stream software" baseurl=http://content.example.com/rhel8.0/x86_64/dvd/AppStream gpgcheck=yes gpgkey=http://content.example.com/rhel8.0/x86_64/dvd/RPM-GPG-KEY-redhat-release enabled=yes'
chmod a+x ad-hoc.sh
3333
---
- name: install
hosts: dev,test,prod
tasks:
- name: install
yum:
name:
- php
- mariadb
state: present
- name: install2
yum:
name: "@Development Tools"
state: present
when: inventory_hostname in groups.dev
- name: update
yum:
name: '*'
state: latest
when: inventory_hostname in groups.dev
4444a
---
- name: task
hosts: all
vars:
timesync_ntp_servers:
- hostname: 172.25.254.254
iburst: yes
roles:
- rhel-system-roles.timesync
4444b
---
- name: task
hosts: all
vars:
selinux_state: enforcing
roles:
- rhel-system-roles.selinux
5555
cat requirements.yml
---
- src: http://materials.example.com/phpinfo.tar
name: phpinfo
- src: http://materials.example.com/haproxy.tar
name: balance
ansible-galaxy install -r ./requirements.yml -p ./roles/
ansible-galaxy list
6666
ansible-galaxy init apache
main.yml
---
# tasks file for apache
- name: task1
yum:
name: httpd
state: present
- name: task2
service:
name: firewalld
state: started
enabled: yes
- name: task3
firewalld:
port: 80/tcp
permanent: yes
state: enabled
immediate: yes
- name: task4
template:
src: index.html.j2
dest: /var/www/html/index.html
- name: task5
service:
name: httpd
state: started
enabled: yes
templates
ansible dev -m setup | grep defau -A 2
ansible dev -m setup | grep fqdn
Welcome to {{ansible_fqdn}} on {{ansible_default_ipv4.address}}
---
- name: task1
hosts: webservers
roles:
- apache
curl http://serverc
7777
---
- name: task1
hosts: webservers
roles:
- phpinfo
- name: task2
hosts: balancers
roles:
- balance
tasks:
- name: task2-1
service:
name: firewalld
state: started
enabled: yes
- name: task2-2
firewalld:
port: 80/tcp
permanent: yes
state: enabled
immediate: yes
8888
---
- name: task
hosts: all
tasks:
- name: task1
block:
- name: task1-1
parted:
number: 1
part_end: 1500MiB
device: /dev/vdb
state: present
flags: [lvm]
rescue:
- name: task1-2
debug:
msg: "could not create lv of that size"
- name: task1-3
parted:
number: 1
part_end: 800MiB
device: /dev/vdb
state: present
flags: [lvm]
ignore_errors: yes
- name: task2
lvg:
pvs: /dev/vdb1
vg: vg0
ignore_errors: yes
- name: task2-1
shell: "vgdisplay vg0"
register: vg
- name: task2-1-1
debug:
msg: "vg group does not exist"
when: vg.rc != 0
- name: task2-2
lvol:
vg: vg0
lv: lv0
size: 100%FREE
ignore_errors: yes
- name: task3
filesystem:
fstype: ext4
dev: /dev/vg0/lv0
ignore_errors: yes
blkid /dev/vg0/lv0
9999
ansible dev -m setup | grep
{% for i in groups.all %}
{{ hostvars[i].ansible_default_ipv4.address }} {{ hostvars[i].ansible_fqdn}} {{ hostvars[i].ansible_hostname }}
{% endfor %}
---
- name: set hosts
hosts: all
tasks:
- name: create file
template:
src: ./hosts.j2
dest: /etc/myhosts
when: inventory_hostname in groups.dev
1010
---
- name: task
hosts: all
tasks:
- name: task1
copy:
content: "Development\n"
dest: /etc/issue
when: inventory_hostname in groups.dev
- name: task2
copy:
content: "Test\n"
dest: /etc/issue
when: inventory_hostname in groups.test
- name: task3
copy:
content: "Production\n"
dest: /etc/issue
when: inventory_hostname in groups.prod
1011
ls -Zd /var/www/html隐藏
---
- name: task
hosts: dev
tasks:
- name: task1
group:
name: webdev
state: present
- name: task2
file:
path: /webdev
group: webdev
mode: '2755'
state: directory
setype: httpd_sys_content_t
- name: task3
file:
src: /webdev
dest: /var/www/html/webdev
state: link
- name: task4
copy:
content: "Development\n"
dest: /webdev/index.html
setype: httpd_sys_content_t
- name: task5
firewalld:
port: 80/tcp
permanent: yes
immediate: yes
state: enabled
- name: task6
service:
name: httpd
state: restarted
enabled: yes
1012
ansible dev -m setup |grep mem
ansible dev -m setup |less
---
- name: task
hosts: all
tasks:
- name: task1
get_url:
url: http://materials.example.com/hwreport.empty
dest: /root/hwreport.txt
- name: task2-1
lineinfile:
dest: /root/hwreport.txt
regexp: '^HOST'
line: "HOST={{ inventory_hostname }}"
- name: task2-2
lineinfile:
dest: /root/hwreport.txt
regexp: '^MEMORY'
line: "MEMORY={{ ansible_memtotal_mb }}"
- name: task2-3
lineinfile:
dest: /root/hwreport.txt
regexp: '^BIOS'
line: "BIOS={{ ansible_bios_version }}"
- name: task2-4
lineinfile:
dest: /root/hwreport.txt
regexp: '^DISK_SIZE_VDA'
line: "DISK_SIZE_VDA={{ ansible_devices.vda.size }}"
- name: task2-5
lineinfile:
dest: /root/hwreport.txt
regexp: '^DISK_SIZE_VDB'
line: "DISK_SIZE_VDB={{ ansible_devices.vdb.size }}"
when: ansible_devices.vdb is defined
- name: task2-6
lineinfile:
dest: /root/hwreport.txt
regexp: '^DISK_SIZE_VDB'
line: "DISK_SIZE_VDB=NONE"
when: ansible_devices.vdb is not defined
1013
ansible-vault create locker.yml
ansible-vault view locker.yml
pw_developer: Imadev
pw_manager: Imamgr
1014
---
- name: task1
hosts: dev,test,prod
tasks:
- name: task1-1
group:
name: devops
state: present
when: inventory_hostname in groups.dev or inventory_hostname in groups.test
- name: task1-2
group:
name: opsmgr
state: present
when: inventory_hostname in groups.prod
- name: task2
hosts: dev,test
vars_files:
- user_list.yml
- locker.yml
tasks:
- name: task2-1
user:
name: "{{ item.name }}"
groups: devops
comment: "{{ item.job }}"
state: present
password: "{{ pw_developer | password_hash('sha512') }}"
loop: "{{ users }}"
when: item.job == "developer"
- name: task3
hosts: prod
vars_files:
- user_list.yml
- locker.yml
tasks:
- name: task3-1
user:
name: "{{ item.name }}"
groups: opsmgr
comment: "{{ item.job }}"
state: present
password: "{{ pw_manager | password_hash('sha512') }}"
loop: "{{ users }}"
when: item.job == "manager"
ansible-playbook --vault-password-file=secret.txt users.yml
1015
ansible-vault rekey salaries.yml
1016
---
- name: task
hosts: all
tasks:
- name: task1
cron:
name: "defining cron job"
minute: '*/2'
user: student
job: logger "EX294 in progress"
state: present
Verify: crontab -l -u student
su vyos
$ configure
# set system host-name R1
# commit
# save
# exit
$ configure
# set interfaces ethernet eth1 address 10.0.0.1/24
# set interfaces ethernet eth2 address 192.168.1.1/24
# set interfaces loopback lo address 1.1.1.1/32
# commit
# save
# exit
DHCP
$ configure
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' start '192.168.1.10' stop '192.168.1.254'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' domain-name 'internal-net'
# set service dhcp-server shared-network-name 'LAN' subnet '192.168.1.0/24' lease 86400
# commit
# dhclient ens4
///
IP
# ifconfig ens4 192.168.1.10 netmask 255.255.255.0
R2
OSPF
$ configure
# set protocols ospf area 0 network 30.0.0.0/24
# set protocols ospf area 0 network 40.0.0.0/24
# set protocols ospf area 0 network 2.2.2.2/32
# commit
# save
run show ip route
ping 60.0.0.2 -c 3
R2
BGP
$ configure
# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 2.2.2.2
# set protocols bgp 100 neighbor 3.3.3.3 nexthop-self
# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 2.2.2.2
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit
eBGP
# set protocols bgp 100 neighbor 10.0.0.1 remote-as 200
# set protocols bgp 100 neighbor 10.0.0.1 update-source 10.0.0.2
# set protocols bgp 100 neighbor 10.0.0.1 ebgp-multihop 2
# commit
OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save
R1-Host-AS200
eBGP
# set protocols bgp 200 neighbor 10.0.0.2 remote-as 100
# set protocols bgp 200 neighbor 10.0.0.2 update-source 10.0.0.1
# set protocols bgp 200 neighbor 10.0.0.2 ebgp-multihop 2
# commit
# save
R4-Host-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 4.4.4.4
# set protocols bgp 100 neighbor 3.3.3.3 remote-as 100
# set protocols bgp 100 neighbor 3.3.3.3 update-source 4.4.4.4
# commit
R3-AS100
$ configure
# set protocols bgp 100 neighbor 2.2.2.2 remote-as 100
# set protocols bgp 100 neighbor 2.2.2.2 update-source 3.3.3.3
# set protocols bgp 100 neighbor 2.2.2.2 nexthop-self
# set protocols bgp 100 neighbor 4.4.4.4 remote-as 100
# set protocols bgp 100 neighbor 4.4.4.4 update-source 3.3.3.3
# set protocols bgp 100 neighbor 4.4.4.4 nexthop-self
# commit
eBGP
# set protocols bgp 100 neighbor 20.0.0.1 remote-as 300
# set protocols bgp 100 neighbor 20.0.0.1 update-source 20.0.0.2
# set protocols bgp 100 neighbor 20.0.0.1 ebgp-multihop 2
# commit
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save
OSPF-BGP
# set protocols bgp 100 redistribute connected metric 1
# set protocols bgp 100 redistribute ospf metric 2
# commit
# save
R5-Host-AS300
eBGP
# set protocols bgp 300 neighbor 20.0.0.2 remote-as 100
# set protocols bgp 300 neighbor 20.0.0.2 update-source 20.0.0.1
# set protocols bgp 300 neighbor 20.0.0.2 ebgp-multihop 2
# commit
# save
NAT
# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.1.0/24
# set nat source rule 100 translation address masquerade
# commit
# save
# set nat source rule 100 outbound-interface eth1
# set nat source rule 100 source address 192.168.0.0/24
# set nat source rule 100 translation address masquerade
# commit
# save
show nat
HOST-ROUTE
route add -net 20.0.0.0/24 gw 60.0.0.1
vim /etc/netplan/00-installer-config.yaml
# This is the network config written by 'subiquity'
network:
ethernets:
ens33:
dhcp4: true
nameservers:
addresses: [192.168.23.152]
routes:
- to: 10.10.10.0/24
via: 192.168.23.2
version: 2
netplan apply
VPN
R5
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth1'
# set vpn ipsec site-to-site peer 10.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 10.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 10.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 10.0.0.1 local-address '20.0.0.1'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 local prefix '192.168.0.0/24'
# set vpn ipsec site-to-site peer 10.0.0.1 tunnel 0 remote prefix '192.168.1.0/24'
# show vpn ipsec site-to-site peer 10.0.0.1
R1
# set vpn ipsec esp-group office-srv-esp compression 'disable'
# set vpn ipsec esp-group office-srv-esp lifetime '1800'
# set vpn ipsec esp-group office-srv-esp mode 'tunnel'
# set vpn ipsec esp-group office-srv-esp pfs 'enable'
# set vpn ipsec esp-group office-srv-esp proposal 1 encryption 'aes256'
# set vpn ipsec esp-group office-srv-esp proposal 1 hash 'sha1'
# set vpn ipsec ike-group office-srv-ike ikev2-reauth 'no'
# set vpn ipsec ike-group office-srv-ike key-exchange 'ikev1'
# set vpn ipsec ike-group office-srv-ike lifetime '3600'
# set vpn ipsec ike-group office-srv-ike proposal 1 encryption 'aes256'
# set vpn ipsec ike-group office-srv-ike proposal 1 hash 'sha1'
# set vpn ipsec ipsec-interfaces interface 'eth1'
# set vpn ipsec site-to-site peer 20.0.0.1 authentication mode 'pre-shared-secret'
# set vpn ipsec site-to-site peer 20.0.0.1 authentication pre-shared-secret 'openlab'
# set vpn ipsec site-to-site peer 20.0.0.1 ike-group 'office-srv-ike'
# set vpn ipsec site-to-site peer 20.0.0.1 local-address '10.0.0.1'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-nat-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 allow-public-networks 'disable'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 esp-group 'office-srv-esp'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 local prefix '192.168.1.0/24'
# set vpn ipsec site-to-site peer 20.0.0.1 tunnel 0 remote prefix '192.168.0.0/24'
# show vpn ipsec site-to-site peer 20.0.0.1
run show vpn ike sa
run show vpn ipsec sa
R1-del-NAT
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.0.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99
R5-del-NAT
# set nat source rule 99 outbound-interface eth1
# set nat source rule 99 destination address 192.168.1.0/24
# set nat source rule 99 exclude
# commit
# show nat source rule 99